OpsBedil: macOS Software Post-Installation Exploitation, Apple Inc.
TLP: WHITE | Adversary: DragonForce Malaysia | Author: ilyailya | Created: 2025-02-16 | Modified: 2025-02-21
286 IOCs (high volume)
Threat actors affiliated with DragonForce Malaysia, Lazarus Group and others exploit unauthorized nodes during macOS software installations to gain persistence, exfiltrate data and escalate privileges. Observed techniques include T1003 (Credential Dumping) to harvest keychain data, T1020 (Automated Exfiltration) carried over T1071 (Application Layer Protocol), and T1027 (Obfuscation) to conceal payloads. Persistence is achieved through T1053 (Scheduled Tasks) and T1543 (System Process Creation). Lateral movement is supported by T1046 (Network Discovery) and T1055 (Process Injection), while valid credentials (T1078) and remote services (T1133) provide long-term access. Proxy use (T1090) and tunneling (T1572) are used to evade detection. The attackers hijack resources (T1496) and may deploy T1498 (DoS).

Monitoring for unsigned installations, abnormal processes and unusual network traffic can detect this activity. Validating software sources and restricting network egress are the recommended mitigations.
Indicators of Compromise (10 / 286 total)