The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8 and stems from improper input validation in the system’s command-line interface.

According to Cisco’s advisory, the flaw stems from insufficient sanitization of user-supplied input during the processing of uploaded files.

An authenticated attacker can exploit this weakness by uploading a specially crafted file, which triggers command injection and enables privilege escalation to the root user.

Once root access is obtained, attackers can fully compromise the SD-WAN management plane, manipulate configurations, and potentially impact connected edge devices. The attack requires netadmin-level privileges, meaning the threat is not directly exploitable by unauthenticated actors.

Cisco SD-WAN Vulnerability Exploit

However, Cisco warns that attackers may chain this vulnerability with other known flaws, such as CVE-2026-20182 or CVE-2026-20127, to gain the necessary access.

This significantly increases the risk in real-world environments where credential compromise or chained exploitation is feasible. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been exploited in limited attacks.

In observed cases, threat actors used the flaw to push unauthorized configuration changes to SD-WAN edge devices. This suggests post-exploitation activity aimed at persistence, lateral movement, or traffic manipulation within enterprise networks.

The vulnerability affects all Cisco Catalyst SD-WAN Manager deployments, including on-premises, Cisco SD-WAN Cloud, Cloud-Pro, and government (FedRAMP) deployments.

Systems exposed to the internet are considered at higher risk, especially if management interfaces are accessible externally. At the time of disclosure, Cisco had not released a software patch to address the issue, and no workarounds were available.

The company has advised customers to upgrade to a previously released fixed software version referenced in its May 2026 advisory. However, a dedicated fix for this specific vulnerability is still pending.

Cisco has provided guidance to help organizations detect potential compromise. Administrators are urged to review the scripts.log file located in /var/log/ for suspicious entries.

One example is the execution of commands such as “/usr/bin/vconfd_script_upload_tenant_list.sh” with unexpected file paths, such as malicious CSV uploads.

However, Cisco notes that these log entries may also appear during legitimate operations, making careful analysis essential to avoid false positives.

To support incident response efforts, organizations are strongly advised to collect forensic data using the “request admin-tech” command before applying any upgrades.

This ensures preservation of critical evidence that may help determine the extent of compromise. Cisco also recommends reviewing device configurations and logs after upgrading, as patching alone may not remediate systems that have already been breached.

If indicators of compromise are identified, customers should engage Cisco TAC for guided remediation steps. Simply upgrading affected systems without addressing persistence mechanisms or unauthorized changes may leave networks exposed.

This vulnerability was reported by Mandiant, highlighting ongoing collaboration between vendors and threat intelligence teams in identifying active threats.

Given the active exploitation and lack of immediate fixes, organizations using Cisco SD-WAN should prioritize access control, monitoring, and log analysis to reduce risk while awaiting a permanent patch.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User appeared first on Cyber Security News.

Traditional X.509 certificate chains require significant bandwidth, which would increase substantially with the adoption of robust post-quantum algorithms. MTCs solve this by replacing the heavy, serialized chain of signatures with compact Merkle Tree proofs.

Earlier this year, Google unveiled Merkle Tree Certificates to Shield HTTPS Against Quantum Threats, as Chrome is spearheading the transition to Merkle Tree Certificates (MTCs). 

For years, post-quantum cryptography discussions prioritized encryption over authentication. The logic was sound: “harvest now, decrypt later” attacks make encrypted traffic immediately vulnerable, while forging authentication signatures requires a live Cryptographically Relevant Quantum Computer (CRQC). That window is closing fast.

The NSA’s CNSA 2.0 suite mandates that national security systems migrate to post-quantum algorithms by 2030–2035. NIST’s draft transition guidance (IR 8547) would deprecate RSA-2048 and P-256 after 2030 and disallow them after 2035.

The EU’s post-quantum roadmap targets high-risk systems by the end of 2030. Most significantly, Google announced a 2029 migration deadline for its services, and Cloudflare issued a parallel commitment.

Go 1.27 also added ML-DSA, a NIST-standardized post-quantum signature scheme, directly to its standard library, signaling infrastructure readiness.

The Web PKI’s scale makes naive post-quantum migration painful. ML-DSA-44, one of NIST’s smaller standardized schemes, produces signatures of ~2,420 bytes, nearly 38× larger than ECDSA-P256’s 64 bytes.

