Researchers from Mysk reported that WhatsApp uses a shared container linked to Meta applications, identified as group.com.facebook.family. On Apple devices, app group containers allow applications from the same developer to share data and resources.

Because Facebook, Instagram, and WhatsApp belong to the same ecosystem, the shared architecture could introduce privacy and security concerns if exploited alongside operating system vulnerabilities.

Shared Containers Raise Privacy Concerns

The researchers found that WhatsApp chat databases stored inside these containers are not encrypted at rest. This means the data may remain readable if attackers gain access to the device or exploit weaknesses in the operating system.

According to the report, the following risks were identified:

• Chat histories may be stored in plaintext
• Other Meta-owned apps could theoretically access shared data
• Users receive no alerts when such access occurs
• The issue affects both macOS and iOS environments

Researchers also demonstrated that WhatsApp chat histories could be extracted from iPhone backups, where the same unencrypted storage structure was observed.

The findings highlight an important distinction in security design. While WhatsApp uses end-to-end encryption to protect messages during transmission, that protection does not automatically secure data stored locally on the device.

macOS Vulnerability Increases Exposure Risk

The risk becomes more serious when combined with a recently disclosed macOS vulnerability tracked as CVE-2026-28910. The flaw affected Apple’s Archive Utility tool and reportedly allowed attackers to bypass App Sandbox protections.

By abusing this vulnerability, attackers could potentially:

• Access protected application containers
• Extract sensitive information from apps
• Bypass Apple’s Transparency, Consent, and Control protections
• Access chat histories from applications like WhatsApp

Researchers presented a proof-of-concept demonstration showing how the vulnerability could be combined with WhatsApp’s storage behavior to retrieve chat data.

Security Debate Around the Findings

Not all experts agree on the severity of the issue. WABetaInfo stated that although the databases may not be encrypted locally, Apple’s sandboxing system still provides strong isolation between applications.

From this perspective, attackers would still require elevated system privileges or a separate operating system exploit to access the stored data.

However, researchers at Mysk argue that shared app group permissions between Meta applications reduce isolation boundaries and increase the potential attack surface.

The discussion highlights broader concerns about local data protection in modern mobile ecosystems, especially when multiple applications share common storage environments.

Recommendations for Users

Security experts recommend several steps to reduce potential exposure risks:

• Enable encrypted Finder or iTunes backups
• Keep macOS and iOS updated with the latest security patches
• Use strong device passcodes and device encryption
• Limit unnecessary applications from the same developer ecosystem
• Regularly review application permissions and backup settings

At the time of reporting, there were no confirmed cases of widespread exploitation linked to the findings. However, the research highlights the importance of protecting sensitive data not only during transmission but also while stored on devices.

The post WhatsApp Chat Data Found Stored Without Encryption appeared first on First Hackers News.

ExifTool is widely used to read and modify metadata in images, PDFs, and multimedia files. Because the tool is heavily integrated into media workflows, automation pipelines, and digital asset management systems, the vulnerability creates a significant security risk in environments that handle untrusted files.

The implications of the ExifTool vulnerability extend to various sectors, where data integrity and security are paramount.

How the Vulnerability Works

The issue is linked to improper sanitization of metadata fields related to file creation dates on macOS. Researchers found that attackers can embed malicious commands inside image metadata fields such as FileCreateDate or DateTimeOriginal.

When ExifTool processes the manipulated file under specific conditions, the hidden command can be executed through the system shell.

The vulnerability becomes exploitable when:

• ExifTool processes raw metadata values using the -n flag
• Malicious metadata is copied through the -tagsFromFile feature
• Unsafe input reaches a system() execution call without proper filtering

Researchers observed that ExifTool internally builds system commands using metadata values extracted directly from files. While most parameters are sanitized, one execution path allowed unfiltered user-controlled data to be passed into a shell command.

This creates a command injection scenario where attackers can run arbitrary commands with the privileges of the user processing the file.

Security Risks and Patch Information

The vulnerability is especially dangerous for organizations using automated image-processing workflows, newsroom environments, or media management platforms where files are processed automatically.

Because the malicious payload is hidden inside metadata, the image itself may appear legitimate and bypass traditional security checks.

