Infiniti Stealer Campaign Targets macOS Users via Fake Cloudflare CAPTCHA Pages

A new macOS malware called ‘Infiniti Stealer’ is spreading through fake Cloudflare CAPTCHA pages that trick users into running malicious Terminal commands. The attack uses social engineering (ClickFix) instead of vulnerabilities allowing it to bypass security controls. Infiniti Stealer runs in multiple stages and steals sensitive data highlighting the growing risk to macOS users.

Pulse ID: 69c72fba45868caa2fc6a152
Pulse Link: https://otx.alienvault.com/pulse/69c72fba45868caa2fc6a152
Pulse Author: cryptocti
Created: 2026-03-28 01:32:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #Cloud #CyberSecurity #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #SocialEngineering #bot #cryptocti

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

A new phishing campaign is targeting TikTok for Business accounts using adversary-in-the-middle (AitM) techniques. The attackers employ Cloudflare Turnstile to evade detection and create convincing lookalike pages impersonating TikTok for Business or Google Careers. Victims are tricked into clicking malicious links, leading to credential theft. The campaign aims to seize control of business accounts, which can be used for malvertising and malware distribution. Multiple domains are involved in hosting the phishing pages. Additionally, a separate campaign using SVG file attachments to deliver malware has been observed in Venezuela, with potential links to BianLian ransomware activity.

Pulse ID: 69c6d346df59de3f16b61387
Pulse Link: https://otx.alienvault.com/pulse/69c6d346df59de3f16b61387
Pulse Author: AlienVault
Created: 2026-03-27 18:58:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #BianLian #Cloud #CyberSecurity #Google #InfoSec #Malvertising #Malware #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #SVG #bot #AlienVault

AI Infrastructure Supply Chain Poisoning Alert

A supply chain poisoning attack on LiteLLM, a popular AI model gateway, was detected by NSFOCUS Technology CERT. The TeamPCP group compromised the Trivy security scanning tool used in LiteLLM's release process, allowing them to publish malicious versions 1.82.7 and 1.82.8 on PyPI. These versions contained credential-stealing programs that collected sensitive data and, if a Kubernetes cluster was detected, deployed privileged Pods and implanted persistent backdoors. The attack impacted numerous dependent packages and potentially affected millions of users. The incident highlights the growing risks in AI infrastructure and the need for robust supply chain security measures.

Pulse ID: 69c6d3a930c99b3993018f22
Pulse Link: https://otx.alienvault.com/pulse/69c6d3a930c99b3993018f22
Pulse Author: AlienVault
Created: 2026-03-27 18:59:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #PyPI #SupplyChain #bot #AlienVault

Inside Keitaro Abuse Part 2: One Platform, Many Threats

This analysis examines how threat actors abuse Keitaro, an advertising performance tracker, for various malicious purposes. The report covers a wide range of threats, including malware delivery, phishing, scams, and illegal content distribution. Key findings include the use of Keitaro for cloaking and traffic distribution in malvertising campaigns, spam operations leveraging Keitaro for cryptocurrency wallet draining, and the abuse of Keitaro in investment scams. The report also highlights specific threat actors and their tactics, such as domain hijacking for adult content delivery and the use of fake arrests as clickbait for investment scams. Overall, the analysis demonstrates how Keitaro's features make it attractive to cybercriminals seeking to maximize their reach with minimal effort.

Pulse ID: 69c643d531ed0d8ae740f7dc
Pulse Link: https://otx.alienvault.com/pulse/69c643d531ed0d8ae740f7dc
Pulse Author: AlienVault
Created: 2026-03-27 08:46:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Malvertising #Malware #Nim #OTX #OpenThreatExchange #Phishing #RAT #Spam #bot #cryptocurrency #AlienVault

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka

A new macOS infostealer called Infiniti Stealer has been discovered, utilizing ClickFix delivery and Python/Nuitka compilation. The malware spreads through a fake CAPTCHA page, tricking users into running a command themselves. The final payload is a Python-based stealer compiled with Nuitka, making it harder to analyze and detect. The malware targets sensitive data including browser credentials, macOS Keychain entries, cryptocurrency wallets, and developer files. It employs anti-analysis techniques and exfiltrates data via HTTP POST requests. This campaign demonstrates the adaptation of Windows-based techniques to target Mac users and showcases the increasing sophistication of macOS malware.

