{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/javascript_injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CleanMyMac X","OSX.Pirrit"],"_cs_severities":["medium"],"_cs_tags":["adware","macos","python","javascript_injection"],"_cs_type":"advisory","_cs_vendors":["Apple","MacPaw"],"content_html":"\u003cp\u003eThis brief details the analysis of a persistent Mac adware sample, potentially a component of the OSX.Pirrit family, first brought to light by Paul Taykalo of MacPaw. The adware employs multiple layers of obfuscation, including compiled Python bytecode, base64 encoding, zlib compression, and variable renaming, to evade traditional antivirus detection. Initial analysis of the VtZkT sample showed it was initially undetected by most AV engines on VirusTotal. The adware persists via a launch item, executing a Python script that ultimately injects malicious JavaScript into web pages. \nThe analysis highlights the techniques used to deobfuscate the code and reveal the adware\u0026rsquo;s functionality, including the URL from which it downloads malicious JavaScript: hxxps://1049434604.rsc.cdn77.org/ij1.min.js.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adware is likely installed via shareware installers or trojanized applications, such as fake Adobe Flash installers.\u003c/li\u003e\n\u003cli\u003eA bash script (CqfeP) is persisted as a launch item to ensure the adware is automatically started each time the user logs into their Mac.\u003c/li\u003e\n\u003cli\u003eThe bash script changes directory to \u003ccode\u003e/Users/\u0026lt;user\u0026gt;/Library/search.amp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe bash script executes a compiled Python script (5mLen) with the \u003ccode\u003ef=\u003c/code\u003e parameter specifying another file (6bLJC).\u003c/li\u003e\n\u003cli\u003eThe 5mLen script decompresses and decodes the contents of 6bLJC, which contains base64 encoded and XORed data.\u003c/li\u003e\n\u003cli\u003eThe decoded script replaces placeholders like \u003ccode\u003epid_REPLACE\u003c/code\u003e, \u003ccode\u003escript_to_inject_REPLACE\u003c/code\u003e, and \u003ccode\u003eMID_REPLACE\u003c/code\u003e with values including a PID flag, the URL \u003ccode\u003ehxxps://1049434604.rsc.cdn77.org/ij1.min.js\u003c/code\u003e, and a machine identifier.\u003c/li\u003e\n\u003cli\u003eThe script executes the resulting JavaScript via \u003ccode\u003eosascript\u003c/code\u003e, injecting it into the current user\u0026rsquo;s web browser.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript likely displays advertisements or redirects user traffic for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe adware injects malicious JavaScript into web browsers, potentially leading to unwanted advertisements, browser \nredirects, data theft, or other malicious activities. While the exact scope of the campaign is unknown, the use of obfuscation techniques suggests a deliberate attempt to evade detection and target a wide range of Mac users. The injected JavaScript can compromise user experience and potentially lead to further malware infections.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the execution of \u003ccode\u003eosascript\u003c/code\u003e with suspicious arguments, specifically those containing injected JavaScript, using the Sigma rule \u0026ldquo;Detect JavaScript Injection via osascript\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eBlock network connections to \u003ccode\u003e1049434604.rsc.cdn77.org\u003c/code\u003e at the firewall or DNS resolver based on the IOC identified in this brief.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation and execution of files within the \u003ccode\u003e~/Library/search.amp\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eInspect shell scripts executed from user LaunchAgents for suspicious python calls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T07:33:40Z","date_published":"2026-05-07T07:33:40Z","id":"/briefs/2026-05-mac-adware-python/","summary":"A Mac adware, likely a component of OSX.Pirrit, uses multiple layers of obfuscation, including base64 encoding, zlib compression, and variable renaming, to evade detection and inject malicious JavaScript from hxxps://1049434604.rsc.cdn77.org/ij1.min.js.","title":"Mac Adware Injecting Malicious JavaScript via Obfuscated Python Script","url":"https://feed.craftedsignal.io/briefs/2026-05-mac-adware-python/"}],"language":"en","title":"CraftedSignal Threat Feed — Javascript_injection","version":"https://jsonfeed.org/version/1.1"}