Pulse Detail — Threat Intelligence

PULSE NAME

Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader.

WHITE Poseidon PetrP.73 2025-06-20 Modified: 2025-07-20

305

IOCs

HIGH VOLUME

A recent malware campaign attributed to unidentified threat actors, dubbed "Dark Partners," has been observed delivering malicious payloads targeting Windows and MacOS users. The campaign utilizes a loader known as "PayDay Loader," which primarily facilitates the distribution of infostealers, including the notorious Poseidon Stealer for MacOS. The origin of this malware can be traced back to impersonated websites mimicking well-known AI and VPN services, with notable emphasis on fostering user trust through familiar brands.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1199 T1564

MALWARE FAMILIES

’m Dark Partners Windows Lumma NodeJS Cybersecurity Cryptocurrency Poseidon

Indicators of Compromise (305)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	3d5312654bd7a7cc539cd25e9a2c7d3c	MD5 of b5151e75e8e8af1519bef9111f2acbb24b290f0b1f9e7bc0518e9e6eac95f7cc	2025-06-20
FileHash-MD5	69925b133d4cb28da7c207c8f61a7c72	MD5 of 82d2b0397dba3749c0444a70a197edaf4c862d815f00c2c4b47746c8e11da4f7	2025-06-20
FileHash-MD5	f81818df31adcd478b1b577b7ce775a8	MD5 of f82be98ea43b62e983683c0494dc6abf7a155843363f0107d484247ff1c2520a	2025-06-20
FileHash-SHA1	12a63d62a762bd21248b8f67950d0640b12f73d0	SHA1 of b5151e75e8e8af1519bef9111f2acbb24b290f0b1f9e7bc0518e9e6eac95f7cc	2025-06-20
FileHash-SHA1	183be5a2a2d9cbd3db8bd0c6401e0e5f8450704d	SHA1 of f82be98ea43b62e983683c0494dc6abf7a155843363f0107d484247ff1c2520a	2025-06-20
FileHash-SHA1	482b23e9b9b7dd5c2103a16155b7358091579d4a	SHA1 of 82d2b0397dba3749c0444a70a197edaf4c862d815f00c2c4b47746c8e11da4f7	2025-06-20
FileHash-SHA256	07b610bf7862614da77ebf4ba2773471fc6f9dc80a6e64b9f1e1287e260d739b	—	2025-06-20
FileHash-SHA256	2355248070b08d290a07e9a6ff8f8eed856a1bdfb28e256368afdb89ffc38e35	—	2025-06-20
FileHash-SHA256	3c82e15750142216665e2a2537ce5d0de05312ff06bdf62819ef86cbb3826d08	—	2025-06-20
FileHash-SHA256	3ef9c05b09eced9e1ea6bd3ebaaf6df26573db0addbbdcef025fb1f0438f5e7a	—	2025-06-20
FileHash-SHA256	4924ff91e9be84960f9241130e080bb5f3cbf19f17f62e1fc15e48fb6852cd89	—	2025-06-20
FileHash-SHA256	5a1fab9beb8ee0c8f570d5df14c018b3444b0859b0b9f8cb6abc41fb9bf4e073	—	2025-06-20
FileHash-SHA256	5ca6b15a14af2c8e9024e6168a8b30b84b49aeb593af31ecd7d0bbfc0a82c067	—	2025-06-20
FileHash-SHA256	7a368e51340b4cf673bce4031aafbb091f889439108e0bd9af7f9db39637c92f	—	2025-06-20
FileHash-SHA256	80303bf8c5e0d105e96c61627e5bc599ced1a9708c216fa575d7ce33535e7047	—	2025-06-20
FileHash-SHA256	82d2b0397dba3749c0444a70a197edaf4c862d815f00c2c4b47746c8e11da4f7	—	2025-06-20
FileHash-SHA256	85f61e048c330aaafd81ac5a78b8d72049d80e006fcfd95e32afaf8a883d2b10	—	2025-06-20
FileHash-SHA256	9d54779c91c5ff137e5c5c4b7eb1a284d29dc27c4e64126615c58e4557ee998c	—	2025-06-20
FileHash-SHA256	aa39323513603117cbc6d6c694849e92854b4193e22be087ec0f20019872e98a	—	2025-06-20
FileHash-SHA256	b5151e75e8e8af1519bef9111f2acbb24b290f0b1f9e7bc0518e9e6eac95f7cc	—	2025-06-20
FileHash-SHA256	b9457326cb02aa98a2e9243b79ba6cc1138485d1066b64621b6013c6df15d8a2	—	2025-06-20
FileHash-SHA256	baa5220f6fed2cf0b526b1b2fbc3fbf45abf1968de40acbab99f0e57ab2127b1	—	2025-06-20
FileHash-SHA256	bdda199202fb5d66c5e17539818b06d6b514af8a9a6535a4393fecd3a32e670c	—	2025-06-20
