#macOSMalware
Posts tagged #macOSMalware on Bluesky

Microsoft Warns Python Infostealers On macOS
Read More: buff.ly/sA1LZdJ

#macOSMalware #PythonMalware #InfoStealer #ThreatIntel #SocialEngineering #Malvertising #MicrosoftSecurity #CredentialTheft

0 0 0 0

Nomani Investment Scam Rises Using AI
Read More: buff.ly/OZyBEkf

#MacSyncMalware #macOSMalware #AppleGatekeeper #CodeSignedMalware #SwiftMalware #macOSSecurity #EndpointSecurity #ThreatResearch #AppleSecurity

0 0 0 0

New MacSync Malware Bypasses macOS
Read More: buff.ly/VugqKTX

#MacSyncMalware #macOSMalware #AppleGatekeeper #CodeSignedMalware #SwiftMalware #macOSSecurity #EndpointSecurity #ThreatResearch #AppleSecurity

0 0 0 0
Preview: New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App, delivered through pirated macOS software.

New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App reconbee.com/new-zuru-mal...

#ZuRumalware #malwareattack #developers #Trojanizedterminus #macosmalware #macosapp

0 0 0 0
NimDoor: North Korean Hackers Deploy Sophisticated macOS Malware Targeting Web3 and Crypto Firms

North Korean state-sponsored hackers have rolled out a new macOS malware strain dubbed NimDoor, designed to infiltrate Web3 and cryptocurrency organizations. According to a fresh analysis by SentinelOne researchers, the attackers leveraged uncommon methods and an innovative signal-based persistence mechanism never observed before.

The attack chain starts with threat actors reaching out to potential victims through Telegram, persuading them to execute a bogus Zoom SDK update distributed via Calendly invitations and email—an approach reminiscent of tactics recently attributed to BlueNoroff by the managed security provider Huntress.

SentinelOne’s report notes that the adversaries used a mix of C++ and Nim-compiled binaries (collectively referred to as NimDoor) on macOS—"a more unusual choice." One of these binaries, named 'installer,' handles the initial setup by preparing directories and configuration paths. It then deploys two additional components—'GoogIe LLC' and 'CoreKitAgent'—onto compromised systems. GoogIe LLC focuses on harvesting environment details and generating a hex-encoded configuration file, which is saved in a temporary directory. It also sets up a macOS LaunchAgent (com.google.update.plist) to ensure the malware runs automatically at login and retains authentication keys for future use.

The most advanced piece of the toolkit is CoreKitAgent, the primary payload of NimDoor. This event-driven binary leverages macOS’s kqueue mechanism for asynchronous execution and implements a 10-state machine with a hardcoded transition table, enabling dynamic control depending on runtime conditions. A particularly distinctive characteristic is CoreKitAgent’s signal-based persistence, which relies on custom handlers for SIGINT and SIGTERM—signals typically used to terminate processes.

"When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan, setting executable permissions on the latter two via the addExecutionPermissions_user95startup95mainZutils_u32 function," SentinelLABS explains. "This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."

Once active, CoreKitAgent decodes and executes a hex-encoded AppleScript that connects to command-and-control servers every 30 seconds, exfiltrates system information, and executes remote commands via osascript, effectively acting as a stealth backdoor.

Alongside the main NimDoor infection, a parallel chain initiated by 'zoom_sdk_support.scpt' deploys 'trojan1_arm64', which establishes WebSocket Secure (WSS)-based communications with attacker infrastructure. It downloads two additional scripts—upl and tlgrm—to facilitate data theft. Notably, researchers discovered that the loader script contains over 10,000 blank lines to hinder detection.

Upl focuses on extracting browser data, Keychain credentials, and shell history files (.bash_history and .zsh_history), transmitting the stolen information to dataupload[.]store via curl. Meanwhile, tlgrm targets Telegram data, including .tempkeyEncrypted files, likely to decrypt private messages exchanged on the platform.

Overall, SentinelLABS describes NimDoor and its associated payloads as among the most complex macOS malware attributed to North Korean threat actors so far. The framework’s modular architecture and the use of novel persistence techniques underscore how DPRK operators are continuously refining their cross-platform attack capabilities to breach cryptocurrency ecosystems and steal sensitive information.

SentinelLABS’ comprehensive report provides detailed indicators of compromise, including malicious domains, file paths, scripts, and binaries linked to these intrusions.

NimDoor: North Korean Hackers Deploy Sophisticated macOS Malware Targeting Web3 and Crypto Firms #cryptocurrencyattacks #MacOSMalware #malware

0 0 0 0
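A defender-side triage helper for two NimDoor traits the post above calls out: the com.google.update LaunchAgent pointing at a 'GoogIe LLC' loader, and a loader script padded with 10,000 blank lines. This is an added example, not code from SentinelLABS or the post; the plist and script contents are constructed, and the brand-lookalike fold and the blank-line threshold are heuristics of my own.

```python
import plistlib

# Constructed sample LaunchAgent modelled on the com.google.update.plist the post describes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed loader: one real line buried under 10,000 blank lines, as the post notes.
SAMPLE_LOADER = "#!/bin/zsh\n" + "\n" * 10000 + "echo placeholder-payload\n"

KNOWN_LABELS = {"com.google.update"}  # label reported in the SentinelLABS write-up
TRUSTED_PREFIXES = ("/usr/", "/System/", "/Applications/", "/Library/Apple/")  # assumed allowlist


def lookalike_of(name: str, brand: str = "google") -> bool:
    """Heuristic: the name spells `brand` only after folding the capital-I / lowercase-l
    homoglyph, so 'GoogIe LLC' is flagged while 'Google Chrome' is not."""
    plain = name.lower()
    folded = plain.replace("i", "l")
    return brand in folded and brand not in plain


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one LaunchAgent plist (empty list = nothing noted)."""
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    args = agent.get("ProgramArguments", [])
    findings = []
    if label in KNOWN_LABELS:
        findings.append(f"known NimDoor label: {label}")
    for arg in args:
        if lookalike_of(arg.rsplit("/", 1)[-1]):
            findings.append(f"brand lookalike in program name: {arg}")
    if agent.get("RunAtLoad") and args and not args[0].startswith(TRUSTED_PREFIXES):
        findings.append(f"RunAtLoad agent executes from a user-writable path: {args[0]}")
    return findings


def is_padded_script(text: str, min_lines: int = 1000, blank_ratio: float = 0.9) -> bool:
    """Flag scripts whose bulk is blank lines, the padding trick noted for the NimDoor loader."""
    lines = text.splitlines()
    if len(lines) < min_lines:
        return False
    blanks = sum(1 for line in lines if not line.strip())
    return blanks / len(lines) >= blank_ratio
```

Point `triage_launch_agent` at the contents of each file under ~/Library/LaunchAgents and `is_padded_script` at any script those agents reference; a real deployment would add the rest of the report's IoCs to `KNOWN_LABELS`.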

North Korean hackers are deploying NimDoor macOS malware via fake Zoom updates, targeting crypto firms. Stay vigilant! #CyberSecurity #NimDoor #macOSMalware #CryptoSecurity Link: thedailytechfeed.com/north-korean...

1 0 0 0

NimDoor crypto-theft macOS malware revives itself when killed reconbee.com/nimdoor-cryp...

#NimDoor #crypto #macOSmalware #malwareattack #malware

0 0 0 0

1/3
🚨North Korea’s BlueNoroff (aka Sapphire Sleet) uses DEEPFAKES of execs in fake Zoom calls to trick employees into installing macOS malware. Their goal: steal crypto wallets & sensitive data. Huntress exposed this sophisticated attack.
#CyberSecurity #Deepfake #MacOSMalware #CryptoTheft #APT

0 0 1 0
Preview: macOS Malware Analysis: PKG Files. There are very few resources on macOS malware analysis of native file types. I have often struggled to learn it in the beginning. Hence I decided to write a detailed article on PKG file analysis!

🔍 Understanding macOS Malware is crucial for any professional today.

Check out my in-depth guide on analyzing PKG files to enhance your skills in macOS Malware Analysis: www.malwr4n6.com/post/macos-m...

#macos #malwareanalysis #macosmalware #apple #malware #guide

1 0 1 0
Preview: Unmasking the New XCSSET macOS Malware Variant: A Deep Dive into Crypto Theft Tactics | The DefendOps Diaries. Explore the new XCSSET macOS malware variant's tactics in crypto theft and advanced obfuscation techniques.

Unmasking the New XCSSET macOS Malware Variant: A Deep Dive into Crypto Theft Tactics

thedefendopsdiaries.com/unmasking-th...

#xcsset
#macosmalware
#cryptotheft
#cybersecurity
#malwareanalysis
#infosec
#obfuscation
#zeroday
#securitythreats
#macossecurity

1 0 0 0
Preview: Banshee Stealer source code leaked: macOS malware neutralized. Cybercriminals give up: the Banshee Stealer malware for macOS was abandoned after its source code was published. The article "Banshee Stealer source code leaked: macOS malware neutralized" (https://tarnkappe.info/artikel/it-sicherheit/banshee-stealer-quellcode-geleakt-macos-malware-unschaedlich-gemacht-304847.html) first appeared on TARNKAPPE.info (https://tarnkappe.info).

📬 Banshee Stealer source code leaked: macOS malware neutralized

#ITSicherheit #Malware #BansheeStealer #ElasticSecurityLabs #macOS #macOSMalware #QuellcodeLeak #VXUnderground

1 0 0 0

What is old is new again, #atomicstealer being distributed via #clearfake campaign. Haven't seen that in a while!

Clearfake domain: cejecuu4[.]xyz
C2: 193.124.185[.]23

Payload staged in Dropbox

#macosmalware #infostealers #amos #fakebrowserupdates #fakechrome

2 0 1 0