Jun 06, 2025The Hacker NewsMalware / Endpoint Security Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation," security researcher Koushik Pal said in a report published this week. "The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries." It's believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware's source code. The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[.]net" or "spectrum-ticket[.]net"). Visitors to the sites in question are served a message that instructs them to complete a hCaptcha verification check to in order to "review the security" of their connection before proceeding further. However, when the user clicks the "I am human" checkbox for evaluation, they are displayed an error message stating "CAPTCHA verification failed," urging them to click a button to go ahead with an "Alternative Verification." Doing so causes a command to be copied to the users' clipboard and the victim is shown a set of instructions depending on their operating system. While they are guided to run a PowerShell command on Windows by opening the Windows Run dialog, it's substituted by a shell script that's executed by launching the Terminal app on macOS. The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer. "Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure," Pal said. "The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction 'Press & hold the Windows Key + R' was displayed to both Windows and Mac users." The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year. "Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access," Darktrace said. "These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads." The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue. The end result of this effective social engineering method is that users end up compromising their own systems, enabling threat actors to bypass security controls. The cybersecurity company said it identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States. And these campaigns are gaining steam, adopting several variations but operating with the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware. Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. The fact that ClickFix is flexible and easy to adapt makes it an attractive malware distribution mechanism. "While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers," Cofense said. The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, wherein clicking on the "Accept" button causes a malicious script file to be downloaded. The user is subsequently prompted to run the script to accept cookies. In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data. "ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses," Darktrace said. "By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data." Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks. These fake pages are "pixel-perfect copies" of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages. "Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they've been conditioned to click through these as quickly as possible," SlashNext's Daniel Kelley said. "Attackers exploit this 'verification fatigue,' knowing that many users will comply with whatever steps are presented if it looks routine." Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

May 30, 2025Ravie LakshmananCryptocurrency / Cybercrime The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in virtual currency investment scams that caused Americans to lose billions of dollars annually. "Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses," the agency said in a press release. The average loss is estimated to be over $150,000 per individual. Funnull, also called Fang Neng CDN (funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz), was first attracted the attention of the cybersecurity community in June 2024 after it was implicated in the supply chain attack of widely-used Polyfill[.]io JavaScript library. Last year, an analysis by Silent Push revealed that the infrastructure associated with Funnull has been used to promote investment scams, fake trading applications, and suspect gambling networks. The infrastructure has been codenamed Triad Nexus. Then earlier this February, the cybersecurity company attributed Funnull to a practice dubbed infrastructure laundering wherein the company rented IP addresses from mainstream hosting providers such as Amazon Web Services (AWS) and Microsoft Azure to host criminal websites. Highlighting this aspect, the Treasury said Funnull enables virtual currency investment scams by acquiring IP addresses in bulk from major cloud services companies across the world and selling them to cybercriminals to host scam platforms and other malicious web content. "Funnull generates domain names for websites on its purchased IP addresses using domain generation algorithms (DGAs) – programs that generate large numbers of similar but unique names for websites – and provides web design templates to cybercriminals," the agency pointed out. "These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down." The Treasury also accused Funnull of purchasing Polyfill[.]io with the intent to redirect visitors of legitimate websites to