CoinTicker

CoinTicker is a macOS malware family described as a cryptocurrency ticker that also exhibits trojan/backdoor behavior. Reported capabilities include downloading secondary payloads with curl, decoding an initially downloaded hidden encoded file using OpenSSL, establishing persistence via user LaunchAgents, and executing a bash script to create a reverse shell. The malware uses hidden files and directories to evade detection, including /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, and ~/Library/Containers/.[random string]/[random string]. It creates LaunchAgent persistence entries named .espl.plist and com.apple.[random string].plist. Supporting content also notes that CoinTicker, along with Shlayer and Bundlore, used curl to fetch secondary payloads in a way that bypassed Gatekeeper because curl does not set the com.apple.quarantine attribute. High-confidence indicators and artifacts mentioned in the content are the hidden files and LaunchAgent names above, as well as the use of reverse-shell behavior on infected macOS systems.
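The hidden file names and LaunchAgent names above are enough for a host-side hunt. The script below is an added example, not Mallory's tooling or any published CoinTicker analysis; it checks for exactly those artifacts and, as an assumption for testability, takes optional home and temp directory arguments so it can be run against a constructed tree instead of the live system.

```shell
#!/bin/sh
# Host-side hunt for the CoinTicker artifacts named on this page: the hidden
# files staged in /private/tmp, the hidden or Apple-lookalike user
# LaunchAgents, and a hidden directory under ~/Library/Containers.
# The two optional arguments (home directory, temp directory) are an
# assumption added so the checks can run against a constructed tree.
# Prints one "<kind> <path>" line per finding, sorted; returns 0 if anything
# was found and 1 if the tree is clean.
cointicker_hunt() {
  home="${1:-$HOME}"
  tmp="${2:-/private/tmp}"
  la="$home/Library/LaunchAgents"
  ct="$home/Library/Containers"
  hits=$( {
    # 1. Hidden dropper files the page lists in the temp directory.
    for f in "$tmp/.info.enc" "$tmp/.info.py" "$tmp/.server.sh"; do
      if [ -e "$f" ]; then printf 'hidden-file %s\n' "$f"; fi
    done
    # 2. User LaunchAgents: a dot-prefixed plist is hidden from Finder and a
    #    plain ls, and Apple's own agents live under /System/Library, so a
    #    com.apple.* plist in a user's LaunchAgents folder is out of place.
    if [ -d "$la" ]; then
      find "$la" -mindepth 1 -maxdepth 1 -type f \
        \( -name '.*.plist' -o -name 'com.apple.*.plist' \) \
        | sed 's/^/launchagent /'
    fi
    # 3. Hidden directory under Containers; the page gives the name only as
    #    "[random string]", so every dot-prefixed directory there is flagged.
    if [ -d "$ct" ]; then
      find "$ct" -mindepth 1 -maxdepth 1 -type d -name '.*' \
        | sed 's/^/hidden-container /'
    fi
  } | sort )
  if [ -n "$hits" ]; then printf '%s\n' "$hits"; fi
  [ -n "$hits" ]
}
```

Because the payloads were fetched with curl, they will carry no com.apple.quarantine attribute, so an xattr check does not separate them from benign files; the names and locations are the signal here.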

MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

4 techniques
T1059.003 Windows Command Shell (evidence: 1)
T1059.004 Unix Shell (evidence: 3)

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C. CoinTicker executes a bash script to establish a reverse shell.

T1059.006 Python (evidence: 1)
T1204.002 Malicious File (evidence: 1)

In MITRE ATT&CK terms, the techniques involved include User Execution: Malicious File (T1204.002, Execution ...).

Persistence

1 technique
T1543.001 Launch Agent (evidence: 2)

Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.

Privilege Escalation

1 technique
T1543.001 Launch Agent (evidence: 2)

Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 4)

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

T1140 Deobfuscate/Decode Files or Information (evidence: 5)

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

T1564.001 Hidden Files and Directories (evidence: 2)

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

Defense Impairment

1 technique
T1553.001 Gatekeeper Bypass (evidence: 2)

In MITRE ATT&CK terms, the techniques involved include ... Gatekeeper Bypass (T1553.001, Defense Evasion ...).

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)