{ "type": "URL", "indicator": "https://hai-per-package.com/api/load_mac/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://hai-per-package.com/api/load_mac/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4071849543, "indicator": "https://hai-per-package.com/api/load_mac/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6855bacae134aaca15b1723e", "name": "Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader.", "description": "A recent malware campaign attributed to unidentified threat actors, dubbed \"Dark Partners,\" has been observed delivering malicious payloads targeting Windows and MacOS users. The campaign utilizes a loader known as \"PayDay Loader,\" which primarily facilitates the distribution of infostealers, including the notorious Poseidon Stealer for MacOS. The origin of this malware can be traced back to impersonated websites mimicking well-known AI and VPN services, with notable emphasis on fostering user trust through familiar brands.", "modified": "2025-07-20T19:01:42.402000", "created": "2025-06-20T19:47:22.873000", "tags": [ "payday loader", "cfile", "require", "promise", "grabfolder", "dark", "await", "c2 server", "null", "base64", "ffile", "loader", "lumma stealer", "error", "crypto", "dllimport", "install", "bypass", "path", "stop", "phantom", "exodus", "harmony", "tron", "temple", "poseidon", "\u2019m", "dark partners", "windows", "lumma", "nodejs", "cybersecurity cryptocurrency" ], "references": [ "https://g0njxa.medium.com/dark-partners-the-crypto-heist-adventure-of-poseidon-stealer-and-payday-loader-c91382fac5c8" ], "public": 1, "adversary": "Poseidon", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Dark Partners", "display_name": "Dark Partners", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "NodeJS", "display_name": "NodeJS", "target": null }, { "id": "Cybersecurity Cryptocurrency", "display_name": "Cybersecurity Cryptocurrency", "target": null }, { "id": "Poseidon", "display_name": "Poseidon", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 22, "URL": 18, "domain": 79, "email": 1, "hostname": 179 }, "indicator_count": 305, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "315 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://g0njxa.medium.com/dark-partners-the-crypto-heist-adventure-of-poseidon-stealer-and-payday-loader-c91382fac5c8" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Poseidon" ], "malware_families": [ "Poseidon", "Nodejs", "\u2019m", "Dark partners", "Cybersecurity cryptocurrency", "Windows", "Lumma" ], "industries": [], "unique_indicators": 312 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hai-per-package.com", "whois": "http://whois.domaintools.com/hai-per-package.com", "domain": "hai-per-package.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6855bacae134aaca15b1723e", "name": "Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader.", "description": "A recent malware campaign attributed to unidentified threat actors, dubbed \"Dark Partners,\" has been observed delivering malicious payloads targeting Windows and MacOS users. The campaign utilizes a loader known as \"PayDay Loader,\" which primarily facilitates the distribution of infostealers, including the notorious Poseidon Stealer for MacOS. The origin of this malware can be traced back to impersonated websites mimicking well-known AI and VPN services, with notable emphasis on fostering user trust through familiar brands.", "modified": "2025-07-20T19:01:42.402000", "created": "2025-06-20T19:47:22.873000", "tags": [ "payday loader", "cfile", "require", "promise", "grabfolder", "dark", "await", "c2 server", "null", "base64", "ffile", "loader", "lumma stealer", "error", "crypto", "dllimport", "install", "bypass", "path", "stop", "phantom", "exodus", "harmony", "tron", "temple", "poseidon", "\u2019m", "dark partners", "windows", "lumma", "nodejs", "cybersecurity cryptocurrency" ], "references": [ "https://g0njxa.medium.com/dark-partners-the-crypto-heist-adventure-of-poseidon-stealer-and-payday-loader-c91382fac5c8" ], "public": 1, "adversary": "Poseidon", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Dark Partners", "display_name": "Dark Partners", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "NodeJS", "display_name": "NodeJS", "target": null }, { "id": "Cybersecurity Cryptocurrency", "display_name": "Cybersecurity Cryptocurrency", "target": null }, { "id": "Poseidon", "display_name": "Poseidon", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 22, "URL": 18, "domain": 79, "email": 1, "hostname": 179 }, "indicator_count": 305, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "315 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://hai-per-package.com/api/load_mac/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://hai-per-package.com/api/load_mac/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780261767.968925 }