scam websites and online gambling sites, some of which it said are linked to Chinese criminal money laundering operations. Furthermore, the department alleged that its administrator Liu, a Chinese national, was in possession of spreadsheets and other documents that contained information about the company's employees, their performance, and their work progress. The tasks assigned to them included assigning domain names to criminal actors for virtual currency investment fraud, phishing scams, and online gambling sites. In a standalone flash alert, the U.S. Federal Bureau of Investigation (FBI) said it identified 548 unique Funnull Canonical Names (CNAME) linked to over 332,000 unique domains since January 2025. "Between October 2023 and April 2025, multiple patterns of IP address activity were observed from several domains using Funnull infrastructure," the FBI said. "During this time frame, hundreds of domains using Funnull infrastructure simultaneously migrated from one IP address to another either on the same exact day or within the same timeframe." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Google I/O 2025 happened earlier this week, and while there was no new hardware to speak of, the company barraged developers with new AI announcements, search features and bafflingly pricy subscriptions. First up is the new AI Mode chatbot in search. AI Mode handles more complex queries than traditional search, somewhere between striking up a chat with Gemini and barreling into a traditional Google search. You could, for example, compare multiple cars you’re considering buying or parse travel options for your next big vacation. AI Mode can simulate how you might look in a new piece of clothing (you have to upload a photo of yourself first to do so), and Google can even track pricing in your size and preferred color. AI Mode augments Google’s AI Overviews, powered by Gemini. You’ve probably seen them summarizing your search requests (and often getting things wrong, in my experience). When the Overviews do get things right, it means you never have to leave Google Search, which is great for Google but not for the places where Google got the answer. In fact, the News/Media Alliance says AI Mode is theft. President and CEO Danielle Coffey said, “Google just takes content by force and uses it with no return, the definition of theft.” The most interesting announcement for me was Google’s latest upgrades to video generation and AI video creation tools. Google It unveiled Veo 3, the first iteration of Google’s AI video generator that can make videos with sound slightly more realistic (less unhinged video). It’s joined by a new filmmaking app called Flow, which is based on the experimental VideoFX feature Google’s been working on for a few years. With Flow, you can edit and extend existing shots, add and choose camera movement and perspective controls and even fold AI video content generated with Veo into projects. But it still looks kinda weird. — Mat Smith Get Engadget's newsletter delivered direct to your inbox. Subscribe right here! The news you might have missed The Dyson PencilVac is the most stick-like stick vacuum ever What to expect at WWDC 2025: A new look, Apple Intelligence and more Google’s most powerful AI tools aren’t for us The best Memorial Day tech sales from Amazon, Apple, Samsung and more So far: laptops, speakers, cordless vacuums. In years past, we’ve seen solid Memorial Day sales on many of our favorite tablets, headphones, charging accessories, robot vacuums and more. That’s on top of all the seasonal items that usually get discounted at this time, like smart grills, pizza ovens and outdoor tech. If you’re tempted but not entirely sold, here’s your reminder that Amazon Prime Day typically happens in July. Maybe you can wait. Continue reading. ​​ Google’s $250 subscription for AI Got too much money? Google Maybe you want access to the most impressive AI features Google revealed this week. Maybe you want to play around with Flow. Well, you need either AI Pro ($20 a month) or the insane $250 sub to AI Ultra for some of the most intriguing, creativity-threatening features. Don’t worry, though! AI Ultra has an introductory offer of $125 for the first three months! What. A. Deal. Google is trying to justify its pricing by including YouTube Premium and 30TB of cloud storage. But YouTube Premium is $14 per month — what about the other $200-plus? Continue reading. OpenAI buys Jony Ive’s design startup for $6.5 billion This week’s technology wildcard. io OpenAI is buying Jony Ive’s startup, io, for $6.5 billion. And to celebrate, it took a black and white photo on an iPhone. Ive and his design studio, LoveForm, will continue to work independently of OpenAI. However, the other cofounders will become OpenAI employees alongside about 50 other engineers, designers and researchers. Does this mean physical OpenAI devices on the horizon? Apparently, it won’t be a phone or a wearable. Continue reading. The Fujifilm X Half is a tiny $850 digital camera With an optional retro date stamp. Fujifilm The latest trend-baiting camera from Fujifilm is, well, adorable. The X Half is an 18-megapixel digital compact camera, but it uses