Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

This week on the Lock and Code podcast, we speak with Mallory Knodel about whether AI assistants are compatible with encrypted messaging apps.

_This week on the Lock and Code podcast…_

The era of artificial intelligence everything is here, and with it, come everyday surprises into exactly where the next AI tools might pop up.

There are major corporations pushing customer support functions onto AI chatbots, Big Tech platforms offering AI image generation for social media posts, and even Google has defaulted to include AI-powered overviews into everyday searches.

The next gold rush, it seems, is in AI, and for a group of technical and legal researchers at New York University and Cornell University, that could be a major problem.

But to understand their concerns, there’s some explanation needed first, and it starts with Apple’s own plans for AI.

Last October, Apple unveiled a service it is calling Apple Intelligence (“AI,” get it?), which provides the latest iPhones, iPads, and Mac computers with AI-powered writing tools, image generators, proof-reading, and more.

One notable feature in Apple Intelligence is Apple’s “notification summaries.” With Apple Intelligence, users can receive summarized versions of a day’s worth of notifications from their apps. That could be useful for an onslaught of breaking news notifications, or for an old college group thread that won’t shut up.

The summaries themselves are hit-or-miss with users—one iPhone customer learned of his own breakup from an Apple Intelligence summary that said: “No longer in a relationship; wants belongings from the apartment.”

What’s more interesting about the summaries, though, is how they interact with Apple’s messaging and text app, Messages.

Messages is what is called an “end-to-end encrypted” messaging app. That means that only a message’s sender and its recipient can read the message itself. Even Apple, which moves the message along from one iPhone to another, cannot read the message.

But if Apple cannot read the messages sent on its own Messages app, then how is Apple Intelligence able to summarize them for users?

That’s one of the questions that Mallory Knodel and her team at New York University and Cornell University tried to answer with a new paper on the compatibility between AI tools and end-to-end encrypted messaging apps.

Make no mistake, this research isn’t into whether AI is “breaking” encryption by doing impressive computations at never-before-observed speeds. Instead, it’s about whether or not the promise of end-to-end encryption—of confidentiality—can be upheld when the messages sent through that promise can be analyzed by separate AI tools.

And while the question may sound abstract, it’s far from being so. Already, AI bots can enter digital Zoom meetings to take notes. What happens if Zoom permits those same AI chatbots to enter meetings that users have chosen to be end-to-end encrypted? Is the chatbot another party to that conversation, and if so, what is the impact?

Today, on the Lock and Code podcast with host David Ruiz, we speak with lead author and encryption expert Mallory Knodel on whether AI assistants can be compatible with end-to-end encrypted messaging apps, what motivations could sway current privacy champions into chasing AI development instead, and why these two technologies cannot co-exist in certain implementations.

> “An encrypted messaging app, at its essence is encryption, and you can’t trade that away—the privacy or the confidentiality guarantees—for something else like AI if it’s fundamentally incompatible with those features.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01) 

Smishing messages that come with instructions to bypass iMessage's protection against links are on the rise

A smishing (SMS phishing) campaign is targeting iMessage users, attempting to socially engineer them into bypassing Apple’s built in phishing protection.

For months, iMessage users have been posting examples online of how phishers are trying to get around this protection. And, now, the campign is gaining traction, according to our friends at BleepingComputer.

It works like this: Under normal circumstances, iMessage will disable all links in messages from unknown senders to protect the user against clicking them by accident. However, if a user replies to a message or adds the sender to their contact list, the links are enabled, allowing the person to click on the link.

The text of the messages comes in all the variations that phishers love to use:

*   Undeliverable packages from USPS, EVRI, Royal Mail, DHL, Fedex, etc.
*   Unpaid road toll.
*   Owed shipping fees.
*   Other outstanding payments that you are unaware of.

But they all end in a similar way to this:

> “(Please reply Y, then exit the SMS, re-open the SMS activation link, or copy the link to open in Safari)”

Replying with Y (or actually anything) will enable the links and turn off iMessage’s built-in phishing protection. Clicking the link will then lead the recipient to whatever malicious website the phisher had in mind. Even if the user just replies with “Y” and then decides not to follow the link—because it looks slightly off—the phishers will know that they have found a likely target for more attacks.

