CruLoader

Loader

⚠️ Overview

CruLoader is a malware loader first documented in early 2024 by the Broadcom Security Operations Center (SOC) as part of a campaign targeting macOS systems, which sets it apart from the largely Windows-centric loader ecosystem. It operates as a secondary payload delivery mechanism, classified as a downloader/trojan, whose job is to install additional malware such as infostealers and remote access trojans (RATs) on compromised machines. The threat actor behind CruLoader remains unidentified but is believed to be a private group or initial-access broker, given that the loader is signed with an Apple Developer ID certificate so that it passes Gatekeeper's signature check rather than relying on any software vulnerability.

🔧 Technical Capabilities

CruLoader propagates primarily through social engineering and malvertising, typically disguised as a legitimate software installer (e.g., Adobe Flash, Microsoft Teams) promoted through search engine ads or hosted on malicious websites. The infection chain starts with a signed disk image (.dmg) containing a Mach-O executable carrying a valid Apple Developer certificate, which lets it pass the default macOS code-signing checks. Once executed, the loader contacts a remote command-and-control (C2) server over HTTPS and fetches the next-stage payload, which is obfuscated with a hardcoded XOR key inside the TLS session; this XOR layer hides the payload from casual inspection but is not encryption in any meaningful sense, since the key is recoverable from the binary or from known plaintext. Persistence is achieved through a LaunchAgent plist file placed in the user's Library directory, so the malware re-executes at every login. Evasion techniques include LLVM-level code obfuscation, checks for security tools such as the Little Snitch firewall, and a 60-second sleep before the main logic runs, intended to outlast short automated sandbox executions (Broadcom SOC analysts noted this delay; sandboxes that accelerate or hook sleep calls are not affected by it). The loader also checks the victim's public IP address against an allow-list of regions, a geofencing step meant to avoid infecting researchers and machines outside the target set.
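The page describes the second stage as XOR-obfuscated with a hardcoded key. The following Python is an added analyst-side example, not CruLoader code and not from the Broadcom report: it recovers such a key from a captured blob by using the Mach-O 64-bit magic (and the cputype field behind it) as known plaintext. The key, key length and sample blob are constructed for the demonstration; the real key and its length are not given on this page.

```python
"""Added example (not CruLoader code): recover a repeating XOR key from a
captured second-stage blob using the Mach-O header as known plaintext.
SAMPLE_KEY and SAMPLE_STAGE below are constructed for the demo."""
from itertools import cycle
from typing import Optional, Tuple

# mach_header_64 starts with magic 0xFEEDFACF, stored little-endian on disk.
MACHO64_MAGIC = bytes.fromhex("cffaedfe")
# cputype field (offset 4) for the two architectures a macOS loader would ship.
CPUTYPE_X86_64 = bytes.fromhex("07000001")  # 0x01000007
CPUTYPE_ARM64 = bytes.fromhex("0c000001")   # 0x0100000c


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Encoding and decoding are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a repeating key of key_len bytes from known plaintext at offset 0.
    Each key byte must be covered at least once by the known prefix."""
    if len(known_prefix) < key_len or len(blob) < key_len:
        raise ValueError("known plaintext or blob shorter than key")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def looks_like_macho64(data: bytes) -> bool:
    """Sanity check beyond the four magic bytes, so a guessed key is verified
    against bytes it was not derived from."""
    return data[:4] == MACHO64_MAGIC and data[4:8] in (CPUTYPE_X86_64, CPUTYPE_ARM64)


def decode_stage(blob: bytes, max_key_len: int = 4) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths 1..max_key_len (bounded by the 4 known magic bytes).
    Returns (key, decoded_stage) when the result parses as a Mach-O 64 header."""
    if len(blob) < 8:
        return None
    for key_len in range(1, min(max_key_len, len(MACHO64_MAGIC)) + 1):
        key = recover_key(blob, MACHO64_MAGIC, key_len)
        plain = xor_crypt(blob, key)
        if looks_like_macho64(plain):
            return key, plain
    return None


# Constructed sample: a fake x86_64 Mach-O header followed by filler, XORed
# with a 3-byte key. Neither value comes from a real CruLoader sample.
SAMPLE_KEY = b"\x5a\xa5\x3c"
SAMPLE_STAGE = (
    MACHO64_MAGIC + CPUTYPE_X86_64
    + b"\x03\x00\x00\x80"   # cpusubtype
    + b"\x02\x00\x00\x00"   # filetype MH_EXECUTE
    + b"SECOND-STAGE-BODY"
)
SAMPLE_BLOB = xor_crypt(SAMPLE_STAGE, SAMPLE_KEY)


if __name__ == "__main__":
    result = decode_stage(SAMPLE_BLOB)
    if result is None:
        print("no key found")
    else:
        key, plain = result
        print("key:", key.hex(), "decoded head:", plain[:8].hex())
```

For longer keys the same approach works with more known plaintext (the rest of the Mach-O header and the first load command are highly predictable); the four magic bytes alone only bound the search to keys of four bytes or fewer.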

📜 History & Notable Incidents

CruLoader first appeared in January 2024, with the earliest known sample submitted to VirusTotal on 2024-01-15, and gained wider attention in March 2024 when Broadcom published a threat analysis report detailing its macOS targeting. No high-profile victims have been publicly named, but the loader has been linked to the distribution of the Realst infostealer and the Cuckoo RAT, affecting users in North America and Europe. No CVEs are associated with CruLoader: it abuses user trust and signed-binary trust rather than exploiting a software vulnerability.

🔍 Detection Indicators

Known file hashes for CruLoader include SHA-256 5a3c8f7e1b2d4a6c9e0f1d2b3c4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (sample from the Broadcom report; note that as printed here this string is 63 hex characters, one short of a valid SHA-256, so confirm it against the original report before adding it to a blocklist), and signed bundle identifiers "com.softpkg.update" and "com.macupdater.app". Behavioral signatures include the creation of a LaunchAgent plist named com.user.update.plist in ~/Library/LaunchAgents, network connections to IPs in the 45.146.165.0/24 range (ASN 206264), and the HTTP User-Agent string "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". That User-Agent is a stock Chrome 120 string on macOS and will match ordinary browser traffic, so treat it as corroboration for a C2-range hit rather than as an indicator on its own. Registry keys do not apply, since CruLoader targets macOS; file system artifacts include /tmp/.update-tmp and /Library/Application Support/UpdateService/.

☠️ Risk & Impact

CruLoader poses a high risk to macOS users because it is a gateway for credential theft, data exfiltration and remote control: the Realst infostealer it delivers can harvest browser passwords, cryptocurrency wallets and email credentials. Financial losses are mostly indirect, arising from subsequent ransomware or credential abuse, but the loader has been observed targeting the cryptocurrency and technology sectors, including one 2024 campaign that attempted to capture OTP codes from macOS users of major banks. No public figure for total compromised systems exists; Broadcom assessed the campaign as "moderate volume", with several hundred confirmed infections as of March 2024.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) tooling that alerts on LaunchAgent persistence changes and on the file artifacts listed above. Because CruLoader carries a valid Developer ID signature, a rule that blocks only unsigned binaries will not stop it; instead, block or alert on the specific Team ID Broadcom identified (given in the report as "XYZ1234ABC", which has the form of a placeholder, so confirm the real value before deploying it), and keep Gatekeeper's default notarization enforcement in place rather than letting users disable it. Recommended detection steps include SIEM rules for network connections to the documented C2 range (45.146.165.0/24), raising confidence when the request also carries the User-Agent string documented above.
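The indicators in the Detection Indicators section and the SIEM and persistence checks recommended here can be turned into a small offline triage script. The following Python is an added example, not code from Broadcom or Boteraser: it validates the hash as printed, matches proxy log lines against the C2 range with the User-Agent only raising confidence, and inspects a LaunchAgent plist for the documented label and program paths. The log format, log lines and plist content are constructed for the demonstration.

```python
"""Added example (not from the Broadcom report or Boteraser): offline checks
built from the CruLoader indicators listed on this page. Log lines, the log
format and the plist below are constructed samples."""
import ipaddress
import plistlib
import re
from typing import Dict, List

# Indicators exactly as printed on the page.
C2_NETWORK = ipaddress.ip_network("45.146.165.0/24")
C2_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
BUNDLE_IDS = {"com.softpkg.update", "com.macupdater.app"}
LAUNCH_AGENT_LABEL = "com.user.update"
ARTIFACT_PATHS = ("/tmp/.update-tmp", "/Library/Application Support/UpdateService/")
PAGE_SHA256 = "5a3c8f7e1b2d4a6c9e0f1d2b3c4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2"


def is_valid_sha256(h: str) -> bool:
    """A SHA-256 is exactly 64 hex characters; reject anything else before it
    reaches a blocklist (the page's printed hash fails this check)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", h) is not None


# Constructed proxy log format: <timestamp> <src_ip> <dst_ip> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def match_c2_connections(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag lines whose destination falls in the documented C2 range.
    The User-Agent is a stock Chrome string, so it only raises confidence
    on a range hit and never triggers an alert by itself."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, _status, ua = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dst_ip in C2_NETWORK:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "confidence": "high" if ua == C2_USER_AGENT else "medium"})
    return hits


def inspect_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist matches the documented persistence.
    An empty list means no documented indicator matched."""
    try:
        p = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    reasons = []
    if p.get("Label") == LAUNCH_AGENT_LABEL:
        reasons.append("label matches " + LAUNCH_AGENT_LABEL)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else "")
    if program.startswith(ARTIFACT_PATHS):
        reasons.append("program path matches documented artifact: " + program)
    if reasons and p.get("RunAtLoad") is True:
        reasons.append("RunAtLoad set (re-executes at login)")
    return reasons


# Constructed samples. 203.0.113.5 is a TEST-NET address used as benign traffic.
SAMPLE_LOG = [
    '2024-03-02T10:01:13Z 10.0.0.21 45.146.165.77 200 "' + C2_USER_AGENT + '"',
    '2024-03-02T10:01:20Z 10.0.0.21 203.0.113.5 200 "' + C2_USER_AGENT + '"',
    '2024-03-02T10:02:05Z 10.0.0.33 45.146.165.9 404 "curl/8.4.0"',
]
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.user.update</string>
<key>ProgramArguments</key><array>
<string>/Library/Application Support/UpdateService/update</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    print("page hash valid:", is_valid_sha256(PAGE_SHA256))
    for hit in match_c2_connections(SAMPLE_LOG):
        print("C2 hit:", hit)
    for reason in inspect_launch_agent(SAMPLE_PLIST):
        print("LaunchAgent:", reason)
```

On a real host the plist check would be run over every file in ~/Library/LaunchAgents and /Library/LaunchAgents, and the bundle identifiers in BUNDLE_IDS would be compared against the CFBundleIdentifier of installed applications; both inputs are simple to collect with the same plistlib parsing shown here.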


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.