Pulse name: OpsBedil: MacOS Software Post-Installation Exploitation, Apple Inc.
TLP: WHITE
Adversary: DragonForce Malaysia
Author: ilyailya
Created: 2025-02-16 (modified: 2025-02-21)
Indicators: 286 IOCs (high volume)
Threat actors affiliated with DragonForce Malaysia, Lazarus Group and others exploit unauthorized nodes during macOS software installations to gain persistence, exfiltrate data, and escalate privileges. Techniques observed include T1003 (OS Credential Dumping) to harvest keychain data, T1020 (Automated Exfiltration) over T1071 (Application Layer Protocol), and T1027 (Obfuscated Files or Information) to conceal payloads. Persistence is achieved via T1053 (Scheduled Task/Job) and T1543 (Create or Modify System Process). Lateral movement is supported by T1046 (Network Service Discovery) and T1055 (Process Injection). Valid accounts (T1078) and external remote services (T1133) enable long-term access. Proxies (T1090) and protocol tunneling (T1572) are used to evade detection. Attackers hijack resources (T1496) and may launch network denial of service (T1498). Monitoring for unsigned installations, abnormal processes, and unusual network traffic can detect this activity. Validating software sources and restricting network egress are recommended.
Indicators of Compromise (8 / 286 total)
Type          Indicator                          Description                                                                  Created
FileHash-MD5  40f7e15634ccf85de9c1469da7f6f13b   MD5 of 0874d307fc45886d2751cd9e6816513dc3e1604e514ef1b291bbe7b1a887cd96   2025-02-16
FileHash-MD5  423172ddeb0960115d396095818f90f7   MD5 of 5d50a7cf15561f35ed54a2e442c3dfdac1d660dc18375f7e4105f50eec443f27   2025-02-16
FileHash-MD5  625794112bb06b2dba2a7b45b8f3052b   MD5 of 89672c08916dd38d9d4b7f5bbf7f39f919adcaebc7f8bb1ed053cb701005499a   2025-02-16
FileHash-MD5  abac9826a3a9ed955f6572254901ca92   MD5 of 7bcffa722687055359c600e7a9abf5d57c9758dccf65b288ba2e6f174b43ac57   2025-02-16
FileHash-MD5  ae3727236430871f2b2d5dc5305b2699   MD5 of 258cb1d60a000e8e0bb6dc751b3dc14152628d9dd96454a3137d124a132a4e69   2025-02-16
FileHash-MD5  c1edb88c26e6b2d93f8bcb6d5814ad19   MD5 of 03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016   2025-02-16
FileHash-MD5  ce0417034e1d116a820ee4d3eefb6955   MD5 of 1fcc418bdd7d2d40e7f70b9d636735ab760e1044bb76f8c2232bd189e2fd8be7   2025-02-16
FileHash-MD5  de26c8900da4f3b647fa026d2a338971   MD5 of af50c735173326b2af2e2d2b4717590e813c67a65ba664104880dc5d6a58a029   2025-02-16