{
	"id": "253ff1c2-fca9-47bc-a04f-a0e1eb753dea",
	"created_at": "2026-04-06T00:14:08.804162Z",
	"updated_at": "2026-04-10T03:35:26.018526Z",
	"deleted_at": null,
	"sha1_hash": "2a0fc9b84b30dde75516a01ebe5dec0b7bba2ac8",
	"title": "Rewterz Threat Alert – GIMMICK Malware - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36557,
	"plain_text": "Rewterz Threat Alert – GIMMICK Malware - Active IOCs -\r\nRewterz\r\nPublished: 2022-03-25 · Archived: 2026-04-05 17:09:56 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nGIMMICK Malware is a newly discovered malware used by a Chinese espionage threat actor called “Storm\r\nCloud”. GIMMICK is a macOS variant of the malware and researchers previously discovered a Windows version\r\nof the malware as well. The malware is written in Objective C and uses Google Drive (and other public cloud\r\nhosting services) for C2 channels. The malware is also configured to communicate with its C2 server on working\r\ndays to blend in with network traffic in the target environment. The Chinese APT group has been targeting Tibetan\r\norganizations and individuals since at least 2018.\r\nImpact\r\nData Loss\r\nFile Encryption\r\nFinancial Loss\r\nIndicators of Compromise\r\nMD5\r\n23699799f496b8e872d05f19d2b397f8\r\n66c52c5bc096e15d984ae12fa0589b2f\r\nSHA-256\r\n2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f\r\nb554bfe4c2da7d0ac42d1b4f28f4aae854331fd6d2b3af22af961f6919740234\r\nSHA-1\r\nfe3a3e65b86d2b07654f9a6104c8cb392c88b7e8\r\n038e6c73d7235d9942ba9f4cc48cf2626c940dc7\r\nRemediation\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs\r\nPage 1 of 2\n\nBlock all threat indicators at your respective controls.\r\nSearch for IOCs in your environment.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-gimmick-malware-active-iocs"
	],
	"threat_actors": [
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a0fc9b84b30dde75516a01ebe5dec0b7bba2ac8.pdf",
		"text": "https://archive.orkl.eu/2a0fc9b84b30dde75516a01ebe5dec0b7bba2ac8.txt",
		"img": "https://archive.orkl.eu/2a0fc9b84b30dde75516a01ebe5dec0b7bba2ac8.jpg"
	}
}