S0584: AppleJeus
AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]
Analyst context for executives and security teams
AppleJeus matters because it represents trojanized application delivery of downloader malware on Windows and macOS, originally observed in cryptocurrency-themed applications. For leaders, the practical issue is not only malware blocking; it is whether the organization can validate software trust, user-driven execution, installer behavior, persistence creation, and outbound web-based command-and-control activity across both endpoint platforms.
Executive priority
Prioritize this as a software supply-chain and endpoint resilience concern where Windows or macOS users install third-party applications, especially in business areas exposed to finance, cryptocurrency, technology, government, energy, industry, or telecommunications themes referenced by ATT&CK. Executives should ask whether controls can prove: users are protected from malicious links/files, installers and code signing are assessed, persistence changes are monitored, and incident responders can reconstruct activity when files are hidden, deleted, or obfuscated.
Technical view
ATT&CK provides no standalone detection text for AppleJeus, so validation should be relationship-driven. SOC and detection teams should test coverage for spearphishing links and user execution, suspicious installer package behavior, msiexec abuse on Windows, launchctl and Launch Daemon activity on macOS, Windows service and scheduled task creation, UAC bypass indicators, hidden/deleted/obfuscated files, system discovery, time-based sandbox evasion, and HTTP/S-style C2 with possible exfiltration over the same channel. Because AppleJeus is described as a downloader that has distributed FALLCHILL, investigations should treat downloader activity as a potential precursor to additional payloads rather than as a complete incident scope.
Likely telemetry
- Endpoint process creation telemetry for Windows and macOS
- Windows service creation/modification events
- Windows scheduled task creation and execution events
- macOS launchctl usage and Launch Daemon plist changes
- Installer package execution and pre/post-install script activity
Detection direction
- Correlate user-click or downloaded-application events with installer execution and immediate persistence creation.
- Tune for suspicious msiexec, scheduled task, and Windows service activity, while accounting for legitimate software deployment noise.
- On macOS, monitor launchctl activity and Launch Daemon creation or modification, especially following new application installation.
- Review code signing context, not just signature presence: the technique table below records AppleJeus carrying a valid Sectigo signature, so a good signature alone does not establish trust.
- Look for hidden files, file deletion, and obfuscated/deobfuscated content as investigation pivots, not isolated high-confidence alerts.
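The correlation in the first three bullets, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small Python rule over constructed endpoint events that flags a host where a scheduled task, service, Launch Daemon plist or launchctl load follows an installer run within a few minutes, on either platform. Event field layout, host names, file names and the five-minute window are assumptions.

```python
# Added example (not from ATT&CK or Glexia): correlate installer execution with
# persistence creation on the same host inside a short window. Event layout,
# host names and file names are constructed for illustration.
from datetime import datetime, timedelta

# Constructed endpoint events: (timestamp, host, platform, kind, detail).
EVENTS = [
    ("2024-05-06T09:00:00", "WS01", "windows", "process", "msiexec.exe /i CoinTrader.msi"),
    ("2024-05-06T09:00:41", "WS01", "windows", "process", "schtasks.exe /create /ru SYSTEM /sc ONLOGON /tn Updater"),
    ("2024-05-06T09:02:10", "WS01", "windows", "file_delete", "C:\\Users\\a\\Downloads\\CoinTrader.msi"),
    ("2024-05-06T10:15:00", "MAC07", "macos", "process", "installer -pkg CoinTrader.pkg -target /"),
    ("2024-05-06T10:15:08", "MAC07", "macos", "file_create", "/Library/LaunchDaemons/com.cointrader.plist"),
    ("2024-05-06T10:15:09", "MAC07", "macos", "process", "launchctl load /Library/LaunchDaemons/com.cointrader.plist"),
    ("2024-05-06T11:00:00", "WS02", "windows", "process", "msiexec.exe /i Office.msi"),  # benign: nothing follows
]

# Installer launches worth anchoring on (T1218.007 msiexec, T1546.016 installer packages).
INSTALLER_MARKERS = ("msiexec", "installer -pkg")
# Persistence artifacts by event kind (T1053.005, T1543.003, T1543.004, T1569.001).
PERSISTENCE_MARKERS = {
    "process": ("schtasks", "sc create", "sc.exe create", "launchctl load", "launchctl bootstrap"),
    "file_create": ("/Library/LaunchDaemons/", "\\Windows\\System32\\Tasks\\"),
}


def correlate(events, window=timedelta(minutes=5)):
    """Return one finding per (host, installer run) where a persistence artifact
    appeared within `window` after the installer. Raw details are kept so an
    analyst can pivot rather than treating the finding as a verdict."""
    by_host = {}
    for ts, host, platform, kind, detail in sorted(events):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), platform, kind, detail))
    findings = []
    for host, evs in by_host.items():
        installs = [(t, p, d) for t, p, k, d in evs
                    if k == "process" and any(m in d for m in INSTALLER_MARKERS)]
        for t0, platform, install in installs:
            followups = [d for t, _, k, d in evs
                         if t0 < t <= t0 + window
                         and any(m in d for m in PERSISTENCE_MARKERS.get(k, ()))]
            if followups:
                findings.append({"host": host, "platform": platform,
                                 "installer": install, "persistence": followups})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["host"], f["platform"], "->", f["persistence"])
```

The benign WS02 install produces no finding, which is the noise control the second bullet asks for; legitimate deployment tooling that also creates tasks or services still needs an allow-list on top of this.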
Mitigation priorities
- Strengthen user-facing controls for malicious links and files, including email/web filtering and user reporting workflows.
- Restrict or govern installation of unapproved third-party applications on Windows and macOS where business feasible.
- Harden installer execution paths and monitor installer scripts that inherit elevated permissions.
- Enforce least privilege and reduce routine local administrator use to limit UAC bypass, service creation, Launch Daemon installation, and installer persistence opportunities.
- Require endpoint telemetry coverage for both Windows and macOS persistence mechanisms before claiming detection readiness.
Analyst notes and limits
The supplied ATT&CK object identifies AppleJeus as a downloader family embedded in trojanized cryptocurrency applications, used by Lazarus Group, and associated with Windows and macOS. The most useful defensive interpretation comes from the listed technique relationships, which span initial access, execution, persistence, privilege escalation, stealth, discovery, command and control, and exfiltration behaviors.
MITRE does not provide official detection text for this object, and the object itself lists no tactics. This take therefore avoids asserting specific detection coverage or current activity. Local software inventory, endpoint logging depth, email/web telemetry, and macOS/Windows control maturity are required to determine real exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AppleJeus has decoded files received from a C2.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | AppleJeus has deleted the MSI file after installation.[1] |
| Enterprise | T1546.016 | Installer Packages Sub-technique | During AppleJeus's installation process, it uses `postinstall` scripts to extract a hidden plist from the application's `/Resources` folder and execute the `plist` file as a Launch Daemon with elevated permissions. (ObjectiveSee AppleJeus 2019) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | AppleJeus has exfiltrated collected host information to a C2 server.[1] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | AppleJeus has been distributed via spearphishing link.[1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | AppleJeus can install itself as a service.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | AppleJeus has added a leading |
| Enterprise | T1569.001 | Launchctl Sub-technique | AppleJeus has loaded a plist file using the |
| Enterprise | T1071.001 | Web Protocols Sub-technique | AppleJeus has sent data to its C2 server via |
| Enterprise | T1553.002 | Code Signing Sub-technique | AppleJeus has used a valid digital signature from Sectigo to appear legitimate.[1] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.[1] (ObjectiveSee AppleJeus 2019) |
| Enterprise | T1082 | System Information Discovery | AppleJeus has collected the victim host information after infection.[1] |
| Enterprise | T1218.007 | Msiexec Sub-technique | AppleJeus has been installed via MSI installer.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.[1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | AppleJeus has required user execution of a malicious MSI installer.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | AppleJeus has waited a specified time before downloading a second stage payload.[1] |
| Enterprise | T1543.004 | Launch Daemon Sub-technique | AppleJeus has placed a plist file within the |
| Enterprise | T1204.001 | Malicious Link Sub-technique | AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1] |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f4d42ce75d8f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA AppleJeus Feb 2021: Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea's Cryptocurrency Malware. Retrieved March 1, 2021.
[2] AppleJeus (Citation: CISA AppleJeus Feb 2021)
[3] mitre-attack S0584
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.