APT / THREAT GROUP

AppleChris

2 aliases
Last seen: May 13, 2026

Intelligence Profile

According to Unit 42, AppleChris is a custom Windows backdoor delivered as a set of Portable Executable (PE) binaries (EXEs and DLLs). The modular layout supports flexible deployment, including DLL hijacking via the Volume Shadow Copy Service. The backdoor provides comprehensive remote access: drive and directory enumeration, file upload, download and deletion, process listing and creation, and interactive shell execution. Command and control runs over HTTP using custom request verbs, with the C2 traffic encrypted using RSA and AES.

AppleChris locates its C2 servers through a dead drop resolver rather than hard-coded addresses: the C2 IP is retrieved at runtime from a public service and decrypted. The earlier Dropbox variant used a dual Dropbox + Pastebin mechanism; the later Tunneler variant streamlines this to a Pastebin-only lookup. The Tunneler variant also adds a proxy tunneling command that creates reverse TCP tunnels for network pivoting, and it uses delayed execution and a mutex-based single-instance check to evade detection.

For defenders, the dead drop design means the C2 IP addresses themselves are weak indicators: the operator can rotate them by editing the paste or hosted file without redeploying the backdoor. More durable detection focuses on the behaviour the design forces, namely a fetch from Pastebin or Dropbox followed shortly by HTTP traffic to a bare IP address, especially with non-standard HTTP verbs.
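The following is an added detection example for this profile; it is not Unit 42's code, CTIWATCH's code, or anything taken from the malware. It runs over constructed proxy log lines and flags a client that fetches from a dead drop host (Pastebin or Dropbox) and then, within a short window, talks HTTP to a bare IP address, raising severity when non-standard verbs appear. The log format, host names, paths, the `UPLD` verb and the 30-minute window are assumptions for illustration, not observed indicators.

```python
"""Heuristic detection of the AppleChris C2 pattern (added example, not vendor code).

Models two observables from the profile: (1) a dead drop resolver fetch to
Pastebin/Dropbox, followed by (2) HTTP to a bare IP, optionally with custom
verbs. Log format, hosts, paths, verbs and WINDOW are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Resolver hosts named in the profile (Dropbox variant: both; Tunneler: Pastebin only).
DEAD_DROP_HOSTS = {"pastebin.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
# Methods from RFC 9110 / RFC 5789; anything else is treated as a custom verb.
STANDARD_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
WINDOW = timedelta(minutes=30)  # assumed resolver-to-beacon gap

# Constructed log format (assumption): "<ISO timestamp> <client> <verb> <host> <path>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\S+)$")

# Constructed sample: 10.0.0.5 shows the full pattern, 10.0.0.7 only fetches
# Pastebin, 10.0.0.9 only talks to a bare IP (neither should be flagged).
SAMPLE_LOG = """\
2026-05-13T09:00:01 10.0.0.5 GET pastebin.com /raw/aBcDeFgH
2026-05-13T09:00:07 10.0.0.5 GET www.dropbox.com /s/xyz/cfg.txt
2026-05-13T09:00:40 10.0.0.5 POST 203.0.113.10 /api/beacon
2026-05-13T09:01:15 10.0.0.5 UPLD 203.0.113.10 /files/report.docx
2026-05-13T09:02:30 10.0.0.7 GET pastebin.com /raw/notes
2026-05-13T09:03:00 10.0.0.7 GET www.example.com /index.html
2026-05-13T09:05:00 10.0.0.9 GET 198.51.100.4 /update.bin
"""


@dataclass
class Event:
    ts: datetime
    client: str
    verb: str
    host: str
    path: str


@dataclass
class Finding:
    client: str
    resolver_host: str
    c2_host: str
    custom_verbs: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Custom verbs on top of the resolver pattern raise confidence.
        return "high" if self.custom_verbs else "medium"


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, verb, host, path = m.groups()
        events.append(Event(datetime.fromisoformat(ts), client, verb, host.lower(), path))
    return events


def is_bare_ip(host: str) -> bool:
    """True if the Host is a literal IPv4/IPv6 address (an optional :port is dropped)."""
    candidate = host
    if host.startswith("["):        # [v6]:port form
        candidate = host[1:host.find("]")]
    elif host.count(":") == 1:      # v4:port form
        candidate = host.split(":")[0]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def detect(events: list[Event]) -> dict[str, Finding]:
    """Flag clients whose dead drop fetch is followed by direct-IP HTTP within WINDOW."""
    by_client: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)

    findings: dict[str, Finding] = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        for r in (e for e in evs if e.host in DEAD_DROP_HOSTS):
            later = [e for e in evs if r.ts < e.ts <= r.ts + WINDOW and is_bare_ip(e.host)]
            if not later:
                continue
            custom = sorted({e.verb for e in later if e.verb not in STANDARD_VERBS})
            findings[client] = Finding(client, r.host, later[0].host, custom)
            break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)).values():
        print(f"{f.client}: {f.severity} - {f.resolver_host} -> {f.c2_host}, verbs {f.custom_verbs}")
```

The client that only fetched Pastebin and the client that only contacted a bare IP are deliberately left unflagged: each half of the pattern is common on its own, and it is the ordering within the window that matches the resolver design described above. On real data, add the requesting process name where the proxy or EDR logs it, since a resolver fetch from a non-browser process is the stronger signal.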

Threat Analysis

AppleChris is tracked here under the APT / Threat Group type, but the sourced intelligence describes a malware family (a Windows backdoor), not an actor. The available reporting does not attribute it to a named threat group, establish a national origin, or identify the operators' motivation.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

AppleChris, win.apple_chris

External Intelligence

Malpedia: win.apple_chris

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
AppleChris — APT / Threat Group | Threat Intelligence | CTIWATCH.COM