Researchers Discover Yet Another Malware Designed to Compromise Mac Devices

This time, the researchers are blaming Russian hacking group APT28 for developing this malware.

Bitdefender, a well-known IT security and antivirus firm, has identified that the latest strain of Xagent for Mac is being used as a backdoor by intruders. After the malware is installed via the Komplex downloader, it checks for the presence of a debugger; if none is found, it waits for a network connection to become available and then contacts its C&C servers. The attackers then activate specific payload modules.

The Russian hacking group APT28 is believed to be behind the development of tools that infiltrate and infect systems running Windows, iOS, Linux and Android. It appears their primary target has now become Mac devices, which is why we are receiving reports about one Mac malware after another.

“Xagent malware infects Mac, steals passwords, iPhone backups and screenshots.”

More: OS X devices targeted by APT28 group with new Trojan called Komplex

In their blog post published on Tuesday, Bitdefender researchers explained that Xagent’s Mac version can be customized to perform tasks such as intrusion, obtaining passwords, taking screenshots and stealing iOS backups stored on the infected Mac. Xagent is a payload with modules that can inspect the system configuration of Mac devices, offload information about running processes and launch executable code.

The clue that pointed to the involvement of APT28 [PDF] in the distribution of Xagent is a file path found in the malware’s binary, which showed that the author of Komplex developed it. Komplex is a first-stage Trojan that was also used by Sofacy to compromise devices. According to the findings of Bitdefender researchers, Xagent’s Mac version is likewise being planted by Komplex.

The APT28 group has been active since 2007 and shares close ties with the Russian government. The group’s members are well-versed in Russian and operate during Russian business hours, while their usual targets are Ukraine, Romania, the US, Canada and Spain; these are probably the facts that led to the assumption that the group is linked with Russia.

More: France Believes Russia Hacked TV5Monde Posing as ISIS Hackers

Last year another group going by the handle FancyBears leaked sensitive documents from the World Anti-Doping Agency (WADA), exposing several athletes involved in doping. The same group was also blamed for targeting MH17 crash investigators with a spear-phishing campaign. As a result, security researchers concluded that APT28 and FancyBears are closely related.

Written by Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.