{
	"id": "fc34c806-571e-4adf-bc57-abe976030cb6",
	"created_at": "2026-04-06T00:06:09.846229Z",
	"updated_at": "2026-04-10T03:38:19.195377Z",
	"deleted_at": null,
	"sha1_hash": "6dcfc6e02e63f469d1eee60007f2a9c0fbf04938",
	"title": "AppleJeus: Analysis of North Korea’s Cryptocurrency Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 389501,
	"plain_text": "AppleJeus: Analysis of North Korea’s Cryptocurrency Malware |\r\nCISA\r\nPublished: 2021-04-15 · Archived: 2026-04-05 12:40:04 UTC\r\nSummary\r\nThis Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThis joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight\r\nthe cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of\r\nKorea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA,\r\nand Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including\r\ncryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading\r\napplications that have been modified to include malware that facilitates theft of cryptocurrency.\r\nThese cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year\r\nalone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent\r\ninternational sanctions on North Korea—the applications enable them to gain entry into companies that conduct\r\ncryptocurrency transactions and steal cryptocurrency from victim accounts. As highlighted in FASTCash 2.0:\r\nNorth Korea's BeagleBoyz Robbing Banks and Guidance on the North Korean Cyber Threat, North Korea’s state-sponsored cyber actors are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of\r\nmillions of dollars in cryptocurrency.[1][2][3] The U.S. 
Government refers to malicious cyber activity by the\r\nNorth Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps://www.us-cert.cisa.gov/northkorea.\r\nThe U.S. Government has identified malware and indicators of compromise (IOCs) used by the North Korean\r\ngovernment to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as “AppleJeus.”\r\nThis report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as\r\ncryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both\r\nWindows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus\r\nfooling individuals into downloading it as a third-party application from a website that seems legitimate. In\r\naddition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing,\r\nsocial networking, and social engineering techniques to lure users into downloading the malware.\r\nRefer to the following Malware Analysis Reports (MARs) for full technical details of AppleJeus malware and\r\nassociated IOCs.\r\nMAR-10322463-1.v1: AppleJeus – Celas Trade Pro\r\nMAR-10322463-2.v1: AppleJeus – JMT Trading\r\nMAR-10322463-3.v1: AppleJeus – Union Crypto\r\nMAR-10322463-4.v1: AppleJeus – Kupay Wallet\r\nMAR-10322463-5.v1: AppleJeus – CoinGoTrade\r\nMAR-10322463-6.v1: AppleJeus – Dorusio\r\nMAR-10322463-7.v1: AppleJeus – Ants2Whale\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-048a\r\nPage 1 of 22\n\nTechnical Details\r\nThe North Korean government has used multiple versions of AppleJeus since the malware was initially discovered\r\nin 2018. This section outlines seven of the versions below. The MARs listed above provide further technical\r\ndetails of these versions. 
Initially, HIDDEN COBRA actors used websites that appeared to host legitimate\r\ncryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other\r\ninitial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to\r\ndownload the malware.\r\nTargeted Nations\r\nHIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy,\r\nfinance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have\r\ntargeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark,\r\nEstonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands,\r\nNew Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the\r\nUnited Kingdom, Ukraine, and the United States (figure 1).\r\n Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020\r\nAppleJeus Versions Note\r\nThe version numbers used for headings in this document correspond to the order the AppleJeus campaigns were\r\nidentified in open source or through other investigative means. These versions may or may not be in the correct\r\norder to develop or deploy the AppleJeus campaigns.\r\nAppleJeus Version 1: Celas Trade Pro\r\nIntroduction and Infrastructure\r\nIn August 2018, open-source reporting disclosed information about a trojanized version of a legitimate\r\ncryptocurrency trading application on an undisclosed victim’s computer. The malicious program, known as Celas\r\nTrade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim\r\ncompany being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed\r\nto North Korea (HIDDEN COBRA) by the U.S. Government. 
FALLCHILL is a fully functional RAT with\r\nmultiple commands that the adversary can issue from a command and control (C2) server to infected systems via\r\nvarious proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware\r\n(Develop Capabilities: Malware [T1587.001 ]). Because of this, additional HIDDEN COBRA malware may be\r\npresent on systems compromised with FALLCHILL.[4]\r\nFurther research revealed that a phishing email from a Celas LLC company (Phishing: Spearphishing Link\r\n[T1566.002 ]) recommended the trojanized cryptocurrency trading application to victims. The email provided a\r\nlink to the Celas’ website, celasllc[.]com (Acquire Infrastructure: Domain [T1583.001 ]), where the victim\r\ncould download a Windows or macOS version of the trojanized application.\r\nThe celasllc[.]com domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to\r\nJanuary 23, 2021.\r\nThe celasllc[.]com domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL)\r\ncertificate (Obtain Capabilities: Digital Certificates [T1588.004 ]). The SSL certificate was “Domain Control\r\nValidated,” a weak security verification level that does not require validation of the owner’s identity or the actual\r\nbusiness’s existence.\r\nCelas Trade Pro Application Analysis\r\nWindows Program\r\nThe Windows version of the malicious Celas Trade Pro application is an MSI Installer ( .msi ). The MSI Installer\r\ninstallation package comprises a software component and an application programming interface (API) that\r\nMicrosoft uses for the installation, maintenance, and removal of software. 
The installer looks legitimate and is\r\nsigned by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for celasllc[.]com\r\n(Obtain Capabilities: Code Signing Certificates [T1588.003 ]). The MSI Installer asks the victim for\r\nadministrative privileges to run (User Execution: Malicious File [T1204.002 ]).\r\nOnce permission is granted, the threat actor is able to run the program with elevated privileges (Abuse Elevation\r\nControl Mechanism [T1548 ]) and MSI executes the following actions.\r\nInstalls CelasTradePro.exe in folder C:\\Program Files (x86)\\CelasTradePro\r\nInstalls Updater.exe in folder C:\\Program Files (x86)\\CelasTradePro\r\nRuns Updater.exe with the CheckUpdate parameters\r\nThe CelasTradePro.exe program asks for the user’s exchange and loads a legitimate-looking cryptocurrency\r\ntrading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.\r\nThe Updater.exe program has the same program icon as CelasTradePro.exe . When run, it checks for the\r\nCheckUpdate parameter, collects the victim’s host information (System Owner/User Discovery [T1033 ]),\r\nencrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website\r\n(Exfiltration Over C2 Channel [T1041 ]).\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer that has a disk image format that Apple\r\ncommonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital\r\nsignature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004 ]). It has very similar functionality\r\nto the Windows version. 
