Detecting TodoSwift

In August 2024, Kandji published research on a newly discovered macOS malware family dubbed TodoSwift. Notable for being written in Apple’s Swift language, a rarity in malware, TodoSwift blends in by mimicking legitimate macOS software behaviors while maintaining persistence and backdoor capabilities.

What is TodoSwift?

TodoSwift is a macOS backdoor that masquerades as a legitimate PDF downloader, but it secretly downloads and executes a second-stage malicious payload in the background. Researchers believe it is likely linked to the BlueNoroff threat group, a North Korean (DPRK) hacking group.

Why It Matters

macOS malware is still relatively rare compared to its Windows counterparts, and Swift-based threats are even less common. TodoSwift demonstrates how attackers are evolving their tooling to better align with native macOS development practices.

Our contribution: A YARA Rule for TodoSwift

Building on Kandji’s original research, we developed a YARA rule to detect known TodoSwift samples based on their unique strings, file structure, and behavior. While there are currently no reports of new variants in the wild, this rule can be used for retrohunting, adding visibility across macOS file corpora, and detecting any emerging samples.

With Stairwell, you have access to over 100,000 YARA rules. It goes beyond just writing rules. You can automatically apply this rule across your entire file corpus and uncover hidden macOS threats in seconds.

rule macOS_ToDoSwift
{
    meta:
        author="Claudia Preciado ([email protected])"
        date="2025-05-29"
        description="Detects ToDoSwift macOS malware"
        hash="e132f74231954cb91d7c83c8cbb92626baa55d5db99ace2f7853943a8bd2dcfe"
    strings:
        $s1 = "http://buy2x.com/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D"
        $s2 = "https://drive.usercontent.google.com/download?id=1xflBpAVQrwIS3UQqynb8iEj6gaCIXczo"
        $s3 = "/curl"
        $s4 = "mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko ms-office;) compatible; chrome/125.0.0.0 safari/537.36"
        $s5 = "MasaMatsu.TodoTasks" nocase
        $s6 = "/tmp/GoogleMsgStatus.pdf"
        $s7 = "Bitcoin Price Prediction Using Machine Learning"
    condition:
        (uint32(0) == 0xfeedface or
         uint32(0) == 0xfeedfacf or
         uint32(0) == 0xcefaedfe or
         uint32(0) == 0xcffaedfe or
         uint32(0) == 0xbebafeca or
         uint32(0) == 0xcafebabe) and
        (3 of them)
}
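To make explicit what the condition above actually gates on, here is an added Python example (not Stairwell's tooling and not part of the original rule) that mirrors the rule's logic in plain code: the Mach-O/fat magic check on the first four bytes, read little-endian as YARA's uint32(0) does, followed by the "3 of them" string count. The indicator strings are the ones from the rule; the sample byte buffers are constructed for illustration and are not real TodoSwift samples. The point is to show why both byte orders of each magic appear in the rule and how the header check prevents the string indicators alone from firing on, say, a text file containing the same URLs.

```python
import struct
import sys
from pathlib import Path

# Magic values listed in the rule's condition. YARA reads uint32(0) as
# little-endian, so each Mach-O magic appears in both byte orders
# (e.g. 0xfeedface for a big-endian header, 0xcefaedfe for little-endian).
MACHO_MAGICS = {0xfeedface, 0xfeedfacf, 0xcefaedfe, 0xcffaedfe, 0xbebafeca, 0xcafebabe}

# The rule's string indicators: (pattern, nocase), copied from the rule on this page.
INDICATORS = {
    "s1": (b"http://buy2x.com/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D", False),
    "s2": (b"https://drive.usercontent.google.com/download?id=1xflBpAVQrwIS3UQqynb8iEj6gaCIXczo", False),
    "s3": (b"/curl", False),
    "s4": (b"mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 "
           b"(khtml, like gecko ms-office;) compatible; chrome/125.0.0.0 safari/537.36", False),
    "s5": (b"MasaMatsu.TodoTasks", True),   # 'nocase' in the rule
    "s6": (b"/tmp/GoogleMsgStatus.pdf", False),
    "s7": (b"Bitcoin Price Prediction Using Machine Learning", False),
}
MIN_HITS = 3  # the rule's "3 of them"


def is_macho(data: bytes) -> bool:
    """True if uint32(0), read little-endian, is one of the Mach-O/fat magics."""
    if len(data) < 4:
        return False
    (magic,) = struct.unpack("<I", data[:4])
    return magic in MACHO_MAGICS


def matched_strings(data: bytes) -> list:
    """Names of the indicators present in data, honouring 'nocase' where the rule sets it."""
    hits = []
    for name, (pattern, nocase) in INDICATORS.items():
        # bytes.lower() only folds ASCII, which is the same case-folding YARA applies.
        haystack = data.lower() if nocase else data
        needle = pattern.lower() if nocase else pattern
        if needle in haystack:
            hits.append(name)
    return hits


def evaluate(data: bytes) -> tuple:
    """Mirror of the rule's condition: Mach-O header AND at least MIN_HITS indicators."""
    hits = matched_strings(data)
    return is_macho(data) and len(hits) >= MIN_HITS, hits


def scan_dir(root: str) -> list:
    """Evaluate every regular file under root; returns (path, hits) for each match."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            matched, hits = evaluate(path.read_bytes())
            if matched:
                results.append((str(path), hits))
    return results


# Constructed sample buffers (not real binaries): a 64-bit little-endian Mach-O header
# (bytes cf fa ed fe == 0xfeedfacf as little-endian uint32) followed by three indicators,
# one of them in a different case to exercise the 'nocase' handling.
SAMPLE_MATCH = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                + b"/curl\x00masamatsu.todotasks\x00/tmp/GoogleMsgStatus.pdf\x00")
# Same header but only one indicator: below the "3 of them" threshold.
SAMPLE_TOO_FEW = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"/curl\x00"
# Three indicators but a PE-style header: the Mach-O gate keeps the rule from firing.
SAMPLE_NOT_MACHO = (b"MZ\x90\x00" + b"\x00" * 28
                    + b"/curl\x00MasaMatsu.TodoTasks\x00/tmp/GoogleMsgStatus.pdf\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_dir(sys.argv[1]):
            print(f"{path}: {hits}")
    else:
        for label, buf in [("match", SAMPLE_MATCH), ("too_few", SAMPLE_TOO_FEW),
                           ("not_macho", SAMPLE_NOT_MACHO)]:
            print(label, evaluate(buf))
```

Run it with a directory argument to sweep a local corpus, or with no arguments to see the three constructed cases. This is a faithful mirror of this one rule's condition, not a YARA engine: it does not handle the full YARA string modifiers, and on a real corpus you would run the rule itself through yara or your platform of choice, but the script makes the two-part structure of the rule (file-type gate, then indicator threshold) easy to reason about and to tune.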