{
  "type": "Domain",
  "indicator": "emailreddit.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/emailreddit.com",
    "alexa": "http://www.alexa.com/siteinfo/emailreddit.com",
    "indicator": "emailreddit.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3076880820,
      "indicator": "emailreddit.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "68e94967bcab143b278f0611",
          "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator",
          "description": "Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of ClickFix attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.",
          "modified": "2025-11-09T17:03:04.892000",
          "created": "2025-10-10T17:59:02.682000",
          "tags": [
            "ClickFix",
            "clipboard",
            "phishing",
            "deerstealer",
            "rat",
            "remote access",
            "captcha",
            "odyssey",
            "infostealer",
            "iuam",
            "clickfix generator",
            "macos"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Odyssey",
              "display_name": "Odyssey",
              "target": null
            },
            {
              "id": "DeerStealer",
              "display_name": "DeerStealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            }
          ],
          "industries": [
            "Information Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 105,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 26,
            "FileHash-SHA256": 26,
            "domain": 19,
            "hostname": 4
          },
          "indicator_count": 101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387178,
          "modified_text": "206 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a8aa737add292d5ee2097f",
          "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure",
          "description": "A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fake security prompts and CAPTCHA pages on domains like cryptoinfo-news.com to appear legitimate. The stolen data is exfiltrated to command and control servers, some of which run on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, suggesting a financially motivated and globally distributed operation.",
          "modified": "2025-09-21T17:06:17.019000",
          "created": "2025-08-22T17:35:47.118000",
          "tags": [
            "cryptowallet",
            "macos",
            "phishing",
            "data theft",
            "applescript",
            "terminal commands",
            "c2 infrastructure",
            "clickfix"
          ],
          "references": [
            "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "Clickfix",
              "display_name": "Clickfix",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1102.003",
              "name": "One-Way Communication",
              "display_name": "T1102.003 - One-Way Communication"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 16,
            "hostname": 1
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387178,
          "modified_text": "255 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68edfc736f1c7651872f4359",
          "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator",
          "description": "",
          "modified": "2025-11-09T17:03:04.892000",
          "created": "2025-10-14T07:32:03.410000",
          "tags": [
            "ClickFix",
            "clipboard",
            "phishing",
            "deerstealer",
            "rat",
            "remote access",
            "captcha",
            "odyssey",
            "infostealer",
            "iuam",
            "clickfix generator",
            "macos"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Odyssey",
              "display_name": "Odyssey",
              "target": null
            },
            {
              "id": "DeerStealer",
              "display_name": "DeerStealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            }
          ],
          "industries": [
            "Information Technology"
          ],
          "TLP": "white",
          "cloned_from": "68e94967bcab143b278f0611",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 26,
            "FileHash-SHA256": 26,
            "domain": 19,
            "hostname": 4
          },
          "indicator_count": 101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "206 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e817f0dabc6208c9dd969b",
          "name": "ClickFix Attacks Were Automated By IUAM ClickFix Generator",
          "description": ".",
          "modified": "2025-11-08T20:06:04.056000",
          "created": "2025-10-09T20:15:44.672000",
          "tags": [
            "odyssey",
            "deerstealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 26,
            "domain": 19,
            "hostname": 4
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "207 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6880e92486e34c26bca7cd67",
          "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure",
          "description": "",
          "modified": "2025-08-22T13:03:04.127000",
          "created": "2025-07-23T13:52:36.705000",
          "tags": [
            "clickfix",
            "app store",
            "strong",
            "like",
            "port",
            "delivery",
            "http",
            "campaign",
            "steal data",
            "iocs",
            "phishing",
            "desktop",
            "accept",
            "cookie",
            "terminal",
            "virustotal",
            "main",
            "patch"
          ],
          "references": [
            "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 16,
            "hostname": 1
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "285 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68619ed938b37aa4229ec3d8",
          "name": "Odyssey Stealer Campaign  Targets macOS",
          "description": "",
          "modified": "2025-07-29T20:03:01.062000",
          "created": "2025-06-29T20:15:21.720000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "domain": 17
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "309 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686199d7228bb1c05f65a97d",
          "name": "ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER.",
          "description": "The CYFIRMA research team has identified the emergence of Odyssey Stealer, a sophisticated macOS-focused infostealer that employs a technique known as Clickfix to deliver malicious AppleScripts. These scripts are hosted on typosquatted websites, typically mimicking finance domains, Apple App Store URLs, or cryptocurrency news sites, indicating a clear target audience of individuals involved in finance and cryptocurrency.",
          "modified": "2025-07-29T19:02:47.253000",
          "created": "2025-06-29T19:53:59.134000",
          "tags": [
            "odyssey c2",
            "panel",
            "command",
            "mitre ttps",
            "ta0002",
            "file t1064",
            "t1059",
            "ta0005",
            "defense evasion",
            "modify tools"
          ],
          "references": [
            "https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "domain": 26,
            "URL": 41,
            "hostname": 3
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 545,
          "modified_text": "309 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/",
