CyberSecurity news

FlagThis - #macos

@www.huntress.com //
The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.

Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process.

The AppleScript downloaded a payload from a malicious website, disabled bash history logging, and checked whether Rosetta 2 was installed on the compromised Mac. It then created a hidden file and downloaded binaries to the "/tmp/icloud_helper" directory, prompted the user for their system password, and wiped the history of executed commands to cover its tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff.

Recommended read:
References:
  • Know Your Adversary: Huntress has shared the analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes!
  • The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
  • Blog: Zoom & doom: BlueNoroff call opens the door
  • www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
  • www.csoonline.com: North Korea’s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls. In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.
  • Virus Bulletin: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • securityonline.info: North Korean BlueNoroff Uses Deepfakes in Zoom Scams to Install macOS Malware for Crypto Theft
  • cyberpress.org: BlueNoroff Hackers Leverage Zoom App to Spread Infostealer Malware in Sophisticated Cyberattacks
  • gbhackers.com: Exploits Zoom App to Deploy Infostealer Malware in Targeted Attacks

@www.bitdegree.org //
Cybercriminals are deploying fake Ledger Live applications to target macOS users and their cryptocurrency holdings. The malware is designed to steal seed phrases, the critical 12- or 24-word recovery phrases that grant complete access to a user's cryptocurrency wallet. These campaigns involve tricking users into downloading and installing a fraudulent Ledger Live app, which then prompts them to enter their seed phrase under false pretenses. Once entered, this information is sent directly to the attackers, allowing them to seize control of the victim's digital assets.

The method often involves the use of "Atomic macOS Stealer," a tool that cybersecurity firm Moonlock has discovered on approximately 2,800 compromised websites. This stealer infiltrates the system and gathers personal information, passwords, and wallet details. A key aspect of the attack is replacing the legitimate Ledger Live application with a fake one. Initially, these fraudulent apps were limited to collecting basic wallet information, but attackers have evolved their techniques to directly target and steal seed phrases, enabling them to transfer all funds from the compromised wallets.

Users are urged to exercise extreme caution and only download Ledger Live directly from the official Ledger website. The threat is significant because it exploits the trust placed in established cryptocurrency tools. The compromise of the Ledger Discord moderator account earlier this month, where a phishing link was posted requesting wallet recovery phrases, underscores the increasing sophistication of these attacks. This is not just about theft; attackers are finding new ways to target tools that many crypto users trust.

Recommended read:
References:
  • www.bitdegree.org: macOS users who use Live are being targeted by a scam that tricks them into handing over their crypto.
  • www.bleepingcomputer.com: Cybercriminal campaigns are using fake Ledger apps to target macOS users and their digital assets by deploying malware that attempts to steal seed phrases that protect access to digital cryptocurrency wallets.
  • www.scworld.com: Apps impersonating the widely used hardware-based cryptocurrency wallet Ledger have been harnessed to compromise macOS users' wallet seed phrases, BleepingComputer reports.

@gbhackers.com //
FrigidStealer, an information-stealing malware targeting macOS users, has been identified as a significant threat since January 2025. The malware spreads through deceptive tactics, primarily by posing as legitimate browser updates. This approach exploits user trust and makes it a particularly insidious form of malware, as it doesn't rely on traditional exploit kits or vulnerabilities. Instead, it tricks users into downloading a malicious disk image file (DMG) disguised as a Safari update from compromised websites. Once downloaded, the DMG file requires manual execution, often bypassing macOS Gatekeeper protections by prompting users to enter their password via AppleScript.

The malware targets sensitive data on macOS endpoints, including browser credentials, cryptocurrency wallets, files, and system information. After installation, FrigidStealer registers itself as an application, "ddaolimaki-daunito," and establishes persistence via launchservicesd as a foreground application with the bundle ID "com.wails.ddaolimaki-daunito." It then uses Apple Events for unauthorized inter-process communication to harvest data. This stolen data is exfiltrated to a command-and-control (C2) server through DNS data exfiltration via mDNSResponder. Post-exfiltration, the malware terminates its processes to evade detection and remove associated jobs.

Cybersecurity experts at Wazuh, an open-source SIEM and XDR platform, have released detection capabilities to help combat FrigidStealer. Wazuh collects events from the macOS Unified Logging System (ULS) and applies custom decoders and rules on the Wazuh server to detect suspicious activities. These activities include the malware's process registration, unauthorized Apple Events usage, and unusual DNS queries, all of which can be visualized on the Wazuh dashboard to enable swift incident response. The malware has been linked to TA2726 and TA2727, known for using fake browser updates as an attack vector, and potentially to the EvilCorp syndicate due to its financial motivations.
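The three detections described above, as an added example that is not Wazuh's own decoders or rules: a small Python scanner that runs over constructed, syslog-shaped process log lines (an assumed layout, not real ULS output) and flags the app name and bundle ID from the report, Apple Events sent by that process, and mDNSResponder queries with long hex-only labels (the DNS heuristic is an assumption for illustration).

```python
import re

# Constructed sample lines shaped like process-level unified log output. They are not
# real captures; only the app name and bundle ID come from the FrigidStealer report.
SAMPLE_LOG = """\
2025-01-15 10:02:11 launchservicesd[112]: registering foreground app com.wails.ddaolimaki-daunito
2025-01-15 10:02:12 ddaolimaki-daunito[4122]: AppleEvents: send event to pid 510 (Safari)
2025-01-15 10:02:13 mDNSResponder[96]: Query for 4a3f9c1e2b7d8e0f1a2b3c4d5e6f7a8b.c0ffee.example, type A
2025-01-15 10:02:14 Safari[510]: page load finished
2025-01-15 10:02:15 mDNSResponder[96]: Query for www.apple.com, type A
"""

KNOWN_NAMES = ("ddaolimaki-daunito", "com.wails.ddaolimaki-daunito")  # from the report
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"Query for (?P<name>[A-Za-z0-9.\-_]+)")

def parse_line(line):
    """Split one log line into timestamp, process, pid and message; None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_dns_name(name, max_label=30):
    """Heuristic (assumed): a label longer than max_label chars made only of hex digits."""
    return any(len(lab) > max_label and re.fullmatch(r"[0-9a-f]+", lab)
               for lab in name.lower().split("."))

def classify(entry):
    """Return the names of the rules that fire on one parsed entry."""
    hits = []
    text = entry["proc"] + " " + entry["msg"]
    if any(n in text for n in KNOWN_NAMES):          # process registration / any mention
        hits.append("frigidstealer_name")
    if entry["proc"] in KNOWN_NAMES and "AppleEvents" in entry["msg"]:
        hits.append("apple_events_from_stealer")     # IPC from the malware process
    if entry["proc"] == "mDNSResponder":
        q = QUERY_RE.search(entry["msg"])
        if q and suspicious_dns_name(q.group("name")):
            hits.append("dns_exfil_pattern")         # encoded data in a DNS label
    return hits

def scan(log_text):
    """Run every rule over every line; returns [(rule, line), ...] in log order."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            alerts.append((rule, line))
    return alerts

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```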

Recommended read:
References:
  • hackread.com: FrigidStealer Malware Hits macOS Users via Fake Safari Browser Updates
  • Wazuh: Detecting FrigidStealer malware with Wazuh
  • gbhackers.com: FrigidStealer Malware Targets macOS Users to Harvest Login Credentials

TIGR Threat@Security Risk Advisors //
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.

The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems.

Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities.

Recommended read:
References:
  • bsky.app: A threat actor has compromised the rand-user-agent JavaScript library and released a malicious version containing a remote access trojan.
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • The DefendOps Diaries: Understanding the Supply Chain Attack on 'rand-user-agent' npm Package
  • Secure Bulletin: Malicious npm packages hijack macOS Cursor AI IDE
  • Security Risk Advisors: Malicious npm Packages Target macOS Cursor Editor and Cryptocurrency Users in Coordinated Supply Chain Attacks
  • The Hacker News: Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials
  • Security Risk Advisors: RATatouille RAT Discovered in Compromised rand-user-agent NPM Package Affecting Thousands of Weekly Downloads
  • socket.dev: Malicious #npm packages targeting #Cursor editor and #crypto users steal credentials and execute remote code. #cybersecurity #supplychain