Lazarus Group Targets macOS in Supply Chain Assault

Written by

Cybersecurity firm ESET has detected a significant supply chain attack targeting macOS devices. The Lazarus Group, known for its advanced cyber operations, was reportedly behind this breach.

The attack, which began in March 2023, involved compromising the X_TRADER software and 3CX phone system apps, affecting unsuspecting users of both Windows and macOS platforms.

While macOS systems have historically been less vulnerable to malware compared to Windows devices, ESET’s telemetry data showed a notable rise in detections following this incident. Potentially Unwanted Applications (PUAs) accounted for nearly half of all macOS detections in the first half of 2023.

“The supply-chain attack’s impact is reflected in a 16.8% increase in Trojan detections, which accounted for 11.2% of all macOS detections during the same period,” ESET wrote in a press release shared with Infosecurity via email.

The company’s investigations also found that both Windows and macOS applications developed by 3CX contained malicious code. This compromised software build chain enabled the attackers to distribute a trojanized 3CX macOS application, identified as OSX/NukeSped.P.

“Further analysis revealed that the trojanised 3CX macOS application [...] had been digitally signed in late January,” the cybersecurity experts wrote.

“However, ESET telemetry only detected the compromised application on February 14 2023, with a subsequent spike in detections recorded towards the end of March. The affected systems were primarily located in Germany, the United Kingdom, France, the United States and Canada.”

While the attack aimed to deliver additional malware to select 3CX customers, only a few cases were observed, primarily in France and Chile. This second-stage malware targeted cryptocurrency companies on both Windows and macOS platforms.

Read more on 3CX-focused attacks: 3CX Hackers Also Compromised Critical Infrastructure Firms

Notably, the 3CX supply chain attack stemmed from a prior supply chain attack on Trading Technologies' X_TRADER software in 2022, indicating the evolving threat landscape and the need for enhanced cybersecurity measures across all platforms. 

This incident serves as a reminder that vigilance and security are essential defenses against evolving cyber-threats. More information about these attacks is available in the ESET Threat Report H1 2023.

Editorial image credit: Krisda /

What’s hot on Infosecurity Magazine?