RustBucket: APT group targets Macs with PDF Trojan malware

Posted on by

An advanced persistent threat (APT) group known as BlueNoroff is reportedly targeting Macs with a new malware family. BlueNoroff is believed to have ties to Lazarus Group, which has developed a variety of Mac malware in recent years. Both APT groups seem to be aligned with the interests of the North Korean government.

The new malware family is known as RustBucket. Keep reading to learn everything you need to know about this threat and how to keep your Mac safe.

In this article:

What does OSX/RustBucket Mac malware do?

To an unsuspecting user, the RustBucket Trojan horse looks like a simple PDF-reader app. It has an innocuous-looking icon, and the app’s name is “Internal PDF Viewer.” (Note that future variants may use a different disguise instead.)

OSX/RustBucket’s “Internal PDF Viewer” Trojan horse app icon.

RustBucket’s first-stage Trojan is a simple AppleScript app that runs a few shell scripts. These scripts download, unzip, and run a second-stage payload, written in Objective-C.

That second payload is a basic PDF reader app. Yes, you can actually open any standard PDF with it. However, “Internal PDF Viewer” has some secret functionality as well.

The evil-PDF trigger

As the name hints, “Internal PDF Viewer” is designed to read particular PDF files. But in reality, the app doesn’t let you view proprietary PDFs intended exclusively for the eyes of a particular company’s employees.

Instead, opening a maliciously crafted PDF file triggers additional behavior, causing the app to phone home to a command-and-control (C&C or C2) server.

The third-stage payload

At this point, the app attempts to download an additional payload or receive further instructions from the server. However, by the time the malware was discovered, the server was not responding to the phone-home URL as expected. This seems to imply that the goals of that particular variant’s campaign might have already been achieved. It seemed that the server operators had voluntarily shut down the C&C functionality at that particular URL.

However, researchers discovered another URL on the same server that hosted what may have been the third-stage malware payload. This payload was written in Rust (hence the malware’s nickname, RustBucket).

Researchers are still investigating the functionality of this last payload. But based on the APT group’s past activity, BlueNoroff’s RustBucket malware would likely attempt to steal cryptocurrency. It may also attempt to exfiltrate other sensitive or proprietary information to the North Korea-linked threat group.

How can one remove or prevent RustBucket and other Mac malware?

Intego X9 software boxes

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX/RustBucket or variations of trojan:OSX/Nukesped.

If you believe your Mac may be infected—or to prevent future infections—use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

RustBucket indicators of compromise (IoCs)

This file path is associated with RustBucket malware:

/Users/Shared/Internal PDF

The following SHA-256 hashes relate to RustBucket-related malware campaigns:

*First reported by Intego

These command-and-control (C&C) domains and IP address have been used in conjunction with this malware:


Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact these domains or IP, which could indicate a possible infection.

Is RustBucket known by any other names?

Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:

Backdoor (0040f37a1), BIN.S.Agent.1144, HEUR_PDFEXP.E, HEUR:Trojan-Downloader.OSX.Lazarus.d, HEUR:Trojan-Downloader.OSX.Lazarus.e, HEUR:Trojan-Downloader.OSX.Lazarus.gen, IOS/Nukesped.E, MAC/NukeSpeed.E, MacOS:Nukesped-A [Drp], MacOS:NukeSpeed-AC [Trj], MacOS:NukeSpeed-AD [Trj], MacOS/Nukesped.E, Malware.OSX/NukeSped.kdvjc, Malware.OSX/NukeSped.mwfxa, Malware.OSX/NukeSped.xtyyy, Malware.OSX/NukeSped.xtyzd, Osx.Trojan-Downloader.Lazarus.Cdhl, Osx.Trojan-Downloader.Lazarus.Lzfl, OSX.Trojan.Gen, Osx.Trojan.Nukesped.Rnkl, OSX/NukeSped-AV, OSX/NukeSped.kdvjc, OSX/NukeSped.mwfxa, OSX/NukeSped.R, OSX/NukeSped.R!tr, OSX/NukeSped.S, OSX/NukeSped.xtyyy, OSX/NukeSped.xtyzd, PDF.Z.Agent.1921288, PDF/Agent.AV, PDF/Agent.AW, PDF/Agent.AX, PDF/Agent.C6C7!tr, PDF/Agent5.D, PDF/BlueNoroff, TROJ_FRS.0NA103DP23, TROJ_FRS.0NA103DS23, TROJ_FRS.VSNTE123, Trojan-Downloader.OSX.Lazarus.c, Trojan-NukeSped.g, Trojan:MacOS/NukeSped.H, Trojan:PDF/Phish!MSR, Trojan.DownLoader45.55021, Trojan.Generic.33556067, Trojan.Generic.D2000663, Trojan.Generic.D3F9EE60, Trojan.Generic.D3FA0EC6, Trojan.Generic.D3FA0ECC, Trojan.Generic.D3FA0F15, Trojan.GenericKD.66711136, Trojan.GenericKD.66719430, Trojan.GenericKD.66719436, Trojan.GenericKD.66719509, Trojan.MAC.Generic.111990, Trojan.MAC.Generic.D1B576, Trojan.MAC.Lazarus.O, Trojan.MAC.Lazarus.P, Trojan.MAC.Lazarus.Q, Trojan.MAC.Lazarus.R, Trojan.MAC.Lazarus.S, Trojan.MacOS.NUKESPED.VSNW1AD23, Trojan.MacOS.S.Agent.103440, Trojan.None.Lazarus.4!c, Trojan.OSX.Lazarus.4!c, Trojan.OSX.Nukesped, Trojan.PDF.Agent, Trojan.ZIP.Lazarus.4!c, Trojan/OSX.NukeSped.103440, Trojan/OSX.NukeSped.1144, Trojan/OSX.NukeSped.11843410, Trojan/OSX.NukeSped.215488, Trojan/OSX.NukeSped.573999, Trojan/OSX.NukeSped.578196, Trojan/OSX.NukeSped.589304, Trojan/OSX.NukeSped.590536, Trojan/OSX.NukeSped.601670, Trojan/OSX.NukeSped.84416, Trojan/PDF.Agent, TrojanDownloader:MacOS/Lazarus.23ba746b, TrojanDownloader:MacOS/Lazarus.8440ead7, TrojanDownloader:MacOS/Lazarus.c591a120

How can I learn more?

For additional technical details about how RustBucket functions, see the original report by Ferdous Saljooki and Jaron Bradley. The pair credited Patrick Wardle for assisting them with their analysis.

We also acknowledge Simon Kenin and MalwareHunterTeam, who independently discovered some of the same samples and domains as Intego’s researcher team.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes. You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →