{
	"id": "f218bf39-4690-467c-b5b3-b6324acc4ea0",
	"created_at": "2026-04-06T00:22:04.489672Z",
	"updated_at": "2026-04-10T03:30:33.912204Z",
	"deleted_at": null,
	"sha1_hash": "e507364f9d7b0a1a8e9aa9a5549bbf3277556eb1",
	"title": "WTF is Mughthesec!? Poking on a Piece of Undetected Adware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3772704,
	"plain_text": "WTF is Mughthesec!? Poking on a Piece of Undetected Adware\r\nArchived: 2026-04-05 23:40:16 UTC\r\nWTF is Mughthesec!?\r\n› poking on a piece of undetected adware\r\n8/08/2017\r\nlove these blog posts? support my tools \u0026 writing on patreon! Mahalo :)\r\nWant to play along? I've shared the adware, which can be downloaded here (password: infect3d).\r\nBackground\r\nYesterday Gavriel State (@gavrielstate) posted an interesting tweet:\r\nhttps://objective-see.com/blog/blog_0x20.html\r\nPage 1 of 21\r\n\r\nInterestingly, googling \"Mughthesec\" only returned one relevant hit; a post on Apple's online forums titled \"Safari does not render Gmail correctly\". Posted on August 2nd, user 'giveen' stated that, \"Only in Safari, when this specific user logins, it does not render Gmail correctly. Only Gmail. Only in Safari.\" Following another user's suggestion, 'giveen' ran EtreCheck which noted several \"unknown files:\"\r\n~/Library/LaunchAgents/com.Mughthesec.plist\r\n~/Library/Application Support/com.Mughthesec/Mughthesec\r\nGavriel was kind enough to share a sample ('Mughthesec') with me, and that, coupled with the assistance from another security researcher, led to recovery of what appeared to be the original installer (sha256: f5d76324cb8fcae7f00b6825e4c110ddfd6b32db452f1eca0f4cff958316869c)\r\nAs neither the sample, Mughthesec, nor the (signed!) installer were detected by any AV engines on VirusTotal, I decided to take a closer look.\r\nAnalysis\r\nLet's start with the installer disk image. Uploaded to VirusTotal on August 4th as Player.dmg, it currently remains undetected:\r\nUsing WhatsYourSign, we can examine the signing info:\r\nUsing spctl, we can confirm the disk image's certificate is still valid (i.e. not rejected):\r\n$ spctl -a -t install -vv ~/Downloads/Mughthesec/Player.dmg\r\n~/Downloads/Mughthesec/player.dmg: accepted\r\nsource=Developer ID\r\norigin=Developer ID Application: Quoc Thinh (9G2J3967H9)\r\nDouble-clicking the disk image, Player.dmg, mounts it, revealing a single file, Installer.app:\r\nBesides its icon and name, the Installer.app's Info.plist file shows it masquerading as a Flash installer:\r\n$ cat Installer.app/Contents/Info.plist\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n...\r\n   \u003ckey\u003eCFBundleIdentifier\u003c/key\u003e\r\n   \u003cstring\u003ecom.FlashPlayer\u003c/string\u003e\r\n   \u003ckey\u003eCFBundleName\u003c/key\u003e\r\n   \u003cstring\u003eFlashPlayerInstaller\u003c/string\u003e\r\nThis application is also signed with the same Apple Developer ID:\r\nExamining its application bundle, we can see its executable is a binary named 'mac' ... how creative!\r\nThis binary is also (currently) undetected by any AV engine on VirusTotal:\r\nTaking a quick peek at the installer binary shows what appears to be anti-anti-virus logic:\r\nWe can also run strings to search for embedded URLs:\r\n$ strings -a ~/Downloads/Mughthesec/Installer.app/Contents/MacOS/mac | grep http\r\nhttp://api.simplyeapps.com/p\r\nhttp://cdn.simplyeapps.com/screens/precheck/DmFybQ==\r\nhttp://cdn.simplyeapps.com/screens/progress/DmFybQ==\r\nhttp://cdn.simplyeapps.com/screens/complete/DmFybQ==\r\nhttp://api.simplyeapps.com/l\r\nNow, before we run this in a VM - let's change the MAC address of the virtual machine. This is a required step, because it turns out that the installer doesn't actually do anything malicious (besides installing a legit copy of Flash) if it detects it is running in a VM. Thomas Reed (@thomasareed) correctly guessed that this 'VM detection' is done by examining the MAC address (VMware VMs have 'recognizable' MAC addresses). Apparently this is a common trick used in macOS adware!\r\nTo change the VM's MAC address, shut it down, then change it via the VM's Network Adapter settings (click 'Advanced Options' to modify the MAC address).