do son 
In the ever-evolving landscape of cyber threats, the macOS platform is not immune. A malware loader platform known as ReaderUpdate has been silently lurking in the wild since at least 2020, evading the radar of many vendors and remaining largely undetected. SentinelOne’s recent analysis sheds light on this persistent threat, uncovering new variants and providing a technical breakdown of its operations.
The original ReaderUpdate binary, first observed in 2020, is an x86 Mach-O file typically found in the ~/Library/Application Support/ folder with a companion persistence agent in the user’s LaunchAgents folder. This initial variant embedded the Python runtime to deliver a compiled Python script obfuscated with pyarmor.
In 2023, reports indicated that ReaderUpdate infections were seen alongside WizardUpdate (aka UpdateAgent, Silver Toucan) infections, delivering Genieo (aka DOLITTLE) adware. Despite this activity, the loader remained largely dormant until the latter half of 2024, when a resurgence of new macOS malware samples written in Crystal, Nim, and Rust gained attention. SentinelOne’s discovery of Go variants further connects these activities, attributing them to the same cluster responsible for the earlier ReaderUpdate infections.
SentinelOne’s analysis of the Go variant reveals an x86 binary with randomized function names, a tactic used to hinder analysis. The malware begins by collecting system hardware information using the native system_profiler SPHardwareDataType command to generate a unique identifier for the victim.
ReaderUpdate then ensures its parent process runs from the ~/Library/Application Support/<malware name>/ folder, copying itself into this directory. It also creates a companion .plist file in the ~/Library/LaunchAgents/ folder.
The malware’s authors made a critical oversight: the code fails if the Library LaunchAgents folder does not exist by default on a new macOS install. If the folder is present, the malware unloads and reloads the launchd process.
Communication with the command and control (C2) server involves sending the unique identifier derived from the hardware UUID. The malware can parse and execute responses from the C2 server using Go’s os/exec package, indicating its capability to execute arbitrary remote commands.
While current ReaderUpdate infections primarily deliver adware, the loader’s functionality leaves compromised hosts vulnerable to more malicious payloads, posing a risk for Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) operations.
ReaderUpdate employs various obfuscation techniques, including randomizing strings and using character substitution routines, to complicate analysis.
The Go variant, though less common than the Nim, Crystal, and Rust variants, connects to a larger infrastructure that ties the different variants together, including the original Python version, through the domain entryway[.]world.
ReaderUpdate represents a widespread campaign utilizing binaries written in various source languages, each posing unique detection and analysis challenges. The platform’s ability to quietly infect victims and deliver various payloads, from adware to potentially more malicious threats, underscores the importance of vigilance and robust security measures.
