Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11780

Checks for new stories every ~15 minutes

2025-08-22 15:44:54 | bleepingcomputer | MALWARE | New Shamos Infostealer Targets Mac Users via Fake Fixes
A new malware named Shamos, a variant of Atomic macOS Stealer, is targeting Mac devices, stealing sensitive data and credentials. Developed by the cybercriminal group "COOKIE SPIDER," Shamos has been detected in over 300 environments globally since June 2025. The malware spreads through ClickFix attacks, using fake troubleshooting guides and malvertising to trick users into executing harmful shell commands. Once installed, Shamos bypasses macOS Gatekeeper protections, collects data like cryptocurrency wallet files and browser information, and transmits them to attackers. Shamos ensures persistence by creating a Plist file for automatic execution on system startup when run with sudo privileges. Users are advised to avoid executing unknown commands found online and to seek help from official Apple resources to prevent infection. ClickFix tactics have become increasingly effective for malware distribution, also being used in ransomware and state-sponsored attacks.
2025-08-22 15:36:01 | theregister | MALWARE | Microsoft's Report Warns of ClickFix Social Engineering Malware
Microsoft's security team has identified a growing threat from ClickFix, a social engineering tactic masquerading as CAPTCHA tests to execute malicious commands on user systems. ClickFix campaigns have targeted thousands of enterprise and end-user devices globally, leveraging fake CAPTCHA challenges to bypass conventional security measures. Attackers use ClickFix to deploy various malware payloads, including Lumma Stealer, Xworm, and AsyncRAT, which operate in-memory to evade detection. A notable attack on Portuguese organizations involved ClickFix to deploy the Lampion info-stealer, although the final payload delivery was thwarted due to commented-out code. Variants of ClickFix have been found mimicking Google Chrome error pages and Discord landing pages, expanding the technique's reach across different platforms. Microsoft's recommendations focus on user education, email filtering, and technical defenses like PowerShell script block logging and app control policies to mitigate these threats. The report provides indicators of compromise to enhance security scanning systems, aiding in the identification and prevention of ClickFix-related attacks.
2025-08-22 14:37:46 | thehackernews | MALWARE | New Linux Malware Uses File Name Exploits to Evade Detection
Cybersecurity researchers identified a novel Linux malware delivery method using malicious RAR filenames to evade antivirus detection, primarily through phishing emails disguised as beauty product surveys. The attack chain begins with a spam email containing a RAR archive, where the file name itself is encoded with a Base64 command, triggering malware execution when parsed by a shell script. This technique bypasses traditional defenses as antivirus engines typically do not scan file names, allowing attackers to execute arbitrary code through shell command injection. The malware, VShell, is a Go-based remote access tool used by Chinese hacking groups, capable of in-memory operation, reverse shell access, and encrypted command-and-control communications. The attack targets a wide range of Linux devices, exploiting command injection vulnerabilities and the permissive execution environment of Linux systems to deliver a powerful backdoor. In parallel, Picus Security reported on RingReaper, a post-exploit tool leveraging Linux's io_uring framework to evade traditional monitoring, highlighting an evolving threat landscape for Linux systems. The use of io_uring allows RingReaper to perform operations asynchronously, reducing detection visibility and complicating efforts to monitor malicious activity on Linux platforms.
2025-08-22 14:30:44 | theregister | CYBERCRIME | Interpol's Serengeti 2.0 Operation Nets 1,209 Cybercrime Arrests in Africa
Interpol's Serengeti 2.0 operation led to the arrest of 1,209 individuals across Africa, targeting cybercriminals involved in ransomware, BEC scams, and cryptocurrency fraud. The operation, conducted between June and August, resulted in the seizure of $97.4 million from criminal enterprises, with significant recoveries in Angola and Zambia. Authorities in Angola dismantled 25 illegal cryptocurrency mining centers, recovering $37 million, which will be used to improve power delivery in vulnerable regions. In Zambia, a large-scale crypto-investment fraud scheme was dismantled, affecting 65,000 victims and resulting in the arrest of 15 individuals and the seizure of related infrastructure. The operation included 11,432 takedowns of malicious networks, supported by intelligence from private sector partners and focused on dismantling command-and-control servers. Interpol's coordinated efforts highlight the importance of international collaboration and information sharing in combating cybercrime and protecting victims globally. The operation underscores the ongoing threat of online scams, which, though far less technically complex than ransomware attacks, continue to generate significant financial losses.
2025-08-22 11:08:59 | thehackernews | CYBERCRIME | INTERPOL's Operation Serengeti Arrests 1,209 Cybercriminals in Africa
INTERPOL's Operation Serengeti led to the arrest of 1,209 cybercriminals across 18 African nations who had targeted 88,000 victims, and recovered $97.4 million. The operation dismantled 11,432 malicious infrastructures, demonstrating the extensive reach of cybercrime and the necessity for international collaboration. Authorities in Angola dismantled 25 illegal cryptocurrency mining centers, involving 60 Chinese nationals, and seized equipment worth over $37 million. Zambian officials uncovered a large-scale online investment fraud affecting 65,000 victims, resulting in $300 million in losses; 15 individuals were arrested. The operation also disrupted a transnational inheritance scam originating in Germany, making arrests and seizures; the scam accounted for $1.6 million in losses. Group-IB provided intelligence on scams and BEC campaigns, underscoring the importance of private-sector collaboration in combating cybercrime. The initiative underscores the critical role of cross-border cooperation in enhancing investigative capabilities and safeguarding victims globally.
