• North America
• United States
• Sudo And Sudo Caching
• Telecommunications
• Credentials In Files
• Spearphishing Link
• Disable Or Modify Tools
• Match Legitimate Name Or Location
• Spectrum
• Unix Shell
• Ingress Tool Transfer
• Amos

New Clickfix Infostealer Campaign Targets macOS Users

Cybersecurity researchers have identified a new malware campaign that uses social engineering tactics to distribute an information stealer known as Atomic macOS Stealer (AMOS) targeting Apple macOS systems. The campaign employs typosquatting domains that mimic the U.S.-based telecom provider Spectrum, tricking users into executing a malicious shell script that steals system passwords and downloads the AMOS variant. The attack begins on a fake webpage that prompts users to complete a CAPTCHA verification, ultimately leading them to execute harmful commands under the guise of fixing a non-existent issue. The campaign is believed to be orchestrated by Russian-speaking cybercriminals, as indicated by the presence of Russian language comments in the malware's code.

• Resource Hijacking
• Network Service Discovery
• Exploitation For Client Execution
• Match Legitimate Name Or Location
• Escape To Host
• Docker
• External Remote Services
• Smb/Windows Admin Shares
• Unix Shell
• Remote System Discovery
• Lateral Tool Transfer
• Deploy Container
• Web Protocols
• Change Default File Association
• Ingress Tool Transfer
• United States
• Business Services
• Obfuscated Files Or Information
• North America
• Exploit Public-Facing Application

Cryptojacking Campaign Targets Misconfigured Docker APIs

A new malware campaign has emerged, targeting misconfigured Docker API instances to create a cryptocurrency mining botnet focused on mining Dero currency. The threat actor exploits insecurely published Docker APIs to gain access to running containerized infrastructures, propagating the malware through a worm-like mechanism to infect other exposed Docker instances. The attack utilizes two main components: a propagation malware named 'nginx' that scans for vulnerable Docker APIs, and a 'cloud' Dero cryptocurrency miner. This campaign has been linked to previous cryptojacking operations and poses a significant risk to any network with insecure Docker APIs.

• Dynamic-Link Library Injection
• Silver Fox
• Asia
• Regsvr32
• Reflective Code Loading
• Eastern Asia
• Valleyrat
• Process Discovery
• Web Protocols
• Scheduled Task
• File Deletion
• Powershell
• Obfuscated Files Or Information: Encrypted Or Encoded Data
• File And Directory Discovery
• Ingress Tool Transfer
• China
• Malicious File
• Masquerade Task Or Service
• Rundll32
• Disable Or Modify Tools

New Malware Campaign Targets Chinese-Speaking Users with Winos 4.0

Cybersecurity researchers have uncovered a malware campaign that employs fake software installers disguised as popular applications like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. First identified by Rapid7 in February 2025, the campaign utilizes a sophisticated multi-stage loader called Catena, which operates entirely in memory to evade traditional antivirus detection. The malware, attributed to a threat actor known as Silver Fox, specifically targets Chinese-speaking environments and has been active throughout 2025, adapting its tactics to maintain persistence and avoid detection. The campaign leverages trojanized NSIS installers and is characterized by its careful planning and execution.