{
	"id": "47ce55e3-36a8-4c60-afcd-935a51d35e23",
	"created_at": "2026-04-06T00:07:27.888329Z",
	"updated_at": "2026-04-10T13:13:01.770638Z",
	"deleted_at": null,
	"sha1_hash": "e7791bc6c2c486a3ea3dbb022513569081973e8f",
	"title": "OSX/Imuler updated: still a threat on Mac OS X",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76094,
	"plain_text": "OSX/Imuler updated: still a threat on Mac OS X\r\nBy Alexis Dorais-Joncas\r\nArchived: 2026-04-05 19:00:55 UTC\r\nA new variant of the Mac information stealer OSX/Imuler hides itself inside a ZIP archive, right in the middle of an array of erotic pictures.\r\n16 Mar 2012  •  1 min. read\r\nThe Mac OS X information-stealing malware OSX/Imuler, initially discovered last fall, has resurfaced. This time, instead of being installed by the OSX/Revir.A dropper, this new variant of OSX/Imuler hides itself inside a ZIP archive, right in the middle of an array of erotic pictures, waiting for the user to open the malicious application.\r\nThis new variant is very similar to its ancestors in terms of command-and-control (C\u0026C) communication and functionality. (OSX/Imuler is an information stealer that can gather and transmit files, screenshots, and other data to a remote server.) The network protocol is still HTTP-based and the payload is compressed with zlib. The hardcoded C\u0026C domain now being used is a new one, registered on February 13th, 2012 via a Chinese registrar. The domain points to the same IP address as the previous variants, located in the USA and still active at the time of writing.\r\nThis all seems to indicate that the new variant was most likely released to improve its anti-virus evasion.\r\nOSX/Imuler has the functionality to upload arbitrary local files to the C\u0026C. A specialized separate executable named CurlUpload, downloaded from the C\u0026C every time the malware starts, is used to perform the operation. This stand-alone executable, first seen in early 2011, presents interesting strings that suggest it was initially built for Win32 but later recompiled for OS X:\r\nESET security software (including ESET Cybersecurity for Mac) has detected this new variant as OSX/Imuler.C since signature update 6970.\r\nMD5 of the files analyzed:\r\n7dba3a178662e7ff904d12f260f0fff3 (installer)\r\n9d2462920fdaed5e360875fb0cf8274f (malicious payload)\r\ne00a280ad29440dcaab42ad093bcaafd (uploader module)\r\nBig thanks to my colleague Marc-Étienne M. Léveillé for his work on this investigation.\r\nAlexis Dorais-Joncas\r\nSource: https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/"
	],
	"report_names": [
		"osximuler-updated-still-a-threat-on-mac-os-x"
	],
	"threat_actors": [],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7791bc6c2c486a3ea3dbb022513569081973e8f.pdf",
		"text": "https://archive.orkl.eu/e7791bc6c2c486a3ea3dbb022513569081973e8f.txt",
		"img": "https://archive.orkl.eu/e7791bc6c2c486a3ea3dbb022513569081973e8f.jpg"
	}
}
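
The article describes two things a responder can act on: C&C traffic that is plain HTTP with a zlib-compressed payload, and three MD5 hashes for the installer, payload and uploader module. The following Python is an added triage example written for this page; it is not ESET's code and not code from the malware. It sweeps a directory for files matching the listed MD5s and inflates a zlib-compressed HTTP body the way a captured upload could be inspected. The request shape produced by `make_sample_post` (host `c2.example.invalid`, path `/upload`, header set) is an assumption for the example; the article does not publish the real C&C domain, URI or headers.

```python
"""Offline triage helpers for OSX/Imuler-style indicators: an MD5 sweep over
a directory tree and a zlib inflater for HTTP bodies captured from the C&C
channel. Added example for this page, not ESET or malware code."""
import hashlib
import os
import zlib

# MD5 hashes quoted in the article, mapped to the role the article gives them.
IMULER_MD5S = {
    "7dba3a178662e7ff904d12f260f0fff3": "installer",
    "9d2462920fdaed5e360875fb0cf8274f": "malicious payload",
    "e00a280ad29440dcaab42ad093bcaafd": "uploader module (CurlUpload)",
}


def md5_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large archives need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_for_iocs(root, iocs=IMULER_MD5S):
    """Walk a directory tree; return (path, role) for each file whose MD5 is
    in the indicator set. Unreadable files are skipped rather than fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def split_http_message(raw):
    """Separate an HTTP request or response into (header bytes, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in HTTP message")
    return head, body


def looks_like_zlib(body):
    """RFC 1950 header check: CMF byte 0x78 (deflate, 32 KiB window) and the
    16-bit CMF/FLG pair divisible by 31. Cheap filter before inflating."""
    if len(body) < 2:
        return False
    cmf, flg = body[0], body[1]
    return cmf == 0x78 and ((cmf << 8) | flg) % 31 == 0


def inflate_payload(body):
    """Return the decompressed payload, or None when the body is not a valid
    zlib stream, so a caller can log it as unknown instead of crashing."""
    if not looks_like_zlib(body):
        return None
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def make_sample_post(payload, host="c2.example.invalid", path="/upload"):
    """Construct a request in the shape the article implies (HTTP carrying a
    zlib-compressed body). Host, path and headers are assumptions made for
    this example; the article does not give the real ones."""
    body = zlib.compress(payload)
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


if __name__ == "__main__":
    # Constructed sample: a fake "stolen file" being exfiltrated.
    raw = make_sample_post(b"screenshot-2012-03-16.png\x00fake image bytes")
    _head, body = split_http_message(raw)
    print(inflate_payload(body))
    print(sweep_for_iocs("."))
```

Run the sweep against a user's home directory or an unpacked copy of the ZIP archive to check for the three hashes; run `inflate_payload` over the body of any HTTP POST to the suspect IP taken from a proxy log or pcap. The header check keeps the inflater from trying to decompress image uploads or plain-text requests, and a truncated capture returns None rather than raising.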