
macOS Hit by New ReaderUpdate Malware in Rust & Go


macOS users are once again in the crosshairs as cybercriminals roll out fresh versions of the notorious ReaderUpdate malware—this time rewritten in Rust, Go, Crystal, and Nim, according to a new SentinelOne report.

First detected in 2020 as a compiled Python-based malware loader, ReaderUpdate has evolved significantly over the years. It initially spread via fake utilities bundled in shady installers found on free and third-party software sites. Despite the evolving programming languages, the malware’s core mission has remained consistent: deploying Genieo adware—also known as Dolittle or MaxOfferDeal—on Intel-based macOS systems.

Since mid-2024, security researchers have flagged an uptick in variants written in Rust, Nim, and Crystal. SentinelOne’s latest analysis also confirms an emerging version built with Go, showing that the attackers are diversifying their toolkit. Despite the programming differences, the payload and core behavior haven’t changed. These new versions continue to reach out to various command-and-control (C&C) domains, including the long-standing www[.]entryway[.]world, to communicate and fetch further instructions.
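The one indicator the report gives that a defender can act on directly is the long-standing C&C hostname www[.]entryway[.]world. The following is an added example, not code from the article or from SentinelOne: it refangs the published indicator and sweeps it over DNS resolver log lines. The log format and the log lines are constructed for the example, and the "medium confidence" pivot onto other hosts under the same registered domain is this example's own choice, not something the report states.

```python
import re
from typing import Dict, List

# Indicator as published (defanged) in the report discussed above.
DEFANGED_C2 = "www[.]entryway[.]world"


def refang(indicator: str) -> str:
    """Convert a defanged indicator (www[.]x[.]tld, hxxp://) into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def parent_domain(hostname: str, labels: int = 2) -> str:
    """Last `labels` DNS labels of a hostname, e.g. 'entryway.world'.

    A fixed label count is a simplification (it is wrong for suffixes such as
    co.uk); a production version would use the public suffix list.
    """
    return ".".join(hostname.lower().rstrip(".").split(".")[-labels:])


# Constructed DNS resolver log lines (not real telemetry). One line is the
# exact C&C host, one is a sibling host under the same registered domain, and
# one is a look-alike that must not match.
SAMPLE_DNS_LOG = """\
2025-03-28T10:12:01Z client=10.0.1.23 qname=apple.com qtype=A
2025-03-28T10:12:07Z client=10.0.1.45 qname=www.entryway.world qtype=A
2025-03-28T10:12:09Z client=10.0.1.45 qname=updates.entryway.world qtype=A
2025-03-28T10:13:15Z client=10.0.1.23 qname=www.entrywayworld.com qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def scan_dns_log(log_text: str, defanged_iocs: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose qname is an IoC (high) or shares its
    registered domain (medium). Lines that do not parse are skipped."""
    exact = {refang(i) for i in defanged_iocs}
    parents = {parent_domain(h) for h in exact}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in exact:
            confidence = "high"
        elif parent_domain(qname) in parents:
            confidence = "medium"
        else:
            continue
        hits.append(
            {"ts": m["ts"], "client": m["client"], "qname": qname, "confidence": confidence}
        )
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, [DEFANGED_C2]):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["qname"]} [{hit["confidence"]}]')
```

Keeping the indicator defanged in the source file and refanging it only at match time avoids the usual accident of a security tool itself resolving or linking the C&C name. The medium-confidence tier exists so that an analyst sees sibling hosts under the same registered domain without treating them as confirmed; the look-alike www.entrywayworld.com is deliberately not matched.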

Interestingly, these updated variants are being spread through older infections of ReaderUpdate, effectively using already-compromised systems to expand their footprint. That’s a clever move by threat actors who are maximizing past infections to deliver new malware builds—without raising immediate red flags.

All current versions of ReaderUpdate are specifically designed for Intel-based Macs, meaning Apple Silicon users appear to be untouched—for now. Each version collects detailed system information on the infected machine to generate a unique fingerprint. This data is then sent to the C&C server. From there, operators can deliver and execute arbitrary commands, making the malware highly adaptable and dangerous.

The Go-based variant, although newer and less widespread, has already been spotted reaching out to at least seven different C&C domains. SentinelOne has identified nine unique Go samples so far, compared to the hundreds of samples found in Nim, Crystal, and Rust. This suggests that while the Go version is emerging, other variants are currently more dominant in the wild.

While the ReaderUpdate loader has so far been tied to adware, its modular nature poses a broader risk. Researchers warn it could easily be used to deploy more harmful payloads in future attacks. This opens the door for use in Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) schemes, potentially turning ReaderUpdate into a vehicle for larger cybercrime operations.

Security experts urge macOS users to avoid downloading software from unofficial sites and to verify installers before use. As the malware continues to evolve and experiment with multiple programming languages, staying ahead of these threats will require constant vigilance and updated security tools.
