APT28’s Operation MacroMaze used macro-laced documents and webhook.site to exfiltrate data across Europe from Sept 2025 to Jan 2026.
Category: cybercrime/malcode
Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
Cybersecurity researchers have disclosed what they say is an active “Shai-Hulud-like” supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft.
The campaign has been codenamed SANDWORM_MODE by supply chain security company Socket. As with prior Shai-Hulud attack waves, the malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.
“The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting,” the company said.
Predator spyware hooks iOS SpringBoard to hide mic, camera activity
Intellexa’s Predator spyware can hide iOS recording indicators while secretly streaming camera and microphone feeds to its operators.
The malware does not exploit any iOS vulnerability but leverages previously obtained kernel-level access to hijack system indicators that would otherwise expose its surveillance operation.
Apple introduced recording indicators on the status bar in iOS 14 to alert users when the camera or microphone is in use, displaying a green or an orange dot, respectively.
Spain arrests suspected hacktivists for DDoSing govt sites
Spanish authorities have arrested four alleged members of a hacktivist group believed to have carried out cyberattacks targeting government ministries, political parties, and various public institutions.
The group, which called itself “Anonymous Fénix” and claimed they were affiliated with the Anonymous hacker collective, conducted distributed denial-of-service (DDoS) attacks against targets in Spain and several South American countries, according to the Spanish Civil Guard.
The first attacks occurred in April 2023 and peaked after the flash floods that struck Valencia in late October 2024, when the group’s members attacked multiple government websites, claiming Spanish authorities were responsible for the deaths and destruction caused by the storm.
Unhackable metasurface holograms: Security technology can lock information with light color and distance
A research team led by Professor Junsuk Rho at POSTECH (Pohang University of Science and Technology) has developed a secure hologram platform that operates solely based on the wavelength of light and the spacing between metasurface layers. The technology makes hacking and counterfeiting virtually impossible, and is expected to be widely adopted for security cards, anticounterfeiting, and military communications. The paper is published in the journal Advanced Functional Materials.
With a growing number of hacking incidents and data breaches, the limitations of digital security are becoming increasingly evident. No matter how sophisticated an encryption scheme is, as long as it exists as code, it is difficult to completely eliminate the risk of intrusion. Motivated by this challenge, the team proposed a new approach that uses the physical conditions of light itself as a security key.
At the core of this innovation is the “metasurface,” an ultrathin optical device that arranges microscopic structures to control light. By illuminating a metasurface, a holographic image can be reconstructed in free space. However, conventional holograms have typically been limited in that a single device could store only one piece of information.
AI ‘blind spot’ could allow attackers to hijack self-driving vehicles
A newly discovered vulnerability could allow cybercriminals to silently hijack the artificial intelligence (AI) systems in self-driving cars, raising concerns about the security of autonomous systems increasingly used on public roads. Georgia Tech cybersecurity researchers discovered the vulnerability, dubbed VillainNet, and found it can remain dormant in a self-driving vehicle’s AI system until triggered by specific conditions. Once triggered, VillainNet is almost certain to succeed, giving attackers control of the targeted vehicle.
The research finds that attackers could program almost any action within a self-driving vehicle’s AI super network to trigger VillainNet. In one possible scenario, it could be triggered when a self-driving taxi’s AI responds to rainfall and changing road conditions. Once in control, hackers could hold the passengers hostage and threaten to crash the taxi.
The researchers discovered this new backdoor attack threat in the AI super networks that power autonomous driving systems.
ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT).
“The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic,” Elastic Security Labs said in a Friday report.
According to the enterprise search and cybersecurity company, MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation capabilities. The campaign was discovered earlier this month.