Moonlock Lab

Realtek or real threat? The macOS malware that won’t quit

Mykhailo Hrebeniuk

Apr 30, 20257 min read

Realtek or real threat? The macOS malware that won’t quit: Header image

In April 2025, a post on X by MalwareHunterTeam flagged a suspicious file named driverupdate masquerading as a legitimate macOS driver update. Only 2 out of 64 security vendors on VirusTotal identified the file in question, which has a SHA256 hash of f5a24d157881801fd13c5e6b6e870dea2873010e75765c231c1437b42fa82dd2, as malicious.

This discovery prompted a deeper investigation. It revealed a malware campaign that echoes a previous operation we documented on HackerNoon, now with subtle, evasive updates.

A familiar enemy with a new face

This campaign, much like its predecessor, begins with a deceptive lure: a fake Realtek driver update.

The initial infection vector is a Bash script named realtekmac.sh (SHA256: c192b93d30e482a20a958ceb329a53733debc4962d77cb273b019ca589dede6a), which users are tricked into executing through social engineering tactics. Once run, the script kicks off a multi-stage attack designed for persistence, credential theft, and long-term system surveillance.

The execution chain: A step-by-step breakdown

An image of a flowchart illustrating the malware's execution flow from deception to data theft.

Here’s a breakdown of how this malware works:

  1.  Initial infection: The realtekmac.sh script checks the macOS system architecture (arm64 or x86_64) and downloads a corresponding ZIP archive from https://api.autodriverfix.online. The archive, named WebCam.zip (SHA256: 6f6a9e8134e22c5b604b34256173848530136bec0d82ce78eaea61866fa2066a), is extracted into /var/tmp/WebCam/. It contains a second-stage script (cloud.sh) and a phishing application (DriverMinUpdate.app).
  2. Persistence via LaunchAgents: To ensure long-term access, the script creates a launchd plist (com.drive.plist) in ~/Library/LaunchAgents/. This ensures that cloud.sh executes automatically on system startup, using launchctl to load the configuration.
  3. Phishing with a fake app: The DriverMinUpdate.app (SHA256: 34b6fc9024591e7a107ffbdfb77e788ec2dd83943ab4ba4889b9996ca08260b8) is a deceptive macOS application that prompts users for their system password through a GUI. If the user complies, the stolen credentials are exfiltrated to an attacker-controlled Dropbox account, a tactic reminiscent of a previously analyzed sample.
  4. Second-stage loader: The cloud.sh script (SHA256: b98e6ea26eba32001a3e414b8648db9c74690e3bc2e8d649beb3336216c9949f) executes the main payload, a Go-based stealer named driverupdate.go (SHA256: f748e7f01f2daf6cbdb72fddd7a8e1415bceea0c42004d034f60faa5331c44e4) using a bundled Go runtime.
  5. Stealer activation and C2 communication: The Go component establishes a persistent command-and-control (C2) loop with a hardcoded endpoint at http://158.62.198.177:8080, hosted by Shock Hosting LLC in the US. It collects system information (username, hostname, OS, architecture), steals Chrome cookies, login data, and Keychain credentials, and supports remote command execution. All communication is encrypted with RC4, authenticated with MD5 checksums, and encoded in base64 to evade detection.

Evolution of the threat

Compared to the earlier variant we analyzed in our HackerNoon article, the core functionality remains unchanged. However, the attackers have made subtle adjustments to avoid detection.

File names and infrastructure: The filenames have been updated (e.g., realtekmac.sh instead of ffmpeg.sh, WebCam.zip instead of VCam_intel.zip). The download URLs have shifted to api.autodriverfix.online, and the C2 server now operates at 158.62.198.177.

A screenshot showing the script for this malware compared to the original, showing instances of updated filenames.

Phishing app storage: The DriverMinUpdate.app now stores stolen credentials in /pwd.txt instead of /password.txt.

No functional changes: The execution flow, persistence mechanisms, and stealer capabilities (targeting Chrome and Keychain data) remain identical.

A screenshot showing the script for this malware compared to the original, showing that execution flow, persistence mechanisms, and stealer capabilities have not been changed.

These changes suggest that the threat actors are actively maintaining the campaign, likely in response to increased scrutiny following public disclosures.

