RE: LeoThread 2025-09-06 19:09
Faced another targeting incident on the workstation. A strange pop-up appeared and was dismissed, then the familiar download sound from Finder was heard, signaling file copying.
"That's strange."
It was alarming to see a pop-up indicating the entire documents folder being duplicated to /tmp.
Upon running a quick script to investigate, it was discovered that remote access had been gained, and a copy script was active. Disconnection from the internet was immediate, followed by a thorough examination.
An osascript from the terminal was found copying files to Library/Caches, likely for upload.
The situation was baffling, possibly linked to auto-downloads from messages or other apps like Telegram. The iCloud-synced desktop documents were at risk due to sensitive content.
It's crucial to be vigilant as it's inevitable before becoming a target. A complete system reset was done, and iCloud document syncing might be disabled.
Thankfully, private keys were not involved since @vultisig is used, providing security even with iCloud storing one of the vault shares.
Stay safe!