2025-08-22 10:47:43 | thehackernews | NATION STATE ACTIVITY | Chinese Cyber Espionage Groups Intensify Cloud and Telecom Attacks
Cybersecurity researchers have identified increased malicious activities by Chinese-linked groups Murky Panda, Genesis Panda, and Glacial Panda, targeting cloud and telecommunications sectors for intelligence collection. Murky Panda, also known as Silk Typhoon, exploits zero-day vulnerabilities in cloud environments, leveraging trusted relationships to breach enterprise networks and access sensitive information. The group has targeted entities across North America, focusing on government, technology, and professional services sectors, using compromised SOHO devices to evade detection. Genesis Panda, active since January 2024, targets financial, media, and technology sectors across 11 countries, exploiting cloud services for lateral movement and persistent access. Glacial Panda has intensified its focus on the telecommunications sector, accessing call detail records and communications telemetry, primarily targeting Linux systems with known vulnerabilities. Attack techniques include the deployment of custom malware like CloudedHope and ShieldSlide, which provide backdoor access and facilitate data exfiltration and sustained network presence. These activities reflect a broader trend of Chinese hacking groups enhancing their capabilities in cloud environments, emphasizing stealth and persistence for long-term intelligence operations.
2025-08-22 10:38:20 | thehackernews | VULNERABILITIES | Automation Transforms Pentest Delivery for Enhanced Security Efficiency
Traditional pentest delivery methods, such as static reports, are becoming obsolete due to inefficiencies and delays in remediation processes. Automation platforms like PlexTrac provide real-time delivery of pentest findings, integrating seamlessly with client workflows to enhance operational efficiency. Automated delivery supports Continuous Threat Exposure Management (CTEM), allowing organizations to handle the increasing volume of security findings more effectively. The shift to automated pentest delivery reduces mean time to remediation (MTTR), offering a competitive edge to service providers and operational maturity to enterprises. Automation in pentest delivery facilitates faster handoffs, improved visibility, and standardized remediation workflows, reducing overall risk exposure. Security teams are transitioning from reactive to proactive exposure management, with automation playing a crucial role in this evolution. Implementing automated pentest delivery requires careful planning to avoid potential pitfalls, ensuring systems are scalable and standardized.
2025-08-22 10:10:58 | bleepingcomputer | CYBERCRIME | INTERPOL Operation Serengeti 2.0 Leads to 1,200 Cybercrime Arrests
INTERPOL's Operation Serengeti 2.0, conducted from June to August 2025, resulted in the arrest of 1,209 cybercriminals across Africa whose activities had targeted nearly 88,000 victims globally. The operation dismantled 11,432 malicious infrastructures and seized $97.4 million, disrupting significant cybercrime activities, including ransomware and business email compromise. Law enforcement agencies from 18 African countries and the UK participated, leveraging data from private sector partners like Fortinet and Kaspersky. This initiative is part of the African Joint Operation against Cybercrime, supported by the UK's Foreign, Commonwealth, and Development Office. Previous operations, such as Operation Red Card and Africa Cyber Surge II, have similarly targeted cybercrime rings, leading to numerous arrests and disrupted operations. INTERPOL's efforts reflect a growing global network focused on enhancing cooperation, information sharing, and investigative capabilities among member countries. The success of these operations demonstrates the impact of international collaboration in combating cybercrime and protecting victims worldwide.
2025-08-22 09:44:14 | bleepingcomputer | CYBERCRIME | DaVita Ransomware Attack Exposes Personal Data of 2.7 Million Patients
DaVita, a leading kidney dialysis provider, confirmed a ransomware attack compromising personal and health data of nearly 2.7 million individuals. The breach affected DaVita's extensive network, including 3,113 outpatient centers globally, impacting operations and patient trust. Attackers infiltrated DaVita's systems on March 24, with detection and eviction occurring by April 12, highlighting a significant dwell time. Stolen data included sensitive personal, health, and financial information, such as social security numbers and dialysis lab test results. The Interlock ransomware group claimed responsibility, leaking 1.5 terabytes of data after failed negotiations with DaVita. The breach underscores the vulnerability of healthcare organizations to ransomware attacks, necessitating enhanced cybersecurity measures. DaVita has yet to publicly identify the specific ransomware variant involved, though Interlock's tactics suggest a sophisticated operation.
2025-08-22 06:12:38 | thehackernews | CYBERCRIME | Former Developer Sentenced for Sabotaging Employer with Malware Kill Switch
Davis Lu, a former software developer, received a four-year prison sentence for deploying malware that sabotaged his Ohio-based employer's network, causing significant operational disruptions. Lu's malicious actions, including a kill switch that locked out employees, resulted in hundreds of thousands of dollars in losses for the company. The sabotage was triggered when Lu's account was disabled, exploiting his technical expertise and insider access to introduce damaging code. The malware, named with terms like "IsDLEnabledinAD," caused global disruptions by crashing servers and preventing user logins. Lu attempted to cover his tracks by deleting encrypted data and researching methods to escalate privileges and hide processes. The incident underscores the critical need for organizations to identify and mitigate insider threats proactively. The case highlights the legal consequences of abusing privileged access, serving as a warning to potential insider threats.
