Adam Kohler (@AdamJKohler)
Father | Husband | macOS Detection Engineer and Malware Researcher
Broomfield, CO · Joined July 2010
227 Following · 242 Followers · 1.7K posts

Adam Kohler @AdamJKohler:
New on the Iru blog: MiniRAT, a Go macOS RAT delivered via a compromised npm package (velora-dex-sdk). iru.com/blog/minirat

Adam Kohler @AdamJKohler:
macOS infostealers (e.g., AMOS): no exploit → user execution → data theft. Fake apps + terminal lures are still very effective. iru.com/blog/atomic-st…

Adam Kohler reposted:
L0Psec @L0Psec:
Here's an interesting one shared by @malwrhunterteam: 1f174bb02bdf4758bfdde788bd581a8ff18378c223321c69ab5c9da8a2b6e342. Nim-compiled, collects system info and sends via Telegram API bot net comms. 1 VT hit and code insights has a pretty good summary. 🧵 Let's dig in.

Adam Kohler @AdamJKohler:
This was an awesome training! If you have the opportunity to take it you should! #macOS #Vulnerability
Quoting Csaba Fitzl @theevilbit:
Last week we piloted our "macOS Vulnerability Researcher" training with @gergely_kalman privately at @officiallyiru. We delivered the training for our entire Threat Intel team, and some of our Solution Engineers. It was super cool, all the students were amazing and we had plenty of interactions. We, as trainers, also learned a lot. We are looking forward now to our first public offering, which will be in Seoul, South Korea, at Zer0Con. This will be the only training this year in Asia, and there are still a few places left; if you are interested you can sign up here: zer0con.org

Adam Kohler @AdamJKohler:
A write-up by Iru's security researcher Calvin So breaks down a macOS malware loader delivered via fake music plugins. The analysis walks through a multi-stage execution chain in which Mach-O binaries and scripts launch sequential payloads that ultimately deploy info stealers like Odyssey and MacSyncStealer, relying on ClickFix-style prompts for initial access. Check it out! the-sequence.com/macos-malware-…

xiu @osint_barbie:
Me seeing how vendors name any macOS stealer as AMOS 🥲😂

Adam Kohler @AdamJKohler:
Here are some hashes related to the macOS version of the MonetaStealer.
4885adc9de7e91b74a3ac01187775459acf3e4e026ee2fa776b3419cf8dbaf00
1a5027adf99076470444c5ffdd83a4313ab1d21827700699d0ee6ab1337beb70
6f746388853178a3b4c2c91a6bd98438fb59e760caa273a8d6a4c03936498c39

Adam Kohler reposted:
Iru @officiallyiru:
The worm has awakened, and it’s hungry for your source code. Shai-Hulud 2.0 is a self-propagating NPM nightmare that turns your GitHub runners into attacker-controlled C2 channels. Two of our threat intelligence researchers break down Shai-Hulud 2.0 in this video, and explain how to remediate for it.

Adam Kohler reposted:
Iru @officiallyiru:
How does a single compromised NPM package become a self-replicating supply chain threat? Our threat intelligence team's research breaks down Shai-Hulud: a sophisticated malware campaign that weaponizes GitHub Actions, steals developer credentials, and propagates automatically through the NPM ecosystem. Deep-dive here: the-sequence.com/investigating-…

Adam Kohler reposted:
Csaba Fitzl @theevilbit:
🎉 My new blog post is about a PackageKit vulnerability I learned from @p1tsist1p's blog posts. 🍎🐛 macOS LPE via the .localized directory. I tried convincing Apple to universally fix it with no luck. Go hunt for vulnerable pkg installers! There is a ton :-( Happy Friday! theevilbit.github.io/posts/localize…

Adam Kohler @AdamJKohler:
@L0Psec The code insights are actually pretty good with these samples on VT.

L0Psec @L0Psec:
IOCs: 7a8fc48ce4df4448b91a1e6b66410cca6993ac072cb12860b9cfa6438b25ed8e (2 detections on VT currently) domains: nfs8u9aw[.]shop ad4rchr39w8f[.]fun Steam and Telegram username: phefuckxiabot (bad word 🫤)

L0Psec @L0Psec:
Alright, here's another interesting one. More infostealer stuff, but worth a look. There's a couple of parts to this so I'll attempt to summarize. Thanks @malwrhunterteam for sharing :) Starting with the initial Mach-O (readable strings?!?!). Ugly plist for persistence. 🧵

L0Psec @L0Psec:
Looks like a potential new MacSync Stealer variant. From: hxxps[:]//applegrowe. com/curl/7642f7bcd50f72ae34bfc24a29c8f294d257918d5bf3acdad800fc10a16e686d 🧵Let's look into it. :)
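The indicators scattered through the posts above (the MonetaStealer hashes, the Nim sample hash, L0Psec's stealer hash and domains, and the MacSync-style download URL) are pasted in the defanged form threat-intel accounts use, including a stray space in the URL host. The script below is an added example, not code from Adam Kohler, L0Psec or Iru: it refangs that text, pulls out SHA-256s, URLs and bare domains, defangs them again for sharing, and hashes a directory tree against the IOC set. The helper names are mine, and the files created in the demo scan are constructed stand-ins, not real samples.

```python
"""Refang, extract and act on the IOCs posted in the feed above.

Added example; not code from Adam Kohler, L0Psec or Iru.
"""
import hashlib
import os
import re
import tempfile

# IOCs copied from the posts above, in the defanged form they were posted.
RAW_IOCS = """
4885adc9de7e91b74a3ac01187775459acf3e4e026ee2fa776b3419cf8dbaf00
1a5027adf99076470444c5ffdd83a4313ab1d21827700699d0ee6ab1337beb70
6f746388853178a3b4c2c91a6bd98438fb59e760caa273a8d6a4c03936498c39
1f174bb02bdf4758bfdde788bd581a8ff18378c223321c69ab5c9da8a2b6e342
7a8fc48ce4df4448b91a1e6b66410cca6993ac072cb12860b9cfa6438b25ed8e
domains: nfs8u9aw[.]shop ad4rchr39w8f[.]fun
From: hxxps[:]//applegrowe. com/curl/7642f7bcd50f72ae34bfc24a29c8f294d257918d5bf3acdad800fc10a16e686d
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text):
    """Undo the defanging conventions seen in threat-intel posts."""
    text = re.sub(r"hxxp(s?)", r"http\1", text, flags=re.IGNORECASE)
    text = text.replace("[:]", ":")
    # [.] (.) {.} [dot] -> .
    text = re.sub(r"[\[({]\s*(?:\.|dot)\s*[\])}]", ".", text, flags=re.IGNORECASE)
    # "applegrowe. com": a space slipped in after the dot inside a URL host
    text = re.sub(r"(https?://[a-z0-9.-]+)\.\s+([a-z]{2,6})(?=[/\s]|$)",
                  r"\1.\2", text, flags=re.IGNORECASE)
    return text


def defang(text):
    """Make indicators safe to paste: http -> hxxp[:], dots in hosts -> [.]"""
    text = re.sub(r"http(s?)://", r"hxxp\1[:]//", text, flags=re.IGNORECASE)
    return DOMAIN_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def extract(text):
    """Return sorted, lower-cased SHA-256s, URLs and bare domains."""
    clean = refang(text).lower()
    urls = sorted(set(URL_RE.findall(clean)))
    # The 64 hex chars at the end of the download URL are kept as a hash:
    # that is how a sample's own digest is usually given beside its URL.
    hashes = sorted(set(SHA256_RE.findall(clean)))
    domains = sorted(set(DOMAIN_RE.findall(URL_RE.sub(" ", clean))))
    return {"sha256": hashes, "urls": urls, "domains": domains}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, hashes):
    """Hash every regular file under root; return (path, sha256) for IOC hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, fifos, dangling links
                continue
            try:
                digest = sha256_of(path)
            except OSError:  # unreadable file: report nothing, keep scanning
                continue
            if digest in hashes:
                hits.append((path, digest))
    return hits


def demo_scan():
    """Constructed demo: two harmless temp files; one file's hash is added to
    the IOC set to stand in for a sample, since the real binaries are not here."""
    iocs = set(extract(RAW_IOCS)["sha256"])
    with tempfile.TemporaryDirectory() as root:
        stand_in = os.path.join(root, "Updater")  # constructed name
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in, not a real sample\n")
        with open(os.path.join(root, "README.txt"), "wb") as f:
            f.write(b"unrelated file\n")
        iocs.add(sha256_of(stand_in))
        hits = scan_tree(root, iocs)
    return [os.path.basename(p) for p, _ in hits]


if __name__ == "__main__":
    for kind, values in extract(RAW_IOCS).items():
        print(kind)
        for v in values:
            print("  ", defang(v))
    print("matches in demo tree:", demo_scan())
```

Point `scan_tree` at `~/Library/LaunchAgents`, `~/Downloads` or a mounted image and pass it the `sha256` set from `extract`; the output of `defang` is what you paste back into a post or ticket.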

Adam Kohler @AdamJKohler:
It’s always fun to find new malware and pass it off to @L0Psec to do his thing! This is an advanced multi-stage malware written in Rust. It’s been a while since we have seen something specifically look for @patrickwardle tooling.
Quoting L0Psec @L0Psec:
New RE Blog Post: RustyPages-Pt1 the-sequence.com/rustypages-mal… We RE a Rust dropper that sets persistence and runs the downloaded next stage, queries @patrickwardle's tools, and quiets notifications. We included relevant IOCs as we continue our analysis of the loader for Part 2. :)

Adam Kohler reposted:
L0Psec @L0Psec:
New RE Blog Post :) kandji.io/blog/pasivrobb… This one is different from our previous posts. Our team analyzed a software suite which targets applications like WeChat and QQ. We weren't sure what to think of it, but as we dug deeper we felt it was best to share our findings.

Adam Kohler @AdamJKohler:
Sometimes the line between malware and security tools is blurred. Kandji's deep dive into PasivRobber, a stealthy macOS software suite, reveals a sophisticated tool harvesting data from apps like WeChat, QQ, and browsers. Possibly state-backed. 👀 🔗 kandji.io/blog/pasivrobb…