This activity was uncovered by the Atos Threat Research Center in early 2026. The goal is clear—compromise high-privilege users and gain direct access to critical systems.

How the Attack Starts

The attack begins with SEO poisoning across search engines like Bing, Yahoo, DuckDuckGo, and Yandex.

Attackers push fake GitHub repositories to the top of search results for queries related to popular admin tools. These repositories look legitimate and contain detailed documentation, but they don’t host malware directly.

The infection flow works like this:

• Fake GitHub repo acts as a trusted storefront
• README links redirect users to another repository
• Second repo hosts a malicious MSI installer
• Payload is executed on the victim system

This two-step setup helps attackers stay active even if one repository is removed.

Targeting High-Privilege Users

The campaign specifically mimics well-known administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and WinDbg. These tools are typically used by administrators, DevOps teams, and security analysts.

This approach acts as a filtering mechanism:

• Only users searching for these tools are targeted
• Most victims already have elevated privileges
• A successful infection gives immediate high-level access

By abusing trust in commonly used tools, attackers increase the chances of execution without suspicion.

Malware Behavior and Execution

Once the malicious installer runs, a multi-stage RAT is deployed using JavaScript and fileless techniques.

The behavior includes:

• Obfuscated scripts install Node.js and trigger execution
• Payloads are decrypted in memory using AES-256
• Persistence is created through Windows Registry Run keys
• Malware runs under legitimate processes like conhost.exe
• Continuous communication with attacker infrastructure

The RAT allows attackers to execute commands, monitor systems, and extract sensitive data without obvious signs.

Blockchain-Based Command and Control

One of the most unique aspects of EtherRAT is its use of blockchain for command-and-control.

Instead of fixed servers, the malware retrieves its C2 address from the Ethereum network. This makes it extremely difficult to block or disrupt.

Key advantages for attackers:

• No fixed IP or domain to blacklist
• C2 can be updated instantly via blockchain transactions

Because public blockchain infrastructure is widely accessible, traditional takedown strategies become ineffective.

Ongoing Activity and Threat Impact

Researchers observed at least 40+ malicious GitHub repositories over several months, showing this is not a one-time campaign but an ongoing operation.

There are also similarities with techniques used by groups like Lazarus Group and MuddyWater, though attribution is still being analyzed.

Unlike typical large-scale malware campaigns, EtherRAT focuses on stealth and persistence. After initial access, attackers perform quiet reconnaissance instead of immediate disruptive actions.

Why This Matters

This campaign highlights a shift in cyber threats:

• Attackers target fewer users but with higher value
• Legitimate platforms like GitHub are used to build trust
• Decentralized technologies like blockchain increase resilience

Organizations should verify software sources, limit administrative privileges, and monitor unusual outbound traffic—especially connections to blockchain services.

EtherRAT shows how modern attackers are blending trusted platforms with advanced techniques to create highly targeted and durable threats.

The post EtherRAT Attack Targets Enterprise Admins appeared first on First Hackers News.

Researchers at Certo identified a spyware tool called KidsProtect, which presents itself as a parental monitoring app. This is a common disguise in the stalkerware space, where intrusive tracking features are marketed as safety tools.

But the reality is different. The platform is openly promoted in hacking communities with claims of stealth and stability, clearly targeting covert surveillance use rather than legitimate parental control.

Through a web dashboard, operators can monitor a device remotely with capabilities that go far beyond basic tracking. This includes listening to calls, accessing messages, tracking live location, and even capturing keystrokes—all without the victim’s knowledge.

Deep Device Control and Evasion Tactics

Once installed, the spyware runs silently in the background and gives attackers near-total visibility into the device.

Key functions include:

• Live microphone access and call recording
• Real-time GPS tracking
• Reading SMS and app messages (including WhatsApp and Telegram)
• Keystroke logging for capturing passwords
• Remote access to cameras
• Monitoring screen activity in real time

To achieve this level of control, the app abuses sensitive Android permissions such as access to location, microphone, camera, and storage. One of the most critical features it exploits is the Accessibility Service, which allows it to read screen content and interact with other apps—making real-time surveillance possible.

