{
    "type": "bundle",
    "id": "bundle--cd58d8e7-260e-419c-aad9-9598b3fae438",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--3c419327-e652-4e91-8f18-a6f9d12ba756",
            "created": "2023-03-08T12:51:56.203314Z",
            "modified": "2026-01-06T23:28:11.277197Z",
            "name": "Objective-see",
            "identity_class": "organization"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--37d150e6-44d7-4903-b56d-d14b3e88dcd6",
            "hashes": {
                "SHA-256": "6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a18257f1-808d-4ceb-9d02-2df104c53bb1",
            "hashes": {
                "SHA-256": "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--7bbf57a7-7525-420f-8f76-6cfcab5c1304",
            "value": "visualstudiofactory.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--0e4151c7-e343-4b9e-be74-b0b7253bd2de",
            "value": "akamaitechcloudservices.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--1261a3e1-65b9-48fc-995e-87aa055fe362",
            "value": "msedgepackageinfo.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--c60b5916-fccb-4162-960f-84bc43606851",
            "value": "azureonlinestorage.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--5312488a-0968-4892-be2b-0fdf9904d1a3",
            "value": "zacharryblogs.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--c84f9e68-157d-4676-9d6c-c99bbd66b160",
            "value": "officestoragebox.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--845d879b-c10e-4300-8f74-c3c3db743cfb",
            "value": "pbxphonenetwork.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--dd084def-4e31-425a-a506-14ab670a4217",
            "value": "sourceslabs.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--8a5ae2ad-2984-42e1-9f92-6c6da70b7ff2",
            "value": "officeaddons.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--64bf44fb-e8c0-4489-91ee-1b825ed8a3a4",
            "value": "glcloudservice.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--bdb722f7-40ee-479b-90a9-7c1b2499583a",
            "value": "pbxcloudeservices.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--b1fbc5f9-cac3-49fc-8e32-3a2c1ddb65db",
            "value": "azuredeploystore.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--a48ec800-3909-4026-9391-567a8f5f7c84",
            "value": "pbxsources.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--76b49f68-671a-479e-a126-9cf5564ac27f",
            "value": "msstorageboxes.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--c904bcfc-85fb-45fd-966a-e602dc0097b4",
            "value": "globalkeystroke.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--e7b77417-ff9b-4aac-8305-63f492fb5ab8",
            "value": "airbseeker.com"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--9740950d-39e8-46e8-9079-5e598b60f584",
            "value": "https://sbmsa.wiki/blog/_insert"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--b53aaf51-0e38-45b6-8f16-b7539699ac8e",
            "value": "sbmsa.wiki"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1fa71e98-b23e-4b0e-8f75-3386cc0b8f8d",
            "created": "2026-06-24T19:57:15.343976Z",
            "modified": "2026-06-24T19:57:15.343976Z",
            "name": "YARA Rule",
            "pattern": "rule XProtect_MACOS_c723519\r\n{\r\nmeta:\r\n\t\t description = \"MACOS.c723519\"\r\nstrings:\r\n\t\t $s1 = { 5F 6D 5F 43 6F 6E 66 69 67 }\r\n\t\t $s2 = { 5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76 }\r\n\t\t $s3 = { 5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76 }\r\n\t\t $s4 = { 5F 5F 5A 31 30 53 61 76 65 43 6F 6E 66 69 67 76 }\r\n\t\t $s5 = { 5F 5F 5A 31 33 4D 65 73 73 61 67 65 54 68 72 65 61 64 76 }\r\ncondition:\r\n\t\t Macho and filesize < 100KB and all of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-10-05T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a7801fc2-91ec-4ad9-8a1d-3d6bd1c2f980",
            "created": "2026-06-24T19:57:15.344944Z",
            "modified": "2026-06-24T19:57:15.344944Z",
            "name": "YARA Rule",
            "pattern": "rule MTI_Hunting_POOLRAT {\r\nmeta:\r\n\t\t author = \"Mandiant\"\r\n\t\t disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\t\t description = \"Detects strings found in POOLRAT. \"\r\n\t\t md5 = \"451c23709ecd5a8461ad060f6346930c\"\r\n\t\t date = \"10/28/2020\"\r\n\t\t version = \"1\"\r\nstrings:\r\n\t\t $str1 = \"name=\\\"uid\\\"%s%s%u%s\" wide ascii\r\n\t\t $str2 = \"name=\\\"session\\\"%s%s%u%s\" wide ascii\r\n\t\t $str3 = \"name=\\\"action\\\"%s%s%s%s\" wide ascii\r\n\t\t $str4 = \"name=\\\"token\\\"%s%s%u%s\" wide ascii\r\n\t\t $boundary = \"--N9dLfqxHNUUw8qaUPqggVTpX-\" wide ascii nocase\r\ncondition:\r\n\t\t any of ($str*) or $boundary\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-10-05T00:00:00Z"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--b34ee18e-5430-4d97-8131-c3b39933524b",
