{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ioc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["maltrail","ioc","osx","android","apt"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief highlights indicators of compromise (IOCs) identified on March 15, 2026, through the Maltrail feed. The identified IOCs are associated with a variety of threat actors and malware families, targeting both macOS and Android operating systems. The threats include OSX_Atomic, which potentially delivers malware to macOS systems; FakeApp, used for deceptive applications; Android_Joker, a known Android malware family; Lummack2, an information stealer; APT_Sidewinder, an advanced persistent threat actor; APT_Kimsuky, another APT group; and Hak5Cloud_C2, related to Hak5 Cloud Command and Control infrastructure. This diverse set of IOCs underscores the wide range of threats organizations face and the importance of monitoring network traffic and system logs for malicious activity. This data is crucial for detection engineers to build and deploy relevant detection rules to protect their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (OSX_Atomic/FakeApp):\u003c/strong\u003e User downloads a seemingly legitimate application from a compromised website (e.g., \u003ccode\u003eappsformacs.com\u003c/code\u003e, \u003ccode\u003etorrents4mac.com\u003c/code\u003e, or a FakeApp site like \u003ccode\u003eadhushapp-razvd.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (OSX_Atomic/FakeApp):\u003c/strong\u003e The downloaded application is executed on the user\u0026rsquo;s macOS or Android device. This may involve bypassing security warnings or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (OSX_Atomic/Android_Joker):\u003c/strong\u003e The malware establishes persistence on the system, potentially using techniques such as modifying startup items or scheduled tasks (OSX_Atomic), or registering as a background service (Android_Joker).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (Multiple):\u003c/strong\u003e The malware connects to a command-and-control (C2) server (e.g., \u003ccode\u003ec2.socops.net\u003c/code\u003e, \u003ccode\u003eonev.online\u003c/code\u003e) to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft (Lummack2):\u003c/strong\u003e The malware attempts to steal credentials stored on the system or in web browsers, potentially using keylogging or form grabbing techniques (Lummack2). Observed communicating with \u003ccode\u003epolice-center.vg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Multiple):\u003c/strong\u003e Sensitive data, such as credentials, financial information, or personal data, is exfiltrated to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (APT_Sidewinder/APT_Kimsuky):\u003c/strong\u003e The attacker uses the compromised system to move laterally within the network, targeting other systems and data. APT_Sidewinder uses domains like \u003ccode\u003evisa.nadra.gov-pk.info\u003c/code\u003e while APT_Kimsuky leverages \u003ccode\u003enaver.liferod.com\u003c/code\u003e for potential C2 or phishing activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Multiple):\u003c/strong\u003e The attacker achieves their objectives, which may include financial gain (through fraud or extortion), intellectual property theft, or espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe identified IOCs represent a diverse range of threats that can have significant impact on organizations and individuals. Successful attacks can lead to financial losses due to fraud or ransomware, data breaches resulting in the theft of sensitive information, and reputational damage. The targeting of macOS and Android devices indicates a broad scope of potential victims, encompassing both corporate and personal devices. The involvement of APT groups like APT_Sidewinder and APT_Kimsuky suggests potential for targeted attacks with significant impact on national security or critical infrastructure. A single successful infection can lead to widespread compromise within an organization\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the malicious domains listed in the IOC table at the DNS resolver and firewall to prevent communication with known C2 infrastructure.\u003c/li\u003e\n\u003cli\u003eImplement a network intrusion detection system (NIDS) rule to detect connections to the malicious domains and URLs (IOCs) to identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your specific environment to detect suspicious process execution and network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate systems communicating with any of the listed IOCs (domains/URLs) for signs of malware infection or unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T21:00:08Z","date_published":"2026-03-15T21:00:08Z","id":"/briefs/2026-03-maltrail-iocs/","summary":"This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.","title":"Maltrail IOC Feed Update for Multiple Threats","url":"https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/"}],"language":"en","title":"CraftedSignal Threat Feed — Ioc","version":"https://jsonfeed.org/version/1.1"}