Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Carding -- the underground business of stealing, selling and swiping stolen payment card data -- has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

An image from one Chinese phishing group’s Telegram channel shows various toll road phish kits available.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

**CARDING REINVENTED**

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.

“Who says carding is dead?,” said Merrill, who presented about his findings at the M3AAWG security conference in Lisbon earlier today. “This is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they’ll air ship them to you.”

One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different UK financial institutions.

Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on **Stripe** or **Zelle** and running transactions through those entities — often for amounts totaling between $100 and $500.

Merrill said that when these phishing groups first began operating in earnest two years ago, they would wait between 60 to 90 days before selling the phones or using them for fraud. But these days that waiting period is more like just seven to ten days, he said.

“When they first installed this, the actors were very patient,” he said. “Nowadays, they only wait like 10 days before \[the wallets\] are hit hard and fast.”

**GHOST TAP**

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “**ZNFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“The software can work from anywhere in the world,” Merrill said. “These guys provide the software for $500 a month, and it can relay both NFC enabled tap-to-pay as well as any digital wallet. The even have 24-hour support.”

The rise of so-called “ghost tap” mobile software was first documented in November 2024 by security experts at **ThreatFabric**. **Andy Chandler**, the company’s chief commercial officer, said their researchers have since identified a number of criminal groups from different regions of the world latching on to this scheme.

Chandler said those include organized crime gangs in Europe that are using similar mobile wallet and NFC attacks to take money out of ATMs made to work with smartphones.

“No one is talking about it, but we’re now seeing ten different methodologies using the same modus operandi, and none of them are doing it the same,” Chandler said. “This is much bigger than the banks are prepared to say.”

A November 2024 story in the Singapore daily _The Straits Times_ reported authorities there arrested three foreign men who were recruited in their home countries via social messaging platforms, and given ghost tap apps with which to purchase expensive items from retailers, including mobile phones, jewelry, and gold bars.

“Since Nov 4, at least 10 victims who had fallen for e-commerce scams have reported unauthorised transactions totaling more than $100,000 on their credit cards for purchases such as electronic products, like iPhones and chargers, and jewelry in Singapore,” _The Straits Times_ wrote, noting that in another case with a similar modus operandi, the police arrested a Malaysian man and woman on Nov 8.

Three individuals charged with using ghost tap software at an electronics store in Singapore. Image: The Straits Times.

**ADVANCED PHISHING TECHNIQUES**

According to Merrill, the phishing pages that spoof the USPS and various toll road operators are powered by several innovations designed to maximize the extraction of victim data.

For example, a would-be smishing victim might enter their personal and financial information, but then decide the whole thing is scam before actually submitting the data. In this case, anything typed into the data fields of the phishing page will be captured in real time, regardless of whether the visitor actually clicks the “submit” button.

Merrill said people who submit payment card data to these phishing sites often are then told their card can’t be processed, and urged to use a different card. This technique, he said, sometimes allows the phishers to steal more than one mobile wallet per victim.

Many phishing websites expose victim data by storing the stolen information directly on the phishing domain. But Merrill said these Chinese phishing kits will forward all victim data to a back-end database operated by the phishing kit vendors. That way, even when the smishing sites get taken down for fraud, the stolen data is still safe and secure.

Another important innovation is the use of mass-created Apple and Google user accounts through which these phishers send their spam messages. One of the Chinese phishing groups posted images on their Telegram sales channels showing how these robot Apple and Google accounts are loaded onto Apple and Google phones, and arranged snugly next to each other in an expansive, multi-tiered rack that sits directly in front of the phishing service operator.

The ashtray says: You’ve been phishing all night.

In other words, the smishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

Notably, none of the phishing sites spoofing the toll operators or postal services will load in a regular Web browser; they will only render if they detect that a visitor is coming from a mobile device.

“One of the reasons they want you to be on a mobile device is they want you to be on the same device that is going to receive the one-time code,” Merrill said. “They also want to minimize the chances you will leave. And if they want to get that mobile tokenization and grab your one-time code, they need a live operator.”

Merrill found the Chinese phishing kits feature another innovation that makes it simple for customers to turn stolen card details into a mobile wallet: They programmatically take the card data supplied by the phishing victim and convert it into a digital image of a real payment card that matches that victim’s financial institution. That way, attempting to enroll a stolen card into Apple Pay, for example, becomes as easy as scanning the fabricated card image with an iPhone.

