Questo è il secondo di una serie di articoli dedicati all’analisi della violenza di genere nel contesto digitale, in attesa del 25 novembre, Giornata Internazionale per l’Eliminazione della Violenza contro le Donne. Il focus qui è sulla evoluzione della tutela penale di fronte all’aggressione sessuale virtuale.

La nozione di Violenza Sessuale Virtuale (VSV) si riferisce a una serie di condotte aggressive e coercitive a sfondo sessuale che avvengono attraverso strumenti digitali, in assenza di contatto fisico tra l’autore e la vittima. Questo fenomeno, che colpisce in modo sproporzionato donne e ragazze, si articola in forme insidiose come anche la sextortion (estorsione sessuale) e l’abuso sessuale virtuale anche tramite deepfake.

Nonostante l’azione si svolga in uno spazio virtuale, l’intento e l’impatto psicologico della VSV non differiscono sostanzialmente dalla violenza agita nello spazio fisico. Entrambe mirano al dominio, al controllo e alla sopraffazione della vittima. L’ambiente digitale, offrendo anonimato e distanza fisica, può abbassare la percezione del rischio da parte del persecutore, amplificando il senso di impotenza della vittima.

La Sextortion si distingue dal Revenge Porn per la sua finalità strumentale. Consiste nel minacciare la diffusione di immagini intime, reali o manipolate, al fine di estorcere alla vittima ulteriore materiale sessuale, denaro, gift card o servizi. Questa dinamica rientra nel reato di Estorsione (Art. 629 c.p.), dove la prospettazione del danno (la diffusione) ha una chiara efficacia intimidatoria sulla vittima.

Un caso limite è rappresentato dall’abuso sessuale nel Metaverso, ovvero l’aggressione compiuta tramite avatar. Questo atto, pur essendo moralmente riprovevole e causando un impatto psicologico, solleva interrogativi sulla sua riconducibilità alla fattispecie della Violenza Sessuale (Art. 609-bis c.p.), che richiede la condotta materiale.

Il quadro normativo italiano e la giurisprudenza di legittimità

Il Diritto penale italiano, in assenza di una fattispecie autonoma di “Violenza Sessuale Virtuale” (VSV), ha affrontato la questione attraverso l’adattamento e l’interpretazione estensiva dell’Art. 609-bis c.p. e l’introduzione di nuove fattispecie.

Nonostante la formulazione letterale dell’Art. 609-bis c.p. sembri presupporre la materialità del contatto, la giurisprudenza di legittimità ha dato una risposta affermativa alla possibilità di configurare la violenza sessuale attraverso la rete, superando la necessità di una contestualità spaziale o di un contatto corporeo diretto.

La Corte di Cassazione ha consolidato l’orientamento secondo cui il reato può estrinsecarsi anche nel compimento di atti sessuali su se stessi (autoerotismo) effettuati a seguito di costrizione o induzione, come stabilito in diverse sentenze (ad esempio, la Sez. III, sent. n. 37076/12). In questa prospettiva, la Cassazione ha confermato la condanna per violenza sessuale realizzata mediante l’utilizzo di social network e webcam: in un caso specifico, il soggetto aveva compiuto atti di autoerotismo dopo essersi assicurato che alcune minori lo avrebbero guardato attraverso webcam (Sez. III, sent. n. 16616/15). Secondo questa interpretazione, il delitto, quando consiste nel compimento di atti sessuali su se stessi, può essere commesso anche in ambito virtuale, poiché la norma non richiede una contestualità spaziale, ma è essenziale che l’abuso venga effettivamente percepito dalla vittima.

La giurisprudenza ha esteso ulteriormente questo concetto, stabilendo che anche la prestazione sessuale a distanza possa integrare l’elemento oggettivo dell’Art. 609-bis c.p., purché sia accertata la costrizione. Ad esempio, il reato si perfeziona quando la condotta consiste nell’invio di messaggi whatsapp allusivi ed espliciti a una minorenne, costringendola a realizzare selfie intimi da inviare, sotto la minaccia di pubblicazione (sextortion) (Cass., Sez. III, sent. n. 25266/20). In tali contesti, la condotta è considerata violenza sessuale, e non estorsione (Art. 629 c.p.), in quanto l’obiettivo primario del reo è l’ottenimento dell’atto sessuale (l’invio di foto intime o l’autoerotismo coartato) e non solo un vantaggio patrimoniale (Cass., Sez. II, sent. n. 41985/21).

Nonostante questo orientamento giurisprudenziale sia condivisibile in quanto garantisce la tutela della vittima all’interno dell’ordinamento vigente, la stessa Cassazione riconosce una differente invasività nel caso di violenza sessuale virtuale rispetto a quella reale. Inoltre, il limite concettuale di ricondurre la Violenza Sessuale (Art. 609-bis c.p.) esclusivamente all’atto che genera contatto o un’azione su se stessi crea un vuoto normativo per l’abuso sessuale tramite avatar. Poiché l’atto di molestare l’avatar di un soggetto non è in grado di “toccare materialmente” la persona e non rientra nel compimento di atti autoerotici costretti sulla vittima, la sua riconducibilità al 609-bis è esclusa dalla giurisprudenza prevalente.

Contrasto al Deepfake e alla Sextortion

Alcune forme più comuni di VSV sono oggi contrastate efficacemente da due articoli del Codice Penale, introdotti o influenzati dal cosiddetto “Codice Rosso” (L. 69/2019):

Diffusione illecita di immagini o video sessualmente espliciti(Art. 612-ter c.p., Revenge Porn): che punisce la diffusione, senza consenso, di immagini o video sessualmente espliciti;

Illecita diffusione di contenuti generati o alterati con sistemi di intelligenza artificiale (Art. 612-quater c.p.)- Questo nuovo reato, introdotto con la Legge 132/2025, punisce specificamente la diffusione lesiva di contenuti generati o alterati con Intelligenza Artificiale (IA). L’introduzione del 612-quater è stata fondamentale per colmare la lacuna lasciata dal 612-ter, che si applicava solo a immagini realmente realizzate o sottratte, e per contrastare l’abuso sessuale virtuale.

La Sextortion viene ricondotta alla fattispecie di Estorsione(Art.629 c.p.), rientrando nel campo dei reati comuni realizzati mediante strumenti informatici.

La dimensione europea e l’impatto di genere

A livello europeo, la Direttiva (UE) 2024/1385 sulla lotta alla violenza contro le donne impone agli Stati membri l’obbligo di criminalizzare la creazione e diffusione di contenuti intimi tramite IA o photoshop (i cosiddetti deepfakes), rafforzando la tutela. Prevede, inoltre, pene detentive rigorose e l’obbligo di fornire assistenza specialistica, come centri antistupro e centri antiviolenza sessuale, e misure di rimozione del materiale.

Secondo i dati a disposizione circa il 90% delle vittime di diffusione non consensuale di immagini intime sono donne. L’impatto emotivo e psicologico sulla vittima è devastante, causando disturbi d’ansia, depressione e Disturbo Post-Traumatico da Stress (PTSD), configurando un danno biologico risarcibile. Nel contesto di revenge porn e sextortion, il danno è spesso aggravato dalla vittimizzazione secondaria (victim blaming), dove la donna viene colpevolizzata per aver prodotto il contenuto sessuale.

Prova digitale e tutela preventiva

La repressione dei crimini di VSV è strettamente legata alla capacità di acquisire e preservare la prova digitale (immagini, chat, post) in modo ammissibile in giudizio. Semplici screenshot hanno valore probatorio limitato e necessitano di essere supportati da metodologie di acquisizione tecnica forense che garantiscano l’autenticità e l’inalterabilità del contenuto web.

