VulnHub

The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.

Apple has addressed a serious zero-day vulnerability, identified as CVE-2026-20700, which was used in targeted attacks last year. This flaw, a memory corruption issue in the dyld component of Apple's operating systems, could allow attackers to execute arbitrary code on affected devices. Specifically, the vulnerability impacts versions of iOS prior to iOS 26 and was reportedly exploited in sophisticated attacks against select individuals. Users of these older versions should update their devices to protect against potential exploitation.

A North Korea-associated hacking group known as UNC1069 is targeting cryptocurrency organizations to steal sensitive information from both Windows and macOS systems. Their approach involves social engineering tactics, including the use of a compromised Telegram account to set up a fake Zoom meeting. This deception leads victims to download malware through a method called ClickFix, which researchers believe may also utilize AI-generated content to enhance its effectiveness. The implications of these attacks are significant, as they not only threaten the financial security of targeted companies but also highlight the evolving tactics used by cybercriminals in the cryptocurrency sector. Protecting against such sophisticated schemes is increasingly critical for organizations in this space.

Researchers have identified a new spyware kit called ZeroDayRAT, which is being distributed via Telegram. This toolkit is said to allow attackers to fully compromise both iOS and Android devices, functioning at a level typically associated with resources available to nation-states. The implications of this spyware are significant, as it can potentially give hackers complete access to personal data and device controls. Users of mobile devices, especially those who may be targeted for sensitive information, should be particularly cautious. The emergence of such advanced tools raises serious concerns about mobile security and privacy.

A new strain of malware known as GlassWorm has been found targeting macOS systems through compromised OpenVSX extensions. This malware aims to steal sensitive information, including passwords, cryptocurrency wallet data, and developer credentials. Users who have installed these extensions may be at risk, highlighting a significant security issue for developers and crypto users on macOS. Researchers emphasize the importance of vigilance when installing third-party extensions and recommend that users ensure their software is up-to-date. This incident underscores the need for better security practices in the software development ecosystem to prevent such attacks.

North Korean hackers are targeting macOS developers by luring them to malicious projects on GitHub and GitLab that are opened with Visual Studio Code. The attackers use these repositories to trick users into executing harmful code, potentially compromising their systems. This tactic poses a significant risk to developers who may unknowingly download and run these malicious projects, which could lead to data breaches or further exploitation of their systems. As these attacks exploit popular development tools, developers need to be vigilant about the sources of the projects they access. This incident emphasizes the ongoing threat posed by state-sponsored hackers and the need for heightened awareness in the software development community.

A new wave of the GlassWorm malware campaign is targeting macOS developers by distributing malicious extensions for Visual Studio Code and OpenVSX. These extensions contain trojanized versions of popular cryptocurrency wallet applications, which can compromise users' sensitive information and funds. Developers who install these malicious extensions may unknowingly expose themselves and their projects to significant risks. The attack highlights the ongoing vulnerabilities within software development environments and the need for developers to be cautious about the tools and extensions they use. Users are advised to verify the authenticity of any extensions before installation, especially those related to cryptocurrency.

A new version of the MacSync Stealer malware has been discovered, which poses a serious risk to macOS users. Unlike earlier versions, this malware can execute without requiring user interaction with the terminal, making it easier for attackers to infect systems. The malware is reportedly distributed through a signed Swift application, which could mislead users into thinking it's legitimate software. This change in the malware's operation means that even less tech-savvy users could fall victim to it, potentially leading to unauthorized access to sensitive information. Users of macOS should be particularly cautious about the applications they install and ensure they come from trusted sources.

A recent report from Check Point Research reveals a troubling trend of cyber criminals targeting company insiders to gain unauthorized access to sensitive information. Hackers are using platforms like the darknet and Telegram to recruit employees from major organizations, including banks, telecom companies, and tech firms. They are reportedly offering payments of up to $15,000 for insider access to companies such as Apple, Coinbase, and the Federal Reserve. This practice raises significant security concerns, as it can lead to data breaches and financial losses for these organizations. Companies must be vigilant about insider threats and implement stronger security measures to protect against this growing risk.

Apple has released security updates to address two vulnerabilities in WebKit, identified as CVE-2025-14174 and CVE-2025-43529, which are currently being exploited in the wild. The first vulnerability, CVE-2025-14174, was previously patched by Google for its Chrome desktop browser, but details were limited at that time. This flaw allows for out-of-bounds memory access, potentially enabling attackers to execute arbitrary code. Users of Apple devices, particularly those running Safari or any applications reliant on WebKit, should prioritize updating their systems to safeguard against these vulnerabilities. Ignoring these updates could leave devices exposed to active exploitation.