How To Remove HZ RAT On Mac [Complete Guide]

author avatarTodor Pichurov Hours Posted on Hours Updated on

Before we dive in

Before we dive in, let's make sure you stay safe online. We created SpyHunter because your security matters to us.

Protect your computer today — download SpyHunter right here! Check out our top tips below to keep your computer safe and secure.

Download SpyHunter

Are you worried about the security of your macOS system amidst the increasing complexity of cyber threats?

HZ RAT, a malware targeting macOS users, particularly those using popular Chinese apps like WeChat and DingTalk, underscores the growing need for robust cybersecurity measures.

This article will explore the mechanics of HZ RAT, discuss its unique threat to macOS users, and offer practical tips to safeguard your system.

Read on for comprehensive insights into combating this sophisticated malware and ensuring your digital safety.

This Article Contains:

What is the HZ RAT Backdoor?

HZ RAT is a sophisticated form of malware that functions as a backdoor on macOS systems, though it also has a Windows version.

Specifically designed to target users of the Chinese communication applications DingTalk and WeChat, HZ RAT allows cybercriminals to carry out a variety of malicious activities.

ai generated, hacker, computer

By mimicking legitimate software packages, this malware deceives users into downloading and installing it on their devices.

Once installed, HZ RAT can execute commands sent from a remote server, manage files, download further malicious payloads, and intercept and send data back to the cybercriminals.

The ability to execute arbitrary commands makes it particularly dangerous as it could lead to further exploitation of the infected system.

The mechanics of macOS backdoors

Backdoors like HZ RAT operate by opening a hidden entry point into your device, which allows attackers to take control or steal information without your knowledge.

For macOS users, this usually involves tricking the user into downloading what appears to be a harmless software package. Once this package is executed, it installs a backdoor component in a way that often bypasses typical security checks.

In the case of macOS, malware often uses shell scripts—a type of programming script that executes commands on Unix-based systems, including macOS.

These scripts are preferred by attackers because they are powerful and offer deep access to the system’s operations. HZ RAT uses these scripts to execute a predefined set of commands, which can manipulate files, gather system data, or download additional malicious software.

Initial access and infection strategies

The initial infection strategy of HZ RAT on macOS relies heavily on social engineering and the exploitation of trusted applications.

The trojan’s distribution through disguised files prompts users to unwittingly install the malware, believing they are downloading a safe and useful application. Specifically, it exploits the popularity and the trust in apps dealing with instant messaging and data management.

Once installed, the malware utilizes sophisticated shell scripts to modify system configurations and establish persistence.

These scripts connect the infected device to a remote server, thereby initiating unauthorized data transfers and enabling the remote execution of malicious commands.

Persistent threat tactics in macOS

To maintain its presence on an infected macOS system, HZ RAT employs persistence mechanisms that allow it to survive reboots and user attempts to remove suspicious software.

It plants itself in /System/Library/LaunchAgents and /System/Library/LaunchDaemons, ensuring it runs continually in the background without the user’s knowledge.

Remove HZ RAT using SpyHunter

For comprehensive malware protection and removal, consider using SpyHunter. SpyHunter can detect and eliminate various types of malware, including the likes of HZ RAT.

Its real-time system guards block unauthorized activities, providing an additional layer of security.

  1. Download the app here and install it following the on-screen prompts.
  2. Launch SpyHunter from your dock and then select a full scan of your Mac from the main menu.
  3. Wait for the scan to end and then examine the list of possible detections, making sure all detected threats are selected for removal.
remove malware, trojans, and other threats with spyhunter
  1. Proceed to remove all malware discovered using the interface buttons.
remove malware, viruses, and potentially unwanted programs with spyhunter for mac

Regular scans with SpyHunter help ensure that your macOS remains clean and secure from any new malware that tries to infiltrate your system.

Steps to manually remove HZ RAT from Mac

1: Identify and end suspicious processes

To get started with removing HZ RAT, first stop or force quit any suspicious processes.