FileHash-SHA256	c3f9c300ca939a51d599114246beb08afb473bff565438994e9e1b457dbf5492	—	2025-06-20
FileHash-SHA256	c90782b335649daeb853d04944f138a5662d5644d642f07e4a064ff1315fe2cf	—	2025-06-20
FileHash-SHA256	cee3a87d1cbce053b9ab01966eecab5eee34934b62ea662fe8bc97a0ef6f4f11	—	2025-06-20
FileHash-SHA256	e6c74a6f5d4b19f33730576fc8d0104501327f208ca4bd3cf0b96be86cc4e911	—	2025-06-20
FileHash-SHA256	f82be98ea43b62e983683c0494dc6abf7a155843363f0107d484247ff1c2520a	—	2025-06-20
URL	http://140.82.54.223/ebYCOhjfCA4TqFs1IVH4Nw%3D%3D	—	2025-06-20
URL	http://140.82.54.223/get_encrypt_file/9o0il09RRPEPoS%2BmEZPaDg%3D%3D'	—	2025-06-20
URL	http://140.82.54.223/get_encrypt_file/JJVpLy4DY6zktgdembdB0A%3D%3D'	—	2025-06-20
URL	http://140.82.54.223/oierajasdkwcnwuqwd/fx8I96OXirLAMGekkCL3yA%3D%3D	—	2025-06-20
URL	http://199.247.14.131/p2p	—	2025-06-20
URL	http://199.247.14.131/p2p\	—	2025-06-20
URL	http://65.20.101.215/p2p	—	2025-06-20
URL	http://94.141.122.164:33337	—	2025-06-20
URL	http://event.data?.uuid	—	2025-06-20
URL	https://certcentral.org/lookup?detail_type=malware&query=Paydayloader	—	2025-06-20
URL	https://hai-per-package.com/api/load_mac/	—	2025-06-20
URL	https://hai-per-package.com/api/load_mac/$	—	2025-06-20
URL	https://hai-per-package.com/api/p_b_android/$	—	2025-06-20
URL	https://hai-per-package.com/jszip.min.js'	—	2025-06-20
URL	https://opana.get-manus.com/$	—	2025-06-20
URL	https://opana.get-manus.com/?asda=	—	2025-06-20
URL	https://opana.get-manus.com?asda=$	—	2025-06-20
URL	https://replicate-6phm9gg3zoacooy.app-tools.info/explore'	—	2025-06-20
domain	ai-creatify.org	—	2025-06-20
domain	ai-deepseek.org	—	2025-06-20
domain	alpha-gen-3.com	—	2025-06-20
domain	app-creatify.com	—	2025-06-20
domain	app-deepseek.org	—	2025-06-20
domain	app-deepspeek.com	—	2025-06-20
domain	app-ispring.com	—	2025-06-20
domain	app-openai.com	—	2025-06-20
domain	app-sora.org	—	2025-06-20
domain	app-technology.org	—	2025-06-20
domain	app-tools.info	—	2025-06-20
domain	bendiregitimi.com	—	2025-06-20
domain	blender-ai.com	—	2025-06-20
domain	certcentral.org	—	2025-06-20
domain	check-airdrop.org	—	2025-06-20
domain	creatify-ai.org	—	2025-06-20
domain	creatify-app.com	—	2025-06-20
domain	decipher.final	—	2025-06-20
domain	deepseek-download.com	—	2025-06-20
domain	descript-ai.com	—	2025-06-20
domain	event.data	—	2025-06-20
domain	evoto-ai.me	—	2025-06-20
domain	gen-3-alpha.com	—	2025-06-20
domain	gen3-alpha.com	—	2025-06-20
domain	gen3alpha.org	—	2025-06-20
domain	get-deepseek.com	—	2025-06-20
domain	get-hiper.me	—	2025-06-20
domain	get-loom.com	—	2025-06-20
domain	get-loom.org	—	2025-06-20
domain	get-tradingview.org	—	2025-06-20
domain	guarda.co	—	2025-06-20
domain	hai-per-package.com	—	2025-06-20
domain	index-my.com	—	2025-06-20
domain	index-sora-ai-video.com	—	2025-06-20
domain	loom-download.com	—	2025-06-20
domain	loom-rewind.com	—	2025-06-20
domain	lumion2024.com	—	2025-06-20
domain	magicalstyle.org	—	2025-06-20
domain	maxon-cinema4d.com	—	2025-06-20
domain	meta-trader5.com	—	2025-06-20
domain	moxon4d.com	—	2025-06-20
domain	my-bisc.network	—	2025-06-20
domain	my-creatify.org	—	2025-06-20
domain	my-creativity.org	—	2025-06-20
domain	my-deepseek.com	—	2025-06-20
domain	my-deepseek.org	—	2025-06-20
domain	my-descript.com	—	2025-06-20
domain	my-exodus.com	—	2025-06-20
domain	my-hotgame.com	—	2025-06-20
domain	my-koinly.com	—	2025-06-20
domain	my-loom.org	—	2025-06-20
domain	my-pica.art	—	2025-06-20
