Mac OS X Trojan hides behind malicious PDF disguise

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Mac OS X malwareA fascinating new example of Mac malware has been discovered, that appears to be adopting an old Windows-style disguise to fool users into running it.

Despite the numerous times that cybercriminals have created boobytrapped PDF files that exploit vulnerabilities to infect unsuspecting users, many people still think that PDF files are somehow magically safer to open than conventional programs.

The OSX/Revir-B Trojan plays on this by posing as a PDF file.

When the malicious Macintosh application file is run it tries to drop a PDF embedded inside it onto the user’s hard drive. The Chinese language PDF file displayed is about a controversial topic, “Do the Diaoyu Islands belong to Japan?”

Sign up to our free newsletter.
Security news, advice, and tips.

The Diaoyu Islands (known as the Senkaku islands in Japan) are the subject of a long-running dispute between the two countries, with both claiming sovereignty.

Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program.

Malicious PDF

When we tested the malware inside our labs, we couldn’t manage to get it to execute as the author probably intended – however, strings embedded deep inside its code make it clear that it was written with malicious intent.

Malware code

The malware attempts to install a backdoor Trojan horse (detected by Sophos as OSX/Imuler-A) which would give malicious hackers remote access to your Apple Mac computer.

As our friends at F-Secure point out, we have seen plenty of Windows malware in the past which has pretended to be a PDF rather than an EXE – sometimes using techniques such as the double-extension trick (for instance, filename.PDF.EXE).

It’s quite possible that this is evidence that Mac malware authors are attempting something similar, moving on from the fake anti-virus alerts that blighted many Mac users earlier this year.

Customers of Sophos, including users of Sophos’s free anti-virus for Mac, are protected against the malware.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.