It’s also important to know that there are similar instructions for the Chrome browser:

> “Reply with 1, exit the SMS message, and reopen the SMS activation link, or copy the link to Google Chrome to open it.)”

**How to avoid smishing scams**

*   Never reply to suspicious messages, even if it’s only a “Y” or “1.” It will tell the phishers they have a live number and they will bombard you with more attempts.
*   Never add a number you don’t know to your Contacts as that will disable the iMessage protection as well.
*   Don’t assume any message is the real deal. If you’re being asked to do something, contact the company directly via a known method you trust. If it turns out to be a fake, you should be able to report it to them, there and then.
*   If you live somewhere with a Do Not Call list or spam reporting service, make full use of it. Report bogus messages and numbers.
*   Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer difference of options available on models of phone, but the Options / Safety / Security / Privacy menus are a good place to start.
*   Check the link before you click it or copy it in your browser. Is it exactly what you would expect it to be? Scammers often use typosquatting techniques (for example evri\[.\]top instead of the legitimate evri\[.\]com, or they fabricate a link that uses the subdomain to make it look legitimate (for example usps.com-track.infoam\[.\]xyz). If it doesn’t look real then don’t click on it.
*   If a message sounds too good (or bad) to be true, it probably is.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 iMessage text gets recipient to disable phishing protection so they can be phished 

New year, same story. Despite Ivanti's commitment to secure-by-design principles, threat actors — possibly the same ones as before — are exploiting its edge devices for the nth time.

Source: Lobro via Alamy Stock Photo

A Chinese threat actor is once again exploiting Ivanti remote access devices at large.

If you had a nickel for every high-profile vulnerability affecting Ivanti appliances last year, you'd have a lot of nickels. There was the critical authentication bypass in its Virtual Traffic Manager (vTM), the SQL injection bug in its Endpoint Manager, a trio affecting its Cloud Services Appliance (CSA), critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM), plus dozens more.

It all started last January, when two serious vulnerabilities were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways. By the time of disclosure, the vulnerabilities were already being exploited by a suspected Chinese-nexus threat actor, UNC5337, believed to be an entity of UNC5221.

Now, one year and one secure-by-design pledge later, threat actors have returned to haunt Ivanti all over again, via a new critical vulnerability in ICS which also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has further warned of a second, slightly less severe bug that hasn't been observed in exploits yet.

"Just because we're seeing these often doesn't necessarily mean that they're easy to pull off — it's a highly sophisticated group that is doing this," Arctic Wolf CISO Adam Marrè points out, in defense of the downtrodden IT vendor. "Engineering is not easy, and secure engineering is even more difficult. So even though you may be following the principles of secure-by-design, that doesn't mean that someone isn't going to be able to come along and either with new technologies, or new techniques, and enough time and resources, hack in."

Related:New AI Challenges Will Test CISOs & Their Teams in 2025

**2 More Security Bugs in Ivanti Devices**

As yet unexploited (as far as researchers can tell) is CVE-2025-0283, a buffer overflow opportunity in ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. The "high" severity 7.0 out of 10-rated issue in the Common Vulnerability Scoring System (CVSS) could enable an attacker to escalate their privileges on a targeted device, but requires them to be authenticated first.

CVE-2025-0282 — rated a "critical" 9.0 in CVSS — does not come with that same caveat, allowing for code execution as root with no authentication required. Ivanti disclosed few details regarding the exact cause of the issue, but researchers from watchTowr were able to successfully reverse engineer an exploit after comparing ICS's patched and unpatched versions.

