{
	"id": "a46f3922-7902-43de-8041-0236525c1744",
	"created_at": "2026-04-06T00:06:15.183638Z",
	"updated_at": "2026-04-10T03:35:17.07652Z",
	"deleted_at": null,
	"sha1_hash": "c5d83b00ab4727c5a632bdda4d2da4fe6d7c5054",
	"title": "WildPressure targets the macOS platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214970,
	"plain_text": "WildPressure targets the macOS platform\r\nBy Denis Legezo\r\nPublished: 2021-07-07 · Archived: 2026-04-05 14:27:06 UTC\r\nNew findings\r\nOur previous story regarding WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant with the same version (1.6.1) and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on a field in the C2 communication protocol that contains the “client” programming language.\r\nAnother language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.\r\nThe versioning system shows that the malware used by WildPressure is still under active development. Besides commercial VPS, this time the operators used compromised legitimate WordPress websites. With low confidence this time, we believe their targets to be in the oil and gas industry. If previously the operators used readable “clientids” like “HatLandid3”, the new ones we observed in the Milum samples appear to be randomized like “5CU5EQLOSI” and “C29QoCli33jjxtb”.\r\nAlthough we couldn’t associate WildPressure’s activity with other threat actors, we did find minor similarities in the TTPs used by BlackShadow, which is also active in the same region. 
However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\r\nPython multi-OS Trojan\r\nSHA1 872FC1D91E078F0A274CA604785117BEB261B870\r\nFile type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nFile size 3.3 MB\r\nFile name svchost.exe\r\nThis PyInstaller Windows executable was detected in our telemetry on September 1, 2020, showing version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is “Guard”. The malware authors extensively relied on publicly available third-party code[1] to create it. Near the entry point one can find the first operating system-dependent code, which checks on macOS if another instance of the Trojan is running.\r\nhttps://securelist.com/wildpressure-targets-macos/103072/\r\nPage 1 of 9\r\nmacOS-specific code snippet to check if another Trojan instance is already running\r\nThe Guard class constructor contains initial values, such as an XOR key (enc_key field) to decrypt the configuration. In this sample, it is set to decimal 110 and the C2 message type (answer_type_value field) to “Check”. The code that initializes class members for encryption and network communications is OS independent, but persistence methods aren’t.\r\nFor macOS, Guard decodes an XML document and creates a plist file using its contents at $HOME/Library/LaunchAgents/com.apple.pyapple.plist to autorun itself; while for Windows, the script creates a RunOnce registry key Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\gd_system. 
We provide the full list of persistence IoCs at the end of this article.\r\nMalware decodes the XML, fills [pyscript] placeholder with its path and drops .plist file for persistence\r\nFor fingerprinting Windows and macOS operating systems, Guard uses standard Python libraries. Beacon data for the C2 contains the hostname, machine architecture and OS release name. To fingerprint Windows targets, Guard also uses WQL (WMI Query Language) requests, similarly to Milum, and WMIC command line utility features. For example, to distinguish the installed security products it executes the following command:\r\ncmd /c wmic /NAMESPACE:\\\\\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET displayName,productUptoDate /Format:List\r\nOn macOS, Guard enumerates running processes using the “ls /Applications” command and compares the results against a list of security solutions: [“kaspersky security.app”, “kaspersky anti-virus for mac.app”, “intego”, “sophos anti-virus.app”, “virusbarrier.app”, “mcafee internet security.app”]\r\nThe path to the file containing Guard’s configuration data is %APPDATA%\\Microsoft\\grconf.dat under Windows and $HOME\\.appdata\\grconf.dat under macOS.\r\nGuard’s configuration data has to start with the string “*grds*”. 
