These sorts of attacks reveal growing adversary interest in secure messaging apps used by high-value targets for communication, Google says.

Source: aily\_creativity via Shutterstock

Multiple Russia-aligned threat groups are actively targeting the Signal Messenger application of individuals likely to exchange sensitive military and government communications related to the country's war with Ukraine.

For now, the activity appears limited to persons of interest to Russia's intelligence services, according to researchers at Google's Threat Intelligence Group (GTIG), who spotted it recently. But the tactics the threat actors are using in the campaign could well serve as a blueprint for other groups to follow in broader attacks on Signal, WhatsApp, Telegram, and other popular messaging apps, GTIG warned in a blog post this week.

**Likely to Become More Prevalent**

"We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war," Google threat analyst Dan Black wrote in the post.

Two of the Russian cyber-espionage groups that Google observed targeting Signal are UNC5792 — a threat actor that Ukraine's CERT tracks as UAC-0195 — and UNC4221 (aka UAC-0185). The goal of the attackers in both cases is to trick targeted victims into unknowingly linking their Signal account to an attacker-controlled device so any incoming messages are simultaneously available on the linked device.  

The attacks are taking advantage of "linked devices," a feature of the Signal app that allows users to securely connect and synchronize their account across multiple devices. However, the tactics that each threat group uses to get targets to unwittingly link their accounts have been slightly different.

UNC5782's ploy has been to send invitations asking targeted individuals to join a Signal group by sharing a malicious QR code with them. While the invitations look identical to Signal's group invite, the threat actors have modified them so that anyone social-engineered into scanning the QR code ends up linking their account to a UNC592-controlled device instead.

The other threat group, UNC4221, is using a customized phishing kit that impersonates parts of Kropyva, an application that Ukraine's military uses for artillery guidance, to try and social-engineer Signal Messenger users of interest. The threat actor has established Kropyva-themed phishing sites with the QR code directly embedded on them. It has also set up phishing sites pretending to contain legitimate Signal instructions for device linking to encourage scam victims into scanning their malicious QR code.

**Broad Threat Actor Interest**

Google identified UNC4221 and UNC5782 as two of several Russian and Belarusian groups that are targeting Signal Messenger to spy on persons of interest. Not all attacks by UNC4221 and UNC578 have involved device linking. Russia's infamous Sandworm cyber-sabotage group (which Google tracks as APT44) has been stealing Signal messages from a target's Signal database or local storage files, using a combination of malware tools. Similarly, Turla, a threat actor that the US government has tied to Russia's Federal Security Service (FSB), is doing the same using a lightweight PowerShell script that it deploys after gaining access to a target environment. Another threat actor from the region targeting Signal Messenger, according to Google, is Belarus-linked UNC1151, which uses the Robocopy Windows file-copying tool to copy and store Signal messages and attachments for future theft.

The flurry of activity targeting Signal is a sign of broader attacker interest in secure messaging apps used by those in espionage and intelligence gathering, including politicians, military personnel, activists, privacy advocates, and journalists. The apps' security features, which include end-to-end encryption of text, voice, and video with minimal data collection practices, have made it a popular tool for at-risk individuals and communities. It has also made the app "a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements," Google's Black wrote.

Signal is not the only target. Russian groups have also targeted Telegram and WhatsApp users in the same way, Black said. He pointed to a recent Microsoft report on attacks by Russian group Star Blizzard (aka Coldriver, Blue Charlie, Callisto, and UNC4057) that targeted WhatsApp accounts belonging to current and former government officials and diplomats.

Significantly, attacks targeting WhatsApp can affect businesses as well. Although WhatsApp — like Signal, Telegram and other messenger apps — is primarily consumer-focused, numerous businesses worldwide use the app. WhatsApp even has a business version that it has positioned as a tool that businesses can use to engage with customers, accelerate sales, and deliver customer support.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Groups Target Signal Messenger in Spy Campaign

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn how they’re stealing messages and what you can do to defend yourself.

Russian state-backed actors are increasingly targeting secure messaging applications like Signal to intercept sensitive communications, reveals a recent report by Google’s Threat Intelligence Group. These groups, often aligned with Russian intelligence services, are focusing on compromising accounts used by individuals of interest, including military personnel, politicians, journalists, and activists. While the initial focus appears to be related to the conflict in Ukraine, researchers believe that these tactics will spread to other regions and threat actors.  

A primary method employed by these actors in this campaign involves exploiting the “linked devices” feature of Signal. By using phishing techniques, they trick users into scanning malicious QR codes, which then secretly link the victim’s account to a device controlled by the attacker. This allows the attacker to receive all messages in real-time, effectively eavesdropping on conversations without needing to compromise the entire device.

These malicious QR codes are often disguised as legitimate Signal resources, such as group invites, security alerts, or even device pairing instructions. In some cases, they are incorporated into phishing pages designed to mimic specialized applications, such as those used by the Ukrainian military.

The screenshot shows a Signal app phishing site and one of the malicious QR codes used in the attack (via Google).

In some cases, malicious QR codes are used in close-access scenarios, such as when Russian military forces capture devices on the battlefield.  This method lacks centralized monitoring and can go unnoticed for extended periods, which makes it hard to detect.

One group, identified as UNC5792 (also known as UAC-0195), has been observed modifying legitimate Signal group invite links. These altered links redirect victims to fake pages that initiate the unauthorized linking of their devices to the attacker’s control. The phishing pages are designed to closely resemble official Signal invites, making detection challenging. 

Another group, UNC4221 (UAC-0185), has targeted Ukrainian military personnel by embedding malicious QR codes within phishing sites that mimic artillery guidance applications. They have also used fake Signal security alerts to deceive victims. 

Beyond phishing, APT44 (Sandworm) utilizes malware and scripts to extract Signal messages from compromised Windows and Android devices. Their WAVESIGN script retrieves recent messages, while Infamous Chisel malware searches for Signal database files on Android devices.  

Other groups, like Turla and UNC1151, target the desktop application, using scripts and tools to copy and exfiltrate stored messages. UNC4221 has also used a JavaScript payload called PINPOINT to gather user information and geolocation data.

The popularity of secure messaging apps makes them prime targets for adversaries and other platforms, such as WhatsApp and Telegram, are also facing similar threats.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” researchers warned.

Therefore, users are advised to stay cautious. It is important to use strong screen locks with complex passwords, keep operating systems and apps updated, and ensure Google Play Protect is enabled. Regularly auditing linked devices, exercising caution with QR codes and links, and enabling two-factor authentication are also recommended. iPhone users at high risk should consider enabling Lockdown Mode.

Hackers Tricking Users Into Linking Devices to Steal Signal Messages

The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.

Source: Chiew via Shutterstock

Attackers are actively exploiting an authentication bypass flaw found in the Palo Alto Networks PAN-OS software that lets an unauthenticated attacker bypass authentication of that interface and invoke certain PHP scripts.

Both the Cybersecurity Infrastructure and Security Agency (CISA) and security researchers are warning of increasing attacker activity to exploit the flaw, tracked as CVE-2025-0108 and first revealed in a blog post on Feb. 12 as a zero-day flaw by researchers at Searchlight Cyber AssetNote. PAN-OS is the operating system for Palo Alto's firewall devices; the flaw affects certain versions of PAN-OS v11.2, v11.1 , v10.2, and v10.1 and has been patched for all affected versions.

Patch info is available in Palo Alto's security advisory on CVE-2025-0108, which is rated as 8.8 and therefore of high severity on the CVSS. The company warned that while the PHP scripts that can be invoked do not themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further aims.

Indeed, researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.

**Active Exploitation of Palo Alto Firewalls**

Threat actors apparently got the memo on the potential for exploit, as attacks on affected devices are on the rise. As of Feb. 18, 25 malicious IPs are actively exploiting CVE-2025-0108, up from merely two the day after its discovery was made public, according to researchers at GreyNoise. The top three countries for these attacks are the US, Germany, and the Netherlands, according to a blog post on the exploitation.

"Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them," Noah Stone, head of content at GreyNoise Intelligence, wrote in the post.

The increased activity to exploit the flaw compelled the CISA to add it to the Known Exploited Vulnerabilities Catalog this week and urge those affected to apply Palo Alto's patches for affected device versions.

**Why CVE-2025-0108 in PAN-OS Exists**

The flaw exists because of a common architecture present in PAN-OS, "where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior," security researcher Adam Kues wrote in Searchlight Cyber Assenote's post.

"Fundamentally, these architectures lead to header smuggling and path confusion, which can result in many impactful bugs," he explained.

Specifically, a Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. The researchers found that when the authentication by the requester is set at the Nginx level and based on HTTP headers, the request is then reprocessed again in Apache, which may process the path or headers differently to Nginx before finally handing off the request to PHP.

"If there is a difference between what Nginx thinks our request looks like and what Apache thinks our request looks like, we could achieve an authentication bypass," Kues explained.

The risk of exploitation is greatest if a network configuration enables access to the management interface from the Internet (or any untrusted network) either directly or through a dataplane interface that includes a management interface profile, Palo Alto noted in its advisory.

**Eliminate Risk by Patching Auth Bypass Now**

Palo Alto's network devices are widely used and flaws within them are often quickly set upon by attackers, making it imperative that mitigation for CVE-2025-0108 happens sooner rather than later. The best way to eliminate the risk of exploitation completely is to apply Palo Alto's updates to affected devices, according to the CISA and researchers.

Affected organizations also can reduce this risk if network administrators ensure that only trusted internal IP addresses can access the management interface, according to Palo Alto. Defenders can discover any assets that require remediation action by visiting the Assets section of the Customer Support Portal, the company said.

Palo Alto also recommends that organizations whitelist IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the Internet.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild

Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.

For more than a decade now, Russian cyberwarfare has used Ukraine as a test lab for its latest hacking techniques, methods that often target Ukrainians first before they're deployed more broadly. Now Google is warning of a Russian espionage trick that's been used to obtain Ukrainians' messages on the encrypted platform Signal—and one that both Ukrainians and other Signal users worldwide should protect themselves against with a new update to the app.

Google's threat intelligence team on Wednesday released a report revealing how multiple hacker groups that serve Russian state interests are targeting Signal, the end-to-end encrypted messaging tool that has become widely accepted as a standard for private communications and is now often used by Ukrainians, including in the Ukrainian military's battlefield communications. Those Russia-linked groups, which Google has given the working names UNC5792 and UNC4221, are taking advantage of a Signal feature that allows users to join a Signal group by scanning a QR code from their phone. By sending phishing messages to victims, often over Signal itself, both hacker groups have spoofed those group invites in the form of QR codes that instead hide javascript commands that link the victim's phone to a new device—in this case, one in the hands of an eavesdropper who can then read every message the target sends or receives.

“It looks exactly like a group invite, and everything would function exactly like that, except when you scan it, it links the device out,” says Dan Black, a Google cyberespionage researcher and former NATO analyst. “It instantly pairs your device with theirs. And all your messages are now, in real time, being delivered over to the threat actor while you're receiving them.”

Two months ago, Google began warning the Signal Foundation that maintains the private communications platform about Russia's use of the QR code phishing technique, and Signal last week finished rolling out an update for iOS and Android designed to counter the trick. The new safeguard warns users when they link a new device and checks with them again at a randomized interval a few hours after that device is added to confirm that they still want to share all messages with it. Signal now also requires a form of authentication such as entering a passcode or using FaceID or TouchID on iOS to add a new linked device.