Un elemento cruciale della tutela in Italia è l’intervento preventivo e d’urgenza del Garante per la protezione dei dati personali, previsto dall’Art. 144-bis del Codice Privacy. Chiunque abbia un fondato timore di diffusione non consensuale di materiale sessualmente esplicito può presentare una segnalazione al Garante. Questo interviene entro quarantotto ore e notifica un provvedimento alle piattaforme digitali corredato dell’impronta hash del materiale. Questo codice univoco digitale consente alle piattaforme di identificare e bloccare automaticamente qualsiasi tentativo futuro di ricaricare lo stesso file, offrendo una protezione continua.

Verso una riforma integrata

La violenza sessuale virtuale rappresenta un attacco strutturale alla dignità e all’autodeterminazione. L’ordinamento italiano, pur avendo reagito prontamente con le nuove norme su deepfake e revenge porn, e pur grazie all’interpretazione evolutiva e meritoria della Cassazione che estende il reato di Violenza Sessuale alle condotte costrittive a distanza, evidenzia una rigidità dogmatica di fronte all’abuso sessuale puro nel Metaverso.

L’orientamento giurisprudenziale, che equipara l’atto sessuale coartato a distanza (ad esempio, l’autoerotismo imposto) al reato tradizionale, è fondamentale per la tutela della vittima, ma la Cassazione stessa riconosce una differente invasività rispetto all’atto commesso in presenza. Il limite concettuale, che esclude l’aggressione tramite avatar dal 609-bis c.p., impone una riflessione sull’adeguatezza del concetto di “atto sessuale” nell’era degli ambienti immersivi.

È cruciale che la risposta del legislatore non si limiti alla repressione ex post, ma valuti l’opportunità di introdurre una fattispecie ad hoc, come si è reso necessario per i deepfake, per superare il principio di materialità e tutelare l’integrità sessuale come bene giuridico non solo fisico, garantendo allo stesso tempo un bilanciamento tra la gravità delle condotte digitali e quelle fisiche. Parallelamente, è essenziale valorizzare gli strumenti di prevenzione e di tutela rapida (ex ante), come l’intervento del Garante Privacy, indispensabili per contenere il danno psicologico e sociale subito dalle donne.

L'articolo Dal corpo allo schermo: come l’abuso sessuale si è spostato nel mondo digitale proviene da Red Hot Cyber.

Numerose applicazioni web fanno affidamento su Apache Tomcat, un contenitore servlet Java open source di largo utilizzo. Il 27 ottobre 2025, Apache ha rivelato due vulnerabilità: CVE-2025-55752 e CVE-2025-55754, che interessano diverse versioni di Tomcat.

Le versioni interessate includono Apache Tomcat da 11.0.0-M1 a 11.0.10, da 10.1.0-M1 a 10.1.44 e da 9.0.0-M11 a 9.0.108, con anche le versioni precedenti di fine ciclo di vita (EOL) vulnerabili.

La necessità di un’immediata applicazione di patch negli ambienti aziendali è sottolineata dal fatto che il primo può comportare il rischio di esecuzione di codice remoto (RCE) in determinate configurazioni, mentre il secondo offre la possibilità di manipolazione della console.

La vulnerabilità più grave, CVE-2025-55752, riguarda un bug di path traversal introdotto nella correzione di un precedente bug (60013). Gli URL riscritti vengono normalizzati prima della decodifica, consentendo agli aggressori di manipolare i parametri di query e di aggirare le protezioni per directory sensibili come /WEB-INF/ e /META-INF/.

Quando le richieste PUT sono attivate, una configurazione in genere limitata agli utenti di fiducia, si può verificare il caricamento di file nocivi, provocando così l’esecuzione di codice da remoto. Questa vulnerabilità, identificata da Chumy Tsai di CyCraft Technology, è stata classificata come estremamente grave, il che mette in evidenza il suo possibile impatto sui sistemi non aggiornati che utilizzano Tomcat in ambiente di produzione.

Oltre al problema di attraversamento, il CVE-2025-55754 risolve un bug di neutralizzazione impropria delle sequenze di escape ANSI nei messaggi di registro di Tomcat. Nei sistemi Windows dotati di console che supportano ANSI, gli aggressori potrebbero creare URL per iniettare sequenze che manipolano la visualizzazione della console, gli appunti o addirittura inducono gli amministratori a eseguire comandi.

Questa falla interessa Tomcat dalla versione 11.0.0-M1 alla 11.0.10, dalla 10.1.0-M1 alla 10.1.44 e dalla 9.0.0.40 alla 9.0.108, oltre a versioni EOL selezionate come dalla 8.5.60 alla 8.5.100.

Identificato da Elysee Franchuk di MOBIA Technology Innovations, il problema nasce dai log non sottoposti a escape, che consentono alle sequenze di controllo di influenzare il comportamento del terminale senza autenticazione.

Apache invita gli utenti ad aggiornare alle versioni mitigate: Tomcat 11.0.11, 10.1.45 o 9.0.109 e successive, che risolvono entrambe le vulnerabilità tramite una gestione URL migliorata e l’escape dei log.

L'articolo Vulnerabilità in Apache Tomcat: aggiornare subito per evitare rischi sicurezza proviene da Red Hot Cyber.

No matter what kind of computer or phone you are reading this on, it probably has a graphics system that would have been a powerful computer on its own back in the 1980s. When the IBM PC came out, you had two choices: the CGA card if you wanted color graphics, or the MDA if you wanted text. Today, you might think: no contest, we want color. But the MDA was cheaper and had significantly higher resolution, which was easier to read. But as free markets do, companies see gaps and they fill them. That’s how we got the Hercules card, which supported high-resolution monochrome text but also provided a graphics mode. [The 8-bit Guy] has a look at these old cards and how they were different from their peers.

Actually, the original MDA card could do eight colors, but no one knew because there weren’t any monitors it could work with, and it was a secret. The CGA resolution was a whopping 640×200, while the MDA was slightly better at 720×350. If you did the Hercules card, you got the same 720×350 MDA resolution, but also a 720×348 graphics mode. Besides that, you could keep your monitor (don’t forget that, in those days, monitors typically required a specific input and were costly).

These cards were huge and full of chips, although the 1986 version of the Hercules did have an ASIC, which helped. If you wrote software back in those days, you might remember that the CGA buffer was at address B800:0000, but monochrome cards were at B000:0000. That was inconvenient, but it did allow the wealthy to have two monitors: a color and a monochrome.

[The 8-bit Guy] likes games, and he shows off games that supported Hercules versus running them in color. It turns out, just because a game or other piece of software could run on Hercules graphics didn’t mean it should. Some games did a good job. Others just scaled up their CGA graphics with predictably sketchy results. There was even a software solution, and at the speeds of a PC, you can imagine how that went, too.

[The 8-bit Guy] has talked to us about old graphics before, and points out that if you knew a few tricks, CGA wasn’t as bad as you think. Then things evolved to super CGA, EGA, VGA, and beyond.

youtube.com/embed/hblpFQ2ObCg?…

hackaday.com/2025/10/27/rememb…

Secondo un nuovo rapporto di Microsoft Threat Intelligence, il gruppo Storm-2657, mosso da motivazioni finanziarie, sta conducendo attacchi su larga scala contro università e aziende, utilizzando account rubati dai dipendenti per reindirizzare gli stipendi sui propri conti bancari.

Gli esperti definiscono questo tipo di attacco “pirateria delle buste paga”. Durante la campagna, gli aggressori hanno cercato di accedere a piattaforme HR basate su cloud, come Workday, per alterare i dati di pagamento delle vittime.

Un’indagine di Microsoft ha rivelato che la campagna era attiva dalla prima metà del 2025. Gli aggressori hanno utilizzato e-mail di phishing accuratamente progettate per rubare codici di autenticazione a più fattori utilizzando schemi Adversary-in-the-Middle ( AitM ).

Dopo aver ottenuto le credenziali di accesso, si sono infiltrati nelle caselle di posta dei dipendenti e nei servizi HR aziendali, dove hanno modificato i parametri di pagamento. Per nascondere le loro tracce, Storm-2657 ha creato regole di Outlook che eliminavano automaticamente le notifiche di Workday relative a qualsiasi modifica del profilo.

