New ReaderUpdate Malware Variants Target macOS Users
As the holiday season approaches, a new wave of malicious activity has been detected targeting macOS users. SentinelOne researchers have identified multiple variants of the ReaderUpdate malware, written in Crystal, Nim, Rust, and Go programming languages, that are specifically designed to infect Apple devices.
The ReaderUpdate malware has been active since 2020, initially appearing as a compiled Python binary that delivered Genieo adware. However, it remained largely undetected until resurfacing in late 2024 with new variants that have taken advantage of advancements in programming languages to evade detection.
The Rise of New ReaderUpdate Variants
A recent suspicious binary written in Nim was identified by SentinelOne researchers. This variant contacts a C2 server, gains persistence, and collects system information. While only one sample is currently detected by antivirus tools, many others remain undetected.
According to SentinelOne, the ReaderUpdate malware is currently distributed in five variants compiled from five different source languages. The new variants are spread via older infections and third-party downloads, often through trojanized apps like "DragonDrop."
The Five Variants of ReaderUpdate
- Python: The original variant, a compiled Python binary that delivered Genieo adware.
- Crystal: A variant written in Crystal.
- Nim: A variant written in Nim.
- Rust: A variant written in Rust.
- Go: The newest and rarest variant, written in Go.
The Go variant is notable for several characteristics. It collects system hardware information to build a unique victim ID and hides its binary in ~/Library/Application Support/. It maintains persistence via a .plist file and executes remote C2 commands, a capability that could be used to offer threat actors Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) access.
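As an added detection example (not code from the article or the SentinelOne report), the heuristic below flags launchd LaunchAgent plists whose program lives under ~/Library/Application Support and that start at login, the combination described above. It assumes the persistence .plist is a launchd job, which the article does not state, and the sample plists and home path are constructed.

```python
from __future__ import annotations
import plistlib
from pathlib import Path
from typing import Optional

def launch_program(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None

def is_suspicious(job: dict, home: Path) -> bool:
    """Flag jobs that auto-start a binary hidden under ~/Library/Application Support."""
    prog = launch_program(job)
    if not prog:
        return False
    # Expand a leading "~/" against the given home so the check is deterministic.
    path = home / prog[2:] if prog.startswith("~/") else Path(prog)
    try:
        path.relative_to(home / "Library" / "Application Support")
    except ValueError:
        return False
    return bool(job.get("RunAtLoad") or job.get("KeepAlive"))

def scan(plists: dict[str, bytes], home: Path) -> list[str]:
    """Parse each plist (name -> raw bytes) and return the names that match."""
    hits = []
    for name, data in plists.items():
        try:
            job = plistlib.loads(data)
        except (plistlib.InvalidFileException, ValueError):
            continue  # malformed plist: skip rather than crash the scan
        if isinstance(job, dict) and is_suspicious(job, home):
            hits.append(name)
    return sorted(hits)

def scan_launch_agents(home: Path = Path.home()) -> list[str]:
    """Live check of the current user's LaunchAgents directory (macOS only)."""
    agents = home / "Library" / "LaunchAgents"
    files = {p.name: p.read_bytes() for p in agents.glob("*.plist")} if agents.is_dir() else {}
    return scan(files, home)

# Constructed sample plists: one agent pointing into Application Support, one benign.
SAMPLES = {
    "com.example.updater.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>~/Library/Application Support/ExampleUpdater/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
    "com.example.tool.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.tool</string>
<key>Program</key><string>/usr/local/bin/tool</string>
<key>RunAtLoad</key><true/></dict></plist>""",
}

def demo() -> list[str]:
    return scan(SAMPLES, Path("/Users/alice"))
```

Run `scan_launch_agents()` on a macOS host to apply the same heuristic to real LaunchAgents; hits are leads for manual review, not verdicts.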
The malware obfuscates strings and URLs to evade analysis. "Throughout the binary, the developers obfuscate many of the strings, including the C2 URL and the property list content, using functions that either assemble characters on the stack or run some simple character substitution algorithm," reads a report.
The Threat Landscape
"ReaderUpdate is a widespread campaign utilising binaries written in a variety of different source languages, each containing its own unique challenges for detection and analysis," concludes the report. "Interestingly, this loader platform has been quietly infecting victims through old infections that went largely unnoticed due to the malware remaining dormant or delivering little more than adware."
"Nevertheless, where compromised, hosts remain vulnerable to the delivery of any payload the operators choose to deliver, whether of their own or sold as Pay-Per-Install or Malware-as-a-Service on underground markets," warns the report.