In fact, Signal had already been working to update those forms of phishing protections aimed specifically at exploitation of its linked device feature prior to Google's warning, says Signal's senior technologist, Josh Lund. But Google's report about Russia's spying in Ukraine provided an “acute” example of the problem that pushed them to move quickly to protect users, he says.

“We're really grateful to the Google team for their help in making Signal more resilient to this type of social engineering,” says Lund, using the cybersecurity term for tricks that deceive victims into giving hackers sensitive information or access to their systems.

Both Google and Signal emphasized that the phishing technique Google has seen in use in Ukraine doesn't suggest that Signal's encryption is broken or that the app's messages can otherwise be eavesdropped in transit. Instead, the trick essentially combines two legitimate features—QR-code group invites and QR-code device linking that pairs a smartphone with a laptop—invisibly swapping one with the other to deceive users. “Phishing is a big problem on the internet, and it's never nice to hear that someone has fallen victim to one of these attacks,” Lund says. “But we're trying to do our best to keep users safe, and we think these recent improvements will really help.”

Google notes that it's seen Russia use similar techniques to target other communications platforms like WhatsApp and Telegram, too. But the hackers tied to Russia's military have focused on Signal because of its widespread tactical use in the Ukrainian military. One of the two hacker groups that has exploited the QR code phishing technique, for instance, has disguised the codes as invites to groups associated with an artillery guidance app used by the Ukrainian military called Kropyva. In other instances, the spoofed QR codes have impersonated invites to other groups from a trusted contact, or security alerts from Signal itself.

Russia's hackers have targeted Signal as part of the country's war efforts in Ukraine since as early as 2023, a year into its full-scale invasion, says Google's Black. That's when the Russian hacker group known as Sandworm, a notorious unit of Russia's GRU military intelligence agency, began pivoting from disruptive cyberattacks to tactical espionage that included penetrating tablet computers used by the Ukrainian military. In some cases, Sandworm's hackers have also aided front-line Russian troops in off-loading Signal messages from captured devices, including by using the linked-device feature to pair compromised phones with their own PCs. Google says that Turla, a hacker group linked to Russia's FSB security agency, has also targeted Signal messages on PCs that it's infected with malware.

Google's Black says that the company's analysts nonetheless waited to highlight Russia's use of the QR-code phishing technique to target Signal until the Signal Foundation could push out new protections, in part to prevent other hackers from copying the technique. Black warns, in fact, that Russia's targeting of Signal in Ukraine shouldn't be seen as a problem limited to Ukraine nor to military conflicts in general. The trick is just as likely to be used for targeting dissidents and activists who use Signal worldwide, or even a broader set of targets. In December, for instance, US officials recommended Americans use end-to-end encrypted apps in response to the Chinese hacker group Salt Typhoon's widespread penetrations of US telecom networks.

“The use case for these techniques is just so wide," says Black. “We've seen history tell us a very particular story in terms of tradecraft, that the things that happen in Ukraine don't seem to stay confined there.”

A Signal Update Fends Off a Phishing Technique Used in Russian Espionage

The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.

North Korea-linked threat groups are increasingly using living-off-the-land (LotL) techniques and trusted services to evade detection, with a recent Kimsuky campaign showcasing the use of PowerShell scripts and storing data in Dropbox folders, along with improved operational security.

In the campaign, dubbed "DEEP#DRIVE" by security firm Securonix, the threat group used fake work logs, insurance documents, and crypto-related files to convince users to download and run a zipped shortcut file that gathers system configuration information and then executes PowerShell and .NET scripts. The attack tools upload the system data to Dropbox folders and then download additional commands and capabilities for further compromise.

While the attackers showed some interest in quick financial wins — such as targeting cryptocurrency users — for the most part, the threat group focused on stealing sensitive data from South Korean government agencies and businesses, says Tim Peck, a senior threat researcher at Securonix.

