Malware Activity
Hiding in Plain Sight as Malware Abuses Trust and Everyday Technology
Recent research highlights two cybercrime campaigns that show how attackers are becoming more subtle in the way they steal sensitive data. In the first, attackers compromised Magento-based online stores by hiding credit-card-stealing code inside a nearly invisible, one-pixel SVG image embedded directly in the storefront's HTML. When customers clicked "checkout", they were shown a convincing fake payment form that quietly captured and encrypted their card details before sending them to attacker-controlled servers. In a separate ClickFix-style campaign against macOS users, attackers used fake Apple-themed web pages to walk victims through launching Script Editor, a built-in and trusted macOS tool, and running hidden malicious code in it. Because the lure relied on a legitimate Apple application rather than a downloaded binary, it bypassed newer Apple security warnings and installed Atomic Stealer, which harvests passwords, browser data, cryptocurrency wallets, and financial information. Together, these campaigns demonstrate how attackers are shifting away from obvious malware tactics and instead abusing trusted technologies and user habits to remain hidden longer and raise their success rate. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Hackers Use Pixel-Large SVG Trick to Hide Credit Card Stealer
- BleepingComputer: New macOS Stealer Campaign Uses Script Editor in ClickFix Attack
Threat Actor Activity
UNC6783 Targets BPOs and Zendesk Support in Ongoing Data Extortion Campaign
Google Threat Intelligence Group (GTIG) recently highlighted ongoing activity from a financially motivated threat actor tracked as UNC6783, linked to a persona known as "Raccoon", that continues to target high-value enterprises across multiple sectors. The actor's primary strategy is to compromise the business process outsourcing (BPO) providers that support these organizations, though direct targeting of internal helpdesk and support teams has also been observed. Attacks rely heavily on social engineering and commonly abuse live-chat interactions to redirect employees to spoofed Okta login pages hosted on domains impersonating the victim organization, delivered through legitimate Zendesk infrastructure, often following an
- BleepingComputer: UNC6783 New Campaign
- SecurityWeek: UNC6783 New Campaign
- Cyber News Network: UNC6783 IOCs and TTPs Campaign Report
Vulnerabilities
Adobe Reader Zero-Day Campaign Leveraging Malicious PDFs for Data Theft and Full System Compromise
Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least December 2025, using socially engineered PDF lures (such as "Invoice540.pdf") to entice victims into opening malicious files. These PDFs execute obfuscated JavaScript as soon as they are opened, with no further user interaction, and abuse unpatched functionality to invoke privileged Acrobat APIs (including util.readFileIntoStream and RSS.addFeed), enabling extensive local data harvesting, system fingerprinting, and exfiltration to attacker-controlled infrastructure. The campaign, identified by EXPMON researcher Haifei Li, has been observed for months and is confirmed to work against fully updated Adobe Reader versions, which significantly elevates its risk profile. The exploit operates as a multi-stage framework that can retrieve additional payloads and facilitate follow-on activity, including potential remote code execution (RCE) and sandbox escape (SBX), which together could grant full control of the system. Analysis also shows Russian-language phishing lures tied to oil and gas sector events, indicating targeted social engineering. With the final payload conditions still unclear and no patch currently available, defenders are advised to monitor for indicators such as "Adobe Synchronizer" in HTTP/HTTPS User-Agent strings and to restrict the opening of untrusted PDFs (since the chain depends on Acrobat JavaScript, disabling it where it is not needed removes the entry point), as the campaign represents a high-confidence, actively exploited threat requiring immediate vigilance.
- BleepingComputer: Adobe Reader Zero-Day Vulnerability
- The Hacker News: Adobe Reader Zero-Day Vulnerability
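The User-Agent indicator named above is only useful if it is separated from expected traffic: Acrobat's own synchronizer component can carry the same string when it reaches Adobe's services, so a bare substring match produces noise. The triage script below, an added example that is not code from the EXPMON or vendor write-ups, parses proxy log lines, keeps only records whose User-Agent contains the indicator (case-insensitively), and splits them into Adobe-bound hits (baseline candidates) and hits to other destinations (the ones to investigate), then groups the latter by source host for pivoting. The tab-separated log format, the sample lines, the host `cdn-telemetry.example.net` and the Adobe domain allowlist are constructed assumptions; adapt the field list to your proxy's real format.

```python
"""Triage web-proxy logs for the "Adobe Synchronizer" User-Agent indicator and
separate Adobe-bound traffic from unexpected destinations.

Added example, not from the cited reporting. Log format, sample lines and the
Adobe domain allowlist are constructed assumptions for the demonstration.
"""
import csv
import io
from collections import defaultdict

INDICATOR = "adobe synchronizer"
# Assumed allowlist: the legitimate synchronizer talks to Adobe services, so
# those destinations are reported separately (for baselining), not ignored.
ADOBE_SUFFIXES = (".adobe.com", ".adobe.io", ".acrobat.com")
# Assumed tab-separated proxy export; adjust to the real format in use.
FIELDS = ["ts", "src_ip", "method", "host", "path", "status", "user_agent"]


def _in_allowlist(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in ADOBE_SUFFIXES)


def triage(log_text):
    """Return {'suspicious': [...], 'adobe_bound': [...]} for records whose
    User-Agent carries the indicator; each record gets a 'note' field."""
    out = {"suspicious": [], "adobe_bound": []}
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS, delimiter="\t")
    for rec in reader:
        ua = (rec.get("user_agent") or "").lower()
        if INDICATOR not in ua:
            continue
        if _in_allowlist(rec.get("host")):
            rec["note"] = "indicator present, Adobe destination; baseline candidate"
            out["adobe_bound"].append(rec)
        else:
            rec["note"] = "indicator present, non-Adobe destination; investigate source host"
            out["suspicious"].append(rec)
    return out


def hosts_by_source(findings):
    """Group suspicious destinations by internal source IP for pivoting."""
    grouped = defaultdict(set)
    for rec in findings["suspicious"]:
        grouped[rec["src_ip"]].add(rec["host"])
    return {src: sorted(hosts) for src, hosts in grouped.items()}


# Constructed sample log: one Adobe-bound sync request, two requests from the
# same workstation to an unrelated host with the indicator (one lowercase
# variant), and one ordinary browser request that must be ignored.
SAMPLE_LOG = "\n".join([
    "2026-01-12T09:14:03Z\t10.20.4.17\tGET\texample.adobe.com\t/update/check\t200\tAdobe Synchronizer",
    "2026-01-12T09:14:05Z\t10.20.4.17\tPOST\tcdn-telemetry.example.net\t/u/i\t200\tAdobe Synchronizer",
    "2026-01-12T09:15:10Z\t10.20.4.22\tGET\twww.example.org\t/\t200\tMozilla/5.0 (Macintosh) Safari/605.1.15",
    "2026-01-12T09:16:44Z\t10.20.4.17\tGET\tcdn-telemetry.example.net\t/u/s?id=7\t200\tadobe synchronizer/1.0",
])

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["suspicious"]:
        print(rec["ts"], rec["src_ip"], "->", rec["host"], rec["path"], "|", rec["note"])
    print("pivot:", hosts_by_source(result))
```

Treat a non-Adobe hit as a lead to correlate with the source host's recent file activity (a freshly opened PDF from mail or a download folder), not as a verdict on its own; a legitimate third-party service could also appear here, and the allowlist above will need tuning to what your environment's Acrobat installs actually contact.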

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
