{ "id": "bd43c154-57a6-40fd-94b6-2481e4c2ee1a", "created_at": "2026-04-06T01:32:24.554596Z", "updated_at": "2026-04-10T13:12:25.453534Z", "deleted_at": null, "sha1_hash": "f7a727e1dbee605ef152337439b5398a4c03a38d", "title": "The first Trojan in history to steal Linux and Mac OS X passwords", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 62507, "plain_text": "The first Trojan in history to steal Linux and Mac OS X passwords\r\nPublished: 2012-08-22 · Archived: 2026-04-06 00:24:28 UTC\r\nBy continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies\r\nrelated to the collection of visitor statistics.\r\nLearn more\r\n22.08.2012\r\nReal-time threat news | Hot news | All the news | Virus alerts\r\nAugust 22, 2012\r\nRussian anti-virus company Doctor Web is reporting the emergence of the first cross-platform backdoor to\r\nrun under Linux and Mac OS X. This malicious program is designed to steal passwords stored by a number\r\nof popular Internet applications. Mac.BackDoor.Wirenet.1 is the first such Trojan capable of running under\r\nany of these operating systems.\r\nIt's not clear yet how the Trojan, which was added to the Dr.Web virus database as Mac.BackDoor.Wirenet.1,\r\nspreads. This malicious program is a backdoor that can work under Linux as well as under Mac OS X.\r\nWhen launched, it creates its copy in the user's home directory. The program uses the Advanced Encryption\r\nStandard (AES) to communicate with its control server whose address is 212.7.208.65.\r\nhttps://news.drweb.com/show/?i=2679\u0026lng=en\u0026c=14\r\nPage 1 of 3\n\nMac.BackDoor.Wirenet.1 also operates as a keylogger (it sends gathered keyboard input data to intruders); in\r\naddition, it steals passwords entered by the user in Opera, Firefox, Chrome, and Chromium, and passwords stored\r\nby such applications as Thunderbird, SeaMonkey, and Pidgin. Anti-virus software from Doctor Web successfully\r\ndetects and removes the backdoor, so the threat does not pose a serious danger to systems protected by Dr.Web for\r\nMac OS X and Dr.Web for Linux.\r\n2679 en 5\r\n0\r\nDoctor Web’s Q1 2026 review of virus activity on mobile devices\r\n01.04.2026\r\nVirus reviews\r\nRead\r\nhttps://news.drweb.com/show/?i=2679\u0026lng=en\u0026c=14\r\nPage 2 of 3\n\nDoctor Web’s Q1 2026 virus activity review\r\n01.04.2026\r\nVirus reviews\r\nRead\r\nDr.Web for personal computers receives SKD AWARDS product excellence distinction\r\n24.03.2026\r\nCorporate news | Dr.Web products\r\nRead\r\nSource: https://news.drweb.com/show/?i=2679\u0026lng=en\u0026c=14\r\nhttps://news.drweb.com/show/?i=2679\u0026lng=en\u0026c=14\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://news.drweb.com/show/?i=2679\u0026lng=en\u0026c=14" ], "report_names": [ "?i=2679\u0026lng=en\u0026c=14" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775439144, "ts_updated_at": 1775826745, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f7a727e1dbee605ef152337439b5398a4c03a38d.pdf", "text": "https://archive.orkl.eu/f7a727e1dbee605ef152337439b5398a4c03a38d.txt", "img": "https://archive.orkl.eu/f7a727e1dbee605ef152337439b5398a4c03a38d.jpg" } }