AMOS Stealer Deployment via ClickFix Social Engineering on macOS
Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack leverages browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok), prompting users to manually copy and execute a malicious command in the macOS Terminal. This sequence bypasses browser security and Gatekeeper by utilizing curl or wget to download a DMG file, which is then silently mounted via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.
Systematic Vulnerabilities in Apple AirDrop and Android Quick Share
Researchers from CISPA have identified critical, zero-click vulnerabilities in proximity-based file-transfer protocols, specifically Apple AirDrop and Google/Samsung Quick Share. Utilizing the custom "AIRFUZZ" protocol-aware fuzzer, the study uncovered systemic flaws in how privileged daemons process unauthenticated, complex serialized content such as Binary Plists, CPIO archives, and Protocol Buffers. Exploitation vectors include Swift-based Denial of Service (DoS), XML recursion, and memory corruption via Heap Use-After-Free (UAF). Most significantly, the research demonstrated a complete bypass of Device-to-Device (D2D) encryption in Samsung Quick Share. These vulnerabilities affect over 5 billion devices globally. All affected vendors—Apple, Google, and Samsung—have released patches to remediate these flaws.
Gaslight Malware: Adversarial Prompt Injection Targeting macOS and LLM-Based SOC Triage
Gaslight (macOS.Gaslight) is a Rust-based backdoor attributed to North Korean (DPRK) state-sponsored actors, designed for browser credential harvesting from Chrome, Brave, Firefox, and Safari on macOS. The implant utilizes the Telegram Bot API for command-and-control (C2) communications. Its primary innovation is the integration of 38 adversarial prompt injection strings embedded within the binary. These strings are engineered to deceive Large Language Models (LLMs) used by SOC analysts during triage, inducing AI refusals or hallucinated benign classifications to bypass automated analysis and extend attacker dwell time. Detection was initially facilitated by an Apple XProtect update.
Apple iPhone BootROM Vulnerability usbliter8
A critical hardware-level vulnerability in the Apple SecureROM (BootROM) enables privileged execution on A12 and A13 chipsets via the 'usbliter8' exploit. The flaw stems from a design weakness in the Synopsys DesignWare USB 2 (DWC2) controller, where a mismatch between DMA pointer increments and resets during USB Setup transactions triggers a buffer underflow. Attackers can bypass Pointer Authentication Codes (PAC) on A13 devices using heap corruption and interrupt handler manipulation to achieve EL1 privileged execution in Device Firmware Update (DFU) mode. Because the vulnerability exists in the immutable BootROM, it is unpatchable via software updates, requiring hardware replacement for full remediation.