{ "type": "Domain", "indicator": "limitedavailability-show.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/limitedavailability-show.com", "alexa": "http://www.alexa.com/siteinfo/limitedavailability-show.com", "indicator": "limitedavailability-show.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4052446151, "indicator": "limitedavailability-show.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "67e41bedc264bcc69a9b8e20", "name": "Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants", "description": "ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote commands, potentially offering Pay-Per-Install or Malware-as-a-Service. It collects system information, creates persistence mechanisms, and communicates with command and control servers. The Go variant, less common than others, uses string obfuscation techniques to hinder analysis. While currently associated with adware delivery, the loader's capabilities pose a potential threat for more malicious payloads in the future.", "modified": "2025-03-26T17:01:07.073000", "created": "2025-03-26T15:23:25.756000", "tags": [ "genieo", "crystal", "silver toucan", "malware", "dolittle", "rust", "adware", "wizardupdate", "loader", "macos", "go", "nim", "persistence", "updateagent", "readerupdate" ], "references": [ "https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ReaderUpdate", "display_name": "ReaderUpdate", "target": null }, { "id": "Genieo", "display_name": "Genieo", "target": null }, { "id": "DOLITTLE", "display_name": "DOLITTLE", "target": null }, { "id": "WizardUpdate", "display_name": "WizardUpdate", "target": null }, { "id": "UpdateAgent", "display_name": "UpdateAgent", "target": null }, { "id": "Silver Toucan", "display_name": "Silver Toucan", "target": null } ], "attack_ids": [ { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1053.004", "name": "Launchd", "display_name": "T1053.004 - Launchd" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1546.004", "name": "Unix Shell Configuration Modification", "display_name": "T1546.004 - Unix Shell Configuration Modification" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 13, "FileHash-SHA256": 1, "domain": 10, "hostname": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386727, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f1bbda9e928a3743d1c379", "name": "InQuest - 05-04-2025", "description": "", "modified": "2025-05-05T23:03:32.288000", "created": "2025-04-05T23:25:13.994000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 569, "FileHash-SHA256": 550, "domain": 150, "hostname": 107, "FileHash-SHA1": 39, "FileHash-MD5": 41 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "391 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f06bc5e8059cb562270235", "name": "InQuest - 04-04-2025", "description": "", "modified": "2025-05-04T23:03:41.880000", "created": "2025-04-04T23:31:17.659000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 659, "FileHash-SHA256": 572, "FileHash-SHA1": 30, "FileHash-MD5": 43, "hostname": 138, "domain": 135 }, "indicator_count": 1577, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef1968f9c1c05c07ef00c0", "name": "InQuest - 03-04-2025", "description": "", "modified": "2025-05-03T23:03:06.090000", "created": "2025-04-03T23:27:36.140000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 533, "FileHash-MD5": 38, "URL": 728, "hostname": 134, "domain": 157, "FileHash-SHA1": 47 }, "indicator_count": 1637, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "393 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67edc9471b28e16af7425847", "name": "InQuest - 02-04-2025", "description": "", "modified": "2025-05-02T23:03:33.268000", "created": "2025-04-02T23:33:27.853000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 723, "FileHash-SHA256": 455, "domain": 142, "FileHash-MD5": 37, "hostname": 136, "FileHash-SHA1": 52 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "394 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Updateagent", "Readerupdate", "Dolittle", "Silver toucan", "Genieo", "Wizardupdate" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "67e41bedc264bcc69a9b8e20", "name": "Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants", "description": "ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote commands, potentially offering Pay-Per-Install or Malware-as-a-Service. It collects system information, creates persistence mechanisms, and communicates with command and control servers. The Go variant, less common than others, uses string obfuscation techniques to hinder analysis. While currently associated with adware delivery, the loader's capabilities pose a potential threat for more malicious payloads in the future.", "modified": "2025-03-26T17:01:07.073000", "created": "2025-03-26T15:23:25.756000", "tags": [ "genieo", "crystal", "silver toucan", "malware", "dolittle", "rust", "adware", "wizardupdate", "loader", "macos", "go", "nim", "persistence", "updateagent", "readerupdate" ], "references": [ "https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ReaderUpdate", "display_name": "ReaderUpdate", "target": null }, { "id": "Genieo", "display_name": "Genieo", "target": null }, { "id": "DOLITTLE", "display_name": "DOLITTLE", "target": null }, { "id": "WizardUpdate", "display_name": "WizardUpdate", "target": null }, { "id": "UpdateAgent", "display_name": "UpdateAgent", "target": null }, { "id": "Silver Toucan", "display_name": "Silver Toucan", "target": null } ], "attack_ids": [ { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1053.004", "name": "Launchd", "display_name": "T1053.004 - Launchd" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1546.004", "name": "Unix Shell Configuration Modification", "display_name": "T1546.004 - Unix Shell Configuration Modification" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 13, "FileHash-SHA256": 1, "domain": 10, "hostname": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386727, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f1bbda9e928a3743d1c379", "name": "InQuest - 05-04-2025", "description": "", "modified": "2025-05-05T23:03:32.288000", "created": "2025-04-05T23:25:13.994000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 569, "FileHash-SHA256": 550, "domain": 150, "hostname": 107, "FileHash-SHA1": 39, "FileHash-MD5": 41 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "391 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f06bc5e8059cb562270235", "name": "InQuest - 04-04-2025", "description": "", "modified": "2025-05-04T23:03:41.880000", "created": "2025-04-04T23:31:17.659000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 659, "FileHash-SHA256": 572, "FileHash-SHA1": 30, "FileHash-MD5": 43, "hostname": 138, "domain": 135 }, "indicator_count": 1577, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef1968f9c1c05c07ef00c0", "name": "InQuest - 03-04-2025", "description": "", "modified": "2025-05-03T23:03:06.090000", "created": "2025-04-03T23:27:36.140000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 533, "FileHash-MD5": 38, "URL": 728, "hostname": 134, "domain": 157, "FileHash-SHA1": 47 }, "indicator_count": 1637, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "393 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67edc9471b28e16af7425847", "name": "InQuest - 02-04-2025", "description": "", "modified": "2025-05-02T23:03:33.268000", "created": "2025-04-02T23:33:27.853000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 723, "FileHash-SHA256": 455, "domain": 142, "FileHash-MD5": 37, "hostname": 136, "FileHash-SHA1": 52 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "394 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "limitedavailability-show.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "limitedavailability-show.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780339189.6205711 }