AMOS Stealer Deployment via ClickFix Social Engineering on macOS

Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack leverages browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok), prompting users to manually copy and execute a malicious command in the macOS Terminal. This sequence bypasses browser security and Gatekeeper by utilizing curl or wget to download a DMG file, which is then silently mounted via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.

Lumma Stealer: Bypassing Google Chrome App-Bound Encryption for Crypto Theft

Lumma Stealer has evolved its execution chain to bypass Google Chrome's App-Bound Encryption (ABE) by transitioning from offline file decryption to "living-off-the-browser" techniques. By utilizing Asynchronous Procedure Call (APC) and Remote Thread Injection into chrome.exe, or leveraging malicious Chrome extensions, the malware forces the legitimate browser process to decrypt sensitive data using its own internal APIs. This allows attackers to exfiltrate session cookies and non-custodial cryptocurrency wallet seeds, effectively neutralizing ABE and enabling MFA bypass via session hijacking. The impact is concentrated on high-value digital assets and corporate account access; the malware is delivered through SEO poisoning and malvertising.

Runtime Abuse: Exploiting Node.js and Deno via OXLOADER and CASTLESTEALER

A malvertising campaign targets developers and Windows users by impersonating official Node.js and Deno installers through sponsored Google Ads. The attack chain deploys OXLOADER to facilitate the execution of CASTLESTEALER, CastleRAT, or Stealit malware. A primary technical innovation is the abuse of Node.js Single Executable Applications (SEA) and the Deno runtime to encapsulate malicious payloads. By executing within these legitimate JavaScript environments, the malware evades traditional EDR/AV solutions that trust common developer binaries. The impact includes the theft of sensitive credentials, API keys, and tokens, creating significant risks for developer workstations and potential supply chain contamination.

The Resurgence of Infostealers: Katz, Bee, and Acreed Malware Driving Identity-Centric Enterprise Compromise

Infostealer malware, specifically families such as Katz, Bee, and Acreed, has seen an 800% increase in activity, accelerating a shift toward identity-centric attack vectors. These threats target consumer devices via malvertising, phishing, and cracked software to exfiltrate browser cookies, session tokens, and saved credentials. By harvesting valid session data, attackers bypass Multi-Factor Authentication (MFA) through session hijacking. This data is subsequently commoditized through Initial Access Broker (IAB) marketplaces and Telegram-based distribution, providing the requisite access for enterprise-grade ransomware deployment and large-scale espionage operations.

ChatGPT Share Links Exploited to Bypass Security Filters and Deliver Infostealers

Threat actors are leveraging the ChatGPT "shared chat" feature to execute a sophisticated phishing campaign that bypasses corporate security infrastructure. By hosting fraudulent service outage notifications on the trusted chatgpt.com/share/ domain, attackers utilize domain reputation hijacking to circumvent Secure Web Gateways (SWG) and URL filters. The campaign redirects targets to download malicious, fake ChatGPT desktop applications for Windows (.exe) and macOS (.dmg/.pkg). These payloads deliver infostealer malware designed to exfiltrate browser cookies, session tokens, and sensitive system credentials, posing a critical risk of account takeover (ATO) and large-scale corporate data exfiltration.

Ultrahuman Smart Ring Data Breach: Biometric Data Exposure via Endpoint Compromise

Ultrahuman suffered a data breach resulting in the unauthorized exfiltration of sensitive customer wellness and biometric telemetry. The attack originated from an Infostealer malware infection on a corporate employee's laptop, which allowed threat actors to harvest credentials and move laterally into internal wellness data repositories. While financial data and user passwords remained secure, the breach exposed highly personal health metrics, including heart rate variability, sleep cycles, and blood glucose trends. This incident underscores critical vulnerabilities in endpoint security and privileged access management (PAM) within the wearable health technology sector.
