S1215 Binary Validator
Binary Validator is a Mach-O binary file used during Operation Triangulation.1 Binary Validator first collects information about the device, such as the device’s phone number and a list of installed applications, before the deployment of the TriangleDB implant. After the actions are completed and the data is collected, Binary Validator encrypts and sends the data to the C2 server, and in turn, the C2 server sends the TriangleDB implant.
| Item | Value |
|---|---|
| ID | S1215 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 27 March 2025 |
| Last Modified | 02 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1533 | Data from Local System | Binary Validator has searched for and has deleted the malicious iMessage attachment used in the initial access phase in various databases.1 |
| mobile | T1627 | Execution Guardrails | Binary Validator has checked if the device is jailbroken.1 |
| mobile | T1646 | Exfiltration Over C2 Channel | Binary Validator has exfiltrated collected data to the C2 server.1 |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | Binary Validator has deleted crash logs which may have been created during the initial exploitation phase stored in /private/var/mobile/Library/Logs/CrashReporter.1 |
| mobile | T1424 | Process Discovery | Binary Validator has obtained a list of running processes.1 |
| mobile | T1418 | Software Discovery | Binary Validator has obtained a list of installed applications.1 |
| mobile | T1422 | System Network Configuration Discovery | Binary Validator has collected the device’s phone number and IMEI.1 |