Hackers caught spreading new macOS malware

November 12, 2024

North Korean hackers are known for their bold cyberattacks, mostly aimed at stealing money and bypassing economic sanctions to fund the country’s goals. Researchers at Jamf have discovered several hidden macOS malware samples that appear to be linked to North Korean hackers. They found them on VirusTotal, a site where people check files for malware, where the samples were strangely marked as “clean”. Three versions of the malware were found: one written in Go, another in Python, and the third in Flutter.


Google’s open-source framework Flutter is known for allowing developers to build apps for iOS, Android, and other platforms from a single Dart code base. Flutter is popular for its cross-platform simplicity, but its design also makes it a dream tool for attackers, because its code structure makes analysis difficult. This means hackers can more easily embed malicious code without immediately raising a red flag.

In this case, the malware appeared to be a simple Minesweeper game cloned directly from GitHub, with a malicious payload hidden in a dylib file. This complex code attempted to connect to a command and control (C2) server at mbupdate[.]linkpc[.]net, a domain previously linked to North Korean malware. Fortunately, when Jamf found the server, it was down and only returned a “404 Not Found” error, so the attack could not fully take place. But the malware was cunning enough to pass Apple’s notarization process in the first place, which meant that macOS security systems deemed it safe.

In a particularly interesting trick, the malware was configured to execute AppleScript commands sent from the server, and the script was even written in reverse to avoid detection. During Jamf’s tests, they confirmed that the malware was able to remotely execute any AppleScript command sent by the C2 server, which would have given the hackers full control if the attack had been live.
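The two indicators described above (a reversed AppleScript payload and the mbupdate[.]linkpc[.]net C2 domain) lend themselves to a simple triage check. The following is an added example, not code from Jamf or from the article; the sample strings are constructed, and the keyword list and the defanged-domain handling are assumptions a defender would tune to their own environment.

```python
# Constructed sample strings, as an analyst might pull them from a binary's
# string table or a captured C2 response. None of them come from Jamf's report.
SAMPLES = [
    'tell application "Finder" to get name of startup disk',   # plain AppleScript
    'ksid putrats fo eman teg ot "redniF" noitacilppa llet',   # same script, reversed
    'GET /update HTTP/1.1 Host: mbupdate.linkpc.net',          # C2 domain from the article
    'The quick brown fox jumps over the lazy dog',             # benign text
]

# AppleScript fragments that rarely belong in a casual game binary (assumed list).
APPLESCRIPT_KEYWORDS = ("tell application", "do shell script", "osascript", "end tell")
# Known C2 domain from the article; stored in plain form and matched after defanging.
KNOWN_C2_DOMAINS = ("mbupdate.linkpc.net",)


def undefang(text: str) -> str:
    """Turn report-style 'mbupdate[.]linkpc[.]net' back into a matchable domain."""
    return text.replace("[.]", ".").lower()


def applescript_hits(text: str) -> list:
    """Return the AppleScript keywords present in `text` (case-insensitive)."""
    lower = text.lower()
    return [kw for kw in APPLESCRIPT_KEYWORDS if kw in lower]


def classify(text: str) -> dict:
    """Flag plain AppleScript, reversed AppleScript and known C2 domains in one string.

    The reversed check simply mirrors the string before keyword matching, which is
    exactly what defeats the reverse-to-hide trick the article describes.
    """
    result = {
        "applescript": applescript_hits(text),
        "reversed_applescript": applescript_hits(text[::-1]),
        "c2_domain": [d for d in KNOWN_C2_DOMAINS if d in undefang(text)],
    }
    # Plain AppleScript is only informational; reversed script or a C2 hit is suspicious.
    result["suspicious"] = bool(result["reversed_applescript"] or result["c2_domain"])
    return result


def scan(samples) -> list:
    """Classify every sample and return (sample, verdict) pairs for review."""
    return [(s, classify(s)) for s in samples]


if __name__ == "__main__":
    for sample, verdict in scan(SAMPLES):
        print(("SUSPICIOUS " if verdict["suspicious"] else "ok         ") + sample)
```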


For now, this looks like a test run. Jamf suspects these hackers are probing whether their malware can slip past Apple’s defenses. Flutter itself is not malicious, but it helps hide code details. It’s a reminder of how attackers are getting smarter, using common developer tools in new ways to hide their intentions.

Source: Port Altele