The installer executes the following actions.\r\nInstalls CelasTradePro in folder /Applications/CelasTradePro.app/Contents/MacOS/\r\nInstalls Updater in folder /Applications/CelasTradePro.app/Contents/MacOS\r\nExecutes a postinstall script\r\nMoves .com.celastradepro.plist to folder LaunchDaemons\r\nRuns Updater with the CheckUpdate parameter\r\nCelasTradePro asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—\r\nvery similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.\r\nUpdater checks for the CheckUpdate parameter and, when found, it collects the victim’s host information\r\n(System Owner/User Discovery [T1033] ), encrypts the collected information with a hardcoded XOR key before\r\nexfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041 ]). This\r\nprocess helps the adversary obtain persistence on a victim’s network.\r\nThe postinstall script is a sequence of instructions that runs after successfully installing an application\r\n(Command and Scripting Interpreter: Unix Shell [T1059.004 ]). This script moves property list ( plist ) file\r\n.com.celastradepro.plist from the installer package to the LaunchDaemons folder (Scheduled Task/Job:\r\nLaunchd [T1053.004 ]). The leading “.” makes it unlisted in the Finder app or default Terminal directory listing\r\n(Hide Artifacts: Hidden Files and Directories [T1564.001 ]). 
Once in the folder, this property list ( plist ) file\r\nwill launch the Updater program with the CheckUpdate parameter on system load as Root for every user.\r\nBecause the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script\r\nlaunches the Updater program with the CheckUpdate parameter and runs it in the background (Create or\r\nModify System Process: Launch Daemon [T1543.004 ]).\r\nPayload\r\nAfter a cybersecurity company published a report detailing the above programs and their malicious extras, the\r\nwebsite was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The\r\ncybersecurity company that published the report states the payload was an encrypted and obfuscated binary\r\n(Obfuscated Files or Information [T1027 ]), which eventually drops FALLCHILL onto the machine and installs\r\nit as a service (Create or Modify System Process: Windows Service [T1543.003 ]). FALLCHILL malware uses\r\nan RC4 encryption algorithm with a 16-byte key to protect its communications (Encrypted Channel: Symmetric\r\nCryptography [T1573.001 ]). The key employed in these versions has also been used in a previous version of\r\nFALLCHILL.[5][6]\r\nFor more details on AppleJeus Version 1: Celas Trade Pro, see MAR-10322463-1.v1.\r\nAppleJeus Version 2: JMT Trading\r\nIntroduction and Infrastructure\r\nIn October 2019, a cybersecurity company identified a new version of the AppleJeus malware—JMT Trading—\r\nthanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a\r\ncryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and\r\ndistributed on their website, jmttrading[.]org (Acquire Infrastructure: Domain [T1583.001 ]). 
This website\r\ncontained a “Download from GitHub” button, which linked to JMT Trading’s GitHub page (Acquire\r\nInfrastructure: Web Services [T1583.006 ]), where Windows and macOS X versions of the JMT Trader\r\napplication were available for download (Develop Capabilities: Malware [T1587.001 ]). The GitHub page also\r\nincluded .zip and tar.gz files containing the source code.\r\nThe jmttrading[.]org domain resolved to the following IP addresses from October 15, 2016, to January 22,\r\n2021.\r\nThe jmttrading[.]org domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates\r\n[T1588.004 ]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does\r\nnot require validation of the owner’s identity or the actual business’s existence. The current SSL certificate was\r\nissued by Let’s Encrypt.\r\nJMT Trading Application Analysis\r\nWindows Program\r\nThe Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks\r\nlegitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]).\r\nThe signature was signed with a code signing certificate purchased by the same user as the SSL certificate for\r\njmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003 ]). 
The MSI Installer asks the\r\nvictim for administrative privileges to run (User Execution: Malicious File [T1204.002 ]).\r\nOnce permission is granted, the MSI executes the following actions.\r\nInstalls JMTTrader.exe in folder C:\\Program Files (x86)\\JMTTrader\r\nInstalls CrashReporter.exe in folder C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\JMTTrader\r\nRuns CrashReporter.exe with the Maintain parameter\r\nThe JMTTrader.exe program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading\r\nplatform—very similar to CelasTradePro.exe and the benign Q.T. Bitcoin Trader—that exhibits no signs of\r\nmalicious activity.\r\nThe program CrashReporter.exe is heavily obfuscated with the ADVObfuscation library, renamed “snowman”\r\n(Obfuscated Files or Information [T1027 ]). When run, it checks for the Maintain parameter and collects the\r\nvictim’s host information (System Owner/User Discovery [T1033 ]), encrypts the collected information with a\r\nhardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over\r\nC2 Channel [T1041 ]). The program also creates a scheduled SYSTEM task, named JMTCrashReporter , which\r\nruns CrashReporter.exe with the Maintain parameter at any user’s login (Scheduled Task/Job: Scheduled Task\r\n[T1053.005 ]).\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very\r\nsimilar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that\r\nbefore installation. 