The spyware is also built to stay hidden and resist removal. It disguises itself as a system-like app (for example, “WiFi Service”), registers as a Device Administrator, and includes anti-uninstall protection. Even after a device restart, it automatically relaunches using a BootReceiver component.

Victims are often tricked into disabling built-in protections like Google Play Protect, allowing the malware to operate freely without interruption.

A Growing Threat Through White-Label Resale

What makes this platform especially dangerous is its white-label model. Buyers can rebrand the spyware, set their own pricing, and distribute it as if it were their own product. This turns malware into a scalable business model rather than a single tool.

With entry costs starting relatively low, even non-technical users can launch their own spyware operation. This lowers the barrier to entry and allows the ecosystem to grow quickly, even when authorities shut down known stalkerware providers.

The spyware operates under package names like com.example.parentguard and supports Android devices from version 7 onwards. It also allows unencrypted (cleartext) traffic, increasing the risk of data exposure.

Overall, this platform shows how stalkerware is evolving—from isolated tools into commercialized services that enable widespread surveillance with minimal effort.

The post Android Spyware Platform Enables Resale appeared first on First Hackers News.

This activity has been closely analyzed by Mauro Eldritch, who has documented how this campaign is impacting high-value macOS users, especially in fintech and crypto sectors.

Initial Access and Social Engineering Flow

The attack typically begins with targeted outreach on Telegram, where threat actors impersonate trusted contacts such as colleagues or business partners. Victims—often executives or developers—receive urgent meeting requests designed to trigger quick action.

They are then redirected to phishing pages that closely resemble platforms like Zoom, Microsoft Teams, or Google Meet. These pages claim a technical issue and instruct the user to fix it manually.

Instead of a traditional exploit, the victim is guided to copy and execute a Terminal command. Because this action is user-initiated, many security tools interpret it as legitimate behavior.

Execution Chain and Malware Behavior

Once the command is executed, the infection chain unfolds in multiple stages designed to blend in with normal macOS activity.

• The first-stage binary (commonly seen as teamsSDK.bin) acts as a downloader that retrieves additional components
• Fake macOS applications are dropped, mimicking meeting tools or system prompts to appear legitimate
• These apps repeatedly request user passwords, often using poorly written prompts to trick the victim
• A secondary module (such as D1YrHRTg.bin) performs deep system profiling using native tools like sysctl

The profiling stage gathers extensive system intelligence, including host identifiers, operating system details, running processes, network configuration, and browser-related data from Chrome, Safari, Brave, and similar applications.

Interestingly, researchers observed flaws in parts of the malware. Some profiling components enter continuous loops, repeatedly sending the same data to command-and-control infrastructure, which can cause noticeable performance issues on infected machines.

To avoid execution barriers, the malware leverages macOS utilities like codesign to apply ad-hoc signatures, helping malicious binaries run under standard policies without raising immediate suspicion.

Credential Theft and Data Exfiltration

The final stage of the attack is handled by a stealer component referred to as macrasv2. This module focuses on extracting high-value data from the compromised system.

Targets include:

• Browser-stored credentials and active session cookies
• macOS Keychain entries containing saved secrets
• Files that can grant access to SaaS platforms, internal systems, or crypto wallets

All collected data is compressed into archive files (for example, user_ext.zip) and exfiltrated to attacker-controlled servers.

Persistence Mechanism

To maintain long-term access, additional components like minst2.bin are deployed. These create persistence by placing disguised binaries—often pretending to be legitimate services like OneDrive—inside directories labeled as security-related (such as an “Antivirus Service” folder).

The malware then registers itself as a LaunchAgent, ensuring execution every time the user logs in.

