<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Maltrail — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/maltrail/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 15 Mar 2026 21:00:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/maltrail/feed.xml" rel="self" type="application/rss+xml"/><item><title>Maltrail IOC Feed Update for Multiple Threats</title><link>https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/</link><pubDate>Sun, 15 Mar 2026 21:00:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/</guid><description>This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.</description><content:encoded><![CDATA[<p>This threat brief highlights indicators of compromise (IOCs) identified on March 15, 2026, through the Maltrail feed. The identified IOCs are associated with a variety of threat actors and malware families, targeting both macOS and Android operating systems. 
The threats include OSX_Atomic, a macOS information stealer (Atomic Stealer, also known as AMOS); FakeApp, lookalike sites that push trojanized applications; Android_Joker, a known Android malware family; Lummack2, an information stealer; APT_Sidewinder and APT_Kimsuky, two state-aligned espionage groups; and Hak5Cloud_C2, the Hak5 Cloud C2 command-and-control service. Hak5 Cloud C2 is a commercial red-team product, so traffic to it can also indicate an authorized engagement rather than a compromise and should be checked against current testing schedules before escalation. This diverse set of IOCs underscores the wide range of threats organizations face and the importance of monitoring DNS, proxy and endpoint telemetry for the listed indicators. The domains and URLs give detection engineers concrete values to turn into blocklist entries and detection rules for their environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access (OSX_Atomic/FakeApp):</strong> User downloads a seemingly legitimate application from a compromised website (e.g., <code>appsformacs.com</code>, <code>torrents4mac.com</code>, or a FakeApp site like <code>adhushapp-razvd.com</code>).</li>
<li><strong>Execution (OSX_Atomic/FakeApp):</strong> The user runs the downloaded application on their macOS (OSX_Atomic) or Android (FakeApp) device. Atomic Stealer campaigns typically do not exploit a software vulnerability; the lure walks the user through bypassing Gatekeeper (for example, right-click and Open on an unsigned app), and FakeApp installs on Android depend on the user allowing installation from unknown sources.</li>
<li><strong>Persistence (OSX_Atomic/Android_Joker):</strong> The malware establishes persistence on the system, potentially via a LaunchAgent or Login Item on macOS (OSX_Atomic), and on Android by registering as a background service and requesting the notification and SMS permissions it needs to operate (Android_Joker).</li>
<li><strong>Command and Control (Multiple):</strong> The malware connects to a command-and-control (C2) server (e.g., <code>c2.socops.net</code>, <code>onev.online</code>) to receive instructions and exfiltrate data.</li>
<li><strong>Credential Theft (Lummack2):</strong> The stealer harvests credentials from the system and web browsers. Stealers of this class typically read saved passwords, session cookies and cryptocurrency wallet data straight from browser profile directories rather than keylogging, so the theft completes in seconds and looks like ordinary file access on the endpoint. Observed communicating with <code>police-center.vg</code>.</li>
<li><strong>Data Exfiltration (Multiple):</strong> Sensitive data, such as credentials, financial information, or personal data, is exfiltrated to the C2 server.</li>
<li><strong>Lateral Movement (APT_Sidewinder/APT_Kimsuky):</strong> The attacker uses the compromised system to move laterally within the network, targeting other systems and data. The associated domains are lookalikes: <code>visa.nadra.gov-pk.info</code> imitates a Pakistani government (NADRA, gov.pk) hostname on an unrelated <code>.info</code> registration, and <code>naver.liferod.com</code> places the Naver brand in a subdomain of an unrelated domain. Both are more consistent with phishing and C2 than with in-network movement, which these groups typically carry out with harvested credentials; match them by full hostname as well as by registered domain.</li>
<li><strong>Impact (Multiple):</strong> The attacker achieves their objectives, which may include financial gain (through fraud or extortion), intellectual property theft, or espionage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The identified IOCs represent a diverse range of threats that can have significant impact on organizations and individuals. Successful attacks can lead to financial losses through fraud (Android_Joker&rsquo;s premium-subscription fraud is the clearest case here), data breaches through stolen credentials and session cookies, and reputational damage. The targeting of macOS and Android devices indicates a broad scope of potential victims, encompassing both corporate and personal devices. The involvement of APT groups like APT_Sidewinder and APT_Kimsuky suggests potential for targeted attacks with significant impact on national security or critical infrastructure. A single successful infection, in particular a stolen session cookie or password, can lead to widespread compromise within an organization&rsquo;s network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Block the malicious domains listed in the IOC table at the DNS resolver and firewall to prevent communication with known C2 infrastructure.</li>
<li>Implement a network intrusion detection system (NIDS) rule to detect connections to the malicious domains and URLs (IOCs) to identify potentially compromised systems.</li>
<li>Deploy the Sigma rules that accompany the full brief to your SIEM and tune them for your specific environment to detect suspicious process execution and network connections.</li>
<li>Investigate systems that resolved or connected to any of the listed IOCs (domains/URLs) for signs of malware infection or unauthorized access. For Hak5Cloud_C2 hits, first confirm whether an authorized red-team engagement is using Hak5 Cloud C2 before treating the host as compromised.</li>
</ul>
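<p>The detection side of the recommendations above, as an added example that is not part of the CraftedSignal brief or of Maltrail: the domain IOCs named in this brief are matched against DNS query logs with label-boundary semantics, so a subdomain of an indicator is a hit while a name that merely ends in the same characters is not. The family tags for <code>c2.socops.net</code> and <code>onev.online</code> are not given in the brief and are left unattributed; the log lines are constructed in dnsmasq syslog style for illustration.</p>

```python
"""Match DNS query logs against the Maltrail domain IOCs from this brief.

Added example (not part of the CraftedSignal brief or of Maltrail). The IOC
list below is taken from the brief text; the family tags for c2.socops.net and
onev.online are not given in the brief and are left unattributed. The log
lines are constructed in dnsmasq syslog style for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domain IOCs named in the brief. Each is treated as an apex: the name itself
# and every subdomain of it are hits.
IOC_DOMAINS: dict[str, str] = {
    "appsformacs.com": "OSX_Atomic",
    "torrents4mac.com": "OSX_Atomic",
    "adhushapp-razvd.com": "FakeApp",
    "c2.socops.net": "C2 (family not attributed in brief)",
    "onev.online": "C2 (family not attributed in brief)",
    "police-center.vg": "Lummack2",
    "visa.nadra.gov-pk.info": "APT_Sidewinder",
    "naver.liferod.com": "APT_Kimsuky",
}

# dnsmasq logs queries as: "query[A] host.example from 10.0.0.12"
DNSMASQ_QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<client>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    ioc: str
    tag: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'C2.SOCOPS.NET.' == 'c2.socops.net'."""
    return name.strip().rstrip(".").lower()


def match_ioc(qname: str) -> tuple[str, str] | None:
    """Return (ioc, tag) if qname is an IOC or a subdomain of one.

    Walking label by label (a.b.c -> b.c -> c) gives label-boundary semantics
    for free: 'notappsformacs.com' is not a suffix match for 'appsformacs.com',
    and 'naver.com' is never confused with 'naver.liferod.com'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None


def scan_dnsmasq(lines: list[str]) -> list[Hit]:
    """Scan dnsmasq-style log lines and return one Hit per matching query."""
    hits: list[Hit] = []
    for line in lines:
        m = DNSMASQ_QUERY_RE.search(line)
        if m is None:
            continue  # replies, cache lines, etc. are not queries
        found = match_ioc(m["qname"])
        if found is not None:
            hits.append(Hit(m["client"], normalize(m["qname"]), *found))
    return hits


def clients_to_investigate(hits: list[Hit]) -> list[str]:
    """Distinct source hosts that queried an IOC, for the investigation step."""
    return sorted({h.client for h in hits})


# Constructed sample log, not real telemetry.
SAMPLE_LOG = [
    "Mar 15 20:58:01 dnsmasq[812]: query[A] www.appsformacs.com from 10.0.0.12",
    "Mar 15 20:58:03 dnsmasq[812]: query[A] notappsformacs.com from 10.0.0.12",
    "Mar 15 20:59:10 dnsmasq[812]: query[AAAA] C2.SOCOPS.NET. from 10.0.0.31",
    "Mar 15 20:59:12 dnsmasq[812]: query[A] naver.com from 10.0.0.31",
    "Mar 15 21:00:02 dnsmasq[812]: query[A] naver.liferod.com from 10.0.0.44",
    "Mar 15 21:00:05 dnsmasq[812]: reply naver.liferod.com is 203.0.113.5",
]

if __name__ == "__main__":
    for hit in scan_dnsmasq(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.qname} matches {hit.ioc} [{hit.tag}]")
    print("investigate:", clients_to_investigate(scan_dnsmasq(SAMPLE_LOG)))
```

<p>Three of the six constructed lines are hits (<code>www.appsformacs.com</code>, the upper-cased <code>C2.SOCOPS.NET.</code>, and <code>naver.liferod.com</code>); <code>notappsformacs.com</code> and <code>naver.com</code> are deliberately not. A plain <code>endswith</code> check would flag the first of those and miss nothing else, but in a real resolver log the false positives from substring matching are what get a blocklist switched off.</p>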
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>maltrail</category><category>ioc</category><category>osx</category><category>android</category><category>apt</category></item><item><title>Maltrail IOCs Report: Tracking Multiple Threat Actors</title><link>https://feed.craftedsignal.io/briefs/2026-02-maltrail-iocs/</link><pubDate>Fri, 27 Feb 2026 23:00:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-maltrail-iocs/</guid><description>This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.</description><content:encoded><![CDATA[<p>This threat brief is based on an IOC feed from Maltrail, dated February 27, 2026, which aggregates indicators related to various threat actors and malware campaigns. The tracked actors include APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp. The IOCs primarily consist of domains and IP addresses associated with these groups&rsquo; network infrastructure and malware distribution. These campaigns are likely targeting a wide range of victims across multiple sectors, employing diverse techniques to achieve their objectives, including initial access, command and control, and potentially data exfiltration or deployment of malicious payloads. The data suggests ongoing malicious activity necessitating proactive monitoring and detection efforts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An unsuspecting user visits a compromised website or interacts with a malicious advertisement, potentially leading to the download of a malware loader such as those associated with SmokeLoader or FakeApp.</li>
<li><strong>Malware Installation:</strong> The initial loader executes on the victim&rsquo;s system, establishing persistence and preparing the environment for further malicious activities. This may involve creating scheduled tasks or modifying registry keys for auto-start.</li>
<li><strong>Command and Control (C2) Communication:</strong> The malware establishes communication with a command-and-control server, using domains such as <code>dax.estate</code> (SmokeLoader) or <code>resistantmusic.shop</code> (PowerShell Injector) to receive instructions and transmit data.</li>
<li><strong>PowerShell Injection:</strong> The PowerShell Injector uses several techniques to inject malicious code into running processes, which lets it evade detection and maintain persistence. <code>apostile.zapto.org</code> and <code>googletranslate.zapto.org</code> are hostnames under <code>zapto.org</code>, a No-IP dynamic DNS domain, so they may resolve to changing infrastructure involved in command and control; block and alert on the specific hostnames rather than the shared parent domain, which also serves legitimate users.</li>
<li><strong>Lateral Movement:</strong> The attackers leverage compromised systems to move laterally within the network, potentially using stolen credentials or exploiting vulnerabilities to gain access to additional systems.</li>
<li><strong>Data Exfiltration:</strong> Sensitive data is collected from compromised systems and exfiltrated to attacker-controlled servers, potentially using domains such as <code>ashersoftlib.com</code> (APT_Bitter) for staging or exfiltration.</li>
<li><strong>Android Exploitation:</strong> In the case of Android_Joker, malicious applications distributed through unofficial channels or app stores communicate with <code>petitle.cloud</code> for command and control, potentially leading to data theft or installation of further malware.</li>
<li><strong>Final Objective:</strong> The final objective of the attack may vary depending on the actor and the target, ranging from data theft and espionage (APT_UNC2465, Lazarus Group, APT_Bitter) to financial gain (Android_Joker) or widespread malware distribution (SmokeLoader, FakeApp, PowerShell Injector).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised systems can be used for a variety of malicious purposes, including data theft, financial fraud, and further propagation of malware. Victims may experience data breaches, financial losses, and reputational damage. The wide range of threat actors involved suggests that various sectors and organizations are at risk. If successful, these attacks can lead to significant financial losses and disruption of business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Block the identified malicious domains and IP addresses at the network perimeter to prevent communication with command-and-control servers (IOC table).</li>
<li>Implement a web proxy filter to block access to URLs associated with malware downloads and phishing campaigns (IOC table).</li>
<li>Monitor network traffic for connections to known malicious domains and IP addresses associated with APT_Bitter, PowerShell Injector, SmokeLoader, and FakeApp (IOC table).</li>
<li>Deploy the Sigma rule to detect network connections to domains associated with PowerShell Injector infrastructure. Tune the rule for your environment (Sigma Rule).</li>
<li>Deploy the Sigma rule to detect network connections to infrastructure associated with FakeApp campaigns, adjusting the rule as needed for your environment (Sigma Rule).</li>
<li>Investigate and remediate any systems that exhibit suspicious network activity or have been identified as compromised based on the IOCs provided (IOC table).</li>
</ul>
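<p>The blocking side of the recommendations above, as an added example that is not part of the CraftedSignal brief or of Maltrail: the domain IOCs named in this brief are turned into a BIND Response Policy Zone (RPZ) so the resolver answers NXDOMAIN for each name and its subdomains, and a response-IP trigger blocks any answer that resolves to a listed address. The IP <code>203.0.113.5</code> is a placeholder from the TEST-NET-3 documentation range because the feed excerpt does not carry the IP column of the IOC table, and the zone origin <code>rpz.local.</code> is an assumption.</p>

```python
"""Generate a BIND Response Policy Zone (RPZ) from the domain and IP IOCs.

Added example, not part of the CraftedSignal brief or of Maltrail. The domains
are the ones named in this brief; the IP 203.0.113.5 is a placeholder from the
TEST-NET-3 documentation range because the feed excerpt does not carry the IP
column of the IOC table. The zone origin rpz.local. is an assumption.
"""
from __future__ import annotations

import ipaddress
import re

# Hostnames from the brief. zapto.org itself is a shared No-IP dynamic-DNS
# parent, so the specific hostnames are listed and the parent deliberately is not.
IOC_DOMAINS = [
    "dax.estate",                # SmokeLoader
    "resistantmusic.shop",       # PowerShell Injector
    "apostile.zapto.org",        # PowerShell Injector (DDNS hostname)
    "googletranslate.zapto.org", # PowerShell Injector (DDNS hostname)
    "ashersoftlib.com",          # APT_Bitter
    "petitle.cloud",             # Android_Joker
]
IOC_IPS = ["203.0.113.5"]  # constructed placeholder, not from the brief

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def valid_domain(name: str) -> bool:
    """Reject junk before it lands in the zone (underscores, empty labels, too long)."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def collapse_domains(domains) -> list[str]:
    """Drop names already covered by a listed parent (a.dax.estate when dax.estate is listed)."""
    kept: set[str] = set()
    for d in sorted({normalize(x) for x in domains}, key=lambda x: x.count(".")):
        labels = d.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            kept.add(d)
    return sorted(kept)


def rpz_ip_trigger(ip_or_cidr: str) -> str:
    """Encode an IPv4 address or prefix as an RPZ response-IP trigger.

    RPZ spells 192.0.2.1/32 as '32.1.2.0.192.rpz-ip': prefix length first,
    then the octets reversed, then the rpz-ip suffix.
    """
    net = ipaddress.ip_network(ip_or_cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv6 triggers are not handled in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def build_rpz(domains, ips, serial: int, origin: str = "rpz.local.") -> str:
    """Return zone-file text. 'CNAME .' makes the resolver answer NXDOMAIN."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in collapse_domains(domains):
        if not valid_domain(d):
            raise ValueError(f"invalid domain IOC: {d!r}")
        lines.append(f"{d} CNAME .")    # the name itself
        lines.append(f"*.{d} CNAME .")  # and every subdomain
    for ip in ips:
        # response-IP trigger: fires when any answer resolves to this address,
        # whatever name was queried
        lines.append(f"{rpz_ip_trigger(ip)} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz(IOC_DOMAINS, IOC_IPS, serial=2026022701), end="")
```

<p>Load the zone with a <code>response-policy { zone "rpz.local"; };</code> statement in <code>named.conf</code> and enable the <code>rpz</code> logging category, otherwise blocking removes the very DNS telemetry the monitoring recommendation depends on. If you would rather keep full visibility of the infected host&rsquo;s follow-up traffic, replace <code>CNAME .</code> with a CNAME to a sinkhole you control. Bump the serial on every regeneration or secondaries will keep serving the old list.</p>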
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>maltrail</category><category>threat-intelligence</category><category>apt</category><category>malware</category></item></channel></rss>