The installer executes the following actions.\r\nInstalls JMTTrader in folder /Applications/JMTTrader.app/Contents/MacOS/\r\nInstalls .CrashReporter in folder /Applications/JMTTrader.app/Contents/Resources/\r\nNote: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing.\r\nExecutes a postinstall script\r\nMoves .com.jmttrading.plist to folder LaunchDaemons\r\nChanges the file permissions on the plist\r\nRuns CrashReporter with the Maintain parameter\r\nMoves .CrashReporter to folder /Library/JMTTrader/CrashReporter\r\nMakes .CrashReporter executable\r\nThe JMTTrader program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading\r\nplatform—very similar to CelasTradePro and the benign Q.T. Bitcoin Trader—that exhibits no signs of\r\nmalicious activity.\r\nThe CrashReporter program checks for the Maintain parameter and is not obfuscated. This lack of obfuscation\r\nmakes it easier to determine the program’s functionality in detail. When it finds the Maintain parameter, it\r\ncollects the victim’s host information (System Owner/User Discovery [T1033 ]), encrypts the collected\r\ninformation with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website\r\n(Exfiltration Over C2 Channel [T1041 ]).\r\nThe postinstall script has similar functionality to the one used by CelasTradePro, but it has a few additional\r\nfeatures (Command and Scripting Interpreter: Unix Shell [T1059.004 ]). It moves the property list ( plist ) file\r\n.com.jmttrading.plist from the Installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd\r\n[T1053.004 ]), but also changes the file permissions on the plist file. Once in the folder, this property list\r\n( plist ) file will launch the CrashReporter program with the Maintain parameter on system load as Root for\r\nevery user. 
Also, the postinstall script moves the .CrashReporter program to a new location\r\n/Library/JMTTrader/CrashReporter and makes it executable. Because the LaunchDaemon will not run\r\nautomatically after the plist file is moved, the postinstall script launches CrashReporter with the\r\nMaintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon\r\n[T1543.004 ]).\r\nPayload\r\nSoon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were\r\nupdated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company\r\npublished an article detailing the macOS X JMT Trader, and soon after, the C2 beastgoc[.]com website went\r\noffline. There is not a confirmed sample of the payload to analyze at this point.\r\nFor more details on AppleJeus Version 2: JMT Trading, see MAR-10322463-2.v1.\r\nAppleJeus Version 3: Union Crypto\r\nIntroduction and Infrastructure\r\nIn December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity\r\ncompany based on many similarities to the original AppleJeus malware. Again, the malware was in the form of a\r\ncryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called\r\nUnion Crypto, on their website, unioncrypto[.]vip (Acquire Infrastructure: Domain [T1583.001 ]). Although\r\nthis website is no longer available, a cybersecurity researcher discovered a download link,\r\nhttps://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN , recorded on VirusTotal for the macOS\r\nX version of UnionCryptoTrader . 
In contrast, open-source reporting stated that the Windows version might have\r\nbeen downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on\r\nan unnamed victim.[7]\r\nThe unioncrypto[.]vip domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.\r\nThe domain unioncrypto[.]vip had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates\r\n[T1588.004 ]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does\r\nnot require validation of the owner’s identity or the actual business’s existence.\r\nUnion Crypto Trader Application Analysis\r\nWindows Program\r\nThe Windows version of the malicious cryptocurrency application is a Windows executable ( .exe ) (User\r\nExecution: Malicious File [T1204.002 ]), which acts as an installer that extracts a temporary MSI Installer.\r\nThe Windows program executes the following actions.\r\nExtracts UnionCryptoTrader.msi to folder C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\{82E4B719-90F74BD1-9CF1-56CD777E0C42}\r\nRuns UnionCryptoUpdater.msi\r\nInstalls UnionCryptoTrader.exe in folder C:\\Program Files\\UnionCryptoTrader\r\nInstalls UnionCryptoUpdater.exe in folder C:\\Users\\\u003cusername\u003e\\AppData\\Local\\UnionCryptoTrader\r\nDeletes UnionCryptoUpdater.msi\r\nRuns UnionCryptoUpdater.exe\r\nThe program UnionCryptoTrader.exe loads a legitimate-looking cryptocurrency arbitrage application—defined\r\nas “the simultaneous buying and selling of securities, currency, or commodities in different markets or in\r\nderivative forms to take advantage of differing prices for the same asset”—which exhibits no signs of malicious\r\nactivity. 
This application is very similar to another cryptocurrency arbitrage application known as Blackbird\r\nBitcoin Arbitrage.[8]\r\nThe program UnionCryptoUpdater.exe first installs itself as a service (Create or Modify System Process:\r\nWindows Service [T1543.003 ]), which will automatically start when any user logs on (Boot or Logon Autostart\r\nExecution [T1547 ]). The service is installed with a description stating it “Automatically installs updates for\r\nUnion Crypto Trader.” When launched, it collects the victim’s host information (System Owner/User Discovery\r\n[T1033 ]), combines the information in a string that is MD5 hashed and stored in the auth_signature variable\r\nbefore exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041 ]).\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very\r\nsimilar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that\r\nbefore installation. The installer executes the following actions.\r\nInstalls UnionCryptoTrader in folder /Applications/UnionCryptoTrader.app/Contents/MacOS/\r\nInstalls .unioncryptoupdater in folder /Applications/UnionCryptoTrader.app/Contents/Resources/\r\nNote: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing\r\nExecutes a postinstall script\r\nMoves .vip.unioncrypto.plist to folder LaunchDaemons\r\nChanges the file permissions on the plist to Root\r\nRuns unioncryptoupdater\r\nMoves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater\r\nMakes .unioncryptoupdater executable\r\nThe UnionCryptoTrader program loads a legitimate-looking cryptocurrency arbitrage application, which exhibits\r\nno signs of malicious activity. 
