SOC Prime Bias: Medium

16 Apr 2026 16:46

North Korea’s Safari Campaign Delivers RATs

SOC Prime Team

Summary

The article outlines a new macOS malware framework called Mach-O Man that has been linked to the Lazarus Group’s Famous Chollima unit. The malware is distributed through compromised Telegram accounts and fake meeting invitations that persuade targets to run a ClickFix command on their devices. The toolkit includes several Mach-O binaries designed to gather host details, maintain persistence, and steal credentials and browser data, with exfiltration occurring through Telegram. The campaign appears focused on cryptocurrency exchanges and other organizations in the financial sector.

Investigation

Researchers identified a staging binary named teamsSDK.bin that was downloaded and executed through a malicious command sequence. Additional components, including D1yCPUyk.bin, minst2.bin, and macrasv2, were then used to enumerate the system, create a LaunchAgent for persistence, and harvest browser extensions, keychain data, and cookies. Command-and-control communication relied on a Go-based HTTP server that exposed an unauthenticated /info endpoint and leaked a Telegram Bot API token. Investigators also found remote-access services such as RDP, WinRM, and Chrome Remote Desktop exposed on the C2 host.

Mitigation

Users should avoid interacting with unsolicited meeting links and confirm the legitimacy of any terminal commands suggested during unexpected conversations. Organizations should monitor for unauthorized LaunchAgents, require trusted code signing for macOS binaries, and restrict execution of unknown files. Network defenses should block outbound connections to suspicious Go-based HTTP servers and flag traffic using the Go-http-client user agent. Telegram bot tokens should be protected from exposure, and remote desktop services should be locked down with least-privilege access controls.

Response

Security teams should detect the execution of unknown .bin files and monitor for creation of LaunchAgents named com.onedrive.launcher. Alerts should also be triggered on outbound connections to suspicious infrastructure using the Go-http-client user agent, as well as repeated POST requests to /info endpoints. Defenders should watch for unexpected Telegram API activity tied to unfamiliar bot tokens. Full host forensics should be conducted to identify and remove all malicious binaries, followed by credential resets for any accounts that may have been compromised.
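A defender-side check for the indicators listed in the Mitigation and Response sections, as an added example that is not part of the SOC Prime report: it parses a LaunchAgent/LaunchDaemon plist with plistlib and scans web-proxy log lines for the Go-http-client POST to /info and Telegram Bot API traffic. The sample plist, log lines, C2 host and bot token are constructed placeholders, and the list of untrusted program directories is an assumption.

```python
import plistlib
import re

# Indicators taken from the report: persistence label, C2 user agent/endpoint, exfil service
SUSPICIOUS_LABELS = {"com.onedrive.launcher"}
# Assumption: directories from which a launchd job should not normally run a payload
UNTRUSTED_PROGRAM_DIRS = ("/tmp/", "/usr/local/bin/", "/Users/Shared/", "/private/tmp/")
GO_HTTP_CLIENT = re.compile(r"Go-http-client/\d")
TELEGRAM_BOT_URL = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+")

def check_launchd_plist(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent/LaunchDaemon plist matches the report's persistence pattern."""
    job = plistlib.loads(plist_bytes)
    reasons = []
    label = job.get("Label", "")
    if label in SUSPICIOUS_LABELS:
        reasons.append(f"known-bad label {label}")
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    program = args[0]
    if program.startswith(UNTRUSTED_PROGRAM_DIRS):
        reasons.append(f"program outside trusted paths: {program}")
    if job.get("RunAtLoad") and program.endswith(".bin"):
        reasons.append("RunAtLoad job executing a .bin payload")
    return reasons

def check_proxy_line(line: str) -> list[str]:
    """Flag one web-proxy log line on the report's network indicators."""
    reasons = []
    if GO_HTTP_CLIENT.search(line) and "POST " in line and "/info " in line:
        reasons.append("Go-http-client POST to /info")
    if TELEGRAM_BOT_URL.search(line):
        reasons.append("Telegram Bot API call with embedded bot token")
    return reasons

# Constructed sample plist mirroring the persistence the report describes (not a real artifact)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.onedrive.launcher</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/macho/minst2.bin</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed proxy log lines: one benign, two matching the indicators (bot token is a placeholder)
SAMPLE_LOG = [
    '10.0.0.5 "GET http://example.org/index.html HTTP/1.1" 200 "Mozilla/5.0 (Macintosh)"',
    '10.0.0.5 "POST http://c2.example/info HTTP/1.1" 200 "Go-http-client/1.1"',
    '10.0.0.5 "POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendDocument HTTP/1.1" 200 "Go-http-client/2.0"',
]
```

Feed real LaunchAgent plists and proxy exports through the two functions and route any non-empty result to the alert pipeline.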

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef malware fill:#ffcc99
        classDef process fill:#e6ffe6
        classDef file fill:#ffe6cc
        classDef service fill:#e6e6ff

        %% Node Definitions
        initial_access_user_execution["<b>Action</b> – <b>T1204.001 User Execution</b><br/>Victim clicks a malicious “fix” link in a Telegram meeting that runs a curl command"]
        class initial_access_user_execution action
        tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Description</b>: command‑line utility to transfer data from or to a server"]
        class tool_curl tool
        file_teamsSDK_bin["<b>File</b> – <b>Name</b>: teamsSDK.bin (Mach‑O)<br/><b>Description</b>: Stager binary downloaded and executed"]
        class file_teamsSDK_bin file
        process_curl_download["<b>Process</b> – curl download and execute teamsSDK.bin"]
        class process_curl_download process
        malware_teamsSDK["<b>Malware</b> – <b>Name</b>: teamsSDK<br/><b>Description</b>: contacts C2 after execution"]
        class malware_teamsSDK malware
        service_go_http["<b>Service</b> – Go based HTTP server<br/><b>Port</b>: 80/443<br/><b>Endpoint</b>: /info (unauthenticated)"]
        class service_go_http service
        process_c2_communication["<b>Process</b> – Communicates with C2 via HTTP POST to /info"]
        class process_c2_communication process
        file_minst2_bin["<b>File</b> – <b>Name</b>: minst2.bin"]
        class file_minst2_bin file
        process_install_launchagent["<b>Process</b> – Installs LaunchAgent plist for persistence"]
        class process_install_launchagent process
        malware_fake_onedrive["<b>Malware</b> – Fake “OneDrive” binary launched at login"]
        class malware_fake_onedrive malware
        tool_macrasv2["<b>Tool</b> – <b>Name</b>: macrasv2<br/><b>Description</b>: extracts Keychain entries, browser passwords, cookies, extensions"]
        class tool_macrasv2 tool
        process_keychain_extraction["<b>Process</b> – Extracts macOS Keychain and browser data"]
        class process_keychain_extraction process
        action_discovery_system_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>Collects CPU ID, hostname, user, installed apps"]
        class action_discovery_system_info action
        action_discovery_software["<b>Action</b> – <b>T1518 Software Discovery</b><br/>Enumerates installed browsers and extensions"]
        class action_discovery_software action
        service_telegram_bot["<b>Service</b> – Telegram Bot API<br/><b>Purpose</b>: Receive exfiltrated credentials"]
        class service_telegram_bot service
        process_exfiltration["<b>Process</b> – Sends collected data to Telegram bot"]
        class process_exfiltration process
        action_content_injection["<b>Action</b> – <b>T1659 Content Injection</b><br/>Unauthenticated /info endpoint permits arbitrary file upload"]
        class action_content_injection action
        action_dynamic_resolution["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Resolves C2 domain at runtime"]
        class action_dynamic_resolution action

        %% Connections
        initial_access_user_execution -->|uses| tool_curl
        tool_curl -->|downloads| file_teamsSDK_bin
        file_teamsSDK_bin -->|executed by| process_curl_download
        process_curl_download -->|runs| malware_teamsSDK
        malware_teamsSDK -->|communicates with| service_go_http
        service_go_http -->|receives data via| process_c2_communication
        process_c2_communication -->|triggers| file_minst2_bin
        file_minst2_bin -->|installs| process_install_launchagent
        process_install_launchagent -->|creates| malware_fake_onedrive
        malware_fake_onedrive -->|executes at login| action_discovery_system_info
        action_discovery_system_info -->|leads to| action_discovery_software
        action_discovery_software -->|provides data to| tool_macrasv2
        tool_macrasv2 -->|performs| process_keychain_extraction
        process_keychain_extraction -->|gives data to| process_exfiltration
        process_exfiltration -->|sends to| service_telegram_bot
        malware_teamsSDK -->|enables| action_content_injection
        action_content_injection -->|allows| file_minst2_bin
        malware_teamsSDK -->|enables| action_dynamic_resolution
        action_dynamic_resolution -->|resolves| service_go_http

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (T1546.006 / T1587.001) designed to trigger the detection rule. The commands reflect a realistic “living‑off‑the‑land” deployment of the Mach‑O Man binaries.

  • Attack Narrative & Commands:

    1. An attacker who has already gained a foothold on the macOS host copies the four Mach‑O Man binaries from a staging location (/tmp/stage) to a writable directory (/usr/local/bin).
    2. The binaries are made executable and launched sequentially to mimic the kit’s initialisation, reconnaissance, persistence, and credential‑theft phases.
    3. Persistence is achieved by writing a launch daemon plist that points to minst2.bin.
    # Step 1 – Stage the binaries (simulated by copying from a test assets folder)
    mkdir -p /usr/local/bin/macho
    cp ./assets/teamsSDK.bin /usr/local/bin/macho/
    cp ./assets/D1YrHRTg.bin /usr/local/bin/macho/
    cp ./assets/minst2.bin   /usr/local/bin/macho/
    cp ./assets/macrasv2    /usr/local/bin/macho/
    
    # Step 2 – Make them executable (macrasv2 has no .bin suffix, so match every file in the folder)
    chmod +x /usr/local/bin/macho/*
    
    # Step 3 – Execute the stager and reconnaissance binaries
    /usr/local/bin/macho/teamsSDK.bin &
    /usr/local/bin/macho/D1YrHRTg.bin &
    
    # Step 4 – Install persistence (launch daemon) for minst2.bin; /Library/LaunchDaemons is root-owned, so write via sudo
    sudo tee /Library/LaunchDaemons/com.macho.minst2.plist >/dev/null <<'EOF'
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key><string>com.macho.minst2</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/macho/minst2.bin</string>
        </array>
        <key>RunAtLoad</key><true/>
    </dict>
    </plist>
    EOF
    sudo launchctl load -w /Library/LaunchDaemons/com.macho.minst2.plist
    
    # Step 5 – Execute the credential‑theft/exfil component
    /usr/local/bin/macho/macrasv2 &
  • Regression Test Script: (self‑contained bash script that reproduces the above steps)

    #!/usr/bin/env bash
    set -euo pipefail
    
    # --- VARIABLES -------------------------------------------------
    BIN_DIR="/usr/local/bin/macho"
    ASSET_DIR="$(pwd)/assets"
    PLIST="/Library/LaunchDaemons/com.macho.minst2.plist"
    
    # --- PRE‑CHECK -------------------------------------------------
    if [[ $(id -u) -ne 0 ]]; then
      echo "Script requires root to install launch daemon. Re‑run with sudo."
      exit 1
    fi
    
    # --- DEPLOY BINARIES -------------------------------------------
    mkdir -p "$BIN_DIR"
    for bin in teamsSDK.bin D1YrHRTg.bin minst2.bin macrasv2; do
      cp "$ASSET_DIR/$bin" "$BIN_DIR/$bin"
      chmod +x "$BIN_DIR/$bin"
    done
    
    # --- EXECUTE STAGER & RECON ------------------------------------
    "$BIN_DIR/teamsSDK.bin" &
    "$BIN_DIR/D1YrHRTg.bin" &
    
    # --- PERSISTENCE (launch daemon) -------------------------------
    cat <<'EOF' > "$PLIST"
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key><string>com.macho.minst2</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/macho/minst2.bin</string>
        </array>
        <key>RunAtLoad</key><true/>
    </dict>
    </plist>
    EOF
    launchctl load -w "$PLIST"
    
    # --- EXECUTE CREDENTIAL THEFT COMPONENT -----------------------
    "$BIN_DIR/macrasv2" &
    
    echo "Simulation executed – wait a few seconds for telemetry to appear."
  • Cleanup Commands:

    #!/usr/bin/env bash
    set -euo pipefail
    
    BIN_DIR="/usr/local/bin/macho"
    PLIST="/Library/LaunchDaemons/com.macho.minst2.plist"
    
    # Unload launch daemon
    if [[ -f "$PLIST" ]]; then
      sudo launchctl unload -w "$PLIST"
      sudo rm -f "$PLIST"
    fi
    
    # Kill any lingering malicious processes
    pkill -f teamsSDK.bin || true
    pkill -f D1YrHRTg.bin || true
    pkill -f minst2.bin   || true
    pkill -f macrasv2    || true
    
    # Remove binaries
    sudo rm -rf "$BIN_DIR"
    
    echo "Cleanup complete."