An ad from a Chinese SMS phishing group’s Telegram channel showing how the service converts stolen card data into an image of the stolen card.

“The phone isn’t smart enough to know whether it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay we need to verify that you’re the owner of the card by sending a one-time code.”

**PROFITS**

How profitable are these mobile phishing kits? The best guess so far comes from data gathered by other security researchers who’ve been tracking these advanced Chinese phishing vendors.

In August 2023, the security firm Resecurity discovered a vulnerability in one popular Chinese phish kit vendor’s platform that exposed the personal and financial data of phishing victims. Resecurity dubbed the group the **Smishing Triad**, and found the gang had harvested 108,044 payment cards across 31 phishing domains (3,485 cards per domain).

In August 2024, security researcher **Grant Smith** gave a presentation at the DEFCON security conference about tracking down the Smishing Triad after scammers spoofing the U.S. Postal Service duped his wife. By identifying a different vulnerability in the gang’s phishing kit, Smith said he was able to see that people entered 438,669 unique credit cards in 1,133 phishing domains (387 cards per domain).

Based on his research, Merrill said it’s reasonable to expect between $100 and $500 in losses on each card that is turned into a mobile wallet. Merrill said they observed nearly 33,000 unique domains tied to these Chinese smishing groups during the year between the publication of Resecurity’s research and Smith’s DEFCON talk.

Using a median number of 1,935 cards per domain and a conservative loss of $250 per card, that comes out to about $15 billion in fraudulent charges over a year.

Merrill was reluctant to say whether he’d identified additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly fixed the vulnerabilities that were detailed publicly by Resecurity and Smith.

**FIGHTING BACK**

Adoption of touchless payments took off in the United States after the Coronavirus pandemic emerged, and many financial institutions in the United States were eager to make it simple for customers to link payment cards to mobile wallets. Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS.

Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. KrebsOnSecurity interviewed a security executive from a large European financial institution who spoke on condition of anonymity because they were not authorized to speak to the press.

That expert said the lag between the phishing of victim card data and its eventual use for fraud has left many financial institutions struggling to correlate the causes of their losses.

“That’s part of why the industry as a whole has been caught by surprise,” the expert said. “A lot of people are asking, how this is possible now that we’ve tokenized a plaintext process. We’ve never seen the volume of sending and people responding that we’re seeing with these phishers.”

To improve the security of digital wallet provisioning, some banks in Europe and Asia require customers to log in to the bank’s mobile app before they can link a digital wallet to their device.

Addressing the ghost tap threat may require updates to contactless payment terminals, to better identify NFC transactions that are being relayed from another device. But experts say it’s unrealistic to expect retailers will be eager to replace existing payment terminals before their expected lifespans expire.

And of course Apple and Google have an increased role to play as well, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.

Neither Apple nor Google responded to requests for comment on this story.

How Phished Data Turns into Apple & Google Wallets

Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and…

Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and DoS. Upgrade to 9.9p2 now to protect your systems.

Qualys Threat Research Unit (TRU) has discovered two security weaknesses in OpenSSH, a widely used tool across various operating systems for secure remote login, file transfers, and other critical functions. 

The first vulnerability, identified as CVE-2025-26465, exposes the OpenSSH client to machine-in-the-middle attacks. This flaw “allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled” and set or ‘yes’ or ‘ask,’ the blog post read.

Further probing revealed that this vulnerability exists regardless of the VerifyHostKeyDNS setting and does not require any user interaction or specific DNS records. It was introduced in OpenSSH version 6.8p1 and affects versions up to 9.9p1.

Moreover, this flaw allows an attacker to impersonate a legitimate server, potentially compromising the integrity of the SSH connection and enabling data interception or manipulation. This can lead to compromised SSH sessions, allowing hackers to view or manipulate sensitive data, move across critical servers, and exfiltrate valuable information. It is worth noting that while VerifyHostKeyDNS is typically disabled, it was enabled by default on FreeBSD systems for nearly a decade, increasing the potential impact of this flaw.

The second vulnerability, tracked as CVE-2025-26466, affects both the OpenSSH client and server. This flaw allows a pre-authentication denial-of-service attack, consuming excessive memory and CPU resources.  This can lead to system outages and prevent legitimate users, including administrators, from accessing critical servers. Repeated exploitation can lead to prolonged outages and server management issues, potentially affecting an enterprise’s operations and maintenance tasks.  