"We observed evidence of both espionage and financial motivation, though leaning more toward espionage," he says. "This aligns with Kimsuky's historical targeting of South Korean government agencies, enterprises, and strategic industries."

North Korean cyber-operations groups have consistently targeted South Korea and the US, with South Korean government agencies and companies among the most popular targets. In September 2024, the FBI warned that North Korean groups planned to launch a surge of attacks against organizations with significant cryptocurrency reserves, and Kimsuky launched a similar multistage attack against South Korean targets last year.

**A Prolific Group**

Kimsuky isn't monolithic, but has five threat groups that have overlap with what other companies consider to be the same group, says threat intelligence firm Recorded Future. One group tends to focus on the healthcare and hospitality sectors, for example, while another focuses on cryptocurrency markets.

By mid-2023, Kimsuky became the most prolific North Korean group. (More recent data not available.) Source: Recorded Future's "North Korea's Cyber Strategy" report

The Kimsuky groups accounted for the most attacks identified as North Korean in origin between 2021 and 2023, according to Recorded Future's "North Korea Cyber Strategy" report. In 2024, the groups continued to account for a high volume of attacks, says Mitch Haszard, senior threat intelligence analyst with Recorded Future.

"These groups conduct high volume phishing campaigns, primarily targeting individuals and organizations in South Korea, while occasionally targeting entities in other countries," he says. "In the activity we see, these groups appear to be going for volume, rather than more time-consuming, tailored spear-phishing operations."

Other well known North Korean groups, such as Lazarus and Andariel, are not as prolific as the Kimsuky threat actors. While some of those groups are more focused on gathering sensitive information, nearly all also have a financial motivation.

**Thousands of Victims?**

In the DEEP#DRIVE campaign, following the compromise of a system, the Kimsuky group's attack scripts upload data on the system configuration to one of several Dropbox folders. While the Securonix researchers were not able to gather intelligence from all the suspected Dropbox locations, they uncovered signs of more than 8,000 configuration files, although some appear to be duplicates, Peck says.

While that means they likely came from the same victim organizations, the campaign appears to be quite successful, he says.

"There were two factors which contributed to the 'uniqueness' of the configuration file, the username, and IP address," Peck says. "Some usernames were associated with dozens of similar IP addresses, which could indicate lateral movement by the attacker — \[that is\], infecting dozens of machines from the same entity."

The data from a compromised system includes the host IP address, the system uptime, details about the OS type and version, any installed security software, and a list of running processes.

**Kimsuky Improves Its OpSec**

The campaign also highlighted North Korean cyber-operations groups' improvements to operational security. The group used OAuth-based authentication on its Dropbox folders, preventing traditional URL-blocking or network-based defenses from following the links. The threat actors also quickly took down components of their infrastructure soon after the Securonix researchers began investigating, Securonix's Peck says.

"This level of operational awareness is not always present in phishing-driven malware campaigns," he says.

For companies, the threat group's tactics underscore that the hidden file extensions should be disabled, shortcut files should be blocked from executing in user folders, and only signed PowerShell scripts be allowed to execute. Those three countermeasures make the attackers' activity much easier to detect, Peck says.

In addition, companies in targeted industries — such as cryptocurrency exchanges and government agencies — should bolster their email security and regularly train employees on how to spot phishing threats, says Recorded Future's Haszard.

"Most North Korean cyberattacks still start with social engineering and a phish," he says. "Companies should ensure that they have an email security solution in place and regularly train employees on phishing threats, as well as conduct simulated phishing tests."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

North Korea's Kimsuky Taps Trusted Platforms to Attack South Korea

Acquisition strengthens Deepwatch Platform capabilities with actionable insights and risk-based prioritization.

Source: Gajus via Adobe Stock Photo

NEWS BRIEF

Deepwatch, an artificial intelligence (AI) and human cyber-resilience platform provider, has announced its acquisition of security intelligence solutions startup Dassana. Deepwatch plans to integrate Dassana's AI-powered risk and threat exposure management technology, CISO Copilot, into its Deepwatch Platform.

