{
  "type": "Domain",
  "indicator": "http.host",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/http.host",
    "alexa": "http://www.alexa.com/siteinfo/http.host",
    "indicator": "http.host",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 363079,
      "indicator": "http.host",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "69f3653e884ec7a430371ba3",
          "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
          "description": "MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...",
          "modified": "2026-05-04T11:24:29.519000",
          "created": "2026-04-30T14:20:46.278000",
          "tags": [
            "macos stealer",
            "clickfix",
            "maas platform",
            "cryptocurrency theft",
            "bulletproof hosting",
            "miolab"
          ],
          "references": [
            "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
          ],
          "public": 1,
          "adversary": "MioLab",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MioLab",
              "display_name": "MioLab",
              "target": null
            },
            {
              "id": "SUPERNOVA - S0578",
              "display_name": "SUPERNOVA - S0578",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1555.001",
              "name": "Keychain",
              "display_name": "T1555.001 - Keychain"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 5,
            "domain": 64
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386457,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3426f663eb79b1e568192",
          "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
          "description": "A look at some of the highlights from the week of cybersecurity news, as well as the company's latest partnership with Microsoft and SentinelOne, which aims to deliver AI-powered security operations and incident response support.",
          "modified": "2026-05-30T11:33:05.564000",
          "created": "2026-04-30T11:52:15.201000",
          "tags": [
            "miolab",
            "chromium",
            "cloudflare",
            "miolab macos",
            "ledger",
            "builder",
            "keychain",
            "apple",
            "terminal",
            "claude code",
            "exfiltration",
            "nova",
            "payload",
            "exodus",
            "cookie",
            "february",
            "grabber",
            "defense evasion",
            "format",
            "desktop",
            "cards",
            "mozilla",
            "bitcoin",
            "telegram",
            "nova stealer",
            "decoy",
            "dropper",
            "ditto",
            "macos",
            "integrations",
            "clickfix",
            "malvertising",
            "stage-2"
          ],
          "references": [
            "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MacOS",
              "display_name": "MacOS",
              "target": null
            },
            {
              "id": "Integrations",
              "display_name": "Integrations",
              "target": null
            },
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Miolab",
              "display_name": "Miolab",
              "target": null
            },
            {
              "id": "Malvertising",
              "display_name": "Malvertising",
              "target": null
            },
            {
              "id": "MioLab",
              "display_name": "MioLab",
              "target": null
            },
            {
              "id": "Stage-2",
              "display_name": "Stage-2",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 6,
            "domain": 64
          },
          "indicator_count": 84,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "10 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f32d843b6570c22f6059eb",
          "name": "EbeeApril2026 Pt8",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T10:23:00.416000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "yara",
            "filepath",
            "cve20221388 url",
            "cve20151770 cve",
            "client"
          ],
          "references": [
            "IOCs.2026.csv"
          ],
          "public": 1,
          "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 95,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 147,
            "FileHash-SHA256": 290,
            "CIDR": 1,
            "CVE": 12,
            "SSLCertFingerprint": 1,
            "domain": 90,
            "email": 2,
            "hostname": 116
          },
          "indicator_count": 917,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "12 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5fa1852d337eca8e99c2ec32",
          "name": "Malware - Malware Domain Feed V2 - November 03 2020",
          "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2026-05-30T03:19:46.084000",
          "created": "2020-11-03T16:28:29.011000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 552172,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 49967,
            "domain": 75353
          },
          "indicator_count": 125320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1727,
          "modified_text": "19 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ee1f520fbfeebe4cb7291e",
          "name": "GoLoader at Industrial Scale: Two Unauthenticated Builder Panels, 468K Polymorphic Samples, Steganographic .NET Loaders, and a Cracked njRAT Config Pointing to a Chinese XWorm Operator",