If exploited successfully, attackers could:

• Execute malicious commands on macOS systems
• Deploy malware or backdoors
• Steal sensitive information
• Move laterally across internal networks

Researchers from Kaspersky identified the vulnerability, and ExifTool developers addressed the issue in version 13.50.

The patched release changes how system commands are executed by replacing unsafe string-based command construction with safer argument-based execution methods. This prevents shell interpretation and significantly reduces the risk of command injection.

Users and organizations are strongly advised to update to ExifTool 13.50 or later immediately. Security experts also recommend processing untrusted files inside isolated environments such as sandboxes or virtual machines to reduce exposure to malicious media files.

The incident highlights an ongoing cybersecurity challenge where even trusted file-processing tools can become attack vectors if user-controlled input is not handled securely.

The post ExifTool Flaw Allows Mac System Compromise appeared first on First Hackers News.

This activity has been closely analyzed by Mauro Eldritch, who has documented how this campaign is impacting high-value macOS users, especially in fintech and crypto sectors.

Initial Access and Social Engineering Flow

The attack typically begins with targeted outreach on Telegram, where threat actors impersonate trusted contacts such as colleagues or business partners. Victims—often executives or developers—receive urgent meeting requests designed to trigger quick action.

They are then redirected to phishing pages that closely resemble platforms like Zoom, Microsoft Teams, or Google Meet. These pages claim a technical issue and instruct the user to fix it manually.

Instead of a traditional exploit, the victim is guided to copy and execute a Terminal command. Because this action is user-initiated, many security tools interpret it as legitimate behavior.

Execution Chain and Malware Behavior

Once the command is executed, the infection chain unfolds in multiple stages designed to blend in with normal macOS activity.

• The first-stage binary (commonly seen as teamsSDK.bin) acts as a downloader that retrieves additional components
• Fake macOS applications are dropped, mimicking meeting tools or system prompts to appear legitimate
• These apps repeatedly request user passwords, often using poorly written prompts to trick the victim
• A secondary module (such as D1YrHRTg.bin) performs deep system profiling using native tools like sysctl

The profiling stage gathers extensive system intelligence, including host identifiers, operating system details, running processes, network configuration, and browser-related data from Chrome, Safari, Brave, and similar applications.

Interestingly, researchers observed flaws in parts of the malware. Some profiling components enter continuous loops, repeatedly sending the same data to command-and-control infrastructure, which can cause noticeable performance issues on infected machines.

To avoid execution barriers, the malware leverages macOS utilities like codesign to apply ad-hoc signatures, helping malicious binaries run under standard policies without raising immediate suspicion.

Credential Theft and Data Exfiltration

The final stage of the attack is handled by a stealer component referred to as macrasv2. This module focuses on extracting high-value data from the compromised system.

Targets include:

• Browser-stored credentials and active session cookies
• macOS Keychain entries containing saved secrets
• Files that can grant access to SaaS platforms, internal systems, or crypto wallets

All collected data is compressed into archive files (for example, user_ext.zip) and exfiltrated to attacker-controlled servers.

Persistence Mechanism

To maintain long-term access, additional components like minst2.bin are deployed. These create persistence by placing disguised binaries—often pretending to be legitimate services like OneDrive—inside directories labeled as security-related (such as an “Antivirus Service” folder).

The malware then registers itself as a LaunchAgent, ensuring execution every time the user logs in.

Why This Campaign Is Effective

This attack stands out because it avoids traditional exploitation techniques. By relying on user-executed commands and built-in macOS tools, the activity appears normal to many EDR solutions until after credentials and access tokens are already compromised.

For organizations where macOS devices are widely used—especially among developers and leadership—this creates a serious risk. A single compromised system can lead to broader access across internal infrastructure and financial assets.

Detection and Defensive Considerations

To counter this type of campaign, defenders need to shift focus toward behavior rather than just exploits.

• Monitor unusual Terminal activity and command execution patterns
• Identify and block ClickFix-style phishing workflows
• Regularly audit LaunchAgents for suspicious or disguised entries
• Track outbound connections to uncommon ports or Telegram-related infrastructure
• Use sandbox environments like ANY.RUN to safely analyze suspicious files, URLs, and execution chains

Interactive sandboxing plays a key role in understanding how these multi-stage attacks operate, allowing defenders to reconstruct the full infection path and extract indicators for detection.