Technical dive: Inside the Go-based stealer

The driverupdate.go payload is a Go-based stealer that orchestrates command-and-control communication, system profiling, and credential theft. Let’s dissect its inner workings, module by module, and trace its execution flow to uncover how it maintains stealth and control.

Core functionality

The stealer’s primary role is to establish a persistent C2 channel, profile the infected system, and exfiltrate sensitive data. It achieves this through a combination of system reconnaissance, credential theft, and remote command execution.

The codebase is organized into distinct modules, each handling a specific aspect of the attack:

  • instance/ manages process locking and unique identifier generation to ensure single-instance execution and persistent tracking.
  • core/ implements the main C2 loop and handles command execution, serving as the stealer’s operational backbone.
  • auto/ executes automated credential exfiltration, targeting Chrome browser data and macOS Keychain credentials.
  • transport/ facilitates encrypted network communication using RC4 and MD5 for obfuscation and authentication.
  • command/ defines message formatting and parsing logic for C2 interactions.
  • util/ provides utility functions, such as file compression for exfiltration.

This modular design allows the malware to operate efficiently while remaining adaptable for future updates.

Execution flow

The stealer’s execution begins in driverupdate.go, where the main() function calls Run_DLL_Func() to initialize the malicious logic. The flow unfolds as follows.

Instance initialization

  • instance.genrateId() generates or retrieves a unique machine ID stored in /tmp/.host. This ID ensures that the C2 server can track the infected device across sessions, creating a persistent fingerprint for the victim’s machine.
  • instance.CheckDup_Instance() checks for the presence of /tmp/.store to prevent multiple instances of the malware from running simultaneously. This reduces the risk of detection by security tools.
  • instance.Delay() introduces a 10-second delay to evade sandbox environments, which often terminate processes that don’t exhibit immediate activity. This anti-analysis trick helps the malware slip past automated defenses.
  • instance.RegisterIn_stance() stores the process ID in a temporary file, reinforcing the single-instance lock.
A screenshot of the stealer's execution flow, highlighting /tmp/.host, sleep, duplication protection, and C2 communication loop establishment.

C2 communication loop

The core.StatMainLoop(id, url) function, defined in core/loop.go, establishes a persistent connection to the C2 server at http://158.62.198.177:8080, hosted by Shock Hosting LLC in the United States. The communication protocol is designed for stealth:

  • Outbound messages: The command.MakeMsg(id, type, data) function constructs messages with a unique ID, message type (e.g., MSG_PING, MSG_FILE), and data payload. These are base64-encoded, encrypted with RC4, and sent via HTTP POST.
  • Initial data: The procesInfo() function collects system details — username, hostname, OS version, and architecture — and sends them as the first outbound message, giving attackers a snapshot of the victim’s environment.
A screenshot of the stealer's core.StatMainLoop(id, url) function, showing the loop process and the get/send to C2 command.

Remote command handling

The C2 server then responds with RC4-encrypted, MD5-authenticated, and base64-encoded commands in the format of [command_type, arg1, arg2, …].

The stealer supports a versatile set of commands, each tied to a specific malicious action:

  • COMMAND_INFO requests updated system information, re-running procesInfo() to gather user, hostname, OS, and architecture data.
  • COMMAND_UPLOAD instructs the malware to receive an archive from the C2 server and write it to disk using procesUpload(data). This enables the deployment of additional payloads.
  • COMMAND_DOWNLOAD exfiltrates local files or directories via procesDownload(path), which reads the target, compresses it using util.Compress(), and sends it as an MSG_FILE message.
  • COMMAND_OSSHELL executes shell commands via procesOsShell() using exec.Command(). Commands can run silently (detached) or return output as an MSG_LOG message, allowing attackers to manipulate the system remotely.
  • COMMAND_AUTO triggers automated credential theft through procesAuto(mode), invoking auto.AutoModeC_hromeCookie() to extract Chrome cookies and auto.AutoModeMa_cChromeLoginData() to steal login credentials and Keychain data.
  • COMMAND_WAIT puts the malware to sleep for a specified duration using procesWait(hex_duration). Thus, the stealer maintains a low profile while sending periodic heartbeats (MSG_PING).
  • COMMAND_EXIT terminates the C2 loop and stops execution via procesExit(), allowing attackers to clean up if needed.

