{ "type": "URL", "indicator": "https://com.apple.home.group", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://com.apple.home.group", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4028621236, "indicator": "https://com.apple.home.group", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "678d3ad53ba37ac1825e3d2c", "name": "Aishah Lazim", "description": "Domestic cyberterrorism", "modified": "2025-02-21T00:57:53.601000", "created": "2025-01-19T17:48:05.477000", "tags": [ "filesystem", "timestamp", "plugin", "event", "mcdp29xxisp", "mcdp29xxapp", "mcdp29xx", "slam", "debug", "info", "stix2", "wisemo", "findmykids", "shutdownlog", "chromefavicon", "firefoxfavicon", "interactionc", "whatsapp", "predator", "flexispy", "cerberus", "metasploit", "theonespy", "netspy", "mobilespy", "webwatcher", "observer", "phonespy", "spynote", "ahmyth", "droidwatcher", "lovespy", "onespy", "safenet", "calendar", "f2c43", "timezonedb", "runningboard", "aspsnapshots", "wifi", "safari", "GUANGZHOU FIVE SIX TECHNOLOGY CO L", "194 Green Street", "Brooklyn" ], "references": [ "info.json", "timeline.csv", "filesystem.json", "command.log", "DiskMountConditioner.json" ], "public": 1, "adversary": "Dragonforce Malaysia Hacker Group", "targeted_countries": [ "United States of America", "Bahrain", "France" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 923, "FileHash-MD5": 12, "FileHash-SHA1": 39, "domain": 817, "FileHash-SHA256": 422, "URL": 1543, "CIDR": 4, "email": 68, "SSLCertFingerprint": 387, "CVE": 5 }, "indicator_count": 4220, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b2748046b400a75722958a", "name": "OpsBedil: MacOS Software Post-Installation Exploitation, Apple Inc.", "description": "Threat actors affiliated with DragonForce Malaysia, Lazarus Group, etc. exploit unauthorized nodes during MacOS software installations to gain persistence, exfiltrate data, and escalate privileges. Techniques observed include T1003 (Credential Dumping) to harvest keychain data, T1020 (Automated Exfiltration) over T1071 (Application Layer Protocol), and T1027 (Obfuscation) to conceal payloads. Persistence is achieved via T1053 (Scheduled Tasks) and T1543 (System Process Creation). Lateral movement is supported by T1046 (Network Discovery) and T1055 (Process Injection). Valid credentials (T1078) and remote services (T1133) enable long-term access. Proxy use (T1090) and tunneling (T1572) evade detection. Attackers hijack resources (T1496) and may deploy T1498 (DoS). Monitoring for unsigned installations, abnormal processes, and unusual traffic can detect this activity. Validating software sources and restricting network egress is recommended.", "modified": "2025-02-21T00:57:29.372000", "created": "2025-02-16T23:28:00.763000", "tags": [ "downloads music", "desktop library", "movies public", "hostname", "cves", "emails", "convertt", "filehashesepo", "display", "bash", "term", "path", "shell", "date", "license", "dyldlibrarypath", "apache software", "foundation", "notice file", "apache license", "version", "unless", "as is", "basis", "usrsbinkadmin l", "heimdal", "btmm hash", "s gmtnever", "kerberos", "logger", "force", "mit emulation", "bad option", "certhash", "movies", "music", "bluetool mktemp", "getfileinfo", "ioaccelmemory", "iosdebug", "rez mountcd9660", "mountftp", "bpinstall", "importcsv", "re resmerger", "select", "define", "http", "filehash", "open", "Aishah Siti Lazim", "194 Green Street", "Aishah Lazim", "LGBTQ Hate Attack", "Anti-semitic", "DragonForce Malaysia", "dragonforce.io", "synthetic identity theft", "computer intrusion act", "illegal surveillance", "noncivilian citizens", "havana syndrome", "electromagnetic radiation" ], "references": [ "envvars", "kadmin.local", "Info.plist", "metadata.json", "/var/log/install.log", "/var/log/install.log", "/var/log/asl", "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", "/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/accessoryupdaterd", "" ], "public": 1, "adversary": "DragonForce Malaysia", "targeted_countries": [ "United States of America", "Israel", "Bahrain", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Government", "NGO", "Media", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 116, "URL": 93, "domain": 11, "hostname": 45 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "command.log", "Info.plist", "info.json", "filesystem.json", "/var/log/asl", "DiskMountConditioner.json", "timeline.csv", "metadata.json", "envvars", "/var/log/install.log", "/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/accessoryupdaterd", "kadmin.local", "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DragonForce