The Good | Joint Operations Dismantle Cybercrime Infrastructure, Infostealers & Malicious VPNs
Over 200 individuals and another 382 suspects have been rounded up in Interpol’s Operation Ramz, an initiative targeting cybercrime networks across the Middle East and North Africa.
Spanning thirteen countries and carried out alongside cybersecurity partners, the operation saw police seize 53 servers used for malware distribution, phishing campaigns, and online fraud, with at least 3,867 confirmed victims.
The third major crackdown organized by Interpol this year, the operation's highlights include the dismantling of an investment scam in Jordan and a phishing-as-a-service (PhaaS) platform in Algeria, and the confiscation of devices, servers, and data linked to various operations in Qatar, Oman, and Morocco.
Ukrainian cyberpolice, working alongside U.S. law enforcement, have identified a suspect in Odesa allegedly responsible for operating an infostealer malware campaign. Between 2024 and 2025, the accused targeted users of a California-based online store, compromising 28,000 customer accounts by capturing their session tokens. He then used 5,800 of those stolen tokens to make $721,000 in unauthorized purchases.
The suspect managed the digital infrastructure required to harvest, process, and sell the stolen account credentials through specialized online forums and Telegram bots. As authorities continue to build the formal case, they have seized several phones, bank cards, and other digital evidence confirming his involvement in the attacks.
Europol has taken “First VPN” offline in a joint operation led by French and Dutch authorities; the service was frequently used to facilitate ransomware deployments and data theft. Investigators seized 33 servers across 27 countries, confiscated all of its related domains, and arrested the platform’s administrator.
Threat actors previously promoted the service on cybercrime forums as a “privacy-focused tool” that ignored police data requests. Authorities have now identified all users of the platform, sharing intelligence on 506 individuals to support ongoing global investigations into connected fraud schemes and ransomware attacks.
The Bad | New macOS Stealer Variant Masquerades as Apple, Google & Microsoft in Multi-Stage Attack
SentinelOne researchers have identified a new macOS infostealer variant using the build tag “Reaper”, the latest evolution within the SHub Stealer malware family.
The infection chain lures victims with fake WeChat and Miro installers hosted on typosquatted domains. The websites employ extensive anti-analysis techniques, blocking browser developer tools and fingerprinting visitors to detect virtual machines and analysis environments.
To sidestep Apple’s recent macOS Tahoe mitigations, the malware abandons the traditional “ClickFix” social engineering that coaxes victims into pasting commands into Terminal, instead leveraging the applescript:// URL scheme to launch the macOS Script Editor with attacker-supplied content.
The webpage’s HTML hands Script Editor a script deliberately padded with ASCII art to hide the malicious command. On execution, the script displays a message claiming that an Apple security update is being downloaded.

Once executed, the AppleScript prompts the user for their password to access protected Keychain items and decrypt credentials. Reaper extensively harvests browser data, password manager extensions, and iCloud account details.
On top of this, the variant introduces an AMOS-style Filegrabber module that targets business and financial documents, dividing the stolen data into 70MB chunked ZIP archives for exfiltration.
The Reaper malware also actively hijacks desktop cryptocurrency applications by terminating their running processes and replacing the application’s core app.asar file with a trojanized copy. To bypass macOS Gatekeeper, the script clears the quarantine attributes and applies ad hoc code signing to the modified application bundle.
Reaper is an example of SHub operators extending beyond credential and wallet theft: unlike earlier SHub builds, this variant also installs a persistent backdoor on the compromised machine.
Since the infection chain layers in spoofs of trusted software and big brand names, macOS defenders are reminded to watch for unplanned AppleScript activity, suspicious outbound traffic, and any unexpected creation of LaunchAgents and related files.
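As an added illustration of the LaunchAgent check above (example code written for this page, not SentinelOne's tooling or anything recovered from the Reaper campaign), the following Python script audits a LaunchAgents folder for persistence patterns that match the chain described: agents that launch through an interpreter, invoke AppleScript or osascript, pipe a download into a shell, reference user-writable drop locations, or carry a vendor-impersonating com.apple/com.google/com.microsoft label in the user's own folder. The heuristics, the sample plists, and the file names are constructed assumptions, not indicators published on the page.

```python
"""Audit LaunchAgent plists for persistence patterns associated with macOS
stealers: interpreter-based launchers, AppleScript execution, download-and-run
pipelines, user-writable payload paths and vendor-impersonating labels.
Constructed sample plists are written to a temp directory so it runs anywhere."""
import plistlib
import re
import tempfile
from pathlib import Path

# Binaries that a legitimate app agent rarely uses as its entry point (assumed heuristic).
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "perl", "nohup"}
# Locations where a stealer typically drops its payload (assumed heuristic).
USER_WRITABLE = re.compile(
    r"(?:^|\s)(?:/tmp|/private/tmp|/var/folders|"
    r"/Users/[^/\s]+/(?:Downloads|Library/Caches|\.[^/\s]+))/\S*")
# Apple's own agents ship in /System/Library/LaunchAgents, so a first-party
# label inside ~/Library/LaunchAgents is worth a look (assumed heuristic).
VENDOR_LABEL = re.compile(r"^com\.(apple|google|microsoft)\.", re.I)


def suspicious_reasons(plist: dict) -> list:
    """Return the heuristics a single LaunchAgent plist triggers (empty list = clean)."""
    reasons = []
    cmd = []
    if plist.get("Program"):
        cmd.append(str(plist["Program"]))
    cmd += [str(a) for a in plist.get("ProgramArguments", [])]
    if not cmd:
        return ["no Program or ProgramArguments"]
    exe = Path(cmd[0]).name
    joined = " ".join(cmd)
    if exe in INTERPRETERS:
        reasons.append(f"launches via interpreter: {exe}")
    if re.search(r"\bosascript\b|\.scpt\b|\.applescript\b", joined):
        reasons.append("executes AppleScript")
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", joined):
        reasons.append("download-and-execute pipeline")
    match = USER_WRITABLE.search(joined)
    if match:
        reasons.append(f"references user-writable path: {match.group(0).strip()}")
    if VENDOR_LABEL.match(str(plist.get("Label", ""))):
        reasons.append("vendor-impersonating label in user LaunchAgents")
    return reasons


def audit_launch_agents(directory: Path) -> dict:
    """Map each plist file name in `directory` to the reasons it looks suspicious."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # an unreadable agent is itself worth triage
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = suspicious_reasons(plist)
        if reasons:
            findings[path.name] = reasons
    return findings


def demo() -> dict:
    """Write two constructed sample agents (not real malware) and audit them."""
    samples = {
        "com.example.updater.plist": {  # benign: vendor binary under /Applications
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "StartInterval": 3600,
        },
        "com.apple.securityupdate.plist": {  # mimics the "Apple security update" lure
            "Label": "com.apple.securityupdate",
            "ProgramArguments": ["/bin/sh", "-c", "osascript /private/tmp/.update.scpt"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    tmp = Path(tempfile.mkdtemp(prefix="launchagents-"))
    for name, content in samples.items():
        with (tmp / name).open("wb") as fh:
            plistlib.dump(content, fh)
    return audit_launch_agents(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Point audit_launch_agents at ~/Library/LaunchAgents (and /Library/LaunchAgents, which needs admin rights to write) to run it on a real host; demo() writes the constructed samples to a temporary directory so the script also runs offline. Anything it flags is a lead to triage, not a verdict: legitimate agents do sometimes run shell scripts, so compare results against a known-good baseline taken from a clean machine.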
The Ugly | Two Microsoft Defender Zero-Days Allow SYSTEM Privileges & Trigger DoS States
Two Microsoft zero-days affecting its Defender antimalware suite are being actively exploited in the wild against unpatched Windows devices, one to escalate privileges and the other to trigger denial-of-service (DoS) states. The first flaw, tracked as CVE-2026-41091 (CVSS: 7.8), is a privilege escalation vulnerability in the Microsoft Malware Protection Engine, versions 1.1.26030.3008 and earlier. This engine provides the scanning, detection, and cleaning functions behind Microsoft’s native security software. The vulnerability stems from an improper link resolution before file access weakness (‘link following’, CWE-59) in Defender, which a local attacker can abuse to gain SYSTEM-level privileges on a compromised machine.
The second vulnerability, tracked as CVE-2026-45498 (CVSS: 7.5), impacts the Microsoft Defender Antimalware Platform versions 4.18.26030.3011 and earlier. The platform underpins the suite of security tools used by Microsoft’s System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. If successfully exploited, this flaw allows threat actors to trigger DoS conditions on unpatched Windows devices.
Microsoft warns two Defender vulnerabilities are being actively exploited in the wild.
CVE-2026-41091 could allow attackers to gain SYSTEM privileges locally.
CVE-2026-45498 is a denial-of-service flaw impacting Defender.
CISA added both to KEV…
— The Hacker News (@TheHackersNews) May 21, 2026
Microsoft has since released updated versions of both the engine and the platform to address these issues. Although the vendor notes that default configurations install these platform updates automatically, administrators are strongly advised to confirm that Windows Defender Antimalware Platform updates and malware definitions are actually configured to download and install automatically rather than assuming they have. According to the advisory, users can confirm the installed build by checking the Antimalware Client Version under Windows Security settings.
In response to active in-the-wild exploitation, CISA has added both flaws to its Known Exploited Vulnerabilities catalog and issued a mandate requiring Federal Civilian Executive Branch (FCEB) agencies to remediate both flaws across their Windows servers and endpoints by June 3, 2026.
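As an added example for the verification step above (written for this page; it is not Microsoft's advisory guidance or script), the following Python helper pulls the installed engine and platform builds from the Get-MpComputerStatus cmdlet and compares them numerically against the highest affected versions quoted in the text. The assess() function is pure, so the version logic can be exercised on any OS; only query_defender() needs a Windows host with Defender. AMEngineVersion and AMProductVersion are the cmdlet's real property names; the threshold constants come from the versions above and nothing else is assumed.

```python
"""Compare a host's Defender engine and platform builds with the highest
affected versions named in the advisory, read via Get-MpComputerStatus."""
import json
import shutil
import subprocess
from typing import Optional

# Highest affected builds quoted in the text: anything at or below is exposed.
MAX_VULN_ENGINE = "1.1.26030.3008"     # CVE-2026-41091, Malware Protection Engine
MAX_VULN_PLATFORM = "4.18.26030.3011"  # CVE-2026-45498, Antimalware Platform


def parse_version(text: str) -> tuple:
    """'4.18.26030.3011' -> (4, 18, 26030, 3011): compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(engine: str, platform: str) -> dict:
    """Map each CVE to True when the supplied build is at or below the affected cut-off."""
    return {
        "CVE-2026-41091": parse_version(engine) <= parse_version(MAX_VULN_ENGINE),
        "CVE-2026-45498": parse_version(platform) <= parse_version(MAX_VULN_PLATFORM),
    }


def query_defender() -> Optional[dict]:
    """Read engine/platform versions from Defender via PowerShell; None if unavailable."""
    shell = shutil.which("powershell") or shutil.which("pwsh")
    if shell is None:
        return None
    command = ("Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion "
               "| ConvertTo-Json -Compress")
    result = subprocess.run([shell, "-NoProfile", "-NonInteractive", "-Command", command],
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def main() -> None:
    status = query_defender()
    if status is None:
        print("PowerShell not found: run this on the Windows host being checked.")
        return
    engine, platform = status["AMEngineVersion"], status["AMProductVersion"]
    print(f"engine {engine}, platform {platform}")
    for cve, exposed in assess(engine, platform).items():
        print(f"{cve}: {'EXPOSED, update required' if exposed else 'not affected'}")


if __name__ == "__main__":
    main()
```

Numeric comparison matters: a lexical string compare ranks a build such as 1.1.26030.10000 below 1.1.26030.3008 and would report a patched host as exposed. Engine updates arrive with security intelligence (signature) updates, which Update-MpSignature forces, while platform updates are delivered through Windows Update, so a host can show a current engine alongside a stale platform; the script reports each CVE separately for that reason.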
from SentinelOne https://ift.tt/7XuiTGw