Russian authorities have blocked access to Apple’s FaceTime and Snapchat, citing their use in coordinating terrorist activities and criminal recruitment. Additionally, Russia has banned other platforms like Roblox, WhatsApp, Viber, Signal, Discord, and WeChat for various reasons, including extremism and misinformation. #Roskomnadzor #FaceTime #Snapchat #Roblox #WhatsApp #Viber #Signal #Discord #WeChat
Tag: MACOS
Push researchers report that PhaaS kits dominate phishing sites targeting their customers, with Sneaky2FA emerging as a notable threat that now incorporates Browser-in-the-Browser (BITB) techniques to harvest Microsoft credentials and sessions. The campaigns rely on bot protection (Cloudflare Turnstile), conditional loading, heavy obfuscation, domain rotation, and embedded reverse-proxy/BITB windows to evade…
An internal artifact-scanning pipeline built around THOR Thunderstorm discovered a malicious VS Code extension “Icon Theme: Material” (publisher IconKiefApp) that contained two Rust implants (Mach-O and PE) hidden inside the 5.29.1 release. The team reported the extension to Microsoft, published a follow-up technical analysis describing Windows/macOS behavior and Solana- and Google…
The ClickFix attack is a highly deceptive social engineering campaign that tricks users into downloading fake software and executing malicious commands, which can lead to full system compromise. Recent studies show a dramatic increase in its use, with sophisticated cloning and command-line tactics employed by state-backed hacking groups to target various platforms…
Shai-Hulud V2 is an advanced supply chain campaign that abused the npm ecosystem to compromise over 700 packages, create 27,000+ malicious GitHub repositories, and expose roughly 14,000 secrets across hundreds of organizations. It leverages preinstall execution, Bun-based payloads, self-hosted GitHub Actions runners, cross-victim credential recycling, and a destructive dead man’s switch to maximize persistence, propagation, and data exfiltration. #ShaiHulud #npm
The GlassWorm supply chain campaign has re-emerged, targeting Microsoft Visual Studio Marketplace and Open VSX with 24 malicious extensions impersonating popular developer tools. The attackers use stolen credentials and Rust-based implants to spread malware, compromise repositories, and drain cryptocurrency assets. #GlassWorm #Solana #VisualStudioMarketplace #OpenVSX…
Jamf Threat Labs analyzed a multi-stage FlexibleFerret campaign that uses fake recruitment websites and staged hiring assessments to socially engineer macOS users into running Terminal commands that download and execute a shell loader and Go backdoor. The attack establishes persistence via a LaunchAgent, displays a decoy MediaPatcher.app to capture Chrome credentials and keychain data, and exfiltrates harvested data using the Dropbox upload API as part of the Contagious Interview operation. #FlexibleFerret #ContagiousInterview
North Korean threat actors are actively expanding their malicious operations within the npm ecosystem to distribute OtterCookie malware, targeting developers in the crypto and Web3 sectors. The campaign employs fake job offers, typosquatted packages, and a sophisticated infrastructure involving GitHub, Vercel, and C2 servers. #OtterCookie #ContagiousInterview…
Cybersecurity Threat Research ‘Weekly’ Recap: The report highlights a broad wave of risk from supply-chain and developer-ecosystem abuse—including npm worm campaigns like Shai-Hulud 2.0, OtterCookie, and PyPI domain-takeover vectors—alongside ongoing nation-state operations from Lazarus, Kimsuky, Gamaredon, Tomiris, and related actors. It also covers infostealers, loaders, vulnerabilities (CVE-2025-61882, CVE-2025-64446), breaches, and e-commerce fraud, with defensive guidance on threat intelligence integration, automated security validation, phishing simulations, and AI risk mitigation.
#ShaiHulud #OtterCookie #Kimsuky #Lazarus #Gamaredon #Tomiris #WaterGamayun #BerserkBear #ShinySp1d3r #Gainsight
North Korean threat actors are conducting a persistent campaign targeting blockchain and Web3 developers by deploying malware through fake coding tests and job interviews. This sophisticated operation involves nearly 200 malicious npm packages, a complex multi-layered infrastructure, and an evolving approach to bypass security measures. #NorthKorea #npmMalware…
BlueNorroff targeted tech executives, venture capitalists, and Web3 developers with two interrelated campaigns—GhostCall (macOS-focused via malicious Zoom updates) and GhostHire (GitHub-based malware disguised as recruitment tests)—that exfiltrated wallets, keychains, API keys, notes, and other sensitive data. Analysis of 39 IoC domains, related IPs, and WHOIS/DNS history revealed bulk registrations, typosquatting clusters, and hundreds of infected client IPs and historical resolutions tied to malicious infrastructure. #BlueNorroff #GhostCall
North Korean threat actors are actively distributing malicious npm packages to deliver a variant of OtterCookie malware, targeting users through fake job interview platforms. This campaign demonstrates advanced evasion techniques and extensive use of JavaScript and crypto-focused workflows. #NorthKorea #OtterCookie…
Recent cybersecurity reports highlight legal actions against suspects involved in major attacks, vulnerabilities in popular browsers, and leaks revealing threat group operations. Key incidents include the TfL cyberattack, HashJack prompt injection, Charming Kitten leak, and ShadowV2 botnet activity. #ScatteredSpider #HashJack #CharmingKitten #ShadowV2…
Shai-hulud 2.0 is a sophisticated npm-distributed malware that steals credentials and secrets from AWS, GCP, Azure, GitHub, and npm, then uses those credentials to create attacker-controlled GitHub repositories, GitHub Actions runners/workflows, and to republish backdoored npm packages. The campaign automates worm‑like supply‑chain propagation by injecting malicious preinstall hooks (setup_bun.js → bun_environment.js)…
North Korean state-sponsored operators running the Contagious Interview campaign have injected at least 197 malicious npm packages that act as loaders to fetch OtterCookie payloads from a Vercel staging endpoint and a threat actor-controlled GitHub account. The campaign uses typosquatted utilities and polished crypto lures to deliver a multi-platform infostealer/RAT that targets developer systems and crypto wallets. #OtterCookie #ContagiousInterview