Russian Mac malware behind U.S. DNC hacks looks to steal passwords and iPhone backups

“The group behind one of the largest cyberespionage campaigns has been targeting Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data,” Danny Palmer reports for ZDNet. “This malware, discovered by cybersecurity researchers at Bitdefender, is thought to be linked to the APT28 group, which was accused of interferring in the United States presidential election.”

“Bitdefender notes a number of similarities between the malware attacks against Macs — which have been taking place since September 2016 — and previous campaigns by the group, believed to be closely linked to Russia military intelligence and also dubbed Fancy Bea,” Palmer reports. “Known as Xagent, the new form of malware targets victims running Mac OS X and installs a modular backdoor onto the system which enables the perpetrators to carry out cyberespionage activities.”

“Analysis of the malware reveals the presence of modules which will probe the infected system for hardware and software configurations, collect information on running processes, harvest desktop screenshots, and steal passwords,” Palmer reports. “Xagent is also capable of stealing iPhone backups stored on a compromised Mac.”

Read more in the full article here.

MacDailyNews Take: The most likely attack vector appears to be via “MacKeeper.”

Do not install MacKeeper. Certainly do not buy MacKeeper. If you have MacKeeper, uninstall it now.

MacKeeper scamware leaks 13 million Mac owners’ data, leaves passwords open to easy cracking – December 15, 2015
Security researcher claims to have downloaded sensitive data from 13 million accounts of MacKeeper scamware app – December 14, 2015
MacKeeper buyers ask for refunds in droves following class-action lawsuit – October 23, 2015
MacKeeper customers can file a claim to get their money back – August 10, 2015
Don’t waste your money on OS X snake oil for your Mac – July 28, 2015
How to detect and remove MacKeeper and keylogger malware on your Mac – July 17, 2015
Controversial MacKeeper security program opens critical hole on Mac computers – May 12, 2015
What ‘MacKeeper’ is and why you should avoid it – January 21, 2015
How to uninstall MacKeeper from your Mac – December 19, 2014


  1. Dump Trump. The same homophobic pee-lover likes making deals with a country that does NOT like America at all, and are stealing Americans private material. They of course also stole the vote for Trump too in the style of the 2000 Elections. Trump and Russia are both bad for America and I still can’t believe all this happened.

    1. Hey Whitney, do you really believe all that Russia stole the election B.S.? I also see that you believe that ALGORE lost in 2000 because Bush cheated. In other words, when your guy loses, someone cheated But when your guy wins, it legit. What an simple minded child.

      1. Russia and co-conspirators used well known and new, propaganda techniques to sway somesimple minded (ahem) folks. Enough in 3 states to elect an unqualified sexual predator as president. (ahem)

        The supreme court decided the 2000 election based on counting the ballots would hurt george bushes feelings.

        1. The people who did this may or may not have been Russian but were unlikely part of the Russian Government. You don’t sign your work. The signatures of well known Russian hackers that were found seem more likely to have been placed there to make it look as if the Russian government were involved.

          In either case, far more damage to the election was done by George Soros just writing his checks and leaving an open trail he doesn’t care who follows.

          1. You know that soros thing is a myth, right? I guess not. Any hacking done isn’t the issue. The issue is selective and untimely leaking of information affecting peoples attitudes. sway 80,000 people in 3 states and you have affected the election.

            1. And a sexual predator grabbed your pvssy and you like it. So that’s your big defense of the subject. I guess tRumpanzees can only speak in one word sentences since their dear leader can only speak in 140 characters.

            2. your “offer” is cloyingly and intentional disingenuous as you are well aware than I am not a republican and loathe CIA George with equal intensity that I do The Muslim Usurper. OBP has overcome the globalist faction in both parties, but you are too much of a vacillating weasel to take a stand and support him.

            3. HAHAHAHA! ‘Vacillating weasel’.

              No, I simply have superior discernment of people and a mind that thinks OFF the idiotic 1-dimensional political scale. I’m much too complicated for your comprehension. (KISS = Keep It Stupid, Simple).

              But I did mention something reasonably nice about you on MDN today. See if you can find it. 😉

            4. This is the fate of vacillating weasels that claim “superior discernment of people and a mind that thinks OFF the idiotic 1-dimensional scale.”

              Half of the French army is on French streets. If you are so obtuse to not see that it is coming here, your “I’m much too complicated for your comprehension” rings more of arrogance and folly than reason and intellect.

      2. I am *not* supporting Christopher Paul Whitney’s post. But I take a bit of pleasure in pointing out that Trump preemptively stated that if he lost the election it would be due to foul play – rigging the system. By your logic, that makes Trump simple-minded. Nice.

    2. Don’t worry, little one. You can have another Jill Stein recount done. Hahahahaha! Presidency, Senate, House, 34 Governorships, almost all Statehouses, Supreme Court domination.

