You mean the domain name/ip? I don't know if that's been disclosed. On the next line it indicates the web page mostly just loads some javascript to perform another exploit.

k00b

security

Operation Triangulation: The last (hardware) mystery

> but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage.


do we know what web page it was forwarding to?