BlueNoroff’s SnatchCrypto operation runs two linked campaigns — GhostCall and GhostHire — that use sophisticated social engineering (fake Zoom/Teams calls and fake recruiter assessments) to deliver multi-stage malware chains targeting Web3/blockchain executives and developers. The actor reuses recordings of real victims, leverages Telegram and GitHub for delivery, and deploys modular implants like DownTroy, ZoomClutch/TeamsClutch, CosmicDoor, RooTroy, SneakMain, and SysPhon while employing AI to refine lures and tooling. #BlueNoroff #DownTroy
Tag: MACOS
Cybersecurity Threat Research ‘Weekly’ Recap. This week highlights a breadth of activity across ransomware, cloud and identity abuse, infostealers, APTs, phishing, and infrastructure abuse, with notable trends in cross‑platform extortion, OAuth persistence, ESP‑style backdoors, and supply‑chain abuse. The report also covers defensive tooling advancements, geopolitical cyber campaigns, and sector‑focused incident trends, including insights on detection challenges and emerging attacker techniques.
AzureHound is an open-source data collection tool used to enumerate Microsoft Entra ID and Azure resources via Microsoft Graph and Azure REST APIs, and while intended for defensive testing, threat actors have misused it for cloud discovery and privilege escalation mapping. Recent activity links its misuse to actors such as Curious…
Global Group is a Ransomware-as-a-Service (RaaS) operation that surfaced in June 2025, offering cross-platform Go-based payloads, affiliate-friendly features (including AI-assisted extortion), and reuse of code and infrastructure linked to Mamona and BlackLock. AttackIQ published an emulation/attack graph to help organizations validate detection and prevention controls against Global Group behaviors. #GlobalGroup #Mamona…
RedTiger is an open-source, Python-based infostealer (released 2024) that targets gamers by stealing Discord tokens and account data, browser-stored credentials and payment info, game accounts (e.g., Roblox), cryptocurrency wallets, screenshots, and webcam images. Stolen data is archived, uploaded to GoFile, and the download link is sent to attackers via Discord webhook; samples are PyInstaller binaries with some targeting French-speaking users. #RedTiger #GoFile
Cybercriminals continue to exploit weak points such as misconfigurations, stale components, and trusted systems like OAuth to gain unauthorized access. Recent threats include sophisticated malware like Lumma Stealer and Vidar Stealer 2.0, as well as large-scale scams leveraging fake ads and open-source supply chain attacks. #LummaStealer #VidarStealer #OAuth #SupplyChainRisks…
OpenAI’s Atlas and Perplexity’s Comet browsers are vulnerable to AI Sidebar Spoofing attacks that could lead users to malicious websites or actions. Researchers demonstrated that attackers could inject fake sidebars to deceive users and manipulate their online activities with serious security implications. #AISidebarSpoofing #SquareX #CometBrowser #OpenAIBrowserAtlas #CredentialTheft
A coordinated campaign is impersonating developer tools and trusted services to trick macOS users into pasting base64-encoded curl commands that fetch and execute installer scripts delivering Odyssey Stealer and AMOS. Operators reuse infrastructure, SSL certificates, and domains (e.g., 93.152.230[.]79, 195.82.147[.]38, bonoud.com) to maintain persistence and scale across at least 85 phishing sites. #OdysseyStealer #AMOS #93.152.230.79 #195.82.147.38
The Lumma Stealer information stealer’s activity has significantly declined following a doxxing campaign that exposed key members’ personal and operational details. This hit to their infrastructure led to a shift in cybercriminal focus towards alternative infostealers like Vidar and StealC. #LummaStealer #WaterKurita…
A critical vulnerability in Dolby’s Unified Decoder allows for remote code execution through malicious audio messages, affecting Android, macOS, and iOS devices. Multiple security patches have been issued by Dolby, Google, and Microsoft to address this flaw. #DolbyUnifiedDecoder #CVE-2025-54957…
A recent report highlights OtterCandy, a sophisticated malware family associated with North Korean-linked group WaterPlum, targeting multiple platforms. The malware’s latest version enhances its data theft, persistence, and anti-forensic capabilities, marking a significant evolution in their intrusion tactics. #WaterPlum #OtterCandy #FamousChollima…
WaterPlum Cluster B (BlockNovas) has been observed distributing a new Node.js RAT/infostealer named OtterCandy across Windows, macOS, and Linux to steal browser credentials, crypto wallets, and files via Socket.IO-connected C2 servers. An August 2025 update (v2) added client_id for improved victim identification, expanded browser-extension theft targets, full Chromium data exfiltration, and…
Cybercriminals are leveraging TikTok videos disguised as legitimate activation guides to spread the Aura Stealer malware and steal sensitive information. This campaign uses social engineering and PowerShell commands to infect computers and compromise user credentials. #AuraStealer #PowerShell #TikTokMalware
A new cyber campaign targets macOS developers with fake platforms like Homebrew, LogMeIn, and TradingView, delivering infostealing malware such as AMOS and Odyssey. The attackers use convincing fake sites and Terminal commands to trick users into installing malicious payloads. #AMOS #OdysseyStealer
Since late 2023, UNC5142 has used compromised WordPress sites and a multistage JavaScript downloader called CLEARSHORT that leverages BNB Smart Chain smart contracts (EtherHiding) to deliver infostealers such as VIDAR, LUMMAC.V2, RADTHIEF, and ATOMIC. The actor evolved from single-contract Base64 delivery to a three-level AES-encrypted smart contract architecture, abused Cloudflare Pages for lures, and paused observable activity after July 23, 2025. #UNC5142 #CLEARSHORT #EtherHiding #VIDAR #RADTHIEF #LUMMAC.V2 #ATOMIC