The application is very similar to another cryptocurrency arbitrage application\r\nknown as Blackbird Bitcoin Arbitrage.\r\nThe .unioncryptoupdater program is signed ad-hoc, meaning it is not signed with a valid code-signing identity.\r\nWhen launched, it collects the victim’s host information (System Owner/User Discovery [T1033 ]), combines\r\nthe information in a string that is MD5 hashed and stored in the auth_signature variable before exfiltration, and\r\nsends it to a C2 website (Exfiltration Over C2 Channel [T1041 ]).\r\nThe postinstall script has similar functionality to the one used by JMT Trading (Command and Scripting\r\nInterpreter: Unix Shell [T1059.004 ]). It moves the property list ( plist ) file .vip.unioncrypto.plist from\r\nthe Installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004 ]), but also\r\nchanges the file permissions on the plist file to Root. Once in the folder, this property list ( plist ) file will\r\nlaunch the .unioncryptoupdater on system load as Root for every user. The postinstall script moves the\r\n.unioncryptoupdater program to a new location /Library/UnionCrypto/unioncryptoupdater and makes it\r\nexecutable. Because the LaunchDaemon will not run automatically after the plist file is moved, the\r\npostinstall script launches .unioncryptoupdater and runs it in the background (Create or Modify System\r\nProcess: Launch Daemon [T1543.004 ]).\r\nPayload\r\nThe payload for the Windows malware is a Windows Dynamic-Link-Library.  UnionCryptoUpdater.exe does not\r\nimmediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This\r\ndelay could be implemented to prevent researchers from directly obtaining the stage 2 malware.\r\nThe macOS X malware’s payload could not be downloaded, as the C2 server is no longer accessible. Additionally,\r\nnone of the open-source reporting for this sample contained copies of the macOS X payload. 
The macOS X\r\npayload is likely similar in functionality to the Windows stage 2 detailed above.\r\nFor more details on AppleJeus Version 3: Union Crypto, see MAR-10322463-3.v1.\r\nCommonalities between Celas Trade Pro, JMT Trading, and Union Crypto\r\nHardcoded Values\r\nIn each AppleJeus version, there are hardcoded values used for encryption or to create a signature when combined\r\nwith the time (table 1).\r\nTable 1: AppleJeus hardcoded values and uses\r\nAppleJeus Version | Value | Use\r\n1: Celas Trade Pro | Moz\u0026Wie;#t/6T!2y | XOR encryption to send data\r\n1: Celas Trade Pro | W29ab@ad%Df324V$Yd | RC4 decryption\r\n2: JMT Trader Windows | X,%`PMk--Jj8s+6=15:20:11 | XOR encryption to send data\r\n2: JMT Trader OSX | X,%`PMk--Jj8s+6=\\x02 | XOR encryption to send data\r\n3: Union Crypto Trader | 12GWAPCT1F0I1S14 | Combined with time for signature\r\nThe Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length. For JMT Trader, the first 16 bytes\r\nof the Windows and macOS X values are identical, and the additional bytes are in a time format for the Windows\r\nsample. The structure of a 16-byte value combined with the time is also used in Union Crypto Trader to create the\r\nauth_signature.\r\nAs mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use\r\n16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.\r\nOpen-Source Cryptocurrency Applications\r\nAll three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can\r\nbe used as originally designed to trade cryptocurrency. Both Celas LLC and JMT Trader modified the same\r\ncryptocurrency application, Q.T. 
Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage\r\napplication.\r\nPostinstall Scripts, Property List Files, and LaunchDaemons\r\nThe macOS X samples of all three AppleJeus versions contain postinstall scripts with similar logic. The Celas\r\nLLC postinstall script only moves the plist file to a new location and launches Updater with the\r\nCheckUpdate parameter in the background. The JMT Trader and Union Crypto Trader also perform these actions\r\nand have identical functionality. The additional actions performed by both postinstall scripts are to change the\r\nfile permissions on the plist , make a new directory in the /Library folder, move CrashReporter or\r\nUnionCryptoUpdater to the newly created folder, and make them executable.\r\nThe plist files for all three AppleJeus files have identical functionality. They only differ in the files’ names and\r\none default comment that was not removed from the Celas LLC plist . As the logic and functionality of the\r\npostinstall scripts and plist files are almost identical, the LaunchDaemons created also function the same.\r\nThey will all launch the secondary executable as Root on system load for every user.\r\nAppleJeus Version 4: Kupay Wallet\r\nIntroduction and Infrastructure\r\nOn March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and\r\ndistributed by a legitimate-looking company, called Kupay Wallet, on their website kupaywallet[.]com (Acquire\r\nInfrastructure: Domain [T1583.001 ]).\r\nThe domain www.kupaywallet[.]com resolved to IP address 104.200.67[.]96 from March 20, 2020, to January\r\n16, 2021. CrownCloud US, LLC controlled the IP address (autonomous system number [ASN] 8100), and is\r\nlocated in New York, NY.\r\nThe domain www.kupaywallet[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital\r\nCertificates [T1588.004 ]). 
The SSL certificate was “Domain Control Validated,” a weak security verification\r\nlevel that does not require validation of the owner’s identity or the actual business’s existence.\r\nKupay Wallet Application Analysis\r\nWindows Program\r\nThe Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the\r\nfollowing actions.\r\nInstalls Kupay.exe in folder C:\\Program Files (x86)\\Kupay\r\nInstalls KupayUpgrade.exe in folder C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\KupaySupport\r\nRuns KupayUpgrade.exe\r\nThe program Kupay.exe loads a legitimate-looking cryptocurrency wallet platform, which exhibits no signs of\r\nmalicious activity and is very similar to an open-source platform known as Copay, distributed by Atlanta-based\r\ncompany BitPay.\r\nThe program KupayUpgrade.exe first installs itself as a service (Create or Modify System Process: Windows\r\nService [T1543.003 ]), which will automatically start when any user logs on (Boot or Logon Autostart Execution\r\n[T1547 ]). The service is installed with a description stating it is an “Automatic Kupay Upgrade.” When\r\nlaunched, it collects the victim’s host information (System Owner/User Discovery [T1033 ]), combines the\r\ninformation in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041 ]).\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very\r\nsimilar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that\r\nbefore installation. 