  1. Open the Activity Monitor and look for any processes that seem suspicious. This can include unrecognizable app names and strangely named apps.
  2. Select the suspect processes and force-quit them using the Stop button.
  3. Confirm your action to force-quit the process by clicking Force quit again.
the activity monitor app on macos on the cpu tab

2. Remove suspicious applications

  1. Navigate to your Applications folder through Finder.
  2. Look through the list of installed apps and look for any suspicious names or apps you don’t remember installing.
  3. Drag and drop the suspicious apps into the Trash.
  4. Empty the Trash to complete this step.
delete a program from applications using finder

3. Remove leftover files related to HZ RAT

  1. Open a Finder window and click on Go > Go to Folder.
  2. In the dialog box that pops up, enter the following paths in order:
    • /Library/LaunchAgents/
    • /Library/Application Support/
    • /Library/LaunchDaemons/
    • ~/Library/LaunchAgents/
    • ~/Library/Application Support/
  3. Examine each of those directory locations for any files that may be linked to HZ RAT and delete them all manually.
  4. Empty the Trash.
delete downloaded files from the finder app

Conclusion

To prevent future infections, follow best practices such as keeping your macOS and applications updated, using strong, unique passwords, and avoiding suspicious downloads or email attachments.

Additionally, using reputable anti-malware software like SpyHunter for regular system scans can help detect and block new threats before they can cause harm. Stay vigilant to maintain your Mac’s security.

Share this post on your favorite social media
author avatar

Todor has over a decade of experience in creating content about cybersecurity. He specializes in making complex security topics understandable for all. As part of the SpyHunter team, Todor uses his expertise to educate users, empowering them to better understand and manage their digital environments securely and efficiently.

Keep Your Mac Fast and Secure
Optimize your Mac and stay malware-free with SpyHunter
Download SpyHunter For Free

For a better understanding of our policies, please review our Free Trial Offer below, EULA, and Privacy/Cookie Policy.

SpyHunter Free Trial: Important Terms & Conditions

The SpyHunter Trial version includes, for one device, a one-time 7-day Trial period for SpyHunter 5 Pro (Windows) or SpyHunter for Mac, offering comprehensive malware detection and removal functionality, high-performance guards to actively protect your system from malware threats, and access to our technical support team via the SpyHunter HelpDesk. You will not be charged upfront during the Trial period, although a credit card is required to activate the Trial. (Prepaid credit cards, debit cards, and gift cards are not accepted under this offer.) The requirement for your payment method is to help ensure continuous, uninterrupted security protection during your transition from a Trial to a paid subscription should you decide to purchase. Your payment method will not be charged a payment amount upfront during the Trial, although authorization requests may be sent to your financial institution to verify that your payment method is valid (such authorization submissions are not requests for charges or fees by EnigmaSoft but, depending upon your payment method and/or your financial institution, may reflect on your account availability). You can cancel your Trial by contacting EnigmaSoft’s payment processor (identified in your confirmation email) or EnigmaSoft directly no later than two business days before the 7-day Trial period expires to avoid a charge coming due and being processed immediately after your Trial expires. If you decide to cancel during your Trial, you will immediately lose access to SpyHunter. If, for any reason, you believe a charge was processed that you did not wish to make (which could occur based on system administration, for example), you may also cancel and receive a full refund for the charge any time within 30 days of the date of the purchase charge. See FAQs.

At the end of the Trial, you will be billed upfront immediately at the price and for the subscription period as set forth in the offering materials and registration/purchase page terms (which are incorporated herein by reference; pricing may vary by country per purchase page details) if you have not timely canceled. Pricing typically starts at $72 for 3 months (SpyHunter Pro Windows) and $42 for 3 months (SpyHunter for Mac). Your purchased subscription will be automatically renewed in accordance with the registration/purchase page terms, which provide for automatic renewals at the then applicable standard subscription fee in effect at the time of your original purchase and for the same subscription time period, provided you’re a continuous, uninterrupted subscription user. Please see the purchase page for details. Trial subject to these Terms, your agreement to EULA/TOS, Privacy/Cookie Policy, and Discount Terms. If you wish to uninstall SpyHunter, learn how.

