{
  "Event": {
    "analysis": "1",
    "date": "2026-04-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Dissecting macOS intrusion from lure to compromise",
    "protected": false,
    "publish_timestamp": "1776767202",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776767202",
    "uuid": "c34798e4-a736-4edc-8e82-14946c70d473",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#838eb9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keychain - T1555.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#89bea3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"AppleScript - T1059.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"",
        "relationship_type": ""
      },
      {
        "colour": "#867a84",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Launch Daemon - T1543.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b2e13",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Plist Modification - T1547.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Lazarus Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"STARDUST CHOLLIMA\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776423615",
        "to_ids": false,
        "type": "link",
        "uuid": "981ef08b-5905-4866-aba4-6ea0962d8e08",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776423615",
        "to_ids": false,
        "type": "text",
        "uuid": "2f850d17-a190-405c-9b5d-babd104e14bb",
        "value": "Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by North Korean threat actor Sapphire Sleet utilizing social engineering to compromise systems. The attack chain begins with a malicious AppleScript file disguised as a Zoom SDK update, which executes cascading payloads through curl-to-osascript chains. The campaign deploys multiple backdoors including com.apple.cli, services, icloudz, and com.google.chromes.updaters for persistence and command execution. Credential harvesting occurs through fake system dialogs that mimic legitimate macOS password prompts. The threat actor bypasses Transparency, Consent, and Control protections by directly manipulating the TCC database, enabling extensive data exfiltration targeting cryptocurrency wallets, browser credentials, Telegram sessions, SSH keys, and Apple Notes. Operations focus on cryptocurrency, finance, and blockchain organizations with the primary objective of stealing digital assets."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776423615",
        "to_ids": false,
        "type": "text",
        "uuid": "edfd1378-5514-49c4-8fa5-06be914d6090",
        "value": "Name: Dissecting macOS intrusion from lure to compromise\nAuthor: AlienVault\nAdversary: STARDUST CHOLLIMA\nTags: [\"social engineering\", \"north korea\", \"systemupdate.app\", \"tcc bypass\", \"com.google.chromes.updaters\", \"applescript\", \"services\", \"softwareupdate.app\", \"cryptocurrency theft\", \"com.apple.cli\", \"macos\", \"sapphire sleet\", \"credential harvesting\", \"icloudz\"]\nTgtd countries: []\nMlwr families: [\"com.apple.cli\", \"services\", \"icloudz\", \"com.google.chromes.updaters\", \"systemupdate.app\", \"softwareupdate.app\"]\nAttack_ids: [\"T1539\", \"T1548.002\", \"T1555.001\", \"T1119\", \"T1059.002\", \"T1005\", \"T1560\", \"T1543.004\", \"T1555.003\", \"T1547.011\", \"T1552.001\", \"T1204\", \"T1041\", \"T1566\", \"T1027\", \"T1573\", \"T1102.002\", \"T1071.001\", \"T1105\"]\nIndustries: [\"Finance\", \"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776683953",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "4ccdb3f3-9c7b-4c46-9c5f-dacd4a136959",
        "value": "Sapphire Sleet",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"Lazarus Group\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"STARDUST CHOLLIMA\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693934",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c40915ef-31bd-456d-811d-c8374d24bd57",
        "value": "83.136.209.22",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693955",
        "to_ids": true,
        "type": "domain",
        "uuid": "b13c8d05-7ebf-4645-a419-9c4cb68a3518",
        "value": "uw04webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693976",
        "to_ids": true,
        "type": "domain",
        "uuid": "f504f58d-36bd-406d-ad9a-59b59beca6f8",
        "value": "ur01webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693997",
        "to_ids": true,
        "type": "domain",
        "uuid": "76f0aa70-ba6d-49ff-9545-2a9d92d80acb",
        "value": "uv01webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694019",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4fe53836-7ec2-450a-b872-0d82cda0b91b",
        "value": "188.227.196.252",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692042",
        "to_ids": true,
        "type": "sha256",
        "uuid": "50a2c1c6-af0c-46be-9cbd-93a587edd855",
        "value": "2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692043",
        "to_ids": true,
        "type": "sha256",
        "uuid": "7331b280-439b-4823-98c0-57a48face25e",
        "value": "5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692044",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b1e4025b-9438-41ac-944f-3b3dbc14cdd5",