Why This Campaign Is Effective

This attack stands out because it avoids traditional exploitation techniques. By relying on user-executed commands and built-in macOS tools, the activity appears normal to many EDR solutions until after credentials and access tokens are already compromised.

For organizations where macOS devices are widely used—especially among developers and leadership—this creates a serious risk. A single compromised system can lead to broader access across internal infrastructure and financial assets.

Detection and Defensive Considerations

To counter this type of campaign, defenders need to shift focus toward behavior rather than just exploits.

• Monitor unusual Terminal activity and command execution patterns
• Identify and block ClickFix-style phishing workflows
• Regularly audit LaunchAgents for suspicious or disguised entries
• Track outbound connections to uncommon ports or Telegram-related infrastructure
• Use sandbox environments like ANY.RUN to safely analyze suspicious files, URLs, and execution chains

Interactive sandboxing plays a key role in understanding how these multi-stage attacks operate, allowing defenders to reconstruct the full infection path and extract indicators for detection.

The post Lazarus Delivers “Mach-O Man” macOS Malware via ClickFix appeared first on First Hackers News.

While some of these issues require prior access or valid credentials, the overall risk remains significant—especially for organizations relying heavily on SonicWall firewalls to protect their networks. Immediate attention and updates are strongly recommended.

Major Security Risks Identified

The most serious issue involves a flaw in how access controls are handled. Under certain conditions, an attacker on a nearby network could bypass normal authentication checks and gain access to sensitive management functions.

This type of access can be highly dangerous. If exploited, attackers may be able to:

• Change firewall rules
• Disable security protections
• Modify system configurations

In addition to this, two other vulnerabilities affect users who already have access to the system. One allows attackers to move outside restricted directories and interact with protected services, while another can overload the system and force the firewall to crash.

Breakdown of the Vulnerabilities

The advisory highlights three key issues that administrators should be aware of:

• Access control bypass flaw – Allows unauthorized access to management functions from adjacent networks
• Path traversal issue – Lets authenticated users reach restricted system areas
• Buffer overflow vulnerability – Can be used to crash the firewall and disrupt operations

Each of these issues presents a different level of risk, but together they create a serious security concern for affected systems.

What Organizations Should Do

SonicWall has provided fixes and recommended actions to reduce the risk. Organizations using SonicOS should review the advisory and apply updates as soon as possible.

Delaying patches could leave systems exposed to attacks that impact both security and uptime. Ensuring that firewall software is up to date is critical to maintaining a strong defense.

These vulnerabilities highlight how even core security systems like firewalls can become targets. A single flaw can lead to access bypass or service disruption, affecting the entire network.

Staying updated, applying patches quickly, and monitoring systems closely remain essential steps in preventing such risks.

The post SonicWall Flaw Allows Access Bypass and Firewall Crash appeared first on First Hackers News.

With this approach, users will no longer have to depend on shared cloud storage limits. Instead, WhatsApp aims to provide its own storage environment specifically built for messaging data. This is especially important as chat backups today include large files like high-resolution images, videos, and voice notes, which quickly consume available space.

All data stored in this system will be protected with end-to-end encryption by default. This means that messages remain private, and even WhatsApp itself cannot access the content. By keeping backups encrypted at all times, the platform is aiming to reduce the risk of unauthorized access or data exposure.

Enhanced Security with Passkeys

To strengthen protection further, WhatsApp is planning to introduce passkey-based authentication for backup access. Instead of using traditional passwords or long encryption keys, users will be able to unlock their backups using biometric methods such as fingerprint or facial recognition.

This makes the process both simpler and more secure. The authentication is tied directly to the user’s device, which reduces the risk of attacks like phishing, credential theft, or brute-force attempts. The passkey is securely stored and can sync across trusted devices, allowing users to restore backups without needing to remember complex credentials.

At the same time, WhatsApp is expected to keep alternative options available. Users who prefer using passwords or encryption keys will still have that choice, ensuring flexibility for different security preferences.