The installer executes the following actions.\r\nInstalls Kupay in folder /Applications/Kupay.app/Contents/MacOS/\r\nInstalls kupay_upgrade in folder /Applications/Kupay.app/Contents/MacOS/\r\nExecutes a postinstall script\r\nCreates KupayDaemon folder in /Library/Application Support folder\r\nMoves kupay_upgrade to the new folder\r\nMoves com.kupay.pkg.wallet.plist to folder /Library/LaunchDaemons/\r\nRuns the command launchctl load to load the plist without a restart\r\nRuns kupay_upgrade in the background\r\nKupay is likely a copy of an open-source cryptocurrency wallet application, loads a legitimate-looking wallet\r\nprogram (fully functional), and its functionality is identical to the Windows Kupay.exe program.\r\nThe kupay_upgrade program calls its function CheckUpdate (which contains most of the logic functionality of\r\nthe malware) and sends a POST to the C2 server with a connection named “Kupay Wallet 9.0.1 (Check Update\r\nOsx)” (Application Layer Protocol: Web Protocols [T1071.001 ]). If the C2 server returns a file, it is decoded\r\nand written to the victim’s folder /private/tmp/kupay_update with permissions set by the command chmod\r\n700 (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059 ]). Stage 2 is then\r\nlaunched, and the malware, kupay_upgrade , returns to sleeping and checking in with the C2 server at\r\npredetermined intervals (Application Layer Protocol: Web Protocols [T1071.001 ]).\r\nThe postinstall script has similar functionality to other AppleJeus scripts (Command and Scripting Interpreter:\r\nUnix Shell [T1059.004 ]). It creates the KupayDaemon folder in /Library/Application Support folder and\r\nthen moves kupay_upgrade to the new folder. It moves the property list ( plist ) file\r\ncom.kupay.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled\r\nTask/Job: Launchd [T1053.004 ]). 
The script runs the command launchctl load to load the plist without a\r\nrestart (Command and Scripting Interpreter [T1059]). However, since the LaunchDaemon will not run automatically\r\nafter the plist file is moved, the postinstall script launches kupay_upgrade and runs it in the background\r\n(Create or Modify System Process: Launch Daemon [T1543.004]).\r\nPayload\r\nThe Windows malware’s payload could not be downloaded since the C2 server is no longer accessible.\r\nAdditionally, none of the open-source reporting for this sample contained copies of the payload. The Windows\r\npayload is likely similar in functionality to the macOS X stage 2 detailed below.\r\nThe stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of\r\nfunctionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a\r\npayload, read and write files, execute commands via the terminal, etc.\r\nFor more details on AppleJeus Version 4: Kupay Wallet, see MAR-10322463-4.v1.\r\nAppleJeus Version 5: CoinGoTrade\r\nIntroduction and Infrastructure\r\nIn early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and\r\ndistributed by a legitimate-looking company called CoinGoTrade on their website coingotrade[.]com (Acquire\r\nInfrastructure: Domain [T1583.001]).\r\nThe domain CoinGoTrade[.]com resolved to IP address 198.54.114[.]175 from February 28, 2020, to January\r\n23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP\r\naddress is in the same ASN as Dorusio[.]com and Ants2Whale[.]com.\r\nThe domain CoinGoTrade[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates\r\n[T1588.004]). 
The SSL certificate was “Domain Control Validated,” a weak security verification level that does\r\nnot require validation of the owner’s identity or the actual business’s existence.\r\nCoinGoTrade Application Analysis\r\nWindows Program\r\nThe Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and\r\nwill execute the following actions.\r\nInstalls CoinGoTrade.exe in folder C:\\Program Files (x86)\\CoinGoTrade\r\nInstalls CoinGoTradeUpdate.exe in folder C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\CoinGoTradeSupport\r\nRuns CoinGoTradeUpdate.exe\r\nCoinGoTrade.exe loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity\r\nand is a copy of an open-source cryptocurrency application.\r\nCoinGoTradeUpdate.exe first installs itself as a service (Create or Modify System Process: Windows Service\r\n[T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution\r\n[T1547]). The service is installed with a description stating it is an “Automatic CoinGoTrade Upgrade.” When\r\nlaunched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the\r\ninformation in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very\r\nsimilar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that\r\nbefore installation. 
The installer executes the following actions.\r\nInstalls CoinGoTrade in folder /Applications/CoinGoTrade.app/Contents/MacOS/\r\nInstalls CoinGoTradeUpgradeDaemon in folder /Applications/CoinGoTrade.app/Contents/MacOS/\r\nExecutes a postinstall script\r\nCreates CoinGoTradeService folder in /Library/Application Support folder\r\nMoves CoinGoTradeUpgradeDaemon to the new folder\r\nMoves com.coingotrade.pkg.product.plist to folder /Library/LaunchDaemons/\r\nRuns CoinGoTradeUpgradeDaemon in the background\r\nThe CoinGoTrade program is likely a copy of an open-source cryptocurrency wallet application and loads a\r\nlegitimate-looking, fully functional wallet program.\r\nThe CoinGoTradeUpgradeDaemon program calls its function CheckUpdate (which contains most of the logic\r\nfunctionality of the malware) and sends a POST to the C2 server with a connection named “CoinGoTrade 1.0\r\n(Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file,\r\nit is decoded and written to the victim’s folder /private/tmp/updatecoingotrade with permissions set by the\r\ncommand chmod 700 (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]).\r\nStage 2 is then launched, and the malware, CoinGoTradeUpgradeDaemon, returns to sleeping and checking in\r\nwith the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).\r\nThe postinstall script has similar functionality to the other scripts (Command and Scripting Interpreter: Unix\r\nShell [T1059.004]) and installs CoinGoTrade and CoinGoTradeUpgradeDaemon in folder\r\n/Applications/CoinGoTrade.app/Contents/MacOS/. It moves the property list (plist) file\r\ncom.coingotrade.pkg.product.plist to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd\r\n[T1053.004]). 