A typical TLS handshake carries five signatures and two public keys. Swapping these with ML-DSA equivalents pushes a single handshake well beyond 10 KB.

Cloudflare’s research confirms the consequence: at that scale, a meaningful share of real-world TLS connections fail outright, and the rest slow down. Degrading every TLS connection globally is too steep a tradeoff for a threat that hasn’t yet materialized.

Let’s Encrypt Unveils Merkle Tree Certificates

MTCs reframe how certificates are issued and verified. Instead of signing each certificate individually, a CA issues certificates in batches, with a single post-quantum signature covering the entire batch. Clients (browsers) maintain these batch signatures, called landmarks, independently of the TLS handshake.

The result: an MTC handshake carries just one signature, one public key, and one inclusion proof smaller than today’s Web PKI handshake, even while using post-quantum algorithms.

MTCs also bake in Certificate Transparency by design. Every certificate exists as part of a published Merkle tree, making transparency intrinsic to issuance rather than bolted on afterward. Let’s Encrypt has operated CT logs built on Merkle trees since 2019, giving it direct operational experience with the core data structure.

The MTC ecosystem is already mobilizing:

• Cloudflare and Chrome are running a live MTC feasibility experiment against real internet traffic
• The IETF’s PLANTS working group is actively standardizing the design
• Chrome has declared MTCs its preferred path for post-quantum certificates on the public web

Let’s Encrypt is targeting a staging MTC environment in late 2026 and a production-ready environment in 2027. The rollout requires big changes across issuance infrastructure, the ACME protocol (RFC 9881), revocation tooling, and CT log infrastructure.

For existing subscribers, nothing changes today. Certificates will continue to be issued via ACME exactly as before. ACME client maintainers, however, should begin tracking the PLANTS working group and the mtcs@chromium.org mailing list now, as client-side changes will be required.

For server operators, the most urgent action today remains enabling hybrid post-quantum key exchange (X25519MLKEM768) the primary defense against harvest-now-decrypt-later attacks on encrypted traffic.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Let’s Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats appeared first on Cyber Security News.

Tracked as CVE-2026-45495 and reported by Orange Tsai of DEVCORE, the flaw carries a CVSS v3 score of 7.5 and requires user interaction, for example, visiting a malicious webpage or opening a crafted file, to be exploited.

The vulnerability stems from improper validation during Edge’s processing of feedback log files. Specifically, Edge failed to properly validate a user-supplied file path before performing file operations.

An attacker who can trick a user into opening a malicious file or visiting a crafted page could exploit this flaw alongside other bugs to run code in the logged-in user’s context.

Because the exploit runs with the current user’s privileges, the impact ranges from data theft and browser profile compromise to local persistence or lateral movement where higher privileges exist.

According to the public advisory, the root cause is a path-validation defect in feedback log handling. By supplying a specially crafted path, an attacker can influence file operations in an unintended location.

While Microsoft’s advisory does not publish exploit code, the vulnerability’s characteristics (file-access path manipulation plus the need for user interaction) make social-engineering vectors malicious attachments, drive-by pages, or poisoned downloads—likely delivery mechanisms.

Microsoft’s release also coordinated updates for two additional Edge flaws discovered by the same researcher group:

• CVE-2026-45494 (CVSS 5.0): A navigation-handling weakness that can enable cross-origin script injection; user interaction required.
• CVE-2026-45492 (CVSS 4.3): Insufficient origin validation in cross-device managed sign-in, which can expose restricted functionality and be chained with other issues.

Microsoft has published fixes and urged users and administrators to apply updates immediately. Recommended actions:

• Update Edge to the latest stable release via Microsoft Update or the Edge About page.
• Apply operating system patches if prompted by Microsoft Update.
• Block or scrutinize untrusted attachments and links in email and messaging apps.
• Use least-privilege accounts for daily activities to limit exploit impact.
• Monitor endpoint detection systems for unusual file operations or new persistence mechanisms linked to browser processes.

The vulnerabilities were reported to Microsoft on May 20, 2026, with coordinated public advisories released and updated on June 4, 2026. Orange Tsai (@orange_8361) of the DEVCORE Research Team (@d3vc0r3) is credited with the findings.