Storage Options and Rollout Plans

The upcoming system is also expected to introduce dedicated storage plans for backups. Early expectations suggest a small free storage tier for basic use, along with larger paid options for users who need more capacity. This would allow users to manage their backup storage without affecting their personal cloud accounts.

Despite this shift, WhatsApp is likely to continue supporting third-party backups for users who prefer their current setup. This ensures a smoother transition without forcing immediate changes.

The feature is still in development and has not yet been released publicly. It is expected to go through multiple testing phases to ensure stability, security, and compatibility with existing systems before a wider rollout begins.

This move reflects a broader industry trend toward building self-contained ecosystems that prioritize privacy, security, and better control over user data, rather than relying entirely on external platforms.

The post WhatsApp Tests Safer Cloud Backup for Messages appeared first on First Hackers News.

The issue came to light after data linked to the company appeared on dark web forums. Initial findings suggest that attackers were able to access the repository following an earlier breach involving the Checkmarx breach that impacted the company weeks before.

This shows how cyber attacks don’t always end with the first compromise. In many cases, attackers return later to extract more data or expand their access.

What Happened

The incident appears to be connected to a previous supply chain attack that occurred in March 2026. Attackers likely used that initial access to move deeper into internal systems and eventually reach the GitHub repository.

Weeks later, some of that data was leaked publicly, bringing the incident into focus. This highlights a common pattern in modern attacks—initial access followed by delayed exploitation.

Impact on Customers

Despite the seriousness of the situation, Checkmarx has stated that customer environments are not directly affected. The exposed repository was separate from production systems, and company policies do not allow customer data to be stored in such repositories.

Key points include:

• The affected repository is not connected to live customer systems
• Customer data is not stored in the exposed environment
• Ongoing analysis is being conducted to confirm what data was leaked

The company has also stated that it will notify customers immediately if any sensitive information is found during the investigation.

Investigation and Ongoing Analysis

Checkmarx is working with external forensic experts to understand the full scope of the breach. The investigation is focused on identifying what data was accessed, how attackers moved within the environment, and whether any additional systems were affected.

Security teams are also analyzing the leaked data to verify its contents and assess any potential risks.

Response and Containment Measures

To control the situation, the company has taken immediate steps to secure its systems. Access to the affected GitHub repository has been restricted, and internal security teams are closely monitoring for any further suspicious activity.

These actions are aimed at preventing additional exposure and supporting the ongoing forensic investigation.

What Organizations Should Do

Organizations using Checkmarx solutions are advised to stay updated through official communications. While there is no confirmed impact on customers, it is important to remain cautious and informed.

Security teams should review any updates provided by the company and reach out through official support channels if they have concerns or require clarification.

This incident highlights how supply chain attacks can evolve over time. Even after the initial breach is contained, attackers may still have access that can be used later.

It also reinforces the importance of separating development environments from production systems, as this can significantly reduce the impact of such exposures.

In today’s threat landscape, a single breach is rarely the end—it is often just the beginning of a longer attack chain.

The post Checkmarx Breach: GitHub Repository Exposure Confirmed appeared first on First Hackers News.

The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.

To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.

This multi stage malware attack poses serious threats to organizations, as its multi-layered nature complicates detection and remediation efforts.

The email contains two files with slightly misspelled names to appear like quick internal documents:

• A Word file pretending to be a report
• A PDF file that looks like an official document

These small tricks are used to make the attack look normal and believable.

How the Multi-Stage Attack Works

The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.

When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.

At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.

Once installed, the malware:

• Connects to remote servers using trusted services
• Uses tools like developer tunnels to maintain access
• Sends stolen data through platforms like Discord
• Executes commands on the infected system

By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.

Evasion Techniques and Why It’s Dangerous

This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.

Some of its key evasion methods include:

• Hiding malicious code inside compiled scripts
• Using trusted cloud services for communication
• Disguising files with familiar names and branding
• Delivering payloads in stages instead of all at once

Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.