        "value": "95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694040",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6582221b-2826-4bd8-a3a9-b5615c920335",
        "value": "104.145.210.107",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694061",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d74b1a23-d1bf-48f9-988a-5d42dc36db06",
        "value": "83.136.208.246",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694082",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4989e887-4e29-4d35-b149-0d23fffa18b0",
        "value": "83.136.208.48",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694104",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b56a9c44-9830-47f4-be70-6895bea8068e",
        "value": "83.136.210.180",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694125",
        "to_ids": true,
        "type": "domain",
        "uuid": "79f4e346-a4b2-40cb-be9b-3b7ed0b03123",
        "value": "check02id.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694146",
        "to_ids": true,
        "type": "domain",
        "uuid": "46818501-5546-4020-84c8-859113cf24d8",
        "value": "uv03webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694167",
        "to_ids": true,
        "type": "domain",
        "uuid": "af1d90d8-187e-4ed3-94fb-f61c19fe7516",
        "value": "uv04webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694189",
        "to_ids": true,
        "type": "domain",
        "uuid": "89b4d186-cb27-4b7d-95fd-346a5ba6c13c",
        "value": "uw03webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694210",
        "to_ids": true,
        "type": "domain",
        "uuid": "5ec05f60-f5f0-49de-aa4e-2cd4f0448fb2",
        "value": "uw05webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776694231",
        "to_ids": true,
        "type": "domain",
        "uuid": "cedf2cce-b604-4a5b-b15a-c80d6c2ae6e2",
        "value": "ux06webzoom.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776694252",
        "uuid": "50757c25-bdfa-45d8-a03a-1d83c1e10e3f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776694252",
            "to_ids": true,
            "type": "md5",
            "uuid": "3ab16c5f-7059-46e9-b56d-b66f294c2daa",
            "value": "1b5c78314e947ddf81cf9a59cd2a3029",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692037",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b09c6d5c-1add-460f-88bb-5b82ae2ca393",
            "value": "38c2970b855d1f15bcd695cd2a5873394be5ccb4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692037",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f324c373-acfc-478c-a7da-59081495bdb2",
            "value": "05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689598",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "036de4b5-0a39-42f0-9e02-c593f5763d65",
            "value": "98304:8tWy/xdXmuJ+mcSkKi6xPbBCguDTRIaOG0wvgIBn2YRURm8INbO65d:8xvXmu6SvPoguDTRHOG0wv4YSRQNq6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689598",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "72a9fe62-5128-4fe0-92bb-a9d02aba6fc8",
            "value": "5246536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689598",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3dff4a4c-caeb-4bc9-ad20-72d6360c91fc",
            "value": "e77891e9cac024e7fdbbe145962206f5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689598",
            "to_ids": true,
            "type": "filename",
            "uuid": "27d96deb-8d92-4cc5-95d1-02d6a8d753c5",
            "value": "com.apple.cli"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast scan: 18/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689598",
            "to_ids": false,
            "type": "text",
            "uuid": "b913c471-15ce-446b-9429-fa2fe2448046",
            "value": "Type Description: Mach-O\nMicrosoft: Backdoor:MacOS/FlowOffset.B!dha\nVT Total Detection: 27/64\nFirst Submission: 2026-01-29T08:53:07.000000+00:00\nLast Submission: 2026-04-08T07:46:27.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776694273",
        "uuid": "1f9c311a-1dc5-440c-9925-479666238381",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776694273",
            "to_ids": true,
            "type": "md5",
            "uuid": "3ef94034-0f22-4428-ac91-af747af783de",
            "value": "68a8bbcb7b30c25dcca741ff7a67d36b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692038",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a686a4ee-de08-4401-93ed-99b8508bfba9",
            "value": "d0fc58c7aa07855d341f4b92d70ea05008574a2d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692039",
            "to_ids": true,
            "type": "sha256",
            "uuid": "17a0cb38-3a45-4227-9bcc-c88d8ac8508e",
            "value": "5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689662",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "521c9c0c-9dfc-49ef-a4e9-8f023267f653",
            "value": "98304:t8uj/T/bQVW1T/d8QV6ZRHHLRLm3Hrld3wDiutAudt9HvzSJxOVSX98Noq66FWY9:tn/iWTF7V6ZRLRmL3wDptAudtZzAOZW4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689662",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c026e740-9799-4d6c-844d-4e8d21045114",