          "description": "Recent investigations uncovered two unauthenticated GoLoader builder panels located at IP addresses 121.127.246.86 and 118.107.6.148, both operational since at least January 2026. These panels are responsible for generating approximately 468,349 unique polymorphic Windows malware samples through a variety of methods, including steganography and process hollowing. The panels operate without login requirements, providing full API access to users. They actively manage 71 tasks and have been observed sending malicious payloads to a publicly accessible Alibaba Cloud storage bucket hosting 652 files amounting to about 867 MB, which include steganographic PNG carriers, VBS scripts, and Chinese-language social engineering themes targeting cryptocurrency investors.",
          "modified": "2026-05-26T14:22:02.791000",
          "created": "2026-04-26T14:21:06.495000",
          "tags": [
            "threat intelligence",
            "malware analysis",
            "c2 infrastructure",
            "apt campaigns",
            "iocs",
            "yara rules",
            "reverse engineering",
            "cybersecurity research",
            "alibaba cloud",
            "oss bucket",
            "goloader panel",
            "hong kong",
            "ddns cluster",
            "stage",
            "aes256 config",
            "panel",
            "credentials",
            "goloader",
            "powershell",
            "loader",
            "malware",
            "april",
            "python",
            "bladabindi",
            "dropper",
            "service",
            "rats",
            "encodedcommand",
            "trojan",
            "back",
            "xworm",
            "hong",
            "live",
            "execution",
            "windows",
            "pe",
            "remote access",
            "toupper",
            "waterhydra",
            "njrat"
          ],
          "references": [
            "https://intel.breakglass.tech/post/goloader-polymorphic-builder-panels-stego-njrat-xworm-laohe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [
            "Retail"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 6,
            "URL": 5,
            "YARA": 3,
            "domain": 1,
            "hostname": 7
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd48ce7b65f7a9350024cd",
          "name": "EbeeMar2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:33:18.540000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 130,
            "FileHash-SHA1": 145,
            "FileHash-SHA256": 207,
            "CVE": 1,
            "URL": 25,
            "domain": 285,
            "email": 4,
            "hostname": 82
          },
          "indicator_count": 879,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c2d1676259843fbf880124",
          "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
          "description": "MioLab, also known as Nova, has emerged as a significant player in the MacOS malware landscape, focusing on the acquisition of sensitive data from high-value targets such as cryptocurrency investors and executive professionals. This Premium Malware-as-a-Service (MaaS) platform is heavily marketed in Russian-speaking underground forums and offers advanced capabilities designed for effective data exfiltration.",
          "modified": "2026-04-23T17:27:31.611000",
          "created": "2026-03-24T18:01:11.793000",
          "tags": [
            "miolab",
            "chromium",
            "cloudflare",
            "miolab macos",
            "ledger",
            "builder",
            "keychain",
            "apple",
            "terminal",
            "claude code",
            "nova",
            "payload",
            "exodus",
            "cookie",
            "february",
            "grabber",
            "format",
            "desktop",
            "cards",
            "mozilla",
            "bitcoin",
            "telegram",
            "nova stealer",
            "decoy",
            "dropper",
            "ditto",
            "macos",
            "integrations",
            "clickfix",
            "malvertising",
            "stage-2"
          ],
          "references": [
            "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Miolab",
              "display_name": "Miolab",
              "target": null
            },
            {
              "id": "MioLab",
              "display_name": "MioLab",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 6,
            "domain": 64
          },
          "indicator_count": 84,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "680a97944a2471734ba68ebf",
          "name": "The LokiBot, Plik .csrss.exe  nazwa_komputera: TEST22-PC",
          "description": "https://www.malware.me/analysis/59554/summary/ \n\u201eC:\\U\u017cytkownicy\\test22\\AppData\\Local\\Temp\\.csrss.exe\u201d\n PobierzNazw\u0119KomputeraA nazwa_komputera: TEST22-PC\nThe LokiBot, a trojan that uses the name \"Inferno\", has been detected on a server in the Czech Republic and sent to a third party site in Europe.. the following:\n252d8e4898c6a7c1a3647c2b8474e9e12901c9e2ef2af8ffe278e163d8786fb6\nPlik .csrss.exe\n94.142.140.73\n87.251.79.123",
          "modified": "2025-05-24T19:03:29.494000",
          "created": "2025-04-24T19:57:08.161000",
          "tags": [
            "sha256",
            "vhash",
            "imphash",
            "rich pe",
            "ssdeep",
            "contained",
            "utc first",
            "submission",
            "chi2",
            "english us",
            "homenet",
            "externalnet",
            "et malware",
            "charoninferno",