This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.

The post Multi Stage Malware Attack Uses Obfuscation to Evade Detection appeared first on First Hackers News.

As AI systems become more powerful, there is growing concern that they could be misused to generate harmful biological information. This could be exploited by advanced threat groups or individuals with malicious intent. To reduce these risks, OpenAI is inviting experts to test the model and find weaknesses before attackers do, as part of the gpt 5.5 bio bug bounty program.

The program brings together cybersecurity researchers, biosecurity specialists, and AI red teamers to identify vulnerabilities and improve the model’s safety controls.

The Challenge: Finding a Universal Jailbreak

The main objective of this program is to discover a “universal jailbreak.” In simple terms, this means creating a single prompt that can bypass the model’s built-in safety protections.

Participants are asked to design one prompt that can successfully make the model answer a set of restricted biological questions. The challenge must be completed in a clean session without triggering any warnings or safety systems.

This requires a strong understanding of:

• Prompt engineering techniques
• AI model behavior and responses
• Handling sensitive biological queries

The testing is limited to a controlled environment, ensuring that all experiments are conducted safely.

Rewards and Timeline

Because this is a complex and high-risk challenge, OpenAI is offering significant rewards for successful findings.

Key details include:

• A top reward of $25,000 for the first complete successful jailbreak
• Additional rewards for partial findings that provide useful insights
• Applications open until June 22, 2026
• Testing runs from April 28 to July 27, 2026

The structured timeline ensures that researchers have enough time to test while maintaining controlled access.

Who Can Participate

Access to the program is restricted to ensure responsible testing and prevent misuse of sensitive information.

To participate:

• Researchers must apply with relevant experience in AI or biology
• Selected participants may receive direct invitations
• An active ChatGPT account is required
• All participants must sign a Non-Disclosure Agreement (NDA)

This ensures that all findings remain confidential and are handled responsibly.

Why This Program Matters

This initiative highlights the growing importance of securing advanced AI systems. As models become more capable, the risks also increase, especially in sensitive areas like biology.

By working with experts and encouraging responsible testing, OpenAI aims to strengthen its safety systems and prevent potential misuse. This approach helps build more secure and reliable AI technologies for the future.

At the same time, it shows how collaboration between researchers and organizations is essential to stay ahead of emerging threats.

The post GPT-5.5 Bio Bug Bounty Boosts AI Safety appeared first on First Hackers News.

This campaign involves a Linux version of the GoGra backdoor, showing that the group is expanding beyond its earlier Windows-based operations. By using trusted cloud services, the malware blends into normal network traffic, allowing it to bypass many standard security tools that typically look for suspicious external connections.

The attack appears to focus on espionage rather than financial gain. Evidence suggests that targets are mainly located in South Asia, with attackers using region-specific document names to make their phishing attempts more convincing. This level of targeting shows a carefully planned and strategic operation.

Outlook Mailbox Malware Explained

The attackers gain access through social engineering, tricking users into opening files that appear harmless. These files are often disguised as official documents, but they actually contain hidden malicious code.

Once the file is opened, the malware quietly installs itself in the background. It avoids drawing attention while setting up persistence, ensuring it can continue running even after the system is restarted.

Some key characteristics of the infection process include:

• Disguised files that look like PDFs or official documents
• Malware hidden inside Linux executable files
• Silent installation without visible signs
• Persistence mechanisms that allow it to survive reboots

This approach makes it difficult for users to realize they have been infected until much later.

How the Backdoor Uses Microsoft Infrastructure

What makes this attack particularly sophisticated is how it uses Microsoft’s own services as a communication channel. Instead of connecting to suspicious servers, the malware interacts with legitimate cloud infrastructure, which helps it stay hidden.

After installation, the backdoor uses Microsoft APIs to communicate with a real Outlook mailbox. It regularly checks for new messages that contain instructions from the attacker. These commands are processed on the infected system, and the results are sent back through email responses.

