← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
WHITE Armature_TIP 2025-02-22 Modified: 2025-03-24
65
IOCs
HIGH VOLUME
Recorded Future's Insikt Group has identified a widespread cyberattack campaign involving Vortax, a purported virtual meeting software, which spreads infostealers to steal information on users of macOS.
amosvortaxrecorded futureintelligenceinsikt groupstealcatomic macosstealerfuturemarkopoloinsiktmacosriflespinegoogle drivemopsledunc3886mandianttokengithubc2 serverdownload fileuploadcrosswalkreptilewritedownloadalibabamedusatacacs servertacacslookovercontactpersistenceenterpriserootkitsicmpinstallpythoninstallerlauncherreptile.shelllinuxvirtualshinevirtualpie
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Recorded Future Insikt macOS REPTILE.SHELL MOPSLED Linux VIRTUALSHINE VIRTUALPIE REPTILE
Indicators of Compromise (1 / 65 total)
All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 YARA domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 d6a57b9aaa20fe4f3330f5979979081af09a4232 SHA1 of 3c7316012cba3bbfa8a95d7277cda873 2025-02-22
References (1)
↗ https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations