
AppleChris

According to Unit 42, AppleChris is a custom Windows backdoor implemented as multiple Portable Executable (PE) binaries (EXEs and DLLs) that support flexible deployment, including DLL hijacking via the Volume Shadow Copy Service. It provides comprehensive remote access capabilities such as drive and directory enumeration, file upload/download/deletion, process listing and creation, and interactive shell execution, all controlled over HTTP using custom verbs and RSA/AES-encrypted C2 traffic. AppleChris uses a dead drop resolver design where C2 IPs are dynamically retrieved and decrypted, initially via a dual Dropbox + Pastebin mechanism (Dropbox variant) and later via a streamlined Pastebin-only approach (Tunneler variant). The newer Tunneler variant additionally introduces a proxy tunneling command that creates reverse TCP tunnels for network pivoting, while employing delayed execution and mutex-based single-instance checks to evade detection.
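Two of the behaviours summarised above leave a correlatable trace in web proxy logs: the dead drop fetch from Pastebin or Dropbox that resolves the C2 address, and the HTTP C2 session that follows, which goes to a bare IP (the address was just retrieved, so no DNS name is involved) and uses non-standard request methods. The hunt below is an added example written for this page, not code from Unit 42 or Malpedia. The log format, the list of dead drop hosts, the ten-minute window and the methods `HELLO`/`FETCH` in the sample lines are all constructed assumptions; the page does not name AppleChris's actual custom verbs, so the check flags any method outside the standard HTTP set rather than looking for specific strings.

```python
"""
Added example (not Unit 42 or Malpedia code): hunt a proxy log for a dead drop
resolver fetch followed shortly by HTTP C2 traffic to an IP-literal host and/or
using a non-standard request method, the pattern the AppleChris summary describes.
Log format, hosts, window and sample lines are constructed for this example.
"""
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Methods registered for HTTP; anything else is treated as a "custom verb".
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}
# Assumed dead drop resolver hosts (Pastebin / Dropbox, per the summary above).
DEAD_DROP_HOSTS = {"pastebin.com", "dl.dropboxusercontent.com", "www.dropbox.com"}
# Assumed correlation window between the resolver fetch and first C2 contact.
WINDOW = timedelta(minutes=10)

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <status>", sorted by time.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 GET https://pastebin.com/raw/abcdef12 200
2024-05-01T09:00:07Z 10.0.0.5 GET https://www.example.org/index.html 200
2024-05-01T09:00:09Z 10.0.0.5 HELLO http://203.0.113.10/ 200
2024-05-01T09:00:15Z 10.0.0.5 FETCH http://203.0.113.10/ 200
2024-05-01T09:30:00Z 10.0.0.8 PATCH https://api.example.com/v1/item 200
2024-05-01T09:50:00Z 10.0.0.8 GET https://pastebin.com/raw/zzzzzz 200
2024-05-01T09:55:00Z 10.0.0.8 GET http://198.51.100.7/ 200
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, method, url, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method.upper(),
        "host": urlsplit(url).hostname,
        "url": url,
        "status": int(status),
    }


def is_ip_literal(host):
    """True when the host part of the URL is a raw IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt(log_text, window=WINDOW):
    """Return findings for requests that look like post-resolver C2 traffic.

    Assumes the log is ordered by timestamp. A dead drop fetch is remembered per
    source; a later request from the same source is scored:
      high   - non-standard method within the window after a dead drop fetch
      medium - non-standard method alone, or IP-literal host within the window
    """
    last_dead_drop = {}  # src -> timestamp of most recent dead drop fetch
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] in DEAD_DROP_HOSTS:
            last_dead_drop[rec["src"]] = rec["ts"]
            continue
        recent = (rec["src"] in last_dead_drop
                  and rec["ts"] - last_dead_drop[rec["src"]] <= window)
        odd_method = rec["method"] not in STANDARD_METHODS
        ip_host = is_ip_literal(rec["host"])
        if odd_method and recent:
            severity = "high"
        elif odd_method or (ip_host and recent):
            severity = "medium"
        else:
            continue
        findings.append({
            "src": rec["src"], "method": rec["method"], "host": rec["host"],
            "ts": rec["ts"].isoformat(), "severity": severity,
            "after_dead_drop": recent, "ip_literal_host": ip_host,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} -> {f['host']}"
              f" (after dead drop: {f['after_dead_drop']}, ip host: {f['ip_literal_host']})")
```

Against the constructed sample this yields two `high` findings for 10.0.0.5 (custom verbs to 203.0.113.10 seconds after the Pastebin fetch) and one `medium` for 10.0.0.8 (plain `GET` to an IP literal five minutes after its fetch); the legitimate `PATCH` to an API host is not flagged. In a real deployment the dead drop host list and window are the tuning knobs, and the delayed-execution behaviour noted above means the window may need to be wider than ten minutes.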


Family metadata imported from Malpedia (Fraunhofer FKIE).