Microsoft ha registrato almeno 11 compromissioni di account andate a buon fine in tre università. Questi indirizzi sono stati poi utilizzati per inviare migliaia di email di phishing ad altri campus, per un totale di circa 6.000 potenziali vittime in 25 università.

Alcuni messaggi sembravano notifiche di malattia o un’indagine su un incidente nel campus. Gli oggetti includevano “Caso simile al COVID segnalato: controlla lo stato del tuo contatto” o “Segnalazione di cattiva condotta da parte del corpo docente“. Altre email imitavano le email delle risorse umane e contenevano link a documenti presumibilmente ufficiali su retribuzioni e compensi. Google Docs, uno strumento comune in ambito accademico, è stato spesso utilizzato per camuffarsi, rendendo gli attacchi difficili da rilevare.

Una volta ottenuto l’accesso, gli aggressori hanno modificato i profili delle vittime, sostituendo spesso i conti bancari utilizzati per i trasferimenti di stipendio. In alcuni casi, hanno anche aggiunto i propri numeri di telefono come dispositivi MFA , riuscendo così a mantenere il controllo del profilo all’insaputa del proprietario. Queste operazioni sono state registrate nei log di Workday come eventi “Modifica account” o “Gestisci scelte di pagamento“, ma gli utenti non ne sono stati informati a causa dei filtri e-mail.

Microsoft sottolinea che gli attacchi non sono correlati a vulnerabilità dei prodotti Workday in sé. Il problema risiede nella mancanza o nella debolezza della protezione MFA. Pertanto, l’azienda esorta le organizzazioni a migrare verso metodi di autenticazione avanzati e resistenti al phishing: chiavi FIDO2, Windows Hello for Business e Microsoft Authenticator.

Si consiglia agli amministratori di forzare questi metodi in Entra ID e di implementare l’autenticazione senza password.

La pubblicazione di Microsoft delinea le richieste di strumenti di sicurezza in grado di rilevare segnali di intrusione, da regole di posta elettronica sospette a modifiche nei dettagli di pagamento e nuovi dispositivi MFA.

L’azienda riferisce inoltre di aver già contattato alcune organizzazioni interessate, fornendo loro informazioni sui TTP utilizzati e raccomandazioni per ripristinare la sicurezza.

L'articolo Arriva la “pirateria delle buste paga”! E il bonifico dello stipendio va ai criminali proviene da Red Hot Cyber.

La preparazione delle aziende al ransomware risulta in ritardo mentre gli avversari utilizzano l’IA lungo tutta la catena d’attacco per accelerare intrusione, cifratura ed estorsione

Milano – 27 ottobre 2025 – Secondo il report State of Ransomware 2025 di CrowdStrike (NASDAQ: CRWD), il 76% delle organizzazioni a livello globale fatica a eguagliare la velocità e la sofisticazione degli attacchi potenziati dall’intelligenza artificiale. Con un 89% che considera la protezione basata su IA essenziale per colmare il divario, i risultati mostrano chiaramente che a decidere sul futuro della sicurezza informatica, che siano gli avversari o i difensori, sarà chi saprà sfruttare il vantaggio nell’uso dell’IA.

“Dallo sviluppo di malware all’ingegneria sociale, gli avversari stanno utilizzando l’IA per accelerare ogni fase degli attacchi, riducendo drasticamente il tempo di reazione dei difensori”, ha dichiarato Elia Zaitsev, CTO di CrowdStrike. “Il report State of Ransomware 2025 di CrowdStrike conferma che le difese tradizionali non possono competere con la velocità o la sofisticazione degli attacchi basati su IA. Il tempo è la valuta della difesa informatica moderna e nell’attuale panorama delle minacce guidate dall’IA ogni secondo conta”.

Principali risultati del report State of Ransomware 2025

• Le difese tradizionali non tengono il passo: il 48% delle organizzazioni indica le catene d’attacco automatizzate dall’IA come la principale minaccia ransomware odierna, mentre l’85% ritiene che il rilevamento tradizionale stia diventando obsoleto contro gli attacchi potenziati da IA
• la velocità definisce l’esito della sicurezza: quasi il 50% delle organizzazioni teme di non riuscire a rilevare o rispondere con la stessa rapidità con cui agiscono gli attacchi basati su IA; meno di un quarto riesce a riprendersi entro 24 ore e circa il 25% subisce gravi interruzioni o perdite di dati
• l’ingegneria sociale evolve con l’IA: il phishing resta un vettore di attacco principale, con l’87% degli intervistati che afferma che l’IA rende gli inganni più convincenti e i deepfake emergono come un importante motore dei futuri attacchi ransomware
• pagare il riscatto alimenta nuovi attacchi: l’83% delle organizzazioni che hanno pagato un riscatto è stato colpito di nuovo e nel 93% dei casi i dati sono stati comunque rubati
• il divario nella leadership: il 76% segnala una discrepanza tra la percezione da parte dei dirigenti sul livello di preparazione al ransomware e la reale prontezza, e ciò rileva la necessità urgente di un impegno a livello di consiglio di amministrazione per modernizzare le difese

L’approccio “agentico” di CrowdStrike per superare le minacce potenziate dall’IA

CrowdStrike pone i difensori in vantaggio nella corsa per la superiorità nell’IA, fornendo velocità, intelligence e automazione efficaci per fermare le minacce e le operazioni di ransomware basate su IA, prima che esse possano causare interruzioni, cifrature o estorsioni. Attraverso la Agentic Security Platform, la Agentic Security Workforce di CrowdStrike pone gli analisti della sicurezza al comando di agenti IA “mission-ready” in grado di gestire flussi di lavoro critici e automatizzare attività dispendiose in termini di tempo, ribaltando così il fattore tempo a favore dei difensori. Il risultato è una protezione basata su IA che mantiene i difensori sempre un passo avanti rispetto alle minacce guidate dall’intelligenza artificiale.

La versione integrale del report State of Ransomware 2025 di CrowdStrike è disponibile qui.

Informazioni su CrowdStrike

CrowdStrike (NASDAQ: CRWD), leader globale nella cybersicurezza, ha ridefinito la sicurezza moderna grazie alla piattaforma cloud-native più avanzata al mondo per la protezione delle aree critiche di rischio aziendale – endpoint, workload cloud, identità e dati.

Basata sul CrowdStrike Security Cloud e su un’IA di livello mondiale, la piattaforma CrowdStrike Falcon® utilizza indicatori di attacco in tempo reale, intelligence sulle minacce, tecniche in evoluzione degli avversari e telemetria arricchita proveniente da tutta l’azienda per offrire rilevamenti estremamente accurati, protezione e remediation automatizzate, attività di threat hunting di alto livello e un’osservabilità prioritaria delle vulnerabilità.

Progettata nativamente per il cloud con un’architettura a singolo agente leggero, la piattaforma Falcon garantisce implementazioni rapide e scalabili, protezione e prestazioni superiori, riduzione della complessità e valore immediato.

Prova gratuita: crowdstrike.com/trial

L'articolo CrowdStrike: Il 76% delle organizzazioni fatica a contrastare gli attacchi AI proviene da Red Hot Cyber.

La vicepresidente esecutiva della Commissione europea per la sovranità tecnologica, la sicurezza e la democrazia, Henna Virkkunen, ha annunciato che saranno introdotte nuove tecnologie per monitorare lo stato dei cavi sottomarini, con l’obiettivo di aumentare la sicurezza nella regione del Baltico.

Si prevede che l’intelligenza artificiale sarà ampiamente utilizzata per l’analisi dei dati. La Commissione europea stanzierà milioni di euro a questo scopo. Al forum di Riga, la Vicepresidente della Commissione Europea ha parlato dell’importanza della sicurezza delle infrastrutture e dei cavi sottomarini, che ha destato preoccupazione nella regione baltica negli ultimi mesi.

Nel contesto della guerra ibrida, ha osservato, i paesi aggressori stanno compiendo numerosi tentativi di destabilizzare la regione: dalle azioni alle frontiere esterne al sabotaggio di infrastrutture critiche e alle violazioni dello spazio aereo.