            "value": "o.cn"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--234b9659-70dd-4efd-82fb-f45e35ab70bb",
            "hashes": {
                "SHA-1": "5555494424668e99d3173e03a74c86801f09f4a9"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--bef6403b-2f24-446b-80d5-0cd73a8613fe",
            "value": "https://globalkeystroke.com/pockbackx.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--a1838218-86db-43c5-821e-f8d8e90e582f",
            "value": "https://airbseeker.com/rediret.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--3cf3fb1e-e872-4574-ab4d-c3aeef69810f",
            "value": "https://www.woodmate.it/administrator/help/en-GB/bins/tags/taghelper.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--417f6d82-fe2d-4a80-8f4f-e613c2567d29",
            "value": "https://akamaitechcloudservices.com/v2/fileapi"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--800701c6-b0f4-4992-b091-901a3899f916",
            "hashes": {
                "MD5": "451c23709ecd5a8461ad060f6346930c"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--0f4983de-278e-44e3-8ccc-7dba97423de8",
            "hashes": {
                "MD5": "d9d19abffc2c7dac11a16745f4aea44f"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--49fea009-69bb-4ec9-bb06-ac90e0512135",
            "hashes": {
                "SHA-1": "55554944839216049d683075bc3f5a8628778bb8"
            }
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--2d09614d-0cd8-4ec5-9cdb-7550639e4d06",
            "created_by_ref": "identity--3c419327-e652-4e91-8f18-a6f9d12ba756",
            "created": "2026-06-24T19:57:15.353847Z",
            "modified": "2026-06-24T19:57:15.353847Z",
            "name": "Mac-ing sense of the 3CX supply chain attack: analysis of the macOS payloads",
            "published": "2023-10-05T00:00:00Z",
            "object_refs": [
                "identity--3c419327-e652-4e91-8f18-a6f9d12ba756",
                "file--37d150e6-44d7-4903-b56d-d14b3e88dcd6",
                "file--a18257f1-808d-4ceb-9d02-2df104c53bb1",
                "domain-name--7bbf57a7-7525-420f-8f76-6cfcab5c1304",
                "domain-name--0e4151c7-e343-4b9e-be74-b0b7253bd2de",
                "domain-name--1261a3e1-65b9-48fc-995e-87aa055fe362",
                "domain-name--c60b5916-fccb-4162-960f-84bc43606851",
                "domain-name--5312488a-0968-4892-be2b-0fdf9904d1a3",
                "domain-name--c84f9e68-157d-4676-9d6c-c99bbd66b160",
                "domain-name--845d879b-c10e-4300-8f74-c3c3db743cfb",
                "domain-name--dd084def-4e31-425a-a506-14ab670a4217",
                "domain-name--8a5ae2ad-2984-42e1-9f92-6c6da70b7ff2",
                "domain-name--64bf44fb-e8c0-4489-91ee-1b825ed8a3a4",
                "domain-name--bdb722f7-40ee-479b-90a9-7c1b2499583a",
                "domain-name--b1fbc5f9-cac3-49fc-8e32-3a2c1ddb65db",
                "domain-name--a48ec800-3909-4026-9391-567a8f5f7c84",
                "domain-name--76b49f68-671a-479e-a126-9cf5564ac27f",
                "domain-name--c904bcfc-85fb-45fd-966a-e602dc0097b4",
                "domain-name--e7b77417-ff9b-4aac-8305-63f492fb5ab8",
                "url--9740950d-39e8-46e8-9079-5e598b60f584",
                "domain-name--b53aaf51-0e38-45b6-8f16-b7539699ac8e",
                "indicator--1fa71e98-b23e-4b0e-8f75-3386cc0b8f8d",
                "indicator--a7801fc2-91ec-4ad9-8a1d-3d6bd1c2f980",
                "domain-name--b34ee18e-5430-4d97-8131-c3b39933524b",
                "file--234b9659-70dd-4efd-82fb-f45e35ab70bb",
                "url--bef6403b-2f24-446b-80d5-0cd73a8613fe",
                "url--a1838218-86db-43c5-821e-f8d8e90e582f",
                "url--3cf3fb1e-e872-4574-ab4d-c3aeef69810f",
                "url--417f6d82-fe2d-4a80-8f4f-e613c2567d29",
                "file--800701c6-b0f4-4992-b091-901a3899f916",
                "file--0f4983de-278e-44e3-8ccc-7dba97423de8",
                "file--49fea009-69bb-4ec9-bb06-ac90e0512135"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.virusbulletin.com/conference/vb2023/abstracts/mac-ing-sense-3cx-supply-chain-attack-analysis-macos-payloads/"
                }
            ]
        }
    ]
}