Cat (@coolestcatiknow)'s Twitter Profile
Cat

@coolestcatiknow

Infosec-er, nerd, artist and vet. Work @mitreattack as a leader and contributor. 💖🍎🐧👩‍💻. Opinions are like 🐰🕳, they change the more you know.

ID: 878338535195103235

Link: http://catalystcode.org
Date: 23-06-2017 19:46:40

1,1K Tweets

2,2K Followers

333 Following

Patrick Wardle (@patrickwardle)

New from Lorenzo Franceschi-Bicchierai, confirmation that the advanced cross-platform cyberespionage backdoor 'Careto' was (as long suspected?) run by Spain 🇪🇸👀 Read: "Mysterious hacking group Careto was run by the Spanish government": techcrunch.com/2025/05/23/mys…

Patrick Wardle (@patrickwardle)

Stoked for Jaron Bradley's soon-to-be-released 2nd book: "Threat Hunting macOS" 😍📚 (And was honored to write its foreword). Jaron is an outstanding researcher, speaker, trainer, & friend, and this book will become an essential macOS security resource. linkedin.com/feed/update/ur…

Yash Gupta (@yash3667)

Secure Boot focused role within SEAR at Apple. Come join a highly impactful team working on some of the most fun problems in this space! jobs.apple.com/en-us/details/…

NtAlertThread (@elementalx2)

New Research!

seqrite.com/blog/operation…

We have found an interesting campaign targeting an entity of Chinese telecom with VELETRIX implant. The implant uses anti-sandbox, shellcode obfuscation technique via IPv4 and execution via EnumCalendarInfo leading to Vshell implant.

Craig Rowland - Agentless Linux Security (@craighrowland)

Full blog post of this thread here for sharing about finding packet sniffers on Linux with /proc/net/packet inspection. sandflysecurity.com/blog/detecting…

Moonlock Lab (@moonlock_lab)

1/8: Our team investigated yet another #macOS #stealer hidden behind a fake CleanMyMac website. It all started with an impersonating domain: cleanmymacpro[.]net, and resulted in a chain of hidden requests. Here's how the malware is delivered and what tricks are used 👇

Objective-See Foundation (@objective_see)

Not only is Huntress a generous supporter of our Foundation, they also consistently publish top-notch research on emerging macOS threats 🤩 Their latest (by alden & Stuart Ashenbrenner 🇺🇸 🇨🇦): "Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion": huntress.com/blog/inside-bl…

Virus Bulletin (@virusbtn)

Securonix researchers look into a campaign that uses .lnk files to deliver remote payloads hosted on attacker-controlled Cloudflare Tunnel subdomains. This leads to a Python-based shellcode loader that executes Donut-packed payloads entirely in memory. securonix.com/blog/analyzing…

Patrick Wardle (@patrickwardle)

⏳ Just one week left to submit your talk to #OBTS v8 objectivebythesea.org/v8/cfp.html (CFP closes June 30th). We've expanded to 3 days of talks this year, making room for even more cutting-edge research + first-time speakers. So submit your Apple security-themed proposal today!

Cyber Detective💙💛 (@cyb_detective)

Telegram Intelligence: Getting Started Guide for Analysis

Guide by Braian Arroyo and Marcos Volpe:

- Existing structures in Telegram
- User profiling: Basic Profile Data, URL structure,
- Telegram Bots
- Recommended Safety Practices
- Telegram dorks

ciberprisma.org/2025/04/20/tel…

TeamT5 (@teamt5_official)

✨Call for Presentations✨
TeamT5 Threat Analyst Summit encourages pioneering research that addresses not only technical challenges but also the legal, policy, economic, psychological, and societal aspects of #cybersecurity.

More detail👉pse.is/7kbept
#CFP #summit

John Hammond (@_johnhammond)

Malware sample by a Discord CDN redirect from an alleged Xbox game ROM -- with a few clever tricks! Hiding a payload within the RGB color values of an embedded image inside a wallpaper picture... stored, saved and served on the Internet Archive 😂😬🙃 youtu.be/LwKOS10lblk

Samuel Groß (@5aelo)

V8 Security is hiring in Munich, Germany: google.com/about/careers/… Great opportunity to work on some really hard and interesting problems in the security space!

LaurieWired (@lauriewired)

New Linux Drama.

> Bcachefs (filesystem) wants to be in kernel
> dev pushes PR after merge-window
> claims bugfix, user data at risk
> Linus says nah, that's a new feature
> HUGE Flamewar begins

tl;dr Bcachefs is not in kernel anymore lol

Matt Johansen (@mattjay)

🚨 New macOS backdoor alert: North-Korean hackers are disguising a Zoom update that drops malware built to hijack laptops and steal data & passwords.

If you or your devs run macOS, keep scrolling.👇

Virus Bulletin (@virusbtn)

Elastic Security Labs has observed multiple campaigns that appear to be leveraging commercial AV/EDR evasion framework SHELLTER to load malware. SHELLTER is a commercial evasion framework that helps red teams bypass AV and EDR tools. elastic.co/security-labs/…

Group-IB Threat Intelligence (@groupib_ti)

Since 2020, over 620 drivers, 80+ certificates, and 60+ WHCP accounts have been associated with threat actor campaigns. From investigating the dataset, we identified overlaps in certificates and #WHCP accounts used to sign drivers used by unrelated threat actors and groups—the