Unmasking Lazarus Group’s macOS Malware: Threat Hunting in Operation AppleJeus

As threat actors evolve, so too must our ability to detect and counter them. One particular group that has caught the attention of cybersecurity professionals worldwide is North Korea’s infamous Lazarus Group. Known for their sophisticated operations targeting cryptocurrency platforms, Lazarus has recently expanded their toolkit to include macOS malware. This article explores their AppleJeus campaign and offers practical insights for threat hunters focusing on Apple environments.

A Rising Tide: macOS Malware Outpacing Windows?

Surprisingly, recent reports from Malwarebytes revealed a shift in malware trends. For the first time in 2020, Mac malware detections outnumbered those on Windows. While historically seen as a less-targeted platform, macOS has clearly become a bigger target — largely driven by campaigns like Lazarus’s AppleJeus.

Operation AppleJeus: The Lazarus Playbook

AppleJeus began making waves in late 2018. The campaign primarily focused on cryptocurrency theft, but its reach extended far beyond finance — impacting sectors like government, energy, telecom, and technology.

The attack strategy involved cloning legitimate cryptocurrency apps and injecting them with backdoor malware. These altered applications were then distributed via convincingly fake websites, complete with valid SSL certificates from providers like Sectigo — albeit at the most basic verification tier.

Case Study: Cellistrade Pro

One of the earliest known infected apps was Cellistrade Pro, a modified version of the open-source app QtBitcoinTrader. Lazarus tweaked strings within the binary, repackaged it, and deployed it across macOS, Windows, and even Linux systems.

What made Cellistrade Pro particularly stealthy was its LaunchD persistence. In macOS, LaunchD manages system daemons and agents — background services that can be started at boot or at login. Lazarus used LaunchD plists (property list files) so that their malware launched automatically. Depending on where the plist is placed, the job runs either as the logged-in user (LaunchAgents) or as root (LaunchDaemons), which makes detection harder.

Where to Hunt: Key Directories for LaunchDaemons & Agents

Threat hunters should monitor the following macOS directories:

  • ~/Library/LaunchAgents/ (current user only; runs as that user)

  • /Library/LaunchAgents/ (all users; runs in each user's session)

  • /Library/LaunchDaemons/ (system-wide; runs as root)

  • /System/Library/LaunchDaemons/ (Apple's own daemons)

  • /System/Library/LaunchAgents/ (Apple's own agents)

These are the common storage points for plist files used to trigger persistence. Notably, Lazarus’s malware always placed its plist in the LaunchDaemons folder and executed with root permissions — a clear red flag.
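A small triage script that applies these rules to launchd plists is shown below. It is an added example, not code from the article or from any vendor: it parses each plist, notes whether the job is in a LaunchDaemons folder outside /System (and so runs as root at boot), whether its program lives somewhere a normal installer would put it, and whether the program borrows one of the generic names the article mentions (updater, helper, crash reporter). The two sample plists, the label com.example.tradingapp.updater and the path /Library/TradingApp/.updater are constructed for illustration, and the allow-list of expected program prefixes is an assumption to tune per fleet.

```python
"""Triage launchd property lists for AppleJeus-style persistence (added example)."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# The five directories the article lists as launchd plist locations.
LAUNCHD_DIRS = [
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
]

# Where a legitimately installed job's program normally lives.
# Assumption: extend this allow-list with the fleet's own software inventory.
EXPECTED_PROGRAM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/",
                             "/Applications/", "/Library/Apple/")

# Generic component names the article says the malware hid behind.
GENERIC_NAMES = {"updater", "helper", "crashreporter", "crash reporter"}


def triage_plist(data: bytes, plist_path: str) -> dict:
    """Parse one plist and return its persistence facts plus any findings."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    findings = []

    # Location decides privilege: a LaunchDaemons job runs as root at boot.
    # Apple's own daemons live under /System; anything else there is third party.
    if "/LaunchDaemons/" in plist_path and not plist_path.startswith("/System/"):
        findings.append("third-party LaunchDaemon: runs as root at boot")

    if program is None:
        findings.append("no Program or ProgramArguments: nothing to execute")
    else:
        name = Path(program).name
        if not program.startswith(EXPECTED_PROGRAM_PREFIXES):
            findings.append(f"program outside standard install locations: {program}")
        if name.lstrip(".").lower() in GENERIC_NAMES:
            findings.append(f"generic component name: {name}")
        if name.startswith("."):
            findings.append("hidden (dot-prefixed) program name")

    return {
        "path": plist_path,
        "label": job.get("Label"),
        "program": program,
        # RunAtLoad starts the job at boot/login; KeepAlive relaunches it if killed.
        "autostart": bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive")),
        "findings": findings,
    }


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Triage every .plist in the launchd directories on this host (no-op off macOS)."""
    results = []
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                results.append(triage_plist(p.read_bytes(), str(p)))
            except (OSError, ValueError, ExpatError) as exc:
                results.append({"path": str(p), "findings": [f"unreadable plist: {exc}"]})
    return results


# Constructed sample of an AppleJeus-style job (not a real artifact).
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.tradingapp.updater</string>
  <key>ProgramArguments</key><array><string>/Library/TradingApp/.updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample of an ordinary Apple daemon, for comparison.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/usr/libexec/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    samples = [
        (SAMPLE_SUSPICIOUS, "/Library/LaunchDaemons/com.example.tradingapp.updater.plist"),
        (SAMPLE_BENIGN, "/System/Library/LaunchDaemons/com.apple.example.plist"),
    ]
    for data, path in samples:
        print(path, "->", triage_plist(data, path)["findings"] or "no findings")
    for r in scan_launchd_dirs():          # live sweep; empty on non-macOS hosts
        if r["findings"]:
            print(r["path"], "->", r["findings"])
```

The constructed suspicious plist trips four findings (third-party daemon, non-standard program path, generic name, hidden file), while the Apple-style sample trips none even though it also sets RunAtLoad; autostart alone is normal for system jobs, so it is reported as a fact rather than a finding.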

Malware Variants Beyond Cellistrade

In addition to Cellistrade Pro, six other applications were observed in the campaign:

  • JMT Trading

  • Union Crypto

  • Coupay

  • CoinGo Trade

  • Deriso

  • Ants2Whale

Each followed a similar naming and structural convention, allowing defenders to establish patterns useful in detection.

Command & Control (C2) Insights

Alongside persistence, the malware utilized cleverly disguised binaries like updater, helper, and crash reporter to manage communication with command-and-control servers. While the front-end appeared benign, these components secretly initiated outbound connections once the host booted.

The malware’s user-agent strings — identifiers used during web communications — were sometimes suspicious and atypical for standard Mac applications. This anomaly can be a goldmine for analysts conducting network traffic analysis.

What to Watch for in Network Traffic

Effective threat hunting combines both host-based and network-based indicators. Here are some artifacts to monitor:

  • Unusual or rarely seen user-agent strings

  • Unexpected HTTP or HTTPS URIs

  • DNS queries to uncommon or new domains

  • TLS certificates, especially low-assurance ones from providers like Sectigo

  • Network activity from modified legitimate apps or unexpected background services

On the host side, utilities like netstat, osquery, or EDR (Endpoint Detection and Response) tools can help correlate traffic with process data.
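The following script shows how three of the indicators above (rare user-agents, user-agents atypical for macOS, and hosts outside a known baseline) can be checked over proxy logs. It is an added example, not code from the article. The log layout is a constructed tab-separated format (timestamp, source IP, host, method, URI, user-agent), so parse_line() must be adapted to a real proxy export; the host trade-update.example and the user-agent "Updater/1.0" are constructed, not real indicators, and the list of macOS user-agent markers is an assumption to extend for the fleet's own agents.

```python
"""Hunt HTTP proxy logs for the network artifacts the article lists (added example)."""
from collections import Counter

RARE_UA = "rare user-agent"
ATYPICAL_UA = "user-agent atypical for macOS"
NEW_HOST = "host not in baseline"

# Substrings a user-agent from a stock macOS browser or system process usually
# carries: browsers say "Macintosh"; Apple frameworks say "CFNetwork" and "Darwin".
# Assumption: add markers for any in-house agents before running on real data.
MAC_UA_MARKERS = ("Macintosh", "CFNetwork", "Darwin")


def parse_line(line: str):
    """Split one tab-separated log line; return None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, src, host, method, uri, ua = parts
    return {"ts": ts, "src": src, "host": host.lower(),
            "method": method, "uri": uri, "ua": ua}


def hunt_http_logs(lines, baseline_hosts, min_ua_count=2):
    """Return one alert per request that trips at least one indicator."""
    records = [r for r in map(parse_line, lines) if r]
    ua_counts = Counter(r["ua"] for r in records)      # frequency baseline for UAs
    baseline = {h.lower() for h in baseline_hosts}
    alerts = []
    for r in records:
        reasons = []
        if ua_counts[r["ua"]] < min_ua_count:
            reasons.append(RARE_UA)
        if not any(marker in r["ua"] for marker in MAC_UA_MARKERS):
            reasons.append(ATYPICAL_UA)
        if r["host"] not in baseline:
            reasons.append(NEW_HOST)
        if reasons:
            alerts.append({**r, "reasons": reasons})
    return alerts


# Constructed sample log: three Safari requests, three softwareupdated requests,
# and one request from an unknown agent to a host outside the baseline.
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/13.0.4 Safari/605.1.15")
SWU_UA = "softwareupdated (unknown version) CFNetwork/1121.2.2 Darwin/19.2.0"
SAMPLE_LOG = ["\t".join(f) for f in [
    ("2020-01-15T09:00:01", "10.0.0.12", "www.apple.com", "GET", "/", SAFARI_UA),
    ("2020-01-15T09:00:02", "10.0.0.12", "developer.apple.com", "GET", "/documentation", SAFARI_UA),
    ("2020-01-15T09:00:03", "10.0.0.12", "www.apple.com", "GET", "/mac", SAFARI_UA),
    ("2020-01-15T09:00:05", "10.0.0.12", "swscan.apple.com", "GET", "/catalog", SWU_UA),
    ("2020-01-15T09:00:06", "10.0.0.12", "swscan.apple.com", "GET", "/catalog", SWU_UA),
    ("2020-01-15T09:00:07", "10.0.0.12", "swscan.apple.com", "GET", "/catalog", SWU_UA),
    ("2020-01-15T09:00:09", "10.0.0.12", "trade-update.example", "POST", "/update/check.php", "Updater/1.0"),
]] + ["", "truncated line without enough fields"]   # malformed input is skipped

BASELINE_HOSTS = {"www.apple.com", "developer.apple.com", "swscan.apple.com"}

if __name__ == "__main__":
    for a in hunt_http_logs(SAMPLE_LOG, BASELINE_HOSTS):
        print(f"{a['ts']} {a['src']} -> {a['host']}{a['uri']} [{a['ua']}]: {', '.join(a['reasons'])}")
```

On the constructed log only the POST to trade-update.example is flagged, and it trips all three indicators at once; in practice a request that trips several independent indicators is the one to correlate with process data (netstat, osquery or EDR) first, as the next paragraph suggests.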

Going Deeper: Tools and Tips

Want to inspect encrypted connections? Tools like mitmproxy can intercept and inspect TLS sessions — assuming certificate pinning is not in place. For plist analysis and daemon behavior, launchd.info provides excellent technical documentation and real-world examples.

Final Thoughts

Lazarus Group’s macOS campaigns illustrate how adversaries are adapting to exploit gaps in Apple environments. By understanding their tools — from plist-based persistence to network behavior — defenders can improve visibility and response.

Whether you’re protecting enterprise assets or your personal device, staying informed is the first step. If your Mac is communicating with unfamiliar services or showing unexpected persistence, it’s time to dig deeper.