The post Lazarus Delivers “Mach-O Man” macOS Malware via ClickFix appeared first on First Hackers News.

A recent campaign shows attackers abusing shareable ChatGPT and Grok conversations, then promoting those links through Google Search ads. The goal? Convince macOS users to run Terminal commands that quietly install the Atomic macOS Stealer (AMOS).

This isn’t traditional malware distribution. It’s credibility-based delivery.

The Shift: Malware Hidden Behind Trust

Instead of hosting malware on suspicious domains, attackers are:

• Publishing malicious “how-to” conversations on legitimate AI platforms
• Boosting those pages using Google Ads
• Framing the instructions as helpful troubleshooting steps

For example, a user searching for something harmless like “clear disk space on macOS” may encounter a sponsored AI chat result. The page looks legitimate. The domain is trusted. The instructions appear technical and helpful.

But the recommended Terminal command downloads and executes malicious code.

No fake installer.
No cracked software.
Just copy, paste, and compromise.

The malicious instructions are hosted on legitimate AI domains via public sharing links. That removes the psychological red flag users often rely on.

Paid ads further amplify visibility, placing these AI-hosted pages at the top of search results — sometimes ahead of legitimate support content.

This is social engineering layered with platform trust.

The Target: Cryptocurrency and Browser Data

macOS infostealers like AMOS are part of a growing underground economy. Their primary targets include:

• Saved browser credentials
• Apple Keychain secrets
• Cryptocurrency wallets and seed phrases
• Chrome crypto extensions (over 100 reported targets)
• Wallet-themed phishing tied to brands like Ledger, Trezor, and Exodus

Some operators even advertise affiliate-style revenue sharing for crypto theft, highlighting how organized this ecosystem has become

What defenders should watch for

• Users copying Terminal commands from web pages
• Scripts that download and execute immediately
• Signed apps requesting unexpected permissions
• Unusual outbound traffic to crypto-related infrastructure

The bigger pattern is clear.

Modern macOS attacks don’t rely on obvious red flags anymore.

They rely on trusted platforms, legitimate domains, paid visibility, and signed applications to remove the moment where a user might hesitate.

That’s the shift defenders need to understand.

The post Threat Actors Leverage ChatGPT, Grok, and Google Ads to Deploy macOS AMOS Stealer appeared first on First Hackers News.

Security researchers report that this macOS-focused campaign has reached nearly 50,000 downloads and is backed by a fully operational attack infrastructure.

Malicious VS Code Extensions Identified

Investigators have linked three malicious extensions on the Open VSX marketplace to the same GlassWorm threat actor. All three share common command-and-control infrastructure, including the IP address 45.32.151.157, which has appeared in earlier GlassWorm activity.

This confirms the campaign is coordinated and actively maintained.

What’s New in Wave 4

This fourth wave represents a clear escalation compared to earlier versions.

• Unicode-based hiding techniques have been replaced with AES-256-CBC encrypted payloads
• The encrypted payloads are embedded in compiled JavaScript
• A hardcoded encryption key is reused across all malicious extensions
• Malware execution is delayed by 15 minutes to evade sandbox detection

Most automated security scans stop after five minutes, allowing the malware to execute only after security checks are complete.

Unlike earlier GlassWorm campaigns that targeted Windows systems, Wave 4 is exclusive to macOS.

This shift is strategic. Developers in cryptocurrency, Web3, and startup environments—GlassWorm’s primary targets—largely rely on Apple devices.

The macOS payload is platform-specific and includes:

• AppleScript for execution instead of PowerShell
• LaunchAgents for persistence instead of Registry keys
• Direct theft of data from the macOS Keychain

GlassWorm’s infrastructure continues to evolve to avoid disruption. The threat actor has introduced a new Solana wallet address while keeping older wallets active. The malware queries Solana blockchain transaction memos to retrieve command-and-control URLs, with the data encoded in base64 format.

This blockchain-based C2 mechanism is designed to be decentralized, difficult to takedown, and resistant to traditional disruption efforts. Infrastructure tracking also shows frequent IP rotation and the use of a dedicated exfiltration server.

