Coldzer0 is the handle associated with the author and operator of the OSX/Coldroot malware. Available reporting links Coldzer0 to the cross-platform Coldroot remote access trojan targeting macOS, including author-identifying strings embedded in the binary ("Coded By Coldzer0 / Skype:Coldzer01") and public demo videos and source-code references. Coldroot masquerades as an Apple audio driver, is unsigned and UPX-packed, prompts the user for credentials, persists via a launch daemon, attempts to modify macOS accessibility/privacy controls to enable keylogging, and beacons to command-and-control infrastructure. Reported capabilities include host reconnaissance and exfiltration, file and directory operations, process execution and termination, upload/download, active window capture, keylogging, remote desktop, and shutdown. The malware was reportedly intended for commercial sale, and the source code of an older version was publicly released. Separate reporting also associates the name Coldzer0 with the compromise of the vBulletin and Foxit Software forums, where hundreds of thousands of users' information was stolen. Based on the provided content, no higher-confidence nation-state attribution is available, and no additional aliases or sub-groups are directly supported beyond the handle Coldzer0.
Referenced as the named actor behind hacks of vBulletin and Foxit Software forums resulting in theft of hundreds of thousands of users' information.
Coldzer0 is the author and operator of Coldroot, a cross-platform remote access trojan (RAT) targeting macOS (and other platforms). Coldroot is a feature-complete RAT capable of keylogging, remote desktop, file management, process control, and persistence. It is distributed as a fake Apple audio driver and attempts to masquerade as a legitimate application. The malware is designed to evade detection and was undetected by AV engines at the time of analysis. Coldroot was offered for sale and its source code and demo videos were publicly available.
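Two of the traits reported above, persistence through a launch daemon and an unsigned, UPX-packed payload, are directly checkable on a host. The script below is an added hunting example written for this profile; it is not code from the page, from Mallory, or from any Coldroot analysis. It walks launchd plist directories, resolves the program each job runs, and flags programs that carry the UPX marker or fail `codesign --verify` (the signature check only runs where codesign exists, i.e. on macOS). The job name `com.example.audiodriver` and the sample in `demo()` are constructed.

```python
import glob, os, plistlib, shutil, subprocess, tempfile

UPX_MARKER = b"UPX!"  # string UPX leaves in packed executables

def program_from_plist(plist_path):
    with open(plist_path, "rb") as f:  # launchd job: Program, else ProgramArguments[0]
        plist = plistlib.load(f)
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else None)

def is_upx_packed(binary_path):
    try:  # heuristic: the UPX marker sits within the first MiB of a packed file
        with open(binary_path, "rb") as f:
            return UPX_MARKER in f.read(1 << 20)
    except OSError:
        return False

def is_unsigned(binary_path):
    if shutil.which("codesign") is None:  # not on macOS: signature state unknown
        return None
    return subprocess.run(["codesign", "--verify", binary_path],
                          capture_output=True).returncode != 0

def scan_launch_daemons(directories):
    """Flag launchd jobs whose program is UPX-packed or fails signature verification."""
    findings = []
    for plist_path in (p for d in directories for p in sorted(glob.glob(os.path.join(d, "*.plist")))):
        try:
            program = program_from_plist(plist_path)
        except Exception:  # malformed or unreadable plist: skip, do not abort the scan
            program = None
        if not program:
            continue
        packed, unsigned = is_upx_packed(program), is_unsigned(program)
        if packed or unsigned:
            findings.append({"plist": plist_path, "program": program,
                             "upx_packed": packed, "unsigned": unsigned})
    return findings

def demo():
    """Constructed sample: one launch daemon plist pointing at a fake UPX-packed binary."""
    root = tempfile.mkdtemp()
    binary = os.path.join(root, "com.example.audiodriver")  # hypothetical job name
    with open(binary, "wb") as f:  # Mach-O 64-bit magic, then the UPX marker
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + UPX_MARKER + b"\x00" * 64)
    with open(os.path.join(root, "com.example.audiodriver.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.audiodriver", "RunAtLoad": True,
                       "ProgramArguments": [binary]}, f)
    return scan_launch_daemons([root])
```

On a real host call `scan_launch_daemons(["/Library/LaunchDaemons", "/Library/LaunchAgents"])`; a hit is a lead to triage, not a verdict, since legitimate software is occasionally packed.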