{
	"id": "d3397dad-861f-4580-b4fc-46ce006a1e7f",
	"created_at": "2026-04-06T00:22:17.640889Z",
	"updated_at": "2026-04-10T13:12:04.509816Z",
	"deleted_at": null,
	"sha1_hash": "c831406987f4fc744176d669ea9410d76df9deef",
	"title": "Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 561125,
	"plain_text": "Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)\r\nArchived: 2026-04-05 17:18:08 UTC\r\nThe recently discovered backdoor for Mac, Olyx (Criminals gain control over Mac with BackDoor.Olyx), was used for targeted attacks (or what appears to be targeted attacks), which is not surprising. As Microsoft pointed out, in addition to malware, the package contains an html page and photos from a Wikipedia page for events dated July 5, 2009; however, it appears that all photos relate to one event - the July 2009 Ürümqi riots in China.\r\n\"Government censors disabled keyword searches for \"Urumqi\", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down. Many unauthorized postings on local sites and Google were said to have been \"harmonised\" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord.\"\r\nPerhaps the trojans found in the package, the Ghostnet backdoor (detected as Backdoor:Win32/Remosh.A) and the new Backdoor:MacOS_X/Olyx.A, were destined for a Chinese human rights activist, as he/she would be likely to be interested in this particular event update. In addition, it is known that many of the Gh0stnet targets were human rights activists.\r\nGeneral File Information\r\nhttp://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html\r\nPage 1 of 8\r\nMD5: 93a9b55bb66d0ff80676232818d5952f\r\nFile Type: Mach-O I386\r\nMalware: Backdoor.Olyx\r\nMD5: f65fbeb945348ad2e1a123ef5cee65d3\r\nFile Type: Windows PE EXE\r\nMalware: Ghostnet backdoor\r\nDownload\r\nAdditional information and Analysis links\r\n----------------------------------------------------------------------\r\nMicrosoft Malware Protection Center posted an excellent analysis with a lot of details, which you can find at the link below: Backdoor Olyx - is it malware on a mission for Mac?\r\nOriginal report of the Olyx backdoor by Dr.Web: Criminals gain control over Mac with BackDoor.Olyx\r\nMD5: 93a9b55bb66d0ff80676232818d5952f\r\nFile Type: Mach-O I386\r\nMalware: Backdoor.Olyx\r\nI am not a Mac or RE expert, I just made a few screenshots of the disassembled Mach-O file with Microsoft comments, which I thought were relevant. Please correct me if needed :)\r\nMD5: f65fbeb945348ad2e1a123ef5cee65d3\r\nFile Type: Windows PE EXE\r\nMalware: Ghostnet backdoor\r\nAnubis Analysis: http://anubis.iseclab.org/?action=result\u0026task_id=1ae9dcbf36d882e541d8fa26d533a9d39\u0026format=html\r\nHere is a screenshot of the certificate, which was revoked, and some strings from the binary.