The most concerning development in this wave is GlassWorm’s move beyond credential theft. The malware now actively targets Ledger Live and Trezor Suite, attempting to replace legitimate wallet applications with trojanized versions.

This capability significantly raises the risk for developers and cryptocurrency users, as it directly threatens hardware-protected digital assets.

Mitigation and Recommendations

A successful attack could allow threat actors to manipulate wallet interfaces, redirect transactions, harvest recovery phrases, and monitor hardware wallet communications, effectively undermining the security guarantees of air-gapped devices.

GlassWorm’s trajectory shows a steady expansion in both capability and ambition. The campaign has moved away from earlier stealth techniques and operating system limitations, now focusing on deeper system integration and higher-value targets.

Current observations show that, as of late December 2025, infrastructure used to deliver compromised wallet components is not yet serving active payloads. This suggests the operation is staged and awaiting the next execution phase.

The malware also enforces strict validation checks during deployment, rejecting unusually small files. This points to careful engineering choices designed to reduce detection and prevent malformed executions.

Overall, GlassWorm represents a responsive and evolving adversary. The operator clearly adapts to public disclosures, refining tools and methods while keeping core infrastructure alive. The threat should be considered ongoing rather than dormant.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post GlassWorm malware uses malicious VS Code extensions to attack macOS systems appeared first on First Hackers News.

Attackers are using AI chats on OpenAI’s ChatGPT and xAI’s Grok. They push these chats to the top of search results using SEO tricks, making them look like trusted troubleshooting guides.

The danger is that users don’t download anything suspicious. No installers, no malware files, and no warnings. All it takes is searching on Google, clicking a result, and copy-pasting a command.

This attack works by abusing three types of trust: search engines, legitimate platforms, and AI-generated advice.

When users search basic macOS tips like “clear disk space on macOS,” top results lead them to real ChatGPT or Grok pages.

These pages look professional and safe, offering step-by-step instructions.

But when the victim runs the Terminal command, it triggers a hidden multi-stage attack that steals credentials, gains higher access, and sends data out silently.

Exploiting Trust Through AI

This is a major evolution in social engineering. Attackers are not pretending to be trusted platforms anymore—they are turning trusted platforms into weapons using poisoned search results.

The malware doesn’t need to look like safe software when it can pretend to be helpful guidance.

During the investigation, Huntress confirmed similar poisoned results for searches like “how to clear data on iMac,” “clear system data on iMac,” and “free up storage on Mac,” proving this is a broad, intentional campaign—not a one-off case.

The presence of similar campaigns on both ChatGPT and Grok shows that a coordinated attacker is actively targeting these platforms.

The AMOS delivery method makes this even more dangerous. The first command runs a bash script that tricks users into entering their system password for “verification.”

Instead of showing a real macOS login prompt, the script checks the password quietly in the background using the dscl-authonly command—no system dialog, no Touch ID, and no warning.

Once the password is confirmed, the script stores it in plaintext and uses it to gain full admin access through sudo -S without asking the user again.
It then installs the main stealer payload in a hidden .helper folder inside the user’s home directory.
Finally, it replaces genuine crypto wallet apps like Ledger and Trezor with fake versions designed to steal seed phrases.

New AI-Enabled Attack Methods

The stealer quietly gathers data from crypto wallets, browser passwords, the macOS Keychain, and other sensitive files.

Its persistence method is also very stealthy. A LaunchDaemon runs a hidden AppleScript loop that checks the active user every second, keeping the malware running nonstop.

f the .helper malware stops for any reason, the watchdog brings it back almost instantly.
This keeps it running all the time — even after a restart or if someone tries to kill the process — and lets it access user-level passwords and app data that normal background services can’t touch.

For defenders, this attack is difficult to spot. The infection starts with a harmless-looking Terminal command, so signature-based tools see nothing unusual.

Detection now depends on noticing odd behavior: unexpected osascript password checks, strange dscl-authonly activity, hidden files in the home directory, or processes using sudo with piped passwords.

For users, the danger is even more subtle. Nothing feels suspicious. Copying a command from ChatGPT seems normal and helpful — not risky.

As AI becomes part of everyday tasks, this technique will spread fast. It’s easy to scale and hard to block with traditional defenses.