half of a 1-inch sensor to shoot 3:4 vertical photos. The name comes from half-frame cameras that use a 35mm film frame sawed in half, which were popular in the ’60s, like the famous Olympus Pen F. It was great for ’60s photographers, who could double-up the shots on a single roll of film — but that’s not really an issue in the digital era. The X Half has the same 3:4 vertical ratio as Fuji’s Instax Mini instant cameras, so you can make prints using an Instax Mini printer. Fujifilm had a viral hit with the X100 VI, so the even more unique (and tiny!) X Half could appeal to a similar group of shooters. It’s now on pre-order for $850 (in black, charcoal silver and silver) with shipping set to start on June 12. Continue reading. Netflix figured out a way to make ads even worse Yeah, it’s using AI. Netflix will roll out AI-generated ads in 2026, which will play in the middle of a show or whenever users hit pause in its ad-supported plans. Netflix has been steadily increasing subscription costs for its ad-free plans, so maybe 2026 will offer a final push to the pricier subscriptions. Continue reading.This article originally appeared on Engadget at https://www.engadget.com/general/the-morning-after-engadget-newsletter-111549412.html?src=rss

May 21, 2025Ravie LakshmananMalware / Artificial Intelligence Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company. "The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said. First detected in early 2025, the campaign leads unsuspecting users to a spoofed website such as klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-generated images or videos directly in the browser. However, the website does not generate the multimedia count as advertised. Rather, it offers the option to a purported image or video that, in reality, is a malicious Windows executable hidden using double extensions and Hangul Filler (0xE3 0x85 0xA4) characters. The payload is included in a ZIP archive and acts as a loader to launch a remote access trojan and a stealer that then establishes contact with a command-and-control (C2) server and exfiltrates browser-stored credentials, session tokens, and other sensitive data. The loader, besides monitoring for analysis tools such as Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, and Fiddler, makes Windows Registry changes to set up persistence and launches the second-stage by injecting it into a legitimate system process like "CasPol.exe" or "InstallUtil.exe" to evade detection. The second-stage payload, obfuscated using .NET Reactor, is the PureHVNC RAT that contacts a remote server (185.149.232[.]197) and comes with capabilities to steal data from several cryptocurrency wallet extensions installed on Chromium-based browsers. PureHVNC also adopts a plugin-based approach to capture screenshots when window titles matching banks and wallets are opened. Check Point said it identified no less than 70 promoted posts from fake social media pages impersonating Kling AI. It's currently not clear who is behind the campaign, but evidence gathered from the fake website's web page and some of the ads show that they could be from Vietnam. The use of Facebook malvertising techniques to distribute stealer malware has been a tried-and-tested tactic of Vietnamese threat actors, who have been increasingly capitalizing on the popularity of generative AI tools to push malware. Earlier this month, Morphisec revealed that a Vietnamese threat actor has been leveraging fake AI-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile. "This campaign, which impersonated Kling AI through fake ads and deceptive websites, demonstrates how threat actors are combining social engineering with advanced malware to gain access to users' systems and personal data," Check Point said. "With tactics ranging from file masquerading to remote access and data theft, and signs pointing to Vietnamese threat groups, this operation fits into a broader trend of increasingly targeted and sophisticated social media-based attacks." The development comes as The Wall Street Journal reported that Meta is battling an "epidemic of scams," with cyber criminals flooding Facebook and Instagram with various kinds of scams ranging from romance baiting to sketchy bargain ads to fake giveaways. Many of the scam pages are operated from China, Sri Lanka, Vietnam, and the Philippines, the report added. According to Rest of World, phony job ads on Telegram, Facebook, and other social media are being increasingly used to lure young Indonesians and get trafficked to scam compounds in Southeast Asia, from where they are coerced into running investment scams and defraud victims across the world. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