Below is a comparison between different WildPressure sample parameters, including magic values used to pre- and post-fix the configuration data.\r\nParameter | C++ Milum | Python Guard | VBScript Tandis\r\nVersion | 1.0.1 – 1.6.1 | 2.2.1 | 1.6.1\r\nSerial | Comparable to “clientid” with values like “HatLandid3” | 1——-C29QoCli———————— | 1——-Tandis_7————————\r\nRelays | List of .php pages hosted on VPS | List of hacked WordPress websites | List of hacked WordPress websites\r\nEncoded configuration start\\end | (ws32) (we32) | *grds* *grde* | Configuration embedded inside the script\r\nThese prefix and suffix values allowed us to decode Milum and Guard configuration data as well as the self-decrypted Tandis with Bash and Python scripts. Following configuration parsing, the Trojan is ready for its main working cycle. It awaits commands from its C2 that are XML-based and XOR-encrypted with the aforementioned decimal value 110. Among them are typical Trojan functions: downloading files, uploading files, executing commands with the OS command interpreter, updating the Trojan and cleaning up the target.\r\nVBScript self-decrypted variant\r\nSHA1 CD7904E6D59142F209BD248D21242E3740999A0D\r\nFile type Self-decrypting VBScript\r\nFile size 51 KB\r\nFile name l2dIIYKCQw.vbs\r\nWe named the Tandis Trojan after its “serial” configuration parameter. This VBScript Trojan version is Windows-only and relies much more on WQL queries than Guard. It was first detected in our telemetry on September 1, 2020, showing version 1.6.1. The abilities, parameters and working cycle are quite similar to Guard and other WildPressure malware.\r\nThe persistence is again system registry-based (please check the IoCs at the end). The function HexToBin() is in charge of the additional encryption used inside the script for some strings and C2 communication. 
The basic unhexlify-XOR algorithm is the same as in the initial self-decryption; and to read plain text we used the same aforementioned script with the corresponding key (again 110 decimal, stored in a class data member). The C2 communication protocol is “encrypted XML over HTTP” (using Msxml2.XMLHTTP and Msxml2.DOMDocument objects).\r\nBelow are the commands that Tandis supports:\r\nCommand | Description\r\n1 | Wait\r\n2 | Silently execute command with interpreter with cmd /c\r\n3 | Download file\r\n4 | Update the script from server\r\n5 | Clean up, remove persistence and the script file\r\n6 | Upload file\r\n7 | Update wait timings in the configuration\r\n8 | Fingerprint the host. In particular, Tandis gathers all the installed security products besides Defender with a WQL query\r\nPlugin-based C++ malware\r\nIn addition to the already enumerated scripting implants that WildPressure uses, some findings are related to C++ developments. We discovered several, previously unknown, interconnected modules used to gather data on target hosts in our telemetry. The compilation times seen in this malware precede our detection date by a large margin, and we therefore consider them to be tampered with.\r\nThe plugins we found are rather simplistic. We will therefore focus on the implemented interface between the orchestrator and its plugins.\r\nOrchestrator\r\nSHA1 FA50AC04D601BB7961CAE4ED23BE370C985723D6\r\nFile type PE32 executable (console) Intel 80386, for MS Windows\r\nFile size 87 KB\r\nFile name winloud.exe\r\nThis main module checks for the presence of a configuration file named “thumbnail.dat”. 
The precise directory of this configuration file varies across Windows versions:\r\n%ALLUSERSPROFILE%\\system\\thumbnail.dat\r\n%ALLUSERSPROFILE%\\Application Data\\system\\Windows\\thumbnail.dat\r\nThe orchestrator uses a timer function that runs every two minutes and parses the configuration file for the plugin file path, function name, etc., and attempts to execute the corresponding plugin.\r\nThe overall communication workflow between orchestrator and the plugins\r\nPlugins come in the form of a DLL that exports a function named accessPluginInterface(), which returns a pointer to a class object to the orchestrator. This main module then runs the second function from the virtual functions table, passing it the pointer to instantiated class objects. The plugins we’ve seen so far contained RTTI information.\r\nFingerprinting plugin\r\nSHA1 c34545d89a0882bb16ea6837d7380f2c72be7209\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 194 KB\r\nFile name GetClientInfo.dll\r\nThis plugin gathers really detailed data about the host with WQL queries and creates a JSON with a publicly available library. 
