Pulse Detail — Threat Intelligence

PULSE NAME

North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

WHITE AlienVault 2025-02-26 Modified: 2025-03-28

IOCs

MEDIUM VOLUME

A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes "RustDoor," a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of "Koi Stealer," designed to exfiltrate sensitive information

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1071.001 T1105 T1059.004 T1140 T1027 T1056.001 T1113 T1070.004

MALWARE FAMILIES

Koi Stealer

Indicators of Compromise (25)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	457b0b1ab814a830ee2f658eb501face	MD5 of 76f96a35b6f638eed779dc127f29a5b537ffc3bb7accc2c9bfab5a2120ea6bc9	2025-02-26
FileHash-MD5	701165265b73f90942b7000ba39cfe5c	MD5 of baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d	2025-02-26
FileHash-MD5	d2da2dc24f73f66f3fbe62784262378b	MD5 of a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5	2025-02-26
FileHash-SHA1	254aad39a432ff0df2ce35cc4ff3578afe1dc1df	SHA1 of baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d	2025-02-26
FileHash-SHA1	5ec7497107478f08ca5018bf659f9340880c059c	SHA1 of a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5	2025-02-26
FileHash-SHA1	a246db8fe1a4f385ed5e2eed5087a60fd2be6b5a	SHA1 of 76f96a35b6f638eed779dc127f29a5b537ffc3bb7accc2c9bfab5a2120ea6bc9	2025-02-26
FileHash-SHA256	17064520feaf5804aa725e123b24fd0f73f8afc9b7f4361650cd11ddf4ee768f	—	2025-02-26
FileHash-SHA256	27fcc3278afbbec44737e9f72666946607fea819f5b1cb9fbbe268037a561f0b	—	2025-02-26
FileHash-SHA256	76f96a35b6f638eed779dc127f29a5b537ffc3bb7accc2c9bfab5a2120ea6bc9	—	2025-02-26
FileHash-SHA256	77361f7ef25a0185636a0fc6deff2e9986720223da9d6b1494f671082105bebb	—	2025-02-26
FileHash-SHA256	8be62324fe5af009c12fb9afc8d4f47d12c98ea680bff490b3f5e0c72c8f9617	—	2025-02-26
FileHash-SHA256	8f0e2b8b3e07f5761066cb00bc0db10d68c56ada8c054e9f07990cc1ac5ae962	—	2025-02-26
FileHash-SHA256	97abafff549ea21797c135c965c5e4a46a44ec7353b2edd293e8a22d5954b6aa	—	2025-02-26
FileHash-SHA256	a5b7ddd12539ce3e8c08bed5855ddcea3217d41d7d4c58fcc1a7e01336b38912	—	2025-02-26
FileHash-SHA256	a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5	—	2025-02-26
FileHash-SHA256	adde2970b40634e91b9ef8520f8e50eaa7901a65f9230e65d7995ac1a47700ef	—	2025-02-26
FileHash-SHA256	b5119a49830a2044f406645c261e54ab335c9b1e1ed320df758405a8147fae88	—	2025-02-26
FileHash-SHA256	b5412375477a180608bf410f5cb36b4a0949bee7663648a06879f42be9a3b6bc	—	2025-02-26
FileHash-SHA256	baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d	—	2025-02-26
FileHash-SHA256	c379f4ab29a49d4bccb232c8551d1b8b01e64440ea495bbabef9010a519516c3	—	2025-02-26
FileHash-SHA256	c42b103b42d7e9817f93cb66716b7bf2e4fe73a405e0fbbae0806ce8b248a304	—	2025-02-26
URL	https://apple-ads-metric.com	—	2025-02-26
URL	https://visualstudiomacupdate.com	—	2025-02-26
domain	apple-ads-metric.com	—	2025-02-26
domain	visualstudiomacupdate.com	—	2025-02-26

References (1)

↗ https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/