Cloudmensis

Malware Profile Updated 13 days ago
CloudMensis is malware built specifically for macOS and was first reported by ESET in July 2022. It reaches devices primarily through email attachments and causes significant security breaches once inside. After installation, CloudMensis checks whether System Integrity Protection (SIP) is disabled, which lets it load its own malicious database onto the compromised system. The malware is also known by several other names, including InkSquid, RedEyes, BadRAT, Reaper, and ScarCruft.

In a targeted campaign last year, the previously unknown macOS spyware "CloudMensis" surfaced, exfiltrating large amounts of data from Apple machines. The extracted information included documents, keystrokes, screen captures, and more, showing the breadth of the threat this malware poses. CloudMensis was identified by APT37, a group notorious for its persistent cyber threats. The malware attempts to dump the access table from the TCC database, further compromising the security of infected systems.

The primary malware used by APT37 is RokRAT, also known as DOGCALL. This backdoor has been adapted to various platforms, including macOS (under the name CloudMensis) and Android (as RambleOn), which indicates that it is being actively developed and maintained. The presence of CloudMensis on multiple platforms underscores the pervasive threat posed by this malware and the group behind it.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so listed here are possible overlapping names and profiles that may also be worth reviewing.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Macos
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CloudMensis malware was read from the document corpus below. This display is limited to 20 results.
Source, created, title:
CERT-EU, a year ago: North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
Checkpoint, a year ago: Chain Reaction: ROKRAT’s Missing Link - Check Point Research
CERT-EU, 10 months ago: macOS Under Attack: Examining the Growing Threat and User Perspectives
DARKReading, a month ago: DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
DARKReading, a year ago: MacStealer Malware Plucks Bushels of Data From Apple Users