Daily Brief
Total articles found: 11705
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-18 15:07:03 | bleepingcomputer | MALWARE | Malicious Campaign Targets macOS Developers with Infostealing Malware | A new campaign is exploiting macOS developers by distributing infostealing malware through fake Homebrew, LogMeIn, and TradingView platforms. The attack utilizes Google Ads to promote malicious sites that mimic legitimate platforms, tricking users into executing harmful commands. Researchers identified over 85 domains impersonating these platforms, leveraging "ClickFix" techniques to deceive users into installing malware. The malware, including AMOS and Odyssey Stealers, is delivered via base64-encoded commands that bypass macOS security features like Gatekeeper. Once installed, the malware collects hardware information, manipulates system services, and exfiltrates sensitive data, including browser credentials and cryptocurrency information. AMOS operates as a malware-as-a-service, offering remote access capabilities, while Odyssey targets browser data and cryptocurrency wallets. Users are advised against executing Terminal commands from untrusted sources to prevent infection and data theft. |
| 2025-10-18 11:46:14 | thehackernews | MALWARE | New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Sectors | Seqrite Labs has identified a new .NET malware, CAPI Backdoor, targeting Russian automobile and e-commerce firms through phishing emails containing ZIP archives. The attack utilizes a decoy Russian-language document and a Windows shortcut (LNK) file to execute the malware via a legitimate Microsoft binary, leveraging a living-off-the-land technique. CAPI Backdoor is capable of stealing data from web browsers, taking screenshots, collecting system information, and exfiltrating data to a remote server. The malware employs methods to establish persistence, including scheduled tasks and LNK files in the Windows Startup folder, ensuring continued access to compromised systems. The campaign's connection to the Russian automobile sector is suggested by a domain impersonating "carprice[.]ru," indicating a targeted industry focus. The malware's ability to evade detection by checking for virtual environments and installed antivirus products poses a significant challenge to security measures. Organizations in the targeted sectors are advised to enhance email security protocols and monitor for suspicious activity linked to the identified malware indicators. |
| 2025-10-18 06:51:23 | thehackernews | MALWARE | Silver Fox Expands Winos 4.0 Malware Campaign to Japan and Malaysia | Silver Fox, a Chinese cybercrime group, has broadened its Winos 4.0 malware attacks to include Japan and Malaysia, utilizing the HoldingHands RAT for remote access. The group employs phishing emails with malicious PDFs masquerading as official documents to initiate infections, targeting unsuspecting users in these regions. Winos 4.0 spreads through phishing and SEO poisoning, directing victims to fake websites imitating popular software platforms like Google Chrome and Telegram. Recent campaigns have shifted focus to Malaysia, using deceptive landing pages to distribute the HoldingHands RAT, which conducts anti-VM checks and terminates security processes. The HoldingHands RAT communicates with a remote server, executes attacker commands, and can update its command-and-control address via the Windows Registry. Operation Silk Lure, a related campaign, targets Chinese fintech and trading firms with phishing emails containing malicious LNK files, leading to Winos 4.0 deployment. The malware's capabilities include persistence, reconnaissance, and evasion techniques, posing significant risks of espionage, identity theft, and credential compromise. |
| 2025-10-17 19:31:01 | bleepingcomputer | VULNERABILITIES | ConnectWise Patches Critical Automate Flaws Preventing Potential AiTM Attacks | ConnectWise has released a critical security update for its Automate platform, addressing vulnerabilities that could lead to adversary-in-the-middle attacks and unauthorized data interception. The most severe flaw, CVE-2025-11492, rated 9.6 in severity, involves potential cleartext transmission of sensitive information, exposing communications to interception and modification. A second vulnerability, CVE-2025-11493, with an 8.8 severity score, lacks integrity verification for update packages, allowing attackers to push malicious files as legitimate updates. These vulnerabilities could enable attackers to impersonate a valid ConnectWise server and deploy malware or unauthorized updates to client machines. ConnectWise has updated cloud-based instances to the latest Automate release, 2025.9, and advises on-premise users to install the update promptly. Although there is no mention of active exploitation, the vulnerabilities pose a significant risk of being targeted by future exploits. Past incidents with ConnectWise products, including breaches by nation-state actors, underline the importance of timely patch management and security vigilance. |
