
Threat Research Knowledge Base

Backdoor Activator

Description

Backdoor Activator is a macOS malware campaign that spreads through infected copies of popular applications and productivity tools, often via torrent downloads. Disguised as software 'Activators' to crack legitimate applications, this malware family compromises system security and may facilitate unauthorized remote access.


Variant Names

N/A

Alternative Names

  • Bkdr.Activator

Country of origin

Unknown

Symptoms

You might observe the following artifacts associated with this threat:

  • Presence of an "Activator" application alongside a non-functional version of the desired software.
  • Unexpected requests for administrator passwords during the execution of the "Activator."
  • Changes to system security settings, such as Gatekeeper being disabled to allow applications from unidentified developers.

Technical Breakdown

Backdoor Activator is often distributed through torrent links offering cracked versions of popular macOS software. The downloaded disk image typically contains two applications: an unusable version of the targeted software and an "Activator" app purportedly designed to patch the software for full functionality.

Upon launching the "Activator" app, the following actions are performed:

  • Administrator Privileges Request: Prompts the user for an administrator password, which is then used to execute commands with elevated privileges.
  • Disabling Gatekeeper: Runs spctl --master-disable to turn off macOS's Gatekeeper, allowing applications from unidentified developers to run without an assessment.
  • Python Installation: Checks whether Python is present; if it is absent, installs Python from a legitimate, signed installer bundled in the malware's resources, so the installation itself raises no code-signing warnings.
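The three artifacts above (Gatekeeper turned off, a Python installation the user never made, and an "Activator" app sitting next to another app on a mounted disk image) can be checked for in one pass. The following triage script is an added example, not Kandji's code or the malware's; it assumes the python.org installer records its components under receipt identifiers of the form org.python.Python.PythonFramework-<version>, and the sample inputs it tests against are constructed, not captured from an infected host.

```sh
#!/bin/sh
# Added triage script (not Kandji's code, not from the malware): checks a Mac
# for the artifacts Backdoor Activator leaves behind. Each check is a function
# that takes command output as text, so the logic can be exercised on any host
# with the constructed samples below; the live checks run only on macOS.

# Classify `spctl --status` output, which reads "assessments enabled" or
# "assessments disabled" depending on whether Gatekeeper is on.
classify_spctl_status() {
    case "$1" in
        *"assessments disabled"*) printf 'disabled\n' ;;
        *"assessments enabled"*)  printf 'enabled\n' ;;
        *)                        printf 'unknown\n' ;;
    esac
}

# Count python.org framework receipts in `pkgutil --pkgs` output (one package
# id per line). Assumption: the python.org installer writes receipts named
# org.python.Python.PythonFramework-<version>; Apple's own packages do not.
count_python_receipts() {
    printf '%s\n' "$1" | grep -c '^org\.python\.Python\.PythonFramework-' || true
}

# Given .app bundle paths under /Volumes (one per line, depth 2), print the
# volumes that hold an app named *Activator* next to at least one other app,
# which is the layout of the torrent disk images described above.
suspicious_volumes() {
    printf '%s\n' "$1" | awk -F/ '
        tolower($NF) ~ /activator.*\.app$/ { act[$3] = 1 }
        { total[$3]++ }
        END { for (v in act) if (total[v] > 1) print v }' | sort
}

# Constructed sample: what `find /Volumes -maxdepth 2 -name "*.app"` might
# return with a cracked-app DMG and an unrelated DMG mounted.
SAMPLE_APPS='/Volumes/SomeEditor/SomeEditor.app
/Volumes/SomeEditor/Activator.app
/Volumes/CleanTool/CleanTool.app'

# Live audit of the current host; only meaningful on macOS.
audit_host() {
    status=$(classify_spctl_status "$(spctl --status 2>&1)")
    echo "Gatekeeper: $status"
    if [ "$status" = disabled ]; then
        echo "  -> re-enable with: sudo spctl --master-enable"
    fi
    n=$(count_python_receipts "$(pkgutil --pkgs 2>/dev/null)")
    echo "python.org framework receipts: $n (suspicious if nobody installed Python here)"
    vols=$(suspicious_volumes "$(find /Volumes -maxdepth 2 -name '*.app' 2>/dev/null)")
    if [ -n "$vols" ]; then
        echo "Mounted volumes with an Activator app beside another app: $vols"
    fi
    return 0
}

# Demonstrate the volume check on the constructed sample (prints SomeEditor).
echo "Sample volumes flagged: $(suspicious_volumes "$SAMPLE_APPS")"

if [ "$(uname -s)" = Darwin ] && command -v spctl >/dev/null 2>&1; then
    audit_host
fi
```

A flagged volume is a lead, not a verdict: confirm by looking at the bundle and at whether the user actually ran it. Gatekeeper showing "disabled" should be treated as a finding in its own right, since the page's Next Steps note that EDR removal of the Activator does not undo this change.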

Once the backdoor is in place, it lets attackers remotely control the system, exfiltrate data, install additional payloads, or use the compromised machine as part of a larger botnet, all without the user's knowledge.

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

While the malicious file is removed, the changes it made can remain behind and need to be cleaned up manually, such as Gatekeeper being left disabled and the Python installation the "Activator" added.

In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.

Related

Atomic Stealer (AMOS) is a sophisticated piece of malware that targets Apple users by masquerading as legitimate applications. Once installed, AMOS can exfiltrate extensive data, including keychain passwords, user documents, system information, browser data, credit card information, and cryptocurrency wallets. There is a strong association between Atomic Stealer and Russian-speaking cybercriminal communities.

Banshee is a sophisticated macOS infostealer that poses a significant threat to Apple users. It is designed to exfiltrate a wide range of sensitive information, including system data, login credentials, and cryptocurrency wallets.

Cuckoo is an info stealer that typically masquerades as macOS applications such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords as well as record audio and video from an infected system.