“Il Mar Baltico è per molti versi al centro di questi eventi. Quando si tratta di cavi sottomarini e infrastrutture critiche, è fondamentale migliorare lo scambio di informazioni e, naturalmente, utilizzare le nuove tecnologie. Pertanto, prevediamo di istituire centri di monitoraggio dei cavi sottomarini in ogni regione dell’UE. La regione del Baltico è stata scelta come sito pilota per tali centri”, ha affermato Virkkunen.

Secondo lei, la Commissione Europea sta stanziando10 milioni di euro per istituire i centri e altri 10 milioni di euro per testare la resilienza delle infrastrutture critiche. “Dobbiamo identificare meglio le minacce, proteggere le infrastrutture e rispondere più rapidamente agli incidenti. La massima priorità è l’uso di nuove tecnologie e un approccio diverso alla raccolta dati e al monitoraggio situazionale”, ha osservato.

Le nuove tecnologie includono principalmente l‘intelligenza artificiale, ha spiegato Virkkunen. Sarà utilizzata per l’analisi dei dati. Includeranno anche droni sottomarini e cavi moderni con sensori in grado di rilevare movimenti o danni: “Stiamo combinando queste tecnologie e creando un sistema di scambio di informazioni tra i paesi dell’UE. In questo ambito, stiamo lavorando a stretto contatto con la NATO, poiché l’alleanza è attiva nel Mar Baltico e si occupa della protezione delle infrastrutture critiche”.

Secondo l’ospite del forum, tecnologia, sicurezza e democrazia sono oggi strettamente interconnesse. La tecnologia può essere utilizzata per scopi illeciti e i paesi con una leadership tecnologica ottengono vantaggi sia economici che in termini di sicurezza.

Pertanto, se l’Europa vuole essere un attore forte sulla scena globale, deve investire nelle sue capacità: nell’intelligenza artificiale, nelle tecnologie quantistiche, nei semiconduttori e nella sicurezza informatica.

L'articolo La Commissione Europea potenzia la sicurezza dei cavi sottomarini con nuove tecnologie proviene da Red Hot Cyber.

L’autorità garante della concorrenza australiana ACCC ha affermato che agli abbonati ai piani Microsoft 365 Personal e Family è stato chiesto di pagare prezzi più alti per Copilot o di annullare l’abbonamento.

Secondo l’ACCC, questa informazione era falsa o fuorviante, perché esisteva una terza opzione non divulgata per gli abbonati, che avrebbero potuto mantenere il loro piano “classico” esistente, senza Copilot o il ricarico sul prezzo. Con l’integrazione di Copilot, i prezzi sono aumentati da $109 a $159 per il piano Personale e da $139 a $179 per il piano Famiglia.

“A seguito di un’indagine dettagliata, sosterremo in tribunale che Microsoft ha deliberatamente omesso il riferimento ai piani Classic nelle sue comunicazioni e ne ha nascosto l’esistenza fino a quando gli abbonati non hanno avviato la procedura di cancellazione per aumentare il numero di consumatori con piani integrati Copilot più costosi”, ha affermato la presidente dell’ACCC Gina Cass-Gottlieb. “Le app di Microsoft Office incluse negli abbonamenti 365 sono essenziali nella vita di molte persone e, dato che le alternative al pacchetto in bundle sono limitate, annullare l’abbonamento è una decisione che molti non prenderebbero alla leggera.”

L’ACCC ha dichiarato di aver avviato la sua indagine dopo aver ricevuto numerose segnalazioni da parte dei consumatori e aver esaminato le discussioni online, anche su Reddit.

Microsoft ha affermato che sta esaminando il caso dell’ACCC e che è “impegnata a collaborare in modo costruttivo con l’ente regolatore e a garantire che le nostre pratiche rispettino tutti gli standard legali ed etici”.

Secondo l’ACCC, Microsoft ha inviato due email ai propri clienti e pubblicato un post sul blog sull’integrazione di Copilot e sugli aumenti di prezzo che si sarebbero applicati al prossimo rinnovo automatico degli abbonati interessati. Il post è stato successivamente rimosso.

L’organismo di controllo della concorrenza sta ora chiedendo sanzioni, ingiunzioni, dichiarazioni, risarcimenti ai consumatori e spese.

L'articolo Australia: Microsoft accusata di pratiche ingannevoli sui rinnovi di Microsoft 365 proviene da Red Hot Cyber.

Introduction

Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.

GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites. The victim would join a fake call with genuine recordings of this threat’s other actual victims rather than deepfakes. The call proceeds smoothly to then encourage the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host.

GhostCall campaign attack flow

In the GhostHire campaign, BlueNoroff approaches Web3 developers and tricks them into downloading and executing a GitHub repository containing malware under the guise of a skill assessment during a recruitment process. After initial contact and a brief screening, the user is added to a Telegram bot by the recruiter. The bot sends either a ZIP file or a GitHub link, accompanied by a 30-minute time limit to complete the task, while putting pressure on the victim to quickly run the malicious project. Once executed, the project downloads a malicious payload onto the user’s system. The payload is specifically chosen according to the user agent, which identifies the operating system being used by the victim.

GhostHire campaign attack flow

We observed the actor utilizing AI in various aspects of their attacks, which enabled them to enhance productivity and meticulously refine their attacks. The infection scheme observed in GhostHire shares structural similarities of infection chains with the GhostCall campaign, and identical malware was detected in both.

We have been tracking these two campaigns since April 2025, particularly observing the continuous emergence of the GhostCall campaign’s victims on platforms like X. We hope our research will help prevent further damage, and we extend our gratitude to everyone who willingly shared relevant information.

The relevant information about GhostCall has already been disclosed by Microsoft, Huntability, Huntress, Field Effect, and SentinelOne. However, we cover newly discovered malware chains and provide deeper insights.

The GhostCall campaign

The GhostCall campaign is a sophisticated attack that uses fake online calls with the threat actors posing as fake entrepreneurs or investors to convince targets. GhostCall has been active at least since mid-2023, potentially following the RustBucket campaign, which marked BlueNoroff’s full-scale shift to attacking macOS systems. Windows was the initial focus of the campaign; it soon shifted to macOS to better align with the targets’ predominantly macOS environment, leveraging deceptive video calls to maximize impact.

The GhostCall campaign employs sophisticated fake meeting templates and fake Zoom updaters to deceive targets. Historically, the actor often used excuses related to IP access control, but shifted to audio problems to persuade the target to download the malicious AppleScript code to fix it. Most recently, we observed the actor attempting to transition the target platform from Zoom to Microsoft Teams.

During this investigation, we identified seven distinct multi-component infection chains, a stealer suite, and a keylogger. The modular stealer suite gathers extensive secret files from the host machine, including information about cryptocurrency wallets, Keychain data, package managers, and infrastructure setups. It also captures details related to cloud platforms and DevOps, along with notes, an API key for OpenAI, collaboration application data, and credentials stored within browsers, messengers, and the Telegram messaging app.

Initial access

The actor reaches out to targets on Telegram by impersonating venture capitalists and, in some cases, using compromised accounts of real entrepreneurs and startup founders. In their initial messages, the attackers promote investment or partnership opportunities. Once contact is established with the target, they use Calendly to schedule a meeting and then share a meeting link through domains that mimic Zoom. Sometimes, they may send the fake meeting link directly via messages on Telegram. The actor also occasionally uses Telegram’s hyperlink feature to hide phishing URLs and disguise them as legitimate URLs.

Overall behavior of the phishing site

Upon accessing the fake site, the target is presented with a page carefully designed to mirror the appearance of Zoom in a browser. The page uses standard browser features to prompt the user to enable their camera and enter their name. Once activated, the JavaScript logic begins recording and sends a video chunk to the /upload endpoint of the actor’s fake Zoom domain every second using the POST method.

