SabPub, a Mac OS X backdoor trojan, has been linked to an APT attack known as LuckyCat. The IP address of the C&C to which this bot connects (199.192192.152*) was also used in other Windows malware samples during 2011. The attackers took over the connection and started analysing our fake victim machine. They listed the contents of the root and home folders and even stole some of the files we put in there. We are pretty sure the operation of the bot was done manually which means a real attacker manually checks the infected machines.”]
Source: https://securelist.com/new-version-of-osx-sabpub-confirmed-mac-apt-attacks/33208/