
Cybersecurity researchers have discovered two new malware families: a modular Apple macOS backdoor called ChillyHell, and a Go-based remote access Trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
According to an analysis by Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.
ChillyHell is the name given to malware attributed to an uncategorized threat cluster tracked as UNC4487. The group is assessed to have been active since at least October 2022.
According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities and socially engineering targets into running Matanbuchus or ChillyHell malware.
The Apple device management company said it discovered a new ChillyHell sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.

When executed, the malware extensively profiles the compromised host, establishes persistence using three different methods, and then initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53), entering a command loop over HTTP or DNS to receive further instructions from the operator.
To set up persistence, ChillyHell installs itself as a LaunchAgent or a system LaunchDaemon. As a fallback mechanism, it modifies the user’s shell profile (.zshrc, .bash_profile, or .profile) to insert a startup command into the configuration file.
A notable tactic employed by the malware is timestomping: changing the timestamps of the artifacts it creates to avoid raising red flags.
“If there is not enough permission to update the timestamp by a direct system call, it falls back to using the shell commands touch -c -a -t and touch -c -m -t, respectively.”
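A defender-side audit of the persistence locations described above (LaunchAgent and LaunchDaemon plists, and startup commands appended to shell profiles). This is an added example, not code from Jamf or the article; the trusted-path list, the regex heuristic and the sample plist and .zshrc are constructed assumptions.

```python
"""Audit the persistence locations ChillyHell is described as using: LaunchAgent/
LaunchDaemon plists and startup commands appended to shell profiles. Added example
(not Jamf's or the article's code); heuristics and sample inputs are constructed."""
import plistlib
import re
from pathlib import PurePosixPath
# Locations launchd items normally run from; anything else, or a hidden directory,
# deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                    "/Library/Apple/")

# A profile line launching an absolute or home-relative program in the background
# (trailing '&' or output to /dev/null), as an injected startup command would.
SHELL_START_RE = re.compile(
    r"^\s*(?:nohup\s+)?(?P<prog>(?:/|~/|\$HOME/)\S+)[^#]*?(?:&\s*$|>\s*/dev/null)")

def launchd_program(plist_bytes):
    """Return the executable a LaunchAgent/LaunchDaemon plist would start."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments")
    return args[0] if args else data.get("Program")

def suspicious_launchd_item(plist_bytes):
    """True if the plist runs something from an untrusted or hidden location."""
    prog = launchd_program(plist_bytes)
    if not prog:
        return False
    hidden = any(p.startswith(".") for p in PurePosixPath(prog).parts[1:])
    return hidden or not prog.startswith(TRUSTED_PREFIXES)

def suspicious_profile_lines(profile_text):
    """Return (line number, line) for background launches from untrusted paths."""
    hits = []
    for n, line in enumerate(profile_text.splitlines(), 1):
        m = SHELL_START_RE.match(line)
        if m and not m.group("prog").startswith(TRUSTED_PREFIXES):
            hits.append((n, line.strip()))
    return hits

# Constructed samples: a plist pointing into a hidden user directory, and a .zshrc
# whose last line is an appended background launcher.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/.cache/updater</string></array>
  <key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
eval "$(/opt/homebrew/bin/brew shellenv)"
nohup ~/Library/.cache/updater >/dev/null 2>&1 &
"""
```

Run the two checks over every plist in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and over each user's .zshrc, .bash_profile and .profile; any hit is a starting point for review, not proof of compromise.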

ChillyHell supports a wide range of commands: launching a reverse shell to a C2 IP address, downloading new versions of the malware, fetching additional payloads, running modules, enumerating user accounts from “/etc/passwd”, and performing brute-force attacks using a predefined list of passwords received from the C2 server.
“Between its multiple persistence mechanisms, its ability to communicate over different protocols, and its modular structure, ChillyHell is extremely flexible,” Jamf said. “Features such as timestomping and password cracking make this sample a rare discovery in the current macOS threat landscape.”
“In particular, ChillyHell is notarized and serves as an important reminder that not all malicious code is unsigned.”
The findings dovetail with the discovery of ZynorRAT, a RAT that can commandeer infected Windows and Linux hosts using a Telegram bot called @larterrorsbot (also known as LRAT). Evidence shows the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families.
The Go-compiled Linux version supports a wide range of functions for file exfiltration, system enumeration, screenshot capture, persistence via a systemd service, and execution of arbitrary commands: /fs_list to list directories; /fs_get to exfiltrate files from the host; /metrics to run system profiling; /proc_list to list running processes via the Linux “ps” command; /proc_kill to kill a particular process by passing its PID as input; /capture_display to take a screenshot; and /persistence to establish persistence.
The Windows version of ZynorRAT is almost identical to its Linux counterpart but still relies on the Linux-based persistence mechanism. This could indicate that development of the Windows variant is still a work in progress.

“Its main purpose is to serve as a centrally managed collection, exfiltration and remote access tool via Telegram bots,” said Alessandra Rizzo, a researcher at Sysdig. “Telegram serves as the primary C2 infrastructure, from which the malware receives further commands once it is deployed to the victim machine.”
Further analysis of the screenshots leaked via the Telegram bot revealed that the payload was distributed through a file-sharing service known as dosya.co, and that the malware author “infected” their own machine to test its functionality.
ZynorRAT is assessed to be the work of a single actor, probably of Turkish origin, given the language used in the Telegram chats.
“The malware ecosystem doesn’t have a shortage of RATs, but malware developers are still dedicating their time to creating them from scratch,” says Rizzo. “ZynorRAT’s customization and automated controls highlight the evolving sophistication of modern malware, even within its earliest stages.”