Related:Best Practices & Risks Considerations in LCNC and RPA Automation

According to Mandiant, a threat actor began exploiting CVE-2025-0282 in mid-December, deploying the same "Spawn" family of malware tied to UNC5337 exploits of previous Ivanti bugs. Those tools include:

*   The SpawnAnt installer, which drops its malware colleagues and persists through system upgrades
    
*   SpawnMole, which facilitates back-and-forth communications with attacker infrastructure
    
*   SpawnSnail, a passive secure shell (SSH) backdoor
    
*   SpawnSloth, which tampers with logs to conceal evidence of malicious activity
    

"The threat actor's malware families demonstrate significant knowledge of the Ivanti Connect Secure appliance," says Mandiant senior consultant Matt Lin. In fact, besides UNC5337 and its spawn, researchers also observed two more unrelated but equally bespoke malware deployed to infected devices. One — DryHook, a Python script — is designed to steal user credentials off targeted devices.

The other, PhaseJam, is a bash shell script that enables remote and arbitrary command execution. Most creative, though, is its ability to maintain persistence through sleight of hand. If an administrator attempts to upgrade their device — a process that would unseat PhaseJam — the malware will instead show them a fake progress bar that simulates each of the 13 steps one might expect in a legitimate update. Meanwhile, in the background, it prevents the legitimate update from running, thereby ensuring that it lives another day.

Related:Cybercriminals Don't Care About National Cyber Policy

DryHook and PhaseJam might have been the work of UNC5337, Mandiant noted, or another threat actor altogether.

**Time to Update**

Data from The ShadowServer Foundation suggests that north of 2,000 ICS instances could be vulnerable at the time of writing, with the greatest concentration in the US, France, and Spain.

Source: The Shadowserver Foundation

Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have published instructions for mitigating CVE-2025-0282, emphasizing that network defenders should run Ivanti's built-in Integrity Checker Tool (ICT) to seek out infections, and implement patches immediately.

"We have released a patch addressing vulnerabilities related to Ivanti Connect Secure," an Ivanti spokesperson tells Dark Reading. "There has been limited exploitation of one of the vulnerabilities and we are actively working with affected customers. Ivanti’s ICT has been effective in identifying compromise related to this vulnerability. Threat actor exploitation was identified by the ICT on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."

It may be worth noting that unlike ICS, Policy Secure and ZTA gateways won't be receiving their patches until Jan. 21. In its security advisory, Ivanti stated that ZTA gateways "cannot be exploited when in production," and that Policy Secure is designed to not be Internet-facing, reducing the risk of exploitation via CVE-2025-0282 or similar vulnerabilities.

"It's important that administrators here are doing the right things," Marrè says, noting, "That may result in some downtime, which can be disruptive for organizations, which can lead to them putting it off, or not fixing it as thoroughly and as well as they should."

Lin adds, "We’ve observed organizations that have historically acted promptly in response to these threats did not experience the same negative impacts when compared to organizations that failed to do the same." He also acknowledges, "All the swirl that takes place in the background once one of these patches is announced.

"Security teams across orgs have to scramble to not just patch, but also understand whether they’re vulnerable, and if so, do they only need to patch, or have they already been breached? And if they have been breached, that starts another incident response, which creates massive workflows across companies around the world. It’s important to not lose sight of the toil and exhaustion that defenders go through when assessing these scenarios and not be hyper critical of their initial reaction times."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Threat Actors Exploit a Critical Ivanti RCE Bug, Again

Growing sales of the System for Operative Investigative Activities (SORM), a Russian wiretapping platform, in Central Asia and Latin American suggests increasing risks for Western businesses.

Source: Golden Dayz via Shutterstock

A half-dozen governments in Central Asia and Latin American have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from Russian providers, expanding their — and potentially Russian intelligence's — ability to intercept communications.

The technology includes monitoring equipment placed inside a telecommunications provider's facility, which delivers information to the client government's intelligence agency, including mobile numbers, phones identifiers, geolocation, names, email addresses, and IP addresses. That's according to threat intelligence firm Recorded Future, which found in an analysis that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.

Western companies and citizens should take measures to protect their communications and to understand the risks of surveillance when traveling to countries that have lax civil protections against wiretapping, says a threat analyst with Recorded Future's Insikt threat intelligence group, who asked to remain anonymous due to the sensitivity of the topic.

