![Threat Research | Weekly Recap [22 Feb 2026]](https://www.hendryadrian.com/tweet/image/WeeklyRecap.png "Threat Research | Weekly Recap [22 Feb 2026]")
Cybersecurity Threat Research ‘Weekly’ Recap: This overview highlights infostealers, RATs, supply-chain and CI/AI toolchain compromises, vulnerabilities, ransomware activity, and phishing campaigns, featuring notable actors and families such as CharlieKirk, XWorm, SANDWORM_MODE, QakBot, and Lynx. It also emphasizes trends like AI-driven C2 abuse, adaptive phishing via Telegram, firmware and mobile backdoors, and notable incidents involving Dell RecoverPoint, Ivanti EPMM, BeyondTrust, and SolarWinds WHD. #CharlieKirk #ArkanixStealer #MIMICRAT #ClickFix #LunarApplication #XWorm #TrustConnect #DocConnect #Foxveil #GrayCharlie #AtlassianJira #SANDWORM_MODE #Notepad++ #LotusBlossom #Chrysalis #UNC6201 #DellRecoverPoint #BeyondTrust #IvantiEPMM #SolarWindsWHD #IngressNGINX #QakBot #SinobiRansomware #LynxRansomware #Keenadu #Velociraptor #Cloudflared #DaisyCloud #Redline
Tag: MACOS
Socket’s Threat Research Team discovered a Shai-Hulud-like supply chain worm campaign tracked as SANDWORM_MODE that spread through at least 19 typosquatting npm packages and a malicious GitHub Action, harvesting developer and CI secrets, exfiltrating via HTTPS/GitHub API/DNS, and persisting via git hooks and MCP server injection targeting AI coding assistants. npm, GitHub, and Cloudflare removed related infrastructure, but defenders must treat the identified packages and injected workflows as active compromise risks and rotate/revoke affected tokens, audit global git templates, and inspect AI assistant configs for rogue MCP servers. #SANDWORM_MODE #suport-color
AhnLab’s January 2026 report summarizes automated collection and analysis of Infostealer samples distributed via SEO-poisoned crack/keygen pages, forum and corporate site posts, and highlights differences in Windows and macOS distribution and obfuscation techniques. Notable findings include ACRStealer’s shift to ECDH + ChaCha20-Poly1305 for C2 encryption and rapid macOS sample churn with…
Security researchers uncovered a mass-distributed macOS loader delivered via cracked music plugin DMGs that deploys multistage payloads including Odyssey and MacSyncStealer and an additional Mach-O loader. The campaign leverages social engineering (including ClickFix-style browser prompts), obfuscated shell scripts, and PPI/affiliate tracking to retrieve and execute secondary payloads from domains such as mac[.]fleebottom-33[.]xyz and robincompany[.]xyz. #MacSyncStealer #Odyssey
![Cybersecurity News | Daily Recap [16 Feb 2026]](https://www.hendryadrian.com/tweet/image/DailyRecap.png "Cybersecurity News | Daily Recap [16 Feb 2026]")
Daily Recap, researchers report a live ClawdBot infection that exfiltrates OpenClaw configurations (including private keys) enabling AI‑agent impersonation, while CTM360 warns of a global campaign distributing Lumma Stealer and a trojanized Ninja Browser via Google Groups and weaponized ad fraud. Patch alerts follow, with BeyondTrust CVE-2026-1731 requiring patching within 3 days, Google Chrome’s high‑severity zero‑day CVE-2026-2441 being fixed across platforms, Windows 11 boot issues addressed by KB5077181, Lotus Blossom hijacking Notepad++ updates to deploy Chrysalis and Cobalt Strike in high‑value targets, and VoidLink campaigns affecting technology and financial sectors alongside ShinyHunters’ Canada Goose data leak. #ClawdBot #OpenClaw #LummaStealer #NinjaBrowser #ModeloRAT #NotepadPlusPlus #Chrysalis #CobaltStrike #LotusBlossom #VoidLink #ShinyHunters #CanadaGoose #BeyondTrust #ChromeZeroDay
An actively exploited use-after-free flaw in Google Chrome’s CSS engine, tracked as CVE-2026-2441, enables remote code execution and prompted an out-of-band emergency update. Users should update Chrome Stable on Windows, macOS, and Linux to versions 145.0.7632.75/76 or 144.0.7559.75 (or extended 144.0.7559.177) immediately to mitigate the risk #CVE-2026-2441 #GoogleChrome…
