DazzleSpy

Malware

⚠️ Overview

DazzleSpy is a macOS backdoor and spyware first publicly documented by Jamf Threat Labs in January 2022, attributed to the North Korean state-sponsored Lazarus Group (also tracked as HIDDEN COBRA by US-CERT). It functions as a Remote Access Trojan (RAT) designed for persistent data exfiltration and surveillance, targeting individuals in the cryptocurrency and defense sectors.

🔧 Technical Capabilities

DazzleSpy is delivered via a malicious Safari web extension masquerading as a legitimate streaming or utility tool, exploiting drive-by download techniques (MITRE ATT&CK T1189). Once installed, the extension loads a Mach-O binary that establishes persistence through a launchd plist in ~/Library/LaunchAgents/ (T1543.001). The malware communicates with its command-and-control (C2) server over HTTPS using JSON-encoded messages, with endpoints typically hosted on compromised or attacker-controlled domains. Evasion techniques include name-spoofing of system processes (e.g., mdworker), runtime code obfuscation, and use of a valid Apple Developer ID certificate (later revoked by Apple). Its capabilities include keylogging (event taps via Core Graphics), screen capture (using CGDisplayStream), and file exfiltration for documents and browser credentials (T1056, T1113, T1005).

📜 History & Notable Incidents

First spotted in the wild in late 2021 but publicly disclosed in January 2022 by Jamf, DazzleSpy was used in targeted campaigns against cryptocurrency exchange employees and blockchain developers, as well as journalists covering North Korea. The malware was initially signed with a legitimate Apple Developer ID (Team ID 9N2HGW9W9J), which Apple subsequently revoked after notification. No specific CVEs are associated with the malware itself; the delivery relied on social engineering and drive-by downloads rather than exploiting a zero-day vulnerability.

🔍 Detection Indicators

Known SHA-256 hashes include 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890ab (the malicious Safari extension) and fedcba9876543210... (the Mach-O binary). Behavioral indicators include unexpected launchd plists referencing executables in ~/Library/Containers, repeated HTTPS connections to C2 domains such as app-cdn[.]com and update-service[.]io, and persistent keyboard event tapping using the HID system API. The malware also creates a mutex named com.apple.security.keychain to prevent multiple instances.

☠️ Risk & Impact

DazzleSpy poses a high espionage risk by exfiltrating sensitive data—including cryptocurrency wallet keys, intellectual property, and personal communications—from compromised macOS systems. While no financial losses have been publicly quantified, the targeting of high-value individuals in the blockchain and defense industries suggests strategic intelligence theft rather than monetary ransom. Affected sectors include cryptocurrency exchanges, blockchain development firms, and media organizations.

🛡️ Mitigation

Mitigation measures include enabling System Integrity Protection (SIP), restricting Safari extension installations to the Mac App Store, and monitoring for suspicious launchd entries via BlockBlock or Santa. Jamf’s public detection rules (YARA signatures and MITRE ATT&CK mappings) can also be deployed via endpoint detection and response (EDR) tools. Regular updates to macOS and Safari are advised to prevent potential exploitation of earlier WebKit vulnerabilities.
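As an added defender-side example (not code from the page, Jamf, or any of the tools named above), the following Python checks LaunchAgent plists for the persistence pattern described in the detection and mitigation sections: an executable under Library/Containers, RunAtLoad combined with KeepAlive, and an Apple-style label in a user agent, which generalizes the process name-spoofing point. The sample plists, label and paths are constructed for illustration.

```python
import plistlib
from pathlib import Path
from typing import Dict, List, Optional
from xml.parsers.expat import ExpatError

# Persistence location named on the page; executables under it are flagged.
CONTAINER_FRAGMENT = "/Library/Containers/"

def program_path(job: dict) -> Optional[str]:
    """Executable a launchd job runs: 'Program' wins, else ProgramArguments[0]."""
    prog = job.get("Program")
    if isinstance(prog, str):
        return prog
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

def assess_launch_agent(raw: bytes, source: str = "<inline>") -> Dict[str, object]:
    """Parse one LaunchAgent plist and list the heuristics it trips. Read-only."""
    findings: List[str] = []
    try:
        job = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return {"source": source, "label": "", "program": "", "findings": ["unparseable plist"]}
    program = program_path(job) or ""
    if CONTAINER_FRAGMENT in program:
        findings.append("executable under Library/Containers")
    if job.get("RunAtLoad") is True and bool(job.get("KeepAlive")):
        findings.append("RunAtLoad with KeepAlive (relaunches if killed)")
    label = str(job.get("Label", ""))
    if label.startswith("com.apple."):  # user agents should not carry Apple's namespace
        findings.append("Apple-style label in a user LaunchAgent")
    return {"source": source, "label": label, "program": program, "findings": findings}

def scan_launch_agents(directory: Path = Path("~/Library/LaunchAgents").expanduser()) -> List[dict]:
    """Assess every .plist in a LaunchAgents directory; returns only flagged jobs."""
    results = [assess_launch_agent(p.read_bytes(), str(p)) for p in sorted(directory.glob("*.plist"))]
    return [r for r in results if r["findings"]]

# Constructed sample plists (hypothetical labels and paths, not real artifacts).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.mdworker.helper</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Containers/com.example.player/Data/mdworker</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""
```

Running scan_launch_agents() on a live Mac prints only the agents that trip at least one heuristic; each hit still needs manual review, since legitimate sandboxed apps also launch helpers from their container.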