Initial page mimicking Zoom call joining behavior

Once the target joins, a screen resembling an actual Zoom meeting appears, showing the video feeds of three participants as if they were part of a real session. Based on OSINT we were monitoring, many victims initially believed the videos they encountered were generated by deepfake or AI technology. However, our research revealed that these videos were, in fact, real recordings secretly taken from other victims who had been targeted by the same actor using the same method. Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call. When the video replay ended, the page smoothly transitioned to showing that user’s profile image, maintaining the illusion of a live call.

Fake Zoom meeting

Approximately three to five seconds later, an error message appears below the participants’ feeds, stating that the system is not functioning properly and prompting them to download a Zoom SDK update file through a link labeled “Update Now”. However, rather than providing an update, the link downloads a malicious AppleScript file onto macOS and triggers a popup for troubleshooting on Windows.

Clicking the link on macOS (left) and on Windows (right)

On macOS, clicking the link directly downloads an AppleScript file named Zoom SDK Update.scpt from the actor’s domain. A small “Downloads” coach mark is also displayed, subtly encouraging the user to execute the script by imitating genuine Apple feedback. On Windows, the attack uses the ClickFix technique, where a modal window appears with a seemingly harmless code snippet from a legitimate domain. However, any attempt to copy the code—via the Copy button, right-click and Copy, or Ctrl+C—results in a malicious one-liner being placed in the clipboard instead.

Malicious code upon ClickFix

We observed that the actor implemented beaconing activity within the malicious web page to track victim interactions. The page reports back to their backend infrastructure—likely to assess the success or failure of the targeting. This is accomplished through a series of automatically triggered HTTP GET requests when the victim performs specific actions, as outlined below.

In September 2025, we discovered that the group is shifting from cloning the Zoom UI in their attacks to Microsoft Teams. The method of delivering malware remains unchanged. Upon entering the meeting room, a prompt specific to the target’s operating system appears almost immediately after the background video starts—unlike before. While this is largely similar to Zoom, macOS users also see a separate prompt asking them to download the SDK file.

General fake prompt to update the SDK file (left) and Windows-specific (right)

We were able to obtain the AppleScript (Zoom SDK Update.scpt) the actor claimed was necessary to resolve the issue, which was already widely known through numerous research studies as the entry point for the attack. The script is disguised as an update for the Zoom Meeting SDK and contains nearly 10,000 blank lines that obscure its malicious content. Upon execution, it fetches another AppleScript, which acts as a downloader, from a different fake link using a curl command. There are numerous variants of this “troubleshooting” AppleScript, differing in filename, user agent, and contents.

Snippets of the AppleScript disguised as a Zoom SDK update

If the targeted macOS version is 11 (Monterey) or later, the downloader AppleScript installs a fake application disguised as Zoom or Microsoft Teams into the /private/tmp directory. The application attempts to mimic a legitimate update for Zoom or Teams by displaying a password input popup. Additionally, it downloads a next-stage AppleScript, which we named “DownTroy”. This script is expected to check stored passwords and use them to install additional malware with root privileges. We cautiously assess that this would be an evolved version of the older one, disclosed by Huntress.

Moreover, the downloader script includes a harvesting function that searches for files associated with password management applications (such as Bitwarden, LastPass, 1Password, and Dashlane), the default Notes app (group.com.apple.notes), note-taking apps like Evernote, and the Telegram application installed on the device.

Another notable feature of the downloader script is a bypass of TCC (Transparency, Consent, and Control), a macOS system designed to manage user consent for accessing sensitive resources such as the camera, microphone, AppleEvents/automation, and protected folders like Documents, Downloads, and Desktop. The script works by renaming the user’s com.apple.TCC directory and then performing offline edits to the TCC.db database. Specifically, it removes any existing entries in the access table related to a client path to be registered in the TCC database and executes INSERT OR REPLACE statements. This process enables the script to grant AppleEvents permissions for automation and file access to a client path controlled by the actor. The script inserts rows for service identifiers used by TCC, including kTCCServiceAppleEvents, kTCCServiceSystemPolicyDocumentsFolder, kTCCServiceSystemPolicyDownloadsFolder, and kTCCServiceSystemPolicyDesktopFolder, and places a hex-encoded code-signature blob (in the csreq style) in the database to meet the requirement for access to be granted. This binary blob must be bound to the target app’s code signature and evaluated at runtime. Finally, the script attempts to rename the TCC directory back to its original name and calls tccutil reset DeveloperTool.

In the sample we analyzed, the client path is ~/Library/Google/Chrome Update —the location the actor uses for their implant. In short, this allows the implant to control other applications, access data from the user’s Documents, Downloads, and Desktop folders, and execute AppleScripts—all without prompting for user consent.

Initial infection flow

Multi-stage execution chains

According to our telemetry and investigation into the actor’s infrastructure, DownTroy would download ZIP files that contain various individual infection chains from the actor’s centralized file hosting server. Although we haven’t observed how the SysPhon and the SneakMain chain were installed, we suspect they would’ve been downloaded in the same manner. We have identified not only at least seven multi-stage execution chains retrieved from the server, but also various malware families installed on the infected hosts, including keyloggers and stealers downloaded by CosmicDoor and RooTroy chains.

The actor has been introducing new malware chains by adapting new programming languages and developing new components since 2023. Before that, they employed standalone malware families, but later evolved into a modular structure consisting of launchers, injectors, installers, loaders, and droppers. This modular approach enables the malicious behavior to be divided into smaller components, making it easier to bypass security products and evade detection. Most of the final payloads in these chains have the capability to download additional AppleScript files or execute commands to retrieve subsequent-stage payloads.

Interestingly, the actor initially favored Rust for writing malware but ultimately switched to the Nim language. Meanwhile, other programming languages like C++, Python, Go, and Swift have also been utilized. The C++ language was employed to develop the injector malware as well as the base application within the injector, but the application was later rewritten in Swift. Go was also used to develop certain components of the malware chain, such as the installer and dropper, but these were later switched to Nim as well.

ZoomClutch/TeamsClutch: the fake Zoom/Teams application

During our research of a macOS intrusion on a victim’s machine, we found a suspicious application resembling a Zoom client executing from an atypical, writable path — /tmp/zoom.app/Contents/MacOS — rather than the standard /Applications directory. Analysis showed that the binary was not an official Zoom build but a custom implant compiled on macOS 14.5 (24F74) with Xcode 16 beta 2 (16C5032a) against the macOS 15.2 SDK. The app is ad‑hoc signed, and its bundle identifier is hard‑coded to us.zoom.com to mimic the legitimate client.

The implant is written in Swift and functions as a macOS credentials harvester, disguised as the Zoom videoconferencing application. It features a well-developed user interface using Swift’s modern UI frameworks that closely mimics the Zoom application icon, Apple password prompts, and other authentic elements.

ZoomClutch prompting the victim to enter their password

ZoomClutch steals macOS passwords by displaying a fake Zoom dialog, then sends the captured credentials to the C2 server. However, before exfiltrating the data, ZoomClutch first validates the credentials locally using Apple’s Open Directory (OD) to filter out typos and incorrect entries, mirroring macOS’s own authentication flow. OD manages accounts and authentication processes for both local and external directories. Local user data sits at /var/db/dslocal/nodes/Default/users/ as plists with PBKDF2‑SHA512 hashes. The malware creates an ODSession, then opens a local ODNode via kODNodeTypeLocalNodes (0x2200/8704) to scope operations to /Local/Default.

It subsequently calls verifyPassword:error: to check the password, which re-hashes the input password using the stored salt and iterations, returning true if there is a match. If verification fails, ZoomClutch re-prompts the user and shortly displays a “wrong password” popup with a shake animation. On success, it hides the dialog, displays a “Zoom Meeting SDK has been updated successfully” message, and the validated credentials are covertly sent to the C2 server.

ZoomClutch success window displayed after password validation

All passwords entered in the prompt are logged to ~/Library/Logs/keybagd_events.log. The malware then creates a file at ~/Library/Logs/<username>_auth.log to store the verified password in plain text. This file is subsequently uploaded to a C2 URL using curl.

