{ "type": "URL", "indicator": "https://apple-ads-metric.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://apple-ads-metric.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4040845925, "indicator": "https://apple-ads-metric.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "67bf4431daee3fb074cce3dd", "name": "North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer", "description": "A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes \"RustDoor,\" a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of \"Koi Stealer,\" designed to exfiltrate sensitive information", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-26T16:41:21.362000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386984, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67bffe94eeea55f19bc590c7", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T05:56:36.853000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bf4431daee3fb074cce3dd", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c00d03934a9b34538207c9", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T06:58:11.901000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bffe94eeea55f19bc590c7", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67bf119ff06473a3d9f47c79", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "Palo Alto Networks research has identified two new variants of malware targeting macOS, as well as a previously undocumented variant of a similar family family known as Koi Stealer, used by a North Korean threat actor.", "modified": "2025-03-28T13:01:13.638000", "created": "2025-02-26T13:05:35.516000", "tags": [ "koi stealer", "cortex xdr", "rustdoor", "c2 server", "unit", "figure", "applescript", "palo alto", "networks", "studio", "malware", "discord", "alliance", "infostealer", "rust", "download", "macho", "redline stealer", "stealer", "steam", "sentinel", "bluenoroff", "nullmixer", "rustbucket", "windows", "windows koi", "macos", "koi" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "RustDoor", "targeted_countries": [], "malware_families": [ { "id": "RustBucket", "display_name": "RustBucket", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "Windows Koi", "display_name": "Windows Koi", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "Koi", "display_name": "Koi", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 16, "URL": 6, "domain": 2 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Koi stealer" ], "industries": [], "unique_indicators": 27 }, "other": { "adversary": [ "RustDoor" ], "malware_families": [ "Windows", "Macos", "Rustbucket", "Koi stealer", "Rustdoor", "Koi", "Windows koi" ], "industries": [ "Cryptocurrency" ], "unique_indicators": 32 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/apple-ads-metric.com", "whois": "http://whois.domaintools.com/apple-ads-metric.com", "domain": "apple-ads-metric.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "67bf4431daee3fb074cce3dd", "name": "North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer", "description": "A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes \"RustDoor,\" a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of \"Koi Stealer,\" designed to exfiltrate sensitive information", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-26T16:41:21.362000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386984, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67bffe94eeea55f19bc590c7", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T05:56:36.853000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bf4431daee3fb074cce3dd", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c00d03934a9b34538207c9", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T06:58:11.901000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bffe94eeea55f19bc590c7", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67bf119ff06473a3d9f47c79", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "Palo Alto Networks research has identified two new variants of malware targeting macOS, as well as a previously undocumented variant of a similar family family known as Koi Stealer, used by a North Korean threat actor.", "modified": "2025-03-28T13:01:13.638000", "created": "2025-02-26T13:05:35.516000", "tags": [ "koi stealer", "cortex xdr", "rustdoor", "c2 server", "unit", "figure", "applescript", "palo alto", "networks", "studio", "malware", "discord", "alliance", "infostealer", "rust", "download", "macho", "redline stealer", "stealer", "steam", "sentinel", "bluenoroff", "nullmixer", "rustbucket", "windows", "windows koi", "macos", "koi" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "RustDoor", "targeted_countries": [], "malware_families": [ { "id": "RustBucket", "display_name": "RustBucket", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "Windows Koi", "display_name": "Windows Koi", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "Koi", "display_name": "Koi", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 16, "URL": 6, "domain": 2 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://apple-ads-metric.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://apple-ads-metric.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780452764.438796 }