This campaign is a turning point for macOS security. The real shift isn’t AMOS itself — it’s the delivery method that slips past both security tools and human judgment.

Today’s attacks don’t just target machines — they target habits and our growing trust in AI.

The post 𝗔𝗠𝗢𝗦 𝗦𝘁𝗲𝗮𝗹𝗲𝗿 𝗦𝗽𝗿𝗲𝗮𝗱 𝘃𝗶𝗮 𝗔𝗯𝘂𝘀𝗲𝗱 𝗖𝗵𝗮𝘁𝗚𝗣𝗧 & 𝗚𝗿𝗼𝗸 𝗖𝗵𝗮𝘁𝘀 appeared first on First Hackers News.

MacOS password-stealing malware

Atomic Stealer (AMOS) was first found in April 2023 and is sold as malware-as-a-service (MaaS) on hacker forums and Telegram. It has evolved from Go to C++, with some versions using Python scripts or Mach-O binaries. Spread through malvertising, it steals browser passwords, cryptocurrency wallets, and instant messaging data.

Execution Flow: Atomic Stealer pretends to be a legitimate installer and tries to access files like /Users/$USER/Library/Application Support/Google/Chrome/Default/Login Data to steal Chrome login credentials.

Poseidon Stealer: Created by “Rodrigo4,” supposedly a former Atomic Stealer developer, Poseidon Stealer spreads through fake installers, Google ads, and malicious emails. It uses an encoded AppleScript to run its main logic and tricks users into entering their passwords during installation.

How It Works:
Once installed, Poseidon Stealer prompts users for their password and steals browser passwords, cryptocurrency wallets, macOS Notes, and Telegram data, sending them to attacker-controlled servers.

Cthulhu Stealer: Sold on Telegram by the “Cthulhu Team,” this malware is written in Go and spread through fake app installers. It steals browser credentials, cryptocurrency wallets, and files like .png, .jpg, and .pdf.

How It Works:
Cthulhu Stealer tricks users with fake password prompts, including MetaMask requests. It saves stolen data in /Users/Shared/NW and uploads it to a command-and-control server.

Recommendation:

To protect against these threats, organizations should deploy advanced detection tools like Cortex XDR, which can analyze credential theft and sensitive data exfiltration. These tools help monitor suspicious AppleScript executions and unauthorized file access.

Additionally, adopting multi-layered defense strategies and staying updated on emerging threats are essential for protecting sensitive information.

Indicators of Compromise (IoC):

• SHA256 Hashes for Atomic Stealer:
• 599e6358503a0569d998f09ccfbdeaa629d8910f410e26df0ffbd68112e77b05
• a33705df80d2a7c2deeb192c3de9e7f06c7bfd14b84f782cf86099c52a8b0178
• IP Addresses for Atomic Stealer C2 Servers:
• 94.142.138[.]177
• 194.169.175[.]117
• SHA256 Hashes for Poseidon Stealer:
• 9f4f286e5e40b252512540cc186727abfb0ad15a76f91855b1e72efb006b854c
• 5880430d86d092ac56bfa4aec7e245e3d9084e996165d64549ccb66b626d8c56
• IP Addresses for Poseidon Stealer C2 Servers:
• 194.59.183[.]241
• 70.34.213[.]27

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post MacOS password-stealing malware is spreading rapidly appeared first on First Hackers News.

Patch updates

On January 27, 2025, Apple released critical updates for iPhones, iPads, Macs, Apple Watches, Apple TVs, Vision Pro, and Safari to address a zero-day vulnerability and other security issues.

Key updates include:

• iOS 18.3 & iPadOS 18.3: Fixes a zero-day flaw; urgent update for supported devices.
• macOS Sequoia 15.3, Sonoma 14.7.3, Ventura 13.7.3: Patches for system stability and security.
• watchOS 11.3: Security enhancements for Series 6 and later.
• tvOS 18.3 & visionOS 2.3: Performance and security updates.
• Safari 18.3: Resolves browser vulnerabilities on macOS Ventura and Sonoma.

Apple’s updates address active exploits targeting vulnerabilities discovered in late 2024. These flaws allowed attackers to bypass memory protections, affecting devices with outdated software. Users on older iOS, macOS, or Safari versions were at high risk.