Administrators should prioritize the CVE-2026-45495 update given its code-execution potential and ensure patching across user endpoints to reduce exposure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code appeared first on Cyber Security News.

Beginning Sunday, May 31, 2026, an external threat actor launched a high-volume brute-force campaign targeting Dashlane user accounts. The attacker focused specifically on the platform’s device registration API endpoints, flooding them with automated requests designed to guess the 6-digit one-time tokens sent via email or generated by authenticator apps.

Dashlane’s automated security controls responded as intended, triggering account lockouts across targeted accounts before the attack was fully contained.

The threat actor exploited Dashlane’s device registration flow, which is triggered whenever a user adds a new device, such as a mobile phone or computer, to their account.

Upon successful 2FA verification, Dashlane registers the device and automatically downloads a copy of the encrypted vault to that device. By brute-forcing valid 6-digit tokens for a subset of accounts, attackers were able to complete the registration flow, effectively authorizing the device and downloading encrypted vault copies without the account holder’s knowledge.

Fewer than 20 personal plan users had their encrypted vaults exfiltrated. All affected users were directly notified by Dashlane.

Despite the vault downloads, Dashlane maintains that the stolen data remains effectively inaccessible. Vault contents are protected by the user’s Master Password, which is never transmitted to Dashlane servers in plaintext and is never stored a core principle of Dashlane’s zero-knowledge architecture.

The encryption stack Argon2 + AES-256-CBC + HMAC-SHA256 makes brute-forcing the Master Password statistically infeasible even over extended timeframes. There is no evidence that Dashlane’s internal infrastructure was compromised at any point during the incident.

On June 4, 2026, Dashlane announced the completion of its investigation, confirming no additional customer impact. Remediation steps included:

• Blocking malicious traffic at the network level.
• Reactivating suspended and locked-out user accounts.
• Deploying additional verification layers to the device registration flow.
• Hardening API endpoint protections to detect and filter future malicious traffic.

The incident underscores that even robust password managers can be targeted at the authentication perimeter rather than the encryption layer itself, making strong 2FA configuration and Master Password hygiene critical defensive controls for all users.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Dashlane Details How Hackers Managed to Download Encrypted Password Vaults appeared first on Cyber Security News.

The findings highlight a growing supply chain risk in agent ecosystems, where skills serve as reusable components that can execute code and influence model behavior.

The Trail of Bits research shows that attackers can evade detection mechanisms using simple obfuscation and packaging tricks rather than advanced exploitation techniques.

In one case targeting ClawHub, researchers inserted over 100,000 newline characters to push malicious code beyond the scanner’s inspection window.

This caused truncation in the analysis pipeline, allowing harmful logic to pass undetected while also confusing integrated scanning engines such as VirusTotal’s Code Insight.

ClawHub, Cisco, Vercel Skill Checks Bypassed

Further testing against Cisco’s open-source skill-scanner and Vercel’s skills.SH integrations revealed additional weaknesses. These platforms rely on a mix of static analysis, pattern matching, and LLM-based inspection.

However, Trail of Bits researchers found these defenses can be bypassed when malicious content is hidden in less obvious formats, such as compiled Python bytecode (.pyc) or archive-based files like..docx.

One demonstrated attack involved a seemingly benign text-formatting skill that included precompiled Python bytecode.

While the visible source code appeared harmless, the bytecode secretly extracted environment variables, enabling potential data exfiltration.

Because scanners focused primarily on readable source files, the malicious payload remained undetected and was classified as safe.

Another effective technique used indirect execution paths. A skill instructed the AI agent to retrieve operational logic from a document containing a hidden script.

This method bypassed both signature-based detection and LLM reasoning, as the malicious behavior was not directly exposed in the primary skill definition.

Trail of Bits Researchers also successfully used prompt injection to manipulate LLM-based scanners. In one example, a skill disguised a malicious package registry configuration as a standard enterprise setup.

By framing the behavior as a legitimate corporate requirement, the scanner downgraded the risk to low severity. It approved the skill, despite its potential to redirect dependency installations to attacker-controlled infrastructure.

These bypasses underscore fundamental limitations in current scanning approaches. Static analysis struggles with complex or hidden file formats. At the same time, LLM-based systems can be misled by persuasive or contextually framed instructions.

