Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Apple. Show all posts
Windows
AI Android Apple Extortion Internet malware Ransomware Windows

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Cybersecurity experts are tracing Mamona, a new ransomware strain that is famous for its stripped-down build and silent local execution. Experts believe that the ransomware prevents the usual command-and-control (C2) servers, choosing instead a self-contained method that moves past tools relying on network traffic analysis.  

The malware is executed locally on a Windows system as a standalone binary file. The offline approach reveals a blind spot in traditional defenses, raising questions about how even the best antivirus and detection mechanisms will work when there is no network.

Self-deletion and escape techniques make detection difficult

Once executed, it starts a three-second delay via a modified ping command, ”cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q.” After this, it self-deletes. The self-deletion helps to eliminate forensic artifacts that make it difficult for experts to track or examine the malware after it has been executed. 

The malware uses 127.0.0.7 instead of the popular 127.0.0.1, which helps in evading detection measures. This tactic escapes simple detection tests and doesn’t leave digital traces that older file-based scanners might tag. The malware also drops a ransom note titled README.HAes.txt and renames impacted files with the .HAes extension. This means the encryption was successful. 

“We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Mamona ransomware,” said Wazuh in a blog post.

Spotting Mamona

Wazuh has alerted that the “plug-and-play” nature of the malware makes it easy for cybercriminals and helps in the commodization of ransomware. This change highlights an urgent need for robust inspections of what stands as the best ransomware protection when such attacks do not need remote control infrastructure. Wazu’s method to track Mamona involves combining Sysom for log capture and employing custom rules to flag particular behaviours like ransom note creation and ping-based delays.

According to TechRadar, “Rule 100901 targets the creation of the README.HAes.txt file, while Rule 100902 confirms the presence of ransomware when both ransom note activity and the delay/self-delete sequence appear together.”

Read more »
Windows
Apple Google Internet Microsoft Passkeys Passwords Technology Windows

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch passwords, use passkeys

Microsoft and Google users, in particular, have been warned about ditching passwords for passkeys. Passwords are easy to steal and can unlock your digital life. Microsoft has been at the forefront, confirming it will delete passwords for more than a billion users. Google, too, has warned that most of its users will have to add passkeys to their accounts. 

What are passkeys?

Instead of a username and password, passkeys use our device security to log into our account. This means that there is no password to hack and no two-factor authentication codes to bypass, making it phishing-resistant.

At the same time, the Okta team warned that it found threat actors exploiting v0, an advanced GenAI tool made by Vercelopens, to create phishing websites that mimic real sign-in webpages

Okta warns users to not use passwords

A video shows how this works, raising concerns about users still using passwords to sign into their accounts, even when backed by multi-factor authentication, and “especially if that 2FA is nothing better than SMS, which is now little better than nothing at all,” according to Forbes. 

According to Okta, “This signals a new evolution in the weaponization of GenAI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. The technology is being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer.”

Why are passwords not safe?

It is shocking how easy a login webpage can be mimicked. Users should not be surprised that today’s cyber criminals are exploiting and weaponizing GenAI features to advance and streamline their phishing attacks. AI in the wrong hands can have massive repercussions for the cybersecurity industry.

According to Forbes, “Gone are the days of clumsy imagery and texts and fake sign-in pages that can be detected in an instant. These latest attacks need a technical solution.”

Users are advised to add passkeys to their accounts if available and stop using passwords when signing in to their accounts. Users should also ensure that if they use passwords, they should be long and unique, and not backed up by SMS 2-factor authentication. 

Read more »
North Korea cyberattack
Apple Apple MacOS Blockchain Blockchain Technology Crypto Attack crypto community cryptocurrency Cyber Attacks data security Data Theft Mac Mac Malware Malware Attack Malwares North Korea cyberattack

North Korean Malware Targets Mac Users in Crypto Sector via Calendly and Telegram

 

Cybersecurity researchers have identified a sophisticated malware campaign targeting Mac users involved in blockchain technologies. According to SentinelLabs, the attack has been linked to North Korean threat actors, based on an investigation conducted by Huntabil.IT. 

The attack method is designed to appear as a legitimate interaction. Victims are contacted via Telegram, where the attacker impersonates a known associate or business contact. They are then sent a meeting invite using Calendly, a widely-used scheduling platform. The Calendly message includes a link that falsely claims to be a “Zoom SDK update script.” Instead, this link downloads malware specifically designed to infiltrate macOS systems. 