The integration will also allow CISOs and security leaders to get real-time insights into their security posture, said Deepwatch CEO John DiLullo in a statement. The acquisition will give Deepwatch's internal SOC operations and customers better tools around automation, compliance reporting, and proactive security management.

Dassana's products integrate with existing security infrastructure and aggregate and normalize data from various security tools to provide a unified view of an organization's security environments. Organizations gain real-time visibility into their security posture and can apply the actionable insights to expedite remediation efforts and enhance the effectiveness of security controls. CISO Copilot automates evidence collection for compliance, allocates resources based on business impact, and accesses real-time board-level metrics, allowing CISOs to make data-driven decisions.

"By joining forces with Dassana, our mission to democratize and make our AI capabilities available to companies of all sizes has taken a giant leap forward," DiLullo said. "We believe cyber-resilience should be available to all and that everyone deserves to conduct their businesses free from the scourge of cyber attacks."

Financial details of the deal were not disclosed.

**About the Author**

Deepwatch Acquires Dassana to Boost Cyber-Resilience With AI

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections…

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections and data theft.

Cybersecurity researchers at Microsoft Threat Intelligence have identified a new strain of the XCSSET malware targeting macOS users. This modular malware focuses on attacking Apple developers by infecting Xcode projects, tools necessary for building applications on the macOS platform.

While the current spread of this updated version appears limited, experts are urging developers and organizations to implement precautionary measures to safeguard their systems.

****What is XCSSET?****

XCSSET was first identified by Trend Micro in 2020. It has since gained a reputation as a sneaky piece of malware. This latest version builds upon its predecessor’s capabilities with major improvements in its design, making it even harder to detect and defend against.

According to Microsoft’s findings, the new variant comes equipped with advanced obfuscation techniques, more sophisticated persistence mechanisms, and updated methods for infecting systems. These upgrades make XCSSET a persistent and stealthy threat that can carry out a mix of different malicious activities, including targeting digital wallets, stealing data from the Notes app, stealing sensitive system information, and exfiltrating files.

****Harder to Detect****

One of the main capabilities of this new XCSSET variant is its focus on evasion. To avoid detection by anti-virus and other security tools, the malware generates its payloads in a highly randomized manner. It randomizes both the encoding process and the number of iterations used, creating challenges for researchers attempting to analyze the code.

What’s more, older versions of XCSSET relied on a single tool, xxd (hexdump), for encoding its payloads. The latest version, however, adds Base64 encoding to its arsenal, further complicating analysis efforts. Even the names of the malware’s modules have been obfuscated, making it difficult to discern their purpose or function within the code.

****Harder to Remove****

The new XCSSET variant employs two innovative methods to ensure it remains active on infected systems, even after a reboot or user logout.

1.  **“zshrc” Method**: This tactic involves creating a hidden file called ~/.zshrc_aliases to house the malicious payload. The malware then manipulates the ~/.zshrc configuration file, adding a command that automatically loads the malicious file whenever a new shell session starts. This means that every time a user opens their terminal, the malware activates in the background.
2.  **“Dock” Method**: This approach hijacks the macOS Dock. The malware downloads a signed utility called “dockutil” from a remote command-and-control server to modify Dock items. It replaces the legitimate “Launchpad” app with a malicious version, ensuring that the malware executes every time the user interacts with the Dock.

****Targeting Xcode Projects****

As its name suggests, XCSSET primarily targets Xcode, Apple’s powerful integrated development environment (IDE) for macOS. The malware infiltrates Xcode projects using one of three placement strategies: **TARGET**, **RULE**, or **FORCED\_STRATEGY**. These strategies determine how and where the malicious payload is embedded within the project files.

Additionally, the malware can target the TARGET_DEVICE_FAMILY key within the project’s build settings. By inserting its code here, XCSSET ensures that the payload only activates when the app is built and run on specific devices, evading detection during development or testing phases.

> Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025

****How to Protect Yourself****

If you are an Apple developer or a macOS user in general, here are some simple yet vital tips to protect your devices from XCSSET malware:

*   **Inspect Xcode Projects**: Always review and verify Xcode projects, especially if they are downloaded from external repositories or shared by third parties.
*   **Stick to Trusted Sources**: Download apps and tools exclusively from official Apple channels or reputable software platforms. Avoid third-party app stores or unofficial downloads.
*   **Keep Up with the Updates**: Keep up-to-date with the latest security advisories from Microsoft, Apple, and other cybersecurity organizations.

New XCSSET Malware Variant Targeting macOS Notes App and Wallets

London, United Kingdom, 18th February 2025, CyberNewsWire

Intel by Intruder now uses AI to contextualize NVD descriptions, helping security teams assess risk faster.

Intruder, a leader in attack surface management, has launched AI-generated descriptions for Common Vulnerabilities and Exposures (CVEs) within its free vulnerability intelligence platform, Intel. This new feature enhances cybersecurity professionals’ ability to quickly understand and assess vulnerabilities, addressing a common pain point: the often vague and technical descriptions provided by the National Vulnerability Database (NVD).

With thousands of vulnerabilities published every year, security teams rely on NVD as a key resource for researching CVEs. However, NVD descriptions frequently lack clarity or context, making it difficult to determine potential impact at a glance. Intel’s AI summaries transform NVD descriptions into clear, concise, and actionable insights, helping teams assess and respond to risks faster.

> “Vulnerability management is challenging enough without the added complexity of deciphering cryptic CVE descriptions,” said **Chris Wallis, CEO & Founder of Intruder**. “With Intel’s AI Overviews, we’re making it easier for security professionals to quickly gauge what a vulnerability is and decide what action to take.”

Additionally, Intruder’s in-house security experts manually review the AI descriptions of the most critical vulnerabilities. These expert-reviewed CVEs are clearly marked in Intel with a “Verified by Intruder” label.

Intel, which is completely free to use, already provides powerful features such as a real-time feed of trending CVEs, a unique hype score rated out of 100, and in-depth analysis from Intruder’s security team. The addition of AI-generated CVE descriptions further strengthens Intel’s value as a go-to resource for cybersecurity professionals.

**Availability**

The AI-generated CVE descriptions are **available now** within **Intel** at intel.intruder.io. Cybersecurity professionals can access Intel for free today.

For more information, users visit www.intruder.io or follow Intruder on LinkedIn and Twitter.

**About Intruder**

Intruder was founded in 2015 to solve the information overload crisis in vulnerability management. Its mission from day one has been to help divide the needles from the haystack, focusing on what matters, while ignoring the rest. Effective cyber security is about getting the basics right. Intruder helps do that, saving time on the easy stuff, so users can focus on the rest. It has been awarded multiple accolades, was selected for GCHQ’s Cyber Accelerator, and is now proud to have over 3,000 happy customers all over the world.

Intruder Enhances Free Vulnerability Intelligence Platform ‘Intel’ with AI-Generated CVE Descriptions

Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

Researchers earned a $50,500 **Bug Bounty** after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.

Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.

The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration; recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.

Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed advanced techniques, transforming JavaScript files into Abstract Syntax Trees (ASTs) and Docker image analysis to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.

The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.

According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.

Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.

The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level leading to large-scale data theft and data breaches.

Software supply chain vulnerabilities have affected thousands of businesses in recent months. Cyberattacks targeting companies like Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to be exploited, impacting organizations worldwide.

The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the impacted company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate into internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.

This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.

1.  Multichain hack: Hacker returns $1m, keeps $150k as bug bounty
2.  Apple Launches ‘Apple Intelligence’ – $1M Bug Bounty for Security
3.  Google Launches $250,000 kvmCTF Bug Bounty for KVM Exploits

Tag

#intel