Cybersecurity Threat Research ‘Weekly’ Recap. A wide range of threats were observed, including information-stealers, supply-chain abuses, botnets, ransomware, state-aligned APTs, web/infrastructure compromises, and offensive tooling, with notable activity across Europe, Asia, and online ecosystems. The report emphasizes defensive controls, incident response best practices, and AI/LLM security risks such as MCP backdoors and AI-obfuscated phishing campaigns.
Tag: MACOS
Bitdefender researchers tracked a global malvertising campaign that impersonated TradingView across Facebook, YouTube, and Google Ads to deliver a large multi-stage downloader and stealer (detected as Variant.DenoSnoop.Marte.1 and Trojan.Agent.GOSL) that hijacks accounts, steals credentials and crypto data, and persists via scheduled tasks and Defender exclusions. The campaign used hijacked Google advertiser…
Daily Recap, Urgent patches and an emergency directive address multiple critical Cisco ASA/FTD flaws exploited by state-linked campaigns like ArcaneDoor and UAT4356 to deploy malware such as RayInitiator and LINE VIPER, while other zero-days in GoAnywhere MFT and widespread ransomware incidents underscore evolving threat activity across sectors. The roundup also highlights advanced espionage, AI/cloud risks, supply chain abuse, and notable law enforcement actions affecting organizations worldwide. #ArcaneDoor #RayInitiator #LINEVIPER #GoAnywhereMFT #Qilin #Akira #BRICKSTORM #RedNovember #COLDRIVER #DeceptiveDevelopment #ForcedLeak #VaneViper #XCSSET #InterpolAfrica #AmazonSettlement
Microsoft Threat Intelligence identified a new XCSSET variant that adds Firefox data exfiltration, clipboard hijacking with wallet-address substitution, run-only compiled AppleScript execution, and LaunchDaemon persistence while continuing to spread via infected Xcode projects. Microsoft shared findings with Apple and GitHub, provided detections and hunting queries, and recommended mitigations including inspecting Xcode projects and using Microsoft Defender protections. #XCSSET #HackBrowserData
Microsoft reports a new XCSSET malware variant targeting macOS, adding features like enhanced browser data theft, clipboard hijacking, and persistence. The malware primarily infects Xcode projects used by developers, enabling it to steal sensitive information and cryptocurrency data, with limited attacks observed so far. #XCSSET #macOS #malware #Xcode #cryptostealer
DeceptiveDevelopment is a North Korea-aligned group using sophisticated social engineering (fake recruiter profiles and the ClickFix technique) to deliver multiplatform malware like BeaverTail, InvisibleFerret, WeaselStore, TsunamiKit, Tropidoor, and AkdoorTea targeting developers and crypto-related projects. Research links their operations to North Korean IT worker fraud campaigns (WageMole), showing shared tools, stolen identities, and operational overlap between malware-driven campaigns and employment-fraud schemes. #DeceptiveDevelopment #TsunamiKit
This report details a North Korea-linked campaign called Contagious Interview, which uses multi-platform malware and social engineering tactics to target cryptocurrency developers globally. The campaign involves fake job offers and malicious programming exercises to deliver malware like BeaverTail, WeaselStore, Tropidoor, and AkdoorTea, linked to Lazarus Group tools. #ContagiousInterview #LazarusGroup…
SolarWinds has released a critical hotfix for its Web Help Desk software to address a severe remote code execution vulnerability (CVE-2025-26399). Organizations using WHD 12.8.7 are advised to update promptly to mitigate the risk of unauthenticated attacks. #CVE202526399 #SolarWindsWHD…
A ransomware attack on Swedish IT company Miljödata led to the theft of personal data affecting around 25 private companies and 200 Swedish municipalities. Volvo Group North America is now notifying employees about the breach involving their personal and Social Security information. #DataCarry #Miljödata #VolvoGroup #Ransomware #DataBreach…
Shai-Hulud is a self-propagating npm worm that steals secrets, hijacks GitHub accounts and repositories, and backdoors popular packages by injecting a large malicious bundle.js and postinstall commands to publish infected package versions. Over 500 packages were infected, including widely used libraries such as @ctrl/tinycolor and multiple @crowdstrike packages, resulting in exposed private repos, stolen credentials, and automated propagation across the dependency chain. #Shai-Hulud #ctrl/tinycolor #CrowdStrike
Daily Recap covering Phishing & Scams, Ransomware & Major Incidents, Data Breaches & Disruptions, Vulnerabilities & Patch Urgency, APTs & Espionage, DDoS & Telecom Threats, Supply Chain & Registry Security, Law, Enforcement & Regulation, and Threat Trends & Tools. It highlights a wave of credential-stealing schemes targeting PyPI, GitHub, NPM, and LastPass, alongside ransomware campaigns impacting Jaguar Land Rover and UK firms, notable data breaches at Boyd Gaming, Circle K Hong Kong, and Lotte Card, plus critical vulnerabilities in GeoServer, SolarWinds Web Help Desk, and BMC firmware. The report also notes sophisticated espionage activities, record-setting DDoS, law firm-focused cyber threats, and ongoing security improvements like GitHub tightening npm ecosystem safeguards and WhatsApp's translation feature for secure cross-language communication. #AtomicStealer #JLRShutdown #GeoServer #Brickstorm #NimbusManticore #CyberFraud #EuroFraud
Two malicious Rust crates, faster_log and async_println, impersonated the legitimate fast_log logger and contained code that scanned Rust source files for Solana and Ethereum private keys, exfiltrating matches via HTTP POST to a hardcoded Cloudflare Workers C2 endpoint. The crates were published May 25, 2025, downloaded 8,424 times combined, and were removed and publisher accounts locked after Socket reported them to crates.io. #faster_log #async_println #fast_log #rustguruman #dumbnbased #mainnet.solana-rpc-pool.workers.dev
North Korean operators used ClickFix lures on a fake hiring site to distribute compiled BeaverTail and InvisibleFerret payloads beginning in May 2025, shifting targeting toward marketing and trading roles and delivering binaries bundled with pkg and PyInstaller. The campaign used infrastructure including businesshire[.]top, nvidiasdk.fly[.]dev, and C2 172.86.93.139 and shows testing artifacts and low-scale deployment to date. #BeaverTail #InvisibleFerret
SolarWinds releases a hotfix to fix a critical remote code execution vulnerability in Web Help Desk, marking their third attempt to patch the issue. The vulnerability, CVE-2025-26399, is part of a series of deserialization flaws exploiting Java vulnerabilities. #CVE-2025-26399 #WebHelpDesk #SolarWinds…
Cybercriminals are using search engine ads to impersonate popular online services and lure users into installing macOS credential stealers like Atomic Stealer. LastPass and other brands are targeted, with malicious ads leading to fake GitHub sites to distribute malware. #LastPass #AtomicStealer #CredentialTheft…