Additionally, constraints such as limited context windows and selective file inspection create blind spots that attackers can exploit repeatedly.

The issue is compounded by the rapid growth of public skill marketplaces, where users can install third-party skills with minimal verification.

Unlike curated environments, these platforms often prioritize usability and speed over rigorous security controls, increasing exposure to malicious uploads.

Trail of Bits researchers conclude that automated scanning alone is insufficient to secure AI skill ecosystems.

They recommend adopting traditional supply chain security practices, including curated repositories, strict access controls, and version pinning.

Until stronger safeguards are developed, organizations are advised to treat all public AI skills as untrusted code and avoid deploying them in sensitive environments.

The post ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills appeared first on Cyber Security News.

The platform enables Claude, GPT, VS Code Copilot, Cursor, and any MCP-compatible AI agent to autonomously orchestrate penetration testing workflows, vulnerability discovery, and enterprise evasion payloads, replacing days of manual tooling with minutes of AI-driven analysis.

HexStrike AI operates as a FastMCP server that bridges large language models (LLMs) with a curated arsenal of offensive security tools.

The architecture positions an Intelligent Decision Engine as the orchestration brain, analyzing targets, selecting optimal tooling, and executing multi-phase assessments without requiring constant human direction.

The platform supports six AI client integrations out of the box: Claude Desktop, Cursor, VS Code Copilot, Roo Code, 5ire (partial), and any standards-compliant MCP agent.

BOAZ Red Team Integration

The most operationally significant addition in this fork from Muhammad Osama, Yenn503, and Aoxley is the full integration of BOAZ (Bypass, Obfuscate, Adapt, Zero-Trust) developed by Thomasxm, an open-source multilayered AV/EDR evasion framework.

BOAZ is wired into HexStrike through five dedicated MCP tools and transforms the platform from a scanning engine into a complete red team payload pipeline.

The BOAZ workflow within HexStrike follows a defined payload pipeline: MSFVenom generation → entropy analysis → BOAZ evasion layer → enterprise-grade stealth binary.

127- Security Tools Arsenal

HexStrike ships with 127 classified security tools, of which 53 are auto-installed via install/install_all.sh and the remaining 74 require manual installation due to licensing constraints, specialized dependencies, or platform-specific requirements.

Manual installation targets tools with broader enterprise impact: wireless (aircrack-ng, kismet), cloud auditing (kube-hunter, scout-suite, checkov, terrascan, falco), web proxy (Burp Suite, ZAProxy), and OSINT platforms (Maltego, Censys-CLI).

Full installation requires approximately 24 GB of disk space and 60–90 minutes of compile time the bulk attributable to building the LLVM-based Akira and Pluto obfuscators from source (~30 minutes each). The fork is available to clone from GitHub.

HexStrike AI explicitly scopes legitimate use to: authorized penetration testing engagements with written permission, bug bounty program participation within defined scope, CTF competitions, and red team exercises with organizational approval.

Unauthorized testing, data exfiltration, and malicious activities are explicitly prohibited in the project documentation.

Check Point Research previously highlighted the dual-use risk of LLM orchestration frameworks like HexStrike, noting that the same abstraction layer that makes the tool powerful for defenders can direct offensive capabilities at scale with minimal human oversight a risk vector that security teams must account for in their defensive posture.

The post HexStrike AI RED-TEAM With 127 Security Tools and BOAZ Red Team Integration appeared first on Cyber Security News.

Instead of obvious phishing pages, these sites look almost identical to real project portals, complete with professional designs and links pointing to actual GitHub repositories.

The moment a user clicks the download button, something very different happens behind the scenes.

Rather than getting the software they came for, victims are silently routed through a hidden traffic-filtering layer known as a Traffic Distribution System, or TDS.

This system acts as a gatekeeper, deciding which users get redirected to malware and which receive a harmless file. It screens for location, browser type, VPN usage, and whether a security researcher might be watching, making it extremely difficult to detect or catch in the act.

Analysts at Check Point Research investigated this large-scale campaign and found that the fake sites load a JavaScript script hosted on Amazon’s CloudFront network.

This script intercepts the very first download click and quietly hands the user off to the TDS, with no visible sign that anything unusual has occurred.