            "charon3b",
            "trojan",
            "msg:\"et",
            "destination ip",
            "msdw",
            "port docelowy",
            "lcid1033",
            "smlen",
            "spn647",
            "bv6fet56ww",
            "lokibot checkin",
            "malware",
            "crash report",
            "microsoft",
            "rticon english",
            "vs2008",
            "compiler",
            "vs2008 sp1",
            "vs2005"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "msg:\"ET",
              "display_name": "msg:\"ET",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 482,
            "URL": 35,
            "domain": 7,
            "hostname": 3
          },
          "indicator_count": 680,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "371 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a9f3def74f96146bc342d5",
          "name": "cobalt_loader_unpacked.exe",
          "description": "A guide to the Cobaltloader, a 32-bit executable for Windows, has been published by the University of Oxford, and its website was published on the same day as the release.",
          "modified": "2025-02-10T12:41:02.752000",
          "created": "2025-02-10T12:41:02.752000",
          "tags": [
            "sha256",
            "sha1",
            "size",
            "ms windows",
            "copy ssdeep",
            "copy imphash",
            "call",
            "imagescnmemread",
            "imagescncntcode",
            "e5a596d6h",
            "rsp20h",
            "e5a595f0h",
            "e5a595dch",
            "rsp10h",
            "rsp18h",
            "rsp04h",
            "rsp08h",
            "rsp0ch",
            "rax05h",
            "themida",
            "thumbprint md5",
            "serial number",
            "vs2022",
            "symantec time",
            "stamping",
            "from",
            "algorithm",
            "thumbprint",
            "globalsign root",
            "submission",
            "w5k0fa2",
            "connection",
            "i64d",
            "http",
            "userprofile",
            "studio",
            "ldap",
            "detail",
            "cdecl sol",
            "socks5 connect",
            "ca file",
            "error",
            "class",
            "combo",
            "delta",
            "bind",
            "unknown",
            "void",
            "rest",
            "problem",
            "procin",
            "httpports",
            "ipv4 address",
            "homenet",
            "externalnet",
            "tgi hunt",
            "curl",
            "ip address",
            "et hunting",
            "dotted quad",
            "clientendpoint",
            "perimeter",
            "hunting",
            "informational",
            "policy",
            "outbound",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "loader",
            "sality",
            "dnguard"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA256": 177,
            "FileHash-SHA1": 7,
            "YARA": 52,
            "email": 7,
            "IPv4": 38,
            "URL": 154,
            "domain": 14,
            "hostname": 58
          },
          "indicator_count": 530,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 124,
          "modified_text": "474 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "674229b10c2364e895e83fb1",
          "name": "Skrypt pow\u0142oki  331883651   hiroz3x.sh",
          "description": "1. Downloads the file using both `wget` and `curl`.\n2. Concatenates the downloaded content to a file named `hiroz3x`.\n3. Makes `hiroz3x` executable.\n4. Executes `hiroz3x` with the argument `hiro.payload`.\nThe script attempts to change the working directory to `/tmp`, `/var/run`, `/mnt`, `/root`, or `/` before each download attempt.\nhttp://45.13.227.151/h0r0zx00xh0r0zx00xdefault/\n6188f876ce4244dd2f4bacaa3e3ab7fa2462f39848b83ec705eb8c749e8ac09b",
          "modified": "2024-12-27T00:01:27.205000",
          "created": "2024-11-23T19:14:57.957000",
          "tags": [
            "elf sha256",
            "matches rule",
            "threats open",
            "o http",
            "request",
            "get http",
            "snort",
            "misc attack",
            "potentially bad",
            "traffic matches",
            "shell",
            "trojan",
            "body",
            "sandbox",
            "speed",
            "web request",
            "commands",
            "cmdlets",
            "commandline",
            "james pemberton",
            "endgame",
            "jhasenbusch",
            "austin songer",
            "austinsonger",
            "getcommand",
            "homenet",
            "externalnet",
            "perimeter",
            "tgi hunt",
            "httpports",
            "major",
            "checks-hostname",
            "detect-debug-environment",
            "self-delete",
            "sets-process-name",
            "telnet-communication"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "downloader.medusa/shell",
              "display_name": "downloader.medusa/shell",
              "target": null
            },
            {
              "id": "medusa shell bash",
              "display_name": "medusa shell bash",
              "target": null
            },
            {
              "id": "downloader trojan",
              "display_name": "downloader trojan",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1564.001",
              "name": "Hidden Files and Directories",
              "display_name": "T1564.001 - Hidden Files and Directories"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 405,
