{
  "type": "URL",
  "indicator": "https://apple-ads-metric.com/npm",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://apple-ads-metric.com/npm",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4040845927,
      "indicator": "https://apple-ads-metric.com/npm",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "67bf119ff06473a3d9f47c79",
          "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector",
          "description": "Palo Alto Networks research has identified two new variants of malware targeting macOS, as well as a previously undocumented variant of a similar family known as Koi Stealer, used by a North Korean threat actor.",
          "modified": "2025-03-28T13:01:13.638000",
          "created": "2025-02-26T13:05:35.516000",
          "tags": [
            "koi stealer",
            "cortex xdr",
            "rustdoor",
            "c2 server",
            "unit",
            "figure",
            "applescript",
            "palo alto",
            "networks",
            "studio",
            "malware",
            "discord",
            "alliance",
            "infostealer",
            "rust",
            "download",
            "macho",
            "redline stealer",
            "stealer",
            "steam",
            "sentinel",
            "bluenoroff",
            "nullmixer",
            "rustbucket",
            "windows",
            "windows koi",
            "macos",
            "koi"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/"
          ],
          "public": 1,
          "adversary": "RustDoor",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RustBucket",
              "display_name": "RustBucket",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "RustDoor",
              "display_name": "RustDoor",
              "target": null
            },
            {
              "id": "Windows Koi",
              "display_name": "Windows Koi",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Koi",
              "display_name": "Koi",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 16,
            "URL": 6,
            "domain": 2
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "431 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "RustDoor"
          ],
          "malware_families": [
            "Macos",
            "Rustdoor",
            "Windows koi",
            "Koi",
            "Rustbucket",
            "Windows"
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "unique_indicators": 32
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/apple-ads-metric.com",
    "whois": "http://whois.domaintools.com/apple-ads-metric.com",
    "domain": "apple-ads-metric.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "67bf119ff06473a3d9f47c79",
      "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector",
      "description": "Palo Alto Networks research has identified two new variants of malware targeting macOS, as well as a previously undocumented variant of a similar family known as Koi Stealer, used by a North Korean threat actor.",
      "modified": "2025-03-28T13:01:13.638000",
      "created": "2025-02-26T13:05:35.516000",
      "tags": [
        "koi stealer",
        "cortex xdr",
        "rustdoor",
        "c2 server",
        "unit",
        "figure",
        "applescript",
        "palo alto",
        "networks",
        "studio",
        "malware",
        "discord",
        "alliance",
        "infostealer",
        "rust",
        "download",
        "macho",
        "redline stealer",
        "stealer",
        "steam",
        "sentinel",
        "bluenoroff",
        "nullmixer",
        "rustbucket",
        "windows",
        "windows koi",
        "macos",
        "koi"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/"
      ],
      "public": 1,
      "adversary": "RustDoor",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RustBucket",
          "display_name": "RustBucket",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "RustDoor",
          "display_name": "RustDoor",
          "target": null
        },
        {
          "id": "Windows Koi",
          "display_name": "Windows Koi",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Koi",
          "display_name": "Koi",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 16,
        "URL": 6,
        "domain": 2
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "431 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://apple-ads-metric.com/npm",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://apple-ads-metric.com/npm",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780470713.639996
}