RE: https://infosec.exchange/@_r_netsec/116220859869337905

Wow, nice work.
I wonder who the author is.

A very interesting technical read.
Static analysis complemented by behavioural network monitoring, diving into the guts of the macOS infostealer worm injected into a VS Code plugin during the Glassworm v2 campaign. 👀

It's hefty and resilient, with a neat division of the theft work between AppleScript and Node.js.

The deobfuscated samples have also been made available on #malwarebazaar

https://bazaar.abuse.ch/sample/d72c1c75958ad7c68ef2fb2480fa9ebe185e457f3b62047b31565857fa06a51a/

#CyberVeille #MacSecurity #macOS #Malware #ThreatIntel #Glassworm
👇

I asked the 🐈

It's horribly well put together.

https://mermaid.live/edit#pako:eNp9VlFz2jgQ_is7frg-NAFsDCTczN0Q0zQ0CXExTTtVbm6EEaDGtlxJTpNmcr_neL9_wB-7lWyIaTP1E7K-Xe9---0uj04s5szpO4tEfItXVGqYDm8ywGdA3txrlikuMriOIEAcNCEopBISYpHmUqRcMVCFhKucGdCnv-Dw8A84IVmeQi4Zz5SmSdL4ov4qfZ7Y-4CE9CERdA4xjVebNeRUgtKb9ZJmYilpvuIMPmTchFYZBtZwSIabdbzii4VkKcs0DN5Eh16nexicBBVwaIFvSKTpkoEL5jNM4mV5_cZen5KBxtQ0Alqwje3UXr19jB4wlH9TBsEowoRloTDJP59K0FsEwVXBLfYziYTUfBujvRsjW-bujEw2ayWSQhv-kLrk1YfJBQQe3HEKkUhoRiu7M2swItPNOjHpUbkss8srlmZUsa6PTvKCK0gwMq8yHVnTdyRAQ3gNo2vDCMxpZmAKVswkr-BsOg0ri3fW4vwHIqvLc3t5UZHX3rF2Yd9fuuRE0ixeGV77WDBGEyZhkOcJi2LJ862bCu7t4B7C70TCUCljrOmzHipkm4QYJkexZDHbv_JRhRhqSSNP0816zikWbl7AZDDdRaiKmRUORC7sPvtzZOa5dK3nsUuuRQIZveNLdIiyhmBlJF2kyOQpl2wh7mtm48rMI4EQtxzZbaK4lihx_EELLRY8SfAn2zWN0kIij3UfXumjTdxOC0ZDBfNXO7yCb9grrB7quF3iffLRXiGeqVst8jrGLzEdKwIFUXSGUQw-RhBLNjfBjYXGaC0ZdbtOadclEV1QybGly7Rel2nBLXtALfKsbtMtbXpkKOLCCEfBb4n-3bTR5Ukd2CuBR-TUdMh1OK5fHpWXxyTicMHmSyabU8m-41jJJaZg3fYBlZknNN62goQ7oxHkVUvxhWZcbdZ7-RyXnf_JRcVgLbSkVjNG-xBeRVNrD83c27LHsvnP8vGe5bMvVSudsn5XpXS0uMXKwVuuz4rZCyivjhqHly9A2mSK2WGgd8wIR9LYKHFHPapT8wU0sudBaJ4rt0rV-3WqRk91M29rVnvX3n_3IidtqPcnyiOme1K6LJ2ELgmwfmUsF7RAEgdLUzxcFo1CMWnzQCdSN_IEvdVchGVKoUcq1rerwc6yf5qNWGQLvmwqHM4sbTbmVNOm9fdFNet-yhzDNsHpACydUfm1QDe4nqopasbv4SG7o3VqwioDn5wzlg8SUw_JkjJdhrIUMVPqV7rxwX6RFjATYm_clP35HskRWcbuDTmRiG-Zboyu7PLMsUXA7x0dv2DlkUkVBg687cQ1KVga_1Y_DbfKrk2GUuQ5gmc8ozjMKikZUypx8mOCn0chlDtgv5O2PnzcA8UMdIFhJzANQpwl0VVwHv2CB9xve4uPmepnWm7-q68t80xcMjybwgnXUyHl8w6ydx45Re3OaHxbrUpIWSrqrThpGz5REuaTfRiFB4D7VW13pjqA2IzDA1hRtWJ7lj4JVvRrwbBSGqucF7ME_28kFEqNAYZVh-NgFWlKM5QufsgIB95FSOKMY98hs3Vsl1R1wQKb0YsrIC8PdVQPixrvxPDabo9DHNabdUplbWXUCH5f9sekUx3LEk265TGsjr0tfFLB29XR2z-2K0nuH7394w9gf-848Z0DZyn53OlrWbADJ2UypeboPBrgjaNXOLlvnD7-nLMFLRJ949xkT2iW0-yzEOnWUopiuXL6C5ooPBU5tjYbcop6eoYgE0wGosi00_e61oXTf3TunX6nddzoed1Wr33kH3U8z-8cOA9Ov9tqtF2v03J918X33c7TgfPdfrTVOOp1Wvh4Lb_X67je0_8UKlqd

Well, plot twist! The thing pivots to Windows.

"On March 16, a new Solana memo appeared on the published #GlassWorm wallet (28PKnu, documented by Truesec in October 2025) at 11:42 UTC with a kill-switch toggle set to OFF and a live payload URL. The campaign had reactivated. The payload was not the macOS stealer from Parts 1 and 2. It was a 202KB JavaScript file targeting Windows, bundling native DLLs, a Chrome browser extension disguised as "Google Docs Offline", a DPAPI credential dumper, and exfiltration to a previously unseen server."
👇
https://codeberg.org/tip-o-deincognito/glassworm-writeup/src/branch/main/PART3.md

glassworm-writeup - GlassWorm macOS infostealer: static analysis, live C2 monitoring, and IoCs