| 2025-10-17 19:14:43 | bleepingcomputer | DATA BREACH | Envoy Air Confirms Data Theft by Clop Extortion Group | Envoy Air, an American Airlines subsidiary, reported a data breach involving its Oracle E-Business Suite, attributed to the Clop extortion group. The breach did not compromise sensitive or customer data but involved limited business and commercial contact information. The Clop group has begun leaking the stolen data, criticizing the company's security measures on their leak site. The incident is part of a broader campaign by Clop, exploiting a zero-day vulnerability, CVE-2025-61882, in Oracle systems. CrowdStrike and Mandiant confirmed Clop's use of these vulnerabilities in August to breach systems and deploy malware. Oracle has since patched the exploited zero-day vulnerabilities, including another recent one, CVE-2025-61884. Clop's activities extend beyond Envoy Air, with other organizations, including Harvard University, also impacted by similar attacks. The U.S. State Department offers a $10 million reward for information linking Clop's activities to any foreign government. |
| 2025-10-17 17:09:09 | bleepingcomputer | CYBERCRIME | Europol Dismantles Major SIM Box Operation Enabling Global Fraud | Europol's operation, codenamed 'SIMCARTEL', dismantled an illegal SIM-box service facilitating over 3,200 fraud cases, resulting in losses exceeding EUR 4.5 million. The operation involved seizing 1,200 SIM-box devices and 40,000 SIM cards used for telecommunication crimes, including phishing, investment fraud, and extortion. The cybercriminal service operated through the websites gogetsms.com and apisim.com, now seized and displaying law enforcement banners. The fraudulent service provided phone numbers from over 80 countries, aiding in the creation of more than 49 million fake online accounts. Authorities linked the service to 1,700 fraud cases in Austria and 1,500 in Latvia, with significant financial impacts in both countries. The operation led to the arrest of five Latvian nationals and two other suspects, with forensic analysis of seized servers ongoing. The collaborative effort involved law enforcement from Austria, Estonia, Finland, and Latvia, conducting 26 searches to dismantle the network. |
| 2025-10-17 15:40:26 | theregister | DATA BREACH | Prosper Data Breach Potentially Affects 17.6 Million Users | Have I Been Pwned reports a data breach at Prosper affecting 17.6 million individuals, though Prosper has yet to verify this figure. The breach reportedly involves email addresses and other personal information, but customer accounts and funds remain secure. Prosper's investigation is ongoing; the company has confirmed the breach involved sensitive data, including Social Security numbers. The San Francisco-based lender has contained the unauthorized access as of September 2, but the breach's initial timeline is unclear. Prosper is offering free credit monitoring to affected individuals and pledges to enhance its security measures following the incident. The breach is among the largest this year, though it does not rank among the biggest breaches historically. Prosper is cooperating with law enforcement and prioritizes transparency with customers as the investigation progresses. |
| 2025-10-17 15:40:25 | bleepingcomputer | VULNERABILITIES | Microsoft Patches Critical ASP.NET Core HTTP Request Smuggling Flaw | Microsoft addressed a critical vulnerability (CVE-2025-55315) in the Kestrel ASP.NET Core web server, marked with the highest severity rating for an ASP.NET Core flaw. The flaw allows authenticated attackers to smuggle HTTP requests, potentially hijacking user credentials and bypassing front-end security measures. Successful exploitation could lead to unauthorized access, privilege escalation, server-side request forgery, and bypassing cross-site request forgery checks. Microsoft released security updates for Visual Studio 2022, ASP.NET Core 2.3, 8.0, 9.0, and the Kestrel Core package to mitigate the vulnerability. The impact of the vulnerability varies based on the targeted application, with the worst-case scenario being a security feature bypass. During this month's Patch Tuesday, Microsoft released updates for 172 vulnerabilities, including eight critical and six zero-day flaws. Organizations are urged to apply the updates promptly to protect against potential exploitation and maintain application security. |