            "FileHash-SHA1": 407,
            "FileHash-SHA256": 2369,
            "IPv4": 366,
            "URL": 685,
            "domain": 80,
            "hostname": 130,
            "YARA": 5
          },
          "indicator_count": 4447,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "519 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6740400990d6031df482102b",
          "name": "Cryptbot downloader: A deep cryptanalysis - TEHTRIS",
          "description": "",
          "modified": "2024-11-22T08:25:45.176000",
          "created": "2024-11-22T08:25:45.176000",
          "tags": [
            "utf8",
            "cryptbot",
            "pbkdf2",
            "urls",
            "assertionerror",
            "pe header",
            "compromise",
            "stage2",
            "stage2 cryptbot",
            "attack timeline",
            "virustotal",
            "code",
            "defense",
            "stealth",
            "downloader",
            "hello"
          ],
          "references": [
            "https://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cti-tehtris",
            "id": "284434",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_284434/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 115,
            "URL": 102,
            "YARA": 1,
            "domain": 2,
            "hostname": 62
          },
          "indicator_count": 322,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64dd9c1d76a7807782a691d3",
          "name": "IOC's found on my personal devices; week starting 08/14/23",
          "description": "I had wrapped the majority of the files I'd run since the 14th into the Pulse of the same date, but at over 17k indicators I think it was time to put that one to rest. Obviously, time and life allowing, my intention is to keep updating and creating more of these as long as I'm kept flush with content. At current I'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. Part of the infection chain is process hollowing and then hijacking a program close to the user, with decent call ability to the rest of the system.",
          "modified": "2024-02-14T21:44:02.852000",
          "created": "2023-08-17T04:03:41.985000",
          "tags": [
            "o cloexec",
            "r procversion",
            "cachyos",
            "gnu ld",
            "gnu binutils",
            "microsoft",
            "f lockfd",
            "cygwin",
            "u respfd",
            "procselffd13",
            "procselffd14",
            "x8664",
            "uname",
            "linux",
            "getconf",
            "cpus32",
            "case",
            "m x8664",
            "s linux",
            "x8664 o",
            "z linux",
            "z x8664",
            "replying",
            "timing",
            "successfully",
            "shift",
            "procselffd16",
            "empty",
            "head",
            "dirty",
            "found",
            "splitting",
            "license",
            "index",
            "kill",
            "zfrm",
            "argv"
          ],
          "references": [
            ".ICE-unix",
            ".org.chromium.Chromium.12ZdF3",
            ".vbox-mrkd-ipc",
            "@tmp",
            ".org.chromium.Chromium.T2jdbS",
            ".X11-unix",
            "albert_yt_ynb2tftv",
            "fish.root",
            "20230816_202710-scantemp.b14ff4bc3a",
            "plasma-csd-generator.LTvjbT",
            "pytest-of-mrkd",
            "runtime-root",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
            ".org.chromium.Chromium.coQnti",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
            "bauh@mrkd",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
            ".org.chromium.Chromium.8GBhMA",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
            ".org.chromium.Chromium.HMzFxo",
            "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
            "tmp.D4NXyZ3U4J",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
            "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
            "tmp.ziktUZeKXL",
            "v8-compile-cache-0",
            "tmp90lfbdek",
            "tst-bz26353KOtJVp",
            "v8-compile-cache-1000",
            ".X0-lock",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
            "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
            "qtsingleapp-Notifi-4c42-3e8",
            "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
            "memmemY_2MMv.c",
            "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
            "qtsingleapp-Notifi-4c42-3e8-lockfile",
            "stdbool.hcc0B2j.c",
            "strlcatmMvE1V.c",
            "qtsingleapp-Octopi-1d88-3e8-lockfile",
            "strlcpydb8x03.c",
            "stdbool.ht64kj6qw.c",
            "qtsingleapp-Octopi-1d88-3e8",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
            "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
            "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
            "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
            "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
            "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
            "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6",
            "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
            "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "BV:TelegramBot-A\\ [Trj]",
              "display_name": "BV:TelegramBot-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Ransom:Linux/DarkRadiation.A!MTB",
