
North Korean Hackers Target macOS Systems Using Trojanized Apps and Games, Bypassing Apple’s Security

In an alarming development, North Korean hackers are using seemingly innocuous macOS applications — like trojanized Notepad apps and Minesweeper games — to infiltrate Apple systems. Leveraging apps developed with Google's Flutter framework, these malicious tools have even managed to temporarily bypass Apple's stringent security protocols by using valid developer IDs and passing Apple’s notarization process.


According to cybersecurity experts at Jamf Threat Labs, these applications, some titled with cryptocurrency-related themes such as "New Updates in Crypto Exchange" and "New Era for Stablecoins and DeFi," are linked to North Korean threat actors and likely aimed at testing new methods for bypassing macOS security. Starting in November 2024, Jamf detected these apps on VirusTotal, appearing initially harmless and evading antivirus detections. The apps, once downloaded, connected to command-and-control servers associated with the DPRK, allowing them to execute scripts sent remotely.


"It is not unheard of for actors to embed malware within a Flutter-based application," said Jamf researchers Ferdous Saljooki and Jaron Bradley, "however, this is the first we've seen of this attacker using it to go after macOS devices." Using the Flutter framework provides versatility for the attackers and conceals their malicious code within a dynamic library (dylib), which complicates detection and removal by traditional security tools.


The applications function similarly to legitimate software, such as Minesweeper and Notepad, with one app even pulling freely available Minesweeper code from GitHub. However, beneath the surface, they contain obfuscated code capable of AppleScript execution. This allows the malicious app to run commands sent remotely, effectively turning a macOS system into a tool for the hackers’ larger network.
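For defenders triaging a suspicious app bundle, the two traits described above (a Flutter-built app and AppleScript capability inside its binaries) can be checked with a short script. This is an added example, not code from Jamf or from the original article; the framework names and marker strings are assumed heuristics rather than published indicators, and the sample bundle is constructed.

```python
import os
import tempfile

# Mach-O magic values (thin 32/64-bit in both byte orders, plus fat/universal).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}
# Assumed heuristic markers, not indicators published on the page.
FLUTTER_DIRS = {"FlutterMacOS.framework", "App.framework"}
APPLESCRIPT_MARKERS = (b"NSAppleScript", b"osascript")


def triage_bundle(app_path):
    """Return (is_flutter, {relative Mach-O path: [markers found]})."""
    is_flutter, hits = False, {}
    for root, dirs, files in os.walk(app_path):
        if FLUTTER_DIRS & set(dirs):
            is_flutter = True
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue  # frameworks use symlinks; scan each real file once
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) not in MACHO_MAGICS:
                        continue  # only binaries are of interest here
                    fh.seek(0)
                    data = fh.read()
            except OSError:
                continue
            found = [m.decode() for m in APPLESCRIPT_MARKERS if m in data]
            if found:
                hits[os.path.relpath(path, app_path)] = found
    return is_flutter, hits


def build_sample_bundle(base):
    """Constructed test bundle: fake Mach-O header plus marker strings."""
    fw = os.path.join(base, "Sample.app", "Contents", "Frameworks")
    os.makedirs(os.path.join(fw, "FlutterMacOS.framework"))
    os.makedirs(os.path.join(fw, "App.framework"))
    with open(os.path.join(fw, "App.framework", "App"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"NSAppleScript\x00")
    with open(os.path.join(fw, "notes.txt"), "wb") as fh:
        fh.write(b"osascript mentioned in a non-binary file")
    return os.path.join(base, "Sample.app")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_bundle(build_sample_bundle(tmp)))
```

A hit is only a lead for manual review, since legitimate apps also use AppleScript, and obfuscated code of the kind described here may not expose these strings in plain form, so an empty result does not clear a bundle.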


One of the more concerning aspects of this breach is the hackers’ ability to sidestep Apple's notarization. Five out of six identified applications were signed using valid developer IDs, meaning they initially passed Apple’s security checks and were allowed to run on macOS without triggering alarms. Apple has since revoked the signatures, preventing these apps from bypassing security on updated systems, though it remains unclear whether they were used in targeted attacks or as part of an exploratory exercise.


Joe Silva, a former Chief Information Security Officer and CEO of Spektion, a stealth-mode cybersecurity startup, warns that this attack exemplifies an increasing threat. “While macOS is not publicly targeted as frequently as Windows, it is just as vulnerable to cyberattacks leveraging third-party software components,” Silva said. “This recent attack, focused on injecting Flutter applications with malware to target macOS devices, was conducted by nation-state actors from the DPRK. However, these tactics are increasingly being adopted by non-state actors as well.”


Silva points to the nature of these supply chain attacks, where seemingly harmless software serves as a Trojan horse for malware. This tactic, he explains, is proliferating as traditional anti-malware technology struggles to detect embedded threats within third-party software, which remains a significant blind spot for organizations. “The attack itself is typically only discovered when secondary malware is installed and detected — or when other successful attacks have been reported,” he added.


Experts say the attack highlights a critical need for enhanced security measures surrounding third-party software. As companies prepare for 2025, industry leaders suggest prioritizing third-party software security and supply chain monitoring to stay ahead of these evolving threats.


For now, questions remain about whether these apps were actively used in operations or merely represent a test of North Korea’s growing cyber capabilities. The presence of multiple variations of the same apps suggests a methodical approach to testing how far these tools can penetrate before detection. Given the implications, experts suggest organizations and individuals alike should exercise caution when downloading third-party applications, even those that appear to have been vetted by Apple’s security protocols.
