JokerSpy
Malware
⚠️ Overview
JokerSpy is a multi-stage macOS backdoor and information stealer first publicly documented in June 2023, in near-simultaneous reports from Bitdefender, Elastic Security Labs (which tracks the intrusion set as REF9134) and SentinelOne. It is unrelated to XCSSET, a separate macOS malware family with which it is sometimes confused. None of those vendors attributed JokerSpy to a named actor; the BlueNoroff/Lazarus attribution occasionally repeated for it rests on its cryptocurrency-sector targeting, not on published evidence, and should be treated as unconfirmed. The toolkit pairs a Python-based backdoor with auxiliary reconnaissance components and was observed in at least one intrusion at a Japanese cryptocurrency exchange.
🔧 Technical Capabilities
The documented JokerSpy toolkit has three parts. The first is a Python backdoor (seen under file names such as sh.py and shared.dat) that polls its command-and-control (C2) server over HTTP(S) and accepts a small command set covering shell command execution, file upload and download, and retrieval of further payloads. The second is xcc, a universal Mach-O binary written in Swift that reports which permissions the current user context already holds under macOS Transparency, Consent, and Control (TCC), in particular Full Disk Access, Screen Recording and Accessibility, so the operator knows what the implant can reach; it checks these grants, it does not bypass the consent prompts. The third is swiftbelt, an open-source Swift enumeration tool used to collect host and security-configuration details. The initial access vector was not recovered in the published analyses; a trojanized macOS application or installer is considered the most likely delivery, and the persistence mechanism was likewise not established, so the usual macOS locations (LaunchAgents, LaunchDaemons, login items) remain the places to inspect. Claims sometimes attached to JokerSpy that it disables System Integrity Protection, injects into Finder or Safari, or captures keystrokes through an "Apple Keyboard SDK" do not appear in any of the vendor reports, and no such SDK exists.
📜 History & Notable Incidents
JokerSpy was first publicly documented in June 2023, when Bitdefender, Elastic Security Labs and SentinelOne (report: "JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware") each published analyses within days of one another. Elastic's report described an intrusion at a prominent Japanese cryptocurrency exchange; no other victims have been publicly named, and the earlier activity dates reported by the vendors come from sample compilation and upload timestamps rather than from confirmed incidents. No CVE is associated with JokerSpy; it relies on a trojanized application and social engineering rather than an exploit. Law enforcement actions have not been publicly disclosed as of early 2025.
🔍 Detection Indicators
Sample hashes, C2 domains and file paths are published in the Bitdefender, Elastic and SentinelOne reports and should be taken from those primary sources rather than from secondary copies, which have circulated with made-up values. Behavioral indicators that follow from the documented tooling: a python3 interpreter launched against a script in a shared, hidden or otherwise unusual directory and holding a long-lived HTTP(S) session to a recently registered domain; an unsigned or ad-hoc-signed Swift binary querying TCC permission state (Full Disk Access, Screen Recording, Accessibility) shortly after arriving on the host; a process enumerating security configuration in the manner of swiftbelt; and LaunchAgent plists in ~/Library/LaunchAgents whose Label uses the com.apple.* namespace, since Apple installs its own agents only under /System/Library/LaunchAgents. The User-Agent, URI path, ASN and preferences-file indicators sometimes listed for JokerSpy are not from the vendor reports and should not be used as detection content.
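A minimal triage script for the LaunchAgent indicator above, written for this page as an added example; it is not vendor detection content and is not taken from any JokerSpy report. It treats a com.apple.* Label in a user LaunchAgents directory as a masquerade, flags an interpreter pointed at a script in a user-writable path, and notes the RunAtLoad+KeepAlive combination that keeps a job alive across logins and kills. The path prefixes, interpreter set and the two sample plists are constructed heuristics for illustration, not published IOCs.

```python
"""Flag suspicious LaunchAgent plists. Added example, not from any vendor report."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Apple ships its own agents under /System/Library/LaunchAgents, never in
# ~/Library/LaunchAgents, so a com.apple.* Label there is a masquerade.
APPLE_NAMESPACE = "com.apple."
# Hypothetical heuristic: locations an unprivileged user (or implant) can write to.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/",
                 "/private/var/folders/", "/Library/Application Support/")
INTERPRETERS = {"python", "python3", "osascript", "sh", "bash", "zsh", "perl", "ruby"}


def _command_line(plist: dict) -> list[str]:
    """Return the argv launchd would execute for this job."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if args:
        return args
    prog = plist.get("Program")
    return [str(prog)] if prog else []


def assess_launch_agent(data: bytes) -> list[str]:
    """Return human-readable findings for one plist; an empty list means nothing odd."""
    try:
        plist = plistlib.loads(data)
    except (ValueError, ExpatError):  # InvalidFileException is a ValueError
        return ["plist does not parse"]
    findings: list[str] = []
    label = str(plist.get("Label", ""))
    if label.startswith(APPLE_NAMESPACE):
        findings.append(f"label {label!r} masquerades as an Apple job")
    argv = _command_line(plist)
    if not argv:
        findings.append("no Program/ProgramArguments: nothing to run")
        return findings
    exe = argv[0]
    if exe.startswith(USER_WRITABLE):
        findings.append(f"executable {exe!r} lives in a user-writable path")
    if Path(exe).name in INTERPRETERS:
        for script in (a for a in argv[1:] if a.startswith(USER_WRITABLE)):
            findings.append(f"interpreter {exe!r} runs {script!r} from a user-writable path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: restarts at login and whenever killed")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every .plist in a LaunchAgents directory; keys are file names with findings."""
    if not directory.is_dir():
        return {}
    results: dict[str, list[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        hits = assess_launch_agent(path.read_bytes())
        if hits:
            results[path.name] = hits
    return results


# Constructed samples for the demonstration; neither is a real JokerSpy artifact.
BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "StartCalendarInterval": {"Hour": 2, "Minute": 0},
})
SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.softwareupdate",
    "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/.cache/sh.py"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, assess_launch_agent(blob) or ["clean"])
    # Live run against the current user's agents (empty if the directory is absent).
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

The heuristics are deliberately loose: a benign developer tool can legitimately run a script from a home directory, so treat hits as triage leads to pair with code-signing and network context, not as verdicts.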
☠️ Risk & Impact
JokerSpy targeted cryptocurrency-sector organizations; the one documented intrusion was at a Japanese cryptocurrency exchange. The backdoor gives the operator arbitrary command execution, file transfer and the ability to stage further tooling, so the realistic impact is full compromise of the affected host and of any credentials, session tokens or wallet material reachable from the logged-in user's context; the xcc component exists precisely to tell the operator how much of that data is already accessible. No public figure for losses has been attached to the campaign, and the specific wallet applications sometimes listed as its targets are not named in the vendor reports. Claims that it deploys a WireLurker variant are unsupported; WireLurker is an unrelated family from 2014.
🛡️ Mitigation
Defenders should deploy macOS endpoint detection and response (EDR) tools with behavioral rules for interpreter-launched scripts from user-writable paths, LaunchAgent and LaunchDaemon persistence, and unsigned binaries querying TCC permission state. Organizations should enforce Gatekeeper and notarization requirements (and application allowlisting where an MDM supports it), periodically review which applications hold Full Disk Access, Screen Recording and Accessibility grants in System Settings > Privacy & Security and revoke any that are not recognized, monitor for outbound connections to the domains published in the Bitdefender, Elastic and SentinelOne reports, and apply the latest macOS security updates. For detection engineering, map rules to MITRE ATT&CK T1059.006 (Command and Scripting Interpreter: Python), T1543.001 (Create or Modify System Process: Launch Agent), T1105 (Ingress Tool Transfer) and T1041 (Exfiltration Over C2 Channel); T1055.001 (Dynamic-link Library Injection) is a Windows sub-technique and does not apply here.