              "display_name": "Ransom:Linux/DarkRadiation.A!MTB",
              "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB"
            },
            {
              "id": "SLF:MamacseMacro.A",
              "display_name": "SLF:MamacseMacro.A",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Morila!MTB",
              "display_name": "TrojanDownloader:Linux/Morila!MTB",
              "target": "/malware/TrojanDownloader:Linux/Morila!MTB"
            },
            {
              "id": "Backdoor:Win32/R2d2.A",
              "display_name": "Backdoor:Win32/R2d2.A",
              "target": "/malware/Backdoor:Win32/R2d2.A"
            },
            {
              "id": "Sf:ShellCode-DZ\\ [Trj]",
              "display_name": "Sf:ShellCode-DZ\\ [Trj]",
              "target": null
            },
            {
              "id": "NETexecutableMicrosoft",
              "display_name": "NETexecutableMicrosoft",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/FakeFlexnet.A",
              "display_name": "TrojanDropper:Win32/FakeFlexnet.A",
              "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A"
            },
            {
              "id": "Delphi",
              "display_name": "Delphi",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 206,
            "domain": 5129,
            "FileHash-MD5": 177,
            "FileHash-SHA1": 114,
            "URL": 646,
            "hostname": 2078,
            "CVE": 412,
            "email": 4
          },
          "indicator_count": 8766,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "836 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709ffcf3ffe737f8cb8dfd",
          "name": "IOC's found on my personal devices; week starting 08/14/23",
          "description": "",
          "modified": "2023-12-06T16:23:24.919000",
          "created": "2023-12-06T16:23:24.919000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 103,
            "hostname": 524,
            "domain": 1292,
            "FileHash-SHA256": 95,
            "FileHash-MD5": 54,
            "FileHash-SHA1": 39,
            "URL": 169,
            "email": 1
          },
          "indicator_count": 2277,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
        "strlcatmMvE1V.c",
        ".X11-unix",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
        ".org.chromium.Chromium.12ZdF3",
        "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
        "stdbool.ht64kj6qw.c",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
        "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
        "pytest-of-mrkd",
        "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
        "tmp.ziktUZeKXL",
        "tst-bz26353KOtJVp",
        "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
        "strlcpydb8x03.c",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
        "fish.root",
        "qtsingleapp-Octopi-1d88-3e8-lockfile",
        "plasma-csd-generator.LTvjbT",
        "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
        "qtsingleapp-Notifi-4c42-3e8",
        ".vbox-mrkd-ipc",
        "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
        "stdbool.hcc0B2j.c",
        "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
        "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
        "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
        "qtsingleapp-Octopi-1d88-3e8",
        "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
        "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
        "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
        "https://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
        "albert_yt_ynb2tftv",
        "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
        ".org.chromium.Chromium.HMzFxo",
        "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
        ".org.chromium.Chromium.T2jdbS",
        "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
        "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
        ".org.chromium.Chromium.8GBhMA",
        "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
        "bauh@mrkd",
        "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
        "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
        "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
        "v8-compile-cache-0",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
        "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
        "tmp90lfbdek",
        "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
        "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
        "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
        "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
        "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
        "@tmp",
        "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
        "IOCs.2026.csv",
        "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
        "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
        "https://intel.breakglass.tech/post/goloader-polymorphic-builder-panels-stego-njrat-xworm-laohe",
        "IOCs.2026.pdf",
        "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
        "tmp.D4NXyZ3U4J",
        "qtsingleapp-Notifi-4c42-3e8-lockfile",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
        "v8-compile-cache-1000",
        ".org.chromium.Chromium.coQnti",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire",
        "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