"Obviously, in countries that don't employ SORM — even Western countries — surveillance frameworks are not immune to abuse, but it's important to look holistically at this when there's evidence of these systems being built with Russian-company inputs in a country with a history of state surveillance operations," the analyst says. "Particularly, human rights defenders, activists, journalists, members of civil society, but also foreign travelers, \[could all be targets\]."

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

The expansion of Russia's SORM kit highlights the gains of digital surveillance technology worldwide. The companies behind the spyware tools used by authoritarian governments — such as NSO Group's Pegasus and Intellexa Consortium's Predator — have made inroads globally, as the companies refine their ability to evade roadblocks on sales to sanctioned nations, according to an in-depth report published by the Atlantic Council in September. Overall, 41% of the 195 countries worldwide have licensed commercial spyware, including 14 of the 27 countries in the European Union, according to the Atlantic Council.

Wiretapping technology and spyware are often used for legitimate reasons, whether that be law enforcement investigations of suspected criminals or intelligence gathering against nation-state rivals. However, in countries with few protections for civil liberties, or poor regulation of digital surveillance technologies, abuses inevitably follow for governments that deploy it without adequate oversight, according to the Atlantic Council analysts.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

"Spyware makes it easier for states to penetrate even the most robust commercial technologies, cell phones, computers, and communications services; makes it far easier to act against citizens beyond state borders; and even provides governments with the ability to target senior officials, both domestically and abroad, where they might otherwise have no means to do so," the Atlantic Council analysts stated in the report. "Where that information is used to facilitate repression and abuse, its harms are untenable."

**The Spyware Nexus: An R Joins the Three I's**

The Atlantic Council identified 435 "entities" — companies and people associated with commercial spyware — and found that two-thirds lead back to three nations: Israel, Italy, and India. Now, Russia has become a major provider of surveillance technology as well.

Existing law in Russia requires that telecommunications providers install and maintain monitoring devices that meet SORM regulations, but the firms are not authorized to access the capabilities of the devices nor audit communications collection, according to Recorded Future's report. Countries in Russia's sphere of influence have passed similar laws mandating SORM-compliant technology, which is typically installed and serviced by Russian providers, likely giving Russia the ability to access intercepted communications.

Related:Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Record Future used a variety of indicators for the adoption of SORM, including marketing materials and the websites of the providers of SORM technologies. The largest providers of SORM technology are companies called Citadel, Norsi-Trans, and Protei, who — along with five other identified technology firms — are likely exporting SORM products and services to at least 15 telecommunications companies, the firm found.

The risks of illicit digital surveillance are growing, argues Vitor Ventura, manager for EMEA and Asia at Cisco's Talos threat intelligence group.

"In certain countries, it might just be legal to do certain kind of interceptions for reasons that are not allowed in other countries, or because you have a law that says that if national security is at risk, you can do whatever you want," he says, adding that there has been a global boom in surveillance technology over the past few years.

"I don't think that the law is changing that much — I just think that there is a bigger appetite, and there's a lot more being offered," he says. "The prices eventually came down, and everyone that has the money for \[surveillance technology\] will actually go for it."

**Know Your Telecom Tech, Wiretapping Laws**

Companies that have employees based in nations with weaker civil liberty protections should note that adopting privacy and encryption tools can help mitigate the risk, but providers of virtual private network (VPN) services often are subject to the same laws as telecommunications providers, according to the Recorded Future report, and might also be turning over intelligence to government agencies.

In many ways, the cyber-risks mirror those argued by the US government in regards to Russian cybersecurity firm Kaspersky, whose antivirus products were banned in mid-2024, the Recorded Future analyst says.

"These \[telecom\] companies might be able to go into systems and have access to such a vast range of data — there's definitely a high intelligence value there," the analyst says. "The same risks that apply to Kaspersky are equally as applicable to Russian SORM providers."

