Costin Raiu from Kaspersky Lab says in a SecureList blog post (http://macte.ch/gkytk) that last week the security software company wrote of a possible link between a Mac OS X backdoor trojan and an APT attack known as LuckyCat. The IP address of the command-and-control (C&C) server to which this bot connects (199.192.152.*) was also used in other Windows malware samples during 2011, “which made us believe we were looking at the same entity behind these attacks,” he says.
“We think the above facts show a direct connection between the SabPub and Luckycat APT attacks,” Raiu writes. “We are pretty sure the SabPub backdoor was created as far back as February 2012 and was distributed via spear-phishing emails.”
His theory is that the malware payload was delivered through Word documents. Malware detection and virus tools aren’t yet effective against LuckyCat, though this situation should change soon.