Trusted Design

XSLCmd OSX Backdoor

概要

FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd – OSX.XSLCmd – which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009.

Created: 2026-02-23

Indicators

• URL - http://sghost.homeip.net/index.htm -
• FileHash-MD5 - fdb81d9f3b34b579cf34cd65647830cd -
• URL - http://210.211.31.214/img/qq.html -
• FileHash-MD5 - b54be0d6d3aa4d8e839d9bb42870a97b -
• FileHash-MD5 - 4c1918506917005d0026692a6b115ce1 -
• URL - http://59.148.180.62:8080 -
• URL - http://cdi.indiadigest.in:443 -
• FileHash-MD5 - 3d1914c340ab4dfcfae02b7ebf8c0849 -
• hostname - kr.microisoft.net -
• CVE - CVE-2010-1297 -
• URL - http://210.211.31.246/img/so.html -
• FileHash-MD5 - 09b20478f9c22886d3a2d59feada4131 -
• hostname - sghost.homeip.net -
• FileHash-MD5 - f22805b858ed26b9f76f8c24d0573c4b -
• FileHash-MD5 - 21cea8b0f5f894a9e28a1cf05f207798 -
• hostname - neo.lovexfree.com -
• URL - http://lemonawar.blogspot.it/2011/06/iphone-5.html -
• URL - http://61.128.110.38:8000 -
• URL - http://cdi.indiadigest.in:53 -
• FileHash-MD5 - 94218fba95e3f03796dd005a2851b5af -
• hostname - xls.officescan.biz -
• hostname - oracle.windowsnine.net -
• FileHash-MD5 - b27dd51f4b8c863603d3ac684567dbdc -
• URL - http://neo.lovexfree.com:80 -
• hostname - aus.winlogon.net -
• FileHash-MD5 - 93885b17fbadb2662e9cac565502a276 -
• URL - http://180.149.252.137/facebook/face.html -
• FileHash-MD5 - 72dfa4abae68dbf637c4707ebd89f18c -
• URL - http://221.130.190.27/img/eihqs.gif -
• FileHash-MD5 - b0704a540d58551f2d070515b4a7b008 -
• hostname - www.appleupdate.biz -
• URL - http://kr.microisoft.net:443 -
• FileHash-MD5 - 9e7df3d721b9bec3debfd8aa21fb0897 -
• URL - http://210.211.31.246/img/Cinci.html -
• URL - http://110.34.168.188:443 -
• URL - http://182.239.48.127:443 -
• YARA - 327bfc900daf17de437b9bbc41b769639cd0263e -
• FileHash-MD5 - 6fcc96f01b880ec3a046b54497264958 -
• URL - http://210.211.31.246:8080 -
• URL - http://180.149.252.136:443 -
• URL - http://66.90.103.135:443 -
• URL - http://182.239.48.127/swap/mg.html -
• hostname - smtp.allshell.net -
• FileHash-MD5 - fd2db8463d667ec6a5e887df579a05c1 -
• URL - http://76.12.61.116/rr.html -
• hostname - game.pmang-kr.com -
• FileHash-MD5 - 3ea4887d7c054a1cd7ebb662f0a5eb9d -
• hostname - news.lovexfree.com -
• URL - http://210.211.31.214/xslup/tr.bmp -
• FileHash-MD5 - 6b647c625f686f1cd6ccd2cab29dda3b -
• URL - http://184.172.139.10/sp/saic.htm -
• URL - http://120.50.47.28/facebook/face.html -
• URL - http://184.172.139.10/har/har.htm -
• URL - http://210.211.31.246/xslup/tr.bmp -
• domain - appleupdate.biz -
• FileHash-MD5 - e14c1f4781be96fd5967e286c2e44272 -
• FileHash-MD5 - 89698fe58f47d14514f1aae8e2f92c95 -
• URL - http://news.lovexfree.com:80 -
• FileHash-MD5 - 89624f1a3ed028c5880f074a8a5826be -
• FileHash-MD5 - 8826a06995249545d6ade39b0e47ff42 -
• hostname - neo.winlogon.net -
• URL - http://65.111.246.50:443 -
• URL - http://210.211.31.214/qq/ab.bmp -
• URL - http://210.211.31.246:443 -
• FileHash-MD5 - 9763c69840d34b94e46ecd98e0bfa48e -
• URL - http://google-analytics.dynalias.org/intl/images/index.html -
• hostname - google-analytics.dynalias.org -
• FileHash-MD5 - 6c3be96b65a7db4662ccaae34d6e72cc -
• hostname - cdi.indiadigest.in -
• hostname - cdi.vmnet.info -
• FileHash-MD5 - 17119d797ea48f4aa6ab196bed41c467 -
• FileHash-MD5 - 491df38a8fae5627283d4b7e728b3f91 -
• FileHash-MD5 - 2a46174a881e664cf3f557be50a681d1 -
• CVE - CVE-2010-0806 -
• CVE - CVE-2010-2884 -
• URL - http://ns2.windowsnine.net:443 -
• hostname - lemonawar.blogspot.it -
• hostname - ns2.windowsnine.net -
• URL - http://210.211.31.246/img/eihqs.html -
• URL - http://110.34.168.188/rr.html -
• URL - http://xls.officescan.biz:443 -
• URL - http://221.130.190.27/img/so.gif -
• URL - http://oracle.windowsnine.net:1119 -
• URL - http://72.18.128.145:443 -

類似Pulses

• OS X Gatekeeper exploit (score: 0.59)
• XcodeGhost Modifies Xcode, Infects Apple iOS Apps (score: 0.59)
• Mokes: New Family of Cross-Platform Desktop Backdoors Discovered (score: 0.57)
• The return of HackingTeam with new implants for OS X (score: 0.56)
• Backdoor:MSIL/Noobsrat (score: 0.55)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る