Back to Intelligence

MacSync, OtterCookie & ClickFix Banking Stealer: Multi-Platform Infostealer Surge — OTX Pulse Analysis

SA
Security Arsenal Team
April 14, 2026
5 min read

Recent OTX pulses indicate a coordinated surge in infostealer activity targeting distinct platforms and sectors. The campaign landscape is dominated by the MacSync stealer affecting macOS SLTT (State, Local, Tribal, Territorial) government users via SEO poisoning, and the OtterCookie infostealer attributed to FAMOUS CHOLLIMA (North Korean actors) targeting the technology sector via the npm supply chain.

Simultaneously, threat actors are exploiting the Claude Code leak on GitHub to distribute Vidar and GhostSocks, while a separate ClickFix campaign in Brazil is force-installing malicious Chrome extensions targeting banking customers. All campaigns converge on a primary objective: credential theft, session hijacking (OAuth2 tokens), and financial compromise using Malware-as-a-Service (MaaS) models.

Threat Actor / Malware Profile

MacSync Stealer (macOS)

  • Actor: Unknown (MaaS)
  • Distribution: SEO poisoning, fake ClickFix CAPTCHAs, fake ChatGPT conversations.
  • Payload Behavior: Shifts from fake downloads to shell-based loaders with dynamic AppleScript payloads. Targets cryptocurrency wallets and browser data.
  • Persistence: Utilizes sophisticated shell-based loaders.

OtterCookie / BeaverTail (npm/Node.js)

  • Actor: FAMOUS CHOLLIMA (North Korea)
  • Distribution: "Contagious interview" scheme; malicious npm packages (e.g., variants of big.js) that pull malicious dependencies.
  • Payload Behavior: Infostealer targeting credentials; acts as a loader for other malware like InvisibleFerret.
  • C2: Communicates with specific VPS infrastructure (144.172.x.x).

Vidar / GhostSocks (Windows/GitHub)

  • Actor: Unknown
  • Distribution: Trojanized GitHub repositories masquerading as leaked Claude Code source.
  • Payload Behavior: Vidar (v18.7) steals sensitive data; GhostSocks acts as a proxy/trojan.

ClickFix Banking Stealer (Chrome)

  • Actor: ANTONIO EDUARDO FREDERICO
  • Distribution: Social engineering (ClickFix) leading to force-install via Chrome Cloud Management enrollment tokens.
  • Target: Brazilian banking users (Banco Central do Brasil).

IOC Analysis

The provided indicators span multiple infrastructure types:

  • File Hashes (MD5/SHA256): Associated with MacSync loaders, Vidar stealers, and malicious Chrome extensions. These should be immediately added to EDR blocklists and used to scan historical file logs.
  • Network Infrastructure (IPv4): Heavily utilized by the OtterCookie campaign (144.172.0.0/16 range) and the Vidar/GhostSocks C2. These IPs suggest VPS hosting providers and should be blocked at the perimeter.
  • Domains & URLs: Includes SEO-poisoned domains (houstongaragedoorinstallers.com), C2 domains (cloudapi.stream), and malicious update URLs (xpie348.online). SOC teams should sinkhole these domains and inspect DNS logs for resolution requests.
  • Operationalization: Use SIEM correlation to alert on processes reaching out to cloudapi.stream or the specific 144.172.x.x subnet. Decode the .xml URLs from the ClickFix pulse to identify specific extension IDs.

Detection Engineering

Sigma Rules

YAML
---
title: Potential MacSync Stealer Activity - macOS
description: Detects execution of AppleScript via shell often used by MacSync loaders following a download.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6616a9b1f4ac2e3d93a9f9b1/
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/bin/sh'
        CommandLine|contains: 'osascript'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Suspicious Node.js Child Process - OtterCookie
description: Detects Node.js spawning PowerShell or cmd, a behavior observed in npm-based supply chain attacks like OtterCookie.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6616a9b1f4ac2e3d93a9f9b2/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    parent:
        Image|endswith: '\node.exe'
    child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    condition: parent and child
falsepositives:
    - Legitimate development build scripts
level: high
---
title: Chrome Extension Policy Registry Modification - ClickFix
description: Detects modifications to Chrome Extension Install Policies which may indicate force-installation via Cloud Management tokens.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6616a9b1f4ac2e3d93a9f9b3/
tags:
    - attack.persistence
    - attackT1542.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist'
    condition: selection
falsepositives:
    - IT administration management
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known C2 infrastructure from OtterCookie and Vidar campaigns
let C2IPs = dynamic(['144.172.110.228', '107.189.22.20', '147.45.197.92', '94.228.161.88', '144.126.135.238', '144.126.140.33']);
DeviceNetworkEvents
| where RemoteIP in (C2IPs) or RemoteUrl contains "cloudapi.stream" or RemoteUrl contains "xpie348.online"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
| extend IOCHit = "OTX-Pulse-C2"

PowerShell Hunt Script

PowerShell
<#
    OTX Pulse IOC Hunter - MacSync, OtterCookie, Vidar, ClickFix
    Scans for running processes connecting to malicious IPs and checks for specific file hashes.
#>

$MaliciousIPs = @(
    '144.172.110.228', '144.172.110.96', '144.172.110.132', 
    '147.45.197.92', '94.228.161.88', '144.126.140.33'
)

Write-Host "[+] Checking active network connections for malicious C2 IPs..."
$Connections = Get-NetTCPConnection -State Established

foreach ($IP in $MaliciousIPs) {
    $Hits = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Hits) {
        $Processes = $Hits | ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue }
        Write-Host "[!] ALERT: Connection to $IP detected from process:" -ForegroundColor Red
        $Processes | Select-Object ProcessName, Id, Path
    }
}

# Check for specific MacSync File Hashes (if files present on disk)
$TargetHashes = @(
    '5190ef1733183a0dc63fb623357f56d6', 
    '866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1'
)

Write-Host "[+] Scanning user download folders for MacSync stealer hashes..."
$Users = Get-ChildItem -Path "C:\Users" -Directory
foreach ($User in $Users) {
    $Downloads = Join-Path -Path $User.FullName -ChildPath "Downloads"
    if (Test-Path $Downloads) {
        Get-ChildItem -Path $Downloads -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] CRITICAL: Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}


# Response Priorities

*   **Immediate:**
    *   Block all identified IP ranges (144.172.x.x, 94.228.x.x) and domains (cloudapi.stream, xpie348.online) at the firewall and proxy.
    *   Quarantine endpoints matching the provided file hashes (MD5/SHA256).
    *   Disable any Chrome extensions force-installed via policy that do not originate from corporate whitelists.

*   **24 Hours:**
    *   Initiate credential verification and password resets for accounts accessed from infected machines, specifically targeting Google/Microsoft O365 sessions and cryptocurrency wallets.
    *   Review npm package supply chains; block access to the specific malicious package versions mentioned in the OtterCookie pulse.

*   **1 Week:**
    *   Harden macOS endpoints against ClickFix by restricting the execution of unsigned AppleScript payloads.
    *   Review GitHub repository permissions and educate developers on the risks of cloned/trojanized repositories related to the "Claude Code" leak.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsmacsync-stealerottercookieclickfixvidar-stealernpm-supply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action