\r\nAlright, let's run the damn Installer.app already! First thing, LuLu (my soon-to-be-released macOS firewall!) detects an outgoing network connection:\r\nOnce the outgoing connection is allowed, the Installer application kindly asks the user to install some 'adware' and potentially unwanted programs:\r\n1. Advanced Mac Cleaner\r\n2. Safe Finder\r\n3. Booking.com\r\nSince we're playing along, we click 'Next' to install it all!\r\nNot too unexpectedly, the Advanced Mac Cleaner triggers a few BlockBlock warnings as it attempts to install a persistent launch agent and login item:\r\nIt also kindly informs us of several 'critical' issues. How thoughtful :P\r\nMoving on to 'Safe Finder', BlockBlock also alerts us of a process named 'i' persisting something named 'Mughthesec' as a launch agent.\r\nAn open-source process monitoring utility I wrote (based on the Proc Info library) shows Mughthesec being started by the Installer application (FlashPlayerInstaller, pid: 490):\r\n# procMonitor\r\nprocess start:\r\npid: 532\r\npath: /private/tmp/F3A53281-D3FA-4F32-B996-3EE0FCF522D5/62/Mughthesec\r\nuser: 501\r\nargs: (\r\n   \"/tmp/F3A53281-D3FA-4F32-B996-3EE0FCF522D5/62/Mughthesec\",\r\n   2,\r\n   na,\r\n   na,\r\n   \"F3A53281-D3FA-4F32-B996-3EE0FCF522D5\"\r\n)\r\nancestors: (\r\n   490,\r\n   1\r\n)\r\nbinary:\r\nname: Mughthesec\r\npath: /private/tmp/F3A53281-D3FA-4F32-B996-3EE0FCF522D5/62/Mughthesec\r\nsigning info: {\r\n   signatureStatus = \"-67062\";\r\n} (isApple: 0 / isAppStore: 0)\r\nThe process monitor also shows this process (Mughthesec, pid: 532) spawning (executing) the 'i' process out of /tmp:\r\n# procMonitor\r\nprocess start:\r\npid: 568\r\npath: /private/tmp/5E0BE2D2-7AD7-4005-8B1C-A635675BB4FD/15261EBB-ED0B-46DA-8C3B-AE8C02E802B3/i\r\nuser: 501\r\nargs: (\r\n   \"/tmp/5E0BE2D2-7AD7-4005-8B1C-A635675BB4FD/15261EBB-ED0B-46DA-8C3B-AE8C02E802B3/i\",\r\n   \"5E0BE2D2-7AD7-4005-8B1C-A635675BB4FD\",\r\n   \"S+wIS+tmwyirlkak8AAF36JIq8TSRdg...==\",\r\n   10\r\n)\r\nancestors: (\r\n   532,\r\n   490,\r\n   1\r\n)\r\nbinary:\r\nname: i\r\npath: /private/tmp/5E0BE2D2-7AD7-4005-8B1C-A635675BB4FD/15261EBB-ED0B-46DA-8C3B-AE8C02E802B3/i\r\nsigning info: {\r\n   signatureStatus = \"-67062\";\r\n} (isApple: 0 / isAppStore: 0)\r\nThis 'i' process is what persists and starts a 'launch agent' instance of Mughthesec. We can see this, again, via the process monitor, which shows process 'i' (pid: 568) invoking launchctl with the 'load' command line option and the path to the launch agent plist:\r\n# procMonitor\r\nprocess start:\r\npid: 576\r\npath: /bin/launchctl\r\nuser: 501\r\nargs: (\r\n   \"/bin/launchctl\",\r\n   load,\r\n   \"/Users/user/Library/LaunchAgents/com.Mughthesec.plist\"\r\n)\r\nancestors: (\r\n   568,\r\n   532,\r\n   490,\r\n   1\r\n)\r\nbinary:\r\nname: launchctl\r\npath: /bin/launchctl\r\nsigning info: {\r\n   signatureStatus = 0;\r\n   signedByApple = 1;\r\n   signingAuthorities = (\r\n      \"Software Signing\",\r\n      \"Apple Code Signing Certification Authority\",\r\n      \"Apple Root CA\"\r\n);\r\n} (isApple: 1 / isAppStore: 0)\r\nOk, so let's take a closer look at the Mughthesec launch agent and binary. The Mughthesec launch agent plist is located at ~/Library/LaunchAgents/com.Mughthesec.plist:\r\n$ cat ~/Library/LaunchAgents/com.Mughthesec.plist\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n   \u003ckey\u003eLabel\u003c/key\u003e\r\n   \u003cstring\u003ecom.Mughthesec\u003c/string\u003e\r\n   \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n   \u003carray\u003e\r\n      \u003cstring\u003e/Users/user/Library/Application Support/com.Mughthesec/Mughthesec\u003c/string\u003e\r\n      \u003cstring\u003er\u003c/string\u003e\r\n   \u003c/array\u003e\r\n   \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n   \u003ctrue/\u003e\r\n   \u003ckey\u003eStartInterval\u003c/key\u003e\r\n   \u003cinteger\u003e14400\u003c/integer\u003e\r\n\u003c/dict\u003e\r\n\u003c/plist\u003e\r\nFrom this plist we can see that the launch agent will:\r\n1. execute a binary: ~/Library/Application Support/com.Mughthesec/Mughthesec\r\n2. pass in a parameter: 'r'\r\n3. be automatically started whenever the user logs in, as 'RunAtLoad' is set to true\r\nThe 'Mughthesec' binary, ~/Library/Application Support/com.Mughthesec/Mughthesec, is unsigned:\r\n$ codesign -dvvv ~/Library/Application\\ Support/com.Mughthesec/Mughthesec\r\n~/Library/Application Support/com.Mughthesec/Mughthesec: