TrafficStealer uses Docker containers to generate revenue by proxying users' traffic and manipulating ad engagement, turning honeypots into monetization machines. Attackers leverage public container images and automation via YAML to scale the operation, while …
Tag: MACOS
Researchers observed in-the-wild exploitation of zero-day vulnerabilities in PaperCut MF/NG that allow unauthenticated remote code execution via an authentication bypass. The campaign uses post-exploitation payloads (including Atera and Syncro RMM installers) …
ESET researchers link Lazarus to the 3CX supply-chain attack, detailing Operation DreamJob's Linux payload OdicLoader delivering the SimplexTea backdoor via OpenDrive. The findings reinforce Lazarus's cross-OS toolkit (Windows, macOS, Linux) and its engagement…
Security researchers analyzed a 3CX supply-chain attack and found that manipulated MSI installers of 3CXDesktopApp deliver a malicious DLL which decrypts and executes shellcode, dropping a backdoor named Gopuram along with an infostealer. Attribution points to…
Symantec tracks a new loader called Verblecon (Trojan.Verblecon) used in low-reward attacks to install cryptocurrency miners and potentially steal Discord access tokens, with greater danger if leveraged in ransomware or espionage. First spotted in January 2022…
Volexity analyzed a supply-chain compromise of the 3CX Desktop App in which a malicious ffmpeg library inserted into signed installers decoded encrypted blobs, fetched staged payloads, and reflectively loaded a 64-bit information-stealer dubbed ICONIC/ICONICST…
SentinelOne details a multi-stage supply-chain campaign that trojanizes the 3CXDesktopApp, loading shellcode and pulling ICO data from GitHub to deliver a 3rd-stage infostealer DLL. The operation also extends to macOS with separate stages (libffmpeg.dylib and …
MacOS threat actors are increasingly focusing on data theft rather than ransom, exfiltrating session cookies, keychains, SSH keys, and other sensitive data to monetize or enable espionage. The article outlines where these data assets reside, how attackers acce…
MacStealer is a macOS stealer distributed via DMG that is controlled over Telegram, marking a new platform for stealer operations. It exfiltrates browser credentials, Keychain data, and files, sending stolen data via HTTP POST to a C2 and to Telegram channels/…
Threat actors are increasingly using Go (Golang) to develop cross-platform information stealers, with Titan Stealer highlighted as a recent example. The article covers Titan Stealer's Go-based builder, its C2 infrastructure and dashboards, the data it collects…
Phylum reports an ongoing typosquatting campaign targeting Python and JavaScript developers on PyPI and NPM, delivering a ransomware payload when executed. The attacker publishes typosquatted packages (notably around the Python requests package) that fetch a l…
DeimosC2 is presented as an open-source post-exploitation C2 framework that attackers may consider alongside Cobalt Strike, with details on how it operates, how its traffic and binaries can be identified, and defensive recommendations. The report covers Deimos…
Two zero-day Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell), are being actively exploited in the wild, with over 1.6 million exploit attempts observed across 4 million protected websites. The activity shows GET-based probing agains…
Cisco Talos uncovers a new all-in-one offensive framework, Alchimist, with a GoLang-based C2 and a companion RAT called Insekt that targets Windows, Linux, and Mac, featuring a Chinese web UI and remote administration. The dropper/c2 stack includes MacOSX expl…
Operation In(ter)ception continues Lazarus' macOS malware activity, using decoy job postings for Coinbase and Crypto.com to lure victims and install a multi-stage payload. The campaign features persistence via a LaunchAgent, staged download components, and har…