Jamf Nation

2025-10-28 by Micah Babinski (@mbabinski)

IP Geo-Location Extension Attribute Closely Resembles Keylogger Behavior

Jamf Extension Attributes add extra contextual information to devices managed within Jamf Connect MDM. These extension attributes are defined in an XML format. One commonly used extension attribute, IP Geo-location, available on Jamf GitHub here, uses curl requests to extract IP location information in the exact same way as Nova Logger, a recent variant of Snake Keylogger. This includes the commands:

curl -L -s --max-time 10 http://checkip.dyndns.org
curl -L -s --max-time 10 http://freegeoip.net/xml/<ip_address>

Note: Nova Logger uses reallyfreegeoip[.]org to get the country name of the victim device (slightly different domain).
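A triage sketch for the overlap described above, added here as an example and not taken from Jamf or from the original post: it classifies process events by exact lookup host and by parent process, since the command line alone cannot separate the two cases. The event fields, the `jamf` parent name and the sample events are assumptions constructed for illustration.

```python
import shlex
from urllib.parse import urlparse

# Hosts taken from the page: the first two are requested by the extension
# attribute, the third is the one the page attributes to Nova Logger.
SHARED_HOSTS = {"checkip.dyndns.org", "freegeoip.net"}
NOVA_LOGGER_HOSTS = {"reallyfreegeoip.org"}
# Assumption: parent process name your sensor records for the Jamf agent.
TRUSTED_PARENTS = {"jamf"}

def url_host(cmdline):
    """Return the host of the first http(s) URL argument, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a logged command line
        return None
    for arg in argv:
        if arg.lower().startswith(("http://", "https://")):
            return (urlparse(arg).hostname or "").lower() or None
    return None

def in_set(host, hosts):
    """Exact or subdomain match; a substring test on 'freegeoip' would
    conflate freegeoip.net with reallyfreegeoip.org."""
    return any(host == h or host.endswith("." + h) for h in hosts)

def classify(event):
    host = url_host(event["cmdline"])
    if host is None:
        return "ignore"
    if in_set(host, NOVA_LOGGER_HOSTS):
        return "alert"
    if in_set(host, SHARED_HOSTS):
        # Same command line either way, so the parent is the discriminator.
        return "expected" if event["parent"] in TRUSTED_PARENTS else "review"
    return "ignore"

# Constructed sample events (203.0.113.7 is a documentation address).
EVENTS = [
    {"parent": "jamf", "cmdline": "curl -L -s --max-time 10 http://checkip.dyndns.org"},
    {"parent": "jamf", "cmdline": "curl -L -s --max-time 10 http://freegeoip.net/xml/203.0.113.7"},
    {"parent": "Updater", "cmdline": "curl -L -s --max-time 10 http://checkip.dyndns.org"},
    {"parent": "Updater", "cmdline": "curl -s http://reallyfreegeoip.org/"},
    {"parent": "jamf", "cmdline": "curl -s https://example.com/"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(classify(e), e["parent"], e["cmdline"], sep="\t")
```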

Documentation