{ "type": "URL", "indicator": "https://terafolt.com/gate", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://terafolt.com/gate", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4329247673, "indicator": "https://terafolt.com/gate", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee2b81c986e399433144df", "name": "SHub Stealer v2.0: A Live C2 Serving 103 Wallet Extensions, 23 Desktop Wallets, and a Full AppleScript Source We Downloaded", "description": "SHub Stealer v2.0 is a sophisticated macOS infostealer known for its extensive targeting of cryptocurrency assets, utilizing a two-stage attack via a loader and an AppleScript payload. Active as of April 20, 2026, it employs a command-and-control (C2) server (http://terafolt.com) to deliver its malicious components and displays significant capabilities, including credential harvesting and backdooring of numerous cryptocurrency wallet applications.", "modified": "2026-04-26T15:13:05.974000", "created": "2026-04-26T15:13:05.974000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "shub stealer", "april", "ioc table", "ledger live", "trezor suite", "firefox", "datadog", "malwarebytes", "report", "public record", "february", "exodus", "persistence", "telegram", "phantom", "temple", "atomic", "intelligence shub", "shub", "applescript" ], "references": [ "https://intel.breakglass.tech/post/shub-stealer-v2-terafolt-live-c2-103-wallets-applescript-source" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://intel.breakglass.tech/post/shub-stealer-v2-terafolt-live-c2-103-wallets-applescript-source", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [], "unique_indicators": 1006 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/terafolt.com", "whois": "http://whois.domaintools.com/terafolt.com", "domain": "terafolt.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee2b81c986e399433144df", "name": "SHub Stealer v2.0: A Live C2 Serving 103 Wallet Extensions, 23 Desktop Wallets, and a Full AppleScript Source We Downloaded", "description": "SHub Stealer v2.0 is a sophisticated macOS infostealer known for its extensive targeting of cryptocurrency assets, utilizing a two-stage attack via a loader and an AppleScript payload. Active as of April 20, 2026, it employs a command-and-control (C2) server (http://terafolt.com) to deliver its malicious components and displays significant capabilities, including credential harvesting and backdooring of numerous cryptocurrency wallet applications.", "modified": "2026-04-26T15:13:05.974000", "created": "2026-04-26T15:13:05.974000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "shub stealer", "april", "ioc table", "ledger live", "trezor suite", "firefox", "datadog", "malwarebytes", "report", "public record", "february", "exodus", "persistence", "telegram", "phantom", "temple", "atomic", "intelligence shub", "shub", "applescript" ], "references": [ "https://intel.breakglass.tech/post/shub-stealer-v2-terafolt-live-c2-103-wallets-applescript-source" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://terafolt.com/gate", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://terafolt.com/gate", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180214.463406 }