Data exfiltration logic

The stealer’s exfiltration capabilities are both targeted and efficient:

  • File exfiltration: The procesDownload(path) function reads files or directories, compresses them into a tar+gzip archive using util.Compress(), and sends the result as an MSG_FILE message. 
  • Shell command output: The results of procesOsShell() are captured and sent as MSG_LOG messages, providing attackers with real-time feedback from executed commands.
  • Credential theft: The auto module targets Chrome and Keychain data, including:
    • auto.AutoModeC_hromeCookie(), which decrypts and extracts Chrome cookies, enabling session hijacking
    • auto.AutoModeMa_cChromeLoginData(), which retrieves login credentials and accesses Keychain-stored passwords, exposing sensitive account information
    • Additional functions like auto.AutoModeCh_romeGather() and auto.AutoModeCh_romeChangeProfile(), which collect extension data and modify Chrome preferences, potentially injecting malicious settings

A persistent threat with monetization in mind

This campaign, active as of April 2025, demonstrates the threat actors’ focus on long-term access and data theft for monetization. By evolving their infrastructure while maintaining core functionality, they continue to target unsuspecting macOS users.

Our previous analysis of a similar campaign using fake job listings to steal crypto shows that these actors are adaptable, leveraging social engineering to maximize their reach.

For macOS users, the lesson is clear: Stay vigilant and avoid executing unverified scripts. For security teams, this evolving threat underscores the need for robust detection mechanisms to counter obfuscated, multi-stage malware campaigns.

MITRE ATT&CK Mapping

A chart showing the known data on this stealer, broken down by Tactic, Technique ID, Technique Name, and Evidence from code.

Indicators of Compromise (IoCs)

To aid in detection and mitigation, we have included the following comprehensive list of indicators of compromise (IoCs) associated with this malware campaign.

File hashes (SHA256)

  • realtekmac.sh: c192b93d30e482a20a958ceb329a53733debc4962d77cb273b019ca589dede6a
  • WebCam.zip (Intel): 6f6a9e8134e22c5b604b34256173848530136bec0d82ce78eaea61866fa2066a
  • WebCam.zip (ARM): d08b8734aa15819f51052e3ebfb95733fcb09bddef5de29d5c6cce43866ea462
  • DriverMinUpdate.app: 34b6fc9024591e7a107ffbdfb77e788ec2dd83943ab4ba4889b9996ca08260b8
  • cloud.sh: b98e6ea26eba32001a3e414b8648db9c74690e3bc2e8d649beb3336216c9949f
  • driverupdate.go: f748e7f01f2daf6cbdb72fddd7a8e1415bceea0c42004d034f60faa5331c44e4

Network indicators

  • Download URLs:
    • https://api.autodriverfix.online/realtek-arm64.update
    • https://api.autodriverfix.online/realtek-intel.update
  • C2 server: http://158.62.198.177:8080

File paths

  • Extracted payload directory: /var/tmp/WebCam/
  • Persistence plist: ~/Library/LaunchAgents/com.drive.plist
  • Phishing credential storage: /pwd.txt
  • Machine ID storage: /tmp/.host
  • Instance lock file: /tmp/.store

Related samples (older variants)

  • ffmpeg.sh: 3697852e593cec371245f6a7aaa388176e514b3e63813fdb136a0301969291ea
  • VCam_intel.zip: 60ec2dbe8cfacdff1d4eb093032b0307e52cc68feb1f67487d9f401017c3edd7

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc. Realtek is a trademark of Realtek Semiconductor Corporation.

MoonLock Banner
Mykhailo Hrebeniuk Mykhailo Hrebeniuk
Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
You might also like
Moonlock 2024 macOS threat report (Header image)
Moonlock’s 2024 macOS threat report
Dec 3, 2024
14 min read
Kseniia Yamburh for OFTW: Confronting the surge of macOS stealers in 2024 (Header image)
Kseniia Yamburh for OFTW: Confronting the surge of macOS stealers in 2024
Oct 10, 2024
15 min read
macOS stealer posing as Loom is allegedly linked to the Crazy Evil group (Header image)
macOS stealer posing as Loom may be linked to Crazy Evil group
Aug 1, 2024
5 min read