Malware Activity
Banshee Stealer Resurfaces with Enhanced Stealth, Targeting MacOS
Banshee Stealer, a macOS-focused information-stealing malware, has resurfaced since its source code was leaked in late 2024. Banshee was first discovered in August 2024 being sold under a malware-as-a-service (MaaS) model for $3,000 a month on the strength of its data harvesting capabilities. Banshee is built to steal data from web browsers, cryptocurrency wallets, and system files. The latest variant of the malware introduces a new encryption method modeled on Apple's built-in XProtect anti-malware tool. This encryption allows the new Banshee variant to bypass antivirus systems and evade detection by blending in with normal operations. Notably, the variant also removed the Russian-language check from its infection chain, which previously prevented the malware from executing on hosts where Russian was set as the default system language. Banshee is being spread via phishing websites and fake GitHub repositories that purport to host legitimate software for download, such as Google Chrome, Telegram, and TradingView. The continued development of Banshee is a reminder that macOS systems remain susceptible to, and a target of, malware infections. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Recruitment Database of UN's Aviation Agency Breached
The International Civil Aviation Organization (ICAO), part of the United Nations, has confirmed a data breach involving the theft of approximately 42,000 records from its recruitment database. The breach was first reported when a threat actor using the handle "Natohub" leaked an archive of these documents on the BreachForums hacking forum. The stolen records include personal information such as names, email addresses, dates of birth, and employment histories, but no financial details, passwords, or passport information. The breach, spanning recruitment application data from April 2016 to July 2024, is limited to ICAO's recruitment systems and does not impact aviation safety or security operations. ICAO has stated that it is actively investigating the incident and has implemented additional security measures to prevent future attacks. Efforts are underway to assess the impact and notify affected individuals. The Natohub account, which leaked the ICAO data, had previously claimed access to the personal data of 14,000 UN delegates. This incident follows a history of cyberattacks on UN entities, including a 2019 breach of UN networks in Vienna and Geneva and a 2024 cyberattack on the United Nations Development Programme (UNDP) claimed by the 8Base ransomware gang. The United Nations Environment Programme (UNEP) also experienced a data breach in 2021, exposing over 100,000 employee records.
Vulnerabilities
Critical GFI KerioControl Vulnerability Under Active Exploitation by Threat Actors
A critical vulnerability in GFI KerioControl firewalls is being actively exploited by threat actors to achieve one-click remote code execution (RCE). This flaw, tracked as CVE-2024-52875, is caused by improper input sanitization that leads to multiple HTTP response splitting vulnerabilities, allowing attackers to perform reflected cross-site scripting (XSS) attacks by injecting malicious input into HTTP headers. Discovered by security researcher Egidio Romano, the flaw impacts KerioControl versions 9.2.5 through 9.4.5 and has persisted in the software for about seven years. Exploitation involves crafting a malicious URL that, when clicked by an authenticated administrator, uploads a malicious ".img" file via the firmware upgrade feature, granting root access to the firewall. GreyNoise reported that exploitation attempts began on December 28, 2024, originating from IP addresses in Singapore and Hong Kong, despite a patch having been released on December 19, 2024. With nearly 24,000 internet-exposed instances worldwide, including in Iran, Uzbekistan, Italy, and the United States, the flaw poses a high risk, especially since attackers can combine social engineering tactics with unauthenticated access to vulnerable URI paths. CTIX analysts strongly advise impacted users to update to version 9.4.5 Patch 1, which addresses the vulnerability and strengthens defenses against XSS exploits.
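The root cause described above, unsanitized input reaching an HTTP response header, is the classic CRLF injection pattern. The following Python is an added illustration for defenders and is not KerioControl code or part of the original bulletin: it shows the vulnerable header-setting pattern beside a hardened version that rejects control characters, and a small access-log scanner that flags requests carrying percent-encoded CR/LF (including double-encoded forms) in the request URI. The log lines, client addresses and request paths are constructed for the demonstration and are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). These are not from
# any real KerioControl system; addresses and paths are hypothetical.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [28/Dec/2024:10:01:12 +0000] "GET /admin/login?redirect=/dashboard HTTP/1.1" 200 512',
    '203.0.113.22 - - [28/Dec/2024:10:02:44 +0000] "GET /admin/login?redirect=%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '203.0.113.10 - - [28/Dec/2024:10:03:01 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
    '203.0.113.31 - - [28/Dec/2024:10:04:09 +0000] "GET /admin/login?redirect=%250d%250aX-Injected:%201 HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')

# RFC 7230: a header field value may not contain CR, LF or any other control
# character; HTAB (0x09) is the only one permitted, so it is left out here.
CTL_RE = re.compile(r'[\x00-\x08\x0a-\x1f\x7f]')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    CRLF (%250d%250a) is exposed the same way as a single-encoded one."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no control characters."""
    return CTL_RE.search(value) is None


def set_header_vulnerable(headers: dict, name: str, value: str) -> dict:
    """Vulnerable pattern: user-controlled input is copied into the header
    block verbatim, so an embedded CR/LF terminates the header and lets the
    attacker append headers or a body (HTTP response splitting)."""
    headers[name] = value
    return headers


def set_header_hardened(headers: dict, name: str, value: str) -> dict:
    """Hardened pattern: refuse any value containing control characters
    before it can reach the response. Most frameworks do this for you, but
    hand-rolled header writers (common in appliance web UIs) often do not."""
    if not is_safe_header_value(value):
        raise ValueError(f"control character in header value for {name!r}")
    headers[name] = value
    return headers


def find_crlf_requests(log_lines):
    """Return (client_ip, decoded_uri) for every request whose URI decodes to
    something containing CR/LF or another control character. Such requests
    are a strong signal of response-splitting probes against a web UI."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        uri = fully_decode(match.group("uri"))
        if not is_safe_header_value(uri):
            hits.append((match.group("ip"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in find_crlf_requests(SAMPLE_LOG_LINES):
        print(f"CRLF in request from {ip}: {uri!r}")
```

When run against the constructed log, the scanner reports the two requests whose redirect parameter decodes to a line break; the first and third requests are clean. The repeated-decoding step matters in practice because a single `unquote` misses the double-encoded variant, and the hardened setter rejects the same characters on the server side, which is the fix category the vendor patch falls into.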
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.