The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
WHITE Armature_TIP 2025-02-22 Modified: 2025-03-24
Recorded Future's Insikt Group has identified a widespread cyberattack campaign involving Vortax, a purported virtual meeting software, which spreads infostealers to steal information on users of macOS.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Recorded Future Insikt macOS REPTILE.SHELL MOPSLED Linux VIRTUALSHINE VIRTUALPIE REPTILE
Indicators of Compromise (65)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2022-22948 2025-02-22
CVE CVE-2022-41328 2025-02-22
CVE CVE-2022-42475 2025-02-22
CVE CVE-2023-20867 2025-02-22
CVE CVE-2023-34048 2025-02-22
CVE CVE-2023-6080 2025-02-22
domain cron.data 2025-02-22
domain number.rs 2025-02-22
domain reptile.shell 2025-02-22