A macOS-based cryptojacking miner designed to exploit system resources for cryptocurrency mining without the user's consent

spmedia/satoshi

MacOS Cryptojacking Miner

Caution

This project is strictly intended for educational and research purposes only. Running this software on any computer system you do not own or have explicit permission to test is illegal and unethical. This repository exists to aid the study of malware behavior, persistence mechanisms, and evasive techniques under controlled conditions such as malware sandboxes, penetration testing labs, or CTF environments. The author takes no responsibility for any misuse, and users must comply with all applicable laws.

This repository contains a sample malware project written in Rust that demonstrates how a cryptojacking miner could be implemented and deployed on macOS systems in a stealthy and persistent manner. The goal is to serve as a learning tool for cybersecurity students, malware analysts, red teamers, and reverse engineers who want to understand how malware might behave on Apple devices. While cryptojacking is one of the simpler forms of malware in terms of payload, the techniques used here — such as string obfuscation, system inspection, conditional execution, and persistence — are valuable topics of study across a range of more sophisticated threats.

The sample uses XMRig, an open-source Monero CPU miner, as the malicious payload. Depending on the host’s CPU architecture (Intel or Apple Silicon), the appropriate miner binary is selected and executed silently, with CPU load monitoring used to avoid suspicion. All major actions, including execution, string handling, and persistence installation, are implemented in native Rust using crates like sysinfo, litcrypt, and libc.

Functionality Overview

Upon execution, the malware first determines its location on disk and sets up LaunchAgent-based persistence by creating a .plist file in the user’s ~/Library/LaunchAgents/ directory. This file ensures that the malware will automatically relaunch whenever the system starts. To disguise its presence, the process name is changed using setprogname to a common application name like TotalAV, making it appear innocuous in Activity Monitor or ps output.

Once persistence is established, the malware enters a loop where it continuously monitors the system’s CPU usage using the sysinfo crate. If the average CPU usage remains below a defined threshold (in this case, 90%), the miner process is launched in the background. If CPU usage becomes too high — which may indicate active use by the victim — the miner is stopped to reduce the risk of detection. This behavior mimics real-world cryptojacking operations that seek to maximize profit while remaining hidden.

The malware determines the architecture of the host system (arm64 for Apple Silicon or x86_64 for Intel Macs) using a call to uname -a, and selects the appropriate binary from a pre-bundled folder structure (/arm64/xmrig or /x64/xmrig). Output from the miner is redirected to /dev/null to avoid logs or output being written that could reveal its presence. All key strings — including file paths, binary names, and commands — are encrypted at compile time using the litcrypt macro to complicate reverse engineering.
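The persistence and payload layout described above give a defender concrete things to look for on a Mac. The following Python script is an added example, not code from the spmedia/satoshi repository: it parses LaunchAgent property lists with the standard-library plistlib module and reports the indicators this README describes, namely a job that relaunches at login (RunAtLoad or KeepAlive), a program path ending in x64/xmrig or arm64/xmrig, a program that lives inside a bundle named TotalAV.app, and job output sent to /dev/null. The two plists it scans are constructed inline for the demonstration, and the indicator names, the watch-lists and the idea of simply counting matches are my own heuristics rather than anything the project defines.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Heuristics derived from the README's description; names and lists are mine, not the project's.
MINER_BASENAMES = {"xmrig"}
ARCH_SUBDIRS = ("/x64/", "/arm64/")
SUSPICIOUS_BUNDLE_NAMES = {"TotalAV.app"}


def program_of(job: dict) -> str:
    """Return the executable a launchd job would run (Program takes precedence over ProgramArguments[0])."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and list the cryptojacking indicators it matches."""
    job = plistlib.loads(plist_bytes)
    program = program_of(job)
    indicators = []

    # 1. Persistence: the job is started at login or kept alive by launchd.
    if job.get("RunAtLoad") is True:
        indicators.append("RunAtLoad")
    if job.get("KeepAlive") not in (None, False):
        indicators.append("KeepAlive")

    # 2. Payload: a known miner binary, or the per-architecture folder layout the README describes.
    if Path(program).name.lower() in MINER_BASENAMES:
        indicators.append("miner-binary")
    if any(sub in program for sub in ARCH_SUBDIRS):
        indicators.append("arch-specific-payload-dir")

    # 3. Disguise: the executable sits inside a bundle whose name is chosen to look benign.
    if any(part in SUSPICIOUS_BUNDLE_NAMES for part in Path(program).parts):
        indicators.append("lookalike-bundle")

    # 4. Anti-forensics: launchd is told to discard everything the job writes.
    for key in ("StandardOutPath", "StandardErrorPath"):
        if job.get(key) == "/dev/null":
            indicators.append(f"{key}->/dev/null")

    return {"label": job.get("Label", ""), "program": program, "indicators": indicators}


def scan_launch_agents(directory: Path) -> list:
    """Audit every .plist in a LaunchAgents directory; files that are not valid plists are skipped."""
    findings = []
    for path in sorted(directory.glob("*.plist")):
        try:
            result = audit_launch_agent(path.read_bytes())
        except (plistlib.InvalidFileException, ExpatError):
            continue
        result["path"] = str(path)
        findings.append(result)
    return findings


# --- constructed samples for the demonstration; not taken from the repository ---
MINER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.totalav.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/TotalAV.app/Contents/MacOS/arm64/xmrig</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python3 audit_agents.py ~/Library/LaunchAgents
        results = scan_launch_agents(Path(sys.argv[1]).expanduser())
    else:  # no argument: run over the two constructed samples
        results = [audit_launch_agent(s) for s in (MINER_PLIST, BENIGN_PLIST)]
    for r in results:
        hits = ", ".join(r["indicators"]) or "-"
        print(f"{r['label']:<24} {len(r['indicators'])} indicator(s): {hits}")
```

Run it without arguments to see the constructed miner plist light up every indicator while the benign backup job matches none; pass a directory (the README names ~/Library/LaunchAgents/, and /Library/LaunchAgents and /Library/LaunchDaemons are the usual system-wide counterparts) to audit real files. A single RunAtLoad or KeepAlive is normal for legitimate agents, so treat the count as a triage aid and follow up by checking the code signature and hash of whatever binary the job points at.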

How to Run the App

First, download and extract the provided ZIP file.

  • Move the extracted contents into your system's Applications folder, just like you would when installing any regular macOS application.

  • Modify the configuration files located at /Applications/TotalAV.app/Contents/MacOS/x64/config.json and /Applications/TotalAV.app/Contents/MacOS/arm64/config.json. Make sure to update the address or other necessary fields as per your setup.

  • Once configured, launch the app normally from the Applications folder.

  • Upon execution, the background components will initialize and run automatically as part of the application's standard workflow.