code object is not signed at all\r\nIt is also (currently) undetected by any AV engines on VirusTotal:\r\nRunning strings shows some embedded URLs:\r\n$ strings -a ~/Library/Application\\ Support/com.Mughthesec/Mughthesec | grep http\r\nhttp://api.mughthesec.com/ai\r\nhttp://api.mughthesec.com/l\r\nAttempting to access those URLs in a browser appears to result in an error:\r\nHowever, the host mughthesec.com does appear to be online, resolving to 192.64.119.107:\r\n$ nslookup mughthesec.com\r\nNon-authoritative answer:\r\nName: mughthesec.com\r\nAddress: 192.64.119.107\r\nThis IP address, 192.64.119.107, appears to be rather malicious:\r\nSo what does the Mughthesec binary actually do? Let's take a peek! However, I want to point out that I've learned (the hard way) that spending a large amount of time reversing adware can quickly drive one somewhat mad...so here, we'll only perform a cursory look.\r\nA common tactic of adware is to hijack the victim's browser (homepage, inject ads, etc.) for financial gain. Mughthesec (which is installed when the user \"agrees\" to install \"Safe Finder\") appears to conform to this goal. Specifically, we can see that Safari's home page has been set to http://default27061330-a.akamaihd.net/s?q=@@@\u0026_pg=564D4420-C090-470B-9C13-6760B31264E7\r\nIf we open Safari, indeed the home page has been hijacked - though in a seemingly innocuous way. It simply displays a rather 'clean' search page - though looking at the source, we can see the inclusion of several 'Safe Finder' scripts:\r\nAlso, examining the installed extensions, we can see that an \"Any Search\" browser extension was installed:\r\nSearches are funneled through various affiliates before ending up being serviced by Yahoo Search. However, 'Safe Finder' logic (such as an icon, and likely other scripts) is injected into all search results:\r\nAt this point, I'm calling it a night! It appears that Mughthesec is simply some 'run-of-the-mill' macOS malware. But is it new? Not likely. According to the mac adware analysis guru, Thomas Reed, this \"looks like a new variant of something we call OperatorMac\":\r\nMoreover, @noarfromspace pointed me towards several samples from earlier this year (spring?) that appear to be related:\r\nConclusion\r\nIn this blog post, we sought to answer the question, \"What is Mughthesec?\" The answer: likely a new variant of the 'SafeFinder/OperatorMac' adware. Yes, it's rather unsophisticated macOS malware, but its installer is signed (to 'bypass' Gatekeeper) and at the time of this analysis no anti-virus engines detected it....and mac users are being infected :|\r\nSpeaking of infection, due to the fact that the installer is masquerading as a Flash Player installer, it's likely that this adware is relying on common infection techniques to gain new victims. If I had to guess, its infection vector is likely one (or all?) of the following:\r\nfake popups on 'shady' websites\r\nmalicious ads, perhaps on legit websites\r\nEither way, user-interaction is likely required.\r\nIn terms of detection, we showed how BlockBlock will alert when the adware goes to persist. Neat!\r\nKnockKnock can also be used (after the fact) to reveal infections. For example, it can reveal the presence of the unsigned launch agent:\r\nAnd what about the malicious browser extension? Yup, KnockKnock can show that too:\r\nHooray! Objective-See FTW ❤️\r\nTo manually disinfect Mughthesec:\r\nunload the launch agent via: launchctl unload ~/Library/LaunchAgents/com.Mughthesec.plist\r\ndelete ~/Library/Application Support/com.Mughthesec/Mughthesec\r\ndelete ~/Library/LaunchAgents/com.Mughthesec.plist\r\ndelete the 'Any Search' browser extension\r\nHowever, as we saw, the Installer application could install other 'adware' - so it's probably best to just reinstall macOS. Instructions here.\r\nlove these blog posts \u0026 tools? you can support them via patreon! Mahalo :)\r\nSource: https://objective-see.com/blog/blog_0x20.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x20.html"
	],
	"report_names": [
		"blog_0x20.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e507364f9d7b0a1a8e9aa9a5549bbf3277556eb1.pdf",
		"text": "https://archive.orkl.eu/e507364f9d7b0a1a8e9aa9a5549bbf3277556eb1.txt",
		"img": "https://archive.orkl.eu/e507364f9d7b0a1a8e9aa9a5549bbf3277556eb1.jpg"
	}
}