{ "type": "Domain", "indicator": "zkcall.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zkcall.net", "alexa": "http://www.alexa.com/siteinfo/zkcall.net", "indicator": "zkcall.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4167169409, "indicator": "zkcall.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6949f798ff6abcb62cd7546e", "name": "MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware", "description": "MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an encoded script from a remote server and executes it via a Swift-built helper executable. The installer is signed with Developer Team ID GNJLS3UYZ4 and contains decoy files to inflate its size. The malware performs various checks, including internet connectivity and execution timing, before downloading and executing the second-stage payload. This evolution reflects a broader trend in macOS malware, where attackers attempt to bypass security measures by using signed and notarized executables.", "modified": "2025-12-23T09:13:13.587000", "created": "2025-12-23T01:59:52.660000", "tags": [ "notarized", "evasion", "macsync stealer", "macos", "infostealer", "code-signed", "dropper", "odyssey infostealer", "swift" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis" ], "public": 1, "adversary": "MacSync Stealer", "targeted_countries": [], "malware_families": [ { "id": "MacSync Stealer", "display_name": "MacSync Stealer", "target": null }, { "id": "Odyssey infostealer", "display_name": "Odyssey infostealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 378587, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69665ded0012eb61b7c63c52", "name": "MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware \u2014 Jamf Threat Labs", "description": "", "modified": "2026-01-13T14:59:57.708000", "created": "2026-01-13T14:59:57.708000", "tags": [ "apple", "macsync stealer", "jamf threat", "labs", "jamf", "iocs", "virustotal" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "100 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69624fae26367aea519fa4c0", "name": "MacSync Stealer Exploiting Signed macOS Apps to Bypass Gatekeeper", "description": "", "modified": "2026-01-10T13:10:06.819000", "created": "2026-01-10T13:10:06.819000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 487, "modified_text": "103 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b746998641e6d95f1d738", "name": "MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware", "description": "", "modified": "2025-12-24T05:04:41.530000", "created": "2025-12-24T05:04:41.530000", "tags": [ "notarized", "evasion", "macsync stealer", "macos", "infostealer", "code-signed", "dropper", "odyssey infostealer", "swift" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis" ], "public": 1, "adversary": "MacSync Stealer", "targeted_countries": [], "malware_families": [ { "id": "MacSync Stealer", "display_name": "MacSync Stealer", "target": null }, { "id": "Odyssey infostealer", "display_name": "Odyssey infostealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "6949f798ff6abcb62cd7546e", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "121 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a27426099dffe56e7a50a", "name": "MacOS Infostealer Evolves With Notarized Swift Payloads", "description": "Find out more about Jamf: The most complete Apple device management and security solution, available at \u00c2\u00a31.5m ($2.6m) in the UK, Ireland, Scotland and Wales.", "modified": "2025-12-23T05:23:14.372000", "created": "2025-12-23T05:23:14.372000", "tags": [ "apple", "macsync stealer", "jamf threat", "labs", "jamf", "iocs", "virustotal", "macsync" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MacSync", "display_name": "MacSync", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "122 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis", "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/", "Book2.csv" ], "related": { "alienvault": { "adversary": [ "MacSync Stealer" ], "malware_families": [ "Odyssey infostealer", "Macsync stealer" ], "industries": [] }, "other": { "adversary": [ "MacSync Stealer", "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing" ], "malware_families": [ "Macsync", "Odyssey infostealer", "Macsync stealer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6949f798ff6abcb62cd7546e", "name": "MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware", "description": "MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an encoded script from a remote server and executes it via a Swift-built helper executable. The installer is signed with Developer Team ID GNJLS3UYZ4 and contains decoy files to inflate its size. The malware performs various checks, including internet connectivity and execution timing, before downloading and executing the second-stage payload. This evolution reflects a broader trend in macOS malware, where attackers attempt to bypass security measures by using signed and notarized executables.", "modified": "2025-12-23T09:13:13.587000", "created": "2025-12-23T01:59:52.660000", "tags": [ "notarized", "evasion", "macsync stealer", "macos", "infostealer", "code-signed", "dropper", "odyssey infostealer", "swift" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis" ], "public": 1, "adversary": "MacSync Stealer", "targeted_countries": [], "malware_families": [ { "id": "MacSync Stealer", "display_name": "MacSync Stealer", "target": null }, { "id": "Odyssey infostealer", "display_name": "Odyssey infostealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 378587, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69665ded0012eb61b7c63c52", "name": "MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware \u2014 Jamf Threat Labs", "description": "", "modified": "2026-01-13T14:59:57.708000", "created": "2026-01-13T14:59:57.708000", "tags": [ "apple", "macsync stealer", "jamf threat", "labs", "jamf", "iocs", "virustotal" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "100 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69624fae26367aea519fa4c0", "name": "MacSync Stealer Exploiting Signed macOS Apps to Bypass Gatekeeper", "description": "", "modified": "2026-01-10T13:10:06.819000", "created": "2026-01-10T13:10:06.819000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 487, "modified_text": "103 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b746998641e6d95f1d738", "name": "MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware", "description": "", "modified": "2025-12-24T05:04:41.530000", "created": "2025-12-24T05:04:41.530000", "tags": [ "notarized", "evasion", "macsync stealer", "macos", "infostealer", "code-signed", "dropper", "odyssey infostealer", "swift" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis" ], "public": 1, "adversary": "MacSync Stealer", "targeted_countries": [], "malware_families": [ { "id": "MacSync Stealer", "display_name": "MacSync Stealer", "target": null }, { "id": "Odyssey infostealer", "display_name": "Odyssey infostealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "6949f798ff6abcb62cd7546e", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "121 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a27426099dffe56e7a50a", "name": "MacOS Infostealer Evolves With Notarized Swift Payloads", "description": "Find out more about Jamf: The most complete Apple device management and security solution, available at \u00c2\u00a31.5m ($2.6m) in the UK, Ireland, Scotland and Wales.", "modified": "2025-12-23T05:23:14.372000", "created": "2025-12-23T05:23:14.372000", "tags": [ "apple", "macsync stealer", "jamf threat", "labs", "jamf", "iocs", "virustotal", "macsync" ], "references": [ "https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MacSync", "display_name": "MacSync", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "URL": 1, "domain": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "122 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zkcall.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zkcall.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1777033538.5950015 }