With medium-high confidence, we assess that the malware was part of BlueNoroff’s workflow needed to initiate the execution flow outlined in the subsequent infection chains.

The TeamsClutch malware that mimics a legitimate Microsoft Teams functions similarly to ZoomClutch, but with its logo and some text elements replaced.

TeamsClutch authentication and success windows

DownTroy v1 chain

The DownTroy v1 chain consists of a launcher and a dropper, which ultimately loads the DownTroy.macOS malware written in AppleScript.

• Dropper: a dropper file named "trustd", written in Go
• Launcher: a launcher file named "watchdog", written in Go
• Final payload: DownTroy.macOS written in AppleScript

The dropper operates in two distinct modes: initialization and operational. When the binary is executed with a machine ID (mid) as the sole argument, it enters initialization mode and updates the configuration file located at ~/Library/Assistant/CustomVocabulary/com.applet.safari/local_log using the provided mid and encrypts it with RC4. It then runs itself without any arguments to transition into operational mode. In case the binary is launched without any arguments, it enters operational mode directly. In this mode, it retrieves the previously saved configuration and uses the RC4 key NvZGluZz0iVVRGLTgiPz4KPCF to decrypt it. It is important to note that the mid value must first be included in the configuration during initialization mode, as it is essential for subsequent actions.

It then decodes a hard-coded, base64-encoded string associated with DownTroy.macOS. This AppleScript contains a placeholder value, %mail_id%, which is replaced with the initialized mid value from the configuration. The modified script is saved to a temporary file named local.lock within the <BasePath> directory from the configuration, with 0644 permissions applied, meaning that only the script owner can modify it. The malware then uses osascript to execute DownTroy.macOS and sets Setpgid=1 to isolate the process group. DownTroy.macOS is responsible for downloading additional scripts from its C2 server until the system is rebooted.

The dropper implements a signal handling procedure to monitor for termination attempts. Initially, it reads the entire trustd (itself) and watchdog binary files into memory, storing them in a buffer before deleting the original files. Upon receiving a SIGINT or SIGTERM signal indicating that the process should terminate, the recovery mechanism activates to maintain persistence. While SIGINT is a signal used to interrupt a running process by the user from the terminal using the keyboard shortcut Ctrl + C, SIGTERM is a signal that requests a process to terminate gracefully.

The recovery mechanism begins by recreating the <BasePath> directory with intentionally insecure 0777 permissions (meaning that all users have the read, write, and execute permissions). Next, it writes both binaries back to disk from memory, assigning them executable permissions (0755), and also creates a plist file to ensure the automatic restart of this process chain.

• trustd: trustd in the <BasePath> directory
• watchdog: ~/Library/Assistant/SafariUpdate and watchdog in the <BasePath> directory
• plist: ~/Library/LaunchAgents/com.applet.safari.plist

The contents of the plist file are hard-coded into the dropper in base64-encoded form. When decoded, the template represents a standard macOS LaunchAgent plist containing the placeholder tokens #path and #label. The malware replaces these tokens to customize the template. The final plist configuration ensures the launcher automatic execution by setting RunAtLoad to true (starts at login), KeepAlive to true (restarts if terminated), and LaunchOnlyOnce to true.

• #path is replaced with the path to the copied watchdog
• #label is replaced with com.applet.safari to masquerade as a legitimate Safari-related component

The main feature of the discovered launcher is its ability to load the same configuration file located at ~/Library/Assistant/CustomVocabulary/com.applet.safari/local_log. It reads the file and uses the RC4 algorithm to decrypt its contents with the same hard-coded 25-byte key: NvZGluZz0iVVRGLTgiPz4KPCF. After decryption, the loader extracts the <BasePath> value from the JSON object, which specifies the location of the next payload. It then executes a file named trustd from this path, disguising it as a legitimate macOS system process.

We identified another version of the loader, distinguished by the configuration path that contains the <BasePath> — this time, the configuration file was located at /Library/Graphics/com.applet.safari/local_log. The second version is used when the actor has gained root-level permissions, likely achieved through ZoomClutch during the initial infection.

CosmicDoor chain

The CosmicDoor chain begins with an injector malware that we have named “GillyInjector” written in C++, which was also described by Huntress and SentinelOne. This malware includes an encrypted baseApp and an encrypted malicious payload.

• Injector: GillyInjector written in C++
• BaseApp: a benign application written in C++ or Swift
• Final payload: CosmicDoor.macOS written in Nim

The syscon.zip file downloaded from the file hosting server contains the “a” binary that has been identified as GillyInjector designed to run a benign Mach-O app and inject a malicious payload into it at runtime. Both the injector and the benign application are ad-hoc signed, similar to ZoomClutch. GillyInjector employs a technique known as Task Injection, a rare and sophisticated method observed on macOS systems.

The injector operates in two modes: wiper mode and injector mode. When executed with the --d flag, GillyInjector activates its destructive capabilities. It begins by enumerating all files in the current directory and securely deleting each one. Once all files in the directory are unrecoverably wiped, GillyInjector proceeds to remove the directory itself. When executed with a filename and password, GillyInjector operates as a process injector. It creates a benign application with the given filename in the current directory and uses the provided password to derive an AES decryption key.

The benign Mach-O application and its embedded payload are encrypted with a customized AES-256 algorithm in ECB mode (although similar to the structure of the OFB mode) and then base64-encoded. To decrypt, the first 16 bytes of the encoded string are extracted as the salt for a PBKDF2 key derivation process. This process uses 10,000 iterations, and a user-provided password to generate a SHA-256-based key. The derived key is then used to decrypt the base64-decoded ciphertext that follows.

Base application and payload decryption

The ultimately injected payload is identified as CosmicDoor.macOS, written in Nim. The main feature of CosmicDoor is that it communicates with the C2 server using the WSS protocol, and it provides remote control functionality such as receiving and executing commands.

Our telemetry indicates that at least three versions of CosmicDoor.macOS have been detected so far, each written in different cross-platform programming languages, including Rust, Python, and Nim. We also discovered that the Windows variant of CosmicDoor was developed in Go, demonstrating that the threat actor has actively used this malware across both Windows and macOS environments since 2023. Based on our investigation, the development of CosmicDoor likely followed this order: CosmicDoor.Windows in Go → CosmicDoor.macOS in Rust → CosmicDoor in Python → CosmicDoor.macOS in Nim. The Nim version, the most recently identified, stands out from the others primarily due to its updated execution chain, including the use of GillyInjector.

Except for the appearance of the injector, the differences between the Windows version and other versions are not significant. On Windows, the fourth to sixth characters of all RC4 key values are initialized to 123. In addition, the CosmicDoor.macOS version, written in Nim, has an updated value for COMMAND_KEY.

The same command scheme is still in use, but other versions implement only a few of the commands available on Windows. Notably, commands such as 345, 90, and 45 are listed in the Python implementation of CosmicDoor, but their actual code has not been implemented.

SilentSiphon: a stealer suite for harvesting

During our investigation, we discovered that CosmicDoor downloads a stealer suite composed of various bash scripts, which we dubbed “SilentSiphon”. In most observed infections, multiple bash shell scripts were created on infected hosts shortly after the installation of CosmicDoor. These scripts were used to collect and exfiltrate data to the actor’s C2 servers.

The file named upl.sh functions as an orchestration launcher, which aggregates multiple standalone data-extraction modules identified on the victim’s system.
upl.sh
├── cpl.sh
├── ubd.sh
├── secrets.sh
├── uad.sh
├── utd.sh
The launcher first uses the command who | tail -n1 | awk '{print $1}' to identify the username of the currently logged-in macOS user, thus ensuring that all subsequent file paths are resolved within the ongoing active session—regardless of whether the script is executed by another account or via Launch Agents. However, both the hard-coded C2 server and the username can be modified with the -h and -u flags, a feature consistent with other modules analyzed in this research. The orchestrator executes five embedded modules located in the same directory, removing each immediately after it completes exfiltration.

