CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems
Briefly

"Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators. To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user's shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file."
"Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware that's attributed to an uncategorized threat cluster dubbed UNC4487."
Two new malware families were identified: CHILLYHELL, a modular Apple macOS backdoor written in C++ for Intel architectures, and ZynorRAT, a Go-based remote access trojan that targets Windows and Linux. CHILLYHELL is attributed to UNC4487, a suspected espionage cluster active since at least October 2022 and observed compromising Ukrainian government websites to redirect and socially engineer targets toward Matanbuchus or CHILLYHELL. A notarized CHILLYHELL sample uploaded to VirusTotal on May 2, 2025 was publicly hosted on Dropbox and had its developer certificates revoked by Apple. CHILLYHELL profiles hosts, establishes persistence via LaunchAgents, LaunchDaemons, or shell profile modification, uses timestomping to alter artifact timestamps, and communicates with hard-coded C2 servers over HTTP or DNS to receive commands.
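As an added defender-side example (not code from the article or from Jamf's report): a small Python triage helper for the three persistence artifacts summarised above, an injected launch line in a shell profile, a LaunchAgent/LaunchDaemon plist whose program lives in a drop location, and an mtime/ctime gap that suggests timestomping. The drop-location and background-command heuristics and the sample profile and plist are my assumptions, not indicators taken from the report.

```python
import plistlib
import re

# Shell profiles the report names as CHILLYHELL's fallback persistence location.
PROFILES = (".zshrc", ".bash_profile", ".profile")
# Assumed heuristics (mine, not from the report): a backgrounded or nohup'd
# command, or a program living in a temp / user-writable drop location.
BACKGROUND_RE = re.compile(r"(?:^|\s)nohup\s|&\s*$")
DROP_DIR_RE = re.compile(r"(?:/private)?/tmp/|/var/tmp/|/Users/Shared/")

def suspicious_profile_lines(profile_text: str) -> list[str]:
    """Non-comment profile lines that look like an injected launch command."""
    hits = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and (
            BACKGROUND_RE.search(line) or DROP_DIR_RE.search(line)
        ):
            hits.append(line)
    return hits

def suspicious_launch_item(plist_bytes: bytes) -> bool:
    """True if a LaunchAgent/LaunchDaemon plist runs a program from a drop location."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    return bool(DROP_DIR_RE.search(program))

def looks_backdated(mtime: float, ctime: float, slack: float = 86400.0) -> bool:
    """Timestomping lead: touch/utimes() can rewrite mtime but not ctime, so an mtime
    far older than ctime means mtime was set back (chmod/chown also widen the gap,
    so treat a hit as something to triage, not as proof)."""
    return ctime - mtime > slack

# Constructed sample artifacts, not real captures.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup /Users/Shared/.cache/updater >/dev/null 2>&1 &
source ~/.nvm/nvm.sh
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(suspicious_profile_lines(SAMPLE_ZSHRC))  # only the nohup line
    print(suspicious_launch_item(SAMPLE_PLIST))    # True
```

To run it against a live host, read each file in PROFILES under a user's home and each plist under ~/Library/LaunchAgents and /Library/LaunchDaemons, and feed os.stat().st_mtime and st_ctime of those files to looks_backdated.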
Read at The Hacker News