{
  "Event": {
    "analysis": "1",
    "date": "2026-04-08",
    "extends_uuid": "",
    "info": "[Threat Intel] A new Mac stealer targeting $10K+ crypto wallets",
    "protected": false,
    "publish_timestamp": "1776767189",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776767189",
    "uuid": "c4af9327-6041-4a3b-99f2-33c7af75c9ad",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#15723e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Launch Agent - T1543.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f439e5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Spain\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308424",
        "to_ids": false,
        "type": "link",
        "uuid": "076f91b0-7e6b-457a-9da7-f8e6b5cf3009",
        "value": "https://moonlock.com/notorious-hacker-returns-notnullosx-stealer",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308424",
        "to_ids": false,
        "type": "text",
        "uuid": "ac0c6284-a1fc-4582-89a7-8097f02596dc",
        "value": "A sophisticated macOS stealer called notnullOSX emerged in March 2026, developed by threat actor alh1mik (formerly 0xFFF) who returned after a 2023 exit from underground forums. This Go-written modular stealer exclusively targets macOS users with cryptocurrency holdings exceeding $10,000. Distribution occurs through ClickFix social engineering and malicious DMG files disguised as legitimate applications like WallSpace. The malware employs a modular architecture with specialized components to exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. By social-engineering victims into granting Full Disk Access, notnullOSX bypasses macOS TCC protections without triggering permission dialogs. The stealer maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and backdoor with remote module update capabilities."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308424",
        "to_ids": false,
        "type": "text",
        "uuid": "7a44bcc7-2513-4bca-9d23-bfe441425ebd",
        "value": "Name: A new Mac stealer targeting $10K+ crypto wallets\nAuthor: AlienVault\nAdversary: alh1mik\nTags: [\"cryptocurrency theft\", \"poseidon stealer\", \"macos stealer\", \"atomic macos stealer\", \"notnullosx\", \"clickfix\"]\nTgtd countries: [\"Spain\", \"Taiwan\"]\nMlwr families: [\"notnullOSX\", \"Atomic macOS Stealer\", \"Poseidon Stealer\", \"Banshee\", \"Cthulhu\"]\nAttack_ids: [\"T1056.001\", \"T1539\", \"T1036.005\", \"T1204.002\", \"T1566.002\", \"T1119\", \"T1005\", \"T1140\", \"T1555.003\", \"T1552.004\", \"T1087\", \"T1083\", \"T1552.001\", \"T1041\", \"T1059.004\", \"T1562.001\", \"T1573.002\", \"T1543.001\", \"T1071.001\", \"T1564.001\"]\nIndustries: [\"Finance\", \"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308424",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "60106112-3708-4981-bd43-e0bcd0702786",
        "value": "alh1mik"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692142",
        "to_ids": true,
        "type": "domain",
        "uuid": "d384a703-16c4-4be0-90f4-78eb5d08964e",
        "value": "coockie.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692163",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a10c8868-0b4a-4f51-b8cf-7b93f0cbbaf9",
        "value": "83.217.209.88",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692011",
        "to_ids": true,
        "type": "sha256",
        "uuid": "13f7c566-403c-40c7-8410-27c634775ccd",
        "value": "4584d02b5193799453766857dba97021f966b9cbf6033d7dd3a33d61eb975a6c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692012",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9a13153a-78b7-4676-a117-600b692c7c02",
        "value": "47373950e1d23c066de0ed2d511b4b7eea56ec22d7b501db265995fec51dbb44",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692012",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9866e8ff-8dd4-479a-b830-0af8ec5291a0",
        "value": "82cb3a22c90aee6cfc2f7e7f72e921e21226492c1d424d2b754b9cd763ab0b20",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692013",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ed5c2e08-0598-46cb-b859-aa846faa5ff7",
        "value": "b73adc5dc04159241e4a89cbc82eaa381f406080f3aaaa1f27d145900dd54267",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776766991",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f11744de-0c89-45b4-b2e9-8b2a5aa407f4",
        "value": "111.90.149.111",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          },
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692205",
        "to_ids": true,
        "type": "url",
        "uuid": "f912792d-d782-4170-b30d-63ba68cc33d4",
        "value": "http://wallpapermacos.com/download/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692226",
        "to_ids": true,
        "type": "domain",
        "uuid": "359d6dad-754a-4616-8786-3a8fa3b65fb4",
        "value": "wallpapermacos.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692247",
        "to_ids": true,
        "type": "domain",
        "uuid": "6c0a0379-9d09-4e72-a26a-49d99794aa92",
        "value": "wallspaceapp.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692269",
        "to_ids": true,
        "type": "hostname",
        "uuid": "10f37614-adf4-4690-92e8-5a2e26664b8f",
        "value": "mactest-6b2ab-default-rtdb.firebaseio.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692290",
        "to_ids": true,
        "type": "hostname",
