{ "type": "Domain", "indicator": "arkypc.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/arkypc.com", "alexa": "http://www.alexa.com/siteinfo/arkypc.com", "indicator": "arkypc.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4313395459, "indicator": "arkypc.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69ec44ff58f20f2cb01e0a1c", "name": "AMOS Stealer delivered via Cursor AI agent session", "description": "On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods.", "modified": "2026-05-25T04:21:46.500000", "created": "2026-04-25T04:37:19.579000", "tags": [ "cryptocurrency theft", "social engineering", "amos stealer", "ai agent exploitation", "cursor", "applescript", "credential harvesting", "persistent implant" ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fb97e43f09a3b9ae3a39b9", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.", "modified": "2026-05-08T08:52:51.052000", "created": "2026-05-06T19:35:00.840000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f0296d3af17167d0c50f7a", "name": "IOC - AMOS Stealer delivered via Cursor AI agent session", "description": "", "modified": "2026-05-25T04:21:46.500000", "created": "2026-04-28T03:28:45.900000", "tags": [ "cryptocurrency theft", "social engineering", "amos stealer", "ai agent exploitation", "cursor", "applescript", "credential harvesting", "persistent implant" ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" } ], "industries": [], "TLP": "white", "cloned_from": "69ec44ff58f20f2cb01e0a1c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f19249610906a8b5470a4b", "name": "AMOS Stealer delivered via Cursor AI agent session", "description": "", "modified": "2026-05-25T04:21:46.500000", "created": "2026-04-29T05:08:25.090000", "tags": [ "cryptocurrency theft", "social engineering", "amos stealer", "ai agent exploitation", "cursor", "applescript", "credential harvesting", "persistent implant" ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" } ], "industries": [], "TLP": "white", "cloned_from": "69ec44ff58f20f2cb01e0a1c", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01cb66a47965ab8969488f", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix\u2011style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites.", "modified": "2026-05-11T12:28:22.151000", "created": "2026-05-11T12:28:22.151000", "tags": [], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "IPv4": 8, "URL": 16, "domain": 54, "hostname": 5 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 63, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a015ff906d70a7e190b0569", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "", "modified": "2026-05-11T04:50:01.963000", "created": "2026-05-11T04:50:01.963000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": "69fb97e43f09a3b9ae3a39b9", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ee32c2ef3a2353af0c84ff", "name": "Payload_Delivery | Apr 27, 2026 | Part 2/2", "description": "Payload_Delivery indicators. Date: Apr 27, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-26T15:44:02.616000", "created": "2026-04-26T15:44:02.616000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 117, "hostname": 465, "URL": 74 }, "indicator_count": 656, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ece12cdc4b5f05a17982ca", "name": "Payload_Delivery | Apr 26, 2026 | Part 2/2", "description": "Payload_Delivery indicators. Date: Apr 26, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-25T15:43:40.096000", "created": "2026-04-25T15:43:40.096000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 471, "domain": 39, "URL": 159 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "35 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb90631d1f8cb95120b25a", "name": "Payload_Delivery | Apr 25, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: Apr 25, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-24T15:46:43.107000", "created": "2026-04-24T15:46:43.107000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1282, "URL": 385, "domain": 296, "FileHash-SHA256": 15, "FileHash-MD5": 6 }, "indicator_count": 1984, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eac9e1dcf44dd0344139dc", "name": "Twitter Feed - masaomi346 - 23-04-2026", "description": "", "modified": "2026-04-24T01:39:45.413000", "created": "2026-04-24T01:39:45.413000", "tags": [ "malware" ], "references": [ "https://x.com/masaomi346/status/2047114841899626502" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1, "URL": 2, "domain": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ea3ed95776a06ea1781626", "name": "Payload_Delivery | Apr 24, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: Apr 24, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-23T15:46:32.884000", "created": "2026-04-23T15:46:32.884000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1322, "URL": 395, "domain": 256, "FileHash-SHA256": 11, "FileHash-MD5": 6 }, "indicator_count": 1990, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e8ebe2a5539d440123a2db", "name": "Payload_Delivery | Apr 23, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: Apr 23, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-22T15:40:18.931000", "created": "2026-04-22T15:40:18.931000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1261, "URL": 477, "domain": 246, "FileHash-MD5": 5, "FileHash-SHA256": 4 }, "indicator_count": 1993, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e79b9960980415f851e2a9", "name": "Payload_Delivery | Apr 22, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: Apr 22, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-21T15:45:29.364000", "created": "2026-04-21T15:45:29.364000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 210, "hostname": 1187, "URL": 594 }, "indicator_count": 1991, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "39 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e64a24dbeaf1dcb873954b", "name": "Payload_Delivery | Apr 21, 2026 | Part 1/5", "description": "Payload_Delivery indicators. Date: Apr 21, 2026. Part 1/5. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-20T15:45:40.677000", "created": "2026-04-20T15:45:40.677000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1151, "domain": 101, "URL": 729, "FileHash-SHA256": 4 }, "indicator_count": 1985, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "40 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e58345dcd79fc56cfc9651", "name": "Twitter Feed - masaomi346 - 19-04-2026", "description": "", "modified": "2026-04-20T01:37:09.153000", "created": "2026-04-20T01:37:09.153000", "tags": [ "malware" ], "references": [ "https://x.com/masaomi346/status/2045742506017738876" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1, "URL": 2, "domain": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "41 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session", "https://x.com/masaomi346/status/2045742506017738876", "https://x.com/masaomi346/status/2047114841899626502", "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/", "https://ltna.com.au/cyber", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Amos", "Phantompulse", "Shub stealer", "Amos stealer", "Macsync" ], "industries": [] }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [ "Amos", "Phantompulse", "Shub stealer", "Amos stealer", "Macsync" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69ec44ff58f20f2cb01e0a1c", "name": "AMOS Stealer delivered via Cursor AI agent session", "description": "On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods.", "modified": "2026-05-25T04:21:46.500000", "created": "2026-04-25T04:37:19.579000", "tags": [ "cryptocurrency theft", "social engineering", "amos stealer", "ai agent exploitation", "cursor", "applescript", "credential harvesting", "persistent implant" ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fb97e43f09a3b9ae3a39b9", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.", "modified": "2026-05-08T08:52:51.052000", "created": "2026-05-06T19:35:00.840000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f0296d3af17167d0c50f7a", "name": "IOC - AMOS Stealer delivered via Cursor AI agent session", "description": "", "modified": "2026-05-25T04:21:46.500000", "created": "2026-04-28T03:28:45.900000", "tags": [ "cryptocurrency theft", "social engineering", "amos stealer", "ai agent exploitation", "cursor", "applescript", "credential harvesting", "persistent implant" ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" } ], "industries": [], "TLP": "white", "cloned_from": "69ec44ff58f20f2cb01e0a1c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f19249610906a8b5470a4b", "name": "AMOS Stealer delivered via Cursor AI agent session", "description": "", "modified": "2026-05-25T04:21:46.500000", "created": "2026-04-29T05:08:25.090000", "tags": [ "cryptocurrency theft", "social engineering", "amos stealer", "ai agent exploitation", "cursor", "applescript", "credential harvesting", "persistent implant" ], "references": [ "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" } ], "industries": [], "TLP": "white", "cloned_from": "69ec44ff58f20f2cb01e0a1c", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01cb66a47965ab8969488f", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix\u2011style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites.", "modified": "2026-05-11T12:28:22.151000", "created": "2026-05-11T12:28:22.151000", "tags": [], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "IPv4": 8, "URL": 16, "domain": 54, "hostname": 5 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 63, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a015ff906d70a7e190b0569", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "", "modified": "2026-05-11T04:50:01.963000", "created": "2026-05-11T04:50:01.963000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": "69fb97e43f09a3b9ae3a39b9", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ee32c2ef3a2353af0c84ff", "name": "Payload_Delivery | Apr 27, 2026 | Part 2/2", "description": "Payload_Delivery indicators. Date: Apr 27, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-26T15:44:02.616000", "created": "2026-04-26T15:44:02.616000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 117, "hostname": 465, "URL": 74 }, "indicator_count": 656, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ece12cdc4b5f05a17982ca", "name": "Payload_Delivery | Apr 26, 2026 | Part 2/2", "description": "Payload_Delivery indicators. Date: Apr 26, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-25T15:43:40.096000", "created": "2026-04-25T15:43:40.096000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 471, "domain": 39, "URL": 159 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "35 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb90631d1f8cb95120b25a", "name": "Payload_Delivery | Apr 25, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: Apr 25, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-24T15:46:43.107000", "created": "2026-04-24T15:46:43.107000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1282, "URL": 385, "domain": 296, "FileHash-SHA256": 15, "FileHash-MD5": 6 }, "indicator_count": 1984, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "arkypc.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "arkypc.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200494.3267324 }