New macOS Malware: SysJoker Malware Targets macOS on Intel and M1 Devices
The cybersecurity firm Intezer has discovered a backdoor that targets multiple operating systems, including Windows, Linux, and macOS on both Intel and M1 Macs.
In December 2021, researchers at Intezer discovered this multiplatform malware and published their findings on the Windows version in January 2022. Patrick Wardle of Objective-See analyzed the macOS variant, detailing how it establishes persistence and command and control (C&C) communications.
The executable file ends with a .ts extension which, according to Wardle, may indicate that it is masquerading as a video file. The binary is compiled for both the x86_64 and arm64 architectures, allowing it to run on both Intel and M1 Macs.
Once the malware is run, it creates a copy of itself, runs that copy, and then establishes persistence with a Launch Agent .plist file. The malware then downloads a file from Google Drive and decodes it into a C&C server URL. The attacker can then send commands to the malware and retrieve responses through this C&C server.
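As an added illustration of the persistence check a defender would run, here is a small Python script (not Addigy's Custom Fact or Intezer's tooling) that parses the LaunchAgent .plist files on a Mac and flags any whose program is a ".ts" file, the disguise described above. The directory names are the real LaunchAgent locations; the two plists written by demo() are constructed sample data, not SysJoker indicators.

```python
import os
import plistlib
import tempfile

# Real LaunchAgent locations on macOS; demo() scans a temp dir instead of these.
LAUNCH_AGENT_DIRS = [os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"]
SUSPICIOUS_EXTENSIONS = (".ts",)  # assumption: a ".ts" executable is worth flagging

def program_path(plist):
    """Return the executable a LaunchAgent plist launches, or None."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

def scan_launch_agents(directory):
    """Return (plist filename, program) for plists whose program has a suspicious extension."""
    hits = []
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            continue  # unreadable or malformed plist: skip it rather than abort the scan
        prog = program_path(plist)
        if prog and prog.lower().endswith(SUSPICIOUS_EXTENSIONS):
            hits.append((name, prog))
    return hits

def demo():
    """Write two constructed plists (sample data, not real IoCs) to a temp dir and scan it."""
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/local/bin/updater", "--check"]}
    suspicious = {"Label": "com.example.constructed", "RunAtLoad": True,
                  "ProgramArguments": ["/Users/demo/Library/Placeholder/notavideo.ts"]}
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in (("benign.plist", benign), ("constructed-suspicious.plist", suspicious)):
            with open(os.path.join(tmp, fname), "wb") as fh:
                plistlib.dump(data, fh)
        return scan_launch_agents(tmp)

if __name__ == "__main__":
    for d in LAUNCH_AGENT_DIRS:
        for name, prog in scan_launch_agents(d):
            print(f"{d}/{name} launches {prog}")
    print("demo:", demo())
```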
In response to this discovery, Addigy has released a Custom Fact that detects the files associated with SysJoker and a Custom Script that removes them. They are called “SysJoker Malware Detected” and “SysJoker Malware Removal Script” in the Community tab.
New Community Fact: SysJoker Malware Detected
New Community Script: SysJoker Malware Removal Script
A Monitoring item can be created to automatically remediate compromised machines.
Indicators of Compromise for macOS (provided in Intezer’s report):
Files and Directories