        "uuid": "758722c1-5705-48c2-9e57-f9fd9d7ef8ca",
        "value": "cdn.filestackcontent.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692311",
        "to_ids": true,
        "type": "url",
        "uuid": "b03f2c02-d057-4887-a147-2daca82de523",
        "value": "https://www.youtube.com/watch?v=nbH5KJGYBHk",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692333",
        "to_ids": true,
        "type": "url",
        "uuid": "c2d3bad2-54f3-42ba-b4b4-c938ff7e8610",
        "value": "https://www.youtube.com/@wallspacemacos",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Location of the bash installer script, hosted on a Shinjiru IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776767012",
        "to_ids": true,
        "type": "url",
        "uuid": "cadcc90c-992b-4a69-a3dd-2887d73944f3",
        "value": "http://111.90.149.111:8080/installer",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776692354",
        "uuid": "0840e331-0cab-4bfc-9852-dc905f6dd32c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776692354",
            "to_ids": true,
            "type": "md5",
            "uuid": "04cdbd2f-d2ff-4a35-8215-b139fefaca82",
            "value": "c4c249ee87fbda08834e5883f8626db1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692006",
            "to_ids": true,
            "type": "sha1",
            "uuid": "63367b17-ac1a-47db-a0d5-a2f7b1ed306e",
            "value": "95bd38a6d71d4af22a05dbf1f4b316ab259ca717",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692006",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f2c77661-d571-4923-bfb5-f1b4f63a4e7c",
            "value": "070402c2c531aa3a87b9ccd080532a51d17b01d982b205fc4487246d58de8913",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776688876",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f01627ff-eee4-40cf-87d6-a25aba65c368",
            "value": "96:moCBAUyj70j1F8AhKRKhIREvYDYzQ3QrC/vIys1kGiLzlysi7Z0v:m1BAUyjwgAhKRKhIREvYDYzQ3QrC/v1T"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776688876",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "554d997b-48bd-4f94-b197-83faeef77f8a",
            "value": "5112"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776688876",
            "to_ids": true,
            "type": "filename",
            "uuid": "e6efc4e4-7088-41a6-90be-afbedebe1f23",
            "value": "070402c2c531aa3a87b9ccd080532a51d17b01d982b205fc4487246d58de8913.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776688876",
            "to_ids": false,
            "type": "text",
            "uuid": "bb14f106-a7a1-47b8-9a44-94d01be62c31",
            "value": "Type Description: Shell script\nMicrosoft: None\nVT Total Detection:21/62\nFirst Submission:2026-03-13T15:58:24.000000+00:00\nLast Submission:2026-04-19T23:19:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776692375",
        "uuid": "afcd285b-aba3-4e05-aefa-69e6fda60ce2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776692375",
            "to_ids": true,
            "type": "md5",
            "uuid": "bb263998-c0eb-46e3-93f5-e102e7745ef1",
            "value": "a1f06c2c83835259998f2d9d518ee2f6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692007",
            "to_ids": true,
            "type": "sha1",
            "uuid": "842426d6-2ea1-415a-bed8-c6fefad0fb07",
            "value": "6f6527f10c9f8d0dae55eed942cf2d6ca154bb44",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692007",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bd71a7e6-dd0e-4719-aa6d-63d6835b1e26",
            "value": "636fa90aebab98534dcdbe50508ed8d3607c284c72f831a4503e223540d3f761",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776688940",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "53fbc79b-6aa8-41ee-b89a-ac8be4d7ec97",
            "value": "3072:jxLndcnBPG37uGKugHl7Sy7BE1xCi6fu9bLGxoPS1Avy9mTTILiq1DPLd+El:jgNGKGdaQoKxCi6fuRGGZvM04Dzd+E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776688940",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6ecffb3f-28f7-4c8f-97f1-e34745c73b86",
            "value": "221285"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776688940",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0e0913d7-ebbd-4268-b891-dd26a3a99c7f",
            "value": "bfa277e368cf771cb8ca581bbe87486c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776688940",
            "to_ids": true,
            "type": "filename",
            "uuid": "393b4a4c-9d36-4706-9b63-9baa873dc7e0",
            "value": "Oauth3API.dmg"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776688940",
            "to_ids": false,
            "type": "text",
            "uuid": "a7d1bcaa-08d9-49c6-88e8-3d19a10a54b3",
            "value": "Type Description: Macintosh Disk Image\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:21/62\nFirst Submission:2026-03-13T13:43:45.000000+00:00\nLast Submission:2026-03-27T10:14:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776692396",
        "uuid": "a5cce7ef-cd5e-4514-9bc1-adbc1db05342",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776692396",
            "to_ids": true,
            "type": "md5",
            "uuid": "1eac6389-0007-4558-a9bb-640238621e41",
            "value": "ddf5c959ef9d990152d39c90b5efbfde",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692008",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c3e051aa-6617-4ba8-8ce1-379a12c32008",