The malware uses a combination of AppleScript, C++, and the Nim programming language to evade detection. This mix is relatively novel, especially the use of Nim in macOS attacks. Once installed, the malware gathers a broad range of data from the infected device. This includes system information, browser activity, and chat logs from Telegram. It also attempts to extract login credentials, macOS Keychain passwords, and data stored in browsers like Arc, Brave, Firefox, Chrome, and Microsoft Edge. Interestingly, Safari does not appear to be among the targeted applications. 

While the campaign focuses primarily on a niche audience—Mac users engaged in crypto-related work who use Calendly and Telegram—SentinelLabs warns that the tactics employed could signal broader threats on the horizon. The use of obscure programming combinations to bypass security measures is a red flag for potential future campaigns targeting a wider user base. 

To safeguard against such malware, users are advised to avoid downloading software from public code repositories or unofficial websites. While the Mac App Store is considered the safest source for macOS applications, software downloaded directly from reputable developers’ websites is generally secure. Users who rely on pirated or cracked applications remain at significantly higher risk of infection. 

Cyber hygiene remains essential. Never click on suspicious links received via email, text, or social platforms, especially from unknown or unverified sources. Always verify URLs by copying and pasting them into a text editor to see their true destination before visiting. It’s also crucial to install macOS security updates promptly, as these patches address known vulnerabilities.  

For additional protection, consider using trusted antivirus software. Guides from Macworld suggest that while macOS has built-in security, third-party tools like Intego can offer enhanced protection. As malware campaigns evolve in complexity and scope, staying vigilant is the best defense.
Read more »
virus
Apple Macbook malware Scam virus

One Click Is All It Takes: New Mac Malware Steals Your Data

 



A growing number of Mac users are being tricked into downloading harmful software through fake verification messages. These scams look like normal human checks, such as Google’s “I’m not a robot” box, but are actually part of a malware campaign targeting Apple computers.

Researchers recently found that over 2,800 websites have been hacked to spread a malware called Atomic Stealer. This software is designed to steal passwords, browser data, crypto wallets, and personal files from infected Macs.


How the scam works

The attack begins when someone visits one of these infected websites. A fake pop-up appears, asking them to prove they’re human. It looks like a regular verification step we’re used to seeing online. Most people would not think twice before clicking.

But once the user clicks the button, a hidden code is quietly copied to their clipboard. Then, the pop-up gives strange instructions that tell the person to open the Terminal app on their Mac and paste the copied code.

If they follow these steps and press Enter, the malware gets installed on their system. The software then begins stealing information saved in the system’s password manager and browsers, as well as any crypto assets stored on the device.


Why this trick is dangerous

This attack is hard to catch because the victim unknowingly helps install the malware. Instead of using a typical virus download, the scam relies on people following the instructions themselves. This method can bypass antivirus programs, making it even more dangerous.

What makes this more troubling is that this malware is being sold as a service. Hackers pay monthly to use Atomic Stealer, which means many groups can launch similar attacks using different techniques.


How to protect yourself

If a website ever tells you to open Terminal or paste something into your system, close it right away. This is not a normal request and should be treated as a red flag.

While Apple devices include built-in security tools, it’s also a good idea to install trusted antivirus software for added safety. Identity theft protection services can also help if your personal information is ever misused.

This scam is successful because it plays on our habits. Many people don’t question familiar actions, especially when under pressure. Share this information with friends and family so they can stay safe, too. Avoid unfamiliar websites, think carefully before clicking, and never follow odd instructions from online pop-ups.

Read more »
USB Charging
Apple Google Juice Jacking Samsung Technology USB Charging

Do Not Charge Your Phone at Public Stations, Experts Warn

Do Not Charge Your Phone at Public Stations, Experts Warn

For a long time, smartphones have had a built-in feature that saves us against unauthorized access through USB. In Android and iOS, pop-ups ask us to confirm access before a data USB connection is established to transfer our data. 

But this defense is not enough to protect against “juice-jacking” — a hacking technique that manipulates charging stations to install malicious code, steal data, or enable access to the device while plugged in. Experts have found a severe flaw in this system that hackers can exploit easily. 