The Super Smash Bros. Melee tournament Full House 2025 finals ended in the most anticlimactic way Sunday — and it’s all because of an extremely rare glitch. The tourney featured a showdown between fourth-ranked Kurtis “Moky” Pratt and Cody Schwab, the second-ranked player in the Melee community. The two players both selected the Melee speed demon Fox McCloud and duked it out at Pokémon Stadium. When the stage transformed into its forest phase, both players were separated by a tree obstacle and began baiting each other to see who would make the first move. Naturally, biding time in Smash Bros. Melee looks like the combatants rapidly dashing in place, a term known in the fighting game community as wavedashing. What is usually seen as mundane baiting quickly evolved into something far more interesting: a rare glitch. greatest commentator curse of all time there’s just no way LMAOOOOO pic.twitter.com/pVktbdfVDS— hungrybox (@LiquidHbox) May 19, 2025 Moky’s Fox was positioned in the splintered tree and idly wavedashed a little too much, triggering a glitch found on the Pokémon Stadium’s forest variant that, when the technique is done perfectly, will allow the player to phase through the stage. Unfortunately, the exploit led Moky to an untimely demise, giving the match to Cody and missing out on a $2,000 payday. Funny enough, guest commentator and Melee player, Juan “Hungrybox” Debiedma, mentioned the glitch possibly happening moments before the incident came to pass. The anticlimactic results stunned everyone in attendance, with Hungrybox screaming at the result and Moky and Cody looking at each other in disbelief. Moky would later head to X (formerly known as Twitter) to vent about the hilarious mishap, posting, “there’s just no way LMAOOOOO.” Polygon reached out to both Moky and Cody for a comment on the 24-year-old glitch, but hasn’t received a response from the pro players. Super Smash Bros. Melee is still kicking after all these years, and regardless of how many more Smash games Nintendo gives us, some players feel that Melee perfected the formula. In the two decades that the game has existed, players have shared numerous reports of glitches; some exploits could cause a Black hole, while others could apparently cause you to potentially lose out on winning $2,000.  

May 14, 2025Ravie LakshmananCybercrime / Cryptocurrency A Chinese-language, Telegram-based marketplace called Xinbi Guarantee has facilitated no less than $8.4 billion in transactions since 2022, making it the second major black market to be exposed after HuiOne Guarantee. According to a report published by blockchain analytics firm Elliptic, merchants on the marketplace have been found to peddle technology, personal data, and money laundering services. "The USDT stablecoin is the primary payment method, with the market having received $8.4 billion in transactions to date," the company said. "Some transactions can be linked to funds stolen by North Korea." Xinbi, like HuiOne, has offered its services to scammers in Southeast Asia, including those responsible for so-called romance baiting schemes (formerly referred to as "pig butchering"), which has become one of the most lucrative forms of cybercrime in recent years. What's notable about these criminal bazaars is that they are entirely run on Telegram, becoming a one-stop shop to avail a wide range of services, ranging from technical tools to money laundering services to pull off online fraud at an industrial scale. Xinbi Guarantee, per Elliptic, has 233,000 users, with merchants broken down to broad categories related to money laundering, Starlink satellite internet equipment, fake IDs, and databases of stolen personal information used to target potential victims. Other vendors go a step further by offering to stalk and intimidate any chosen target within China, provide women to act as egg donors or surrogates, or even engage in sex trafficking, indicating that the illicit services go beyond cyber scams. "The marketplace is seeing strong growth - with Q4 2024 the first quarter to see inflows of more than $1 billion," Elliptic said. "Transaction volumes on Chinese-language Guarantee marketplaces such as Huione and Xinbi Guarantee dwarf those of the first generation of Tor-based darknet marketplaces." But perhaps the most interesting aspect of Xinbi is that it claims to be an "investment and capital-guarantee group company" registered in the U.S. state of Colorado by someone named Mohd Shahrulnizam Bin Abd Manap. According to the state corporate register, the company was incorporated in August 2022. It has since been marked as "Delinquent" for failing to file its periodic reports. Both Xinbi and HuiOne Guarantee have also been used to launder cryptocurrency assets stolen by North Korea following the hack of the Indian cryptocurrency exchange WazirX last July, with $220,000 in USDT sent to the wallet addresses controlled by the former on November 12, 2024. In response to the findings, Elliptic said Telegram has shut down thousands of channels belonging to the two services, effectively disrupting the two largest marketplaces that have engaged in over $35 billion in USDT transactions. The development comes weeks after the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) designated Cambodia-based HuiOne Group as a "primary money laundering concern" in a bid to limit its access to the U.S. financial system. "These platforms also provide a window onto a China-based underground banking system, based around stablecoins and other digital payments, which is being leveraged for money laundering on a significant scale," Elliptic said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    