| 2025-10-17 14:02:33 | bleepingcomputer | MISCELLANEOUS | VMware Certification Elevates IT Professionals' Skills and Career Trajectories | VMware certifications are designed to enhance IT professionals' skills, enabling them to master complex systems and build secure, reliable infrastructures. The VMUG Advantage program provides resources for hands-on practice, mentorship, and cost savings, accelerating the certification journey. According to a Pearson VUE report, 63% of certified professionals have received or anticipate job promotions, while 82% feel more confident pursuing new opportunities. Certification fosters a culture of innovation and empowerment within teams, leading to faster communication and improved talent retention. VMUG leaders emphasize that certification transforms IT professionals from reactive operators to proactive strategists, enhancing their problem-solving and leadership capabilities. The program supports both individual career growth and organizational capability development through scalable training solutions and group licensing options. As the IT landscape evolves with hybrid clouds and AI-driven security, VMware certification serves as a critical anchor for maintaining expertise and relevance. |
| 2025-10-17 13:38:54 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Enhance Malware with Blockchain-Based C2 Techniques | Cisco Talos reports North Korean hackers merging BeaverTail and OtterCookie malware, enhancing capabilities with keylogging and screenshot features, indicating an evolving threat landscape. The group, linked to the Contagious Interview campaign, uses decentralized blockchain infrastructure for command-and-control, marking a first for nation-state actors. The campaign targets job seekers through fake recruitment scams, leading to the installation of information-stealing malware under the guise of technical assessments. A Sri Lankan organization was inadvertently impacted, with malware distributed via a trojanized Node.js application hosted on Bitbucket. The malicious npm package "node-nvm-ssh" was downloaded 306 times before removal, part of a broader campaign involving 338 flagged Node libraries. The malware's new version, OtterCookie v5, includes features for data theft, remote command execution, and persistent access via AnyDesk installation. Researchers noted the use of legitimate npm packages for malicious purposes, raising concerns over software supply chain vulnerabilities. The discovery of a Visual Studio Code extension containing malware code suggests potential experimentation with new delivery methods. |
| 2025-10-17 13:13:44 | theregister | MISCELLANEOUS | Legal Challenge Against U.S. Social Media Surveillance Program Intensifies | The Electronic Frontier Foundation (EFF) is supporting a lawsuit against the Trump administration's social media surveillance program, citing First Amendment violations affecting both citizens and noncitizens. The program, known as "Catch and Revoke," involves AI monitoring of visa holders' social media for anti-American views, potentially leading to visa revocations. A federal court ruled the executive orders initiating these measures unconstitutional, temporarily halting deportations based on protected speech, though an appeal is expected. The lawsuit claims that the surveillance program has led to self-censorship among union members, with many deleting social media content or altering online behavior. The program's impact extends to offline activities, with union members reportedly reducing participation in rallies and other public demonstrations due to fear of repercussions. The State Department defends the program, stating it targets individuals expressing harmful sentiments against Americans, emphasizing national security concerns. The case highlights ongoing tensions between national security measures and civil liberties, with implications for how social media data is used in immigration enforcement. |