This vulnerability was introduced more recently, in OpenSSH version 9.5p1, and also affects versions up to 9.9p1. Fortunately, several existing OpenSSH server configurations, such as LoginGraceTime, MaxStartups, and PerSourcePenalties, can mitigate this denial-of-service attack.

The Qualys TRU responsibly disclosed these vulnerabilities to the OpenSSH developers, and a fix is available in OpenSSH version 9.9p2. Users and administrators must immediately upgrade to this latest version to protect their systems from these newly identified threats. Any delay could leave systems vulnerable to data breaches, unauthorized access, and denial-of-service attacks, potentially disrupting operations and leading to dangerous consequences.

It must be noted that OpenSSH has faced security challenges in the past, such as Hackread.com reporting the regreSSHion vulnerability (CVE-2024-6387) also discovered by Qualys in 2024. This flaw could have allowed unauthenticated remote code execution with root privileges on Linux systems using glibc, emphasizing the need for thorough testing and potential regressions in security-sensitive software. 

These flaws in OpenSSH highlight that even widely trusted and well-maintained software like OpenSSH can be susceptible to vulnerabilities, making regular software updates, monitoring for suspicious activity, and implementing security best practices essential to protect systems.

Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS Attacks

The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it…

The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it steals credentials and evades detection.

Cybersecurity researchers at FortiGuard Labs have discovered a new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. As per their research, shared with Hackread.com, this malware is designated AutoIt/Injector.GTY!tr, and has been linked to over 280 million blocked infection attempts globally, primarily concentrated in China, Turkey, Indonesia, Taiwan, and Spain. 

Researchers note that this Snake Keylogger variant typically spreads through phishing emails containing malicious attachments or links. It targets popular web browsers like Chrome, Edge, and Firefox, stealing sensitive information such as credentials and data by logging keystrokes, capturing credentials, and monitoring the clipboard. The stolen data is then exfiltrated to its command-and-control (C2) server via email (SMTP) and Telegram bots. 

According to FortiGuard Labs’ technical report, the malware employs AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. AutoIt can create standalone executables that can bypass standard antivirus solutions whereas AutoIt-compiled binary adds a layer of obfuscation, making detection and analysis more challenging.  

Malware Activity -Source Fortinet

The graph shows the fluctuating activity levels of AutoIt/Injector.GTY detections, suggesting potential campaigns between 1 Jan-12 Feb 2025. It is important to note that this graph represents detected instances, and the actual number of infections could be higher. 

During the attack, the malware drops a copy of itself as “ageless.exe” in the %Local\_AppData%\\supergroup folder with hidden attributes and places “ageless.vbs” in the %Startup% folder. This script uses WScript.Shell() to run “ageless.exe” upon system startup, ensuring persistence.  This method is commonly used because the Windows Startup folder allows scripts to run without administrative privileges.  

After executing “ageless.exe,” the malware injects its malicious payload into a legitimate .NET process, “RegSvcs.exe,” using process hollowing, which involves suspending “RegSvcs.exe,” deallocating its original code, allocating new memory, and injecting the malicious payload. Upon resuming, the process executes the injected code, allowing the malware to hide within a trusted process, evading detection.  

Snake Keylogger retrieves the victim’s geolocation using websites like checkipdyndnsorg and exfiltrates stolen credentials via SMTP and Telegram bots using HTTP Post requests.  Moreover, the malware can detect access to folders containing browser login credentials and other sensitive data. It uses modules to steal data from browser autofill systems, including credit card details and captures keystrokes using the SetWindowsHookEx API with the WH\_KEYBOARD\_LL flag, allowing it to log sensitive input.  

The image shows the various techniques Snake Keylogger employs during the attack, including Collection, Credential Access, Defense Evasion, Exfiltration, Lateral Movement, Privilege Escalation, Reconnaissance, and Resource Development, etc. providing a concise overview of the diverse malicious capabilities of the Snake Keylogger.

Snake Keylogger MITRE ATT&CK Matrix – Source Fortinet

This is a sophisticated, feature-rich variant, and a threat to Windows users worldwide. Organizations and individuals use a combination of advanced threat protection and proactive security measures to defend against this and other emerging keylogger threats.

Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots

The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems.
This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe,

Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections…

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections and data theft.

Cybersecurity researchers at Microsoft Threat Intelligence have identified a new strain of the XCSSET malware targeting macOS users. This modular malware focuses on attacking Apple developers by infecting Xcode projects, tools necessary for building applications on the macOS platform.

While the current spread of this updated version appears limited, experts are urging developers and organizations to implement precautionary measures to safeguard their systems.