Because the LaunchDaemon will not run automatically after the plist file is moved, the\r\npostinstall script launches CoinGoTradeUpgradeDaemon and runs it in the background (Create or Modify\r\nSystem Process: Launch Daemon [T1543.004]).\r\nPayload\r\nThe Windows malware’s payload could not be downloaded because the C2 server is no longer accessible.\r\nAdditionally, none of the open-source reporting for this sample contained copies of the payload. The Windows\r\npayload is likely similar in functionality to the macOS X stage 2 detailed below.\r\nThe stage 2 payload for the macOS X malware was no longer available from the specified download URL. Still, a\r\nfile was submitted to VirusTotal by the same user on the same date as the macOS X CoinGoTradeUpgradeDaemon.\r\nThese clues suggest that the submitted file may be related to the macOS X version of the malware and the\r\ndownloaded payload.\r\nThe file prtspool is a 64-bit Mach-O executable with a large variety of features, all of which were confirmed to be\r\nfunctional. The file has three C2 URLs hardcoded into it and communicates with them using HTTP POST\r\nmultipart form-data with a boundary string. Like other HIDDEN COBRA malware, prtspool uses format strings to\r\nstore data collected about the system and sends it to the C2s.\r\nFor more details on AppleJeus Version 5: CoinGoTrade, see MAR-10322463-5.v1.\r\nAppleJeus Version 6: Dorusio\r\nIntroduction and Infrastructure\r\nIn March 2020, an additional version of the AppleJeus malware was identified. This time the malware was\r\nmarketed and distributed by a legitimate-looking company called Dorusio on their website, dorusio[.]com\r\n(Acquire Infrastructure: Domain [T1583.001]). Researchers collected samples for Windows and macOS X\r\nversions of the Dorusio Wallet (Develop Capabilities: Malware [T1587.001]). As of at least early 2020, the\r\nactual download links result in 404 errors. 
The download page has release notes with version revisions claiming\r\nto start with version 1.0.0, released on April 15, 2019.\r\nThe domain dorusio[.]com resolved to IP address 198.54.115[.]51 from March 30, 2020 to January 23, 2021.\r\nThe IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in\r\nthe same ASN as CoinGoTrade[.]com and Ants2Whale[.]com.\r\nThe domain dorusio[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates\r\n[T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does\r\nnot require validation of the owner’s identity or the actual business’s existence.\r\nDorusio Application Analysis\r\nWindows Program\r\nThe Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and\r\nwill install the following two programs.\r\nInstalls Dorusio.exe in folder C:\\Program Files (x86)\\Dorusio\r\nInstalls DorusioUpgrade.exe in folder C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\DorusioSupport\r\nRuns DorusioUpgrade.exe\r\nThe program, Dorusio.exe, loads a legitimate-looking cryptocurrency wallet platform with no signs of\r\nmalicious activity and is a copy of an open-source cryptocurrency application.\r\nThe program DorusioUpgrade.exe first installs itself as a service (Create or Modify System Process: Windows\r\nService [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution\r\n[T1547]). 
The service is installed with a description stating it is an “Automatic Dorusio Upgrade.” When launched, it\r\ncollects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in\r\nstrings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very\r\nsimilar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that\r\nbefore installation. The installer executes the following actions.\r\nInstalls Dorusio in folder /Applications/Dorusio.app/Contents/MacOS/\r\nInstalls Dorusio_upgrade in folder /Applications/Dorusio.app/Contents/MacOS/\r\nExecutes a postinstall script\r\nCreates DorusioDaemon folder in /Library/Application Support folder\r\nMoves Dorusio_upgrade to the new folder\r\nMoves com.dorusio.pkg.wallet.plist to folder /Library/LaunchDaemons/\r\nRuns Dorusio_upgrade in the background\r\nThe Dorusio program is likely a copy of an open-source cryptocurrency wallet application and loads a\r\nlegitimate-looking wallet program (fully functional). Aside from the Dorusio logo and two new services, the\r\nwallet appears to be the same as the Kupay Wallet. This application seems to be a modification of the open-source\r\ncryptocurrency wallet Copay distributed by Atlanta-based company BitPay.\r\nThe Dorusio_upgrade program calls its function CheckUpdate (which contains most of the logic functionality\r\nof the malware) and sends a POST to the C2 server with a connection named “Dorusio Wallet 2.1.0 (Check\r\nUpdate Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). 
If the C2 server returns a file, it is\r\ndecoded and written to the victim’s folder /private/tmp/Dorusio_update with permissions set by the command\r\nchmod 700 (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2\r\nis then launched, and the malware, Dorusio_upgrade, returns to sleeping and checking in with the C2 server at\r\npredetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).\r\nThe postinstall script has similar functionality to other AppleJeus scripts (Command and Scripting Interpreter:\r\nUnix Shell [T1059.004]). It creates the DorusioDaemon folder in /Library/Application Support folder and\r\nthen moves Dorusio_upgrade to the new folder. It moves the property list (plist) file\r\ncom.dorusio.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled\r\nTask/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file\r\nis moved, the postinstall script launches Dorusio_upgrade and runs it in the background (Create or Modify\r\nSystem Process: Launch Daemon [T1543.004]).\r\nPayload\r\nNeither the Windows nor the macOS X malware’s payload could be downloaded; the C2 server is no longer\r\naccessible. 
The payloads are likely similar in functionality to the macOS X stage 2 from CoinGoTrade and Kupay\r\nWallet, or the Windows stage 2 from Union Crypto.\r\nFor more details on AppleJeus Version 6: Dorusio, see MAR-10322463-6.v1.\r\nAppleJeus 4, 5, and 6 Installation Conflictions\r\nIf a user attempts to install the Kupay Wallet, CoinGoTrade, and Dorusio applications on the same system, they\r\nwill encounter installation conflicts.\r\nIf Kupay Wallet is already installed on a system and the user tries to install CoinGoTrade or Dorusio:\r\nPop-up windows appear, stating a more recent version of the program is already installed.\r\nIf CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet:\r\nKupay.exe will be installed in the C:\\Program Files (x86)\\CoinGoTrade\\ folder.\r\nAll CoinGoTrade files will be deleted.\r\nThe folders and files contained in the C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\CoinGoTradeSupport will\r\nremain installed.\r\nKupayUpgrade.exe is installed in the new folder C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\KupaySupport.\r\nIf Dorusio is already installed on a system and the user attempts to install Kupay Wallet:\r\nKupay.exe will be installed in the C:\\Program Files (x86)\\Dorusio\\ folder.\r\nAll Dorusio.exe files will be deleted.\r\nThe folders and files contained in C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\DorusioSupport will remain\r\ninstalled.\r\nKupayUpgrade.exe is installed in the new folder C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\KupaySupport.\r\nAppleJeus Version 7: Ants2Whale\r\nIntroduction and Infrastructure\r\nIn late 2020, a new version of AppleJeus was identified called “Ants2Whale.” The site for this version of\r\nAppleJeus is ants2whale[.]com (Acquire Infrastructure: Domain [T1583.001]). The website shows a\r\nlegitimate-looking cryptocurrency company and application. 
