North Korean hackers are well-known for their bold cyberattacks, mostly aimed at stealing money to fund the country’s goals and get around economic sanctions. Researchers at Jamf have discovered some sneaky malware on macOS that appears to be linked to North Korean hackers. They found it on VirusTotal, a site where people check files for malware, but oddly, it was listed as “clean.” The malware came in three versions: one written in Go, another in Python, and the third using Flutter.
Flutter, Google’s open-source framework, is known for letting developers build apps for iOS, Android, and more from a single codebase in Dart. While it’s popular for its cross-platform ease, Flutter’s design also makes it a dream tool for attackers, as its code structure makes analysis tricky. This means hackers can sneak in malicious code more easily without immediately raising flags.
In this case, the malware pretended to be a simple Minesweeper game cloned directly from GitHub, with the malicious payload hidden in a dylib file. This hidden code tried connecting to a command-and-control (C2) server at mbupdate[.]linkpc[.]net, a domain with links to previous North Korean malware. Luckily, the server was inactive when Jamf found it, giving only a “404 Not Found” error, so the attack didn’t fully unfold. However, the malware was slick enough to slip through Apple’s notarization process initially, which meant macOS security systems thought it was safe.
An especially interesting trick here: the malware was set up to execute AppleScript commands sent from the server and even ran them backward to avoid detection. In Jamf’s tests, they confirmed the malware could remotely run any AppleScript command the C2 server sent, which could’ve given hackers full control if the attack had been live.
For now, it seems like this might have been a test run. Jamf suspects these hackers are experimenting with ways to sneak malware past Apple’s defenses. Flutter itself isn’t malicious, but it helps hide code details by design. It’s a reminder of how attackers are getting smarter, using regular developer tools in new ways to mask their intent.