    3. Waaaaaaaah! Waaaaaaaaaah! My name is Christopher Paul Whitney, and I am an entitled baby. I believe everyone who shows up should get a ribbon.

      Grow up.

      Now walk upstairs and let mommy nurse you. I know it’s your safe space.

    4. Russia was ACTUAL ally to the USA in absolutely every major war: in 1770s, 1860s, 1910s, 1940s. And not only major: in 2000s Putin has helped the USA to fight Al-Qaeda in Afghanistan, for example. Putin has also warned the USA twice on Boston bombers.

      So lets separate Cold War propaganda by pro-Cold War neocon maniacs that are paid by the military industrial complex from who’s actual ally to the USA.

      The USA’s biggest formal “ally” is the kingdom of Saudi Arabia that has killed thousands of Americans as well as orders of magnitude more people their their terrorist ideology, Wahhabism/Salafism and its tools such as Al-Qaeda, Daesh (ISIS), Boko Haram and its many clones.

    1. botvinnik is russian and one of the russians that the russian government uses on popular American sites where comments are allowed, just so you know who and what is he (they) are.

          1. Good, keep watching. You will see an American that loves his family, believes freedom has nothing to do with how much I pay in taxes, and knows Donald Trump is a liar, crook, thief and should not hold the office of President.

            1. botvinnik, listen take your meds, there is no shame in you needing them, none what so ever. In fact, I’d be very proud of you if you make a chart and check off everyday that you have taken your meds for the day, very proud.

    1. And what is wrong with Botvinnik? He was a great chess master. His was genius, and his style has found fans all around the world.

      So lets not get back the MacCarthyite insanity. Fearmongering , xenophobia and bigotry of such policies is a truly ugly thing, be it directed at blacks, Jews, or Russians.

  2. They “look to steal” from Macs, because they have already infiltrated all members of the current US administration and their crappy samsung phones. Unbelievable tech and security cluelessness in the White House now.

      1. C’mon botty, you’ve pretty much killed this thread already, have you shaved yet? I know your dad’s been backed into a corner today but I’d love to hear your defence. Don’t worry about the
        Ruskies just parked off shore, they have bigger fish to fry.

  3. Notes Of The Moment:

    1) XAgent is confusingly also spelled Xagent, X Agent and X-Agent in the anti-malware literature. 🤢

    2) The name XAgent has been used previously for older different, but related malware that was written for iOS and Android. 🤦

    3) Discussions going on within the anti-malware community are considering renaming this specific malware as a new ‘C’ variant of Komplex, which was discovered in-the-wild last fall and was created by the same hackers. Why Bitdefender chose the ‘XAgent’ name instead is unclear. ⁉

    4) XAgent/Komplex.C is currently INERT. The servers with which it communicates are inactive. Therefore, infection may still be possible, but the malware has nowhere to send the data it rips-off from victims. ⚰

    The usual conclusion: Expect email PHISHING scams. They’re constant and persistent. If you’re a LAN administrator, expect your clients to download this crap onto their computers. Prevent this from happening and cleanup the resulting infections as best you can with the tools available. 🏥

    At the moment I know of two (2) potentially active malware for Mac. XAgent/Komplex.C isn’t one of them. Nearly ALL malware for OS X (macOS) have been Trojan horses, meaning that they require the Mac user to deliberately install the malware onto their computer. Don’t do that! NEVER install anything you haven’t verified to be real, legitimate software. Trust No One, especially email from friends. Faking source names on PHISHING email is Standard Practice. 😈

    Folks around here typically already know this stuff. But it’s good to remind ourselves and to share with the newbies and the ‘LUSERS’ who somehow consistently find ways to infect their computers. 🐣

    Stay safe out there kids! 📢

    1. Oh and XAgent/Komplex.C: THIS HAS NOTHING TO DO WITH MacKeeper!

      The MacKeeper malware was discovered last fall, it was named Komplex.A, it’s inert, but it was written by the same hackers as ‘XAgent’. Thus the confusion.

      The IMHO scum who write MacKeeper have since repaired their crapcode such that the Komplex.A malware no longer works.

      And yes (IMHO) never ever install MacKeeper. If you inadvertently fell for their (IMHO) diabolically evil web advertising, then UNINSTALL MacKeeper immediately!!! It provides nothing you can’t already perform within macOS out-of-the-box or perform using free utilities from other sources (such as Onyx, Malwarebytes Anti-malware, etc). Not kidding. IOW MacKeeper is (IMHO) not only crapware (IMHO), it’s worthless junk that only serves to slow down and mess up your Mac.

      Oh and the dicks who created MacKeeper lost TWO (2) lawsuits in 2016 due to their deceptive advertising.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.