The stealer suite harvests data from the compromised host as follows:

1. upl.sh is the orchestrator and Apple Notes stealer.
   It targets Apple Notes at /private/var/tmp/group.com.apple.notes.
   It stores the data at /private/var/tmp/notes_<username>.
2. cpl.sh is the browser extension stealer module.
   It targets:

• Local storage for extensions: the entire “Local Extension Settings” directory of Chromium-based web browsers, such as Chrome, Brave, Arc, Edge, and Ecosia
• Browser’s built-in database: directories corresponding to Exodus Web3 Wallet, Coinbase Wallet extension, Crypto.com Onchain Extension, Manta Wallet, 1Password, and Sui wallet in the “IndexedDB” directory
• Extension list: the list of installed extensions in the “Extensions” directory
  Stores the data at /private/var/tmp/cpl_<username>/<browser>/*

• Credentials stored in the browsers: Local State, History, Cookies, Sessions, Web Data, Bookmarks, Login Data, Session Storage, Local Storage, and IndexedDB directories of Chromium-based web browsers, such as Chrome, Brave, Arc, Edge, and Ecosia
• Credentials in the Keychain: /Library/Keychains/System.keychain and ~/Library/Keychains/login.keychain-db
  It stores the data at /private/var/tmp/ubd_<username>/*

• Version Control: GitHub (.config/gh), GitLab (.config/glab-cli), and Bitbucket (.bit/config)
• Package manager: npm (.npmrc), Yarn (.yarnrc.yml), Python pip (.pypirc), RubyGems (.gem/credentials), Rust cargo (.cargo/credentials), and .NET Nuget (.nuget/NuGet.Config)
• Cloud/Infrastructure: AWS (.aws), Google Cloud (.config/gcloud), Azure (.azure), Oracle Cloud (.oci), Akamai Linode (.config/linode-cli), and DigitalOcean API (.config/doctl/config.yaml)
• Cloud Application Platform: Vercel (.vercel), Cloudflare (.wrangler/config), Netlify (.netfily), Stripe (.config/stripe/config.toml), Firebase (.config/configstore/firebase-tools.json), Twilio (.twilio-cli)
• DevOps/IaC: CircleCI (.circleci/cli.yml), Pulumi (.pulumi/credentials.json), and HashiCorp (.vault-token)
• Security/Authentication: SSH (.ssh) and FTP/cURL/Wget (.netrc)
• Blockchain Related: Sui Blockchain (.sui), Solana (.config/solana), NEAR Blockchain (.near-credentials), Aptos Blockchain (.aptos), and Algorand (.algorand)
• Container Related: Docker (.docker) and Kubernetes (.kube)
• AI: OpenAI (.openai)
  It stores the data at /private/var/tmp/secrets_backup_<current time>/<username>/*

• Password manager: 1Password 8, 1Password 7, Bitwarden, LastPass, and Dashlane
• Note-taking: Evernote and Notion
• Collaboration suites: Slack
• Messenger: Skype (inactive), WeChat (inactive), and WhatsApp (inactive)
• Cryptocurrency: Ledger Live, Hiro StacksWallet, Tonkeeper, MyTonWallet, and MetaMask (inactive)
• Remote Monitoring and Management: AnyDesk
  It stores the data at /private/var/tmp/<username>_<target application>_<current time>/*

• On macOS version 14 and later:
  
  • Telegram’s cached resources, such as chat history and media files
  • Encrypted geolocation cache
  • AES session keys used for account takeover
  • Legacy sandbox cache

  
  

• On macOS versions earlier than 14:
  
  • List of configured Telegram accounts
  • Export-key vault
  • Full chat DB, messages, contacts, files, and cached media
    It stores the data at /private/var/tmp/Telegrams_<username>/*

  
  

These extremely extensive targets allow the actor to expand beyond simple credentials to encompass their victims’ entire infrastructure. This includes Telegram accounts exploitable for further attacks, supply chain configuration details, and collaboration tools revealing personal notes and business interactions with other users. Notably, the attackers even target the .openai folder to secretly use ChatGPT with the user’s account.

The collected information is immediately archived with the ditto -ck command and uploaded to the initialized C2 server via curl command, using the same approach as in ZoomClutch.

RooTroy chain

We identified a ZIP archive downloaded from the file hosting server that contains a three-component toolset. The final payload, RooTroy.macOS, was also documented in the Huntress’s blog, but we were able to obtain its full chain. The archive includes the following:

• Installer: the primary installer file named "rtv4inst", written in Go
• Loader: an auxiliary loader file named "st" and identified as the Nimcore loader, written in Nim
• Injector: an injector file named "wt", which is identified as GillyInjector, written in C++
• Final payload: RooTroy.macOS, written in Go

Upon the execution of the installer, it immediately checks for the presence of other components and terminates if any are missing. Additionally, it verifies that it has accepted at least two command-line arguments to function properly, as follows.
rvt4inst <MID> <C2> [<Additional C2 domains…>]

• MID (Machine ID): unique identifier for victim tracking
• C2: primary command‑and‑control domain
• Additional C2 values can be supplied

On the first launch, the installer creates several directories and files that imitate legitimate macOS components. Note that these paths are abused only for camouflage; none are genuine system locations.

The installer uses the hard‑coded key 3DD226D0B700F33974F409142DEFB62A8CD172AE5F2EB9BEB7F5750EB1702E2A to serialize its runtime parameters into an RC4‑encrypted blob. The resulting encrypted value is written as .cfg inside /Library/Google/Cache/.

The installer then implements a naming mechanism for the plist name through dynamic bundle ID generation, where it scans legitimate applications in /Applications to create convincing identifiers. It enumerates .app bundles, extracts their names, and combines them with service-oriented terms like “agent”, “webhelper”, “update”, “updater”, “startup”, “service”, “cloudd”, “daemon”, “keystone.agent”, “update.agent”, or “installer” to construct bundle IDs, such as “com.safari.update” or “com.chrome.service”. If the bundle ID generation process fails for any reason, the malware defaults to “com.apple.updatecheck” as a hard-coded fallback identifier.

The installer then deploys the auxiliary binaries from the ZIP extraction directory to their final system locations. The Nimcore loader (st) is copied to /Library/Application Support/Logitechs/bin/Update Check. The GillyInjector binary is renamed to cpumons in the /Library/Storage/CPU path. Both files receive 0755 permissions to ensure executability.

Later, a persistence mechanism is implemented through macOS Launch Daemon plists. The plist template contains four placeholder fields that are filled in during generation:

• The Label field receives the dynamically generated bundle ID.
• The SERVER_AUTH_KEY environment variable is populated with the GillyInjector’s path /Library/Storage/CPU/cpumons that is RC4-encrypted using the hard-coded key "yniERNUgGUHuAhgCzMAi" and then base64-encoded.
• The CLIENT_AUTH_KEY environment variable receives the hard-coded value "..".
• The Program field points to the installed Nimcore loader’s path.

The installer completes the persistence setup by using legitimate launchctl commands to activate the persistence mechanism, ensuring the Nimcore loader is executed. It first runs “launchctl unload <bundle ID>.plist” on any existing plist with the same name to remove previous instances, then executes “launchctl load <bundle ID>.plist” to activate the new persistence configuration through /bin/zsh -c.

The second stage in this execution chain is the Nimcore loader, which is deployed by the installer and specified in the Program field of the plist file. This loader reads the SERVER_AUTH_KEY environment variable with getenv(), base64-decodes the value, and decrypts it with the same RC4 key used by the installer. The loader is able to retrieve the necessary value because both SERVER_AUTH_KEY and CLIENT_AUTH_KEY are provided in the plist file and filled in by the installer. After decryption, it invokes posix_spawn() to launch GillyInjector.

GillyInjector is the third component in the RooTroy chain and follows the same behavior as described in the CosmicDoor chain. In this instance, however, the password used for generation is hard-coded as xy@bomb# within the component. The baseApp is primarily responsible for displaying only a simple message and acts as a carrier to keep the injected final payload in memory during runtime.