Check Point said in a report shared with Cyber Security News (CSN) that the operation specifically targets tools trusted by security professionals, including Ghidra, dnSpy, and SpiderFoot.

The campaign has been active since at least December 2025, with recorded malware delivery confirmed from early January 2026. VirusTotal telemetry shows more than 5,000 submissions tied to related samples, and researchers note the real exposure is likely much higher.

The fact that the impersonated tools are used daily by security researchers makes this campaign particularly alarming, since it targets the very people trained to spot these threats.

Three distinct malware families serve as the final payloads. RemusStealer is a newly emerged infostealer targeting data from more than 20 browsers, including cryptocurrency wallets, password managers, and two-factor authentication tools.

AnimateClipper silently monitors the clipboard and swaps copied wallet addresses with attacker-controlled ones, potentially redirecting real funds without the victim ever realizing it.

A third payload named SessionGate is a multi-stage loader with heavy obfuscation and one-time-key delivery that makes it extraordinarily difficult for analysts to examine.

Hackers Impersonate Ghidra, dnSpy, and SpiderFoot

More than 100 active fake websites have been identified in this cluster, all sharing the same CloudFront-hosted scripts and campaign identifiers.

Sites like ghidralite[.]com and dnspy[.]org appear near the top of Google results for relevant queries, lending them a false sense of authority.

When a user hovers over the download button, the browser status bar even shows a real GitHub URL, so cautious users may not notice anything is wrong.

The JavaScript loaded by these pages listens for the user’s first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event.

It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely. The victim ends up somewhere completely different from where they intended, and the whole process is invisible.

SessionGate: Built to Resist Every Analyst

Among all payloads found, SessionGate stood out for how aggressively it resists analysis.

The initial downloaded file is a 7-Zip archive around 20 MB, but the actual executable inside is only 15 MB, with the remaining 5 MB being obfuscated loader code designed to break tools like IDA’s decompiler.

Functions can exceed 500 KB in size, and encrypted strings are placed inside code regions to confuse disassemblers further.

The decryption key for the final payload stage is generated server-side and released only once per victim session. If a researcher tries to replay the chain from a different IP address, the server returns a valid-looking but useless key, making the payload completely unreadable.

Security teams are strongly advised to download software exclusively from official project pages or verified repositories, verify file hashes after downloading, and actively monitor outbound connections to the C2 domains and infrastructure identified in this campaign.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites appeared first on Cyber Security News.

The campaign hit dozens of packages across multiple maintainer accounts in a rolling wave that lasted less than two hours, making it a fast and highly efficient supply chain strike.

The attack compromised 57 npm packages across more than 286 malicious versions on June 3, 2026. The largest target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with over 408,000 monthly downloads, struck first at 23:30 UTC on that day.

Within an hour, more than 50 additional packages belonging to the maintainer jagreehal were also poisoned, including ai-sdk-ollama, which counts more than 120,000 monthly downloads.

Researchers at StepSecurity identified and analyzed the full attack chain, naming the technique “Phantom Gyp.”

StepSecurity report, shared with Cyber Security News (CSN), explains how the attacker exploited a 157-byte binding.gyp file to trigger code execution during installation, completely sidestepping the preinstall and postinstall lifecycle checks that most security scanners are built to catch.

The payload is a new variant of the Miasma worm, a self-spreading supply chain malware family that had already hit 32 packages under the @redhat-cloud-services npm namespace just two days earlier.

The attacker left a taunt in 195 GitHub repository descriptions, a reversed string that decodes to “Shai-Hulud: Here We Go Again,” a direct reference to StepSecurity’s prior Red Hat analysis. This attack is not random; it is calculated and persistent.

binding.gyp Supply Chain Attack

The binding.gyp method works because npm automatically runs node-gyp rebuild when it spots that file, treating it as a signal the package contains native C or C++ code.

The attacker embedded a shell command using gyp’s own command substitution syntax, silently launching a malicious payload while returning a fake source filename so the build shows no errors. Tools that only scan package.json for install scripts see nothing suspicious at all.

The malicious root index.js weighs 4.5 MB while the legitimate package entry point is only 27 KB, a size gap that should raise immediate suspicion.