For payment on the automatic renewal of your subscription, an email reminder will be sent to the email address you provided when you registered before your next payment date. At the onset of your trial, you will receive an activation code that is limited to use for only one Trial and for only one device per account. Your subscription will automatically renew at the price and for the subscription period in accordance with the offering materials and registration/purchase page terms (which are incorporated herein by reference; pricing may vary by country per purchase page details), provided that you are a continuous, uninterrupted subscription user. For paid subscription users, if you cancel, you will continue to have access to your product(s) until the end of your paid subscription period. If you wish to receive a refund for your then current subscription period, you must cancel and apply for a refund within 30 days of your most recent purchase, and you will immediately stop receiving full functionality when your refund is processed.

For CALIFORNIA CONSUMERS, please see the notice provisions:
NOTICE TO CALIFORNIA CONSUMERS: Per the California Automatic Renewal Law, you may cancel a subscription as follows:

  1. Go to www.enigmasoftware.com and click the "Login" button at the top right corner.
  2. Log in with your username and password.
  3. In the navigation menu, go to "Order/Licenses." Next to your order/license, a button is available to cancel your subscription if applicable. Note: If you have multiple orders/products, you will need to cancel them on an individual basis.

Should you have any questions or problems, you can contact our EnigmaSoft support team by phone at +1 (888) 360-0646 (USA Toll-Free) / +353 76 680 3523 (Ireland/International) or by email at support@enigmasoftware.com.
How do you cancel a SpyHunter Trial? If your SpyHunter Trial was registered via MyCommerce, you can cancel the trial via MyCommerce by logging into the MyAccount section of MyCommerce (see your confirmation email for further details). You can also contact MyCommerce by phone or email to cancel. To contact MyCommerce via phone, you can call +1-800-406-4966 (USA Toll-Free) or +1-952-646-5022 (24x7x356). You can contact MyCommerce by e-mail at ordersupport@mycommerce.com. You can easily identify if your trial was registered via MyCommerce by checking the confirmation emails that were sent to you upon registration. Alternatively, all users may also contact EnigmaSoft Limited directly. Users can contact our technical support team by emailing support@enigmasoftware.com, opening a ticket in the SpyHunter HelpDesk, or calling +1 (888) 360-0646 (USA) / +353 76 680 3523 (Ireland/International). You can access the SpyHunter HelpDesk from SpyHunter's main screen. To open a support ticket, click on the "HelpDesk" icon. In the window that appears, click the "New Ticket" tab. Fill out the form and click the "Submit" button. If you are unsure of what "Problem Type" to select, please choose the "General Questions" option. Our support agents will promptly process your request and respond to you.

———

SpyHunter Purchase Details
You also have the choice of subscribing to SpyHunter immediately for full functionality, including malware removal and access to our support department via our HelpDesk, typically starting at $42 for 3 months (SpyHunter Basic Windows) and $42 for 3 months (SpyHunter for Mac) in accordance with the offering materials and registration/purchase page terms (which are incorporated herein by reference; pricing may vary by country per purchase page details). Your subscription will automatically renew at the then applicable standard subscription fee in effect at the time of your original purchase subscription and for the same subscription time period, provided you’re a continuous, uninterrupted subscription user and for which you will receive a notice of upcoming charges before the expiration of your subscription. Purchase of SpyHunter is subject to the terms and conditions on the purchase page, EULA/TOS, Privacy/Cookie Policy and Discount Terms.

———

General Terms
Any purchase for SpyHunter under a discounted price is valid for the offered discounted subscription term. After that, the then applicable standard pricing will apply for automatic renewals and/or future purchases. Pricing is subject to change, although we will notify you in advance of price changes.
All SpyHunter versions are subject to your agreeing to our EULA/TOS, Privacy/Cookie Policy, and Discount Terms. Please also see our FAQs and Threat Assessment Criteria. If you wish to uninstall SpyHunter, learn how.