        "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing",
        "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Deerstealer",
            "Odyssey",
            "Clickfix"
          ],
          "industries": [
            "Finance",
            "Information technology"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Deerstealer",
            "Odyssey"
          ],
          "industries": [
            "Information technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "68e94967bcab143b278f0611",
      "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator",
      "description": "Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of ClickFix attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.",
      "modified": "2025-11-09T17:03:04.892000",
      "created": "2025-10-10T17:59:02.682000",
      "tags": [
        "ClickFix",
        "clipboard",
        "phishing",
        "deerstealer",
        "rat",
        "remote access",
        "captcha",
        "odyssey",
        "infostealer",
        "iuam",
        "clickfix generator",
        "macos"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Odyssey",
          "display_name": "Odyssey",
          "target": null
        },
        {
          "id": "DeerStealer",
          "display_name": "DeerStealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        }
      ],
      "industries": [
        "Information Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 105,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 26,
        "FileHash-SHA256": 26,
        "domain": 19,
        "hostname": 4
      },
      "indicator_count": 101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387178,
      "modified_text": "206 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a8aa737add292d5ee2097f",
      "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure",
      "description": "A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fake security prompts and CAPTCHA pages on domains like cryptoinfo-news.com to appear legitimate. The stolen data is exfiltrated to command and control servers, some of which run on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, suggesting a financially motivated and globally distributed operation.",
      "modified": "2025-09-21T17:06:17.019000",
      "created": "2025-08-22T17:35:47.118000",
      "tags": [
        "cryptowallet",
        "macos",
        "phishing",
        "data theft",
        "applescript",
        "terminal commands",
        "c2 infrastructure",
        "clickfix"
      ],
      "references": [
        "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "Clickfix",
          "display_name": "Clickfix",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1074.001",
          "name": "Local Data Staging",
          "display_name": "T1074.001 - Local Data Staging"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1020",
          "name": "Automated Exfiltration",
          "display_name": "T1020 - Automated Exfiltration"
        },
        {
          "id": "T1102.003",
          "name": "One-Way Communication",
          "display_name": "T1102.003 - One-Way Communication"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 16,
        "hostname": 1
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387178,
      "modified_text": "255 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68edfc736f1c7651872f4359",
      "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator",
      "description": "",
      "modified": "2025-11-09T17:03:04.892000",
      "created": "2025-10-14T07:32:03.410000",
      "tags": [
        "ClickFix",
        "clipboard",
        "phishing",
        "deerstealer",
        "rat",
        "remote access",
        "captcha",
        "odyssey",
        "infostealer",
        "iuam",
        "clickfix generator",
        "macos"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Odyssey",
          "display_name": "Odyssey",
          "target": null
        },
        {
          "id": "DeerStealer",
          "display_name": "DeerStealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        }
      ],
      "industries": [
        "Information Technology"
      ],
      "TLP": "white",
      "cloned_from": "68e94967bcab143b278f0611",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 26,
        "FileHash-SHA256": 26,
        "domain": 19,
        "hostname": 4
      },
      "indicator_count": 101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "206 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e817f0dabc6208c9dd969b",
      "name": "ClickFix Attacks Were Automated By IUAM ClickFix Generator",
      "description": ".",
      "modified": "2025-11-08T20:06:04.056000",
      "created": "2025-10-09T20:15:44.672000",
      "tags": [
        "odyssey",
        "deerstealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 26,
        "domain": 19,
        "hostname": 4
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "207 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6880e92486e34c26bca7cd67",
      "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure",
      "description": "",
      "modified": "2025-08-22T13:03:04.127000",
      "created": "2025-07-23T13:52:36.705000",
      "tags": [
        "clickfix",
        "app store",
        "strong",
        "like",
        "port",
        "delivery",
        "http",
        "campaign",
        "steal data",
        "iocs",
        "phishing",
        "desktop",
        "accept",
        "cookie",
        "terminal",
        "virustotal",
        "main",
        "patch"
      ],
      "references": [
        "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 16,
        "hostname": 1
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "285 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68619ed938b37aa4229ec3d8",
      "name": "Odyssey Stealer Campaign  Targets macOS",
      "description": "",
      "modified": "2025-07-29T20:03:01.062000",
      "created": "2025-06-29T20:15:21.720000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "domain": 17
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "309 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686199d7228bb1c05f65a97d",
      "name": "ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER.",
      "description": "The CYFIRMA research team has identified the emergence of Odyssey Stealer, a sophisticated macOS-focused infostealer that employs a technique known as Clickfix to deliver malicious AppleScripts. These scripts are hosted on typosquatted websites, typically mimicking finance domains, Apple App Store URLs, or cryptocurrency news sites, indicating a clear target audience of individuals involved in finance and cryptocurrency.",
      "modified": "2025-07-29T19:02:47.253000",
      "created": "2025-06-29T19:53:59.134000",
      "tags": [
        "odyssey c2",
        "panel",
        "command",
        "mitre ttps",
        "ta0002",
        "file t1064",
        "t1059",
        "ta0005",
        "defense evasion",
        "modify tools"
      ],
      "references": [
        "https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "domain": 26,
        "URL": 41,
        "hostname": 3
      },
      "indicator_count": 73,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 545,
      "modified_text": "309 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "emailreddit.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "emailreddit.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780519191.7084892
}