| 2025-10-17 12:38:38 | theregister | NATION STATE ACTIVITY | Dutch Sanctions on Nexperia Threaten Global Automotive Chip Supply | The Dutch government's sanctions on Nexperia, a Chinese-owned chipmaker, could lead to a significant shortage of automotive chips, impacting major car manufacturers globally. Nexperia, a key supplier for automotive electronic control units, faces export restrictions from China's Ministry of Commerce, affecting its ability to ship components internationally. The European Automobile Manufacturers' Association and the Alliance for Automotive Innovation have raised concerns over potential disruptions in vehicle production due to chip shortages. China's export control is a response to the Netherlands' governance-related measures against Nexperia, including suspending its Chinese CEO and restricting asset relocation. Nexperia is actively negotiating with Chinese authorities for an exemption from export restrictions and is engaging with government bodies to mitigate the impact. The situation is exacerbated by US pressure on the Netherlands to separate Nexperia's European operations from its Chinese parent company, Wingtech Technology. The automotive industry, still recovering from past chip shortages, warns of potential production stoppages if the issue isn't resolved swiftly. The incident underscores the complex geopolitical dynamics affecting global supply chains and the need for resilient strategies in critical industries. |
| 2025-10-17 12:16:41 | bleepingcomputer | VULNERABILITIES | F5 BIG-IP Vulnerabilities Expose Over 266,000 Instances to Remote Attacks | Shadowserver Foundation identified over 266,000 F5 BIG-IP instances exposed online following a security breach involving nation-state hackers, potentially linked to China. F5 disclosed the breach, revealing source code theft and information on undisclosed BIG-IP vulnerabilities, though no exploitation evidence has been found. F5 promptly issued patches for 44 vulnerabilities and urged customers to update their systems, including BIG-IP, F5OS, and other related products. CISA mandated U.S. federal agencies to secure F5 products by October 22, with further deadlines for other devices, emphasizing the urgency of patching. The attack involved the Brickstorm malware, a Go-based backdoor associated with the UNC5291 threat group, active in F5's network for at least a year. F5's products are critical to over 23,000 customers globally, including 48 of the Fortune 50, highlighting the potential widespread impact of these vulnerabilities. The incident underscores the need for robust patch management and threat-hunting practices to mitigate risks associated with exposed network devices. |
| 2025-10-17 11:01:24 | thehackernews | MISCELLANEOUS | Identity Security Emerges as Core Defense in AI-Driven Era | The rise of autonomous AI agents with significant system privileges introduces new security risks, demanding a shift in focus towards robust identity management. Traditional security models centered on firewalls and endpoint protection are outdated, as identity management becomes the primary control point in modern cybersecurity. The 2025-2026 SailPoint Horizons of Identity Security report indicates that less than 40% of AI agents are governed by identity security policies, exposing enterprises to heightened risks. Organizations with advanced identity security programs achieve higher ROI, leveraging identity management to prevent breaches and enhance operational efficiency. A significant gap exists between organizations with mature identity security practices and those lagging, increasing vulnerability to sophisticated threats. The report highlights that only 25% of organizations view Identity and Access Management (IAM) as a strategic enabler, limiting the potential for transformation and risk mitigation. As AI-driven capabilities expand, enterprises must reassess their identity security posture to ensure readiness against evolving threat landscapes. |
| 2025-10-17 09:32:22 | thehackernews | VULNERABILITIES | Critical WatchGuard VPN Flaw Enables Remote Code Execution Risks | Researchers identified a critical vulnerability in WatchGuard Fireware OS, tracked as CVE-2025-9242, allowing unauthenticated attackers to execute arbitrary code on affected devices. The flaw affects Fireware OS versions 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1, impacting both mobile user and branch office VPNs with IKEv2. Exploitation involves an out-of-bounds write in the iked process, potentially enabling attackers to gain control of the instruction pointer register and spawn a Python shell. WatchGuard has released patches to address the vulnerability, urging users to update to secure versions to prevent potential exploitation by ransomware groups. The vulnerability's characteristics, such as internet exposure and lack of authentication, make it attractive for malicious actors seeking remote code execution capabilities. This discovery follows recent disclosures of other critical vulnerabilities, including those in Progress Telerik UI and Dell UnityVSA, emphasizing the need for timely patch management. Organizations using affected WatchGuard devices should prioritize patching and review their VPN configurations to mitigate potential security risks. |