AppleJeus is a cross-platform malware developed by the Lazarus APT group. AppleJeus was a targeted attack distributed by phishing email claiming to be a cryptocurrency trading application.

The trading application has a hidden updater module that is installed and runs automatically after system reboot. This component will contact its C&C and it may upload/download additional files. The malware will first collect basic information from the system such as : host name, OS version, OS kernel version.The malware will send the collected information to its C&C encrypted within a .gif file. To persist system reboot, it creates the LaunchAgent “/Library/LaunchDaemons/com.celastradepro.plist” that will start “updater” file: