McAfee Labs reveals new Android malware exploiting .NET MAUI to steal user data. Learn about advanced evasion techniques and how to stay protected.

McAfee Labs has revealed that cybercriminals are exploiting Microsoft’s newly introduced .NET MAUI app development tool to spread Android malware with cross-platform capabilities.

The McAfee Mobile Research Team discovered that this development framework, meant to replace Xamarin and expand beyond mobile platforms, is now being abused to disguise malicious code within seemingly legitimate applications, and primary targets are Android users.

Unlike traditional Android malware, which relies on DEX files or native libraries, these threats store their core functionalities as blob binaries within assemblies. This method effectively bypasses many antivirus solutions that primarily focus on analysing conventional Android app components.

The second example, a fake social networking application, targeted Chinese-speaking users, attempting to steal contacts, SMS messages, and photos. This malware employed multi-stage dynamic loading, which entails encrypting and loading DEX files in three separate stages to obscure its malicious payload.

Fake app’s screen and the fake X app (Source: McAfee Labs)

Additionally, the malware manipulated the AndroidManifest.xml file by adding an excessive number of meaningless permissions, disrupting analysis tools. It also utilized encrypted TCP socket communication to evade network traffic interception.

McAfee Labs also observed that the threat actors diversified their themes, distributing fake dating apps with similar structures and functionalities, indicating a widespread campaign.

“These apps had different background images but shared the same structure and functionality, indicating that they were likely created by the same developer as the fake X app,” researchers noted in their report.

The rise of .NET MAUI-based malware and the adoption of new evasion techniques, including hiding code blobs within assemblies, multi-stage dynamic loading, and encrypted communication, shows a concerning trend that needs immediate addressing by the cybersecurity community.

To stay safe, please exercise caution when downloading applications from unofficial sources, particularly in regions with limited access to official app stores, such as China. “Staying vigilant and ensuring that security measures are in place can help protect against emerging threats,” McAfee researchers concluded.

Featured/Top Image by iXimus from Pixabay

Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware

Alisa Viejo, United States, 25th March 2025, CyberNewsWire

**Alisa Viejo, United States, March 25th, 2025, CyberNewsWire**

One Identity, a leader in unified identity security, today announced that One Identity Active Roles has been named a winner in the Hybrid Active Directory Protection category of the 2025 Cybersecurity Excellence Awards. This recognition highlights One Identity’s ongoing commitment to providing robust identity management solutions that help organizations secure their hybrid Active Directory (AD) environments. 

The Cybersecurity Excellence Awards, produced by Cybersecurity Insiders, celebrate companies, products, and professionals that demonstrate excellence, innovation, and leadership in information security. This year marks the 10th anniversary of the awards, making this recognition particularly meaningful. 

> “We congratulate One Identity on this outstanding achievement in the ‘Hybrid Active Directory Protection’ category of the 2025 Cybersecurity Excellence Awards,” said Holger Schulze, founder of Cybersecurity Insiders and organizer of the Cybersecurity Excellence Awards. “As we celebrate 10 years of recognizing excellence in cybersecurity, your innovation, commitment, and leadership set a powerful example for the entire industry.” 

One Identity Active Roles is designed to simplify and strengthen identity security and management for hybrid Active Directory environments. It helps organizations protect against security breaches, streamline administrative tasks, and ensure regulatory compliance by delivering automated, policy-based management. By reducing complexity and risk in managing Active Directory and Entra ID objects, Active Roles reduces the attack surface, protecting the organization from cyberattacks. 

> “This award is a testament to our commitment to helping organizations secure their hybrid Active Directory environments,” said Mark Logan, CEO of One Identity. “Active Roles empowers businesses to reduce complexity, strengthen security, and better manage their identities — and we’re honored to see it recognized as a leader in this space.” 

To learn more about One Identity Active Roles and how it helps protect hybrid Active Directory environments, users can visit the Active Roles product page.

**About One Identity**

One Identity delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture and protect the people, applications, and data essential to business. Their Unified Identity Security Platform brings together identity and access management solutions: Identity Governance and Administration (IGA), Access Management (AM), Privileged Access Management (PAM), and Active Directory Management (AD Mgmt) capabilities to enable organizations to shift from a fragmented to a holistic approach to identity security. One Identity is trusted and proven on a global scale – managing more than 500 million identities for more than 11,000 organizations worldwide.

Users can find more information here: https://www.oneidentity.com

**Contact**

**Liberty Pike**  
**\[email protected\]**

Active Roles Wins 2025 Cybersecurity Excellence Award for Hybrid Active Directory Protection

Ramat Gan, Israel, 25th March 2025, CyberNewsWire

**Ramat Gan, Israel, March 25th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR), today announced its recognition as a leading detection and response startup in the Gartner report, Emerging Tech: Techscape for Detection and Response Startups. This acknowledgment highlights CYREBRO’s innovative approach to cybersecurity, leveraging advanced technology and expert analysis to combat evolving cyber threats.

Among the key findings in the report:

*   Startups are experimenting with generative AI (GenAI) technologies. The use of AI agents/AI security operations center (SOC) analysts and GenAI remediation recommendations has become crucial for staying ahead of evolving threats.
*   The preemptive cybersecurity approach to detection and response has gained momentum, with startups working across complex threat intelligence, adopting purple team cultures, and improving their strategic industry offerings.

CYREBRO has been identified as a key startup in the preemptive cybersecurity category, which highlights companies with a proactive strategy designed to prevent, disrupt, or deter cyberattacks before they can achieve their goals. CYREBRO’s inclusion validates its commitment to delivering comprehensive future-proof security solutions, providing organizations with a robust defense against diverse risks and cyberattacks.

> “We are honored to be recognized by Gartner for our emerging technology in the detection and response space,” said Ori Arbel, CTO of CYREBRO. “The report highlights the growing need for innovative detection and response solutions that can effectively address the increasing sophistication of cyberattacks. CYREBRO is committed to empower its partners and customers with cutting-edge solutions.”

CYREBRO’s platform leverages advanced proprietary technology, including AI and machine learning, to precisely detect and respond to threats. By automating the correlation and prioritization of security events, CYREBRO ensures that businesses can focus on critical threats, minimizing disruption and maintaining operational continuity.

Gartner, Emerging Tech: Techscape for Detection and Response Startups, 19 March 2025. Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner members can access the full report here. (For Gartner subscribers only).

**Gartner Disclaimer**

GARTNER is the registered trademark and service mark of Gartner Inc., and/or its affiliates in the U.S. and/or internationally and has been used herein with permission. All rights reserved. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner’s research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.  

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

CYREBRO Recognized in Gartner Emerging Tech Report for Detection and Response Startups

Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.

Cybercriminals are exploiting custom and compromised drivers to disable endpoint detection and response (EDR) systems, facilitating undetected malicious activity. Elastic Security Labs (ESL) has identified a financially motivated campaign deploying MEDUSA ransomware, utilizing a loader paired with a revoked certificate-signed driver named AbyssWorker. This driver, originating from a Chinese vendor, is designed to neutralize EDR solutions.

As per ESL’s investigation, shared with Hackread.com, this tactic blinds security tools and allows malicious actors to operate freely, increasing the success rate of their attacks.

The AbyssWorker driver, originating from a Chinese vendor, is a key component in a campaign that installs itself on victim machines and systematically targets and silences various EDR solutions.

“This EDR-killer driver was recently reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed. In 2022, Google Cloud Mandiant disclosed a malicious driver called POORTRY, which we believe is the earliest mention of this driver,” researchers noted in the blog post.

The actual filename of the malicious driver is identified as smuol.sys (a 64-bit Windows PE driver). It cleverly mimics a legitimate CrowdStrike Falcon driver, probably to blend into legitimate system processes. ESL identified multiple samples on VirusTotal dating from August 2024 to February 2025, all signed with revoked certificates from various Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd and FEI XIAO, among others. These certificates, while widely used across various malware campaigns, are not specific to AbyssWorker.

Upon initialization, AbyssWorker establishes a device and symbolic link, registering callbacks for major functions. A critical defence evasion mechanism involves stripping existing handles to its client process from other processes, preventing external manipulation. It also registers callbacks to deny access to handles of protected processes and threads.

The driver’s core functionality resides in its DeviceIoControl handlers, which execute a range of operations based on I/O control codes. These operations include file manipulation, process and driver termination, and API loading. A password is required to enable the driver’s malicious capabilities. For file operations, AbyssWorker uses I/O Request Packets (IRPs), bypassing standard APIs.

AbyssWorker can remove notification callbacks, replace driver major functions, detach mini-filter devices, terminate processes and threads, and restore hooked NTFS and PNP driver functions. Notably, it can trigger a system reboot using the undocumented HalReturnToFirmware function. These capabilities directly support MEDUSA ransomware’s ability to operate without security interference.

A key obfuscation technique AbyssWorker employs is calling “constant-returning functions” throughout the binary to complicate static analysis. However, Elastic deemed it inefficient, as they are easy to identify and declared it “an inefficient obfuscation scheme.”

Nevertheless, AbyssWorker represents a significant threat, demonstrating the increasing sophistication of kernel-level malware designed to disable security infrastructure. ESL has provided a client implementation example, offering researchers a means to further explore and experiment with this malware. To further aid in detection, Elastic Security has released YARA rules, available on their GitHub repository, enabling security professionals to identify instances of AbyssWorker within their environments.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating,

_“_The Medusa malware is living up to its name, finding new ways to infect hosts even after one method has been blocked. Using a batch file to disable system services is a short-term ploy as it can be detected and blocked. Security teams should be on alert for any systems that have a time change and review end-user permissions to prevent the user from stopping the time service._“_

Top/Featured Image by WaveGenerics from Pixabay

Medusa Ransomware Disables Anti-Malware Tools with Stolen Certificates

In-game skins are more than just cosmetic upgrades, they’re a core part of gaming culture. Whether you’re looking…

In-game skins are more than just cosmetic upgrades, they’re a core part of **gaming culture**. Whether you’re looking to collect rare skins or show off your prized inventory, managing skins comes with risks. Scammers are everywhere, looking to trick players out of their prized items or even compromise their accounts.

That’s why it’s a must to handle your skins safely. With a few simple practices and some awareness, you can protect yourself from **gaming-related scams and malware**. Let’s break down the most common tricks scammers use and how to stay secure.

**Table of Contents Hide**

1.  Common Scams to Watch Out For
2.  1\. Stick to Trusted Platforms
3.  2\. Enable Two-Factor Authentication (2FA)
4.  3\. Double-Check Trade Links and Offers
5.  4\. Stay Alert for Phishing Attempts
6.  5\. Be Skeptical of Unrealistic Offers
7.  6\. Protect Your Account with Good Practices
8.  7\. Keep Your Devices Secure
9.  8\. Watch Out for Fake Payment Proof
10.  Final Tips

****Common Scams to Watch Out For****

Before we address safety tips, let’s look at some common scams you might witness:

*   **Phishing Links:** Fake websites that mimic legitimate platforms to steal your login credentials.

*   **Fake Middlemen:** Scammers posing as trusted intermediaries who take off with your skins.

*   **Chargeback Scams:** Fraudulent payment reversals after a transaction.

*   **Fake Trade Offers:** Seemingly legitimate offers that include different or empty items.

*   **Overpayment Scams:** Someone claims they sent too much money and requests a refund before reversing the initial payment.

*   **API Hijacking:** Attackers take control of your Steam account to initiate unauthorized trades.

****1\. Stick to Trusted Platforms****

The most important rule is to use only reliable and well-established platforms to manage your skins or other **in-game** items. These platforms ensure that both the item and the transaction are secure, reducing the risk of losing your assets.

Here are a few recommended options:

*   **Skin.Land**: Offers secure transactions with fair prices and multiple payment options.

*   **Steam Market**: Valve’s official marketplace with built-in security measures.

*   **Fortnite Shop**: The official Fortnite Shop offers authentic items and secure transactions.

*   **Epic Games Store**: Offers not just Epic Games products but third-party as well.

*   **Minecraft Marketplace**: The official Minecraft marketplace is home to everything Minecraft with guaranteed security.

Always research any third-party platform before using it to make sure it’s reputable and uses secure trade systems.

****2\. Enable Two-Factor Authentication (2FA)****

Securing your account with 2FA is a must.

*   Activate **Steam Guard Mobile Authenticator** to add security.

*   Enable two-step verification on any third-party sites you use.

This simple step significantly reduces the chances of unauthorized account access.

****3\. Double-Check Trade Links and Offers****

Watch out when clicking on trade offers or links sent through messages or DMs. Scammers often use profiles that mimic legitimate accounts.

*   Check the profile’s history and activity to ensure it’s genuine.

*   Never rush into a trade — take the time to double-check everything.

*   Verify the trade link through the official platform, not through random messages.

****4\. Stay Alert for Phishing Attempts****

One of the most common tricks is sending phishing links disguised as official trading platforms. Always inspect URLs carefully and avoid clicking on links sent by strangers.

*   Always manually type the website URL instead of clicking links.

*   Check for minor typos or unusual characters in URLs that can indicate a fake site.

****5\. Be Skeptical of Unrealistic Offers****

If a deal seems too good to be true, it probably is. Scammers often lure players by offering skins at suspiciously low prices. Always verify the current market value of the item before proceeding.

*   Stay wary of anyone pushing you to finalize a trade quickly.

*   Compare prices on reputable platforms to get a sense of what’s fair.

****6\. Protect Your Account with Good Practices****

Don’t let your account be an easy target. Here are some extra tips:

*   Avoid sharing your account information with anyone.

*   Keep your Steam profile private to reduce the chances of being targeted.

*   Regularly update your passwords and never reuse them across different sites.

****7\. Keep Your Devices Secure****

Remember that trading safely also means keeping your devices malware-free.

*   Use updated antivirus software to catch potential threats.

*   Regularly scan your system for malware that might compromise your account.

****8\. Watch Out for Fake Payment Proof****

Scammers may try to convince you they’ve made a payment by sending fake screenshots. Always make sure the funds are actually in your account before completing a trade.

****Final Tips****

*   Stick to platforms with a strong reputation.

*   Don’t trust deals that seem too good to be true.

*   Verify all links and offers before taking action.

*   Protect your Steam account with 2FA and strong passwords.

By following these simple guidelines, you can keep your skins and your account secure from scams and malware. Stay smart, stay safe, and game on!

Image by Ahmed Al-Maslamani from Pixabay.

Staying Safe with In-Game Skins: How to Avoid Scams and Malware

Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting…

Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting its cloud infrastructure. Last week, Hackread.com **published an article** based on the findings of cybersecurity firm CloudSEK revealing that a threat actor had stolen 6 million records from Oracle Cloud. The hacker, identified as “**rose87168**“, claimed to have compromised a key Single Sign-On (SSO) endpoint, resulting in the exfiltration of sensitive data including SSO and LDAP credentials, OAuth2 keys, and customer tenant information.

****Oracle’s Firm Denial****

Shortly after the story broke, Oracle issued a categorical denial, making a strong statement that “**There has been no breach of Oracle Cloud**.” The company maintained that the credentials published by the threat actor were not associated with Oracle Cloud and emphasized that no Oracle Cloud customers were affected. This statement directly contradicted the findings of CloudSEK, which had alerted the public and Oracle via formal reports.

****CloudSEK’s Follow-Up Investigation****

However, CloudSEK has doubled down on Oracle’s claims with a new follow-up analysis, presenting what it calls “conclusive evidence” of the breach. In a **blog post**, which the company shared with Hackread.com ahead of its publishing over the weekend, CloudSEK outlined how their researchers detected the threat actor’s activities on March 21, 2025.

According to the cybersecurity firm, they traced the attack to a compromised production SSO endpoint (**login.us2.oraclecloud.com**), which the hacker exploited to steal records from more than 140,000 tenants.

CloudSEK also found evidence that the threat actor had actively used the compromised domain to authenticate API requests via **OAuth2 tokens**, as seen in an archived public GitHub repository under Oracle’s official **"oracle-quickstart"** account. The endpoint was proven to be in use for production purposes, contradicting Oracle’s assertion that the credentials were unrelated to their infrastructure.