        "20230816_202710-scantemp.b14ff4bc3a",
        "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
        "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd",
        ".X0-lock",
        "runtime-root",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
        "memmemY_2MMv.c",
        "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
        ".ICE-unix",
        "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
        "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "MioLab"
          ],
          "malware_families": [
            "Supernova - s0578",
            "Miolab"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
            "N/A",
            "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar"
          ],
          "malware_families": [
            "Miolab",
            "Slf:mamacsemacro.a",
            "Clickfix",
            "Bv:telegrambot-a\\ [trj]",
            "Integrations",
            "Ransom:linux/darkradiation.a!mtb",
            "Downloader.medusa/shell",
            "Medusa shell bash",
            "Stage-2",
            "Backdoor:win32/r2d2.a",
            "Malvertising",
            "Msg:\"et",
            "Sf:shellcode-dz\\ [trj]",
            "Macos",
            "Trojandropper:win32/fakeflexnet.a",
            "Downloader trojan",
            "Netexecutablemicrosoft",
            "Trojandownloader:linux/morila!mtb",
            "Delphi"
          ],
          "industries": [
            "Cryptocurrency",
            "Retail",
            "Individuals"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "69f3653e884ec7a430371ba3",
      "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
      "description": "MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...",
      "modified": "2026-05-04T11:24:29.519000",
      "created": "2026-04-30T14:20:46.278000",
      "tags": [
        "macos stealer",
        "clickfix",
        "maas platform",
        "cryptocurrency theft",
        "bulletproof hosting",
        "miolab"
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
      ],
      "public": 1,
      "adversary": "MioLab",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MioLab",
          "display_name": "MioLab",
          "target": null
        },
        {
          "id": "SUPERNOVA - S0578",
          "display_name": "SUPERNOVA - S0578",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1555.001",
          "name": "Keychain",
          "display_name": "T1555.001 - Keychain"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 5,
        "domain": 64
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386457,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3426f663eb79b1e568192",
      "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
      "description": "A look at some of the highlights from the week of cybersecurity news, as well as the company's latest partnership with Microsoft and SentinelOne, which aims to deliver AI-powered security operations and incident response support.",
      "modified": "2026-05-30T11:33:05.564000",
      "created": "2026-04-30T11:52:15.201000",
      "tags": [
        "miolab",
        "chromium",
        "cloudflare",
        "miolab macos",
        "ledger",
        "builder",
        "keychain",
        "apple",
        "terminal",
        "claude code",
        "exfiltration",
        "nova",
        "payload",
        "exodus",
        "cookie",
        "february",
        "grabber",
        "defense evasion",
        "format",
        "desktop",
        "cards",
        "mozilla",
        "bitcoin",
        "telegram",
        "nova stealer",
        "decoy",
        "dropper",
        "ditto",
        "macos",
        "integrations",
        "clickfix",
        "malvertising",
        "stage-2"
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MacOS",
          "display_name": "MacOS",
          "target": null
        },
        {
          "id": "Integrations",
          "display_name": "Integrations",
          "target": null
        },
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Miolab",
          "display_name": "Miolab",
          "target": null
        },
        {
          "id": "Malvertising",
          "display_name": "Malvertising",
          "target": null
        },
        {
          "id": "MioLab",
          "display_name": "MioLab",
          "target": null
        },
        {
          "id": "Stage-2",
          "display_name": "Stage-2",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 6,
        "domain": 64
      },
      "indicator_count": 84,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "10 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f32d843b6570c22f6059eb",
      "name": "EbeeApril2026 Pt8",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T10:23:00.416000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "yara",
        "filepath",
        "cve20221388 url",
        "cve20151770 cve",
        "client"
      ],
      "references": [
        "IOCs.2026.csv"
      ],
      "public": 1,
      "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 95,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 147,
        "FileHash-SHA256": 290,
        "CIDR": 1,
        "CVE": 12,
        "SSLCertFingerprint": 1,
        "domain": 90,
        "email": 2,
        "hostname": 116
      },
      "indicator_count": 917,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "12 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5fa1852d337eca8e99c2ec32",
      "name": "Malware - Malware Domain Feed V2 - November 03 2020",
      "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2026-05-30T03:19:46.084000",