Companies should keep apprised of the spread of the technology in the future. For example, one Russian provider, Protei, markets SORM in trade shows in Africa, the Middle East, and Latin America, raising the likelihood that countries in those regions will adopt the wiretapping platform at some time in the future.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia Carves Out Commercial Surveillance Success Globally

SUMMARY Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed…

**SUMMARY**

*   **Banshee Stealer targets macOS users, distributed via fake GitHub repositories and phishing sites.**

*   **The malware steals browser credentials, cryptocurrency wallets, 2FA codes, and system details.**

*   **It evades detection using Apple’s XProtect algorithm and deceptive system pop-ups.**

*   **Threat actors expanded targets by removing regional restrictions in the malware.**

*   **Source code leaked in November 2024, but risks remain with evolving cyber threats.**

Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed via phishing websites and fake GitHub repositories. According to their investigation, shared exclusively with Hackread.com this infostealer resembles popular software like Google Chrome, Telegram, and TradingView.

For your information, Banshee macOS Stealer targets macOS users and steals browser credentials, cryptocurrency wallets, and other sensitive data. It was first detected by Elastic Security Labs in August 2024 and was advertised on underground forums like XSS, Exploit, and Telegram, as a “stealer-as-a-service”. 

This newly discovered version includes a string encryption algorithm “stolen” from Apple’s own XProtect antivirus engine, which allowed it to evade detection for over two months. In addition, it doesn’t include its Russian language check, which was previously used to prevent the malware from targeting specific regions, indicating an expansion in its potential targets.

Check Point has identified multiple campaigns distributing the malware through phishing websites, although it’s unclear if they are carried out by previous customers. Threat actors utilized GitHub repositories for Banshee distribution, targeting macOS users with Banshee and Windows users with Lumma Stealer. Malicious repositories were created over three waves, appearing legitimate with stars and reviews, and luring users into downloading malware

Screenshot via CPR

Banshee Stealer can harvest data from web browsers, cryptocurrency wallets, and files with specific extensions, including stealing login credentials from web browsers like Chrome, Brave, Edge, and Vivaldi. It also targets browser extensions, specifically those for cryptocurrency wallets, potentially compromising your digital assets.

Additionally, it can capture your Two-Factor Authentication (2FA) credentials, bypassing an extra layer of security for your accounts. Furthermore, it drains off software and hardware details from your device, along with your external IP address and macOS passwords, giving attackers a complete picture of your system.

Also, Banshee Stealer utilizes deceptive pop-ups that mimic legitimate system prompts. These pop-ups can trick you into unknowingly revealing your macOS password, granting the malware administrative access to your system. The malware employs anti-analysis techniques to avoid detection by security tools.

This makes it difficult to identify its presence on your device using traditional methods. Once stolen, your data is sent to the attacker’s command-and-control servers through encrypted and encoded channels, making it challenging to track or intercept. Its source code leaked online in November 2024, leading to its shutdown. Still, it highlights how cyber threats are evolving continually. 

“Businesses must recognize the broader risks posed by modern malware, including costly data breaches that compromise sensitive information and damage reputations, targeted attacks on cryptocurrency wallets that threaten digital assets, and operational disruptions caused by stealthy malware that evades detection and inflicts long-term harm before being identified,” CPR researchers noted in the blog post.

Ms. Ngoc Bui, Cybersecurity Expert at Menlo Security, a Mountain View, Calif.-based provider of browser security commented on the latatest development stating, _“_This new Banshee Stealer variant exposes a critical gap in Mac security. While companies are increasingly adopting Apple ecosystems, the security tools haven’t kept pace. Even leading EDR solutions have limitations on Macs, leaving organizations with significant blind spots. We need a multi-layered approach to security, including more trained hunters on Mac environments._“_

1.  **Fake Google Meet Alerts Install Malware on Windows, macOS**
2.  **“HM Surf” macOS Flaw Lets Attackers Access Camera and Mic**
3.  **Hackers Could Exploit Microsoft Teams on macOS to Steal Data**
4.  **TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App**
5.  **Lazarus Group Hits macOS with RustyAttr Trojan in Fake Job PDFs**

Banshee Stealer Hits macOS Users via Fake GitHub Repositories

The most recent iteration of the open source infostealer skates by antivirus programs on Macs, using an encryption mechanism stolen from Apple's own antivirus product.

Source: Charles Walker Collection via Alamy Stock Photo

The macOS infostealer "Banshee" has been spotted skating by antivirus programs using a string encryption algorithm it stole from Apple.