The data includes OS version and the set of installed hotfixes, BIOS and HDD manufacturers, installed and running software and security products separately, user accounts and network adapters settings, etc. The corresponding executed WQL queries look like this:\r\nSELECT Domain, DomainRole, TotalPhysicalMemory, UserName, SystemType FROM Win32_ComputerSystem\r\nSELECT DHCPServer, DNSDomain, MACAddress, DHCPEnabled, DefaultIPGateway, IPAddress, IPSubnet FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled ='TRUE'\r\nKeylogging and screenshotting plugins\r\nSHA1 fb7f69834ca10fe31675bbedf9f858ec45c38239\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 90.5 KB\r\nFile name Keylogger.dll\r\nSHA1 2bb6d37dbba52d79b896352c37763d540038eb25\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 78 KB\r\nFile name ScreenShot.dll\r\nThese plugins are quite straightforward. The keylogger sets a WH_KEYBOARD_LL hook to gather the keystrokes and gets clipboard content and window titles. The second takes screenshots by timer and by mouse events, setting a WH_MOUSE_LL hook.\r\nCampaign infrastructure\r\nThe actor used both VPS and compromised servers in their infrastructure, most of which were WordPress websites. The legitimate, compromised websites served as Guard relay servers. In our previous 2019 investigation, we were able to sinkhole the Milum C2, upiserversys1212[.]com. During our current investigation we managed to sinkhole another Milum C2, mwieurgbd114kjuvtg[.]com. 
However, we haven’t registered any recent Milum requests sent to these domains with the corresponding main.php or url.php URI.\r\nDomain | IP | First seen | ASN | Malware\r\nN/A | 107.158.154[.]66 | 2021-04-07 | 62904, EONIX | Milum\r\nN/A | 185.177.59[.]234 | 2021-04-07 | 44901, BELCLOUD | Milum\r\nN/A | 37.59.87[.]172 | 2014-12-26 | 16276, OVH | Milum\r\nN/A | 80.255.3[.]86 | 2019-08-28 | 201011, NETZBETRIEB | Milum\r\nmwieurgbd114kjuvtg[.]com | 139.59.250[.]183 (Sinkholed) | 2021-04-07 (Sinkholed) | 14061, DIGITALOCEAN | Milum\r\nLegitimate, compromised Guard relay servers:\r\nhxxp://adelice-formation[.]eu\r\nhxxp://ricktallis[.]com/news\r\nhxxp://whatismyserver123456[.]com\r\nhxxp://www.glisru[.]eu\r\nhxxp://www.mozh[.]org\r\nWho was hit and by whom\r\nWe have very limited visibility for the samples described in this report. Based on our telemetry, we suspect that the targets in the same Middle East region were related to the oil and gas industry.\r\nWe consider with high confidence that the aforementioned Tandis VBScript, PyInstaller and C++ samples belong to the same authors that we dubbed WildPressure due to the very similar coding style and victim profile. However, another question remains: is WildPressure connected to other threat actors operating in the same region?\r\nAmong other actors that we’ve covered in the region, Chafer and Ferocious Kitten are worth mentioning. Technically, there’s not much in common with their malware, but we observed some minor similarities with another actor in the region we haven’t described publicly so far. 
