MAC USERS CAUTION: This is currently the top (sponsored) Google result for searches like "mac flush DNS cache". It is, quite obviously, malware which is not very reliably detected (6/97 on VT). I suspect some variant of Lumma.
Presentation domain got first logged at CRT on June 4th. Dropper domain icloudservers.com is older, but got moved to CF June 2nd.
1/2
@christopherkunz alias dnsreset='sudo killall -HUP mDNSResponder'
😎
@janl There's no curl and base64 encoded url in there, this must be wrong!
@christopherkunz How can this be a sponsored link? Aren't these checked links?
@Candason You should probably ask Google's "Ad Safety" team. There are at least five different Google Adwords accounts that advertise this malvertising page.
Dr. Christopher Kunz

The site instructs you to curl something base64 encoded, which is a short shell script. The script asks for the sudo password, saves it to /tmp/.pass and downloads the actual malware binary to /tmp/update. I don't have a Mac sandbox to try it out, but I'm fairly certain it's an infostealer type thingy. 2/2

chaos.social