NordVPN’s Black Friday 2025 deals offer up to 77% off long-term plans. The discounted plans include the same fast speeds, strong encryption, streaming support, and bundled security tools as full-price subscriptions. #NordVPN #WireGuard
Tag: MACOS
The second version of the Shai-Hulud worm is propagating through backdoored NPM packages, executing during npm preinstall to run bundled JavaScript (via node/bun), steal credentials, exfiltrate secrets to attacker-controlled GitHub repositories, install a self-hosted GitHub Actions runner for persistent backdoor access, and delete user files when no NPM token is found. The campaign has trojaned roughly 800 to 1,000 NPM packages and leaked credentials from over 25,000 GitHub repositories, with exfiltrated artifacts like cloud.json and actionsSecrets.json available in the created repositories. #Shai-Hulud #GitHub
Multiple cyber threat actors are actively exploiting commercial spyware to target messaging app users worldwide, using techniques like phishing, QR codes, zero-click exploits, and impersonation. These threats primarily aim at high-value individuals, including government officials and civil society organizations, emphasizing the need for enhanced mobile communication security. #Spyware #ZeroClickExploits…
Jamf Threat Labs analyzed a new macOS infostealer family named DigitStealer that uses unsigned disk images, multi-stage in-memory payloads, AppleScript/JXA, and hardware-based sysctl checks to target Apple Silicon M2+ systems and evade detection. The campaign modifies Ledger Live to redirect endpoints, exfiltrates credentials and files to attacker-controlled domains (notably goldenticketsshop[.]com), and…
Multiple popular npm scopes (including @zapier, @asyncapi, @postman, @posthog and @ensdomains) were compromised via account takeover and developer compromise to inject a stealthy two-stage loader (setup_bun.js, then bun_environment.js) that installs or locates the Bun runtime and runs an obfuscated 10MB payload in the background while suppressing all output. The malicious code harvests CI and cloud credentials (GITHUB_TOKEN, NPM_TOKEN, AWS keys), performs aggressive multi-region cloud secret enumeration, propagates by using stolen NPM tokens to republish packages, and includes destructive file-shredding if no valid tokens are found. #Sha1-Hulud #Bun
Google’s Threat Intelligence Group (GTIG) uncovered a sophisticated cyber-espionage campaign by APT24, primarily targeting organizations in Taiwan through the BADAUDIO downloader. The campaign spans over three years and involves complex delivery methods including web compromises, supply chain attacks, and spear-phishing, demonstrating high-level technical obfuscation and strategic planning. #APT24 #BADAUDIO…
Cybersecurity Threat Research ‘Weekly’ Recap highlights a broad spectrum of activity, from APT and state-backed espionage campaigns to email, banking malware, ransomware, phishing, and supply-chain abuse, along with updates on detection and defensive tooling. Key actors and families mentioned include APT35, APT24, ToddyCat, MuddyWater, UNC1549, Curly COMrades, Kimsuky, NotDoor, WaterSaci, Astaroth, Eternidade, Sarcoma, Lynx, Akira, The Gentlemen, Tycoon2FA, Tsundere, PlushDaemon, NKNShell, and TamperedChef, together with related C2 infrastructure and capability trends.
#APT35 #APT24 #ToddyCat #MuddyWater #UNC1549 #CurlyCOMrades #Kimsuky #NotDoor #WaterSaci #Astaroth #Eternidade #Sarcoma #Lynx #Akira #TheGentlemen #Tycoon2FA #Tsundere #PlushDaemon #NKNShell #TamperedChef
Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by PRC-nexus actor APT24 that deploys a highly obfuscated first-stage downloader called BADAUDIO to establish persistent access via strategic web compromises, supply-chain abuse of a Taiwanese digital marketing firm, and targeted phishing. The report analyzes BADAUDIO’s control-flow flattening, DLL sideloading, AES-encrypted payload delivery (including Cobalt Strike Beacon instances), advanced browser fingerprinting for tailored targeting, and shares IOCs and YARA rules to aid detection and mitigation. #APT24 #BADAUDIO
Morphisec discovered a sustained campaign that weaponizes Blender .blend files hosted on 3D asset sites to run embedded Python scripts which chain into PowerShell stages and download StealC V2 components. The operation uses decoy documents, Pyramid C2 with ChaCha20-encrypted payloads, and persistence via hidden LNK files, linking the campaign to previously observed Russian-speaking activity. #StealC #Blender
Google has enhanced its Quick Share to support cross-platform file sharing with Apple’s AirDrop, ensuring secure and efficient transfers between Android and iOS devices. The feature emphasizes strong security measures, including memory-safe programming and no server routing, while expanding its availability in future Android devices. #AirDrop #QuickShare…
This week’s cybersecurity roundup highlights a surge in scanning targeting Palo Alto Networks and a major data breach affecting WEL Companies. Key issues include hacking incidents, legal battles over spyware, and new cyberattack techniques like network implants and AI prompt injections. #PaloAltoNetworks #NSOGroup #WELCompanies…
A China-linked threat actor known as APT24 has been using sophisticated malware called BADAUDIO to maintain persistent access to compromised networks through a campaign spanning nearly three years. The campaign includes supply chain attacks, web compromises, and spear-phishing, primarily targeting organizations in Taiwan and Southeast Asia. #APT24 #BADAUDIO…
Google Threat Intelligence Group (GTIG) reports that PRC-nexus threat actor APT24 has run a three-year espionage campaign delivering a heavily obfuscated first-stage downloader named BADAUDIO, often using strategic web compromises, supply-chain compromise of a Taiwanese marketing firm, and targeted phishing to deploy AES-encrypted payloads such as Cobalt Strike Beacon. The report details BADAUDIO’s control-flow flattening, DLL sideloading execution chain, fingerprinting-based targeting, extensive infrastructure churn, and provides IOCs and YARA rules for detection. #BADAUDIO #APT24 #CobaltStrikeBeacon #twisinbeth.com
A new Android banking trojan called Sturnus targets secure messaging apps like WhatsApp, Telegram, and Signal to steal sensitive information. It can conduct overlay attacks, log keystrokes, and remotely control infected devices, posing a significant threat to financial institutions and users in Europe. #Sturnus #AndroidTrojan #ThreatFabric #FintechThreats…
Recent cybersecurity incidents reveal a rise in international espionage, targeted hacking campaigns, and vulnerabilities in widely used systems and devices. These stories highlight the ongoing efforts of governments, cybercriminals, and security researchers to adapt and respond to new online threats. #LinkedInEspionage #OracleVulnerability…