FacebookTwitterLinkedIn

How to remove AppleJeus malware

Also Known As: AppleJeus backdoor
Type: Mac Virus
Damage level: Severe

What kind of malware is AppleJeus?

AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

There is now a new trojanized cryptocurrency trading app called JMT Trader that operates in a similar manner - it installs the AppleJeus backdoor trojan on the victim's computer. JMT Trader can be installed on Windows and MacOS computers.

AppleJeus malware

More about AppleJeus

To promote the JMT Traded application, cyber criminals have created a supposedly 'official' website and Twitter account. People who attempt to download JMT Trader are redirected to GitHub on which the Mac and Windows executables for JMT Trader are stored.

This software is disguised as a legitimate application, which supposedly allows users to trade cryptocurrency on various different platforms. When installed, JMT Trader infects the computer with a backdoor Trojan called AppleJeus, but under the name of CrashReporter.

To launch CrashReporter on each login, JMT Trader creates a scheduled task called JMTCrashReporter. When launched, CrashReporter communicates with a Command & Control server to receive and execute commands.

It can terminate itself, download and execute files from the Command & Control server, and execute shell commands that give cyber criminals control over the infected system. The CrashReporter process runs under an identical name on Windows and MacOS operating systems.

This process is separate from the JMT Trader, and thus runs in the background even if this software is not launched. Additionally, CrashReporter is a daemon, a background process that runs without any visible interface.

Bear in mind that eliminating the JMT Trader application will not remove AppleJeus (CrashReporter) malware, and therefore you should scan the system with a reputable anti-virus/anti-spyware suite (e.g., Combo Cleaner Antivirus for macOS) to eliminate all remnants.

To disguise Celas Trade Pro as a legitimate trading app, cyber criminals created a website and fabricated an entire company. JMT Trader also has a download website and Twitter account, which may seem legitimate. Furthermore, JMT Trader is a clone of legitimate software called QT Bitcoin Trader.

The names (JMT Trader and Celas Trade Pro) appear to be the names of legitimate programs (and companies), and thus people are often tricked into downloading and installing them.

The AppleJeus backdoor Trojan that is installed through these apps could be used to install additional malware (such as ransomware), steal confidential information (passwords, logins of various accounts), take screenshots, and so on.

To avoid data/financial loss, identity theft, problems with privacy, and so on, we recommend that you remove JMT Trader and all files relating to CrashReporter immediately. We have provided locations of the malicious files below.

Threat Summary:
Name AppleJeus backdoor
Threat Type Backdoor, Trojan, Mac malware, Mac virus.
Detection Names (JMT Trader installer) ALYac (Trojan.OSX.Agent.39168L), GData (Generic.Trojan.Agent.UXGSUS), Ikarus (Trojan.Win32.Casdet), Kaspersky (Backdoor.OSX.Agent.s), Full List (VirusTotal)
Detection Names (CrashReporter on Mac) BitDefender (Trojan.MAC.Agent.DU), DrWeb (Mac.Trojan.Siggen.1), ESET-NOD32 (OSX/NukeSped.B), Kaspersky (HEUR:Backdoor.OSX.Agent.s), Full List (VirusTotal)
Symptoms Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Supposedly official Twitter account and website, fake flash player installers, torrent file downloads, software cracking tools.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet, installation of additional malware.
Additional Information This malware targets both Windows and MacOS users. JMT Trader extracts a secondary malicious program (CrashReporter.exe) that operates as a backdoor.
Malware Removal (Mac)

To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner for Mac
To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Examples of similar malware

The Internet is full of Trojans. Some examples are Casbaneiro, Bolik, and Kryptik. Typically, these programs are designed to spread other malware. People with computers infected with programs of this type experience data/financial loss, identity theft, or other problems. Tips about how to avoid being tricked into installing malware are provided below.

How did unwanted applications install on my computer?

Cyber criminals proliferate AppleJeus malware through fake cryptocurrency trading software (JMT Trader), which can be downloaded from a supposedly 'official' website or Twitter. These pages lead to Github, on which Windows and MacOS executables are stored.

When downloaded and opened, these executables install JMT Trader and a secondary malicious program (backdoor) called CrashReporter, however, this is not the only way malware is spread. Cyber criminals often use spam campaigns (emails), other untrustworthy software download channels, unofficial software activation tools, and fake updaters.

Cyber criminals proliferate rogue software through spam campaigns by sending emails that contain malicious attachments. The main goal is to trick recipients into opening the attached file. If opened, this infects the system with malware.

Typically, cyber criminals attach Microsoft Office documents, executable files (.exe, and others), archive fies (RAR, ZIP, and so on), and JavaScript files. Another way to proliferate malware is to use untrustworthy download sources.

For example, Peer-to-Peer networks (torrent clients, eMule), freeware download and free file hosting websites, third party downloaders, supposedly official pages (such as the one used to distribute JMT Trader), and so on.

