Trojanised DeepSeek app targets macOS users with Poseidon Stealer
Security researcher g0njxa identified a new campaign that is disseminating fake versions of the DeepSeek artificial intelligence chatbot to target macOS users with Poseidon Stealer. The campaign tricks users into downloading and executing malicious files, allowing the threat actors to steal sensitive data from compromised systems, including browser-stored credentials, cryptocurrency wallets, system information, and keylogging data. The malware is distributed through phishing links and compromised websites, with attackers exploiting user trust in seemingly legitimate downloads. The malware establishes persistence by modifying macOS plist files, abuses legitimate system processes to evade detection, and sets up encrypted communication with its C2 server for data exfiltration.
Premium Panel phishing kit used to target companies in Europe
Intrinsec researchers detailed the ‘Premium Panel’ phishing toolkit, which has been used in multiple campaigns for at least two years to target renowned companies in various industries, primarily banking and logistics. Threat actors using the tool have primarily targeted Western companies, with exceptions observed in Saudi Arabia, Israel, South Africa, Taiwan, Qatar, and Guatemala. To host phishing pages, threat actors either used compromised legitimate domains, used temporary or free domains, or registered domains spoofing the target brand. Some Premium Panel users have also set up Telegram bots to receive notifications when a victim visits a phishing domain. The ‘Live Control Panel’ page also lets operators restrict the phishing domain to mobile users only, block access to the phishing domain entirely, and search for a victim IP address. On April 23rd, 2024, the toolkit was mentioned in a Facebook group named ‘ProDefence’.
Large-scale phishing campaign impersonating USPS uses new technique to deliver malicious PDFs
Zimperium researchers discovered a new phishing campaign impersonating the United States Postal Service (USPS) to target mobile phone users. The campaign uses a new obfuscation method in its malicious PDF files: the malicious URL is embedded without the standard ‘/URI’ tag, making it more challenging to extract URLs during analysis. The PDFs are designed to steal credentials and compromise data, with over 20 malicious PDF files and 630 phishing pages identified as part of the campaign. The text messages urge users to click on the PDF file link to update their address information, which redirects them to a USPS phishing page. An analysis of the phishing pages revealed multilingual support, suggesting the attacker may be able to target a wide range of countries and may be using a phishing kit.
Fake XWorm RAT builder used to infect users with infostealer
CloudSEK researchers observed a trojanised version of the XWorm RAT builder being disseminated online, mainly via GitHub. The malicious builder appears to be specifically targeting script kiddies new to cybersecurity, with over 18,459 devices compromised to date. The malware is capable of stealing sensitive data such as browser credentials, Discord tokens, Telegram data, and system information. It uses Telegram as its C2 infrastructure, leveraging bot tokens and API calls to issue commands. The researchers discovered the malware’s ‘kill switch’ feature, enabling them to disrupt operations on active devices.
New TorNet backdoor delivered in campaign targeting Poland and Germany
Cisco Talos researchers observed an ongoing financially motivated campaign, active since at least July 2024, mainly targeting Poland and Germany. The campaign delivers various payloads, including Agent Tesla, Snake Keylogger, and a newly identified backdoor, dubbed TorNet. The campaign uses phishing emails impersonating financial institutions or manufacturing and logistics companies as the initial infection vector. The emails claim to be money transfer confirmations or order receipts, respectively, with an attached TAR archive. Extracting the archive leads to a .NET loader being run, which downloads PureCrypter from a compromised staging server; PureCrypter is then used to drop and run the TorNet backdoor.
Ransomware
Volume of blog posts by operators during the last week.
- How Interlock Ransomware Infects Healthcare Organizations – The Hacker News – Jan 29 2025
- Lynx Ransomware Group Unveiled with Sophisticated Affiliate Program – Infosecurity Today – Jan 28 2025
- Phorpiex – Downloader Delivering Ransomware – Cybereason – Blog – Jan 28 2025
- New report warns of sophisticated techniques being used by ransomware group Arcus Media – SiliconANGLE – Jan 28 2025
- The 2024 Ransomware Landscape: Looking back on another painful year – Rapid7 – Jan 27 2025
- ESXi ransomware attacks use SSH tunnels to avoid detection – Security Affairs – Jan 27 2025
- Emerging Threat Actor GD LockerSec Launches New RansomHub-Lookalike Site, Claims AWS – TechNadu – Jan 27 2025
- Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware – The DFIR Report – Blog – Jan 27 2025
- HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code – SentinelOne – Jan 23 2025
- Helldown Ransomware Technical & Malware Analysis Report – Threat Reports – ThreatMon – Jan 23 2025
Financial Services
- Security Brief: Threat Actors Take Taxes Into Account – Proofpoint US Blog – Jan 28 2025
- Doctor, where did you get these pictures? Using steganography in a cryptocurrency mining campaign – Dr Web – News – Jan 24 2025
- Tangerine Turkey mines cryptocurrency in global campaign – Red Canary – Jan 23 2025
- PFS Investments Inc. Files Notice of Recent Data Breach Leaking Confidential Information – JD Supra – Jan 23 2025
- “Crazy Evil” Cryptoscam Gang: Unmasking a Global Threat in 2024 – Recorded Future – Blog – Jan 21 2025
Geopolitics
- UAC-0063 Expands Cyber Attacks to European Embassies Using Stolen Documents – The Hacker News – Jan 29 2025
- Iranian hackers broadcast rocket sirens, pro-terror songs at 20 Israeli kindergartens – Jerusalem Post – Jan 27 2025
- Ukrainian hackers disrupt Russia’s Megafon, leaving many without mobile communications and internet – Ukrinform News – Jan 25 2025
- Fico accuses Ukraine of hacking Slovakia’s national insurer – NV.ua – Jan 25 2025
- Japanese Companies Threatened by DPRK IT Workers – Threat Reports – NISOS – Jan 23 2025
High Priority Vulnerabilities
| CVE | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2025-24085 | iPadOS | 7.8 | 6.0 | Apple fixes this year’s first actively exploited zero-day bug |
| CVE-2020-11023 | BI Publisher | 6.9 | 5.8 | CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List |
| CVE-2024-41710 | 6970 | 6.8 | 6.8 | Active Exploitation: New Aquabot Variant Phones Home |
| CVE-2021-26855 | Exchange Server | 9.8 | 8.7 | Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor |
| CVE-2024-57726 | Remote Support Software | 9.9 | 6.3 | Threat actors exploit SimpleHelp RMM for initial access |