Pulse ID: 69c65110c392e209625c97d5
Pulse Link: https://otx.alienvault.com/pulse/69c65110c392e209625c97d5
Pulse Author: AlienVault
Created: 2026-03-27 09:42:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #CyberSecurity #HTTP #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #Python #RAT #Windows #bot #cryptocurrency #AlienVault

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, and other tools. CL-STA-1049 utilized a novel Hypnosis loader to deploy FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.

Pulse ID: 69c5e4ddc46bf7f11bc53115
Pulse Link: https://otx.alienvault.com/pulse/69c5e4ddc46bf7f11bc53115
Pulse Author: AlienVault
Created: 2026-03-27 02:01:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #China #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Malware #OTX #OpenThreatExchange #PUBLOAD #RAT #RCE #StatelyTaurus #Taurus #USB #Unit42 #bot #AlienVault

The Certificate Decoding Illusion: How Blank Grabber Stealer Hides Its Loader

BlankGrabber, a Python-based information stealer, employs sophisticated techniques to evade detection and exfiltrate sensitive data. It uses a multi-stage infection chain, starting with a batch file loader that disguises the payload as certificate data. The malware implements anti-analysis measures, including sandbox and virtualization checks. It harvests a wide range of data, including browser information, system details, and credentials from various applications. BlankGrabber utilizes Windows Management Instrumentation for system discovery, captures screenshots and webcam images, and attempts to disable Windows Defender. The malware achieves persistence through startup folder manipulation and exfiltrates data using Telegram bots and public web services.

Pulse ID: 69c643beac5889d953fd8ba4
Pulse Link: https://otx.alienvault.com/pulse/69c643beac5889d953fd8ba4
Pulse Author: AlienVault
Created: 2026-03-27 08:45:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Telegram #Windows #bot #AlienVault

BRUSHWORM and BRUSHLOGGER uncovered

A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.

Pulse ID: 69c643be1c9656febe1f3cc6
Pulse Link: https://otx.alienvault.com/pulse/69c643be1c9656febe1f3cc6
Pulse Author: AlienVault
Created: 2026-03-27 08:45:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Asia #BackDoor #CyberSecurity #InfoSec #KeyLogger #Malware #OTX #OpenThreatExchange #RAT #Rust #SouthAsia #USB #VirusTotal #Worm #bot #AlienVault

The Return of the Kinsing

A Canary Intelligence team analysis revealed the resurgence of the Kinsing malware, exploiting three CVEs: CVE-2023-46604 (ActiveMQ), CVE-2023-38646 (Metabase), and CVE-2025-55182 (React2Shell). The attacks, originating from IP 212.113.98.30, converged on a shared staging host at 78.153.140.16. The malware's tactics include downloading and installing a Go-based Linux binary and a stealthy libsystem.so component. The exploitation methods involve retrieving and executing malicious scripts, leading to the installation of Kinsing's core components. This cluster of activity demonstrates how older malware families can remain relevant by exploiting new vulnerabilities without significantly changing their core binaries.

Pulse ID: 69c56e3a416f1f2fb18c3436
Pulse Link: https://otx.alienvault.com/pulse/69c56e3a416f1f2fb18c3436
Pulse Author: AlienVault
Created: 2026-03-26 17:34:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ActiveMQ #CyberSecurity #ICS #InfoSec #Kinsing #Linux #Malware #OTX #OpenThreatExchange #RAT #bot #AlienVault

GlassWorm attack installs fake browser extension for surveillance

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.

Pulse ID: 69c59ad1d050c7b6a823051e
Pulse Link: https://otx.alienvault.com/pulse/69c59ad1d050c7b6a823051e
Pulse Author: AlienVault
Created: 2026-03-26 20:45:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #Chrome #ChromeExtension #CyberSecurity #FakeBrowser #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Worm #bot #cryptocurrency #developers #AlienVault