Security researchers are raising concerns over a widespread cyberattack campaign employing cracked macOS apps to distribute the Activator backdoor. Unlike typical malware threats embedded within cracked software, Activator uses a unique multistage delivery method, providing users with an unusable version of the desired app along with a separate “Activator” app containing malicious executables. Users are then prompted to copy both apps to the Applications folder, initiating a series of malicious actions, including disabling macOS’ Gatekeeper settings and installing a Launch Agent on the device. The campaign, discovered by Kaspersky and analyzed by SentinelOne, is notable for its scale and potential risk to both individual and business users.
The threat actors behind Activator are utilizing as many as 70 unique cracked macOS applications, presenting lures with business-focused titles like Snag It, Nisus Writer Express, and Rhino-8. The cracked apps serve as vehicles for delivering the backdoor, posing a risk to employers that do not restrict software downloads by users. The delivery method involves users running the Activator app, which prompts for the admin password, subsequently disabling macOS’ Gatekeeper settings and allowing applications from outside Apple’s official app store to run. Activator is a first-stage installer and downloader for other malware, hinting at the potential goal of building a macOS botnet.
The Activator campaign, observed by SentinelOne, has shown a significant volume of unique samples, surpassing even the quantity of macOS adware and bundleware loaders. The threat actor’s choice of cracked apps with business-related titles increases the likelihood of compromising workplace systems. While the exact motive remains unclear, the sophistication of the delivery method, coupled with the use of Python backdoors launched directly from loader scripts, suggests potential long-term objectives. The campaign underscores the evolving tactics of threat actors targeting macOS users and highlights the need for heightened vigilance and cybersecurity measures.
Security researchers, including those at Kaspersky and SentinelOne, have identified the Activator campaign as a major cybersecurity threat, emphasizing its unique approach to delivering malware through cracked macOS apps. The scale, multistage delivery method, and potential goal of building a macOS botnet make this campaign particularly concerning for both individual and business users. Employers, especially those without restrictions on software downloads, face heightened risks as threat actors exploit the lure of cracked business-focused apps. The campaign serves as a reminder of the evolving tactics used by cybercriminals and the importance of proactive cybersecurity measures.