****What is XCSSET?****

XCSSET was first identified by Trend Micro in 2020. It has since gained a reputation as a sneaky piece of malware. This latest version builds upon its predecessor’s capabilities with major improvements in its design, making it even harder to detect and defend against.

According to Microsoft’s findings, the new variant comes equipped with advanced obfuscation techniques, more sophisticated persistence mechanisms, and updated methods for infecting systems. These upgrades make XCSSET a persistent and stealthy threat that can carry out a mix of different malicious activities, including targeting digital wallets, stealing data from the Notes app, stealing sensitive system information, and exfiltrating files.

****Harder to Detect****

One of the main capabilities of this new XCSSET variant is its focus on evasion. To avoid detection by anti-virus and other security tools, the malware generates its payloads in a highly randomized manner. It randomizes both the encoding process and the number of iterations used, creating challenges for researchers attempting to analyze the code.

What’s more, older versions of XCSSET relied on a single tool, xxd (hexdump), for encoding its payloads. The latest version, however, adds Base64 encoding to its arsenal, further complicating analysis efforts. Even the names of the malware’s modules have been obfuscated, making it difficult to discern their purpose or function within the code.

****Harder to Remove****

The new XCSSET variant employs two innovative methods to ensure it remains active on infected systems, even after a reboot or user logout.

1.  **“zshrc” Method**: This tactic involves creating a hidden file called ~/.zshrc_aliases to house the malicious payload. The malware then manipulates the ~/.zshrc configuration file, adding a command that automatically loads the malicious file whenever a new shell session starts. This means that every time a user opens their terminal, the malware activates in the background.
2.  **“Dock” Method**: This approach hijacks the macOS Dock. The malware downloads a signed utility called “dockutil” from a remote command-and-control server to modify Dock items. It replaces the legitimate “Launchpad” app with a malicious version, ensuring that the malware executes every time the user interacts with the Dock.

****Targeting Xcode Projects****

As its name suggests, XCSSET primarily targets Xcode, Apple’s powerful integrated development environment (IDE) for macOS. The malware infiltrates Xcode projects using one of three placement strategies: **TARGET**, **RULE**, or **FORCED\_STRATEGY**. These strategies determine how and where the malicious payload is embedded within the project files.

Additionally, the malware can target the TARGET_DEVICE_FAMILY key within the project’s build settings. By inserting its code here, XCSSET ensures that the payload only activates when the app is built and run on specific devices, evading detection during development or testing phases.

> Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025

****How to Protect Yourself****

If you are an Apple developer or a macOS user in general, here are some simple yet vital tips to protect your devices from XCSSET malware:

*   **Inspect Xcode Projects**: Always review and verify Xcode projects, especially if they are downloaded from external repositories or shared by third parties.
*   **Stick to Trusted Sources**: Download apps and tools exclusively from official Apple channels or reputable software platforms. Avoid third-party app stores or unofficial downloads.
*   **Keep Up with the Updates**: Keep up-to-date with the latest security advisories from Microsoft, Apple, and other cybersecurity organizations.

New XCSSET Malware Variant Targeting macOS Notes App and Wallets

PRESS RELEASE

AUSTIN, Texas, Feb. 13, 2025 /PRNewswire/ -- enQase, a groundbreaking quantum-safe security solution, launches today to safeguard the most sensitive information against the threat of quantum attacks. This innovative solution addresses the urgent calls from leading business technology analyst, cybersecurity experts, and governments worldwide who are stressing the importance to fortify digital defenses against quantum computing threats.

The urgency to act is because the stakes are high, as malicious hackers who acquire highly sensitive encrypted data today could decrypt soon with quantum computers – thus the term "harvest now, decrypt later".

Why enQase exists 

In August 2024, the National Institute of Standards and Technology (NIST) released its recommendations for PQC urging all sectors to urgently begin transitioning to higher levels of cryptographic protection.

Experts, including the World Economic Forum, recommend combining PQC with Quantum Random Number Generation (QRNG) to provide organizations with the strongest protection against future quantum computing threats. While PQC is anticipated to offer good data security, the integration of both technologies is considered the most comprehensive approach to safeguarding sensitive information in the post-quantum era.

Certain limitations that have prompted organizations and sectors to explore more comprehensive security solutions for their most highly sensitive information include:

*   Theoretical foundations: PQC standards are grounded on theoretical analyses and projections of quantum computer capabilities. The security of these algorithms relies on mathematical assumptions that may be challenged as quantum technology advances.
    