Banshee has been spreading since July, primarily via Russian cybercrime marketplaces, where it was sold as a $1,500 "stealer-as-a-service" for Macs. It's designed to steal credentials from browsers — Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera — and browser extensions associated with cryptocurrency wallets — Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. Plus, it lifts additional information about targeted systems, including software and hardware specifications, and the password needed to unlock the system.

It was far from a perfect tool, widely detected by antivirus programs, thanks in part to its being packaged entirely in plaintext. But on Sept. 26, researchers from Check Point observed a more potent variant. This more successful variant remained otherwise undetected for months, primarily because it was encrypted with the same algorithm used by Apple's Xprotect antivirus tool for macOS.

**Banshee Malware Steals From XProtect**

XProtect is Apple's decade-and-a-half-old anti-malware engine for macOS. To detect and block malware, it uses "Remediator" binaries, which combine various methods and tools for antivirus-ing, including YARA rules, which contain patterns and signatures associated with known threats.

Check Point found that the same encryption algorithm that protects XProtect's YARA rules also concealed the September variant of Banshee.

It's not clear how the malware author — nom de guerre "0xe1" or "kolosain" — gained access to that algorithm.

"It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can't confirm it," Antonis Terefos, reverse engineer at Check Point Research, speculates. "Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily 'reimplement' the string encryption for malicious purposes," he says.

Either way, the effect was significant. "The majority of the antivirus solutions in VirusTotal detected the initial Banshee samples using plaintext, but once the developer introduced this novel string encryption algorithm, none of the approximately 65 antivirus engines in VirusTotal detected it," he says.

That remained the case for around two months. Then, on Nov. 23, Banshee's source code was leaked on the Russian language cybercrime forum "XSS." 0xe1 shuttered his malware-as-a-service (MaaS) operation, and antivirus vendors incorporated associated YARA rules in due course. But even after that point, Terefos reports, the encrypted Banshee remained undetected by most engines on VirusTotal.

**How Banshee Stealer Is Spreading in Cyberattacks**

Since late September, Check Point has identified more than 26 campaigns spreading Banshee. Broadly speaking, they can be grouped into two clusters.

In three waves of campaigns lasting from mid-October to early November, threat actors spread the infostealer via GitHub repositories. The repositories promised users cracked versions of popular software, like Adobe programs and various image and video editing tools. The malware was concealed behind generic file names such as "Setup," "Installer," and "Update." This same cluster of activity also targeted Windows users with the popular Lumma Stealer.

The remaining campaigns spread Banshee via phishing sites, of one form or another. In these cases, the attackers disguised the malware as various popular software programs, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. If a visitor was using macOS, they'd get a download link.

More, varying campaigns could be on the way, now that Banshee has been leaked. Thus, Terefos says, "Despite macOS traditionally being regarded as more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant and aware of the threats."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like _Candy Crush_ and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples’ mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.

The list includes dating sites Tinder and Grindr; massive games such as _Candy Crush_, _Temple Run_, _Subway Surfers_, and _Harry Potter: Puzzles & Spells_; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for apps they have installed.

Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.

Much of the location data attached to these app names does not have a time stamp. But there are indications it dates from 2024. One of the apps listed is _Call of Duty: Mobile_, and specifically its Season 5 iteration, which launched in May 2024.

Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

Venntel has also provided the underlying data for another government-bought surveillance tool called Locate X. 404 Media and a group of other outlets showed last year how that tool, made by a company called Babel Street, could be used to monitor visitors to out-of-state abortion clinics.

But the newly hacked data shows for the first time just how many apps could be part of a location data supply chain, even if their developers are not aware of it. Most app developers and companies included in the list did not respond to a request for comment. Flightradar24 said in an email that it had never heard of Gravy, but that it does display ads, which “help keep Flightradar24 free.”

Tinder said in an email that “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app” but did not answer questions about ads inside the app.

Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data.