      "created": "2020-11-03T16:28:29.011000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 552172,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 49967,
        "domain": 75353
      },
      "indicator_count": 125320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1727,
      "modified_text": "19 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ee1f520fbfeebe4cb7291e",
      "name": "GoLoader at Industrial Scale: Two Unauthenticated Builder Panels, 468K Polymorphic Samples, Steganographic .NET Loaders, and a Cracked njRAT Config Pointing to a Chinese XWorm Operator",
      "description": "Recent investigations uncovered two unauthenticated GoLoader builder panels located at IP addresses 121.127.246.86 and 118.107.6.148, both operational since at least January 2026. These panels are responsible for generating approximately 468,349 unique polymorphic Windows malware samples through a variety of methods, including steganography and process hollowing. The panels operate without login requirements, providing full API access to users. They actively manage 71 tasks and have been observed sending malicious payloads to a publicly accessible Alibaba Cloud storage bucket hosting 652 files amounting to about 867 MB, which include steganographic PNG carriers, VBS scripts, and Chinese-language social engineering themes targeting cryptocurrency investors.",
      "modified": "2026-05-26T14:22:02.791000",
      "created": "2026-04-26T14:21:06.495000",
      "tags": [
        "threat intelligence",
        "malware analysis",
        "c2 infrastructure",
        "apt campaigns",
        "iocs",
        "yara rules",
        "reverse engineering",
        "cybersecurity research",
        "alibaba cloud",
        "oss bucket",
        "goloader panel",
        "hong kong",
        "ddns cluster",
        "stage",
        "aes256 config",
        "panel",
        "credentials",
        "goloader",
        "powershell",
        "loader",
        "malware",
        "april",
        "python",
        "bladabindi",
        "dropper",
        "service",
        "rats",
        "encodedcommand",
        "trojan",
        "back",
        "xworm",
        "hong",
        "live",
        "execution",
        "windows",
        "pe",
        "remote access",
        "toupper",
        "waterhydra",
        "njrat"
      ],
      "references": [
        "https://intel.breakglass.tech/post/goloader-polymorphic-builder-panels-stego-njrat-xworm-laohe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [
        "Retail"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 6,
        "URL": 5,
        "YARA": 3,
        "domain": 1,
        "hostname": 7
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd48ce7b65f7a9350024cd",
      "name": "EbeeMar2026 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:33:18.540000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 130,
        "FileHash-SHA1": 145,
        "FileHash-SHA256": 207,
        "CVE": 1,
        "URL": 25,
        "domain": 285,
        "email": 4,
        "hostname": 82
      },
      "indicator_count": 879,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c2d1676259843fbf880124",
      "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
      "description": "MioLab, also known as Nova, has emerged as a significant player in the MacOS malware landscape, focusing on the acquisition of sensitive data from high-value targets such as cryptocurrency investors and executive professionals. This Premium Malware-as-a-Service (MaaS) platform is heavily marketed in Russian-speaking underground forums and offers advanced capabilities designed for effective data exfiltration.",
      "modified": "2026-04-23T17:27:31.611000",
      "created": "2026-03-24T18:01:11.793000",
      "tags": [
        "miolab",
        "chromium",
        "cloudflare",
        "miolab macos",
        "ledger",
        "builder",
        "keychain",
        "apple",
        "terminal",
        "claude code",
        "nova",
        "payload",
        "exodus",
        "cookie",
        "february",
        "grabber",
        "format",
        "desktop",
        "cards",
        "mozilla",
        "bitcoin",
        "telegram",
        "nova stealer",
        "decoy",
        "dropper",
        "ditto",
        "macos",
        "integrations",
        "clickfix",
        "malvertising",
        "stage-2"
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Miolab",
          "display_name": "Miolab",
          "target": null
        },
        {
          "id": "MioLab",
          "display_name": "MioLab",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 6,
        "domain": 64
      },
      "indicator_count": 84,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "680a97944a2471734ba68ebf",
      "name": "The LokiBot, Plik .csrss.exe  nazwa_komputera: TEST22-PC",
      "description": "https://www.malware.me/analysis/59554/summary/ \n\u201eC:\\U\u017cytkownicy\\test22\\AppData\\Local\\Temp\\.csrss.exe\u201d\n PobierzNazw\u0119KomputeraA nazwa_komputera: TEST22-PC\nThe LokiBot, a trojan that uses the name \"Inferno\", has been detected on a server in the Czech Republic and sent to a third-party site in Europe. See the following:\n252d8e4898c6a7c1a3647c2b8474e9e12901c9e2ef2af8ffe278e163d8786fb6\nPlik .csrss.exe\n94.142.140.73\n87.251.79.123",
      "modified": "2025-05-24T19:03:29.494000",
      "created": "2025-04-24T19:57:08.161000",
      "tags": [
        "sha256",
        "vhash",
        "imphash",
        "rich pe",
        "ssdeep",
        "contained",
        "utc first",
        "submission",
        "chi2",
