{ "type": "Domain", "indicator": "logmeln.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/logmeln.com", "alexa": "http://www.alexa.com/siteinfo/logmeln.com", "indicator": "logmeln.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4140566419, "indicator": "logmeln.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68f130fdef3c6aab4fcab821", "name": "Odyssey Stealer & AMOS Hit macOS Developers with Fake Homebrew Sites", "description": "A sophisticated campaign targeting macOS developers has been uncovered, utilizing fake websites impersonating trusted platforms like Homebrew, TradingView, and LogMeIn to distribute Odyssey Stealer and AMOS malware. The attackers employ social engineering tactics, prompting users to paste base64-encoded commands in Terminal, which downloads malicious payloads. Over 85 phishing domains were identified, linked through shared SSL certificates and infrastructure. The campaign's infrastructure includes long-standing IP addresses showing multi-year activity. The malware attempts privilege escalation, performs anti-analysis checks, and disrupts backup services. This coordinated operation demonstrates the attackers' ability to adapt tactics and maintain persistence in the macOS ecosystem.", "modified": "2025-11-15T17:00:02.086000", "created": "2025-10-16T17:53:01.412000", "tags": [ "stealer", "macos", "privilege escalation", "phishing", "homebrew", "odyssey stealer", "amos", "developers", "social engineering", "infrastructure reuse" ], "references": [ "https://hunt.io/blog/macos-odyssey-amos-malware-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey Stealer", "display_name": "Odyssey Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1553.005", "name": "Mark-of-the-Web Bypass", "display_name": "T1553.005 - Mark-of-the-Web Bypass" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 10 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386910, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f8bc8fed2ac5ab4696ad7d", "name": "Cyber Threat Advisory - Update 1: Spoofed Homebrew Sites Used to Spread Stealer Malware in Targeted Campaign", "description": "", "modified": "2025-11-21T11:03:18.076000", "created": "2025-10-22T11:14:22.238000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hunt.io/blog/macos-odyssey-amos-malware-campaign" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Amos", "Odyssey stealer" ], "industries": [ "Technology" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68f130fdef3c6aab4fcab821", "name": "Odyssey Stealer & AMOS Hit macOS Developers with Fake Homebrew Sites", "description": "A sophisticated campaign targeting macOS developers has been uncovered, utilizing fake websites impersonating trusted platforms like Homebrew, TradingView, and LogMeIn to distribute Odyssey Stealer and AMOS malware. The attackers employ social engineering tactics, prompting users to paste base64-encoded commands in Terminal, which downloads malicious payloads. Over 85 phishing domains were identified, linked through shared SSL certificates and infrastructure. The campaign's infrastructure includes long-standing IP addresses showing multi-year activity. The malware attempts privilege escalation, performs anti-analysis checks, and disrupts backup services. This coordinated operation demonstrates the attackers' ability to adapt tactics and maintain persistence in the macOS ecosystem.", "modified": "2025-11-15T17:00:02.086000", "created": "2025-10-16T17:53:01.412000", "tags": [ "stealer", "macos", "privilege escalation", "phishing", "homebrew", "odyssey stealer", "amos", "developers", "social engineering", "infrastructure reuse" ], "references": [ "https://hunt.io/blog/macos-odyssey-amos-malware-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey Stealer", "display_name": "Odyssey Stealer", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1553.005", "name": "Mark-of-the-Web Bypass", "display_name": "T1553.005 - Mark-of-the-Web Bypass" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 10 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386910, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f8bc8fed2ac5ab4696ad7d", "name": "Cyber Threat Advisory - Update 1: Spoofed Homebrew Sites Used to Spread Stealer Malware in Targeted Campaign", "description": "", "modified": "2025-11-21T11:03:18.076000", "created": "2025-10-22T11:14:22.238000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "logmeln.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "logmeln.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780415635.4789808 }