#OpenThreatExchange

2025-11-26

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript files on fake recruitment websites, prompting users to execute commands that download and run malicious shell scripts. These scripts then fetch and execute a Golang backdoor, which establishes persistence and communicates with a command and control server. The malware can collect system information, upload and download files, execute commands, and steal Chrome data. The attackers use Dropbox as an exfiltration channel for captured credentials.

Pulse ID: 6926ad7fa13662f75aa22c7f
Pulse Link: otx.alienvault.com/pulse/6926a
Pulse Author: AlienVault
Created: 2025-11-26 07:34:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chrome #CyberSecurity #DPRK #Dropbox #Golang #ICS #InfoSec #Java #JavaScript #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SocialEngineering #bot #AlienVault

2025-11-26

Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable security measures, remove competing malware, and download architecture-specific second-stage binaries. The campaign has been active since July 2025, with consistent use of a handful of distribution points. The actor targets home routers and other IoT devices using multiple CVEs and generic command injection attempts.

Pulse ID: 6926ce4acf381a3fb07c9efb
Pulse Link: otx.alienvault.com/pulse/6926c
Pulse Author: AlienVault
Created: 2025-11-26 09:54:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #IoT #Malware #Mirai #OTX #OpenThreatExchange #bot #AlienVault

2025-11-26

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

This analysis details a sophisticated DPRK-linked operation called Contagious Interview, which uses a fake job platform to target U.S. AI talent. The campaign mimics legitimate recruitment processes, offering job listings from well-known tech companies to lure victims. The platform, hosted at lenvny[.]com, is designed to appear as a legitimate AI-powered interview tool. It employs various techniques to establish credibility, including professional design, fake testimonials, and comparisons with real companies. The attack culminates in a malware delivery through a clipboard hijacking technique, triggered when victims attempt to record a video introduction. This operation specifically targets high-value professionals in AI and cryptocurrency sectors, aiming to gain access to strategic information and financial assets.

Pulse ID: 6926d16a60c2447d2c490745
Pulse Link: otx.alienvault.com/pulse/6926d
Pulse Author: AlienVault
Created: 2025-11-26 10:07:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Clipboard #CyberSecurity #DPRK #ICS #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #RAT #bot #cryptocurrency #AlienVault

2025-11-26

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

The TamperedChef campaign is a global malvertising and SEO operation that distributes seemingly legitimate software with valid code signing to trick users into executing malicious installers. These fake applications mimic common software and establish persistence through scheduled tasks, delivering obfuscated JavaScript payloads for remote access. The campaign uses a network of U.S.-registered shell companies to acquire and rotate code-signing certificates, maintaining trust exploitation. Victims are primarily in the Americas, with a focus on healthcare, construction, and manufacturing industries. The campaign's infrastructure is designed for quick rebuilding after takedowns, using short-term domain registrations and certificate rotations. The attackers' motivations may include selling initial access, credential theft, ransomware staging, or opportunistic espionage.

Pulse ID: 6926b00a12a427dc4d783af7
Pulse Link: otx.alienvault.com/pulse/6926b
Pulse Author: AlienVault
Created: 2025-11-26 07:45:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Americas #CyberSecurity #Espionage #Healthcare #InfoSec #Java #JavaScript #Malvertising #Manufacturing #Mimic #OTX #OpenThreatExchange #RAT #RansomWare #Rust #bot #AlienVault

2025-11-26

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync requests reaching their sinkhole, indicating different networks at play. The infrastructure behind these operations was found to be deliberate and planned, with domains actively registered until 2025. The attack vector leverages users' trust in calendar events, making it more effective than traditional phishing emails. The researchers also discovered links to the Balada injector campaign, involving website compromises and redirection chains. The scale of operations includes over 1,300 domains and various monetization strategies, including selling calendar event ad space.

Pulse ID: 6926c81b646b18ae922d7f8d
Pulse Link: otx.alienvault.com/pulse/6926c
Pulse Author: AlienVault
Created: 2025-11-26 09:27:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bitsight #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #Rust #SocialEngineering #bot #AlienVault

2025-11-26

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finger protocol, and anti-analysis checks. They utilize multiple domains for payload delivery and command and control. The group's infrastructure overlaps with previous campaigns from 2024, suggesting an evolution of tactics rather than a new actor. NetMedved's operations involve social engineering, custom obfuscation, and abuse of legitimate tools to evade detection and maintain persistence on compromised systems.

