{ "type": "Domain", "indicator": "avafex.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/avafex.com", "alexa": "http://www.alexa.com/siteinfo/avafex.com", "indicator": "avafex.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4346841716, "indicator": "avafex.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69fb97e43f09a3b9ae3a39b9", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.", "modified": "2026-05-08T08:52:51.052000", "created": "2026-05-06T19:35:00.840000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552233, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a026d1302c9455055c93776", "name": "hdsaljlkdldjlksjalkjlksdajlkdas", "description": "", "modified": "2026-05-11T23:58:11.141000", "created": "2026-05-11T23:58:11.141000", "tags": [ "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 953, "FileHash-MD5": 151, "FileHash-SHA1": 50, "FileHash-SHA256": 54, "IPv4": 858, "domain": 214, "hostname": 559 }, "indicator_count": 2839, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01cb66a47965ab8969488f", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix\u2011style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites.", "modified": "2026-05-11T12:28:22.151000", "created": "2026-05-11T12:28:22.151000", "tags": [], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "IPv4": 8, "URL": 16, "domain": 54, "hostname": 5 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 63, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a015ff906d70a7e190b0569", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "", "modified": "2026-05-11T04:50:01.963000", "created": "2026-05-11T04:50:01.963000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": "69fb97e43f09a3b9ae3a39b9", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Amos", "Macsync", "Phantompulse", "Shub stealer" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Amos", "Macsync", "Phantompulse", "Shub stealer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69fb97e43f09a3b9ae3a39b9", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.", "modified": "2026-05-08T08:52:51.052000", "created": "2026-05-06T19:35:00.840000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552233, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a026d1302c9455055c93776", "name": "hdsaljlkdldjlksjalkjlksdajlkdas", "description": "", "modified": "2026-05-11T23:58:11.141000", "created": "2026-05-11T23:58:11.141000", "tags": [ "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 953, "FileHash-MD5": 151, "FileHash-SHA1": 50, "FileHash-SHA256": 54, "IPv4": 858, "domain": 214, "hostname": 559 }, "indicator_count": 2839, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01cb66a47965ab8969488f", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix\u2011style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites.", "modified": "2026-05-11T12:28:22.151000", "created": "2026-05-11T12:28:22.151000", "tags": [], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "IPv4": 8, "URL": 16, "domain": 54, "hostname": 5 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 63, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a015ff906d70a7e190b0569", "name": "ClickFix campaign uses fake macOS utilities lures to deliver infostealers", "description": "", "modified": "2026-05-11T04:50:01.963000", "created": "2026-05-11T04:50:01.963000", "tags": [ "phantompulse", "infostealer", "shub stealer", "clickfix", "applescript", "macos" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Macsync", "display_name": "Macsync", "target": null }, { "id": "Shub Stealer", "display_name": "Shub Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "PhantomPulse", "display_name": "PhantomPulse", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1543.004", "name": "Launch Daemon", "display_name": "T1543.004 - Launch Daemon" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "white", "cloned_from": "69fb97e43f09a3b9ae3a39b9", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 8, "IPv4": 8, "URL": 16, "domain": 113, "hostname": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "avafex.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "avafex.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185165.535774 }