trojan

NukeSped

NukeSped is a macOS-targeting backdoor attributed to the DPRK that enables persistent remote access and command execution on compromised systems.

Symptoms

You might observe the following artifacts associated with this threat:

  • Persistence Artifacts: Newly created LaunchAgents or LaunchDaemons (typically .plist files) in the ~/Library/LaunchAgents/ or /Library/LaunchAgents/ directories.
  • Suspicious Background Processes: Unfamiliar processes such as node, python, or osascript running persistently without an associated open application.
  • Anomalous Network Activity: Unauthorized outbound traffic to unknown remote servers, often indicating Command and Control (C2) beaconing.
  • Security Bypass Logs: System logs showing that macOS Gatekeeper was bypassed or that binaries were executed from the /tmp/ directory using sudo.

Technical Breakdown

NukeSped is a sophisticated backdoor developed in C++ and Python that provides the Lazarus Group with persistent remote access to infected devices. Historically distributed via trojanized cryptocurrency applications, the threat has evolved into a modular framework capable of data exfiltration and additional payload deployment. Recently, NukeSped was associated with the Axios npm package breach, in which a hijacked maintainer account was used to publish malicious versions axios@1.14.1 and axios@0.30.4.

The infection chain typically begins with social engineering, such as fake job offers on professional networking sites or compromised developer packages on repositories like npm. In the Axios attack, the threat actor pre-staged a malicious dependency, plain-crypto-js@4.2.1, 18 hours before publishing the poisoned Axios releases. This package masqueraded as the legitimate crypto-js library, using an identical description and pointing to the real brix/crypto-js GitHub repository, while containing a postinstall hook that executed a RAT dropper script, setup.js, the moment a developer ran npm install.

Once executed, the macOS payload was delivered via an AppleScript written to /tmp/6202033, which contacted the attacker's C2 server at sfrclak.com:8000 and downloaded a binary saved to /Library/Caches/com.apple.act.mond, a path designed to mimic a legitimate Apple system cache file by following Apple's reverse-DNS daemon naming convention. The malware then established persistence by installing a launch agent with the RunAtLoad key set.
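The persistence artifacts listed under Symptoms and the launch agent described in this paragraph can be checked for with a small audit of launchd property lists. The script below is an added example and is not Iru's code or tooling; it flags RunAtLoad items whose program lives in a staging or cache path named on this page, carries a dot-prefixed name, or borrows a com.apple.* label while pointing outside Apple's own system directories (the last rule is a heuristic and an assumption of this example). The three sample plists are constructed for the demonstration, and the default scan directories assume a standard macOS layout.

```python
"""Audit macOS launchd property lists for NukeSped-style persistence (added example)."""
import os
import plistlib
from pathlib import Path

# Payload/staging locations named on the page. WifiPreference lives under the
# user's home directory, so it is matched as a substring rather than a prefix.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/Library/Caches/")
SUSPICIOUS_SUBSTRINGS = ("/Library/WifiPreference/",)

# Default launchd locations to scan on a live Mac (assumption: standard layout).
DEFAULT_DIRS = (
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
)


def audit_plist(data: bytes, source: str = "<memory>") -> list:
    """Return (rule, detail) findings for one launchd plist supplied as bytes."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # not a parseable plist at all
        return [("unparseable", f"{source}: {exc}")]

    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))

    # The persistence described on the page sets RunAtLoad; items without it
    # are not auto-started and are left alone by this check.
    if not plist.get("RunAtLoad", False):
        return []

    findings = []
    if program.startswith(SUSPICIOUS_PREFIXES) or any(s in program for s in SUSPICIOUS_SUBSTRINGS):
        findings.append(("program-in-suspicious-dir", program))
    if Path(program).name.startswith("."):
        findings.append(("dot-prefixed-program", program))
    # Heuristic (assumption): Apple's own launch items run binaries under
    # /System or /usr; a com.apple.* label pointing elsewhere is masquerading.
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        findings.append(("apple-label-outside-system", label))
    return findings


def audit_directories(dirs=DEFAULT_DIRS) -> dict:
    """Scan launchd directories on disk; map plist path -> non-empty findings."""
    report = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for p in Path(d).glob("*.plist"):
            try:
                hits = audit_plist(p.read_bytes(), str(p))
            except OSError as exc:  # unreadable file
                hits = [("unreadable", f"{p}: {exc}")]
            if hits:
                report[str(p)] = hits
    return report


# Constructed sample plists: one modelled on the Axios-campaign agent from the
# page, one on the dot-prefixed style, and one benign third-party updater.
CONSTRUCTED_SAMPLES = {
    "com.apple.act.mond.plist": {
        "Label": "com.apple.act.mond",
        "ProgramArguments": ["/Library/Caches/com.apple.act.mond"],
        "RunAtLoad": True,
    },
    "com.flashupdate.plist": {
        "Label": "com.flashupdate.check",
        "ProgramArguments": ["/Users/dev/Library/WifiPreference/.FlashUpdateCheck"],
        "RunAtLoad": True,
    },
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    },
}


def audit_samples() -> dict:
    """Run the audit over the constructed samples (serialised with plistlib)."""
    return {name: audit_plist(plistlib.dumps(p), name)
            for name, p in CONSTRUCTED_SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in audit_samples().items():
        print(name, hits or "clean")
    for path, hits in audit_directories().items():
        print(path, hits)
```

Run it as-is to see the three constructed samples classified, then on a real Mac the `audit_directories()` pass reports any live launch items that trip the same rules; a hit is a lead for inspection, not a verdict, since third-party software sometimes runs helpers from cache paths legitimately.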

Some of NukeSped's primary capabilities include:

  • Remote Shell Execution: Executing arbitrary shell commands through native macOS utilities. In the Axios attack, the macOS payload was launched via /bin/zsh after being downloaded and granted execute permissions with chmod 770.
  • Information Harvesting: Extracting browser cookies, saved passwords, and cryptocurrency wallet keys.
  • Stealth Techniques: Using "dot-prefix" naming (e.g., .FlashUpdateCheck) to hide files from the macOS Finder and storing payloads in hidden paths like ~/Library/WifiPreference/. The Axios attack employed a comparable approach, naming the dropped binary com.apple.act.mond to blend with legitimate Apple processes. Additionally, setup.js performed active evidence destruction post-execution: deleting itself, removing the malicious package.json, and replacing it with a clean stub reporting an older version number (4.2.0 rather than 4.2.1), causing standard forensic tools like npm list to show no sign of compromise.
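The postinstall hook in plain-crypto-js and the package.json stub that later hid the compromised version can both be caught by comparing what the lockfile pinned against what is actually installed. The script below is an added example, not Iru's code or an npm feature: it reports any installed package whose manifest version differs from the version recorded in package-lock.json (the downgraded stub trick) and any package that declares an install-time lifecycle script. It assumes a lockfileVersion 2 or 3 `packages` map; the lockfile, manifests and the `node setup.js` hook command are constructed for the demonstration from the page's description.

```python
"""Check installed npm packages against package-lock.json (added example)."""
import json
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested and scoped paths)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def locked_versions(lockfile: dict) -> dict:
    """Map package name -> version from the lockfile's 'packages' entries."""
    versions = {}
    for path, meta in (lockfile.get("packages") or {}).items():
        if not path:  # "" is the root project entry
            continue
        versions[package_name(path)] = meta.get("version")
    return versions


def audit_package(name: str, locked: str, manifest: dict) -> list:
    """Return (rule, detail) findings for one installed package manifest."""
    findings = []
    installed = manifest.get("version")
    if installed != locked:
        findings.append(("version-mismatch", f"{name}: lock={locked} installed={installed}"))
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(("install-hook", f"{name}: {hook} -> {scripts[hook]}"))
    return findings


def audit_project(project_dir) -> dict:
    """Audit a project on disk; map package name -> non-empty findings."""
    root = Path(project_dir)
    lock = json.loads((root / "package-lock.json").read_text())
    report = {}
    for path, meta in (lock.get("packages") or {}).items():
        if not path:
            continue
        name = package_name(path)
        manifest_path = root / path / "package.json"
        if not manifest_path.is_file():
            report[name] = [("missing-manifest", str(manifest_path))]
            continue
        hits = audit_package(name, meta.get("version"), json.loads(manifest_path.read_text()))
        if hits:
            report[name] = hits
    return report


# Constructed lockfile and manifests modelled on the page's account: the lock
# pinned plain-crypto-js@4.2.1, but the on-disk manifest left behind after the
# dropper's cleanup claims 4.2.0; a benign package is included for contrast.
CONSTRUCTED_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/example-lib": {"version": "2.0.0"},
    },
}
CONSTRUCTED_MANIFESTS = {  # what is on disk after cleanup
    "plain-crypto-js": {"name": "plain-crypto-js", "version": "4.2.0"},
    "example-lib": {"name": "example-lib", "version": "2.0.0"},
}
# The manifest as it looked before setup.js replaced it (hook command constructed).
PRE_CLEANUP_MANIFEST = {"name": "plain-crypto-js", "version": "4.2.1",
                        "scripts": {"postinstall": "node setup.js"}}


def build_sample_project(target_dir=None) -> str:
    """Write the constructed lockfile and manifests to a directory for audit_project."""
    root = Path(target_dir or tempfile.mkdtemp(prefix="npm-audit-demo-"))
    (root / "package-lock.json").write_text(json.dumps(CONSTRUCTED_LOCK))
    for path in CONSTRUCTED_LOCK["packages"]:
        if not path:
            continue
        pkg_dir = root / path
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(CONSTRUCTED_MANIFESTS[package_name(path)]))
    return str(root)


def audit_samples() -> dict:
    """Audit the constructed manifests in memory, including the pre-cleanup copy."""
    locked = locked_versions(CONSTRUCTED_LOCK)
    out = {name: audit_package(name, locked[name], m) for name, m in CONSTRUCTED_MANIFESTS.items()}
    out["plain-crypto-js (pre-cleanup)"] = audit_package(
        "plain-crypto-js", locked["plain-crypto-js"], PRE_CLEANUP_MANIFEST)
    return out


if __name__ == "__main__":
    for key, hits in audit_samples().items():
        print(key, hits or "clean")
    print(audit_project(build_sample_project()))
```

Because the stub rewrote only node_modules/plain-crypto-js/package.json, `npm list` reads the lie back; the lockfile, which npm wrote at install time, still records 4.2.1, so the mismatch is visible to this check even after the dropper has removed itself.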

The Axios attack also demonstrated cross-platform targeting, with separate second-stage payloads pre-built for macOS, Windows, and Linux, each contacting the same C2 endpoint with distinct POST body identifiers (packages.npm.org/product0, product1, and product2, respectively) designed to appear as benign npm registry traffic in network logs.

Next Steps

Iru Endpoint Detection & Response (EDR) provides behavioral detections for files masquerading as legitimate Apple binaries, as well as for suspicious C2 events. Users should rotate credentials for browser-based accounts and move cryptocurrency assets to cold storage.

Going forward, obtain all software from official sources and remain cautious of unsolicited technical assessments or software sent through social engineering channels. Standard GUI file management may not reveal NukeSped's hidden components, so using professional security monitoring tools to audit system activity is recommended.
