@L0Psec
"https://security-att.com//downloads/ATTActiveArmor.dmg shared by @malwrhunterteam - more AMOS. C++ uses crypt(), executes "ugly" osascript via system(). Talks to 185.93.89.62 (known). 9a4b14a7ff3cc6443a2b9e3a95a2259295d5809b81cd5829d12fa87d4e60ed71"
X Link @L0Psec 2025-10-22T11:52Z 2616 followers, 13.2K engagements
"Related to MacSync: 0d5c59fb86a094f4b2d5c170e9fa4a8c401de6267b6d6cd12af45003690aba0b already being detected on VT. Uses simpler XOR with just a X byte key 0x93. (Maybe slightly older version) Same user-agent as the previous sample. 🧵"
X Link @L0Psec 2025-10-26T13:56Z 2616 followers, 1301 engagements
"@antoinedss I don't think it changes much when detecting the execution of osascript; however, this behavior does show launchctl as the parent, which may not be commonly used detection logic for these. This event could potentially be used as a detection itself too."
X Link @L0Psec 2025-10-27T11:51Z 2615 followers, XX engagements