The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js.

This clever move specifically evades security tooling that only monitors Node.js process activity.

Credential Theft, Worm Propagation, and AI Backdoors

Once active, the malware operates as a comprehensive credential harvester purpose-built for CI/CD environments, targeting AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults.

It scrapes GitHub Actions runner memory directly to pull masked secrets out in unmasked form, the same technique observed in the TanStack compromise from May 2026. Stolen credentials are encrypted and uploaded to programmatically created repositories under the attacker-controlled GitHub account liuende501.

The worm does not stop at stealing credentials. It uses stolen npm tokens to enumerate every package a compromised maintainer owns, inject the binding.gyp payload into each one, and republish with forged SLSA provenance and Sigstore signing.

This makes reinfected packages appear fully legitimate even to tools specifically designed to verify supply chain integrity.

The malware also injects backdoor configuration files into AI coding assistants like Claude Code, Cursor, and Gemini, so every AI-assisted suggestion inside a poisoned project could be quietly influenced by the attacker.

StepSecurity advises teams to immediately audit repositories and CI pipelines for any affected packages, treating all credentials from compromised environments as stolen and rotating them right away.

Teams should also look for injected AI assistant files such as .claude/setup.mjs, .cursor/rules/setup.mdc, and .vscode/setup.mjs in their project repositories.

Blocking outbound network access to github.com/liuende501 and the Bun download endpoint is strongly recommended as an immediate containment measure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts appeared first on Cyber Security News.

The campaign, dubbed Operation FlutterBridge, marks a sharp escalation in tactics from financially motivated attackers who have been active since at least 2023.

The malware at the center of this campaign is called FlutterShell, a backdoor built using Google’s Flutter framework. It is designed to look and feel like a real application while quietly running malicious code in the background.

What makes FlutterShell particularly dangerous is that it goes beyond basic spying. It gives attackers full remote control over the infected system, including the ability to execute commands, read and write files, and steal sensitive data.

Researchers from Unit 42, the threat intelligence division of Palo Alto Networks, identified and tracked this campaign under the activity cluster CL-CRI-1089.

Unit 42 said in a report shared with Cyber Security News (CSN) that the attackers have been spreading malware via malvertising since at least 2023, targeting both Windows and macOS users through separate, ongoing operations.

The campaign uses hundreds of verified Google Ads accounts tied to shell companies to distribute the malware at scale.

Ads were crafted to appear legitimate and reached a broad global audience, with a focus on English-speaking countries and Western European markets including France and Germany. Google confirmed it suspended the advertiser accounts after being notified by Unit 42.

What sets FlutterBridge apart from earlier operations is how aggressively the attackers adapted.

When one shell company, AdsParkPro LTD, was removed from Google Ads in January 2026, the actors resurfaced just two weeks later under a new verified account and released a fresh malware variant.

Hackers Use Malicious Ads

FlutterShell uses a clever architecture that keeps its malicious code off the device entirely. Instead of embedding harmful instructions in the app binary, the malware loads a remote webpage through a built-in browser component called a WebView.

That webpage contains the actual attack logic, sent as commands over a channel named flutterInvoke. This design lets attackers change what the malware does at any moment, without updating the app itself.

Three distinct versions of FlutterShell were identified during the investigation. The first posed as a podcast player called PodcastsLounge, while the two later versions appeared as PDF viewers named PDF-Brain and PDF-Ninja.

All three were fully functional applications, making it extremely hard for users to notice anything suspicious. At the time of analysis, all three had zero detections on VirusTotal and had passed Apple’s notarization process with valid developer IDs.

Once installed, the malware fingerprints the machine and then targets Google Chrome. It modifies Chrome’s settings file to redirect every new tab and search query to an attacker-controlled site loaded with ads.

The process is completely silent and users see no warning. The PDF-Brain and PDF-Ninja versions also weaponized an AI summarization feature, secretly routing document content through attacker servers before delivering results to the user.

The Evolving Infrastructure Behind CL-CRI-1089

The shell companies powering this ad campaign showed clear signs of fraud infrastructure. All had minimal online presence, templated websites, and were led by Ukrainian nationals with no verifiable professional history.

Investigators found the companies were registered roughly a year before their first ad spend, a tactic to age the accounts and slip past early fraud detection filters.

