Researchers discovered a ClickFix-style macOS lure (macclouddrive.com/s2) that tricks users into pasting a Terminal one-liner which downloads a daemonized Zsh stager that executes a remote AppleScript to harvest browser credentials, Keychain data, crypto wallets, and other sensitive files. The campaign uses the MacSync infostealer with rotating jmpbowl.* C2 domains and conditionally trojanizes Electron wallet apps (Ledger Wallet.app, Trezor Suite.app) to capture PINs and recovery phrases for long-term phishing. #MacSync #jmpbowl
JA3 TLS fingerprints are still useful as durable, tool-level behavioral indicators that can reveal new malicious tooling and enable clustering of related activity when enriched with context. ANY.RUN shows how JA3 frequency analysis and TI Lookup link specific JA3 hashes to malware and exfiltration channels, e.g., Remcos and Skuld. #Remcos #Skuld…
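To make the frequency-analysis idea concrete, here is an added example (not ANY.RUN's code or tooling) that builds a JA3 string from ClientHello components, drops GREASE values so the fingerprint stays stable per tool, and then runs a rarity check over a constructed TLS log: a hash seen from only a couple of hosts, to a bare IP with no SNI, is enriched against a small threat-intel table. The log records, the placeholder hashes and the `TI_LOOKUP` table are all constructed for the example; the `analyze_ja3` function and its `max_sources` threshold are assumptions, not a vendor API.

```python
import hashlib
import json
from collections import defaultdict


def is_grease(value: int) -> bool:
    # GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa: both bytes equal, low nibbles 0xa.
    # They are randomised per connection, so they must be excluded or the hash changes every time.
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.
    Each list is '-'-joined decimal values in ClientHello order; GREASE entries are dropped."""
    parts = [str(version)]
    for values in (ciphers, extensions, curves, point_formats):
        parts.append("-".join(str(v) for v in values if not is_grease(v)))
    return ",".join(parts)


def ja3_hash(fingerprint: str) -> str:
    # JA3 is the MD5 of the string above; MD5 is used here only as a fingerprint, not for security.
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


# Constructed placeholder hashes and log records (JSON lines, one per ClientHello); not real captures.
BROWSER_JA3 = "a" * 32  # widely shared client stack across the fleet
RARE_JA3 = "b" * 32     # one host, repeated connections to a bare IP, no SNI
SAMPLE_LOG = "\n".join(json.dumps(r) for r in (
    [{"src": f"10.0.0.{i}", "dst": "198.51.100.5", "sni": "example.com", "ja3": BROWSER_JA3} for i in range(1, 6)]
    + [{"src": "10.0.0.7", "dst": "203.0.113.10", "sni": "", "ja3": RARE_JA3} for _ in range(4)]
))

# Constructed stand-in for a threat-intel lookup result keyed by JA3 hash.
TI_LOOKUP = {RARE_JA3: "Remcos (constructed label)"}


def analyze_ja3(log_text: str, ti_lookup: dict, max_sources: int = 2) -> dict:
    """Group connections by JA3, keep hashes seen from few sources, and enrich them with TI context."""
    stats = defaultdict(lambda: {"sources": set(), "destinations": set(), "connections": 0, "no_sni": 0})
    for line in log_text.splitlines():
        rec = json.loads(line)
        s = stats[rec["ja3"]]
        s["sources"].add(rec["src"])
        s["destinations"].add(rec["dst"])
        s["connections"] += 1
        if not rec.get("sni"):
            s["no_sni"] += 1  # bare-IP C2 often omits SNI; worth surfacing alongside rarity
    findings = {}
    for ja3, s in stats.items():
        if len(s["sources"]) > max_sources:
            continue  # common client stack; rarity alone says nothing here
        findings[ja3] = {
            "sources": sorted(s["sources"]),
            "destinations": sorted(s["destinations"]),
            "connections": s["connections"],
            "no_sni": s["no_sni"],
            "label": ti_lookup.get(ja3, "unknown"),
        }
    return findings


if __name__ == "__main__":
    fp = ja3_string(771, [0x1A1A, 4865, 4866, 49195], [0xFAFA, 0, 23, 65281], [0x2A2A, 29, 23], [0])
    print(fp, ja3_hash(fp))
    for ja3, info in analyze_ja3(SAMPLE_LOG, TI_LOOKUP).items():
        print(ja3, info)
```

The rarity threshold is the tunable part: in a large fleet a JA3 shared by two hosts is still unusual, but the same filter on a small network would flag every legitimate one-off tool, which is why the enrichment columns (destinations, SNI presence, TI label) matter more than the count itself.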
This article discusses the growing importance, proliferation, and security challenges of Application Programming Interfaces (APIs) in the context of AI advancements and cyber threats. It highlights how the rapid increase in APIs, especially with autonomous AI systems, expands the attack surface, making effective security measures more critical than ever. #SesameOp #OpenAIAPI…
Two critical vulnerabilities in the open-source AI framework Chainlit pose significant security risks, including data leaks and full system takeovers. Organizations using Chainlit should update to the patched version 2.9.4 to mitigate these threats. #Chainlit #CVE-2026-22218 #CVE-2026-22219 #AIFrameworkSecurity…
A new malware family called PDFSider is being used in targeted attacks, including by multiple ransomware groups, to deploy advanced backdoors and evade detection. The malware leverages legitimate applications and sophisticated techniques like DLL sideloading and environmental checks to carry out cyberespionage and remote code execution. #PDFSider #MustangPanda #DLLSideloading #Cyberespionage…
Two critical vulnerabilities in the open-source chatbot framework Chainlit could allow attackers to access sensitive data, including API keys and internal files. These flaws impact versions prior to 2.9.4 and pose risks of data leaks, privilege escalation, and lateral movement within cloud environments. #CVE-2026-22218 #CVE-2026-22219 #Chainlit #CloudSecurity…
Operation Poseidon is a spear-phishing campaign attributed to the Konni APT that abused legitimate advertising redirection (ad.doubleclick[.]net, mkt.naver[.]com) and compromised WordPress sites to distribute EndRAT via LNK files and AutoIt scripts disguised as PDFs. The campaign reused C2 infrastructure (e.g., jlrandsons.co[.]uk), multiple IPs and file hashes, and underscores the need for behavior-based EDR detection and multi-stage redirection analysis. #EndRAT #Konni
A new malware strain called PDFSider is being used by ransomware threat actors to gain long-term access to a Fortune 100 finance company’s Windows systems. The malware employs sophisticated techniques like DLL side-loading and encrypted communication, highlighting advanced cyberattack capabilities. #PDFSider #QilinRansomware
Seqrite Labs uncovered “Operation Covert Access,” a targeted spear-phishing campaign that abuses authentic Argentine federal court documents to deliver a multi-stage Rust-based Remote Access Trojan (CovertRAT) via a weaponized LNK, BAT loader, and a GitHub-hosted second-stage binary. The implant demonstrates extensive anti-VM/anti-debug checks, IPv4/IPv6 C2 fallback (default 181.231.253.69:4444), and a modular command set for persistence, data theft, file transfer, encryption, and privilege escalation. #CovertRATCiR #ArgentinaJudicialSector
Cybersecurity Threat Research ‘Weekly’ Recap. The report highlights a surge in encryptionless extortion and the rise of RaaS groups such as Qilin, Akira, and LockBit 5.0, tracks December 2025 ransomware activity, surveys infostealers, phishing campaigns, RATs and loaders, and web skimming, notes notable vulnerabilities such as MongoBleed (CVE-2025-14847), CVE-2020-8554 and CVE-2017-11882, and points to defense tools such as Landlock telemetry and AuraInspector along with AI/LLM attack-surface insights and Validin’s research. #Qilin #Akira #LockBit5_0 #Sicarii #CrazyHunter #Medusa #Remcos #AsyncRAT #CastleLoader #VoidLink #KONGTUKE #LOTUSLITE #AshTag #AshenLepus #RustDesk #Winos4_0 #RedVDS #Magecart #SilentPush #MongoBleed #CVE2025_14847 #CVE2020_8554 #CVE2017_11882 #SolyxImmortal #ACRStealer #LummaC2 #Stealc #MonetaStealer #MEXCApiAutomator #MustangPanda
A Jordanian national pleaded guilty to selling network access and malware that disables endpoint detection tools, affecting numerous companies and linked to a ransomware attack. The case highlights the role of initial access brokers and the ongoing threat posed by the actor behind the “r1z” cybercrime forum account. #CVE-2022-26134 #CobaltStrike…
Sysdig TRT’s analysis of VoidLink describes a Chinese-developed, Zig-built Linux malware framework that uses a three-stage fileless loader, server-side rootkit compilation (SRC) to produce kernel modules per target, and multiple stealth/control channels including prctl, eBPF, and an ICMP covert channel. Despite advanced adaptive evasion, VoidLink’s memfd_create/execveat fileless execution, eBPF and kernel-module activity, and other runtime behaviors are detectable with tools like Falco and Sysdig Secure. #VoidLink #Sysdig
Mamba Phishing-as-a-Service Kit: How Modern Adversary-in-the-Middle (AiTM) Attacks Operate – CYFIRMA
CYFIRMA assesses Mamba 2FA is a scalable adversary-in-the-middle phishing framework that automates realistic Microsoft authentication flows to capture credentials, bypass MFA, and relay sessions with minimal user interaction. The report highlights encoded URL parameters, Microsoft-style password prompts, client-side password capture, rapid redirection to legitimate sites, and recommends hardened identity controls such as FIDO2/WebAuthn and continuous monitoring to mitigate risk. #Mamba2FA #Microsoft365
VoidLink is an advanced, modular Linux command-and-control framework designed for long-term stealthy access in cloud and container environments, featuring a Zig-written core, a web-based C2 dashboard, and a BOF-like plugin API. It includes 30+ plugins (credential harvesting, container escape, persistence), multiple rootkit techniques (LD_PRELOAD, LKM, eBPF), adaptive OPSEC, and multi-protocol C2 capabilities. #VoidLink #Kubernetes
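Both VoidLink items above note that memfd_create/execveat fileless execution is a detectable runtime behaviour. As an added example (not Sysdig's, Falco's, or VoidLink's code), the following correlates two signals in a stream of constructed auditd SYSCALL records: a process that calls memfd_create and then execveat, and any process whose `exe` resolves to a `/memfd:` path. The syscall numbers assume x86_64 (memfd_create = 319, execveat = 322), the sample lines are constructed, and `detect_fileless_exec` is an illustrative function rather than a tool's API.

```python
import re

# x86_64 syscall numbers (assumed architecture; other arches use different numbers).
MEMFD_CREATE = 319
EXECVEAT = 322

# auditd records are space-separated key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line: str) -> dict:
    """Parse one auditd record into a dict of field -> unquoted value."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_fileless_exec(lines):
    """Return (pid, comm, reason) alerts for fileless-execution patterns.

    Two heuristics:
      1. memfd_create followed by execveat from the same pid (fd-backed exec of an anonymous file).
      2. Any SYSCALL record whose exe is already a /memfd: path, i.e. the process is running
         from an anonymous file (the kernel reports it as '/memfd:<name> (deleted)').
    """
    memfd_pids = set()
    alerts = []
    for line in lines:
        rec = parse_audit(line)
        if rec.get("type") != "SYSCALL":
            continue
        pid = rec.get("pid")
        exe = rec.get("exe", "")
        try:
            syscall = int(rec.get("syscall", -1))
        except ValueError:
            continue
        if exe.startswith("/memfd:"):
            alerts.append((pid, rec.get("comm"), "process image is an anonymous memfd file"))
            continue
        if syscall == MEMFD_CREATE and rec.get("success") == "yes":
            memfd_pids.add(pid)
        elif syscall == EXECVEAT and pid in memfd_pids:
            alerts.append((pid, rec.get("comm"), "execveat after memfd_create in the same process"))
            memfd_pids.discard(pid)
    return alerts


# Constructed auditd lines; field order follows the real record layout but the values are invented.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=319 success=yes exit=3 '
    'a0=7f1a00 a1=1 pid=4242 ppid=1 comm="python3" exe="/usr/bin/python3"',
    'type=SYSCALL msg=audit(1700000000.102:12): arch=c000003e syscall=1 success=yes exit=8192 '
    'a0=3 pid=4242 ppid=1 comm="python3" exe="/usr/bin/python3"',
    'type=SYSCALL msg=audit(1700000000.103:13): arch=c000003e syscall=322 success=yes exit=0 '
    'a0=3 a1=7f1b00 a4=1000 pid=4242 ppid=1 comm="python3" exe="/usr/bin/python3"',
    # Legitimate execveat without a preceding memfd_create: must not alert.
    'type=SYSCALL msg=audit(1700000000.104:14): arch=c000003e syscall=322 success=yes exit=0 '
    'a0=ffffff9c pid=5000 ppid=1 comm="env" exe="/usr/bin/env"',
    # A process already running from an anonymous file: caught by the exe heuristic.
    'type=SYSCALL msg=audit(1700000000.105:15): arch=c000003e syscall=41 success=yes exit=4 '
    'pid=4243 ppid=4242 comm="payload" exe="/memfd:payload (deleted)"',
    'type=PATH msg=audit(1700000000.105:15): item=0 name="/tmp/x" inode=1 pid=4243',
]

if __name__ == "__main__":
    for alert in detect_fileless_exec(SAMPLE_AUDIT):
        print(alert)
```

The `a4=1000` on the execveat record is AT_EMPTY_PATH, the flag that lets a caller exec a file descriptor with an empty pathname; a rule that requires it would reduce noise further, but the pid correlation alone already separates the fileless case from ordinary execveat use such as the `env` record.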
FortiGuard Labs analyzed a phishing campaign that delivers a fileless variant of the Remcos RAT via a malicious Word document that downloads a crafted RTF exploiting CVE-2017-11882 to execute shellcode and launch VBScript and PowerShell loaders. The attack results in in-memory loading of a .NET module and process hollowing to deploy Remcos (version 7.0.4 Pro), with persistence via a scheduled task and C2 communications to 216.9.224.26:51010. #Remcos #CVE_2017_11882