2025-08-22 00:31:15 | theregister | CYBERCRIME | Former Developer Sentenced for Sabotaging Employer's Network with Malware
Davis Lu, a former senior developer at Eaton, received a four-year prison sentence for installing malicious software on the company's servers. The malware, a Java program, was designed to crash servers by spawning an unbounded number of threads that never terminated, causing significant operational disruption. Lu's actions led to a network overload, preventing login access for thousands of Eaton employees globally and resulting in data loss. The breach resulted in hundreds of thousands of dollars in damages, demonstrating the severe impact of insider threats. Lu's inadequate operational security included using his real name and corporate credentials, leading to his swift identification and arrest. The FBI highlighted the case as a reminder of the critical need for early detection of insider threats within organizations. This incident underscores the vulnerability of corporate networks to internal sabotage, despite advanced cybersecurity measures in place.
2025-08-21 23:53:10 | bleepingcomputer | CYBERCRIME | Developer Sentenced for Sabotaging Ex-Employer's Network with Malware
Davis Lu, a former software developer, received a four-year prison sentence for deploying custom malware against his previous employer, reportedly Eaton Corporation. The malware included an infinite Java thread loop designed to crash production systems and a kill switch that locked out employees when Lu's account was disabled. The sabotage caused significant disruption, locking thousands of users out of their accounts and resulting in hundreds of thousands of dollars in losses. Lu's actions were reportedly in retaliation for a demotion following a corporate restructuring, demonstrating the potential risks of insider threats. Investigations revealed Lu deleted encrypted data from his laptop and researched methods to elevate privileges and hide processes. Following his prison term, Lu will serve an additional three years of supervised release, highlighting the legal repercussions of cyber sabotage. This incident serves as a reminder of the importance of robust insider threat detection and response strategies to protect corporate networks.
2025-08-21 23:45:50 | theregister | MISCELLANEOUS | Anthropic and DOE Develop AI Classifier for Nuclear Threat Detection
Anthropic has implemented a classifier to detect nuclear-related queries in its Claude AI model, aiming to mitigate potential misuse of the technology. The classifier, developed in partnership with the US Department of Energy's National Nuclear Security Administration, achieved a 94.8% detection rate in tests with synthetic data. Real-world application of the classifier showed increased false positives, particularly during heightened geopolitical events, prompting the use of hierarchical summarization to improve accuracy. The initiative is part of Anthropic's Safeguards Usage Policy, focusing on preventing the design or development of nuclear, chemical, biological, or radiological weapons. The classifier successfully identified harmful prompts during internal tests, demonstrating its effectiveness in detecting potential threats. Anthropic plans to share insights with the Frontier Model Forum to enhance AI safety, involving collaboration with industry leaders like Google, Microsoft, and OpenAI. The initiative underscores the importance of balancing security measures with the need for legitimate scientific and educational discourse in AI development.
2025-08-21 23:05:56 | theregister | VULNERABILITIES | Microsoft Restricts Bug Disclosure Access to Chinese Companies
Microsoft has revised its Microsoft Active Protections Program (MAPP), limiting early access to vulnerability details for companies in China and similar nations. The decision follows recent SharePoint zero-day attacks, where vulnerabilities were exploited by various threat actors, including those linked to China, affecting over 400 organizations. Previously, MAPP participants received proof-of-concept exploit codes; now, they will receive general descriptions alongside patch releases. This change aims to prevent leaks of sensitive vulnerability information that could be exploited before patches are fully effective. Microsoft acknowledged that initial patches for the SharePoint flaws were insufficient, leading to a rapid deployment of updated fixes. The move addresses concerns about potential leaks from MAPP participants, with past incidents traced back to companies in China. The change is seen as a necessary step to enhance the security of the MAPP program while maintaining its value for network defenders.
2025-08-21 22:16:11 | theregister | CYBERCRIME | Rise of 'Impersonation-as-a-Service' in Cybercrime Market
Cybercriminals are increasingly recruiting English-speaking social engineers, with job listings for these skills doubling from 2024 to 2025, according to ReliaQuest. This trend signals a rise in English-language social engineering attacks, posing heightened risks for organizations worldwide. The "impersonation-as-a-service" model allows criminals to subscribe to comprehensive toolkits for conducting social engineering and ransomware attacks. ShinyHunters and Scattered Spider exemplify this trend, using sophisticated social engineering to target high-profile companies like Dior, Chanel, and Google. AI advancements have enhanced the capabilities of cybercriminals, making social engineering attacks more accessible and effective. Criminals are adopting techniques from nation-state actors, improving their reconnaissance, privilege escalation, and lateral movement within networks. The collaboration among cybercriminals on underground forums indicates a growing sophistication in cybercrime tactics and services.