****New Evidence: Real Customer Data Confirmed****

One of the most noteworthy pieces of evidence involves real customer domain names that the hacker provided as samples. CloudSEK verified the domains against publicly available data and found that they were, in fact, valid Oracle Cloud customers. Some of the domain names identified include:

*   **sbgtv.com**

*   **nexinfo.com**

*   **nucor-jfe.com**

*   **rapid4cloud.com**

*   **cloudbasesolutions.com**

These domains were present in GitHub repositories and Oracle partner documentation, and CloudSEK confirmed they were not mere dummy or canary accounts. Additionally, the compromised endpoint, **login.us2.oraclecloud.com**, was validated as an active production SSO setup, used in real-world configurations by OneLogin and Rainfocus.

The screenshot shared by CloudSEK shows “login.us2.oraclecloud.com” was a production SSO setup

****The Impact and Concerns****

The impact of this breach, if proven, could be serious. The exposure of 6 million records, including encrypted SSO and LDAP passwords risks unauthorized access, espionage, and data breaches across affected systems. Additionally, the inclusion of JKS files and OAuth2 keys means attackers might gain long-term control over affected services.

CloudSEK warns that the compromised credentials could potentially be cracked and reused in a way that poses further risks to enterprise environments. The hacker is also reportedly demanding **ransom payments** from affected firms to delete the stolen data, amplifying both financial and reputational threats.

****CloudSEK’s Stance: Evidence over Speculation****

In response to Oracle’s denial, Rahul Sasi, CEO of CloudSEK, stated that the company is focused on providing transparency and evidence rather than speculation. CloudSEK has been sharing its findings through public reports and free tools to help organizations assess whether they are affected.

Additionally, Rahul recommends companies change their SSO and LDAP credentials right away and set up multi-factor authentication (MFA) to add extra protection. It’s also important to take a closer look at logs to spot any unusual activity related to the compromised endpoint. Keeping an eye on **dark web forums** for any signs of leaked data is a good move too. On top of that, it’s a good idea to get in touch with Oracle Security to figure out any weak spots and fix them.

****Questions Are Pouring In Already****

Cybersecurity experts are already questioning Oracle’s quick denial. **Chad Cragle**, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform stressed that Oracle needs to address the questions raised by CloudSEK to maintain its credibility.

_“_CloudSEK raises a critical point. If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain?_“_ argued Chad. _“_This indicates unauthorized access, even if it wasn’t a full-scale compromise.”

_“_Dismissing the incident without addressing this key detail raises more questions than answers. If Oracle wants to maintain credibility, the company must clarify how the file ended up there, whether any security gaps were exploited, and why the subdomain was taken down,_“_ he added.

**Heath Renfrow**, CISO and Co-founder at Fenix24 a Chattanooga, Tennessee-based cyber disaster recovery firm, expressed concerns about Oracle’s stance on the breach and the threat actor’s ability to upload files within critical infrastructure.

_“_Regardless of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning,_“_ said Health. _“_This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk._“_

Hackread.com has reached out to Oracle. Stay tuned for updates!

CloudSEK Disputes Oracle Over Data Breach Denial with New Evidence

When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns…

When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns out, some pretty innocent-looking devices can also be used as sneaky vectors for malicious software. Here are five surprising gadgets that could become malware delivery systems, and how to protect yourself.

****1\. Headphones and Speakers****

Yes, you read that right! Your trusty headphones or speakers could spread malware. This isn’t about plugging them into an infected device but rather using them to transmit data through sound waves. Researchers have demonstrated how malware can convert audio output devices into ultrasonic transmitters.

In one proof-of-concept attack called “AirHopper,” headphones were used to leak data from air-gapped computers by sending high-frequency audio signals that could be picked up by a nearby compromised device with a microphone.

While this kind of attack is rare and highly sophisticated, it shows that even your headphones can be weaponized. To minimize risk, always update your audio drivers and keep your system security tight.

****2\. Smart Light Bulbs****

Your fancy smart lighting system could be more than just mood lighting — it could also be a way for hackers to infiltrate your network. Researchers have shown that some smart bulbs can be infected with malware, which then spreads to other connected devices.

A notable example is the “Philips Hue” vulnerability discovered in 2020. Hackers could exploit flaws to jump from the smart bulb to the home network. Once inside, they could potentially access sensitive data or take control of other smart gadgets.

To stay safe, always update your smart devices’ firmware and keep them on a separate network from your primary devices.

****3\. Barcode Scanners****

Believe it or not, barcode scanners can become vectors for malware, too. In one case known as “Zombie Zero,” attackers embedded malware into the firmware of barcode scanners before they even left the factory.

Once these compromised scanners were used in warehouses, they infected connected systems, allowing hackers to spy on corporate networks and steal data. This is a prime example of a supply chain attack where infected hardware is shipped directly from the manufacturer.

Always check for firmware updates and run security scans even on seemingly simple devices like scanners.

****4\. Smart Coffee Maker****

Who knew your morning coffee could be a security risk? Some high-tech coffee makers come with Wi-Fi connectivity and smartphone control, making them vulnerable to attacks. Researchers have shown that smart coffee machines can be hacked to not only disrupt their functions but also act as a gateway into your home network.

One security researcher demonstrated how they could make the coffee maker constantly boil water or refuse to brew until a ransom was paid; a quirky but serious take on ransomware. However, a real-world cyber attack on a coffee machine has already happened. It happened in July 2017 when a coffee machine was compromised to infect computer devices at a factory company that has multiple petrochemical factories making chemicals in Europe.

****5\. Traffic Lights****

Smart traffic lights, essential for managing city traffic, are vulnerable to cyberattacks. Hackers can exploit weak security protocols or outdated software to manipulate signals, causing chaos on the roads. In some cases, malware can alter light patterns or disable systems entirely, leading to accidents or gridlock. Researchers have demonstrated how vulnerabilities in communication protocols allow control over signals.

****How to Stay Safe****

*   **Keep Firmware Updated:** No matter how harmless a device seems, make sure its software is up to date.

*   **Segment Your Network:** Keep IoT devices on a separate network from your primary devices.

*   **Use Strong Passwords:** Set unique, complex passwords for each device.

*   **Monitor Network Activity:** Regularly check which devices are connected to your network.

It’s crazy to think that everyday gadgets, from headphones to coffee makers, can become cybersecurity nightmares. However, that’s just how the world of cybersecurity works – make security part of your daily routine.

5 Unexpected Devices You Didn’t Know Could Spread Malware

LayerX Labs reports a sophisticated macOS phishing campaign, evading security measures. Learn how attackers adapt and steal credentials from Mac users.

A recent report by LayerX Labs has revealed a new phishing campaign that was initially designed to deceive Windows users but lately focused on targeting macOS users.

The campaign, which LayerX Labs monitored for several months, originally posed as Microsoft security alerts, aiming to steal user credentials. In the attack, attackers employed deceptive tactics, creating fake security warnings on hacked websites that claimed the user’s computer was “compromised” and “locked.” Victims were encouraged to enter their Windows username and password, while malicious code froze the webpage, mimicking a complete system lockdown.

According to LayerX’s analysis, shared with Hackread.com, several factors contributed to the campaign’s initial effectiveness. Firstly, the phishing pages were hosted on Microsoft’s Windows.net platform, making the fake security warnings appear legitimate.

Also, attackers utilized trusted hosting services, exploiting the fact that traditional anti-phishing defences often rely on top-level domain reputation. Furthermore, they employed randomized, rapidly changing subdomains, making it difficult for security tools to track and block the malicious pages, which themselves were professionally designed, and frequently updated to evade detection. Some even incorporated anti-bot and CAPTCHA technologies to hinder automated web crawlers. 

When Microsoft, along with Chrome and Firefox, introduced new anti-scareware features in early 2025, a dramatic 90% drop in Windows-targeted attacks was noticed. In response, the attackers adapted their strategy, shifting their focus to macOS users, unprotected by these new defences.

Within two weeks, LayerX Labs observed a surge in Mac-based attacks, much similar to the Windows-targeted ones but with slight code adjustments aiming to specifically target macOS and Safari users. Victims were lured to the phishing pages via compromised domain “parking” pages, often after making a typo in a URL.

In one instance, a macOS and Safari user from a LayerX enterprise customer was targeted. Although the organization employed a Secure Web Gateway, the attack bypassed it. However, LayerX’s AI-based detection system, which analyzes web pages using numerous parameters at the browser level, successfully blocked the attack.

