CHILLYHELL, ZynorRAT Malware Target Windows, Mac, and Linux Systems

New Malware CHILLYHELL and ZynorRAT Target macOS, Windows, and Linux Systems with Advanced Persistence and Espionage Capabilities

  • Researchers have found two new malware threats targeting macOS, Windows, and Linux systems.
  • The modular backdoor named CHILLYHELL is developed for Apple macOS and attributed to a group active since 2022.
  • ZynorRAT, a Go-based remote access trojan, can control infected Windows and Linux computers via Telegram.
  • Both malware types focus on persistence, information stealing, and remote control functions.
  • Apple has revoked the developer certificates related to CHILLYHELL after its recent discovery.

Cybersecurity teams have identified two new types of malware targeting multiple operating systems. One, called CHILLYHELL, is a modular backdoor designed for Apple macOS devices and linked to hacking activity dating back to October 2022. The second, ZynorRAT, is a remote access trojan written in Go, impacting both Windows and Linux computers.


According to analysis from Jamf Threat Labs, CHILLYHELL is developed for Intel-based Macs and was found in a sample uploaded to the VirusTotal platform on May 2, 2025. The file, originally notarized by Apple in 2021, was publicly available on Dropbox until Apple revoked the certificates after the discovery.

CHILLYHELL profiles the infected system, establishes persistence in several ways, and communicates with command servers using either HTTP or DNS. The malware can install itself as either a LaunchAgent or LaunchDaemon—a method used to maintain ongoing access to macOS devices. If it cannot modify files directly, the malware changes the user’s shell profile to include launching commands. The researchers, Ferdous Saljooki and Maggie Zirnhelt, noted the malware’s use of “timestomping,” where it alters the creation dates of files to avoid detection. “Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible,” Jamf said.
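The two behaviours above, launchd persistence and timestomping, can both be checked from the defender's side. The following is an added example written for this article, not code from Jamf or from the malware analysis; the plist label, program path, trusted-prefix list and the 30-day threshold are constructed assumptions.

```python
import os
import plistlib
import tempfile
import time

# Locations whose binaries we treat as expected for an auto-starting job
# (constructed allow-list for this example, not Jamf's criteria).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Constructed LaunchAgent plist of the shape used for persistence: a
# RunAtLoad job pointing at a binary hidden in the user's home directory.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.updater",          # hypothetical label
    "ProgramArguments": ["/Users/alice/Library/.cache/updater", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

def launchd_persistence(plist_bytes: bytes) -> dict:
    """Summarise a LaunchAgent/LaunchDaemon plist and flag auto-starting
    jobs whose program lives outside the trusted prefixes."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    return {
        "label": job.get("Label", ""),
        "program": program,
        "suspicious": autostart and not program.startswith(TRUSTED_PREFIXES),
    }

def timestomp_suspect(path: str, min_gap_days: int = 30) -> bool:
    """utimes() lets a process rewrite a file's mtime/atime, but the kernel
    sets ctime to 'now' on that very change. An mtime far older than ctime
    is therefore a cheap timestomping indicator (benign chown/chmod also
    bumps ctime, so treat a hit as a triage lead, not proof)."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > min_gap_days * 86400

def demo_backdated_file() -> bool:
    """Create a file, back-date its mtime by a year, and run the check."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"placeholder content")
    year_ago = time.time() - 365 * 86400
    os.utime(f.name, (year_ago, year_ago))   # rewrites atime/mtime, bumps ctime
    try:
        return timestomp_suspect(f.name)
    finally:
        os.unlink(f.name)
```

On a real host you would feed `launchd_persistence` every plist under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and run `timestomp_suspect` over the programs they reference.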

The malware also has the ability to open a remote shell, download new versions, carry out brute-force password attacks, and collect user account data. “Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape,” the researchers said. More details can be found in Jamf’s official blog post.

Investigators have linked CHILLYHELL to an uncategorized threat group known as UNC4487. According to Google Mandiant, this group has targeted Ukrainian government websites for espionage efforts, using malware to trick users into executing malicious files.


The second threat, ZynorRAT, relies on a Telegram bot to manage infected devices and was first submitted to VirusTotal on July 8, 2025. Both the Linux and Windows versions allow attackers to collect files, list processes, take screenshots, and execute system commands. While the Windows version mirrors the Linux one, it still depends on Linux-style persistence, suggesting ongoing development.

A report by Sysdig stated, “Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot.” The malware appears to be the creation of a lone developer, possibly from Turkey, based on Telegram chat language.

Research shows ZynorRAT’s distribution involves the Dosya.co file-sharing service, with evidence that its creator tested the malware on their own computers. The continued creation of tools like ZynorRAT highlights the ongoing advances in malware development.