People who download files or programs through tools/channels of this type risk downloading malicious files (typically, they are disguised as harmless, legitimate). When opened, these files install malware. To proliferate malware, cyber criminals often use software 'cracking' tools, which install malicious programs rather than activating paid/licensed software.

Fake software updaters usually infect systems by exploiting bugs/flaws of outdated software, or by installing malicious software rather than updates.

How to avoid installation of unwanted applications

Avoid opening attachments or links that are presented in emails sent from unknown, suspicious email addresses. If a received email seems irrelevant, do not open the included attachment or click the presented link. Download software using direct links and from trustworthy, official websites only.

Avoid using third party downloaders, installers, unofficial web pages, or other untrustworthy sources. These are often used to proliferate malicious software (or other unwanted programs). Installed software should be updated and activated using tools or implemented functions that are provided by official software developers, and not third party tools.

Note that it is illegal to bypass software activation using 'cracking' tools. Finally, use a reputable anti-virus or anti-spyware suite and scan the operating system with it regularly. If your computer is already infected with rogue apps, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Screenshots of JMT Trader application:

JMT Trader create new password JMT Trader list of exchange platforms JMT Trader control panel

List of CrashReporter files:

  • /Applications/JMTTrader.app/Contents/CrashReporter (MacOS)
  • /Library/JMTTrader/CrashReporter (MacOS)
  • %AppData%\JMTTrader\CrashReporter (Windows OS)

Screenshot of JMT Trader installer asking for permission to install additional software:

JTM Trader installer asking for permissions to install additional software

CrashReporter process running in Activity Monitor:

CrashReporter.exe process in Activity Monitor

Update 7 December 2022 - Cybercriminals have been observed using fake cryptocurrency applications to trick users into infecting computers with the AppleJeus malware. They are using bloxholder[.]com site (a non-existing company's website) that hosts a fake app called BloxHolder. This app is AppleJeus malware bundled with the QTBitcoinTrader application.

Screenshot of the page distributing AppleJeus malware masquerading as BloxHolder application:

applejeus malware fake bloxholder website

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

Video showing how to remove adware and browser hijackers from a Mac computer:

Unwanted applications removal:

Remove unwanted applications from your "Applications" folder:

mac browser hijacker removal from applications folder

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Mac Go To Folder step

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

Mac removing related files and folders - step 1Check for adware generated files in the /Library/LaunchAgents/ folder:

Mac go to /Library/LaunchAgents - step 1

In the Go to Folder... bar, type: /Library/LaunchAgents/

Mac go to /Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 2Check for adware generated files in the ~/Library/Application Support/ folder:

Mac go to /Library/Application Support - step 1

In the Go to Folder... bar, type: ~/Library/Application Support/

Mac go to /Library/Application Support - step 2

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Mac removing related files and folders - step 3Check for adware generated files in the ~/Library/LaunchAgents/ folder:

Mac go to ~/Library/LaunchAgents - step 1

In the Go to Folder... bar, type: ~/Library/LaunchAgents/

Mac go to ~/Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 4Check for adware generated files in the /Library/LaunchDaemons/ folder:

Mac go to /Library/LaunchDaemons - step 1

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

Mac go to /Library/LaunchDaemons - step 2

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.

Mac removing malware related files and folders - step 5Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Mac remove malware with Combo Cleaner - step 1

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.

Mac remove malware with Combo Cleaner - step 2

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Safari iconRemove malicious Safari extensions:

Removal of malicious extensions in Safari - step 1

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".

Removal of malicious extensions in Safari - step 2

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Google Chrome logoRemove malicious extensions from Google Chrome:

Removal of malicious extensions in Google Chrome - step 1

Click the Chrome menu icon Google Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

Removal of malicious extensions in Google Chrome - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Mozilla Firefox logoRemove malicious extensions from Mozilla Firefox:

Removal of malicious extensions in Mozilla Firefox - step 1

Click the Firefox menu firefox menu icon (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

Removal of malicious extensions in Mozilla Firefox - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

My computer is infected with malware, should I format my storage device to get rid of it?

Most malware can be removed without formatting. It can be removed using antivirus software.

What are the biggest issues that malware can cause?

Cybercriminals can use malware to steal identities, money, and online accounts, make fraudulent purchases, inject other malware, and perform other malicious activities.

What is the purpose of AppleJeus malware?

AppleJeus can execute files downloaded from a C2 server and execute shell commands. It can be used to infect computers with other malware, steal sensitive information, and more.

How did AppleJeus infiltrate my computer?

Threat actors distribute AppleJeus via fake cryptocurrency trading software (JMT Trader). This software is promoted on supposedly 'official' websites and Twitter. When an executable file is downloaded and opened, it installs JMT Trader and a backdoor called CrashReporter.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove almost all known malware. In order to remove high-end malware, it is required to run a full system scan since malware of this kind usually hides deep in the system.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
AppleJeus backdoor QR code
Scan this QR code to have an easy access removal guide of AppleJeus backdoor on your mobile device.
We Recommend:

Get rid of Mac malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Mac

Platform: macOS

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.