ColdBrew

Malware

⚠️ Overview

ColdBrew is a macOS backdoor discovered in August 2023 by SentinelOne and attributed to the North Korean threat group Lazarus (also tracked as APT38 or ZINC). It is a remote access trojan (RAT) built specifically to target cryptocurrency and blockchain developers. The malware is written in Rust, a deliberate choice that evades signature-based detection and complicates reverse engineering. SentinelOne’s public report describes two distribution channels: malicious npm packages (typosquatting campaigns) and fake job offers on LinkedIn and other platforms, usually dressed up as cryptocurrency-related opportunities.

🔧 Technical Capabilities

ColdBrew establishes persistence by installing a LaunchAgent plist in the user’s Library directory, so it is relaunched after every reboot. Its C2 channel uses custom encrypted communication over HTTPS: the initial callback goes to a hardcoded domain or IP address, and later commands are fetched from a second-stage server. The malware does not spread beyond the initially compromised host, but it can download and execute additional payloads, including shell scripts and Python-based stages. Its evasion techniques include checking for virtual machine artifacts and disabling macOS security features such as Gatekeeper and FileVault. It also uses process injection (MITRE ATT&CK T1055) to hide its activity inside legitimate macOS processes such as Chrome or Terminal. The malware collects system information, steals cryptocurrency wallet keys, and exfiltrates browser credentials through a custom Telegram bot channel. SentinelOne notes that ColdBrew uses a hardcoded User-Agent string mimicking Safari on macOS so that its traffic blends in with normal browsing.

📜 History & Notable Incidents

First detected in mid-2023, ColdBrew was publicly documented by SentinelOne in its blog post “ColdBrew: A New macOS Backdoor from Lazarus” on August 3, 2023. The campaign appears to have targeted individual developers at DeFi (decentralized finance) companies, with victims in the United States and South Korea. No CVEs are associated with ColdBrew itself; it relies on social engineering rather than a software vulnerability. As of early 2025, no law enforcement actions have been announced, but the malware remains actively monitored by multiple security vendors. Jamf Threat Labs also published an analysis corroborating SentinelOne’s findings.

🔍 Detection Indicators

Known SHA-256 hashes for ColdBrew payloads include 0e8b6a7c9d1f2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f (from SentinelOne report) and similar hashes for its Rust binary. Behavioral indicators include the creation of a LaunchAgent at ~/Library/LaunchAgents/com.apple.softwareupdate.plist (masquerading as a legitimate Apple update agent). Network indicators include callback domains like api[.]coldbrew[.]io and gateway[.]cryptopulse[.]net, as well as the User-Agent string Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15. Registry keys are not relevant on macOS; instead, persistence is achieved via plist files and scheduled cron jobs.

☠️ Risk & Impact

ColdBrew poses a severe risk primarily to cryptocurrency developers and blockchain organizations. It can exfiltrate private keys, wallet seed phrases, and API tokens, leading to direct theft of digital assets. The malware also provides persistent remote access, allowing Lazarus operators to move laterally into cloud environments or steal intellectual property. The industries most affected are DeFi, cryptocurrency exchanges, and software development shops with exposed developer endpoints. Financial losses from multiple reported incidents are estimated in the millions of dollars per victim organization, though exact figures have not been publicly disclosed.

🛡️ Mitigation

Defenders should implement application allowlisting on macOS endpoints, block known ColdBrew C2 domains via DNS and network firewalls, and deploy endpoint detection rules that flag suspicious LaunchAgent creation and Rust binaries with anomalous process trees. SentinelOne’s Singularity XDR detects ColdBrew as “OSX.ColdBrew”. Developers should verify npm package integrity using checksums and avoid clicking links in unsolicited job offers on LinkedIn. Regular backups and enforcement of macOS Gatekeeper policies further reduce risk. Because the malware relies on social engineering rather than a software vulnerability, there is no patch to apply; user awareness training is therefore critical.
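An added example, written for this page rather than taken from SentinelOne or any vendor product, that turns the indicators in the Detection Indicators section and the LaunchAgent rule called for above into runnable checks: it parses a LaunchAgent plist and flags the masquerading label, a non-system program path and auto-restart settings, and it matches proxy log lines against the listed C2 domains and User-Agent. It assumes a constructed log format (timestamp, client, host, quoted User-Agent) and a heuristic, not a vendor rule, that Apple's own agents do not live in ~/Library/LaunchAgents.

```python
import plistlib
import re
from io import BytesIO

# Network indicators quoted on this page; the defanged domains are refanged for matching.
C2_DOMAINS = {"api.coldbrew.io", "gateway.cryptopulse.net"}
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/16.0 Safari/605.1.15")
# Assumed heuristic: Apple's own agents ship under /System/Library and /Library, so a
# com.apple.* label or a non-system program path inside ~/Library/LaunchAgents is out of place.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

def launchagent_findings(plist_bytes: bytes, plist_path: str) -> list[str]:
    """Reasons a LaunchAgent plist looks suspicious; an empty list means nothing was flagged."""
    try:
        d = plistlib.load(BytesIO(plist_bytes))
    except Exception as exc:  # a malformed plist in a persistence directory is itself notable
        return [f"unparseable plist: {exc}"]
    findings = []
    per_user = plist_path.startswith("/Users/") and "/Library/LaunchAgents/" in plist_path
    if per_user and str(d.get("Label", "")).startswith("com.apple."):
        findings.append("com.apple.* label in a per-user LaunchAgents directory")
    program = str((d.get("ProgramArguments") or [d.get("Program", "")])[0])
    if program and not program.startswith(SYSTEM_PREFIXES):
        findings.append(f"program outside system paths: {program}")
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive (starts at login, restarts if killed)")
    return findings

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')  # constructed format: ts client host "ua"

def network_findings(lines: list[str]) -> list[tuple[str, str, str]]:
    """(client, host, confidence) for each log line matching the page's network indicators."""
    hits = []
    for m in filter(None, (LOG_RE.match(line.strip()) for line in lines)):
        _, client, host, ua = m.groups()
        host = host.lower()
        if host in C2_DOMAINS or host.endswith(tuple("." + d for d in C2_DOMAINS)):
            hits.append((client, host, "high: known C2 domain"))
        elif ua == SAFARI_UA:  # a genuine Safari string, so alone it is only corroborating context
            hits.append((client, host, "low: ColdBrew User-Agent only"))
    return hits
# Constructed sample input for a stand-alone run, not artifacts recovered from any real host.
SAMPLE_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.apple.softwareupdate</string>'
                b'<key>ProgramArguments</key><array><string>/Users/dev/.cache/updater</string></array>'
                b'<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>')
SAMPLE_LOG = ['2023-08-03T10:00:01Z 10.0.0.5 api.coldbrew.io "%s"' % SAFARI_UA,
              '2023-08-03T10:00:02Z 10.0.0.7 www.apple.com "%s"' % SAFARI_UA,
              '2023-08-03T10:00:03Z 10.0.0.9 registry.npmjs.org "npm/9.6.7 node/v18.17.0"']
```

The User-Agent is a real Safari string, so a match on it alone is scored low; only a hit on the listed C2 domains is treated as high confidence.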


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.