21 August 2024

North Korean hackers BlueNoroff add new macOS malware TodoSwift to their arsenal

A new strain of macOS malware has been discovered that is believed to be the work of the North Korean state-backed APT group known as BlueNoroff. Dubbed ‘TodoSwift’ by Kandji researchers, the malware came to light when a signed file named TodoTasks was uploaded to VirusTotal on July 24, 2024.

TodoSwift shares several behavioral patterns with other known malware linked to North Korea, particularly those associated with the BlueNoroff group, including KANDYKORN and RustBucket.

RustBucket, first reported in July 2023, is an AppleScript-based backdoor that can fetch additional malicious payloads from a command-and-control (C2) server. KANDYKORN, discovered last year, was used in a sophisticated cyber attack targeting blockchain engineers at an unnamed cryptocurrency exchange platform. KANDYKORN can access and exfiltrate data, terminate arbitrary processes, and execute commands on the infected system.

A common thread connecting the above-mentioned malware families is the use of linkpc[.]net domains for command-and-control (C2), a tactic also employed by BlueNoroff’s TodoSwift. The new malware is distributed through a dropper component masquerading as a legitimate application called TodoTasks. This dropper is a GUI application built with SwiftUI that displays a benign Bitcoin-related PDF document while secretly downloading and executing a second-stage binary, a technique similar to the one used by RustBucket.

The PDF used in this attack is hosted on Google Drive and appears harmless, but the actual malicious payload is fetched from an actor-controlled domain.

Researchers are still analyzing the specifics of the downloaded binary, but the method of using a Google Drive URL and passing the C2 URL as a launch argument to the second-stage binary aligns with tactics previously seen in other North Korea-linked malware targeting macOS systems.
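The two behaviours described above (a GUI app bundle spawning a second-stage binary from an unusual location, and that binary receiving its C2 URL as a launch argument on a linkpc[.]net domain) can be turned into a simple process-telemetry check. The following is an added example written for this article, not code from Kandji or from the malware analysis; the event record shape, the list of "unusual" directories, and the `c2-placeholder.linkpc.net` host are constructed assumptions.

```python
import re
import shlex
from urllib.parse import urlparse

# Dynamic-DNS suffix the article ties to BlueNoroff C2 (RustBucket, KANDYKORN, TodoSwift).
C2_SUFFIXES = ("linkpc.net",)
# Directories a GUI app bundle should rarely spawn a fresh executable from (assumption).
UNUSUAL_EXEC_DIRS = ("/Library/Caches/", "/tmp/", "/private/tmp/", "/var/folders/")
URL_RE = re.compile(r"https?://\S+$")

def url_args(cmdline):
    """Return URL-shaped arguments (argv[1:]) from a process command line."""
    try:
        args = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        args = cmdline.split()
    return [a for a in args[1:] if URL_RE.match(a)]

def host_in(host, suffixes):
    """Case-insensitive suffix match: 'x.linkpc.net' matches 'linkpc.net', 'notlinkpc.net' does not."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def flag_exec(event):
    """Reasons a process-exec record resembles a dropper handing a C2 URL to a second stage."""
    reasons = []
    urls = url_args(event["cmdline"])
    for u in urls:
        host = urlparse(u).hostname
        if host_in(host, C2_SUFFIXES):
            reasons.append(f"launch argument points at {host}")
    from_app = ".app/Contents/MacOS/" in event["parent"]
    from_unusual = any(d in event["path"] for d in UNUSUAL_EXEC_DIRS)
    if from_app and from_unusual:
        reasons.append("GUI app spawned an executable from an unusual directory")
    if from_unusual and urls:
        reasons.append("binary in unusual directory received a URL as a launch argument")
    return reasons

# Constructed sample records shaped like normalised EDR process-exec events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "/sbin/launchd", "path": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "cmdline": "TodoTasks"},
    {"parent": "/Applications/TodoTasks.app/Contents/MacOS/TodoTasks",
     "path": "/Users/jdoe/Library/Caches/.stage2",
     "cmdline": "/Users/jdoe/Library/Caches/.stage2 http://c2-placeholder.linkpc.net/"},
    {"parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "path": "/usr/bin/curl", "cmdline": "curl -sL https://drive.google.com/uc?id=PLACEHOLDER -o r.pdf"},
]
```

Only the second sample record is flagged: the benign app launch and a user fetching a Google Drive file from Terminal produce no reasons, which is the point of combining the parent, the executable location and the argument host rather than alerting on any URL argument.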