Pulse ID: 6926cae8043aabe58197d11e
Pulse Link: otx.alienvault.com/pulse/6926c
Pulse Author: AlienVault
Created: 2025-11-26 09:39:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Russia #SocialEngineering #bot #AlienVault

2025-11-26

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using fake update lures to deliver malware, and executing malicious JavaScript on victim hosts. The targeted company had ties to Ukraine, aligning with RomCom's focus on entities supporting Ukraine. Evidence suggests Russia's GRU unit 29155 is leveraging SocGholish for targeting. The attack was thwarted by Arctic Wolf's Aurora Endpoint Defense, which detected and quarantined the RomCom loader upon delivery.

Pulse ID: 6925f15de6ea757941c36353
Pulse Link: otx.alienvault.com/pulse/6925f
Pulse Author: AlienVault
Created: 2025-11-25 18:11:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #InfoSec #Java #JavaScript #Malware #Mythic #OTX #OpenThreatExchange #RAT #RomCom #Russia #SocGholish #UK #Ukr #Ukraine #bot #AlienVault

2025-11-26

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerability (CVE-2025-26633) to inject code into mmc.exe, initiating a series of hidden PowerShell stages. The attack employs layered obfuscation, password-protected archives, and process-hiding techniques to evade detection. The campaign's attribution to Water Gamayun is based on their unique exploitation methods, signature obfuscation patterns, infrastructure design, and specific social engineering themes. The group's objectives include strategic intelligence gathering, credential theft, and long-term persistence through custom backdoors and information stealers.

Pulse ID: 69264d24cbe30afec1cec15f
Pulse Link: otx.alienvault.com/pulse/69264
Pulse Author: AlienVault
Created: 2025-11-26 00:43:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #PDF #Password #PowerShell #RAT #SocialEngineering #Vulnerability #Word #bot #AlienVault

2025-11-25

Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware

A new wave of ClickFix attacks has been identified that abuses highly realistic fake Windows Update screens and PNG image steganography to secretly deploy info-stealing malware.

Pulse ID: 69258ec9f2e8abc71efb55e6
Pulse Link: otx.alienvault.com/pulse/69258
Pulse Author: cryptocti
Created: 2025-11-25 11:11:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Steganography #Windows #bot #cryptocti

2025-11-25

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.

Pulse ID: 6924c9a94b1c7374cf444b82
Pulse Link: otx.alienvault.com/pulse/6924c
Pulse Author: AlienVault
Created: 2025-11-24 21:10:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LummaC2 #Mac #Malware #NET #OTX #OpenThreatExchange #PowerShell #Rhadamanthys #ShellCode #Steganography #Windows #bot #AlienVault

2025-11-25

Stories from the SOC: Mystery of the postponed proxyware install

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack utilized a download cradle and in-memory execution techniques to evade detection. The SOC team successfully intercepted the attack before the proxyware installation could complete. The incident highlights the risks associated with unauthorized software installations and the importance of restricting PowerShell access in corporate environments.

Pulse ID: 6924c9aad09e7e30fb5d9b70
Pulse Link: otx.alienvault.com/pulse/6924c
Pulse Author: AlienVault
Created: 2025-11-24 21:10:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #PowerShell #Proxy #RAT #RCE #bot #AlienVault

2025-11-25

Build script exposes PyPI to domain takeover attacks

ReversingLabs researchers discovered vulnerable code in legacy Python packages that could enable an attack on the Python Package Index (PyPI) via a domain compromise. The vulnerability lies in bootstrap files for a build tool that installs the Python package 'distribute' and performs other tasks. When executed, the bootstrap script fetches and executes an installation script from python-distribute.org, a domain now available for sale. Affected packages include tornado, pypiserver, slapos.core, and others. The issue stems from the complex history of Python packaging tools and the failure to formally decommission the 'distribute' module. This vulnerability highlights the risks of relying on hard-coded domains and the importance of addressing code rot in open-source projects.

Pulse ID: 6924c9abb614eb03b6f6433d
Pulse Link: otx.alienvault.com/pulse/6924c
Pulse Author: AlienVault
Created: 2025-11-24 21:10:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #PyPI #Python #RCE #ReversingLabs #Vulnerability #bot #AlienVault

2025-11-25

ToddyCat APT Uses New Browser-Based Techniques to Access Internal Network

Recently, the ToddyCat APT group has developed new ways to access corporate email communications at target organizations.