domain	my-pica.com	—	2025-06-20
domain	openai-index-sora.com	—	2025-06-20
domain	openai-index.org	—	2025-06-20
domain	piica-art.com	—	2025-06-20
domain	piica.org	—	2025-06-20
domain	processnames.map	—	2025-06-20
domain	rexruit.com	—	2025-06-20
domain	runaway-gen3.com	—	2025-06-20
domain	runway-gen3-alpha.com	—	2025-06-20
domain	sora-ai-download-now.com	—	2025-06-20
domain	sora-ai-explore.com	—	2025-06-20
domain	sora-install-now.com	—	2025-06-20
domain	sora-installs.com	—	2025-06-20
domain	sora-library.com	—	2025-06-20
domain	soraai-install-now.com	—	2025-06-20
domain	soraai-install.com	—	2025-06-20
domain	tiktok-studio-download.com	—	2025-06-20
domain	tiktoklivestudio.com	—	2025-06-20
domain	tradingview-app.org	—	2025-06-20
domain	tradingview-exchange.com	—	2025-06-20
domain	traidingview-app.com	—	2025-06-20
domain	unusual-whales.com	—	2025-06-20
domain	upscayl-ai.org	—	2025-06-20
domain	videoproconv.org	—	2025-06-20
domain	videopto.com	—	2025-06-20
domain	windscriibe.org	—	2025-06-20
domain	x00x.online	—	2025-06-20
email	webextension@metamask.io	—	2025-06-20
hostname	185-235-128-217.netherlands-2.vps.ac	—	2025-06-20
hostname	aave.xyz-domination.com	—	2025-06-20
hostname	abstract.little-mouse.net	—	2025-06-20
hostname	abstract.xyz-domination.com	—	2025-06-20
hostname	ai-runway.gen3-alpha.com	—	2025-06-20
hostname	ai.app-openai.com	—	2025-06-20
hostname	ai.app-technology.org	—	2025-06-20
hostname	aiarty-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	aiarty.app-tools.info	—	2025-06-20
hostname	aimodel.bignoxplay.com	—	2025-06-20
hostname	aimodel.techdom.click	—	2025-06-20
hostname	aimodel.travel-watch.org	—	2025-06-20
hostname	akool-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	akool.bignoxplay.com	—	2025-06-20
hostname	akool.cleartrip.voyage	—	2025-06-20
hostname	akool.techdom.click	—	2025-06-20
hostname	albert.app-tools.info	—	2025-06-20
hostname	albert.cleartrip.voyage	—	2025-06-20
hostname	app.unusual-whales.com	—	2025-06-20
hostname	bisq.xyz-domination.com	—	2025-06-20
hostname	black.evoto-ai.me	—	2025-06-20
hostname	bybit.travel-watch.org	—	2025-06-20
hostname	cap.cleartrip.voyage	—	2025-06-20
hostname	copy-ai-de.little-mouse.net	—	2025-06-20
hostname	copy-ai.little-mouse.net	—	2025-06-20
hostname	creatify-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	creatify-6phm9gg3zoacooy.xyz-domination.com	—	2025-06-20
hostname	creatify.app-tools.info	—	2025-06-20
hostname	creatify.xyz-domination.com	—	2025-06-20
hostname	deep.app-tools.info	—	2025-06-20
hostname	deepseek-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	deepseek-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	descript.xyz-domination.com	—	2025-06-20
hostname	dipo.cleartrip.voyage	—	2025-06-20
hostname	docs.x00x.online	—	2025-06-20
hostname	earni-fi-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	earni-fi.app-tools.info	—	2025-06-20
hostname	earni-fi.xyz-domination.com	—	2025-06-20
hostname	eclipse.xyz-domination.com	—	2025-06-20
hostname	escadajobs-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	eth.xyz-domination.com	—	2025-06-20
hostname	face-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	face-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	face.techdom.click	—	2025-06-20
hostname	facetwo.techdom.click	—	2025-06-20
hostname	france-openai.app-sora.org	—	2025-06-20
hostname	gen3ai.app-technology.org	—	2025-06-20