The website contains multiple spelling and grammar\r\nmistakes, indicating that English may not be the creator’s first language. The website states that to download\r\nAnts2Whale, a user must contact the administrator, as their product is a “premium package” (Develop\r\nCapabilities: Malware [T1587.001]).\r\nThe domain ants2whale[.]com resolved to IP address 198.54.114[.]237 from September 23, 2020, to January\r\n22, 2021. The IP address is controlled by NameCheap, Inc. (ASN 22612) and is located in Atlanta, GA. This IP\r\naddress is in the same ASN as CoinGoTrade[.]com and Dorusio[.]com.\r\nThe domain ants2whale[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates\r\n[T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does\r\nnot require validation of the owner’s identity or the actual business’s existence.\r\nAnts2Whale Application Analysis\r\nWindows Program\r\nAs of late 2020, the Windows program was not available on VirusTotal. It is likely very similar to the macOS X\r\nversion detailed below.\r\nmacOS X Program\r\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very\r\nsimilar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that\r\nbefore installation. 
The installer executes the following actions.\r\nInstalls Ants2Whale in folder /Applications/Ants2whale.app/Contents/MacOS/Ants2whale\r\nInstalls Ants2WhaleHelper in folder /Library/Application Support/Ants2WhaleSupport/\r\nExecutes a postinstall script\r\nMoves com.Ants2whale.pkg.wallet.plist to folder /Library/LaunchDaemons/\r\nRuns Ants2WhaleHelper in the background\r\nThe Ants2Whale and Ants2WhaleHelper programs and the postinstall script function almost identically to\r\nprevious versions of AppleJeus and will not be discussed in depth in this advisory.\r\nFor more details on AppleJeus Version 7: Ants2Whale, see MAR-10322463-7.v1.\r\nATT\u0026CK Profile\r\nFigure 2 and table 2 provide summaries of the MITRE ATT\u0026CK techniques observed.\r\nFigure 2: MITRE ATT\u0026CK enterprise techniques used by AppleJeus\r\nTable 2: MITRE ATT\u0026CK techniques observed\r\nTactic Title Technique ID Technique Title\r\nResource Development [TA0042] T1583.001 Acquire Infrastructure: Domain\r\nResource Development [TA0042] T1583.006 Acquire Infrastructure: Web Services\r\nResource Development [TA0042] T1587.001 Develop Capabilities: Malware\r\nResource Development [TA0042] T1588.003 Obtain Capabilities: Code Signing Certificates\r\nResource Development [TA0042] T1588.004 Obtain Capabilities: Digital Certificates\r\nInitial Access [TA0001] T1566.002 Phishing: Spearphishing Link\r\nExecution [TA0002] T1059 Command and Scripting Interpreter\r\nExecution [TA0002] T1059.004 Command and Scripting Interpreter: Unix Shell\r\nExecution [TA0002] T1204.002 User Execution: Malicious File\r\nPersistence [TA0003] T1053.004 Scheduled Task/Job: Launchd\r\nPersistence [TA0003] T1543.004 Create or Modify System Process: Launch Daemon\r\nPersistence [TA0003] T1547 Boot or Logon Autostart Execution\r\nPrivilege Escalation [TA0004] T1053.005 Scheduled Task/Job: Scheduled Task\r\nDefense Evasion [TA0005] T1027 Obfuscated Files or 
Information\r\nDefense Evasion [TA0005] T1548 Abuse Elevation Control Mechanism\r\nDefense Evasion [TA0005] T1564.001 Hide Artifacts: Hidden Files and Directories\r\nDiscovery [TA0007] T1033 System Owner/User Discovery\r\nExfiltration [TA0010] T1041 Exfiltration Over C2 Channel\r\nCommand and Control [TA0011] T1071.001 Application Layer Protocol: Web Protocols\r\nCommand and Control [TA0011] T1573 Encrypted Channel\r\nCommand and Control [TA0011] T1573.001 Encrypted Channel: Symmetric Cryptography\r\nMitigations\r\nCompromise Mitigations\r\nOrganizations that identify AppleJeus malware within their networks should take immediate action. Initial actions\r\nshould include the following steps.\r\nContact the FBI, CISA, or Treasury immediately regarding any identified activity related to AppleJeus.\r\n(Refer to the Contact Information section below.)\r\nInitiate your organization’s incident response plan.\r\nGenerate new keys for wallets, and/or move to new wallets.\r\nIntroduce a two-factor authentication solution as an extra layer of verification.\r\nUse hardware wallets, which keep the private keys in a separate, secured storage area.\r\nTo move funds out of a compromised wallet:\r\nDo not use the malware listed in this advisory to transfer funds, and\r\nForm all transactions offline and then broadcast them to the network all at once in a short online\r\nsession, ideally prior to the attacker accessing them.\r\nRemove impacted hosts from the network.\r\nAssume the threat actors have moved laterally within the network and downloaded additional malware.\r\nChange all passwords to any accounts associated with impacted hosts.\r\nReimage impacted host(s).
\r\nInstall anti-virus software to run daily deep scans of the host.\r\nEnsure your anti-virus software is set up to download the latest signatures daily.\r\nInstall Host-based Intrusion Detection System (HIDS) software and keep it up to date.\r\nEnsure all software and hardware is up to date, and all patches have been installed.\r\nEnsure a network-based firewall is installed and/or up to date.\r\nEnsure the firewall’s firmware is up to date.\r\nPro-Active Mitigations\r\nConsider the following recommendations for defense against AppleJeus malware and related activity.\r\nCryptocurrency Users\r\nVerify the source of cryptocurrency-related applications.\r\nUse multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.\r\nUse custodial accounts with multi-factor authentication mechanisms for both user and device verification.\r\nPatronize cryptocurrency service businesses that offer indemnity protections for lost or stolen\r\ncryptocurrency.\r\nConsider having a dedicated device for cryptocurrency management.\r\nFinancial Service Companies\r\nVerify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks at\r\nhttps://ithandbook.ffiec.gov, especially those related to information security.\r\nReport suspicious cyber and financial activities. 