*   Deterministic Algorithms: PQC utilizes deterministic algorithms, which could potentially be vulnerable to unforeseen weaknesses or breakthroughs in quantum computing.
    
*   Reliance on PRNGs: PQC implementations often depend on Pseudo-Random Number Generators (PRNGs) for key generation and other random values. The security of these systems could be compromised if the PRNGs are found to be predictable or vulnerable to quantum attacks.
    

In comparison, enQase takes quantum-safe security beyond conventional standards by harnessing the power of quantum mechanics to fortify and 'enQase' NIST's PQC standards. This innovative approach provides organizations with unparalleled assurance that their information will remain secure today, against "Harvest now, Decrypt later" attacks, and well into the future.

How enQase ensures future-proof security

In an era where traditional encryption methods are increasingly vulnerable, enQase stands as a beacon of innovation. Our quantum-enhanced security platform doesn't just meet today's standards—it defines tomorrow's.

The comprehensive platform leverages PQC, Quantum Random Number Generator (QRNG), digital Quantum Key Distribution (dQKD), and Quantum Key Distribution (QKD). At the forefront of innovation, enQase offers an industry-first hybrid key distribution system that uniquely combines both QKD and dQKD technologies.

enQase offers unparalleled deployment flexibility, with options ranging from Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), perpetual licensing and on-premises hardware solutions. The platform seamlessly integrates with existing infrastructure while ensuring full-stack interoperability and scalability to meet evolving security needs.

"enQase counters this threat with a robust data security solution that leverages quantum mechanics to enhance NIST Post-Quantum Cryptography (PQC) protection. The platform offers unique deployment flexibility and scalability demanded by Global 500 companies and government organizations to protect their entire information lifecycle."  
     -Mike Kramer, co-founder and CEO of enQase.

enQase solutions are fully compliant with NIST and ETSI guidelines, positioning clients at the forefront of secure networks. enQase simplifies quantum security management through an intuitive central console, reducing the need for specialized expertise while delivering practical, business-centric solutions.

As global quantum security pioneers with 15 patents, enQase continuously innovates and develops next-generation solutions, including advanced QKD implementations for terrestrial and space-based networks.

About enQase

enQase offers security beyond PQC; the only comprehensive, flexible, scalable solution that utilizes enhanced quantum technologies to protect data against current and future quantum threats without compromising operational performance.

The company's technology addresses critical shortcomings in existing cybersecurity measures, particularly in the face of emerging quantum computing threats. By offering a truly future-proof solution, enQase enables businesses to stay ahead of sophisticated quantum and AI-driven hacking attempts.

enQase offers versatile solutions spanning various deployment options, including SaaS, Cloud, PaaS, on-premises, and hardware-based implementations. Recognizing that every organization safeguards sensitive data —and for certain industries the stakes are far higher— enQase ensures that critical sectors such as finance, healthcare, government, critical infrastructure, and defense, are equipped to shield their most sensitive information with unwavering vigilance.

For more information about how enQase can secure an organization's future, visit www.enqase.com.

Introducing enQase for Quantum-Safe Security

Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

Researchers earned a $50,500 **Bug Bounty** after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.

Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.

The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration; recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.

Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed advanced techniques, transforming JavaScript files into Abstract Syntax Trees (ASTs) and Docker image analysis to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.

The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.

According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.

Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.

The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level leading to large-scale data theft and data breaches.

Software supply chain vulnerabilities have affected thousands of businesses in recent months. Cyberattacks targeting companies like Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to be exploited, impacting organizations worldwide.

The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the impacted company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate into internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.

This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.

1.  Multichain hack: Hacker returns $1m, keeps $150k as bug bounty
2.  Apple Launches ‘Apple Intelligence’ – $1M Bug Bounty for Security
3.  Google Launches $250,000 kvmCTF Bug Bounty for KVM Exploits

Duo Wins $50K Bug Bounty for Supply Chain Flaw in Newly Acquired Firm

People around the world learned about the latest advancements in the American space industry! This was made possible…

People around the world learned about the latest advancements in the American space industry! This was made possible by Holiverse, a decentralized digital platform built on the Polygon blockchain, which organized a live broadcast on February 8 from NASA’s Kennedy Space Center (Florida, USA), covering the event dedicated to the launch of the memory capsule to the Moon alongside the privately developed Peregrine lunar lander.