            "value": "5565952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689662",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2601afd1-cd12-4a1b-96fa-f8053e7bfadb",
            "value": "fc6cd2674c5d8934c84f3bce9ca3223a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689662",
            "to_ids": true,
            "type": "filename",
            "uuid": "95a1dd12-0a39-4e6d-937a-f1452ac6b3b9",
            "value": "services"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan: 17/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689662",
            "to_ids": false,
            "type": "text",
            "uuid": "b7a0aa10-2e8c-4b39-960d-7799d961dd3d",
            "value": "Type Description: Mach-O\nMicrosoft: Backdoor:MacOS/FlowOffset.C!dha\nVT Total Detection:27/64\nFirst Submission:2026-02-03T19:38:55.000000+00:00\nLast Submission:2026-02-03T19:39:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776694295",
        "uuid": "193200c4-fbb7-461c-b84a-b27c78a842ce",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776694295",
            "to_ids": true,
            "type": "md5",
            "uuid": "115c9a06-d270-4ef3-b448-14a3401e5dd8",
            "value": "d6511c84da303ed2a93dab5c91538b7d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692039",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dbb4cfe9-2687-4a96-a4db-ba218102720e",
            "value": "e47a68b3c0d40178e41c817b309da9c4462b4793",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692039",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0c377363-f00a-415a-bedc-ce7a455ec07b",
            "value": "8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689684",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b0502618-82c4-4c1b-8a5c-654230a3aa83",
            "value": "6144:NzC/A/9Ncae6O+swtWVu0AGv2I2xklMMYjq5:Nzj/6wWVu0AXIBlM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689684",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "842cab04-8691-4995-85cf-a270b59ca333",
            "value": "556208"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689684",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6375c992-14dd-4444-b456-4468bb332389",
            "value": "ba11f5f78b61e399d98c11360f079e29"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689684",
            "to_ids": true,
            "type": "filename",
            "uuid": "97fabca9-0db7-4c6b-a7ed-0cb841042abe",
            "value": "Mac Password Popup"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan: 20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689684",
            "to_ids": false,
            "type": "text",
            "uuid": "0c832cbb-f3b5-4ca5-9ae3-b3e1c2508f08",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/FlowOffset.D!dha\nVT Total Detection:14/64\nFirst Submission:2025-11-28T08:18:04.000000+00:00\nLast Submission:2026-02-06T21:12:12.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776694316",
        "uuid": "894679e7-6af7-4b9f-9ac3-c4e3ac402495",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776694316",
            "to_ids": true,
            "type": "md5",
            "uuid": "eeeca1ca-a08d-44f2-bdcc-d9b7bb3c86e5",
            "value": "e5f0d28260a60c041ede761c31f324da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692041",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5ee8febd-e3eb-4a7e-ace4-8a2370a36f3b",
            "value": "f8dacf0d163c63561a14593d19f356a2054b08b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692041",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3da89d8f-18af-482a-b5fd-d363f3f9686f",
            "value": "a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689727",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "993c8fd7-189d-47d3-95b6-8d6b89bb2c42",
            "value": "3072:+j5ayec6tXan63CMM2uOo3oKcGl4XX4WnsAsua6PopKYXNz0z14WR8fz+gicP4Wy:+z6Ba6SMypcm4XoesQo4qAza88Ir9s"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689727",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "68a282c6-6f2c-4a83-9048-b117eb02b7ad",
            "value": "452480"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689727",
            "to_ids": true,
            "type": "vhash",
            "uuid": "11ce80f7-35c2-4444-b15c-2fe90d12ce7c",
            "value": "faebb11e01c920cf8d59ad16a0ee79cf"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689727",
            "to_ids": true,
            "type": "filename",
            "uuid": "ee5f0380-1b14-40fa-9b76-f9d5c28d260d",
            "value": "Mac Password Popup"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan: 20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689727",
            "to_ids": false,
            "type": "text",
            "uuid": "08b71846-f422-4464-98df-8a6469831835",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/FlowOffset.E!dha\nVT Total Detection:15/64\nFirst Submission:2025-11-28T07:39:09.000000+00:00\nLast Submission:2026-02-06T21:11:11.000000+00:00"
          }
        ]
      }
    ]
  }
}