Article Details

CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems. Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware that's attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022. According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware. The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware. Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators. To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user's shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file. A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags. "If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command," Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said. CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from "/etc/passwd" and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server. "Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible," Jamf said. "Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape." "Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned." The findings dovetail with the discovery of ZynorRAT, a RAT that uses a Telegram bot called @lraterrorsbot (aka lrat) to commandeer infected Windows and Linux hosts. Evidence shows that the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families. Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution - ZynorRAT's Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms. This likely indicates that development of the Windows variant is a work in progress. "Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot," Sysdig researcher Alessandra Rizzo said. "Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine." Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co, and that the malware author may have "infected" their own machines to test out the functionality. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin, given the language used in Telegram chats. "Although the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to creating them from scratch," Rizzo said. "ZynorRAT's customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages."