A Russian group that hacked the Democratic National Committee during last year’s presidential election is now targeting Macs, according to security firm Bitdefender Labs (via Macworld). APT28—also known as Sofacy, Sednit APT, and other names—has been developing malware that targets Macs and gives the Russians remote access to those machines.

Bitdefender published a PDF about APT28 explaining what is known about the group’s identity and operations, for those curious about them.

Dramatic interpretation of a hacker plying his trade

Mac Malware

The malware Bitdefender found is a variant of Xagent, or X-Agent, a previously known piece of malware for Windows and Linux. Bitdefender traced similarities in the code that tie the variant to APT28, and said it is being distributed through the Komplex installer, a known trojan.

According to the company:

Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers. After the communication has been established, the payload starts the modules.

Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.

Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands.
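The two details in Bitdefender's description that a defender can act on are that the C&C URLs impersonate Apple domains and that the implant talks to the same host with both POST (data out) and GET (commands in). The script below is an added example, not Bitdefender's code or anything from the report: it parses constructed proxy log lines, flags hosts that carry an Apple brand token but are not registered under an Apple-owned domain, and notes when one such host sees both methods. The allowlist of Apple domains and the log format are assumptions; the hostnames in the sample log are made up using reserved example domains and are not real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed allowlist of Apple-owned registrable domains; extend it from your
# own inventory. Anything else that uses these brand tokens is a lookalike.
APPLE_DOMAINS = {"apple.com", "icloud.com"}
BRAND_TOKENS = ("apple", "icloud", "itunes")

# Constructed sample proxy log (not real traffic, not real indicators).
# Format assumed here: "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2017-02-14T10:00:01Z 10.0.0.12 GET https://www.apple.com/macos/
2017-02-14T10:00:05Z 10.0.0.12 POST https://apple-update.example.net/api/v1/
2017-02-14T10:00:07Z 10.0.0.12 GET https://apple-update.example.net/api/v1/
2017-02-14T10:00:09Z 10.0.0.12 GET https://icloud.com/
2017-02-14T10:00:11Z 10.0.0.30 GET https://itunes.secure-login.example.org/
2017-02-14T10:00:13Z 10.0.0.30 GET https://example.com/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def registrable_domain(host):
    """Naive registrable domain: the last two labels (fine for .com/.net/.org)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_apple_impersonation(host):
    """True when the host uses an Apple brand token but is not under an Apple domain."""
    host = host.lower()
    if registrable_domain(host) in APPLE_DOMAINS:
        return False
    return any(token in host for token in BRAND_TOKENS)


def parse_line(line):
    """Split one log line into its fields; return None for lines that don't match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, client, method, url = match.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname or ""}


def find_suspects(log_text):
    """Map each lookalike host to the clients and HTTP methods seen talking to it."""
    suspects = defaultdict(lambda: {"clients": set(), "methods": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and looks_like_apple_impersonation(rec["host"]):
            suspects[rec["host"]]["clients"].add(rec["client"])
            suspects[rec["host"]]["methods"].add(rec["method"])
    return dict(suspects)


def report(log_text):
    """One line per suspect host; calls out hosts seeing both GET and POST."""
    lines = []
    for host, info in sorted(find_suspects(log_text).items()):
        both = {"GET", "POST"} <= info["methods"]
        note = ("GET+POST to the same lookalike host, matching the described C&C pattern"
                if both else "lookalike host")
        lines.append(f"{host}: clients={sorted(info['clients'])} "
                     f"methods={sorted(info['methods'])} -> {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample, it flags the two example.net/example.org hosts and leaves the genuine apple.com and icloud.com traffic alone; the GET+POST note on the first suspect is the part worth triaging first. The brand-token match is deliberately broad, so expect to tune the allowlist against your own environment.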


Once installed, the malware can grab a list of running processes and run additional files. It can also grab desktop screenshots and harvest browser passwords.

“But the most important module, from an intelligence-gathering perspective,” the company said, “is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

Be Careful

All of which means there’s a nasty bit of malware out there. Don’t install anything from a source you don’t know.


If I get any emails from my bank, etc., I never follow any links in those emails, nor do I open or download any attachments. I go directly to the bank (etc.) site online and log in. If the message is valid, it’s likely in my inbox on that site. If nothing’s there or I’m just not sure, I initiate a chat and verify that I received a valid email. Sometimes they verify that the email is valid. I’ll then trust it.


Thought the Mac Unix kernels were such that Sandboxing and Address Space Randomization keep the malware at bay.

Lee Dronick

I just received an email from Royal Bank and it had an attached .doc file. This may just be a phishing email, though doc files can contain malicious macros. Fortunately I have neither an account with Royal Bank nor Word, or Office for that matter. So I took some keywords from it and made a spam filter on my email server so no one else in the family can get the spam.