{ "type": "Domain", "indicator": "superdocs.ru", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/superdocs.ru", "alexa": "http://www.alexa.com/siteinfo/superdocs.ru", "indicator": "superdocs.ru", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3460975850, "indicator": "superdocs.ru", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6304e95e39919cf7ead010b7", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python", "description": "Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.", "modified": "2022-09-22T00:02:31.511000", "created": "2022-08-23T14:51:09.684000", "tags": [ "XCSSET", "malware", "macOS", "SHC-compiled", "AppleScript" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 485, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 37, "domain": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386609, "modified_text": "1348 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b8a03d858edc9cb782d646", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python", "description": "SentinelOne has been named the world\u2019s leading provider of self-defending endpoint security services for the fourth year in a row, beating rivals such as CrowdStrike, RSA and IBM.", "modified": "2025-03-23T15:02:20.895000", "created": "2025-02-21T15:48:13.289000", "tags": [ "xcsset", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "dock", "vlad", "june", "malware", "protect", "mrt" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MRT", "display_name": "MRT", "target": null }, { "id": "XCSSET", "display_name": "XCSSET", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dataendure_soc", "id": "59789", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "434 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6306b424e5c5c4d5a5d4e058", "name": "XCSSET Malware Updates with Python 3 to Target macOS Monterey Users", "description": "", "modified": "2022-09-24T00:01:35.234000", "created": "2022-08-24T23:28:36.909000", "tags": [], "references": [ "August 25th, 2022 - CryptoGen Cyber Threat Intelligence -XCSSET Malware Updates with Python 3 to Target macOS Monterey Users .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 503, "modified_text": "1346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6305d7aa39c809c84d58846b", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python - SentinelOne", "description": "SentinelOne is an industry-leading cybersecurity platform that delivers the security you need to prevent, detect, undo and prevent cyber-threats, and offers a range of solutions to all types of challenges.", "modified": "2022-09-23T00:00:05.122000", "created": "2022-08-24T07:47:54.231000", "tags": [ "xcsset", "threat", "mrt", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "vlad", "june", "malware", "protect" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "MRT", "display_name": "MRT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6305ee45df0790b2c0ed56e6", "name": "XCSSET Malware Updates with Python 3 to Target macOS Monterey Users", "description": "The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3.\n\n\"The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022,\" SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report.", "modified": "2022-09-23T00:00:05.122000", "created": "2022-08-24T09:24:21.096000", "tags": [ "xcsset", "threat", "mrt", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "vlad", "june", "malware", "protect" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/", "https://thehackernews.com/2022/08/xcsset-malware-updates-with-python-3-to.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "MRT", "display_name": "MRT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6305d7aa39c809c84d58846b", "export_count": 340, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "1347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6306091e19e7796c6eb31ece", "name": "XCSSET IOCs", "description": "The full text of the text and characters that have been added to Apple and Google's operating systems, as well as the web browser, can now be viewed on Apple, Google and other sites.", "modified": "2022-09-23T00:00:05.122000", "created": "2022-08-24T11:18:54.880000", "tags": [], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6304dcda56532012fecb253f", "name": "XCSSET Malware Update", "description": "Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.", "modified": "2022-09-22T00:02:31.511000", "created": "2022-08-23T13:57:46.809000", "tags": [ "xcsset", "apple", "applescripts", "malware", "Dropper", "Exfiltration" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jgomez1677", "id": "99942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 37, "domain": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1348 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6303d35b01f2d1a82bda7831", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python - SentinelOne", "description": "SentinelOne is an industry-leading cybersecurity platform that delivers the security you need to prevent, detect, undo and prevent cyber-threats, and offers a range of solutions to all types of challenges.", "modified": "2022-09-21T00:02:24.222000", "created": "2022-08-22T19:04:59.499000", "tags": [ "xcsset", "threat", "mrt", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "vlad", "june", "malware", "protect" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "MRT", "display_name": "MRT", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 37, "domain": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/", "https://thehackernews.com/2022/08/xcsset-malware-updates-with-python-3-to.html", "August 25th, 2022 - CryptoGen Cyber Threat Intelligence -XCSSET Malware Updates with Python 3 to Target macOS Monterey Users .pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Xcsset" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Threat", "Mrt", "Xcsset" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6304e95e39919cf7ead010b7", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python", "description": "Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.", "modified": "2022-09-22T00:02:31.511000", "created": "2022-08-23T14:51:09.684000", "tags": [ "XCSSET", "malware", "macOS", "SHC-compiled", "AppleScript" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 485, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 37, "domain": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386609, "modified_text": "1348 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b8a03d858edc9cb782d646", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python", "description": "SentinelOne has been named the world\u2019s leading provider of self-defending endpoint security services for the fourth year in a row, beating rivals such as CrowdStrike, RSA and IBM.", "modified": "2025-03-23T15:02:20.895000", "created": "2025-02-21T15:48:13.289000", "tags": [ "xcsset", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "dock", "vlad", "june", "malware", "protect", "mrt" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MRT", "display_name": "MRT", "target": null }, { "id": "XCSSET", "display_name": "XCSSET", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dataendure_soc", "id": "59789", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "434 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6306b424e5c5c4d5a5d4e058", "name": "XCSSET Malware Updates with Python 3 to Target macOS Monterey Users", "description": "", "modified": "2022-09-24T00:01:35.234000", "created": "2022-08-24T23:28:36.909000", "tags": [], "references": [ "August 25th, 2022 - CryptoGen Cyber Threat Intelligence -XCSSET Malware Updates with Python 3 to Target macOS Monterey Users .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 503, "modified_text": "1346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6305d7aa39c809c84d58846b", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python - SentinelOne", "description": "SentinelOne is an industry-leading cybersecurity platform that delivers the security you need to prevent, detect, undo and prevent cyber-threats, and offers a range of solutions to all types of challenges.", "modified": "2022-09-23T00:00:05.122000", "created": "2022-08-24T07:47:54.231000", "tags": [ "xcsset", "threat", "mrt", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "vlad", "june", "malware", "protect" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "MRT", "display_name": "MRT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6305ee45df0790b2c0ed56e6", "name": "XCSSET Malware Updates with Python 3 to Target macOS Monterey Users", "description": "The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3.\n\n\"The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022,\" SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report.", "modified": "2022-09-23T00:00:05.122000", "created": "2022-08-24T09:24:21.096000", "tags": [ "xcsset", "threat", "mrt", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "vlad", "june", "malware", "protect" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/", "https://thehackernews.com/2022/08/xcsset-malware-updates-with-python-3-to.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "MRT", "display_name": "MRT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6305d7aa39c809c84d58846b", "export_count": 340, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "1347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6306091e19e7796c6eb31ece", "name": "XCSSET IOCs", "description": "The full text of the text and characters that have been added to Apple and Google's operating systems, as well as the web browser, can now be viewed on Apple, Google and other sites.", "modified": "2022-09-23T00:00:05.122000", "created": "2022-08-24T11:18:54.880000", "tags": [], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 37, "FileHash-SHA256": 10, "domain": 7 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6304dcda56532012fecb253f", "name": "XCSSET Malware Update", "description": "Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.", "modified": "2022-09-22T00:02:31.511000", "created": "2022-08-23T13:57:46.809000", "tags": [ "xcsset", "apple", "applescripts", "malware", "Dropper", "Exfiltration" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jgomez1677", "id": "99942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 37, "domain": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1348 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6303d35b01f2d1a82bda7831", "name": "XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python - SentinelOne", "description": "SentinelOne is an industry-leading cybersecurity platform that delivers the security you need to prevent, detect, undo and prevent cyber-threats, and offers a range of solutions to all types of challenges.", "modified": "2022-09-21T00:02:24.222000", "created": "2022-08-22T19:04:59.499000", "tags": [ "xcsset", "threat", "mrt", "apple", "xcsset malware", "monterey", "applescripts", "github", "twitter account", "august", "frameworks", "dockutil", "april", "python", "virustotal", "compiler", "osaminer", "tencent", "vlad", "june", "malware", "protect" ], "references": [ "https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XCSSET", "display_name": "XCSSET", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "MRT", "display_name": "MRT", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 37, "domain": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "superdocs.ru", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "superdocs.ru", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780284194.5299265 }