The rollout highlights Apple’s use of Rapid Security Responses to quickly fix critical vulnerabilities without full software updates.

Apple recommends enabling automatic updates for device security. To manually update:

• iPhone/iPad: Go to Settings > General > Software Update.
• Mac: Open System Settings and select Software Update.
• Apple Watch: Use the Watch app on your iPhone, then go to General > Software Update.
• Apple TV: Go to Settings > System > Software Updates.
• Vision Pro: Apply updates via the Vision Pro settings menu.

Experts stress the importance of updates to protect against malware, ransomware, and cyber threats. Apple’s quick action helps keep its ecosystem secure.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Apple Releases Security Update: Patches for iOS Zero-Day and macOS appeared first on First Hackers News.

macOS Sequoia Update

The release of macOS Sequoia has caused widespread frustration among developers of macOS security tools. Patrick Wardle, founder of the Mac and iOS security startup DoubleYou, expressed concern over the recurring challenges that arise whenever Apple launches a new update.

Patrick Wardle, a developer of macOS security tools, expressed frustration, stating, “It’s incredibly frustrating to repeatedly deal with users blaming our tools for breaking their Macs.” He stressed the need for Apple to conduct more rigorous testing before releasing updates.

The problems seem to arise from changes in the network stack, which have affected several security products. A CrowdStrike sales engineer mentioned in a Slack group for Mac administrators that the company had to delay support for Sequoia due to these changes, adding, “There’s quite a lot going on with the changes in the network stack.”

According to TechCrunch, several companies quickly responded to the issues caused by the macOS Sequoia update.

CrowdStrike issued a “Tech Alert” to its customers and is waiting for an Apple update before offering official support. Despite the challenges, SentinelOne claimed to have provided full support for Sequoia right after its release. However, a SentinelOne Support account had warned users not to upgrade their systems until they had a supported agent in place.

After upgrading to macOS Sequoia, ESET warned customers about network issues but later confirmed their products are compatible.

Problems aren’t limited to enterprise tools—users have reported issues with DNS, firewalls, and apps like Firefox. Security researchers noted that Sequoia’s firewall could block web access after the update.

The problems with macOS Sequoia affect not just enterprise security tools but also individual users. Security researcher Will Dormann reported issues with DNS and firewall operations on Mastodon. Additionally, researcher Wacław Jacek mentioned that the OS firewall might block web browsing after the upgrade. These disruptions also impact common applications, such as the Firefox browser.

The post macOS Sequoia update disrupts multiple security tools appeared first on First Hackers News.

RATs are often delivered via phishing email attachments or bundled with seemingly legitimate applications, like video games. On September 5, Intego reported the release of a new version of HZ RAT targeting macOS.

Previous reports indicate that HZ RAT originates from China, though Intego hasn’t disclosed specific attribution. This recent macOS malware provides attackers with full remote administrative access and first appeared on Windows PCs in 2022 before targeting Macs.

The macOS Malware HZ RAT 

According to the Moonlock report, HZ RAT can spy on users and steal data, functioning as a sophisticated remote access trojan that grants full administrative control. It can take screenshots, log keystrokes, steal data from Google Password Manager, and target user information on popular Chinese Mac apps like WeChat and DingTalk.

Once installed, the malware connects to a command-and-control server, allowing attackers to upload, download, and execute files remotely. It spreads through watering hole attacks, fake Google Ads, and website impersonation.

The malware can collect data such as:

• IP address
• Bluetooth and Wi-Fi data
• Network info
• Hardware specs
• App lists
• WeChat and DingTalk information
• Usernames and websites from Google Password Manager

Though it doesn’t steal passwords directly, it may use leaked credentials from the dark web. The goal appears to be data collection, and it’s difficult for security providers to detect.

Intego found malware posing as the OpenVPN Connect app. A 2022 analysis of the Windows version linked it to Chinese IPs, with 80% of them active but unreachable, and 20% inactive.

Recommendation

To protect your Mac, always download apps from trusted sources like the Apple App Store. Keep your operating system and security software up to date, and be cautious of any suspicious emails, links, or attachments.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New macOS malware allows attackers to control devices remotely appeared first on First Hackers News.