        "english us",
        "homenet",
        "externalnet",
        "et malware",
        "charoninferno",
        "charon3b",
        "trojan",
        "msg:\"et",
        "destination ip",
        "msdw",
        "port docelowy",
        "lcid1033",
        "smlen",
        "spn647",
        "bv6fet56ww",
        "lokibot checkin",
        "malware",
        "crash report",
        "microsoft",
        "rticon english",
        "vs2008",
        "compiler",
        "vs2008 sp1",
        "vs2005"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "msg:\"ET",
          "display_name": "msg:\"ET",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 69,
        "FileHash-SHA256": 482,
        "URL": 35,
        "domain": 7,
        "hostname": 3
      },
      "indicator_count": 680,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "371 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a9f3def74f96146bc342d5",
      "name": "cobalt_loader_unpacked.exe",
      "description": "A guide to the Cobaltloader, a 32-bit executable for Windows, has been published by the University of Oxford, and its website was published on the same day as the release.",
      "modified": "2025-02-10T12:41:02.752000",
      "created": "2025-02-10T12:41:02.752000",
      "tags": [
        "sha256",
        "sha1",
        "size",
        "ms windows",
        "copy ssdeep",
        "copy imphash",
        "call",
        "imagescnmemread",
        "imagescncntcode",
        "e5a596d6h",
        "rsp20h",
        "e5a595f0h",
        "e5a595dch",
        "rsp10h",
        "rsp18h",
        "rsp04h",
        "rsp08h",
        "rsp0ch",
        "rax05h",
        "themida",
        "thumbprint md5",
        "serial number",
        "vs2022",
        "symantec time",
        "stamping",
        "from",
        "algorithm",
        "thumbprint",
        "globalsign root",
        "submission",
        "w5k0fa2",
        "connection",
        "i64d",
        "http",
        "userprofile",
        "studio",
        "ldap",
        "detail",
        "cdecl sol",
        "socks5 connect",
        "ca file",
        "error",
        "class",
        "combo",
        "delta",
        "bind",
        "unknown",
        "void",
        "rest",
        "problem",
        "procin",
        "httpports",
        "ipv4 address",
        "homenet",
        "externalnet",
        "tgi hunt",
        "curl",
        "ip address",
        "et hunting",
        "dotted quad",
        "clientendpoint",
        "perimeter",
        "hunting",
        "informational",
        "policy",
        "outbound",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "loader",
        "sality",
        "dnguard"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA256": 177,
        "FileHash-SHA1": 7,
        "YARA": 52,
        "email": 7,
        "IPv4": 38,
        "URL": 154,
        "domain": 14,
        "hostname": 58
      },
      "indicator_count": 530,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 124,
      "modified_text": "474 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "674229b10c2364e895e83fb1",
      "name": "Skrypt pow\u0142oki  331883651   hiroz3x.sh",
      "description": "1. Downloads the file using both `wget` and `curl`.\n2. Concatenates the downloaded content to a file named `hiroz3x`.\n3. Makes `hiroz3x` executable.\n4. Executes `hiroz3x` with the argument `hiro.payload`.\nThe script attempts to change the working directory to `/tmp`, `/var/run`, `/mnt`, `/root`, or `/` before each download attempt\nhttp://45.13.227.151/h0r0zx00xh0r0zx00xdefault/\n6188f876ce4244dd2f4bacaa3e3ab7fa2462f39848b83ec705eb8c749e8ac09b",
      "modified": "2024-12-27T00:01:27.205000",
      "created": "2024-11-23T19:14:57.957000",
      "tags": [
        "elf sha256",
        "matches rule",
        "threats open",
        "o http",
        "request",
        "get http",
        "snort",
        "misc attack",
        "potentially bad",
        "traffic matches",
        "shell",
        "trojan",
        "body",
        "sandbox",
        "speed",
        "web request",
        "commands",
        "cmdlets",
        "commandline",
        "james pemberton",
        "endgame",
        "jhasenbusch",
        "austin songer",
        "austinsonger",
        "getcommand",
        "homenet",
        "externalnet",
        "perimeter",
        "tgi hunt",
        "httpports",
        "major",
        "checks-hostname",
        "detect-debug-environment",
        "self-delete",
        "sets-process-name",
        "telnet-communication"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "downloader.medusa/shell",
          "display_name": "downloader.medusa/shell",
          "target": null
        },
        {
          "id": "medusa shell bash",
          "display_name": "medusa shell bash",
          "target": null
        },
        {
          "id": "downloader trojan",
          "display_name": "downloader trojan",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1564.001",
          "name": "Hidden Files and Directories",
          "display_name": "T1564.001 - Hidden Files and Directories"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 405,
        "FileHash-SHA1": 407,
        "FileHash-SHA256": 2369,
        "IPv4": 366,
        "URL": 685,
        "domain": 80,
        "hostname": 130,
        "YARA": 5
      },
      "indicator_count": 4447,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "519 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http.host",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http.host",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780180178.8181372
}