
©2025 Poal.co


Analyses of the Windows version (by Intezer) and the version for Macs (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. Executable files for both the Windows and macOS versions had the suffix .ts. Intezer said that may be an indication the file masqueraded as a TypeScript app spread after being sneaked into the npm JavaScript repository. Intezer went on to say that SysJoker masquerades as a system update.

Wardle, meanwhile, said the .ts extension may indicate the file masqueraded as video transport stream content. He also found that the macOS file was digitally signed, though with an ad-hoc signature.

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were fully undetected on the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers were analyzing it, the server changed three times, indicating the attacker was active and monitoring for infected machines.

https://pic8.co/sh/LRKMcc.png

https://arstechnica.com/information-technology/2022/01/backdoor-for-windows-macos-and-linux-went-undetected-until-now/
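The detail worth acting on in the quoted article is the extension trick: a native executable shipped with a .ts suffix so it reads as a TypeScript source file or an MPEG transport stream. Neither of those formats starts with a PE, ELF or Mach-O header, so a header-versus-extension check catches the masquerade without a signature. The triage script below is an added example, not code from the Ars Technica article, Intezer or Patrick Wardle; the sample tree it scans is constructed from header bytes only, and the list of "should never be executable" extensions beyond .ts is an assumption.

```python
"""Added example, not code from the Ars Technica article, Intezer or Patrick Wardle:
flag files whose extension claims a script or media type (the article's .ts case:
TypeScript or MPEG transport stream) but whose leading bytes are a native
executable header (PE, ELF or Mach-O).
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, Optional

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O (BE / LE)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O (BE / LE)
    b"\xca\xfe\xba\xbe",                       # fat/universal (also Java .class; still worth a look)
}
ELF_MAGIC = b"\x7fELF"

# Extensions whose content should never begin with an executable header.
# .ts is the case from the article; the others are assumed examples.
NON_EXEC_EXTENSIONS = {".ts", ".js", ".json", ".txt", ".png", ".pdf", ".mp4"}

HEADER_BYTES = 4096  # enough to reach e_lfanew for any realistic PE stub


def classify_header(head: bytes) -> Optional[str]:
    """Return 'PE', 'ELF', 'Mach-O' or None, based only on the leading bytes."""
    if head[:4] == ELF_MAGIC:
        return "ELF"
    if head[:4] in MACHO_MAGICS:
        return "Mach-O"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature;
        # a bare MZ stub with no PE signature is not reported.
        pe_off = struct.unpack_from("<I", head, 0x3C)[0]
        if pe_off + 4 <= len(head) and head[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return None


def scan(root: str) -> Dict[str, str]:
    """Walk root; map relative path -> header type for files that mismatch."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in NON_EXEC_EXTENSIONS:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            kind = classify_header(head)
            if kind:
                findings[str(path.relative_to(root))] = kind
    return findings


def build_sample_dir() -> str:
    """Constructed sample tree (not real malware): header bytes only, nothing runs."""
    root = tempfile.mkdtemp(prefix="tsscan_")
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61
    pe_off = 0x80
    pe = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    pe += b"\x00" * (pe_off - len(pe)) + b"PE\0\0" + b"\x00" * 20
    samples = {
        "update.ts": macho64,                       # executable masquerading as .ts
        "patch.ts": elf,
        "installer.ts": pe,
        "app.ts": b"export const x: number = 1;\n",  # genuine TypeScript
        "clip.ts": b"\x47" + b"\x00" * 187,         # genuine MPEG-TS packet (sync byte 0x47)
        "readme.txt": b"hello\n",
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, kind in sorted(scan(build_sample_dir()).items()):
        print(f"{rel}: {kind} header behind a non-executable extension")
```

Run it against a real tree by calling `scan("/path/to/review")`; only the three constructed files with executable headers are reported, while the real TypeScript source and the MPEG-TS packet pass. It checks magic bytes only, so it says nothing about code signing; on macOS the ad-hoc signature Wardle noted would be confirmed separately with `codesign -dv` on the flagged file.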

