SentinelOne has identified new variants of the ReaderUpdate malware, which now target macOS users. The malware was initially observed in 2020, distributed as a compiled Python binary, and focused on delivering the Genieo adware. However, new versions written in Crystal, Nim, Rust, and Go have emerged, making the malware more sophisticated and harder to detect. The malware loader, which has been active for years, now uses multiple programming languages to evade analysis and enhance its functionality.
The Go variant of ReaderUpdate, the latest version identified, operates by collecting hardware information to create a unique victim identifier.
It then establishes persistence on infected systems by copying itself to the ~/Library/Application Support/ directory and setting up a companion .plist file in the LaunchAgents folder. The malware also contacts command-and-control (C&C) servers to receive instructions, suggesting the ability to execute a wide range of malicious actions. Despite its initial focus on adware, ReaderUpdate could easily be repurposed for more harmful payloads in the future.
SentinelOne researchers have found that ReaderUpdate infections are often spread through trojanized software from third-party download sites.
The malware reaches infected systems via fake utility applications or malicious package installers. Once installed, it connects to C&C servers to execute remote commands, and the malware has been noted for using several sophisticated obfuscation methods to avoid detection. The malware’s distribution relies on older infections that went unnoticed until the new variants began surfacing in 2024.
The ReaderUpdate loader is compiled exclusively for x86 Intel architecture, meaning it requires Rosetta 2 for execution on Apple Silicon Macs. While the newer variants in Crystal, Nim, and Rust are more widespread, the Go version is rarer and has only been linked to a few domains. Security experts warn that, although this malware has been primarily associated with adware, its modular nature means that infected systems are vulnerable to more dangerous payloads. This underscores the need for strong defensive measures to mitigate evolving threats.