Screenshot shows the phishing scam targeting both Windows and macOS users (Credit: LayerX Labs)

This campaign highlights the increasing sophistication of phishing attacks targeting macOS users. Menlo Security’s recent State of Browser Security report further highlights this trend, revealing a dramatic increase in browser-based attacks, especially since the popularity of generative AI.

The report found a whopping 140% increase in browser-based phishing attacks compared to 2023, with a 130% increase specifically in zero-hour phishing attacks and the impersonation of major brands like Facebook, Microsoft, and Netflix.  

Menlo Security’s analysis of over 752,000 browser-based phishing attacks reveals that one in five attacks now employs evasive techniques to bypass traditional security measures.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating, “In the past few weeks, we’ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack and the ruse they use is a fairly old one and quite common.”

“If you ever get an unknown random pop-up saying your computer is compromised, it should be treated as suspicious and ignored,” Thomas warned. “Anti-virus services will never ask you to enter a username and password to remove a threat.”

New Phishing Campaign Targets macOS Users with Fake Security Alerts

**Cary, NC, March 24th, 2025, CyberNewsWire**

INE Security, a global provider of cybersecurity training and certification, today announced its initiative to spotlight the increasing cyber threats targeting healthcare institutions. In recognition of National Physicians Week 2025, the company is drawing attention to new industry data showing a sharp rise in cyberattacks on hospitals and clinics—incidents that have cost the healthcare sector millions and posed significant risks to patient safety and trust.

Recent reports show healthcare has endured a record wave of cyber breaches. In 2023 alone, there were 725 hacking-related breaches reported in U.S. healthcare, according to The HIPPA Journal, exposing over 124 million patient records, the worst year on record​. Healthcare cybersecurity threats and breaches remain the costliest of any industry with the average data breach in a hospital now costing about $10.93 million per incident​. 

**Protecting Patients and Trust Through Training and Education**

Defending against these evolving threats requires more than just technology – it demands well-trained personnel at all levels. Experts note that human error remains a leading cause of breaches in healthcare, yet a significant portion of staff lack adequate cybersecurity awareness. Nearly one-third of healthcare employees have received no cybersecurity training from their employer, even though human mistakes contributed to roughly 33% of healthcare cyber incidents​. 

> Healthcare leaders are urged to treat ongoing cyber education as mandatory continuing education, akin to medical training, to ingrain a culture of security mindfulness. “Every member of a healthcare team – from physicians to IT personnel – plays a role in cybersecurity,” said Dara Warn, CEO of INE Security. “Continuous training ensures that protecting patient data and systems becomes as second nature as protecting patients’ physical health.”

Importantly, robust cybersecurity isn’t just about technical prevention—it’s also about preserving patient trust. Patients expect their sensitive health information to be guarded with the same care as their medical treatment. Breaches undermine that confidence: about 66% of patients say they would switch healthcare providers if a breach compromised their personal data due to poor security practices​. 

Ongoing training and certification of healthcare cybersecurity teams help maintain that trust by demonstrating a visible commitment to data protection and privacy. When providers proactively train staff and tighten defenses, patients can feel safer knowing their hospital is staying ahead of threats.

**Industry-Leading Certifications Validate Critical Skills**

One way healthcare organizations are bolstering their security posture is by having their IT and security staff earn industry-recognized cybersecurity certifications. Certifications serve as a benchmark for broad and deep knowledge, assuring that professionals can effectively prevent, detect, and respond to attacks. Some of the leading cybersecurity certifications being pursued in the healthcare sector include:

*   **CISSP (Certified Information Systems Security Professional)** – a globally respected credential covering security architecture, risk management, and governance.
*   **CompTIA Security+** – an entry-to-intermediate level certification establishing core security skills and knowledge, often a baseline for IT staff.
*   **eWPTX** **–** a highly respected certification that is 100% practical and validates the advanced skills necessary to conduct in-depth penetration tests on modern web applications.
*   **eJPT** **–** a hands-on, entry-level Red Team certification that simulates skills utilized during real-world engagements.

