Iran-Linked APT35 Creates Mac Malware for Targeted Cyberattacks

Advanced persistent threats (APTs) continue to refine their tooling, and APT35, a group linked to Iran, has recently added a purpose-built Mac malware called “NokNok” to its arsenal. The malware is aimed at members of civil society rather than at mass targets. In a recently reported intrusion, APT35 used it against a nuclear security expert as part of a broader campaign. This article lays out what is known about NokNok, the tactics APT35 employed in the campaign, and what these targeted attacks mean for defenders.

Discovery of Mac Malware

The NokNok malware was uncovered during an investigation into a conversation lure: APT35 emailed a nuclear security expert while posing as a senior fellow with the Royal United Services Institute (RUSI). The initial messages carried no payload. The attackers first exchanged benign emails to build trust and only then delivered a malicious link, a pattern that lets the lure pass through mail filters tuned for attachments and links in first contact.

Attack on Nuclear Security Expert

Once the target had engaged, the attackers sent a malicious link that redirected to a Dropbox URL hosting the payload. NokNok itself was delivered through a separate, Mac-specific infection chain tailored to the target's Apple system, as described below. The sophistication here lies less in the code than in the patient social engineering: a credible institutional persona, a relevant topic, and a payload held back until rapport was established. Singling out nuclear security experts shows that APT35 is after the information and access held by specific individuals, not opportunistic footholds.

Broader Campaign by APT35

The attack on the nuclear security expert appears to be one operation within a larger APT35 campaign that uses an updated toolset, a sign that the group maintains and adapts its capabilities rather than reusing a fixed kit. Understanding the motivation and objectives behind these operations, and the collection requirements they serve, is essential to countering them effectively.

Similarities to Israeli Journalist Campaign

The attack on the nuclear security expert closely resembles a recent APT35 spear-phishing campaign against an Israeli journalist. Both delivered a password-protected .RAR archive containing a malicious LNK file. The malware used against the journalist, known as PowerStar, is closely related to NokNok, which appears to reproduce PowerStar's functionality for macOS. These overlaps point to a consistent operational playbook across APT35 campaigns, with the lure, delivery chain, and implant adapted to each victim.

Support for Non-Windows Environments

Building NokNok for macOS shows APT35's willingness to follow a high-value target onto a non-Windows platform rather than abandon the operation. Pivoting to an Apple-specific infection chain expands the group's reach and raises the potential impact of its campaigns. For defenders, it means macOS endpoints used by at-risk individuals need the same telemetry and controls that Windows fleets typically receive.

Change in Infection Chain Tactics

Delivering .RAR archives that contain .LNK files is a departure from APT35's usual reliance on VBA macros or remote template injection in Office documents. The shift reflects continual adaptation to evade controls rather than the exploitation of any new vulnerability: the chain depends entirely on the victim opening the archive and double-clicking the shortcut. A password-protected archive cannot be inspected by most mail gateways, and a shortcut file can be given a document icon and a double extension so that it looks like a PDF in Explorer, which makes the delivery far less likely to raise suspicion than a macro-enabled document.

Adaptation due to Microsoft Macro Disabling

Microsoft's default blocking of VBA macros in Office files downloaded from the internet has forced threat actors like APT35 to adapt. Using LNK files for malware delivery is one such adaptation: a shortcut can launch PowerShell or another script host directly, with no macro to block. The goal is the same, to slip past security controls and stay covert, but the indicators have moved. Organizations should update their defenses accordingly, for example by blocking or quarantining shortcut files arriving inside archives and by alerting when Explorer spawns a script host from a user's Downloads or temp directory.
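The two preceding sections describe a shortcut-based infection chain in general terms. The following added example, written for this article and not code from Proofpoint or APT35, shows what a triage script for such a .lnk file looks like: it parses the MS-SHLLINK binary format (header, optional IDList and LinkInfo, then the string data that carries the target and arguments) and flags the traits a shortcut-based dropper typically has, such as a script-host target, an encoded or hidden-window PowerShell command line, a borrowed icon, and a minimized start window. The two sample shortcuts are constructed in the code itself, with a harmless encoded command, so nothing real is touched; the file name, paths and heuristics are assumptions for illustration.

```python
import base64
import struct
import uuid

# LinkFlags bits from the MS-SHLLINK specification, section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C           # ShellLinkHeader is always 76 bytes
SW_SHOWMINNOACTIVE = 7       # ShowCommand value that opens the window minimized

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Binaries a document shortcut has no business launching (assumed watch list)
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32", "certutil", "msiexec")
ARGUMENT_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop",
                    "bypass", "iex", "downloadstring", "http")


def build_lnk(name="", relative_path="", working_dir="", arguments="",
              icon_location="", show_command=1):
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for testing."""
    flags = IS_UNICODE
    string_data = b""
    for flag, key in STRING_FIELDS:
        value = locals()[key] if key in ("name",) else None
    values = {"name": name, "relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    for flag, key in STRING_FIELDS:
        if values[key]:
            flags |= flag
            encoded = values[key].encode("utf-16le")
            string_data += struct.pack("<H", len(values[key])) + encoded
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + string_data + b"\x00\x00\x00\x00"  # TerminalBlock


def parse_lnk(data):
    """Return the string fields and ShowCommand of a shell link, validating the header."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDListSize + IDList
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize covers the whole structure
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        fields[key] = ""
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            nbytes = count * 2 if is_unicode else count
            raw = data[pos:pos + nbytes]
            if len(raw) != nbytes:
                raise ValueError(f"truncated StringData for {key}")
            fields[key] = raw.decode("utf-16le") if is_unicode else raw.decode("cp1252")
            pos += nbytes
    fields["show_command"] = show_command
    return fields


def assess_lnk(fields):
    """Heuristic triage: return the reasons a shortcut looks like a dropper (empty if none)."""
    reasons = []
    target = (fields["relative_path"] + " " + fields["arguments"]).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in target]
    if hosts:
        reasons.append("launches script host: " + ", ".join(hosts))
    args = fields["arguments"].lower()
    for marker in ARGUMENT_MARKERS:
        if marker in args:
            reasons.append("argument marker: " + marker.strip())
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (ShowCommand=7)")
    icon = fields["icon_location"].lower()
    if icon and hosts and not any(h in icon for h in hosts):
        reasons.append("icon borrowed from another program while target is a script host")
    return reasons


# Constructed samples: the encoded command is a harmless Write-Host, not a real payload
_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
MALICIOUS_SAMPLE = build_lnk(
    name="Quarterly briefing",
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    working_dir="%TEMP%",
    arguments=f"-NoProfile -WindowStyle Hidden -EncodedCommand {_ENCODED}",
    icon_location="%SystemRoot%\\System32\\shell32.dll",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_SAMPLE = build_lnk(relative_path="..\\notepad.exe",
                          working_dir="C:\\Users\\analyst\\Documents")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_lnk(parse_lnk(blob)))
```

The parser deliberately stops before the ExtraData blocks; for triage, the target, arguments, icon and window state are what distinguish a shortcut that opens a document from one that launches a hidden PowerShell session. Run over the contents of a password-protected archive after extraction in a sandbox, the same checks surface the document-icon-plus-script-host combination without executing anything.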

Attribution to APT35

Based on code similarities and overlapping tactics, techniques, and procedures, Proofpoint, which tracks the group as TA453, attributes the Mac malware campaign to APT35 with “high confidence.” The attribution underscores APT35's standing as a persistent and capable threat actor, and it matters operationally: knowing which actor is behind a lure tells defenders which follow-on tooling and infrastructure to hunt for.

NokNok is a reminder that the threat landscape keeps evolving and that vigilance has to keep pace. By targeting individuals in civil society, APT35 shows that at-risk people, and the organizations around them, need defenses that account for macOS as well as Windows. Understanding APT35's tactics, including its expansion to non-Windows environments and its diversified delivery methods, makes proactive defense possible and strengthens resilience against the group's future campaigns.