Pulse ID: 6925055c6b2b9d92c6c597c4
Pulse Link: otx.alienvault.com/pulse/69250
Pulse Author: cryptocti
Created: 2025-11-25 01:24:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #RAT #bot #cryptocti

2025-11-24

Tycoon2FA Launches Attacks Targeting Office 365 Accounts

Pulse ID: 6924d16022a8b82da657b3f1
Pulse Link: otx.alienvault.com/pulse/6924d
Pulse Author: cryptocti
Created: 2025-11-24 21:42:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#2FA #CyberSecurity #InfoSec #OTX #Office #OpenThreatExchange #bot #cryptocti

2025-11-24

Stealthy Python Malware Hides Inside RAR Disguised as PNG

Pulse ID: 6924d19baf67041ac2f3a496
Pulse Link: otx.alienvault.com/pulse/6924d
Pulse Author: cryptocti
Created: 2025-11-24 21:43:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Python #bot #cryptocti

2025-11-24

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for initial access, leveraging GitHub and Google Drive for malware distribution. The malware exfiltrates sensitive data including browser credentials, system information, and keystrokes. Additional activities by the same actor include credential theft through phishing sites and spear-phishing campaigns targeting South Korean users. The analysis provides evidence supporting the attribution to Kimsuky and highlights the ongoing development of variants and infrastructure, indicating successful attacks.

Pulse ID: 6924489d963d7a76a737f173
Pulse Link: otx.alienvault.com/pulse/69244
Pulse Author: AlienVault
Created: 2025-11-24 11:59:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Email #GitHub #Google #InfoSec #Kimsuky #Korea #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SouthKorea #SpearPhishing #UK #bot #AlienVault

2025-11-24

Brazilian Campaign: Spreading the Malware via WhatsApp

A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source automation script and loading a banking trojan into memory. The attack begins with a phishing email containing a malicious VBS script that downloads and executes an MSI file and another VBS file. The second VBS installs Python and Selenium, which are used to inject malicious JavaScript into WhatsApp Web. This allows the malware to send itself to the victim's contacts. The MSI file drops an AutoIt script that monitors for Brazilian banking and cryptocurrency-related windows, then loads an encrypted payload into memory to avoid detection. The payload targets specific Brazilian financial institutions and cryptocurrency wallets.

Pulse ID: 69244957dff9333c2df77a05
Pulse Link: otx.alienvault.com/pulse/69244
Pulse Author: AlienVault
Created: 2025-11-24 12:02:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #Bank #BankingTrojan #Brazil #CyberSecurity #ELF #Email #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #Python #RCE #Trojan #VBS #WhatsApp #Windows #bot #cryptocurrency #AlienVault

2025-11-24

APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

An internal leak from APT35 (Charming Kitten) reveals a sophisticated, state-directed cyber-intelligence operation targeting diplomatic, government, and corporate networks in the Middle East and Asia. The documents expose a bureaucratic structure with defined workflows, performance metrics, and specialized teams for exploit development, credential theft, and phishing campaigns. The group's focus on Exchange servers, use of ProxyShell exploits, and persistent mailbox monitoring demonstrate a strategic emphasis on long-term intelligence collection. The leak provides unprecedented insight into Iran's cyber capabilities, showing a mature apparatus that blends technical prowess with military-style oversight.

Pulse ID: 6921bcca5b00a92c1be4ffcc
Pulse Link: otx.alienvault.com/pulse/6921b
Pulse Author: AlienVault
Created: 2025-11-22 13:38:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberSecurity #Government #ICS #InfoSec #Iran #Korea #MiddleEast #Military #OTX #OpenThreatExchange #Phishing #Proxy #RAT #SaudiArabia #Turkey #bot #AlienVault

2025-11-23

Cl0p Ransomware Intensifies Targeted Attacks on Global Enterprises

Pulse ID: 69237fcffa97688d55267a77
Pulse Link: otx.alienvault.com/pulse/69237
Pulse Author: cryptocti
Created: 2025-11-23 21:42:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cl0p #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RansomWare #bot #cryptocti

2025-11-23

ShinyHunters Claims Data Theft by Leveraging Salesforce OAuth Tokens

Using compromised Salesforce OAuth tokens, a sophisticated supply chain attack has reportedly compromised data across hundreds of organizations through the connection between customer success platform Gainsight and CRM giant Salesforce.

Pulse ID: 692268f3b6f98111c2ded75c
Pulse Link: otx.alienvault.com/pulse/69226
Pulse Author: cryptocti
Created: 2025-11-23 01:52:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #OTX #OpenThreatExchange #RCE #SupplyChain #bot #cryptocti