Google released emergency updates to fix a high-severity Chrome zero-day, CVE-2026-2441, that has been exploited in the wild. The vulnerability is a use-after-free caused by an iterator invalidation in CSSFontFeatureValuesMap, and Google backported fixes to Stable Desktop releases for Windows, macOS, and Linux while noting further related work remains. #CVE-2026-2441 #Chrome
Microsoft disclosed a new ClickFix variant that tricks users into running nslookup via the Windows Run dialog and cmd.exe to perform DNS-based staging and fetch a second-stage payload. The chain downloads a ZIP from azwsappdev[.]com that leads to a Python script, VBScript and ModeloRAT persistence, while related campaigns use CastleLoader, Lumma…
Daily Recap, fake recruiters distribute a modular RAT named Graphalgo attributed to Lazarus (North Korea) that enables MetaMask theft, token-protected C2, remote command execution and data exfiltration across 192 packages. MacSync is promoted via ClickFix campaigns that abuse Claude artifacts and Google Ads to coax macOS users into pasting shell commands that install the MacSync infostealer, with multiple variants sharing C2 infrastructure, while Louis Vuitton, Christian Dior Couture, and Tiffany were fined $25 million for breaches tied to ShinyHunters exploiting Salesforce SaaS access. #Graphalgo #ShinyHunters
OpenClaw is an agentic AI platform that runs locally with deep system access and an extensible third‑party “skill” ecosystem, enabling file management, workflow automation, and direct shell command execution. Security researchers have identified widespread malicious skills (notably the ClawHavoc campaign) and critical vulnerabilities such as CVE-2026-25253 that enable credential theft, data exfiltration, and remote code execution, prompting mitigations like VirusTotal scanning, Clawdex detection, and blocking via Iru. #OpenClaw #ClawHavoc
North Korean threat actor UNC1069 used AI-generated deepfakes and sophisticated custom malware to target a FinTech company in the cryptocurrency sector. Mandiant’s investigation revealed a Telegram account hijack, a spoofed Calendly/Zoom call that lured the victim into a ClickFix routine, and deployment of seven malware families including SILENCELIFT, DEEPBREATH, and CHROMEPUSH….
Apple released security updates to patch a zero-day arbitrary code execution vulnerability in dyld tracked as CVE-2026-20700 that was exploited in an “extremely sophisticated” targeted attack against specific individuals. The flaw, discovered by Google’s Threat Analysis Group, affects iPhone, iPad, Mac, tvOS, watchOS, and visionOS devices and was fixed in iOS…
Datadog observed an active campaign using fake GitHub repositories and ClickFix landing pages to social-engineer victims into pasting commands that install macOS infostealers and (in some builds) Windows components. The actor iterates on MacSync and a persistent SHub Stealer v2.0—adding credential validation, broad file and wallet collection, dynamic anti-analysis, and a LaunchAgent-based beacon for remote command execution. #SHub #MacSync
GTIG observed widespread misuse of generative AI in late 2025, including an uptick in model extraction (“distillation”) attempts and AI-augmented operations such as reconnaissance, hyper-personalized phishing, and AI-assisted malware development. Notable examples include the HONESTCUE downloader that called Gemini’s API to generate stage-two code and the COINBAIT phishing kit built with AI-assisted code generation and hosted on legitimate services (#HONESTCUE #COINBAIT)
Threat actors are abusing public Claude artifacts and malicious Google Ads in ClickFix campaigns to trick macOS users into pasting shell commands that install the MacSync infostealer. Researchers from Moonlock Lab and AdGuard observed multiple variants and thousands of views, with the same C2 infrastructure linking the activity to a single actor. #MacSync #Claude