For more information on mandatory and voluntary\r\nreporting of cyber events via suspicious activity reports, see the Financial Crimes Enforcement Network\r\n(FinCEN) Advisory FIN-2016-A005: Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime at\r\nhttps://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf and FinCEN’s Section 314(b) Fact\r\nSheet at https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf.\r\nCryptocurrency Businesses\r\nVerify compliance with the Cryptocurrency Security Standard at http://cryptoconsortium.github.io/CCSS/.\r\nAll Organizations\r\nIncorporate IOCs identified in CISA’s Malware Analysis Reports on https://us-cert.cisa.gov/northkorea into\r\nintrusion detection systems and security alert systems to enable active blocking or reporting of suspected\r\nmalicious activity.\r\nSee table 3 below, which provides a summary of preventative ATT\u0026CK mitigations based on observed\r\ntechniques.\r\nTable 3: MITRE ATT\u0026CK mitigations based on observed techniques\r\nMitigation Description\r\nUser Training [M1017]\r\nTrain users to identify social engineering techniques and spearphishing\r\nemails.\r\nUser Training [M1017]\r\nProvide users with the awareness of common phishing and spearphishing\r\ntechniques and raise suspicion for potentially malicious events.\r\nUser Account Management\r\n[M1018]\r\nLimit privileges of user accounts and remediate Privilege Escalation\r\nvectors so only authorized administrators can create new Launch Daemons.\r\nUser Account Management\r\n[M1018]\r\nLimit privileges of user accounts and remediate Privilege Escalation\r\nvectors so only authorized administrators can create scheduled tasks on\r\nremote systems.\r\nSSL/TLS Inspection [M1020] Use SSL/TLS inspection to see encrypted sessions’ contents to look 
for\r\nnetwork-based indicators of malware communication protocols.\r\nRestrict Web-Based Content\r\n[M1021]\r\nDetermine if certain websites that can be used for spearphishing are\r\nnecessary for business operations and consider blocking access if the\r\nactivity cannot be monitored well or poses a significant risk.\r\nRestrict Web-Based Content\r\n[M1021]\r\nBlock Script extensions to prevent the execution of scripts and HTA files\r\nthat may commonly be used during the exploitation process.\r\nRestrict Web-Based Content\r\n[M1021]\r\nEmploy an adblocker to prevent malicious code served up through ads from\r\nexecuting.\r\nRestrict File and Directory\r\nPermissions [M1022]\r\nPrevent all users from writing to the /Library/StartupItems directory to\r\nprevent any startup items from getting registered since StartupItems are\r\ndeprecated.\r\nPrivileged Account\r\nManagement [M1026]\r\nWhen PowerShell is necessary, restrict PowerShell execution policy to\r\nadministrators. Be aware that there are methods of bypassing the\r\nPowerShell execution policy, depending on environment configuration.\r\nPrivileged Account\r\nManagement [M1026]\r\nConfigure the Increase Scheduling Priority option only to allow the\r\nAdministrators group the rights to schedule a priority process.\r\nOperating System\r\nConfiguration [M1028]\r\nConfigure settings for scheduled tasks to force tasks to run under the\r\nauthenticated account’s context instead of allowing them to run as\r\nSYSTEM.\r\nNetwork Intrusion Prevention\r\n[M1031]\r\nUse network intrusion detection and prevention systems that use network\r\nsignatures to identify traffic for specific adversary malware and mitigate\r\nactivity at the network level.\r\nExecution Prevention\r\n[M1038]\r\nUse application control tools where appropriate.\r\nExecution Prevention\r\n[M1038]\r\nUse application control tools to prevent the running of executables\r\nmasquerading as other files.\r\nBehavior Prevention on\r\nEndpoint 
[M1040]\r\nConfigure endpoint (if possible) to block some process injection types\r\nbased on common sequences of behavior during the injection process.\r\nDisable or Remove Feature or\r\nProgram [M1042]\r\nDisable or remove any unnecessary or unused shells or interpreters.\r\nCode Signing [M1045] Where possible, only permit the execution of signed scripts.\r\nAudit [M1047]\r\nAudit logging for launchd events in macOS can be reviewed or centrally\r\ncollected using multiple options, such as Syslog, OpenBSM, or OSquery.\r\nAudit [M1047]\r\nToolkits like the PowerSploit framework contain PowerUp modules that\r\ncan be used to explore systems for permission weaknesses in scheduled\r\ntasks that could be used to escalate privileges.\r\nAntivirus/Antimalware\r\n[M1049]\r\nUse an antivirus program to quarantine suspicious files automatically.\r\nContact Information\r\nRecipients of this report are encouraged to contribute any additional information that they may have related to this\r\nthreat.\r\nFor any questions related to this report or to report an intrusion and request resources for incident response or\r\ntechnical assistance, please contact:\r\nThe FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office,\r\nCISA (1-844-Say-CISA or Central@cisa.dhs.gov), or\r\nTreasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000\r\nor OCCIP-Coord@treasury.gov).\r\nRevisions\r\nFebruary 17, 2021: Initial Version\r\nApril 15, 2021: Updated MITRE ATT\u0026CK technique from Command and\r\nScripting Interpreter: AppleScript [T1059.002] to Command and Scripting Interpreter: Unix Shell [T1059.004].\r\nSource: 
https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-048a"
	],
	"report_names": [
		"aa21-048a"
	],
	"threat_actors": [
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dcfc6e02e63f469d1eee60007f2a9c0fbf04938.pdf",
		"text": "https://archive.orkl.eu/6dcfc6e02e63f469d1eee60007f2a9c0fbf04938.txt",
		"img": "https://archive.orkl.eu/6dcfc6e02e63f469d1eee60007f2a9c0fbf04938.jpg"
	}
}