Macs under attack by North Korean spies — how to protect yourself

Remember those nice North Korean hackers who destroyed Sony Pictures' computers, spread the WannaCry ransomware worm around the world and stole $100 million from the central bank of Bangladesh? Well, they're back, and they're attacking Macs.

Malwarebytes researchers said today (May 6) that the Lazarus Group, also known as Hidden Cobra, has repurposed the Linux variant of the Dacls remote-access Trojan (RAT) to work on Macs. RATs sneak onto a machine and give a remote attacker partial or full control.

"This Mac version is at least distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers," a Malwarebytes blog post explained. "It boasts a variety of features including command execution, file management, traffic proxying and worm scanning."

We'd normally tell you that you don't have much to fear from state-sponsored hackers. American, Chinese and Russian cyberespionage crews normally just want information and focus on diplomats, military officials, defense contractors, politicians and the like.

But North Korea's hackers have no problem committing regular crimes to make money. So this new Mac malware could just be limited to targeting specific individuals in China -- or it could be the beginning of a sustained mass spying campaign. (The Lazarus Group has been stealing cryptocurrency from Mac users for nearly two years.)

Either way, your best bet for avoiding this Mac RAT is to install and run some of the best Mac antivirus software. Microsoft, Kaspersky, Trend Micro and of course Malwarebytes already recognize this RAT's signature; others will soon add it to their malware-definitions updates.

Paul Wagenseil