The connection to earlier campaigns ran deep. FlutterShell shares its core command structure with a previously documented macOS malware called JSCoreRunner, including functions for executing commands, reading files, and listing directories.

The key difference is that JSCoreRunner embedded its logic statically in the binary, while FlutterShell retrieves it dynamically, making detection far more difficult.

Security teams are advised to block the known C2 domains and monitor for suspicious changes to Chrome’s Secure Preferences file.

Watching for the IOPlatformUUID fingerprinting command and unexpected Chrome process restarts with custom launch arguments can help identify infected systems before further damage is done.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems appeared first on Cyber Security News.

The attackers use SEO poisoning to push a spoofed Anthropic install page to the top of search results. Once a user lands there, the trap is set.

The campaign is designed for a very specific audience. Rather than targeting IT professionals, it goes after first-time developers and non-technical users excited about a new tool.

These users have no baseline for what a real installation process looks like, making them more likely to follow instructions without question. The delivery chain is six stages deep and almost entirely fileless after the first step.

Analysts from Cyderes, through their threat research unit Howler Cell, identified this active SEO poisoning campaign targeting users searching for Claude Code installation guides.

According to Cyderes report shared with Cyber Security News (CSN), attackers placed a spoofed Anthropic install page at the top of search results and used a ClickFix lure to execute a malicious MSHTA command via the Windows Run dialog.

The final payload is a reflective .NET infostealer that beacons to Russian infrastructure for credential exfiltration.

The consequences of a successful infection are serious. Stolen credentials, drained accounts, and compromised identities are among the real-world outcomes Howler Cell flagged in their analysis.

Many victims have no enterprise security controls between them and a spoofed download page. Anthropic is not compromised and its brand is simply being impersonated.

What makes this campaign stand out is the deliberate targeting logic. Operators tracked Claude Code’s rapid adoption and turned it into an attack surface.

The delivery chain was engineered to defeat file inspection, AMSI scanning, EDR telemetry, sandbox analysis, and IOC matching at every layer.

Hackers Use Fake Claude Code Install Page

The attack starts when a user searches for “Claude Code install” and clicks what looks like a legitimate Anthropic setup page.

The page instructs the visitor to open the Windows Run dialog and paste a pre-staged mshta.exe command, framed as a required step.

This is the ClickFix method, a social engineering technique that disguises attacker-controlled MSHTA commands as routine setup steps.

Stage 1 begins when mshta.exe retrieves a 6.7 MB MP3/HTA polyglot payload from download.version-516[.]com/claude.

This file passes as playable audio during security scans while hiding an executable HTA script block inside.

When mshta.exe processes the file, it skips the audio and runs the hidden script. Security tools inspecting the file header see a legitimate MP3, not a threat.

Stage 2 uses the HTA to register a scheduled task via a COM object, spawning a 32-bit PowerShell process. Targeting the 32-bit binary is intentional because EDR coverage is often weighted toward 64-bit activity.

The script performs an AMSI bypass, RC4 decryption, and victim fingerprinting via an MD5 hash of the machine and username. Stage 3 fetches a 17 MB obfuscated script in memory from a unique subdomain on oakenfjrod[.]ru, leaving nothing on disk.

Reflective .NET Infostealer: Fileless and Hard to Catch

The final stage is a reflective .NET infostealer that runs entirely within the existing PowerShell process address space. It leaves no file artifact, spawns no new process, and creates no image-load event for defenders to anchor on.

The loading method mirrors techniques used by advanced tools like Cobalt Strike, but executed fully from PowerShell.

The infostealer beacons over HTTPS to 185[.]177[.]239[.]255:443 for command and control and credential theft. SensitiveFileRead telemetry confirmed browser credential store access during execution.

EDR platforms with .NET assembly load visibility can detect this where file-based controls cannot. Defenders should treat any Claude Code install page prompting a Run dialog paste as a likely infection event.

Blocking mshta.exe outbound HTTPS connections covers Stage 1 regardless of obfuscation. DNS queries to any subdomain of oakenfjrod[.]ru are a strong compromise indicator, and wildcard domain blocking is far more effective than per-subdomain IOC matching.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer appeared first on Cyber Security News.