The malware is designed to clean up after itself, deleting messages once they are used. This reduces traces of the attack and makes forensic investigation more difficult.

The main capabilities of the backdoor include:

• Receiving commands through Outlook mailbox messages
• Executing those commands on the infected machine
• Sending results back via email
• Removing evidence after communication

Because all of this happens through trusted services, the activity can easily go unnoticed in normal network monitoring.

Why This Attack Is Concerning

This campaign highlights a growing trend where attackers abuse legitimate platforms to hide their operations. By using trusted services like Microsoft’s cloud, they can bypass many traditional defenses that rely on detecting suspicious traffic.

The impact of such an attack can be serious. Attackers may gain long-term access to systems, collect sensitive data, and monitor user activity without being detected. Since the malware operates quietly and removes traces of its actions, it can remain active for extended periods.

This also shows how threat actors are evolving their techniques, moving toward more stealthy and persistent methods. Organizations can no longer rely only on basic perimeter defenses and must adopt more advanced monitoring strategies.

To reduce risk, security teams should pay close attention to unusual system behavior, unexpected background services, and abnormal use of cloud APIs. Monitoring activity from endpoints that do not typically interact with such services can help identify potential threats early.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Hackers Hide GoGra Backdoor in Outlook Mailboxes appeared first on First Hackers News.

Many users experience slow performance during meetings or while switching between chats, particularly on older laptops or systems with low memory. This new mode is designed to solve that problem by making Teams smarter about how it uses system resources. The rollout is expected to begin in early May 2026 and will gradually reach users worldwide by mid-May.

Instead of applying the same performance settings to every device, Teams will now adapt based on the hardware it is running on. This means users with lower-end devices can still have a smooth experience without needing upgrades.

How Efficiency Mode Works

When Efficiency Mode is active, Teams automatically adjusts its behavior to reduce strain on the system. These changes happen in the background without requiring user input.

Some of the key improvements include:

• Video quality is dynamically lowered during meetings to reduce CPU and bandwidth usage while still maintaining clear communication
• The app launches faster by avoiding heavy initial loading, showing a simpler interface instead of opening a chat window immediately
• Background processes are minimized to prevent unnecessary memory and CPU consumption
• A visual indicator appears in the app so users know when Efficiency Mode is active

These adjustments help reduce lag, improve responsiveness, and make meetings more stable, especially when multiple apps are running at the same time.

Automatic Enablement and User Control

Efficiency Mode is automatically enabled on devices that are likely to benefit from it. This ensures users get better performance without needing to change any settings.

However, Microsoft also gives users full control. If someone prefers the standard experience with full visuals and higher resource usage, they can disable Efficiency Mode in the settings. This flexibility allows users to choose between performance and full feature usage based on their needs.

Importantly, Microsoft has confirmed that this feature does not affect compliance, privacy, or security settings, making it safe for both personal and enterprise use.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What IT Teams Should Know

For organizations, this update is relatively simple to manage. Since the feature is enabled automatically, most environments will not require configuration changes.

Still, IT teams should be aware of a few key points:

• Helpdesk teams should understand how the feature works to assist users with questions
• Employees may need guidance on how to turn the feature on or off
• Internal documentation may need updates to reflect the new behavior of Teams
• Monitoring user feedback can help determine if the feature improves productivity

By preparing ahead, organizations can ensure a smooth transition and better user experience.

Why This Matters

Efficiency Mode is an important step in making Teams more accessible and reliable across different types of devices. Not all users have high-performance systems, and performance issues can disrupt communication and collaboration.

By optimizing how Teams uses CPU, memory, and network resources, Microsoft is improving usability without removing core features. This means more users can participate in meetings, collaborate effectively, and stay productive regardless of their device limitations.

In the long run, features like this help reduce the gap between high-end and low-end devices, making modern workplace tools more inclusive and efficient.

The post Microsoft Teams Boosts Performance on Low-End Devices appeared first on First Hackers News.