Cybersecurity researchers have recently identified two sophisticated malware families: CHILLYHELL, a modular backdoor specifically designed for Apple macOS systems, and ZynorRAT, a Go-based remote access trojan (RAT) capable of compromising both Windows and Linux platforms.
CHILLYHELL: A macOS Backdoor
CHILLYHELL is a C++-written malware tailored for Intel-based macOS architectures. Attributed to the threat group UNC4487, active since at least October 2022, this malware has been linked to espionage activities, including compromising Ukrainian government websites to redirect users and deploy malicious payloads.
A notable CHILLYHELL sample was uploaded to the VirusTotal platform on May 2, 2025. This sample, notarized by Apple in 2021, had been publicly available on Dropbox since then. Apple has since revoked the associated developer certificates to mitigate the threat.
Operational Mechanisms of CHILLYHELL
Upon execution, CHILLYHELL conducts extensive profiling of the infected system and establishes persistence through multiple methods:
– LaunchAgent or LaunchDaemon Installation: The malware installs itself as a LaunchAgent or system LaunchDaemon to ensure it runs at startup.
– Shell Profile Modification: As a backup, CHILLYHELL modifies shell configuration files (.zshrc, .bash_profile, or .profile) to include commands that relaunch the malware.
The malware communicates with command-and-control (C2) servers via hard-coded IP addresses (93.88.75[.]252 or 148.72.172[.]53) using HTTP or DNS protocols. It employs a command loop to receive and execute instructions from its operators.
Advanced Evasion Techniques
CHILLYHELL utilizes timestomping to alter the timestamps of its artifacts, making detection more challenging. If it lacks the necessary permissions for direct system calls, it resorts to shell commands like `touch -c -a -t` and `touch -c -m -t` with formatted date strings to modify access and modification times.
Functional Capabilities
The malware supports a range of commands, including:
– Reverse Shell Execution: Initiates a reverse shell to the C2 server.
– Self-Update: Downloads and installs new versions of itself.
– Module Execution: Runs modules like ModuleSUBF to enumerate user accounts from /etc/passwd and perform brute-force attacks using password lists retrieved from the C2 server.
Jamf Threat Labs highlights CHILLYHELL’s flexibility, noting its multiple persistence mechanisms, communication protocols, and modular structure. The inclusion of features like timestomping and password cracking distinguishes it within the macOS threat landscape. Notably, the malware’s notarization by Apple underscores that not all malicious code is unsigned.
ZynorRAT: A Cross-Platform Threat
ZynorRAT is a remote access trojan written in Go, targeting both Windows and Linux systems. It utilizes a Telegram bot named @lraterrorsbot (also known as lrat) to control infected hosts. The malware was first submitted to VirusTotal on July 8, 2025, and does not share characteristics with known malware families.
Capabilities of ZynorRAT
The Linux variant of ZynorRAT offers extensive functionalities, including:
– File System Enumeration: Lists directories using the command `/fs_list`.
– File Exfiltration: Extracts files from the host with `/fs_get`.
– System Profiling: Gathers system metrics via `/metrics`.
– Screenshot Capture: Takes screenshots of the infected system.
– Persistence Mechanisms: Establishes persistence through systemd services.
– Arbitrary Command Execution: Executes commands as directed by the attacker.
Implications and Recommendations
The emergence of CHILLYHELL and ZynorRAT highlights the evolving sophistication of malware targeting multiple operating systems. Users and organizations are advised to:
– Exercise Caution: Be vigilant when downloading and installing software, especially from unverified sources.
– Regularly Update Systems: Ensure operating systems and applications are up-to-date with the latest security patches.
– Implement Robust Security Measures: Utilize comprehensive security solutions that can detect and mitigate such threats.
– Monitor Network Traffic: Keep an eye on unusual network activities that may indicate C2 communications.
By adopting these practices, users can enhance their defenses against these and other emerging cyber threats.
