S0498: Cryptoistic

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[1]

Enterprise · S0498 · Malware · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Cryptoistic is a macOS backdoor identified by ATT&CK as Swift-written malware used by Lazarus Group. Its business relevance is less about a broad, fully documented malware profile and more about validating whether macOS endpoints receive the same SOC visibility, incident response playbooks, and control scrutiny as Windows systems. The mapped behaviors include local data collection, user and file discovery, file deletion, tool transfer, and encrypted or non-application-layer command-and-control, which are the kinds of actions that can undermine containment and evidence preservation if macOS telemetry is thin.

Executive priority

Treat this as a prompt to test macOS readiness against state-sponsored malware tradecraft documented in ATT&CK. Leaders should ask whether managed detection, IR, asset inventory, endpoint controls, and network monitoring cover macOS systems well enough to identify discovery, file access, tool ingress, cleanup activity, and unusual C2 patterns. It also supports audit and risk conversations around whether non-Windows endpoints are included in logging, retention, response authority, and escalation processes.

Technical view

Cryptoistic is a macOS malware object with relationships to Lazarus Group and techniques T1005, T1033, T1070.004, T1083, T1095, T1105, and T1573. SOC and IR teams should validate visibility for macOS process execution, file-system enumeration, local data access, user discovery, file deletion, inbound file/tool creation, and network sessions that may use encrypted channels or protocols outside expected application-layer traffic. Because ATT&CK provides no official detection text for this object, detections should be technique-led rather than malware-signature-dependent.

Likely telemetry

  • macOS endpoint process execution and parent-child process context
  • macOS file creation, access, enumeration, and deletion events
  • User/session and account context from macOS hosts
  • Endpoint network connection metadata from macOS systems
  • Network telemetry capable of identifying unusual encrypted channels or non-application-layer protocol use

Detection direction

  • Validate technique-level coverage for Data from Local System, System Owner/User Discovery, File and Directory Discovery, File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, and Encrypted Channel on macOS.
  • Tune detections around suspicious combinations: user/file discovery followed by local data access, new tool/file arrival, deletion activity, and outbound encrypted or unusual protocol communications.
  • Review false positives from legitimate administration, software update mechanisms, backup tools, developer tooling, and security agents that enumerate files, transfer binaries, or delete temporary artifacts.
  • Confirm macOS telemetry parity with other endpoint platforms; a common blind spot is assuming enterprise endpoint coverage exists without verifying event depth, retention, and analyst access for macOS.
  • Use the Lazarus Group relationship as threat-intelligence context for prioritization, not as proof of attribution in any local alert.
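As an added example (not part of the page, nor code from Glexia or MITRE), the following Python sketches the "suspicious combination" tuning described above: it correlates technique-tagged macOS endpoint events per host and process inside a time window, and suppresses a hypothetical allowlist of reviewed benign tooling. The events, host and process names, and the allowlist are constructed, and the mapping of raw telemetry to ATT&CK technique IDs is assumed to have been done upstream in the SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour groups built from the techniques mapped to Cryptoistic on this page.
DISCOVERY = {"T1033", "T1083"}          # user / file and directory discovery
ACCESS_OR_INGRESS = {"T1005", "T1105"}  # local data access / tool transfer
CLEANUP = {"T1070.004"}                 # file deletion
UNUSUAL_C2 = {"T1095", "T1573"}         # raw TCP / encrypted channel

# Constructed sample events; hosts, process names and times are illustrative.
# Assumes the SIEM has already tagged each event with its ATT&CK technique.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "mac-01", "proc": "helper", "technique": "T1083"},
    {"ts": "2024-01-10T09:00:05", "host": "mac-01", "proc": "helper", "technique": "T1033"},
    {"ts": "2024-01-10T09:01:10", "host": "mac-01", "proc": "helper", "technique": "T1005"},
    {"ts": "2024-01-10T09:02:00", "host": "mac-01", "proc": "helper", "technique": "T1573"},
    {"ts": "2024-01-10T09:03:30", "host": "mac-01", "proc": "helper", "technique": "T1070.004"},
    {"ts": "2024-01-10T10:00:00", "host": "mac-02", "proc": "backupd", "technique": "T1083"},
    {"ts": "2024-01-10T10:00:20", "host": "mac-02", "proc": "backupd", "technique": "T1070.004"},
    {"ts": "2024-01-10T11:00:00", "host": "mac-03", "proc": "curl", "technique": "T1105"},
]

# Hypothetical allowlist: reviewed tooling that legitimately enumerates or deletes files.
KNOWN_BENIGN = {"backupd"}


def correlate(events, window=timedelta(minutes=10), min_groups=3):
    """Return {host: sorted techniques} for hosts where one process shows at least
    min_groups of the four behaviour groups inside `window` of a starting event.
    A single discovery or deletion event never fires on its own."""
    by_key = defaultdict(list)
    for e in events:
        if e["proc"] in KNOWN_BENIGN:
            continue  # reviewed false-positive source, see the tuning note above
        by_key[(e["host"], e["proc"])].append(
            (datetime.fromisoformat(e["ts"]), e["technique"]))
    hits = {}
    for (host, _proc), evs in by_key.items():
        evs.sort()  # chronological; a window is opened at each event in turn
        for i, (t0, _) in enumerate(evs):
            in_window = {tech for t, tech in evs[i:] if t - t0 <= window}
            groups = sum(bool(in_window & g)
                         for g in (DISCOVERY, ACCESS_OR_INGRESS, CLEANUP, UNUSUAL_C2))
            if groups >= min_groups:
                hits[host] = sorted(in_window)
                break
    return hits
```

Lowering `min_groups` or widening `window` trades precision for recall; the allowlist is where the false-positive review from the list above is encoded.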

Mitigation priorities

  • Prioritize complete macOS asset inventory, endpoint security coverage, and centralized logging before relying on analytic detections.
  • Restrict unnecessary outbound protocols and monitor encrypted egress patterns from macOS endpoints, especially where business use is limited or predictable.
  • Harden endpoint controls to limit unauthorized tool transfer, execution, and access to sensitive local data.
  • Ensure incident response procedures preserve macOS file-system and network evidence, including cases where malware may delete files to reduce forensic traces.
  • Include macOS systems in compliance evidence, logging retention, and tabletop exercises so response teams can demonstrate coverage beyond Windows-centric workflows.

Analyst notes and limits

ATT&CK identifies Cryptoistic as a Swift backdoor for macOS and relates it to Lazarus Group usage plus several collection, discovery, defense evasion, and command-and-control techniques. The most useful defensive approach is to map these relationships to local macOS telemetry and response procedures rather than overfitting to a named malware family.

The supplied ATT&CK object has no official detection guidance, no aliases, and no explicit tactics listed on the malware object itself. Details such as persistence method, initial access, specific indicators, C2 infrastructure, prevalence, and current activity are not provided in the supplied fields. Local environment evidence is required before making exposure, attribution, or detection-coverage claims.

Official MITRE ATT&CK definition

Cryptoistic

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1005 | Data from Local System | Cryptoistic can retrieve files from the local file system.[1]
Enterprise | T1573 | Encrypted Channel | Cryptoistic can engage in encrypted communications with C2.[1]
Enterprise | T1070.004 | File Deletion (sub-technique) | Cryptoistic has the ability to delete files from a compromised host.[1]
Enterprise | T1083 | File and Directory Discovery | Cryptoistic can scan a directory to identify files for deletion.[1]
Enterprise | T1105 | Ingress Tool Transfer | Cryptoistic has the ability to send and receive files.[1]
Enterprise | T1095 | Non-Application Layer Protocol | Cryptoistic can use TCP in communications with C2.[1]
Enterprise | T1033 | System Owner/User Discovery | Cryptoistic can gather data on the user of a compromised host.[1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f50f8da94eeb16af...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f50f8da94eeb…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] SentinelOne Lazarus macOS July 2020: Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  2. [2] mitre-attack S0498

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.