Minor similarities with WildPressure are:\r\nThe “pk” parameter in HTTP requests to distinguish the Trojan beacons from, for example, scanners;\r\nThe usage of hacked WordPress websites as relays.\r\nBoth tactics aren’t unique enough to come to any attribution conclusion – it’s possible both groups are simply using the same generic techniques and programming approaches.\r\nIndicators of Compromise\r\nMilum version 1.6.1\r\n0efd03fb65c3f92d9af87e4caf667f8e\r\nPyInstaller with Guard\r\n92A11F0DCB973D1A58D45C995993D854 (svchost.exe)\r\nSelf-decrypting Tandis VBScript\r\n861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)\r\nOrchestrator\r\nC116B3F75E12AD3555E762C7208F17B8 (winloud.exe)\r\nPlugins\r\nF2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)\r\nD322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)\r\n9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)\r\nFile paths\r\nmacOS .plist files\r\n$HOME/Library/LaunchAgents/com.apple.pyapple.plist\r\n$HOME/Library/LaunchAgents/apple.scriptzxy.plist\r\nConfig files under Windows\r\n%APPDATA%\\Microsoft\\grconf.dat\r\n%APPDATA%\\Microsoft\\vsdb.dat\r\n%ALLUSERSPROFILE%\\system\\thumbnail.dat\r\n%ALLUSERSPROFILE%\\Application Data\\system\\Windows\\thumbnail.dat\r\nConfig files under macOS\r\n$HOME/.appdata/grconf.dat\r\nRegistry values\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\gd_system\r\nWQL query examples\r\nSELECT * FROM Win32_Process WHERE Name = ‘\u003call enumerated names here\u003e’\r\nSelect * from Win32_ComputerSystem\r\nSelect * From AntiVirusProduct\r\nSelect * From Win32_Process Where ParentProcessId = ‘\u003call enumerated ids here\u003e’\r\nMilum C2\r\nhxxp://107.158.154[.]66/core/main.php\r\nhxxp://185.177.59[.]234/core/main.php\r\nhxxp://37.59.87[.]172/page/view.php\r\nhxxp://80.255.3[.]86/page/view.php\r\nhxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php\r\n[1] E.g. https://gist.github.com/vaab/2ad7051fc193167f15f85ef573e54eb9 and https://code.activestate.com/recipes/65222-run-a-task-every-few-seconds/\r\nSource: https://securelist.com/wildpressure-targets-macos/103072/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/wildpressure-targets-macos/103072/"
	],
	"report_names": [
		"103072"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4a1e62ec-42d0-47c3-8b65-b3c5d9c496c0",
			"created_at": "2022-10-25T16:07:23.609046Z",
			"updated_at": "2026-04-10T02:00:04.686029Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [
				"G0137"
			],
			"source_name": "ETDA:Ferocious Kitten",
			"tools": [
				"MarkiRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3ef437d-e8fa-4250-9a99-89a403035ad2",
			"created_at": "2022-10-25T16:07:24.406019Z",
			"updated_at": "2026-04-10T02:00:04.977275Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [
				"WilePressure"
			],
			"source_name": "ETDA:WildPressure",
			"tools": [
				"Milum"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75297180-4681-4500-ad0e-cde0edeb1ed2",
			"created_at": "2024-02-06T02:00:04.156486Z",
			"updated_at": "2026-04-10T02:00:03.581217Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [],
			"source_name": "MISPGALAXY:Ferocious Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c652e4b-2f17-4e18-bd05-af12c27e76fb",
			"created_at": "2023-11-30T02:00:07.302263Z",
			"updated_at": "2026-04-10T02:00:03.485667Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [],
			"source_name": "MISPGALAXY:WildPressure",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "306b00c6-fec4-4698-86c5-2aed9feedd38",
			"created_at": "2022-10-25T15:50:23.444155Z",
			"updated_at": "2026-04-10T02:00:05.401052Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [
				"Ferocious Kitten"
			],
			"source_name": "MITRE:Ferocious Kitten",
			"tools": [
				"MarkiRAT",
				"BITSAdmin"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5d83b00ab4727c5a632bdda4d2da4fe6d7c5054.pdf",
		"text": "https://archive.orkl.eu/c5d83b00ab4727c5a632bdda4d2da4fe6d7c5054.txt",
		"img": "https://archive.orkl.eu/c5d83b00ab4727c5a632bdda4d2da4fe6d7c5054.jpg"
	}
}