"Dodgy" FabFilter Mac installer from team GMATIC left "CoreAudio.app" on system

Discussion in 'Mac / Hackintosh' started by Vaultnaemsae, Feb 28, 2025 at 6:01 PM.

  1. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined: Jun 28, 2017 | Messages: 6 | Likes Received: 0
    I was running on not much steam after a very long day and installed plugins using a re-uploaded FabFilter installer from team GMATIC. It installed an unusual "CoreAudio.app" application on the system. I removed it using an app removal utility for macOS.

    The original link has since been removed from the site -- within hours.

    The release team was unfamiliar, but I didn't notice until the installer had completed.

    What kind of nastiness have I potentially exposed myself to?
     
  3. ArticStorm

    ArticStorm Moderator Staff Member

    Joined: Jun 7, 2011 | Messages: 8,040 | Likes Received: 4,157 | Location: AudioSexPro
    isn't coreaudio the audio engine on macOS?
     
  4. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined: Jun 28, 2017 | Messages: 6 | Likes Received: 0
    No, not the audio engine. As I posted originally, it installed an iconless application called "CoreAudio.app" to my applications folder.
     
    • Interesting x 1
  5. sisyphus

    sisyphus Audiosexual

    Joined: Apr 29, 2014 | Messages: 1,596 | Likes Received: 679
    Yeah, I'm a little confused as to this myself... There is a core audio driver and whatnot... but I'm not sure what this CoreAudio.app is... or what happened... apparently there was some release deleted or removed by the moderation staff? I missed it, would love to hear more.. :)
     
  6. sisyphus

    sisyphus Audiosexual

    Joined: Apr 29, 2014 | Messages: 1,596 | Likes Received: 679
    Ah ok, I haven't seen that..., WHO released it? I would love to peek at that package if there is something sketch going on....
     
  7. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined: Jun 28, 2017 | Messages: 6 | Likes Received: 0
    I archived the following .rar after the installation: "FabFilter Total Bundle 2025 MacOS U2B GMATIC"

    I do not recall seeing a GMATIC release on the site before.
     
  8. sisyphus

    sisyphus Audiosexual

    Joined: Apr 29, 2014 | Messages: 1,596 | Likes Received: 679
    Yeah, I'm not familiar with that either, and I wouldn't touch it.

    Absolutely vet the releases and teams a little before putting things on your system as you probably have already learned.. ! :)
     
  9. loveriuz

    loveriuz Producer

    Joined: Jan 1, 2022 | Messages: 218 | Likes Received: 97 | Location: East of Jupiter
    TCGMATIC i think their name was

    The last 2 "new" fake "teams", Oneclick and C0ndom uploaded bitcoin miners and some malware, rehashing some old V.R license as their own. Banned ASAP. As this new team...


    so conclusion:
    don't download from a "team" with 1 upload or zero comments and that was registered 1 month ago before first release, if you care about your stuff.
    Stay with the teams that are known. Or...do what you want.:dunno:
    Why it's even possible or allowed to be uploader like that before getting vetted...who knows.
     
  10. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined: Jun 28, 2017 | Messages: 6 | Likes Received: 0
    Already touched! Waiting for something terrible to happen now...
     
  11. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined: Jun 28, 2017 | Messages: 6 | Likes Received: 0
    Thanks for the reply but I wasn't seeking advice on how to approach the site, though it is a good reminder to all. I obviously made an error of judgment and it certainly wasn't intentional.

    What I was wondering was if anybody had any further information on what threats I may have been exposed to and what the "CoreAudio.app" actually is... I doubt it's a good thing. And since it was removed, somebody knows something about it.
     
  12. HoMeCracKeR

    HoMeCracKeR Noisemaker

    Joined: Jun 6, 2013 | Messages: 1 | Likes Received: 3
    I took a quick look at the CoreAudio app from GMATIC that is included in our stolen release and it looks like it is a keylogger / monitoring app so I recommend anyone who has it installed to remove it immediately.

    For anyone who wants to investigate a little more closely, PM me.
     
    • Like x 3
    • Love it! x 1
  13. shinyzen

    shinyzen Audiosexual

    Joined: Sep 28, 2023 | Messages: 883 | Likes Received: 567
    wow! wtf. this, paired with dox-gate that happened earlier in the week is highly suspect. Is somebody attacking the community? Thanks HCiSO for the warning!
     
    Last edited: Feb 28, 2025 at 10:25 PM
  14. omiac

    omiac Moderator Staff Member

    Joined: May 3, 2024 | Messages: 224 | Likes Received: 221
    For obvious reasons I won't go into, this isn't the place to publicly distribute warez / malware, so for you guys offering any related content, whatever it may be, please only do so via PM and only with longtime trusted members of the scene and this community. TY!
     
  15. shinyzen

    shinyzen Audiosexual

    Joined: Sep 28, 2023 | Messages: 883 | Likes Received: 567
    my bad! i edited my comment to have less detail
     
  16. bigpapa23

    bigpapa23 Newbie

    Joined: Today | Messages: 1 | Likes Received: 0
    The "virus" acts as a sort of snippet manager. If you copied & pasted a crypto address that matches the regex of some mainstream crypto, it gets replaced instantly with the "attacker" address. If you haven't sent any crypto with the app running in the background you're safe. Just remove it from the computer and login items.

    TLDR: App monitors your clipboard and if it finds a crypto address it replaces it with the attacker address.
     
    Last edited: Feb 28, 2025 at 11:03 PM
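
The clipboard replacement described in the post above leaves a recognisable trace: one address-shaped value swapped for a different one of the same kind faster than a person could copy it. The following detection sketch is an added example, not part of the thread and not derived from the app itself; the address patterns, the 2-second window and the names `address_kind` and `find_swaps` are assumptions.

```python
import re

# Address shapes only (no checksum validation). Which coins the app matched
# is not stated in the thread; these three patterns are an assumption.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{39,59}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def address_kind(text):
    """Return the name of the pattern the whole text matches, else None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None


def find_swaps(samples, max_gap=2.0):
    """Flag an address replaced by a different address of the same kind.
    samples: time-ordered (seconds, clipboard_text) pairs, e.g. collected by
    polling `pbpaste` (assumption; collection is outside this example).
    max_gap: a swap faster than a person could copy a second address.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(samples, samples[1:]):
        kind = address_kind(before)
        if kind is None or before.strip() == after.strip():
            continue
        if address_kind(after) == kind and t1 - t0 <= max_gap:
            alerts.append({"at": t1, "kind": kind,
                           "copied": before.strip(), "now": after.strip()})
    return alerts


# Constructed samples: address-shaped strings, not real wallets.
MINE = "0x" + "a1" * 20
OTHER = "0x" + "b2" * 20
SAMPLES = [
    (0.0, "bass drum notes"),
    (10.0, MINE),              # user copies their own address
    (10.3, OTHER),             # changed 0.3 s later without user action
    (60.0, "0x" + "c3" * 20),  # 50 s later: plausibly a manual copy
]

if __name__ == "__main__":
    print(find_swaps(SAMPLES))
```

Only the 10.3 s sample is flagged; the later change falls outside the window and is treated as a normal copy.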
  17. shinyzen

    shinyzen Audiosexual

    Joined: Sep 28, 2023 | Messages: 883 | Likes Received: 567
    that's crazy. crypto is already robbing me blind in the last couple weeks, and now bad actors are trying to steal what's left of my sad portfolio :rofl:
    I didn't install it, but sheesh! may they forever have bad luck!
     