
Severity: Danger | Type: Trojan | Discovered: 2023

RustBucket

Also known as: REF9135, BlueNoroff RustBucket

What is RustBucket?

RustBucket is a macOS backdoor attributed to BlueNoroff, a sub-group of North Korea's Lazarus Group. It uses a multi-stage attack chain: a fake PDF viewer application loads a trojanized document that downloads a Rust-written backdoor. It targets cryptocurrency companies and financial institutions, capable of persistent system access and data exfiltration.

How It Spreads

Spear-phishing emails with fake PDF documents requiring a 'special viewer'

Fake PDF reader application (Internal PDF Viewer.app) sent as a ZIP attachment

Second-stage payload embedded in crafted PDF documents

Social engineering targeting cryptocurrency and venture capital employees

Signs of Infection

Received a PDF that requires a custom viewer application to open

Application named 'Internal PDF Viewer' or similar in /Applications

Rust-compiled process making persistent connections to external servers

Unexpected DNS queries to domains resembling legitimate cloud services

How to Remove RustBucket

1. Isolate and disconnect

Disconnect from all networks immediately. RustBucket is APT-grade malware designed for persistent access — assume the attacker may have active access to your system.

2. Remove the fake PDF viewer

Delete 'Internal PDF Viewer' or any similar suspicious PDF application from /Applications. Also remove the malicious PDF document that triggered the second-stage download.

3. Remove persistence

Check ~/Library/LaunchAgents and /Library/LaunchDaemons for plist files establishing persistence. RustBucket maintains a persistent backdoor that reconnects after system restart.

4. Audit accessed data

Review what files, credentials, and systems were accessible from this Mac. Assume all accessed data is compromised and rotate credentials accordingly.

5. Scan with CoreLock and escalate

Run a CoreLock deep scan to find all RustBucket components. Given this is state-sponsored malware, consider engaging professional incident response for thorough analysis.
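The following triage script is an added example, not CoreLock's code or anything from the RustBucket reports. It automates the manual checks in steps 2 and 3 above (a custom "PDF Viewer" app in /Applications, launchd plists in ~/Library/LaunchAgents and /Library/LaunchDaemons) and the code-signing check from the detection section; the app-name pattern and the "unusual program path" heuristic are assumptions, and a flagged item is a lead to review, not proof of compromise.

```shell
#!/bin/sh
# Added triage helper (not CoreLock's code): looks for the indicators the page lists.
# Assumptions: the fake viewer's bundle name contains "pdf" and "viewer"; programs
# outside Apple-managed paths are worth a manual look.

# Print .app bundles directly under DIR whose name looks like a custom PDF viewer.
find_pdf_viewer_apps() {
    find "$1" -maxdepth 1 -type d -iname '*pdf*viewer*.app' 2>/dev/null | sort
}

# Report the code-signing status of one app bundle (macOS only; codesign is absent elsewhere).
check_signature() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign unavailable, cannot verify: $1"; return 2
    fi
    if codesign --verify --deep --strict "$1" 2>/dev/null; then
        echo "valid signature: $1"; return 0
    fi
    echo "UNSIGNED or broken signature: $1"; return 1
}

# For every .plist in the given directories print "plist<TAB>program", where program is
# the first <string> after a Program or ProgramArguments key (what launchd will execute).
list_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            prog=$(awk '
                /<key>Program<\/key>|<key>ProgramArguments<\/key>/ { want = 1 }
                want && match($0, /<string>[^<]*<\/string>/) {
                    print substr($0, RSTART + 8, RLENGTH - 17); exit
                }' "$plist")
            printf '%s\t%s\n' "$plist" "${prog:-<no program>}"
        done
    done
}

# Keep only launch items whose program lives outside Apple-managed paths; an item
# pointing into /Applications or a home directory is where to look first, not a verdict.
flag_unusual_launch_items() {
    list_launch_items "$@" | awk -F "$(printf '\t')" '$2 !~ /^\/(System|usr|Library\/Apple)\// { print }'
}

# Live use on a Mac (uncomment):
# find_pdf_viewer_apps /Applications | while IFS= read -r app; do check_signature "$app"; done
# flag_unusual_launch_items "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
```

Review each flagged plist's program before deleting it, and keep a copy of the app bundle and plists for the incident responders mentioned in step 5.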

Prevention Tips

Never install custom PDF viewers to read documents — legitimate PDFs open in Preview

Be suspicious of ZIP-attached applications from any source, even seemingly known contacts

Verify sender identity through independent channels before opening attachments

Use CoreLock's code signing verification to detect unsigned or suspiciously signed applications

How CoreLock Detects RustBucket

Real-time Detection

CoreLock detects RustBucket through multi-stage behavioral analysis tracking the fake PDF viewer to payload delivery chain, YARA signatures matching known Rust-compiled backdoor variants, code signing verification flagging the unsigned fake PDF viewer, and network monitoring detecting C2 beacon patterns associated with BlueNoroff infrastructure.

Frequently Asked Questions

What is RustBucket malware?

RustBucket is a macOS backdoor operated by BlueNoroff, a North Korean state-sponsored group focused on financial theft. It uses a multi-stage attack: a fake PDF viewer loads a malicious PDF that downloads a Rust-written backdoor, giving attackers persistent access to the infected system.

Why is it called RustBucket?

The name comes from the backdoor's second- and third-stage payloads being written in Rust, a systems programming language. Using Rust lets the malware be built for multiple platforms and makes reverse engineering more difficult for security researchers.

Who does RustBucket target?

RustBucket specifically targets employees at cryptocurrency companies, venture capital firms, and financial institutions. The attackers use convincing spear-phishing with investment memos, market research, or business proposals as lures to deliver the initial fake PDF viewer.

Protect Your Mac from RustBucket

Download CoreLock to detect and remove RustBucket and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