This compact lunar “cargo carrier” embarked on its journey carrying scientific instruments, NASA’s equipment, and cultural artefacts including a digital copy of the U.S. Constitution.

****The Historical Significance of the Lunar Mission****

The mission was launched in January from Cape Canaveral, Florida, aboard a SpaceX Falcon 9 rocket. The initiative to send a digital copy of the U.S. Constitution to the Moon was led by Copernic Space co-founder Grant Blaisdell. In collaboration with Spacebit founder Pavlo Tanasyuk, they later plan to send a physical copy of the key American legal document to Earth’s natural satellite.

According to the innovators, this mission is essential for preserving humanity’s legacy. “Our project represents a symbolic bridge between America’s past and its promising future, ensuring that the principles of freedom and democracy remain unchanged, even beyond Earth,” says Pavlo Tanasyuk.

****The U.S. Constitution on the Moon: Holiverse Made the Presentation Accessible to a Global Audience****

On February 8, 2025, Holiverse partnered with Spacebit to present a specially crafted physical copy of the U.S. Constitution at Cape Canaveral, prepared for its upcoming lunar mission. To ensure that this milestone was seen by more than just the event’s invited guests, Holiverse hosted a live video broadcast on its platform. Thanks to modern technology, people from around the world could take part in this historic moment, regardless of their location.

The celebratory evening was dedicated to showcasing the collaborative efforts behind this groundbreaking mission. The audience was also introduced to the next steps in lunar and space exploration.

****Future Prospects and Plans****

Scientists and engineers continue to advance their work. By the end of 2025, a team of space industry partners plans to send a physical copy of the U.S. Constitution to the Moon as part of an upcoming mission. Active preparations are underway, with the document being placed in a capsule made from high-strength materials capable of withstanding the extreme conditions of space.

This scientific mission is taking on profound historical significance by preserving cultural heritage beyond Earth. The memory capsule, an extraordinary “lunar archive,” also contains photographs, children’s messages from multiple countries, and drawings.

Holiverse Makes NASA’s Latest Achievements Accessible to Everyone

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for…

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself.  

Cybersecurity researchers at Netskope have discovered a new, functional, but possibly still-in-development, Golang-based backdoor that uses Telegram for command and control (C2).

This malware (Trojan.Generic.37477095), apparently of Russian origin, takes advantage of cloud services like Telegram, which are easy for attackers to use and difficult for researchers to monitor. This method of C2 communication avoids the need for dedicated attacker infrastructure. Other cloud platforms like OneDrive, GitHub, and Dropbox could also be misused in this way.

Upon execution, the malware, compiled in Go, initiates an “installSelf” function. This function checks if the malware is running from the designated location and filename: “C:\\Windows\\Temp\\svchost.exe”. If it does not, the malware copies itself to that location, creates a new process to launch the copy, and then terminates the original instance. This process, executed in an initialization function, ensures the malware runs from the intended location before proceeding. 

Detect It Easy tool used by researchers shows malware acting like a backdoor upon execution (Screenshot via Netskope)

For C2 communication, the backdoor employs an open-source Go package to interact with Telegram. It establishes a bot instance using the Telegram BotFather feature and a specific token (8069094157:AAEyzkW\_3R3C-tshfLwgdTYHEluwBxQnBuk in the analysed sample). The malware then monitors a designated Telegram chat for new commands.

The malware supports four commands, but only three are currently implemented. It validates the length and content of received messages before execution. The “/cmd” command requires two messages: the command itself, followed by a PowerShell command to be executed.

In the next phase, the malware sends a Russian-language prompt (“Enter the command:”) to the chat after receiving the initial command and then waits for the subsequent PowerShell command. This command is then executed in a hidden PowerShell window. 

The “/persist” command replicates the initial installation check and process, relaunching the malware and exiting. The “/screenshot” command, while not fully implemented, still sends a “Screenshot captured” message to the Telegram channel. 

The “/selfdestruct” command deletes the malware file (C:\\Windows\\Temp\\svchost.exe) and terminates the process, notifying the Telegram channel with a “Self-destruct initiated” message. All command outputs are transmitted back to the Telegram channel via the “sendEncrypted” function.

This exploitation of cloud applications for malicious purposes highlights the challenges faced by defenders.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted in their technical blog post.

To stay protected, ensure you have up-to-date and reputable antivirus and anti-malware software installed on all your devices. These solutions should be capable of detecting and blocking malicious files, including Go-based executables.

Tag

#git