
Ankura CTIX FLASH Update – January 6, 2026

Malware Activity

Malware Threats Targeting Developers and Users

A new wave of cyber threats is actively targeting both developers and everyday users. The “GlassWorm” malware campaign has shifted its tactics to infect macOS systems via malicious extensions for coding platforms like VSCode, aiming to steal passwords, cryptocurrency keys, and even hijack wallets. Attempts to replace legitimate wallet software are currently unsuccessful. Despite warnings, over 33,000 downloads of these harmful extensions highlight their widespread reach. Simultaneously, cybersecurity experts have uncovered a low-cost, highly obfuscated Python-based malware called VVS Stealer, which is designed to stealthily extract sensitive data such as Discord credentials, browser info, and cookies. This malware can hijack active sessions and is often used by cybercriminals to spread further attacks, turning compromised systems into tools for larger malicious activities. Both threats emphasize the importance of vigilance. Developers and users are urged to delete suspicious software, update passwords, and monitor their systems for signs of infection to safeguard their data and digital assets. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity

DarkSpectre’s Zoom Stealer Campaign Exploits Browser Extensions to Collect Meeting Data

The Zoom Stealer campaign, uncovered by Koi Security, affects 2.2 million users across Chrome, Firefox, and Microsoft Edge through eighteen (18) extensions that collect data related to online meetings, such as URLs, IDs, topics, descriptions, and embedded passwords. This campaign is attributed to the China-linked threat actor DarkSpectre, which has targeted over 7.8 million users over seven (7) years through other campaigns like GhostPoster and ShadyPanda. DarkSpectre’s activities are linked to Chinese infrastructure, with evidence including ICP registrations and code artifacts featuring Chinese-language elements. The campaign targets twenty-eight (28) video-conferencing platforms, collecting extensive meeting data that is exfiltrated via WebSocket connections. This data can be leveraged for corporate espionage, social engineering attacks, or selling meeting links to competitors. The extensions, including Chrome Audio Capture and Twitter X Video Downloader, are functional and remain on the Chrome Web Store despite being reported. DarkSpectre’s systematic collection of meeting data allows for potential large-scale impersonation operations, posing significant security threats. CTIX analysts recommend that users review extension permissions carefully and limit their use to minimize risk.


Vulnerabilities

Over 10,000 Fortinet Firewalls Remain Exposed to a Long-Exploited 2FA Bypass Flaw

More than 10,000 Fortinet FortiGate firewalls remain exposed online and vulnerable to active exploitation of a critical two-factor authentication bypass flaw first patched in July 2020. The vulnerability, tracked as CVE-2020-12812, allows attackers to bypass FortiToken 2FA by altering the case of usernames under specific LDAP configurations, enabling unauthorized access to unpatched systems. Despite long-standing guidance from Fortinet and warnings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the issue continues to be abused in the wild, including in ransomware activity. Recent telemetry from Shadowserver shows over 1,300 vulnerable devices located in the United States alone. The continued exposure highlights a broader trend of threat actors persistently targeting Fortinet products, including newer authentication bypass and zero-day flaws, and mirrors past state-sponsored activity such as exploitation by Volt Typhoon, underscoring the ongoing risk posed by delayed patching and insecure configurations in perimeter security infrastructure. CTIX analysts urge all administrators and cybersecurity personnel to ensure that their infrastructure security stays as current as possible to prevent exploitation.
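Because the bypass described above hinges on a username being accepted in a different letter case than the account was provisioned with, one defensive check is to hunt authentication logs for successful LDAP logins whose username spelling differs only in case from another observed spelling and that completed without a second factor. The following is an added example, not Ankura's or Fortinet's code; the log lines and their key=value layout are constructed for illustration and do not reproduce the real FortiGate log format.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical format, not real FortiGate logs).
SAMPLE_LOGS = """\
2026-01-05T08:01:12Z user="alice" action=login status=success method=ldap token=2fa
2026-01-05T08:05:40Z user="ALICE" action=login status=success method=ldap token=none
2026-01-05T09:12:03Z user="bob" action=login status=success method=ldap token=2fa
2026-01-05T09:15:55Z user="bob" action=login status=success method=ldap token=2fa
2026-01-05T10:30:21Z user="Carol" action=login status=failed method=ldap token=none
"""

LINE_RE = re.compile(
    r'user="(?P<user>[^"]+)"\s+action=login\s+status=(?P<status>\w+)'
    r'\s+method=(?P<method>\w+)\s+token=(?P<token>\w+)'
)


def parse_events(log_text):
    """Yield one dict per recognisable login line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.groupdict()


def find_case_variant_logins(log_text):
    """Return (username_as_logged, all_case_variants_seen) for each successful
    LDAP login that (a) completed with no second factor and (b) used a spelling
    of the username that differs only in case from another spelling in the log.
    Two separate spellings of one account is the signal the case-altering bypass
    would leave behind, so each hit deserves manual review."""
    events = list(parse_events(log_text))
    variants = defaultdict(set)
    for event in events:
        variants[event["user"].lower()].add(event["user"])

    findings = []
    for event in events:
        seen = variants[event["user"].lower()]
        if (event["status"] == "success" and event["method"] == "ldap"
                and event["token"] == "none" and len(seen) > 1):
            findings.append((event["user"], sorted(seen)))
    return findings


if __name__ == "__main__":
    for user, spellings in find_case_variant_logins(SAMPLE_LOGS):
        print(f"review: 2FA-less LDAP login as {user!r}; spellings seen {spellings}")
```

On the constructed sample this flags only the uppercase "ALICE" login, while "bob" (one spelling) and "Carol" (failed login) are ignored; on real data, run it against exported authentication logs and treat each hit as a lead to confirm, not a verdict.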