Cybersecurity researchers have discovered a serious loophole in this system that can be easily exploited. 

Hackers using new technique to hack smartphones via USB

According to experts, hackers can now use a new method called “choice jacking” to make sure that access to smartphones is easily verified without the user realizing it. 

First, the hackers deploy a feature on a charging station so that it looks like a USB keyboard when connected. After that, through USB Power Delivery, it runs a “USB PD Data Role Swap” to make a Bluetooth connection, activating the file transfer consent pop-up, and approving permission while acting as a Bluetooth keyboard. 

The hackers leverage the charging station to evade the protection mechanism on the device, which is aimed at protecting users against hacking attacks with USB peripherals. This can become a serious issue if the hacker gets access to all files and personal data stored on our smartphones to hack accounts. 

Experts at Graz University of Technology tried this technique on devices from a lot of manufacturers such as Samsung, which sells the second most smartphones besides Apple. All tested smartphones allowed the researchers to transfer data during the duration the screen was unlocked. 

No solution to this problem

Despite smartphone manufacturers being aware of the problem, there are not enough safety measures against juice-jacking, Only Google and Apply have implemented a solution, which requires users first to provide their PIN or password before they can use a device as authorized start and begin the data transfer. But, other manufacturers have not come up with efficient solutions to address this issue and offer protection.

If your smartphone has USB debugging enabled, it can be dangerous as USB debugging allows hackers to get access to the device via the Android Debug Bridge and deploy their own apps, run files, and generally use a higher access mode. 

How to be safe?

The easiest way users can protect themselves from juice-jacking attacks through USB charging stations is to never use a public charging station. Users should always avoid charging stations in busy areas such as airports and malls, they are the most dangerous. 

Users are advised to carry their power banks when traveling and always keep their smartphones updated.

Read more »
X
Apple lazarus Linkedin macOS malware Microsoft X

Lazarus Gang Targets Job Seekers to Install Malware

Lazarus Gang Targets Job Seekers to Install Malware

North Korean hackers responsible for Contagious Interview are trapping job seekers in the cryptocurrency sector by using the popular ClickFix social-engineering attack strategy. They aimed to deploy a Go-based backdoor— earlier undocumented— known as GolangGhost on Windows and macOS systems. 

Hackers lure job seekers

The latest attack, potentially a part of a larger campaign, goes by the codename ClickFake Interview, according to French cybersecurity company Sekoia. Aka DeceptiveDeployment, DEV#POPPER, and Famoys Chollima; Contagious Interview has been active since December 2022, however, it was publicly reported only after late 2023. 

The attack uses legitimate job interview sites to promote the ClickFix tactic and deploy Windows and MacOS backdoors, said Sekoia experts Amaury G., Coline Chavane, and Felix Aimé, attributing the attack to the notorious Lazarus Group. 

Lazarus involved

One major highlight of the campaign is that it mainly attacks centralized finance businesses by mimicking firms like Kraken, Circle BlockFi, Coinbase, KuCoin, Robinhood, Tether, and Bybit. Traditionally, Lazarus targeted decentralized finance (DeFi) entities. 

Attack tactic explained

Like Operation Dream Job, Contagious Interview also uses fake job offers as traps to lure potential victims and trick them into downloading malware to steal sensitive data and cryptocurrency. The victims are approached via LinkedIn or X to schedule a video interview and asked to download malware-laced video conference software that triggers the infection process. 

Finding of Lazarus ClickFix attack

Security expert Tayloar Monahan first reported the Lazarus Group’s use of ClickFix in late 2022, saying the attack chains led to the installment of a malware strain called FERRET that delivered the Golang backdoor. In this malware campaign, the victims are prompted to use a video interview, ‘Willow,’ and do a sell video assessment. 

The whole process is carefully built to gain users and “proceeds smoothly until the user is asked to enable their camera,” Sekoia said. At this stage, an “error message appears, indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique," adds Sekoia. 

Different attack tactics for Windows and MacOS users

The prompts given to victims may vary depending on the OS. For Windows, victims are asked to open the Command Prompt and run a curl command to perform a Visual Basic Script (VBS) file to launch a basic script to run GolanGhost. MacOS victims are prompted to open the Terminal app and perform a curl command to run a malicious shell script, which then runs another shell script that runs a stealer module called FROSTYFERRET—aka ChromwUpdateAlert— and the backdoor. 