Malaysia", "Dragonforce Malaysia Hacker Group" ], "malware_families": [ "" ], "industries": [ "Media", "Education", "Ngo", "Government" ], "unique_indicators": 3104 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/home.group", "whois": "http://whois.domaintools.com/home.group", "domain": "home.group", "hostname": "com.apple.home.group" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "678d3ad53ba37ac1825e3d2c", "name": "Aishah Lazim", "description": "Domestic cyberterrorism", "modified": "2025-02-21T00:57:53.601000", "created": "2025-01-19T17:48:05.477000", "tags": [ "filesystem", "timestamp", "plugin", "event", "mcdp29xxisp", "mcdp29xxapp", "mcdp29xx", "slam", "debug", "info", "stix2", "wisemo", "findmykids", "shutdownlog", "chromefavicon", "firefoxfavicon", "interactionc", "whatsapp", "predator", "flexispy", "cerberus", "metasploit", "theonespy", "netspy", "mobilespy", "webwatcher", "observer", "phonespy", "spynote", "ahmyth", "droidwatcher", "lovespy", "onespy", "safenet", "calendar", "f2c43", "timezonedb", "runningboard", "aspsnapshots", "wifi", "safari", "GUANGZHOU FIVE SIX TECHNOLOGY CO L", "194 Green Street", "Brooklyn" ], "references": [ "info.json", "timeline.csv", "filesystem.json", "command.log", "DiskMountConditioner.json" ], "public": 1, "adversary": "Dragonforce Malaysia Hacker Group", "targeted_countries": [ "United States of America", "Bahrain", "France" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 923, "FileHash-MD5": 12, "FileHash-SHA1": 39, "domain": 817, "FileHash-SHA256": 422, "URL": 1543, "CIDR": 4, "email": 68, "SSLCertFingerprint": 387, "CVE": 5 }, "indicator_count": 4220, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b2748046b400a75722958a", "name": "OpsBedil: MacOS Software Post-Installation Exploitation, Apple Inc.", "description": "Threat actors affiliated with DragonForce Malaysia, Lazarus Group, etc. exploit unauthorized nodes during MacOS software installations to gain persistence, exfiltrate data, and escalate privileges. Techniques observed include T1003 (Credential Dumping) to harvest keychain data, T1020 (Automated Exfiltration) over T1071 (Application Layer Protocol), and T1027 (Obfuscation) to conceal payloads. Persistence is achieved via T1053 (Scheduled Tasks) and T1543 (System Process Creation). Lateral movement is supported by T1046 (Network Discovery) and T1055 (Process Injection). Valid credentials (T1078) and remote services (T1133) enable long-term access. Proxy use (T1090) and tunneling (T1572) evade detection. Attackers hijack resources (T1496) and may deploy T1498 (DoS). Monitoring for unsigned installations, abnormal processes, and unusual traffic can detect this activity. Validating software sources and restricting network egress is recommended.", "modified": "2025-02-21T00:57:29.372000", "created": "2025-02-16T23:28:00.763000", "tags": [ "downloads music", "desktop library", "movies public", "hostname", "cves", "emails", "convertt", "filehashesepo", "display", "bash", "term", "path", "shell", "date", "license", "dyldlibrarypath", "apache software", "foundation", "notice file", "apache license", "version", "unless", "as is", "basis", "usrsbinkadmin l", "heimdal", "btmm hash", "s gmtnever", "kerberos", "logger", "force", "mit emulation", "bad option", "certhash", "movies", "music", "bluetool mktemp", "getfileinfo", "ioaccelmemory", "iosdebug", "rez mountcd9660", "mountftp", "bpinstall", "importcsv", "re resmerger", "select", "define", "http", "filehash", "open", "Aishah Siti Lazim", "194 Green Street", "Aishah Lazim", "LGBTQ Hate Attack", "Anti-semitic", "DragonForce Malaysia", "dragonforce.io", "synthetic identity theft", "computer intrusion act", "illegal surveillance", "noncivilian citizens", "havana syndrome", "electromagnetic radiation" ], "references": [ "envvars", "kadmin.local", "Info.plist", "metadata.json", "/var/log/install.log", "/var/log/install.log", "/var/log/asl", "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", "/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/accessoryupdaterd", "" ], "public": 1, "adversary": "DragonForce Malaysia", "targeted_countries": [ "United States of America", "Israel", "Bahrain", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Government", "NGO", "Media", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 116, "URL": 93, "domain": 11, "hostname": 45 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://com.apple.home.group", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://com.apple.home.group", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780213075.0863614 }