Jacob

Another new #FakeUpdates group seen. Not the typical popup, this time just a localized one on the screen. The domain serving the fake update is:
cdnreport[.]net

I wasn't able to get served, but looking through URLScan reports, there was a hit for dropping a MacOS Stealer:
https://urlscan.io/result/e4a10dd9-ffe0-40d6-a0e5-fdcfb1a0a3a9/

Hash: 5ca22e4ca383f0d7a769795720414c4c6fe9c24c20c85a56570fe022c57bd6f9

tefl.ie - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

Apr 25, 2024 at 3:25pmWeb
Show threadJacobApr 25, 2024
Another example of the fake update display, this time at the bottom of the page:
Show threadJacobMay 6, 2024
Saw this again today, still using cdnreport[.]net. Next stage is still down for me.