            "value": "a11ddc54e5eb9242ac04244d18b6b8e3ae2e9f97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692008",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d7fe0951-aa13-4c21-a9fd-655b5ab09a81",
            "value": "8d029b65c1076141d4817f25428cef44888b2fb4349ab9b9df7a413d240e1177",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776688983",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cb7f8aff-5d8b-4c2d-a8a6-a9c7d9d5a6fc",
            "value": "6144:aWrgTNKQkzpYV9wdeSSwDqmJBmAsyxx2diTV3TI3kdjwSx:hcBKtKgdeS2MBqUx2dt3FU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776688983",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c2d7b605-322c-4390-a80b-aed6614d1a4c",
            "value": "298907"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776688983",
            "to_ids": true,
            "type": "filename",
            "uuid": "37c069c8-dc04-4f5a-a375-0dbae44d9267",
            "value": "Install.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776688983",
            "to_ids": false,
            "type": "text",
            "uuid": "e966e879-55fb-49e1-9216-2f50e5406303",
            "value": "Type Description: Shell script\nMicrosoft: None\nVT Total Detection:23/62\nFirst Submission:2026-03-14T12:40:37.000000+00:00\nLast Submission:2026-04-19T23:17:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776692417",
        "uuid": "8bbea3d9-e212-4027-a9fa-0ca105146a36",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776692417",
            "to_ids": true,
            "type": "md5",
            "uuid": "e586575c-11af-4650-9d26-3f1e5e21d610",
            "value": "85870d9889492e3df9fbec630bbb5fde",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692009",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8d2eaba6-9f77-456b-83f9-db1fd801cd75",
            "value": "a549035a4c72ae3cd091767d90457314a623ddd0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692009",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f5876661-728b-48dd-8467-d9834aad7aaa",
            "value": "b0cd860f18b0136e063d7ef9a3c84d138a1a21dbea019605ce66a3a1fad91db4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689005",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3001359e-ff20-4b35-b9eb-b2aaf8f4bd71",
            "value": "393216:D1tJCH8iiq51rGJ4TFa46P4R8KAzjlNjo2ZbMM4p4wZ:D1zCciiq5BTAZzUUOZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689005",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "be212dce-3f54-4cdd-b45e-c608f5b0e579",
            "value": "29091072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689005",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c7067f7d-97c9-4709-bfb1-f05ba8af13d9",
            "value": "73e253f750fd7f3598b0e99d5f603f1f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689005",
            "to_ids": true,
            "type": "filename",
            "uuid": "3d4bb116-5122-4c33-8bc5-4126f1dba3a8",
            "value": "b0cd860f18b0136e063d7ef9a3c84d138a1a21dbea019605ce66a3a1fad91db4.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689005",
            "to_ids": false,
            "type": "text",
            "uuid": "bb2facd4-b5d5-4d10-883d-76622aff8d4f",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:25/64\nFirst Submission:2026-03-13T16:03:59.000000+00:00\nLast Submission:2026-03-21T15:30:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776692438",
        "uuid": "061c5686-ebd3-4d7b-a658-c79151303b38",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776692438",
            "to_ids": true,
            "type": "md5",
            "uuid": "14eeff87-2197-42e8-ba60-13d0eb9290f5",
            "value": "48ac3d7ed39152844b8b3112563cfcf7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692010",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0f167f74-597a-465c-a548-3c485c8dc43e",
            "value": "98d0f9b2c7cfb3e137dee4172bbc1c8e2af7fbb7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692010",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0e8a13d0-0e7d-4462-ae7b-2ff45aa8a898",
            "value": "ff7f0c39aa90ed8f4ce24658a347e7871bb5f6a607eaedf2cf2859a1fb5782a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689047",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d5041203-3c2f-40c4-80bc-aaae5b0fd640",
            "value": "393216:vf52OdrDiD47LliwdGi+Hny0dfesyKgsDF/ZV2V:vfcOdDiDA/AdtfDFKV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689048",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d93a0735-1011-480b-a4fd-5cd535e37248",
            "value": "29108560"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689048",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9d4a770c-f623-453b-a3ec-b1eb5d58cfa6",
            "value": "73e253f750fd7f3598b0e99d5f603f1f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689048",
            "to_ids": true,
            "type": "filename",
            "uuid": "ca7508e0-fb91-47b7-a784-2b38232d23a7",
            "value": "client_111"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689048",
            "to_ids": false,
            "type": "text",
            "uuid": "d07af237-acaf-41fa-9c34-9931c70373b3",
            "value": "Type Description: Mach-O\nMicrosoft: Program:MacOS/Multiverze!rfn\nVT Total Detection:21/64\nFirst Submission:2026-03-13T13:47:33.000000+00:00\nLast Submission:2026-03-30T12:22:45.000000+00:00"
          }
        ]
      }
    ]
  }
}