AppleChris
Intelligence Profile
According to Unit 42, AppleChris is a custom Windows backdoor implemented as multiple Portable Executable (PE) binaries (EXEs and DLLs) that support flexible deployment, including DLL hijacking via the Volume Shadow Copy Service. It provides comprehensive remote access capabilities such as drive and directory enumeration, file upload/download/deletion, process listing and creation, and interactive shell execution, all controlled over HTTP using custom verbs and RSA/AES-encrypted C2 traffic. AppleChris uses a dead drop resolver design where C2 IPs are dynamically retrieved and decrypted, initially via a dual Dropbox + Pastebin mechanism (Dropbox variant) and later via a streamlined Pastebin-only approach (Tunneler variant). The newer Tunneler variant additionally introduces a proxy tunneling command that creates reverse TCP tunnels for network pivoting, while employing delayed execution and mutex-based single-instance checks to evade detection.
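Two of the behaviours described above leave traces in ordinary web-proxy telemetry: non-standard HTTP methods on the C2 channel, and the dead drop resolver sequence in which a host first fetches a paste or Dropbox object and then, shortly afterwards, starts talking to a bare IP address. The following is an added detection sketch, not code from Unit 42 or from the malware itself. It assumes a simplified proxy-log format ("timestamp client method url status"), a five-minute correlation window, and a hypothetical placeholder verb `XSEND`; the real AppleChris verbs and dead drop URLs are not given on this page, and the sample log lines are constructed.

```python
"""Detection sketch for AppleChris-style C2 traces in web-proxy logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Methods registered for HTTP (RFC 9110) plus common WebDAV verbs; anything else is a
# "custom verb" candidate. HTTP methods are case-sensitive, so no case folding is done.
STANDARD_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "REPORT", "SEARCH",
}

# Legitimate services the profile names as dead drop locations (assumed hostnames).
DEAD_DROP_HOSTS = {
    "pastebin.com", "www.dropbox.com", "dl.dropboxusercontent.com", "content.dropboxapi.com",
}

# Assumed simplified proxy-log format: "<ISO timestamp> <client ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines, not from any real incident. "XSEND" is a made-up placeholder
# for a non-standard verb; lines are deliberately out of time order to exercise sorting.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 GET https://www.example.com/ 200
2024-05-01T10:00:03 10.0.0.7 GET https://pastebin.com/raw/aBcDeF12 200
2024-05-01T10:00:05 10.0.0.7 GET http://203.0.113.10/index 200
2024-05-01T10:00:09 10.0.0.7 XSEND http://203.0.113.10/cmd 200
2024-05-01T10:05:00 10.0.0.9 GET https://pastebin.com/raw/zYxWvU98 200
2024-05-01T11:30:00 10.0.0.9 GET http://198.51.100.4/ 200
2024-05-01T10:10:00 10.0.0.5 POST https://api.example.com/upload 201
"""


def _is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_log(text):
    """Parse log lines into event dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "method": m["method"],
            "url": m["url"],
            "host": host,
            "host_is_ip": _is_ip_literal(host),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def custom_verb_requests(events):
    """Requests whose HTTP method is not a standard one (custom C2 verbs)."""
    return [e for e in events if e["method"] not in STANDARD_METHODS]


def dead_drop_followups(events, window=timedelta(minutes=5)):
    """Resolver-then-beacon sequence: for each fetch from a dead drop host, report the
    IP-literal hosts the same client contacted within `window` afterwards."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():  # evs keep global time order
        for i, drop in enumerate(evs):
            if drop["host"] not in DEAD_DROP_HOSTS:
                continue
            c2_hosts = set()
            for later in evs[i + 1:]:
                if later["ts"] - drop["ts"] > window:
                    break
                if later["host_is_ip"]:
                    c2_hosts.add(later["host"])
            if c2_hosts:
                hits.append({"src": src, "ts": drop["ts"], "drop_url": drop["url"],
                             "c2_hosts": sorted(c2_hosts)})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in custom_verb_requests(evs):
        print(f"custom verb: {e['src']} {e['method']} {e['url']}")
    for h in dead_drop_followups(evs):
        print(f"dead drop followed by IP beacon: {h['src']} {h['drop_url']} -> {h['c2_hosts']}")
```

Both checks are heuristics: non-standard methods also appear in some legitimate APIs, and a paste fetch followed by a direct-to-IP connection is only suspicious when the client has no reason to do either, so the output is a triage lead rather than a verdict. The host 10.0.0.9 fetches a paste but contacts an IP only 85 minutes later, which the five-minute window correctly ignores; shortening the window would miss variants that delay execution, which the profile notes the Tunneler variant does, so tune it against your own baseline.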
Threat Analysis
AppleChris is a malware family rather than a threat actor. The reporting summarized above does not establish who operates it, its national origin, or the operators' motivation; no attribution should be inferred from the name.