hostname	generation.openai-index-sora.com	—	2025-06-20
hostname	get-openai.app-sora.org	—	2025-06-20
hostname	get-runway.gen3-alpha.com	—	2025-06-20
hostname	get.index-sora-ai-video.com	—	2025-06-20
hostname	get.openai-index-sora.com	—	2025-06-20
hostname	girlvanc.xyz-domination.com	—	2025-06-20
hostname	haiper-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	haiper-black.little-mouse.net	—	2025-06-20
hostname	haiper-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	haiper.bignoxplay.com	—	2025-06-20
hostname	haiper.cleartrip.voyage	—	2025-06-20
hostname	haiper.evoto-ai.me	—	2025-06-20
hostname	haiper.little-mouse.net	—	2025-06-20
hostname	haiper.techdom.click	—	2025-06-20
hostname	haiper.travel-watch.org	—	2025-06-20
hostname	havoc.travel-watch.org	—	2025-06-20
hostname	hedra-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	hedra.app-tools.info	—	2025-06-20
hostname	index-sora.app-openai.com	—	2025-06-20
hostname	ispring-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	ispring.app-tools.info	—	2025-06-20
hostname	italy-openai.app-sora.org	—	2025-06-20
hostname	jotoform-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	jotoform.app-tools.info	—	2025-06-20
hostname	koinly.xyz-domination.com	—	2025-06-20
hostname	ledger-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	ledger-treee-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	ledger-two-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	ledger.app-tools.info	—	2025-06-20
hostname	ledger.xyz-domination.com	—	2025-06-20
hostname	leonardoai.evoto-ai.me	—	2025-06-20
hostname	liama.cleartrip.voyage	—	2025-06-20
hostname	liama.techdom.click	—	2025-06-20
hostname	locketgold.techdom.click	—	2025-06-20
hostname	loom-rewind-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	loom-rewind.app-tools.info	—	2025-06-20
hostname	loom-rewind.xyz-domination.com	—	2025-06-20
hostname	lulu.mandarin-ca.com	—	2025-06-20
hostname	luminar.bignoxplay.com	—	2025-06-20
hostname	luminar.travel-watch.org	—	2025-06-20
hostname	luminarblack.techdom.click	—	2025-06-20
hostname	lumion-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	lumion.app-tools.info	—	2025-06-20
hostname	mac-clean-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	mac.cleartrip.voyage	—	2025-06-20
hostname	macblack.cleartrip.voyage	—	2025-06-20
hostname	macclean.app-tools.info	—	2025-06-20
hostname	maxon-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	maxon.app-tools.info	—	2025-06-20
hostname	metatrader.xyz-domination.com	—	2025-06-20
hostname	monday-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	monday.mandarin-ca.com	—	2025-06-20
hostname	mulkrsvtolooy8s.woltde.com	—	2025-06-20
hostname	my-sora.app-openai.com	—	2025-06-20
hostname	opana.get-manus.com	—	2025-06-20
hostname	openaai.clear-trip-ae.com	—	2025-06-20
hostname	openai.app-sora.org	—	2025-06-20
hostname	openai.app-technology.org	—	2025-06-20
hostname	openai.index-sora-ai-video.com	—	2025-06-20
hostname	panel.x00x.online	—	2025-06-20
hostname	piica-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	piica-org.app-tools.info	—	2025-06-20
hostname	piica-org.xyz-domination.com	—	2025-06-20
hostname	postman.travel-watch.org	—	2025-06-20
hostname	proai.bignoxplay.com	—	2025-06-20
hostname	proai.travel-watch.org	—	2025-06-20
hostname	redirect-gqxpcgzdrjeebyx.app-tools.info	—	2025-06-20
hostname	redirect.app-tools.info	—	2025-06-20