Read more »
VPN
Apple Data Privacy Data Regulation Google Internet Privacy VPN

Apple and Google App Stores Host VPN Apps Linked to China, Face Outrage

Apple and Google App Stores Host VPN Apps Linked to China, Face Outrage

Google (GOOGL) and Apple (AAPL) are under harsh scrutiny after a recent report disclosed that their app stores host VPN applications associated with a Chinese cybersecurity firm, Qihoo 360. The U.S government has blacklisted the firm. The Financial Times reports that 5 VPNs still available to U.S users, such as VPN Proxy master and Turbo VPN, are linked to Qihoo. It was sanctioned in 2020 on the charges of alleged military ties. 

Ilusion of Privacy: VPNs collecting data 

In 2025 alone, three VPN apps have had over a million downloads on Google Play and  Apple’s App Store, suggesting these aren’t small-time apps, Sensor Tower reports. They are advertised as “private browsing” tools, but the VPNs provide the companies with complete user data of their online activity. This is alarming because China’s national security laws mandate that companies give user data if the government demands it. 

Concerns around ownership structures

The intricate web of ownership structures raises important questions; the apps are run by Singapore-based Innovative Connecting, owned by Lemon Seed, a Cayman Islands firm. Qihoo acquired Lemon Seed for $69.9 million in 2020. The company claimed to sell the business months late, but FT reports the China-based team making the applications were still under Qihoo’s umbrella for years. According to FT, a developer said, “You could say that we’re part of them, and you could say we’re not. It’s complicated.”

Amid outrage, Google and Apple respond 

Google said it strives to follow sanctions and remove violators when found. Apple has removed two apps- Snap VPN and Thunder VPN- after FT contacted the business, claiming it follows strict rules on VPN data-sharing.

Privacy scare can damage stock valuations

What Google and Apple face is more than public outage. Investors prioritise data privacy, and regulatory threat has increased, mainly with growing concerns around U.S tech firms’ links to China. If the U.S government gets involved, it can result in stricter rules, fines, and even more app removals. If this happens, shareholders won’t be happy. 

According to FT, “Innovative Connecting said the content of the article was not accurate and declined to comment further. Guangzhou Lianchuang declined to comment. Qihoo and Chen Ningyi did not respond to requests for comment.”

Read more »
Privacy
Apple Artificial Intelligence Cyberattacks Cybersecurity CyberThreat DPA Google Military Privacy

Apps Illegally Sold Location Data of US Military and Intelligence Personnel

 


Earlier this year, news reports revealed that a Florida-based data brokerage company had engaged in the sale of location data belonging to US military and intelligence personnel stationed overseas in the course of its operations. While at the time, it remained unclear to us as to how this sensitive information came into existence. 
 
However, recent investigations indicate that the data was collected in part through various mobile applications operating under revenue-sharing agreements with an advertising technology company. An American company later resold this data, which was then resold by that firm. Location data collection is one of the most common practices among mobile applications. It is an essential component of navigation and mapping, but it also enhances the functionality of various other applications. 
 
There are concerns that many applications collect location data without a clear or justified reason. Apple’s iOS operating system mandates that apps request permission before accessing location data. Regulations ensure privacy by providing transparency and control over the collection and use of location-related sensitive information. 
 
After revelations about the unauthorized sale of location data, Senator Ron Wyden (D-WA) requested clarification from Datastream regarding the source of the data. Wyden’s office also reached out to an ad-tech company but did not receive a response. Consequently, the senator escalated the matter to Lithuania’s Data Protection Authority (DPA) due to national security concerns. 
 
The Lithuanian DPA launched an official investigation into the incident. However, the results remain pending. This case highlights the complexities of the location data industry, where information is often exchanged between multiple organizations with limited regulation. 
 
Cybersecurity expert Zach Edwards pointed out during a conference that "advertising companies often function as surveillance companies with better business models." This growing concern over data collection, sharing, and monetization in the digital advertising industry underscores the need for stricter regulations and accountability. 
 
Security experts recommend that users disable location services when unnecessary and use VPNs for added protection. Given the vast amount of location data transmitted through mobile applications, these precautions are crucial in mitigating potential security risks.
Read more »
Subscribe to: Posts (Atom)