Mallory
Malware | Used by 2 actors

RustBucket

RustBucket is a multi-stage macOS backdoor/trojan attributed with strong confidence to BlueNoroff, a DPRK-linked subgroup associated with Lazarus. It targets macOS users, including victims in cryptocurrency and Web3-related operations, and has been described as marking BlueNoroff’s major pivot to macOS.

The infection chain uses social engineering, including fake PDF viewer applications and malicious PDF lures such as job descriptions or protected/confidential documents. Stage 1 is a compiled AppleScript applet masquerading as a PDF viewer that downloads and executes Stage 2, often writing it to /Users/Shared/, including as /Users/Shared/.pd. Stage 2 has been observed in Swift and Objective-C variants for Intel, Apple silicon, and universal architectures; it requires a specially crafted PDF to unlock code that downloads and executes the Rust-based Stage 3 payload.

The final-stage Rust backdoor gathers host information, including environmental and disk details, communicates with C2 using the User-Agent string "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", and can download and execute additional malware or attacker-supplied payloads. Reported capabilities include basic system information collection and file execution.

Later variants added persistence via a LaunchAgent at ~/Library/LaunchAgents/com.apple.systemupdate.plist and copied the malware to ~/Library/Metadata/System Update; other reporting noted persistence disguised as "Safari Update" and the C2 domain autoserverupdate[.]line[.]pm. Additional observed paths and artifacts include $TMPDIR/ErrorCheck.zip and residual/internal references to a webT module.

RustBucket infrastructure, tooling, and tradecraft have been linked to later DPRK macOS activity including KandyKorn, GhostCall, and Hidden Risk, with researchers assessing overlap in infrastructure, file paths, strings such as "cur1-agent", and related components such as ObjCShellz and SysPhon.
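As an added defender-side example (not from this page or any vendor report), the following POSIX shell script hunts a macOS volume for the on-disk artifacts named above (the /Users/Shared/.pd dropper, the com.apple.systemupdate.plist LaunchAgent, the ~/Library/Metadata/System Update copy) and counts proxy-log lines carrying the reported C2 User-Agent; the ROOT argument and the constructed demo tree and log are assumptions so it can be pointed at a mounted image or run offline.

```bash
#!/bin/sh
# Added example (not from the Mallory page or any vendor report): hunt a macOS
# volume for the RustBucket artifacts listed above and count proxy-log lines
# carrying its C2 User-Agent. The ROOT argument is an assumption so the check
# can be pointed at a mounted image or a constructed test tree ("" = live /).

RUSTBUCKET_UA='Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'

# report KIND PATH: print "KIND PATH" if PATH exists; status 0 only on a hit.
report() {
  [ -e "$2" ] || return 1
  printf '%s %s\n' "$1" "$2"
}

# hunt_rustbucket_files ROOT: one line per hit; status 0 if anything matched.
hunt_rustbucket_files() {
  root="${1:-}"; found=1
  report ARTIFACT "$root/Users/Shared/.pd" && found=0
  for home in "$root"/Users/*/; do
    [ -d "$home" ] || continue
    report ARTIFACT "${home}Library/LaunchAgents/com.apple.systemupdate.plist" && found=0
    report ARTIFACT "${home}Library/Metadata/System Update" && found=0
    # Apple does not install its own agents into ~/Library/LaunchAgents, so any
    # other com.apple.* plist there is worth a look even if the name differs.
    for plist in "${home}Library/LaunchAgents/"com.apple.*.plist; do
      case "$plist" in *com.apple.systemupdate.plist) continue ;; esac
      report SUSPICIOUS-LABEL "$plist" && found=0
    done
  done
  return "$found"
}

# hunt_rustbucket_ua LOGFILE: number of log lines carrying the exact C2 UA.
# An IE8/Windows XP UA from a Mac is anomalous by itself; confirm the source.
hunt_rustbucket_ua() {
  grep -cF "$RUSTBUCKET_UA" "$1" || true
}

# Demo on a constructed tree and log so the script runs stand-alone offline.
demo=$(mktemp -d)
mkdir -p "$demo/Users/alice/Library/LaunchAgents" "$demo/Users/Shared"
: > "$demo/Users/alice/Library/LaunchAgents/com.apple.systemupdate.plist"
: > "$demo/Users/Shared/.pd"
printf '10.0.0.5 "GET /u" "%s"\n10.0.0.7 "GET /" "Safari/605"\n' \
  "$RUSTBUCKET_UA" > "$demo/proxy.log"
hunt_rustbucket_files "$demo"
echo "UA hits: $(hunt_rustbucket_ua "$demo/proxy.log")"
rm -rf "$demo"
```

Run it as root against a live system by calling hunt_rustbucket_files with no argument, or against a mounted evidence image by passing its mount point.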

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT38

The malicious PDF dropped a second-stage malware known as RUSTBUCKET which is a backdoor written in Rust that supports file execution.

via Mandiant Threat Intelligence (cloud.google.com)
Lazarus

‘RustBucket’, as they labeled it, was attributed with strong confidence to the BlueNoroff APT... targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices.

via SentinelOne blog (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 2)

After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge.

Execution

2 techniques
T1059.002 AppleScript (evidence: 2)

This campaign initially involved a first stage AppleScript applet... This retrieves a file... an AppleScript script that when executed posts the filepath of the executing process to a remote server.

T1059.004 Unix Shell (evidence: 1)

The script contains three do shell script commands, which serve to download and execute the next stage.

Persistence

3 techniques
T1543 Create or Modify System Process (evidence: 1)

The malicious PDF dropped a second-stage malware known as RUSTBUCKET... and in this instance persisted, via a Launch Agent disguised as “Safari Update”.

T1543.001 Launch Agent (evidence: 1)

variant B contains a persistence mechanism that was not present in the earlier versions of RustBucket. This takes the form of a hardcoded LaunchAgent, which is written to disk at ~/Library/LaunchAgents/com.apple.systemupdate.plist.

T1547 Boot or Logon Autostart Execution (evidence: 1)

SentinelLABS observed the use of a novel persistence mechanism abusing the Zsh configuration file zshenv.

Privilege Escalation

3 techniques
T1543 Create or Modify System Process (evidence: 1)

The malicious PDF dropped a second-stage malware known as RUSTBUCKET... and in this instance persisted, via a Launch Agent disguised as “Safari Update”.

T1543.001 Launch Agent (evidence: 1)

variant B contains a persistence mechanism that was not present in the earlier versions of RustBucket. This takes the form of a hardcoded LaunchAgent, which is written to disk at ~/Library/LaunchAgents/com.apple.systemupdate.plist.

T1547 Boot or Logon Autostart Execution (evidence: 1)

SentinelLABS observed the use of a novel persistence mechanism abusing the Zsh configuration file zshenv.

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 1)

The Stage 2 payload requires a specially-crafted PDF to unlock the code which would lead to the downloading of the Stage 3 and provide an XOR’d key to decode the obfuscated C2 appended to the end of the PDF.

T1036 Masquerading (evidence: 1)

The attack begins with an Applet that masquerades as a PDF Viewer app.

T1218 System Binary Proxy Execution (evidence: 1)

It ad-hoc code-signs dropped payloads (codesign --force --deep --sign -) to bypass Gatekeeper.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

variant A for gathering environmental information and checking for execution in a virtual machine via querying the SPHardwareDataType value of system_profiler.

T1564.001 Hidden Files and Directories (evidence: 1)

The Stage 1 variant described by Elastic differs in that it writes the second stage as a hidden file to /Users/Shared/.pd.

Discovery

2 techniques
T1082 System Information Discovery (evidence: 1)

This is responsible for surveilling the environment and parsing the arguments received at launch, processing commands, gathering disk information and more.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

variant A for gathering environmental information and checking for execution in a virtual machine via querying the SPHardwareDataType value of system_profiler.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 2)

The DoPost function is used to make the HTTP Post request to the C2 using libcurl.

T1071.001 Web Protocols (evidence: 1)

After gathering environmental information, the malware calls sym.updator::send_request to post the data to the C2 using the following User-Agent string

T1105 Ingress Tool Transfer (evidence: 1)

Across the samples, various username strings can be found... the Stage 2 payloads have in common the task of retrieving the Stage 3 from the command and control server.

Other

1 technique
T1656 Impersonation (evidence: 1)

Recent findings from Mandiant heist investigations have identified social engineering of developers via fake job recruiting with coding tests as a common initial infection vector.

INDICATORS OF COMPROMISE

IOCs tracked for this family

88 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
30 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
55 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (88)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (16)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.