hostname	redirect.xyz-domination.com	—	2025-06-20
hostname	replicate-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	replicate-page.generate-ai.org	—	2025-06-20
hostname	run.upscayl-ai.org	—	2025-06-20
hostname	runway-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	runway-black-two.upscayl-ai.org	—	2025-06-20
hostname	runway-two.upscayl-ai.org	—	2025-06-20
hostname	runway-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	runway.gen3-alpha.com	—	2025-06-20
hostname	runway.upscayl-ai.org	—	2025-06-20
hostname	runway.xyz-domination.com	—	2025-06-20
hostname	runwayai.gen3-alpha.com	—	2025-06-20
hostname	runwayml.app-tools.info	—	2025-06-20
hostname	runwayml.mandarin-ca.com	—	2025-06-20
hostname	sora-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	sora-6phm9gg3zoacooy.xyz-domination.com	—	2025-06-20
hostname	sora-ai.app-openai.com	—	2025-06-20
hostname	sora-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	sora.app-openai.com	—	2025-06-20
hostname	sora.xyz-domination.com	—	2025-06-20
hostname	sorablack.cleartrip.voyage	—	2025-06-20
hostname	spain-openai.app-sora.org	—	2025-06-20
hostname	stripe-redirect-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	stripe-redirect-zoimglwkogheeel.app-tools.info	—	2025-06-20
hostname	stripe.app-tools.info	—	2025-06-20
hostname	sweet.upscayl-ai.org	—	2025-06-20
hostname	sweethome-umxvljvoilcnxih.app-tools.info	—	2025-06-20
hostname	sweethome.bignoxplay.com	—	2025-06-20
hostname	sweethome.cleartrip.voyage	—	2025-06-20
hostname	sweethome.travel-watch.org	—	2025-06-20
hostname	swett-black.upscayl-ai.org	—	2025-06-20
hostname	synthesia.bignoxplay.com	—	2025-06-20
hostname	synthesia.cleartrip.voyage	—	2025-06-20
hostname	synthesia.techdom.click	—	2025-06-20
hostname	synthesia.travel-watch.org	—	2025-06-20
hostname	tg-l.app-tools.info	—	2025-06-20
hostname	tg-l.upscayl-ai.org	—	2025-06-20
hostname	tg-l.xyz-domination.com	—	2025-06-20
hostname	timedoctor-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	timedoctor.app-tools.info	—	2025-06-20
hostname	tradingview-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	tradingview.app-tools.info	—	2025-06-20
hostname	tradingview.xyz-domination.com	—	2025-06-20
hostname	tt.xyz-domination.com	—	2025-06-20
hostname	uizard.bignoxplay.com	—	2025-06-20
hostname	uizard.cleartrip.voyage	—	2025-06-20
hostname	uizard.techdom.click	—	2025-06-20
hostname	uizard.travel-watch.org	—	2025-06-20
hostname	ultra.cleartrip.voyage	—	2025-06-20
hostname	ultraviewer-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	unusualwhales-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	unusualwhales.app-tools.info	—	2025-06-20
hostname	upscayl-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	upscayl.app-tools.info	—	2025-06-20
hostname	upscayl.techdom.click	—	2025-06-20
hostname	video-proc-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	videoproc.app-tools.info	—	2025-06-20
hostname	weface.bignoxplay.com	—	2025-06-20
hostname	weface.cleartrip.voyage	—	2025-06-20
hostname	weface.travel-watch.org	—	2025-06-20
hostname	wind-scribe.app-tools.info	—	2025-06-20
hostname	windscribe-6phm9gg3zoacooy.app-tools.info	—	2025-06-20
hostname	windscribe.xyz-domination.com	—	2025-06-20
hostname	ynthesia.techdom.click	—	2025-06-20

References (1)

↗ https://g0njxa.medium.com/dark-partners-the-crypto-heist-adventure-of-poseidon-stealer-and-payday-loader-c91382fac5c8