{ "type": "SHA256", "indicator": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c", "validation": [], "base_indicator": { "id": 4327457483, "indicator": "8cd45ae9b53a2e9d3f24cfea654c6d6e9716d544", "type": "FileHash-SHA1", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69e82714e5cf2d1fb9fe1b0a", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called \"Mach-O Man\". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-22T01:40:36.560000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f295c1c348d8af6f43cf73", "name": "ibcart", "description": "The full text of the text message sent to the BBC's Deepanshugoel99 website has now been published online, and it is the first time it has done so in the UK.", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:35:29.332000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 149, "URL": 6, "domain": 6, "hostname": 4 }, "indicator_count": 365, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ecae6a156da44db667be66", "name": "imvfeoirewIVONVCIDJCJCW", "description": "", "modified": "2026-05-25T12:11:06.214000", "created": "2026-04-25T12:07:06.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 187, "domain": 17, "hostname": 159 }, "indicator_count": 1071, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ec9743b876273d04a7efb0", "name": "Lazarus Group Targets macOS Users via ClickFlixAttack", "description": "Lazarus Group uses ClickFixto trick macOS users into fake meeting pages and executing malicious commands.", "modified": "2026-05-25T10:17:12.729000", "created": "2026-04-25T10:28:19.221000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 10, "URL": 3, "domain": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ec976bddee2a8bbe864445", "name": "Lazarus Group Targets macOS Users via ClickFlixAttack", "description": "Lazarus Group uses ClickFixto trick macOS users into fake meeting pages and executing malicious commands.", "modified": "2026-05-25T10:17:12.729000", "created": "2026-04-25T10:28:59.233000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 10, "URL": 3, "domain": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e9a4b23639f997c3cba6a7", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.209000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e9a4b2cef3cc730f0df1db", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.674000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f5ecf235ee7b342ce25b29", "name": "wsgethrtg", "description": "", "modified": "2026-05-02T12:24:18.252000", "created": "2026-05-02T12:24:18.252000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 3, "domain": 1 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d9c62d24ae9bc8d5653f56", "name": "DPRK-Linked \u201cMach-O Man\u201d Malware Kit Targeting macOS in Active ClickFix Campaign", "description": "\u201cMach-O Man\u201d is a DPRK-linked macOS malware kit distributed through ClickFix campaigns, relying on social engineering to trick victims into executing malicious commands. The toolkit is composed of Mach-O binaries compiled in Go and includes multiple stages for persistence, host profiling, and data theft.\n\nIt impersonates legitimate platforms such as Zoom, Google, and Teams, while maintaining persistence by posing as a OneDrive-related component. The malware targets browser extensions, stored credentials, cookies, and macOS Keychain data, staging the collected information for exfiltration via Telegram.\n\nAt the time of analysis, the toolkit remains undetected by standard security solutions.", "modified": "2026-04-11T03:55:25.495000", "created": "2026-04-11T03:55:25.495000", "tags": [ "macho", "macos", "dprk", "quetzalteam" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "MachO-Man", "display_name": "MachO-Man", "target": null } ], "attack_ids": [], "industries": [ "Crypto", "Web3", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "QuetzalTeam", "id": "273351", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_273351/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "49 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "related": { "alienvault": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Pylangghostrat", "Mach-o man" ], "industries": [ "Finance", "Technology" ] }, "other": { "adversary": [ "Lazarus Group", "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [ "Pylangghostrat", "Mach-o man", "Macho-man" ], "industries": [ "Finance", "Crypto", "Technology", "Web3" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69e82714e5cf2d1fb9fe1b0a", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called \"Mach-O Man\". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-22T01:40:36.560000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f295c1c348d8af6f43cf73", "name": "ibcart", "description": "The full text of the text message sent to the BBC's Deepanshugoel99 website has now been published online, and it is the first time it has done so in the UK.", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:35:29.332000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 149, "URL": 6, "domain": 6, "hostname": 4 }, "indicator_count": 365, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ecae6a156da44db667be66", "name": "imvfeoirewIVONVCIDJCJCW", "description": "", "modified": "2026-05-25T12:11:06.214000", "created": "2026-04-25T12:07:06.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 187, "domain": 17, "hostname": 159 }, "indicator_count": 1071, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ec9743b876273d04a7efb0", "name": "Lazarus Group Targets macOS Users via ClickFlixAttack", "description": "Lazarus Group uses ClickFixto trick macOS users into fake meeting pages and executing malicious commands.", "modified": "2026-05-25T10:17:12.729000", "created": "2026-04-25T10:28:19.221000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 10, "URL": 3, "domain": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ec976bddee2a8bbe864445", "name": "Lazarus Group Targets macOS Users via ClickFlixAttack", "description": "Lazarus Group uses ClickFixto trick macOS users into fake meeting pages and executing malicious commands.", "modified": "2026-05-25T10:17:12.729000", "created": "2026-04-25T10:28:59.233000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 10, "URL": 3, "domain": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e9a4b23639f997c3cba6a7", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.209000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e9a4b2cef3cc730f0df1db", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.674000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f5ecf235ee7b342ce25b29", "name": "wsgethrtg", "description": "", "modified": "2026-05-02T12:24:18.252000", "created": "2026-05-02T12:24:18.252000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 3, "domain": 1 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d9c62d24ae9bc8d5653f56", "name": "DPRK-Linked \u201cMach-O Man\u201d Malware Kit Targeting macOS in Active ClickFix Campaign", "description": "\u201cMach-O Man\u201d is a DPRK-linked macOS malware kit distributed through ClickFix campaigns, relying on social engineering to trick victims into executing malicious commands. The toolkit is composed of Mach-O binaries compiled in Go and includes multiple stages for persistence, host profiling, and data theft.\n\nIt impersonates legitimate platforms such as Zoom, Google, and Teams, while maintaining persistence by posing as a OneDrive-related component. The malware targets browser extensions, stored credentials, cookies, and macOS Keychain data, staging the collected information for exfiltration via Telegram.\n\nAt the time of analysis, the toolkit remains undetected by standard security solutions.", "modified": "2026-04-11T03:55:25.495000", "created": "2026-04-11T03:55:25.495000", "tags": [ "macho", "macos", "dprk", "quetzalteam" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "MachO-Man", "display_name": "MachO-Man", "target": null } ], "attack_ids": [], "industries": [ "Crypto", "Web3", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "QuetzalTeam", "id": "273351", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_273351/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "49 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780173306.329941 }