**INE Security’s Training Programs Empower Healthcare Heroes**

INE Security, a global leader in cybersecurity training, certifications, and certification preparation, is at the forefront of helping healthcare organizations fortify their cyber defenses through education. INE Security’s comprehensive cybersecurity training platform offers on-demand courses, interactive labs, and instructor-led trainings that cover the full spectrum of security domains – from fundamental cyber hygiene for general staff to advanced incident response and penetration testing for IT professionals. These programs are aligned with the requirements of top industry certifications, enabling hospital IT teams and security analysts to earn credentials like CISSP, CeJPT, and others as they build their skill sets.

Through INE Security’s hands-on training modules, healthcare professionals learn how to address the exact threats plaguing the sector today. For example, network defense and malware analysis labs show engineers how to contain ransomware outbreaks. Governance and compliance lessons ensure administrators understand frameworks like HIPAA and can integrate security into hospital operations. By continuously upskilling their workforce, healthcare providers can significantly reduce the likelihood of a breach and mitigate damage if it occurs. 

As National Physicians Week 2025 highlights the dedication of doctors to healing patients, INE Security emphasizes that protecting the systems and data those physicians rely on is equally essential to patient well-being. The healthcare industry’s cyber threats are continual and evolving, but with rigorous training, education, and certification of cybersecurity professionals, hospitals and clinics can stay one step ahead. Ongoing cybersecurity training is now fundamental to sustaining patient care and trust in our digitally driven healthcare system. This week and beyond, INE Security is proud to partner with healthcare organizations to ensure that those who save lives are backed by networks and data systems that are safe, secure, and resilient against cyber attacks.

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

Cyber Guardians: INE Security Champions Cybersecurity Training During National Physicians Week 2025

Cloak ransomware group claims attack on Virginia attorney general's office, demands ransom for stolen data. Investigation underway. Find out the impact and what's being done.

A cybercriminal collective, known as Cloak, has confirmed its involvement in an attack targeting the Virginia attorney general’s office in February 2025. This attack has reportedly caused disruption, compelling officials to enact emergency measures.

Chief Deputy Attorney General Steven Popps communicated to staff via email that the majority of the office’s IT resources, which included vital systems such as email, virtual private network access, internet connectivity, and the attorney general’s website were rendered inoperative, as reported by the Washington Post.

The disruption also forced employees to revert to traditional paper-based documentation processes. In response, the attorney general’s office promptly notified the Virginia State Police, the Federal Bureau of Investigation (FBI), and the Virginia Information Technologies Agency, and investigations were initiated into the incident.

On 20 March, Cloak publicly listed the Virginia attorney general’s website on their Tor-based data leak platform, accompanied by a message stating, “The waiting period has expired. Compromised data can be downloaded from the leak page.”

This statement suggests that negotiations between the ransomware group and the attorney general’s office have reached a deadlock, with the latter refusing to meet the ransom demands. Cloak has released images alleged to be documents stolen from the attorney general’s systems to substantiate their claims.  

However, the Virginia attorney general’s office has yet to officially acknowledge or confirm Cloak’s claims. At this stage, critical details remain undisclosed, including whether a ransom was paid, the amount demanded by Cloak, the nature and extent of the compromised data, and the specific methods used by the attackers to breach the attorney general’s network. We are also awaiting the official response from the attorney general’s office regarding the latest development.

For your information, Cloak is a ransomware group that emerged in 2022 and gained prominence in 2023. The group mainly targets small to medium-sized businesses in Europe and Asia, particularly Germany. It also employs malware designed to both exfiltrate data and encrypt computer systems, thereby compelling victims to pay a ransom.

Victims who refuse to pay face their stolen data published on Cloak’s data leak site for free download. The group’s payment rate is surprisingly high at 91-96%, showing how effectively it forces its victims.

Cloak Ransom Note (Source: Halcyonai)

Since its emergence, Cloak has claimed responsibility for 13 confirmed ransomware attacks, including attacks on the Canadian town of Ponoka and the German municipality of Gemeinde Kaisersbach in 2024, and 54 unconfirmed attacks (where targeted organizations did not acknowledge the intrusions). The attack on the Virginia attorney general marks Cloak’s first confirmed operation in 2025.

Top/Featured Image via Consumer Financial Services Law Monitor

Source

HackRead