It’s important that the data appears to be sourced through real-time bidding, because that dictates who is responsible (rogue members of the advertising industry and the tech giants that facilitate that industry), how users can protect themselves (attempting to block ads), and the fact that massive app publishers may not even be aware their users’ data is being harvested and therefore might not know how to stop it. An app developer will know if it implemented location-data-gathering code itself. It might not know that some company, somewhere, is silently listening in on the advertising process and siphoning data from their app.

Surveillance firms can obtain RTB data by acquiring ad tech companies and posing as prospective advertisers. The spy-run location data company doesn’t need to successfully place an ad; instead, it is able to gather data on devices by simply being plugged into that industry. Location data in this case can also include a users’ IP address, which is then geolocated to give their coarse location.

Last January, 404 Media reported on an Israeli surveillance company called Patternz, which was sourcing masses of location data through the RTB process.

In an exposed training video, Patternz showed some of the popular apps it got location data from: 9GAG, Kik, sports app FUTBIN, caller ID apps such as CallApp and Truecaller; and various word, sudoku, and solitaire puzzle games. Every one of these apps are also in the Gravy data. This suggests that Gravy, or wherever Gravy got that data from, also sourced it from interacting with the advertising system rather than location-tracking code baked into the apps.

404 Media shared some of the location data with another security researcher with knowledge of the advertising and location data industries. “It appears that at least some of this data would likely have been sourced from advertising related, real-time bidding,” Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media after reviewing the data. He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

Google did not respond to multiple requests for comment for this article. Neither did Apple.

Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS \[Global Navigation Satellite System\]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”

“What we’re seeing here in this data appears to me to be a huge diversity of apps,” Edwards says. “That’s not what you see from an SDK ingestion; that’s what you see from bulk RTB ingestions.”

In December the Federal Trade Commission banned another location data company called Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” In other words, the agency banned Mobilewalla from participating in the RTB process for building datasets on peoples’ devices. The FTC also said Venntel and Gravy collected data without obtaining user consent, ordered the company to delete historical location data, and banned it from selling data related to sensitive areas like health clinics and places of worship, except in “limited circumstances” involving national security or law enforcement.

404 Media has verified the hacked Gravy data in various ways. Some files include credentials for Gravy’s Snowflake instances, a data warehousing tool. 404 Media checked that the URLs in the hacked files do correspond to real Snowflake instances. One file called “users” contains a long list of companies. Some of these firms denied having any relationship with Gravy; Cuebiq, another location data firm mentioned in the file, told 404 Media it “routinely evaluates available data in the market to determine if they are an appropriate fit for our business. Most do not make it past the evaluation stage to production, as was the case here. Cuebiq tested a limited data sample, which was never made available to our customers, and the data was deleted at the end of the limited trial.”

404 Media also sent a section of the data to another data broker called Datonics. “We investigated the matter described in your email, and the segment IDs in those files are those of Gravy, not Datonics,” the company said in an email.

Unacast, which merged with Gravy in 2023, did not respond to multiple requests for comment, both on the hack and whether it or any of its suppliers have derived location data from the real-time bidding process.

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

Texas has become a leading enforcer of internet rules. Its latest probe includes some platforms that privacy experts describe as unusual suspects.

Over the past decade, Texas attorney general Ken Paxton has wielded his office’s significant resources to investigate well-known tech giants including Google and Meta over how they moderate content and treat rivals. He helped win settlements against Apple for allegedly misleading users and is suing TikTok for allegedly endangering children's privacy. Now, Paxton’s latest tech investigation includes an expansive number of targets, WIRED has learned.

Rumble, Quora, and WeChat are among the 15 companies from which Texas has demanded answers by next week about their collection and use of data of people under 18 years old. Paxton announced the investigation in a press release last month but named only four of the companies being probed—Character.AI, Red­dit, Insta­gram, and Dis­cord. WIRED obtained the names of additional targeted companies through a public records request. They also include Kick, Kik, Pinterest, Telegram, Twitch, Tumblr, WhatsApp, and Whisper.

Paxton’s office did not respond to requests for comment, including about how it chose which businesses to investigate. But the variety of companies questioned highlights the sprawling reach of a new Texas law aimed at increasing oversight of minors’ use of social media and chat services.

