RustBucket macOS Malware

Cybersecurity analysts at Jamf Threat Labs have recently uncovered a macOS malware family. The new malware family has been tracked as “RustBucket,” which downloads and executes several types of payloads by communicating with the command and control (C2) servers.

BlueNoroff, a North Korean threat group with financial motives, is believed to have developed this new macOS malware. 


BlueNoroff is a faction of the notorious Lazarus cluster, which is also known by several aliases, and here below, we have mentioned them:-

  • APT28
  • Nickel Gladstone
  • Sapphire Sleet
  • Stardust Chollima
  • TA444

Payloads Used

This group has been linked with the Lazarus cluster due to several similarities; these similarities include:-

  • Malicious tooling
  • Workflow
  • Social engineering patterns

Unlike other members of the Lazarus Group, BlueNoroff stands out for its advanced cyber theft operations, which focus on infiltrating the SWIFT system and cryptocurrency exchanges. 

These activities are monitored under CryptoCore as part of their intrusion set. The FBI accused BlueNoroff of stealing $100 million in cryptocurrency from Harmony Horizon Bridge in June 2022.

BlueNoroff’s attack tactics have recently shifted towards using job-themed lures on fake landing pages to deceive email recipients into giving away their login credentials.

RustBucket disguises itself as an “Internal PDF Viewer” app, requiring the victim to override Gatekeeper protections for the attack to succeed.

PDF Viewer

The AppleScript file is a malicious app that fetches a second-stage payload from a remote server. This payload, bearing the same name as the initial app, is also ad-hoc signed.

The second-stage payload, coded in Objective-C, presents a simple PDF viewer that triggers the next phase of the attack sequence exclusively upon opening a rigged PDF file via the application.

Second-stage Payload

The application functions as a PDF viewer, made possible by utilizing Apple’s proficient PDFKit Framework. The application has performed no malicious actions as of yet upon its execution.

Jamf detected a nine-page PDF document that claims to provide an “investment strategy.” Once opened, it connects to a C2 server to fetch and execute a third-stage trojan.

It has been observed that the third-stage trojan is coded in Rust as a Mach-O executable, which enables the trojan to carry out system surveillance commands. The means of gaining initial access and the success rate of the attacks remain unclear. 

However, this latest discovery suggests that threat actors adjust their toolsets to incorporate cross-platform malware by utilizing Rust and Go-like programming languages.

Here is a visual representation of the complete workflow:-

Infection Workflow

Lazarus Group’s recent attacks on various industries and countries to collect strategic intelligence and commit cryptocurrency theft coincide with the discovery of this malware.

By targeting macOS, threat actors recognize that those without appropriate tooling to tackle attacks on the Apple ecosystem will remain vulnerable as the operating system’s market share increases.

Lazarus Group, known for targeting macOS and with ties to BlueNoroff, will likely inspire other APT groups to follow the same.


Here below, we have mentioned all the recommendations:-

  • If you receive an email from someone you do not know, make sure not to open any files.
  • The links in these emails are also not recommended to be clicked on.
  • Ensure your Apple computer is protected with one of the best Mac antivirus software solutions.
  • Avoid downloading any files from untrusted or unreliable sources.

Building Your Malware Defense Strategy – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.