\r\nAutomated Scans\r\nCurrent events 2009 July 5\r\nSubmission date: 2011-07-27 05:07:51 (UTC)\r\nResult: 19/43 (44.2%)\r\nhttp://www.virustotal.com/file-scan/report.html?id=a5c1b89b26007f4672409e0e7a3ab85135a0ffc01c74c4b6d49084da7fe9def5-1311743271\r\nAhnLab-V3    2011.07.27.00    2011.07.27    MacOS_X/Olyx\r\nAvast    4.8.1351.0    2011.07.26    MacOS:Olyx [Trj]\r\nAvast5    5.0.677.0    2011.07.26    MacOS:Olyx [Trj]\r\nBitDefender    7.2    2011.07.27    MAC.OSX.Backdoor.Olyx.A\r\nComodo    9524    2011.07.27    UnclassifiedMalware\r\nDrWeb    5.0.2.03300    2011.07.27    BackDoor.Olyx.1\r\nEmsisoft    5.1.0.8    2011.07.27    Backdoor.OSX.Olyx!IK\r\nF-Secure    9.0.16440.0    2011.07.27    Backdoor:OSX/Olyx.A\r\nGData    22    2011.07.27    MAC.OSX.Backdoor.Olyx.A\r\nIkarus    T3.1.1.104.0    2011.07.27    Backdoor.OSX.Olyx\r\nKaspersky    9.0.0.837    2011.07.27    Backdoor.OSX.Olyx.a\r\nMicrosoft    1.7104    2011.07.26    Backdoor:MacOS_X/Olyx.A\r\nNOD32    6327    2011.07.27    OSX/Olyx.A\r\nPCTools    8.0.0.5    2011.07.27    Backdoor.Olyx\r\nSophos    4.67.0    2011.07.27    OSX/Bckdr-RID\r\nSymantec    20111.1.0.186    2011.07.27    Backdoor.Olyx\r\nTrendMicro-HouseCall    9.200.0.1012    2011.07.27    OSX_OLYX.WA\r\nVBA32    3.12.16.4    2011.07.26    BackDoor.OSX.Generic\r\nVirusBuster    14.0.140.0    2011.07.26    Backdoor.OSX.Olyx.A\r\nMD5: 93a9b55bb66d0ff80676232818d5952f\r\nVideo-Current events 2009 July 5.exe - WINDOWS BINARY\r\nSubmission date: 2011-07-27 05:00:39 (UTC)\r\nResult: 19/43 (44.2%)\r\nhttp://www.virustotal.com/file-scan/report.html?id=d2f45192f22ef62a694facd0604b12c8c748ac94a6d8a2913f4beec7f04be1c1-1311742839\r\nAhnLab-V3    2011.07.27.00    2011.07.27    Win-Trojan/Olyx.205480\r\nAntiVir    7.11.12.130    2011.07.27    BDS/Olyx.A\r\nBitDefender    7.2    2011.07.27    Backdoor.Wolyx.A\r\nComodo    9524    2011.07.27    TrojWare.Win32.Magania.~AD\r\nDrWeb    5.0.2.03300    2011.07.27    Trojan.PWS.Multi.228\r\nEmsisoft    5.1.0.8    2011.07.27    Trojan-PWS.Win32.Hangame.cl!IK\r\neSafe    7.0.17.0    2011.07.26    Win32.Backdoor.Troja\r\nGData    22    2011.07.27    Backdoor.Wolyx.A\r\nIkarus    T3.1.1.104.0    2011.07.27    Trojan-PWS.Win32.Hangame.cl\r\nMcAfee    5.400.0.1158    2011.07.27    Artemis!F65FBEB94534\r\nMcAfee-GW-Edition    2010.1D    2011.07.26    Heuristic.BehavesLike.Win32.AdSpyware.A\r\nMicrosoft    1.7104    2011.07.26    Backdoor:Win32/Wolyx.A\r\nNOD32    6327    2011.07.27    Win32/Delf.OBY\r\nPanda    10.0.3.5    2011.07.26    Suspicious file\r\nPCTools    8.0.0.5    2011.07.27    Backdoor.Trojan\r\nSymantec    20111.1.0.186    2011.07.27    Backdoor.Trojan\r\nTrendMicro-HouseCall    9.200.0.1012    2011.07.27    BKDR_WOLYX.WA\r\nVIPRE    9978    2011.07.27    Trojan.Win32.Generic.pak!cobra\r\nVirusBuster    14.0.140.0    2011.07.26    Backdoor.Wolyx!YVAf5CV8Y34\r\nMD5: f65fbeb945348ad2e1a123ef5cee65d3\r\nAnubis Analysis\r\nhttp://anubis.iseclab.org/?action=result\u0026task_id=1ae9dcbf36d882e541d8fa26d533a9d39\u0026format=html\r\nTraffic\r\n121.254.173.57\r\nHost reachable, 234 ms. average\r\n121.254.128.0 - 121.254.255.255\r\nKorea Internet Data Center Inc.\r\nKorea, Republic of\r\nYunmi Lee\r\nip@kidc.net\r\nKIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul\r\nphone: +82-2-6440-2925\r\nfax: +82-2-6440-2909\r\nSource: http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
	],
	"report_names": [
		"jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c831406987f4fc744176d669ea9410d76df9deef.pdf",
		"text": "https://archive.orkl.eu/c831406987f4fc744176d669ea9410d76df9deef.txt",
		"img": "https://archive.orkl.eu/c831406987f4fc744176d669ea9410d76df9deef.jpg"
	}
}