Two malvertising campaigns distributed trojanized text editors (Notepad-- and VNote) to users, delivering a Geacon-based backdoor called DPysMac64 (Geacon is a Go reimplementation of the Cobalt Strike beacon). The operation relies on fake download sites, a downloader/updater chain, and a Geacon-style payload whose DNS/HTTPS C2 sits at dns.transferusee[.]com, giving the operators remote control of macOS and Linux systems. #DPysMac64 #Geacon #VNote #Notepad--
Key points
- The threat spreads via malvertising in search results: ads shown for Notepad++ and VNote queries lead to fake download pages.
- Two related cases were observed, with malicious Notepad-- and VNote builds surfacing in search results and advertising blocks.
- The macOS payload (Notepad--) ships as a DMG whose main executable has been modified to launch a downloader that fetches further payloads.
- The downloader retrieves the next stage from update.transferusee[.]com and executes it; the request URL incorporates the MD5 hash of a device identifier (the serial number on macOS, the MAC address on Linux).
- The final backdoor, DPysMac64, is a Geacon-style implant with its C2 at dns.transferusee[.]com and a capability set comparable to Geacon/BeaconTool.
- DPysMac64 supports a broad command set (SSH, process listing, screenshots, file operations, port scanning, etc.) and includes service/launch options for persistence.
- The trojanized Linux and macOS installers carry the same internal modifications, pointing to a single cross-platform backdoor family and a likely Linux variant alongside the macOS one.
MITRE Techniques
- [T1189] Drive-by Compromise – The malicious resource appeared in the advertisement block of the search results; on inspection the page is inconsistent (vnote in the URL, a Notepad-- image where Notepad++ is expected) and the package it serves contains Notepad--. “The malicious site found in the notepad++ search is distributed through an advertisement block…”
- [T1105] Ingress Tool Transfer – The payload is downloaded from update.transferusee[.]com and executed; the updater is fetched before the backdoor runs.
- [T1082] System Information Discovery – The downloader hashes the device's serial number with MD5; the serial is obtained by GetComputerUUID, which runs ioreg to extract it. “MD5: … GetComputerUUID …”
- [T1059] Command and Scripting Interpreter – The backdoor presents a list of commands to perform actions; “The backdoor contains the following list of commands:”
- [T1021.004] Remote Services: SSH – CmdSSH creates an SSH connection to the target system.
- [T1057] Process Discovery – CmdList/ProcessList functionality retrieves a list of running processes.
- [T1115] Clipboard Data – CmdClipboard reads clipboard contents.
Indicators of Compromise
- [Domain] vnote[.]info – Fake Notepad--/VNote distribution site promoted through ads and fake download pages.
- [Domain] vnotepad[.]com – Fake VNote site linked from the application's About window; its certificate ties it to vnote[.]info.
- [Domain] update.transferusee[.]com – Updater/downloader host used to fetch the next stage (DPysMac64).
- [Domain] dns.transferusee[.]com – C2 domain used by DPysMac64.
- [URL] hxxp://update.transferusee[.]com/onl/mac/ – macOS updater URL (request keyed by the MD5 of the device serial number).
- [URL] hxxp://update.transferusee[.]com/onl/lnx/ – Linux updater URL (request keyed by the MD5 of the MAC address).
- [File Hash] 00fb77b83b8ab13461ea9dd27073f54f – MD5 of the macOS Notepad‑‑ DMG payload.
- [File Hash] 6ace1e014863eee67ab1d2d17a33d146 – MD5 of the macOS Notepad‑‑ executable inside the DMG.
- [File Hash] 43447f4c2499b1ad258371adff4f503f – MD5 associated with the DPysMac64 payload file.
- [File Path] /tmp/updater – Downloader dropped by the trojanized editor; it fetches the final backdoor stage.
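The updater-URL derivation described in the key points and the indicators listed above can be combined into a small hunting script. The following is an added example written for this page, not code from the Securelist write-up or from the malware itself: it hashes a device identifier the way the page describes (MD5 of the serial number on macOS, of the MAC address on Linux), scans proxy log lines for the listed domains and updater paths, and looks up file hashes against the listed MD5s. The proxy log format, the sample serial and client IPs, and the assumption that the MD5 appears as the last path segment after /onl/mac/ or /onl/lnx/ are this example's, not the page's.

```python
"""Hunting helpers for the trojanized Notepad--/VNote -> DPysMac64 chain.

Added example written for this page; it is not code from the Securelist
write-up. The indicators are the page's; the URL layout and the
identifier normalisation are assumptions and are marked as such.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Network indicators from the page, with the [.] defanging removed for matching.
IOC_DOMAINS: Dict[str, str] = {
    "vnote.info": "fake Notepad--/VNote download site",
    "vnotepad.com": "fake VNote site (linked from the About window)",
    "update.transferusee.com": "updater/downloader host",
    "dns.transferusee.com": "DPysMac64 C2",
}

# File indicators from the page (MD5 hex digests).
IOC_MD5: Dict[str, str] = {
    "00fb77b83b8ab13461ea9dd27073f54f": "Notepad-- DMG (macOS)",
    "6ace1e014863eee67ab1d2d17a33d146": "Notepad-- executable inside the DMG",
    "43447f4c2499b1ad258371adff4f503f": "DPysMac64 payload",
}

# ASSUMPTION: the page says the updater URL embeds the MD5 of a device
# identifier; here it is modelled as the last path segment after
# /onl/mac/ (macOS) or /onl/lnx/ (Linux). A request for the bare directory
# (the form listed on the page) still matches, with no id.
UPDATER_PATH = re.compile(r"^/onl/(?P<os>mac|lnx)/(?P<id>[0-9a-f]{32})?/?$")

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def expected_updater_id(identifier: str) -> str:
    """MD5 of the identifier the updater hashes into its URL.

    macOS: the serial number (the page: GetComputerUUID reads it via ioreg).
    Linux: the MAC address. ASSUMPTION: the raw string is hashed as-is, with
    no case folding or separator stripping.
    """
    return hashlib.md5(identifier.encode()).hexdigest()


def lookup_md5(hexdigest: str) -> Optional[str]:
    """Return the page's label for a known-bad MD5, else None."""
    return IOC_MD5.get(hexdigest.lower())


def classify_url(url: str, known_ids: Optional[Set[str]] = None) -> Optional[str]:
    """Return a reason string if the URL touches campaign infrastructure."""
    known_ids = known_ids or set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IOC_DOMAINS:
        return None
    reason = f"{host}: {IOC_DOMAINS[host]}"
    m = UPDATER_PATH.match(parts.path)
    if m:
        reason += f" (updater request, {m.group('os')})"
        if m.group("id") and m.group("id") in known_ids:
            reason += ", id matches a monitored host"
    return reason


def scan_proxy_log(
    lines: List[str], host_ids: Optional[Dict[str, str]] = None
) -> List[Tuple[int, str, str]]:
    """Flag log lines that hit the campaign.

    host_ids maps client IP -> the updater id expected for that host, so a
    request carrying the right hash can be tied back to the victim machine.
    Returns (line number, client IP, reason) tuples.
    """
    host_ids = host_ids or {}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line; a real scanner would count these
        known = {host_ids[m["client"]]} if m["client"] in host_ids else set()
        reason = classify_url(m["url"], known)
        if reason:
            hits.append((n, m["client"], reason))
    return hits


# Constructed sample data: a made-up serial and four synthetic proxy lines.
SAMPLE_SERIAL = "C02ABC123DEF"
SAMPLE_ID = expected_updater_id(SAMPLE_SERIAL)
SAMPLE_LOG = [
    "2024-03-20T10:01:02Z 10.0.0.5 GET http://update.transferusee.com/onl/mac/ 200",
    f"2024-03-20T10:01:03Z 10.0.0.5 GET http://update.transferusee.com/onl/mac/{SAMPLE_ID} 200",
    "2024-03-20T10:01:04Z 10.0.0.7 GET https://notepad-plus-plus.org/downloads/ 200",
    "2024-03-20T10:01:05Z 10.0.0.5 GET http://dns.transferusee.com/ 200",
]

if __name__ == "__main__":
    for n, client, reason in scan_proxy_log(SAMPLE_LOG, {"10.0.0.5": SAMPLE_ID}):
        print(f"line {n} {client}: {reason}")
```

The domain match is the reliable part; the per-host id match is only as good as the assumption about how the identifier is hashed, so a hit on the bare /onl/mac/ or /onl/lnx/ directory is reported on its own and the id match is reported as an extra, not a precondition.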
Read more: https://securelist.com/trojanized-text-editor-apps/112167/