MITRE ATT&CK® Malware

S0369: CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]

Domain: Enterprise | ID: S0369 | Type: Malware | Object version: 1.1 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

CoinTicker matters because it shows how a seemingly useful macOS cryptocurrency utility can become a delivery path for backdoor components. For leaders, the decision value is not the app name alone; it is whether the organization can identify untrusted macOS applications, persistence through Launch Agents, hidden or obfuscated files, and script-based execution before they become an incident-response problem.

Executive priority

Treat this as a macOS endpoint and software-trust risk. Organizations with executives, developers, finance teams, or cryptocurrency-adjacent users on macOS should confirm that application control, endpoint telemetry, and incident response procedures cover non-App-Store or untrusted apps, Gatekeeper bypass indicators, and user-level persistence. This object supports prioritizing macOS visibility and audit evidence around application provenance, persistence monitoring, and suspicious tool transfer rather than focusing only on Windows-centric controls.

Technical view

ATT&CK describes CoinTicker as a malicious macOS application posing as a cryptocurrency price ticker that installs components of the open source backdoors EvilOSX and EggShell. Related ATT&CK behaviors include obfuscated files or information, deobfuscation/decoding, ingress tool transfer, Unix shell and Python execution, Launch Agent persistence, Gatekeeper bypass, and hidden files/directories. SOC and IR teams should validate macOS collection for application launches, quarantine/Gatekeeper-related metadata, LaunchAgent plist creation or modification, hidden file creation, scripting interpreter execution, and network/file-transfer activity associated with newly installed applications. The relationship set also includes Windows Command Shell, but the supplied platform for CoinTicker is macOS, so detection validation should not assume Windows exposure from this object alone.

Likely telemetry

  • macOS endpoint process execution events, especially app-spawned shell or Python activity
  • File creation and modification events for LaunchAgent property lists in user and system LaunchAgents paths
  • Application provenance, code-signing, notarization, quarantine, and Gatekeeper-related metadata where available
  • File-system telemetry for hidden files/directories and obfuscated or decoded payload artifacts
  • Network connection and download/file-transfer logs from newly installed or rarely used macOS applications

Detection direction

  • Build detections around behavior chains: new or suspicious macOS app execution followed by shell/Python execution, file download, hidden file creation, and LaunchAgent persistence.
  • Validate visibility into Gatekeeper bypass indicators and quarantine attribute changes, but tune carefully because legitimate administrative and developer workflows may manipulate application attributes.
  • Monitor LaunchAgent plist creation or modification, especially in user-writable locations, and correlate with recently downloaded applications.
  • Review obfuscation/deobfuscation signals together with execution context; obfuscated files alone can create noise without process, path, and parent-child context.
  • Because ATT&CK provides no official detection text for this object, use the related techniques to drive coverage testing rather than assuming a CoinTicker-specific analytic exists.
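The behavior-chain approach in the bullets above, written out as an added example (this is not code from the ATT&CK object or from Glexia). It runs over constructed endpoint events whose field names (ts, type, pid, ppid, image, path) are assumptions about a normalized EDR feed, not a real product schema; it attributes each event to the app-bundle process that transitively spawned it and alerts only when several stages of the chain (shell or Python execution, curl download, hidden file creation, LaunchAgent plist creation) are seen under the same app, so a lone dotfile write or shell launch stays below threshold:

```python
"""Behavior-chain detection for CoinTicker-style macOS activity (added example)."""
import os
import re
from collections import defaultdict

# Stage labels follow the related ATT&CK techniques listed on this page.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
PYTHON_RE = re.compile(r"/python[0-9.]*$")
# ~/Library/LaunchAgents/<name>.plist or /Library/LaunchAgents/<name>.plist
LAUNCH_AGENT_RE = re.compile(r"^(/Users/[^/]+)?/Library/LaunchAgents/[^/]+\.plist$")
# Main executable inside an .app bundle; the chain is rooted at such a process.
APP_BINARY_RE = re.compile(r"\.app/Contents/MacOS/[^/]+$")


def stages_for_event(ev):
    """Return the set of chain stages one event contributes (possibly empty)."""
    found = set()
    if ev["type"] == "process":
        img = ev["image"]
        if img in SHELLS:
            found.add("T1059.004 unix shell")
        elif PYTHON_RE.search(img):
            found.add("T1059.006 python")
        elif os.path.basename(img) == "curl":
            found.add("T1105 ingress tool transfer (curl)")
    elif ev["type"] == "file":
        path = ev["path"]
        name = os.path.basename(path)
        if LAUNCH_AGENT_RE.search(path):
            found.add("T1543.001 launch agent")
        if name.startswith(".") and name not in (".", ".."):
            found.add("T1564.001 hidden file")
    return found


def correlate(events, min_stages=3):
    """Group events under the .app process in their ancestry; alert on rich chains."""
    parent = {}   # pid -> ppid, from process events
    roots = {}    # pid -> image, for processes that are app-bundle executables
    for ev in events:
        if ev["type"] == "process":
            parent[ev["pid"]] = ev["ppid"]
            if APP_BINARY_RE.search(ev["image"]):
                roots[ev["pid"]] = ev["image"]

    chains = defaultdict(set)
    for ev in events:
        # Walk up the process tree until an app-bundle root (or the top) is hit.
        pid, root, seen = ev["pid"], None, set()
        while pid is not None and pid not in seen:
            if pid in roots:
                root = pid
                break
            seen.add(pid)
            pid = parent.get(pid)
        if root is None:
            continue
        chains[root] |= stages_for_event(ev)

    return [
        {"app": roots[root], "root_pid": root, "stages": sorted(stages)}
        for root, stages in chains.items()
        if len(stages) >= min_stages
    ]


# Constructed sample telemetry: one CoinTicker-like chain and one benign Terminal session.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process", "pid": 500, "ppid": 1,
     "image": "/Applications/CoinTicker.app/Contents/MacOS/CoinTicker"},
    {"ts": 2, "type": "process", "pid": 501, "ppid": 500, "image": "/bin/sh"},
    {"ts": 3, "type": "process", "pid": 502, "ppid": 501, "image": "/usr/bin/curl"},
    {"ts": 4, "type": "file", "pid": 502, "path": "/private/tmp/.info.enc"},
    {"ts": 5, "type": "process", "pid": 503, "ppid": 501, "image": "/usr/bin/python"},
    {"ts": 6, "type": "file", "pid": 503, "path": "/Users/alice/Library/LaunchAgents/.espl.plist"},
    # Benign: Terminal spawns a shell that edits a dotfile; no download, no persistence.
    {"ts": 7, "type": "process", "pid": 600, "ppid": 1,
     "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": 8, "type": "process", "pid": 601, "ppid": 600, "image": "/bin/zsh"},
    {"ts": 9, "type": "file", "pid": 601, "path": "/Users/alice/.zshrc"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample above only the CoinTicker chain is reported (five distinct stages); the Terminal session reaches two stages and is dropped, which is the noise-reduction the bullets ask for. In production the event window and the `min_stages` threshold are the tuning knobs, and the app-root attribution depends on the EDR preserving parent pids across the shell and interpreter hops.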

Mitigation priorities

  • Prioritize macOS application control and software provenance controls for untrusted or unsigned applications, especially utilities downloaded outside managed channels.
  • Ensure endpoint protection and logging cover macOS persistence locations, scripting interpreters, and file-transfer behavior.
  • Harden and monitor Gatekeeper-related protections without relying on them as the only control, since the related ATT&CK behavior includes Gatekeeper bypass.
  • Maintain IR playbooks for suspicious macOS applications that include containment, LaunchAgent review, hidden file discovery, and backdoor component triage.
  • Use awareness and policy controls for high-risk lure categories such as cryptocurrency utilities when relevant to the organization.

Analyst notes and limits

The most useful defensive framing is macOS readiness: can the team prove it sees untrusted app execution, persistence, hidden artifacts, and script-based activity? CoinTicker is also a reminder that open source backdoor components can appear inside a branded application, so triage should focus on behaviors and artifacts rather than only the application name.

The supplied ATT&CK object has no official detection text, no specified tactics on the malware object, and only one external reporting reference. Conclusions are limited to the official description and listed ATT&CK relationships. Local telemetry, asset inventory, and application allowlisting data are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

9 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1564.001 | Hidden Files and Directories (sub-technique)
  CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string] [1]

Enterprise | T1027 | Obfuscated Files or Information
  CoinTicker initially downloads a hidden encoded file. [1]

Enterprise | T1059.004 | Unix Shell (sub-technique)
  CoinTicker executes a bash script to establish a reverse shell. [1]

Enterprise | T1105 | Ingress Tool Transfer
  CoinTicker executes a Python script to download its second stage. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL. [1]

Enterprise | T1543.001 | Launch Agent (sub-technique)
  CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence. [1]

Enterprise | T1059.006 | Python (sub-technique)
  CoinTicker executes a Python script to download its second stage. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  CoinTicker executes a bash script to establish a reverse shell. [1]

Enterprise | T1553.001 | Gatekeeper Bypass (sub-technique)
  CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag. [1]
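The Launch Agent and Hidden Files rows above name concrete persistence artifacts (.espl.plist, com.apple.[random string].plist, scripts under /private/tmp). The following added example (not code from the ATT&CK object or from Glexia) audits a LaunchAgents directory for those patterns using only the standard-library plistlib. The sample plists are constructed here and written to a temporary directory standing in for ~/Library/LaunchAgents; the "Apple-namespaced label in a user-writable directory" check is my own heuristic, based on Apple shipping its agents under /System/Library/LaunchAgents rather than per-user paths:

```python
"""Audit user LaunchAgents for CoinTicker-style persistence artifacts (added example)."""
import os
import plistlib
import re
import tempfile

HIDDEN_COMPONENT_RE = re.compile(r"/\.[^/]+")     # any dot-prefixed path element
TMP_RE = re.compile(r"^(/private)?/tmp/")         # payload staged in a temp directory
INTERPRETERS = {"sh", "bash", "zsh", "python", "python2", "python3"}


def audit_plist(path):
    """Return the reasons a LaunchAgent plist looks suspicious (empty list if none)."""
    reasons = []
    name = os.path.basename(path)
    if name.startswith("."):
        reasons.append("hidden plist filename")
    if name.startswith("com.apple."):
        # Heuristic (mine): Apple's own agents live in /System/Library/LaunchAgents,
        # so an Apple-namespaced name in a user-writable LaunchAgents dir merits review.
        reasons.append("Apple-namespaced label in user LaunchAgents")
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return reasons + [f"unparseable plist: {exc.__class__.__name__}"]

    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program")
    if program:
        args = [program] + args
    for arg in args:
        if not isinstance(arg, str):
            continue
        if TMP_RE.search(arg):
            reasons.append(f"runs from temp: {arg}")
        if HIDDEN_COMPONENT_RE.search(arg):
            reasons.append(f"hidden path component: {arg}")
    if args and os.path.basename(args[0]) in INTERPRETERS:
        reasons.append(f"interpreter as program: {args[0]}")
    return reasons


def audit_dir(directory):
    """Audit every .plist in a LaunchAgents directory; os.listdir includes dotfiles."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        reasons = audit_plist(os.path.join(directory, name))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample agents, modelled on the artifact names in the ATT&CK entry,
# plus one benign agent that should pass the audit.
SAMPLE_AGENTS = {
    ".espl.plist": {
        "Label": "espl",
        "ProgramArguments": ["/bin/sh", "/private/tmp/.server.sh"],
        "RunAtLoad": True,
    },
    "com.apple.abc123.plist": {
        "Label": "com.apple.abc123",
        "ProgramArguments": ["/usr/bin/python", "/private/tmp/.info.py"],
        "RunAtLoad": True,
    },
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup-agent", "--daemon"],
        "StartInterval": 3600,
    },
}


def run_demo():
    """Write the constructed agents to a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_AGENTS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(content, fh)
        return audit_dir(tmp)


if __name__ == "__main__":
    for plist_name, why in run_demo().items():
        print(plist_name, "->", "; ".join(why))
```

Point `audit_dir` at a real user's ~/Library/LaunchAgents (and /Library/LaunchAgents) to get the same report on a live host; each reason string maps back to a row in the relationship table, which keeps triage tied to behavior and artifacts rather than to the application name.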


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 78467b08494e61f2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 78467b08494e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CoinTicker 2019
     Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  2. [2] mitre-attack S0369

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.