Three experts in youth privacy regulations who have been following Paxton’s enforcement efforts say the new investigation should be treated credibly, and they believe it could result in companies agreeing to improve their practices. The alternative could be up to hundreds of millions of dollars in penalties per company. “When you bring all the statutes together, Texas has a pretty significant hammer,” says Paul Singer, a partner and section chair at the law firm Kelley Drye & Warren.

Spokespeople for Character.AI and Tumblr say they take safety issues seriously. Meta and WeChat declined to comment. Other companies under investigation did not respond to requests for comment.

Paxton launched his probe three days after the families of an 11-year-old girl and 17-year-old boy in Texas sued chatbot startup Character.AI, claiming the company designed its product in an unsafe way that exposed the kids to sexualized and violent responses. In October, a similar case was filed in Florida by the family of a 14-year-old who shot himself to death allegedly following conversations with a Character.AI chatbot. Character.AI later introduced an experience aimed at kids and plans to roll out parental controls.

Other services under investigation including Kik, Instagram, and Discord have faced public scrutiny over their use by children. But less so WeChat, a messaging app popular among Chinese Americans, and Quora, a forum for crowdsourcing information that’s recently expanded into AI chatbots.

Paxton’s interest in Rumble, a YouTube-like website popular among US conservative political commentators, is also perhaps unexpected given his track record of partisan views about social media companies. Rumble has touted itself as a haven for free expression, unlike platforms that engage in allegedly heavier content moderation. Paxton is a Republican and has criticized platforms that unfairly silence Texans.

The privacy experts who spoke with WIRED described Rumble, Quora, and WeChat as unusual suspects but declined to speculate on the rationale behind their inclusion in the investigation. Josh Golin, executive director of the nonprofit Fairplay, which advocates for digital safety for kids, says concerns aren’t always obvious. Few advocacy groups worried about Pinterest, for example, until the case of a British teen who died from self-harm following exposure to sensitive content on the platform, he says.

Paxton’s press release last month called his new investigation “a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.”

The United States Congress has never passed a comprehensive privacy law, and it hasn’t significantly updated child online safety rules in a quarter century. That has left state lawmakers and regulators to play a big role.

Paxton’s investigation centers on compliance with Texas’ Securing Children Online through Parental Empowerment Act, or SCOPE, which went into effect in September. It applies to any website or app with social media or chat functions and that registers users under the age of 18, making it more expansive than the federal law, which covers only services catering to under-13 users.

SCOPE requires services to ask for users’ age and provide parents or guardians power over kids’ account settings and user data. Companies also are barred from selling information gathered about minors without parental permission. In October, Paxton sued TikTok for allegedly violating the law by providing inadequate parental controls and disclosing data without consent. TikTok has denied the allegations.

The investigation announced last month also referenced the Texas Data Privacy and Security Act, or TDPSA, which became effective in July and requires parental consent before processing data about users younger than 13. Paxton’s office has asked the companies being investigated to detail their compliance with both the SCOPE Act and the TDPSA, according to legal demands obtained through the public records request.

In total, companies must answer eight questions by next week, including the number of Texas minors they count as users and have barred for registering an inaccurate birthdate. Lists of whom minors’ data is sold or shared with have to be turned over. Whether any companies have already responded to the demand couldn’t be learned.

Tech company lobbying groups are challenging the constitutionality of SCOPE Act in court. In August, they secured an initial and partial victory when a federal judge in Austin, Texas, ruled that a provision requiring companies to take steps to prevent minors from seeing self-harm and abusive content was too vague.

But even a complete win might not be a salve for tech companies. States including Maryland and New York are expected to enforce similar laws starting later this year, says Ariel Fox Johnson, an attorney and principal of the consultancy Digital Smarts Law & Policy. And state attorneys general could resort to pursuing narrower cases under their tried-and-true laws barring deceptive business practices. “What we see is often information gets shared or sold or disclosed in ways families didn’t expect or understand,” Johnson says. “As more laws are enacted that create firm requirements, it seems to be becoming more clear that not everybody is in compliance.”

Tag

#apple