The final payload is identified as RooTroy.macOS, written in Go. Upon initialization, RooTroy.macOS reads its configuration from /Library/Google/Cache/.cfg, a file created by the primary installer, and uses the RC4 algorithm with the same 3DD226D0B700F33974F409142DEFB62A8CD172AE5F2EB9BEB7F5750EB1702E2A key to decrypt it. If it fails to read the config file, it removes all files at /Library/Google/Cache and exits.

As the payload is executed at every boot time via a plist setup, it prevents duplicate execution by checking the .pid file in the same directory. If a process ID is found in the file, it terminates the corresponding process and writes the current process ID into the file. Additionally, it writes the string {"rt": "4.0.0."} into the .version file, also located in the same directory, to indicate the current version. This string is encrypted using RC4 with the key C4DB903322D17C8CBF1D1DB55124854C0B070D6ECE54162B6A4D06DF24C572DF.

This backdoor executes commands from the /Library/Google/Cache/.startup file line by line. Each line is executed via /bin/zsh -c "[command]" in a separate process. It also monitors the user’s login status and re-executes the commands when the user logs back in after being logged out.

Next, RooTroy collects and lists all mounted volumes and running processes. It then enters an infinite loop, repeatedly re-enumerating the volumes to detect any changes—such as newly connected USB drives, network shares, or unmounted devices—and uses a different function to identify changes in the list of processes since the last iteration. It sends the collected information to the C2 server via a POST request to /update endpoint with Content-Type: application/json.

The data field in the response from the C2 server is executed directly via AppleScript with osascript -e. When both the url and auth fields are present, RooTroy connects to the URL with GET method and the Authorization header to retrieve additional files. Then it sleeps for five seconds and repeats the process.

Additional files are loaded as outlined below:

1. Generate a random 10-character file name in the temp directory: /private/tmp/[random-chars]{10}.zip.
2. Save the downloaded data to that file path.
3. Extract the ZIP file using ditto -xk /private/tmp/[random-chars]{10}.zip /private/tmp/[random-chars]{10}.
4. Make the file executable using chmod +x /private/tmp/[random-chars]{10}/install.
5. Likely install additional components by executing /bin/zsh /private/tmp/[random-chars]{10}/install /private/tmp/[random-chars]{10} /private/tmp/[random-chars]{10}/.result.
6. Check the .result file for the string “success”.
7. Send result to /report endpoint.
8. Increment the cid field and save the configuration.
9. Clean up all temp files.

We also observed the RooTroy backdoor deploying files named keyboardd to the /Library/keyboard directory and airmond to the /Library/airplay path, which were confirmed to be a keylogger and an infostealer.

RealTimeTroy chain

We recently discovered GillyInjector containing an encrypted RealTimeTroy.macOS payload from the public multiscanning service.

• Injector: GillyInjector written in C++
• baseApp: the file named “ChromeUpdates” in the same ZIP file (not secured)
• Final payload: RealTimeTroy.macOS, written in Go

RealTimeTroy is a straightforward backdoor written in the Go programming language that communicates with a C2 server using the WSS protocol. We have secured both versions of this malware. In the second version, the baseApp named “ChromeUpdates” should be bundled along with the injector into a ZIP file. While the baseApp data is included in the same manner as in other GillyInjector instances, it is not actually used. Instead, the ChromeUpdates file is copied to the path specified as the first parameter and executed as the base application for the injection.

This will be explained in more detail in the GhostHire campaign section as the payload RealTimeTroy.macOS performs actions identical to the Windows version, with some differences in the commands. Like the Windows version, it injects the payload upon receiving command 16. However, it uses functionality similar to GillyInjector to inject the payload received from the C2. The password for AES decryption and the hardcoded baseApp within RealTimeTroy have been identified as being identical to the ones contained within the existing GillyInjector (MD5 76ACE3A6892C25512B17ED42AC2EBD05).

Additionally, two new commands have been added compared to the Windows version, specifically for handling commands via the pseudo-terminal. Commands 20 and 21 are used to respectively spawn and exit the terminal, which is used for executing commands received from command 8.

We found the vcs.time metadata within the second version of RealTimeTroy.macOS, which implies the commit time of this malware, and this value was set to 2025-05-29T12:22:09Z.

SneakMain chain

During our investigation into various incidents, we were able to identify another infection chain involving the macOS version of SneakMain in the victims’ infrastructures. Although we were not able to secure the installer malware, it would operate similar to the RooTroy chain, considering the behavior of its loader.

• Installer: the primary installer (not secured)
• Loader: Identified as Nimcore loader, written in Nim
• Final payload: SneakMain.macOS, written in Nim

The Nimcore loader reads the SERVER_AUTH_KEY and CLIENT_AUTH_KEY environment variables upon execution. Given the flow of the RooTroy chain, we can assume that these values are provided through the plist file installed by an installer component. Next, the values are base64-decoded and then decrypted using the RC4 algorithm with the hard-coded key vnoknknklfewRFRewfjkdlIJDKJDF, which is consistently used throughout the SneakMain chain. The decrypted SERVER_AUTH_KEY value should represent the path to the next payload to be executed by the loader, while the decrypted CLIENT_AUTH_KEY value is saved to the configuration file located at /private/var/tmp/cfg.

We have observed that this loader was installed under the largest number of various names among malware as follows:

• /Library/Application Support/frameworks/CloudSigner
• /Library/Application Support/frameworks/Microsoft Excel
• /Library/Application Support/frameworks/Hancom Office HWP
• /Library/Application Support/frameworks/zoom.us
• /Library/Application Support/loginitems/onedrive/com.onedrive.updater

The payload loaded by the Nimcore loader has been identified as SneakMain.macOS, written in the Nim programming language. Upon execution, it reads its configuration from /private/var/tmp/cfg, which is likely created by the installer. The configuration’s original contents are recovered through RC4 decryption with the same key and base64 decoding. In the configuration, a C2 URL and machine ID (mid) are concatenated with the pipe character (“|”). Then SneakMain.macOS constructs a JSON object containing this information, along with additional fields such as the malware’s version, current time, and process list, which is then serialized and sent to the C2 server. The request includes the header Content-Type: application/json.

As a response, the malware receives additional AppleScript commands and uses the osascript -e command to execute them. If it fails to fetch the response, it tries to connect to a default C2 server every minute. There are two URLs hard-coded into the malware: hxxps://file-server[.]store/update and hxxps://cloud-server[.]store/update.

One interesting external component of this chain is the configuration updater. This updater verifies the presence of the configuration file and updates the C2 server address to hxxps://flashserve[.]store/update with the same encryption method, while preserving the existing mid value. Upon a successful update, it outputs the updated configuration to standard output.

Beside the Nim-based chain, we also identified a previous version of the SneakMain.macOS binary, written in Rust. This version only consists of a launcher and the Rust-based SneakMain. It is expected to create a corresponding plist for regular execution, but this has not yet been discovered. The Rust version supports two execution modes:

• With arguments: the malware uses the C2 server and mid as parameters
• Without arguments: the malware loads an encrypted configuration file located at /Library/Scripts/Folder Actions/Check.plist

This version collects a process list only at a specific time during execution, without checking newly created or terminated processes. The collected list is then sent to the C2 server via a POST request to hxxps://chkactive[.]online/update, along with the current time (uid) and machine ID (mid), using the Content-Type: application/json header. Similarly, it uses the osascript -e command to execute commands received from the C2 server.

DownTroy v2 chain

The DownTroy.macOS v2 infection chain is the latest variant, composed of four components, with the payload being an AppleScript and the rest written in Nim. It was already covered by SentinelOne under the name of “NimDoor”. The Nimcore loader in this chain masquerades as Google LLC, using an intentional typo by replacing the “l” (lowercase “L”) in “Google LLC” with an “I” (uppercase “i”).

• Installer: the primary installer file named "installer", written in Nim
• Dropper: a dropper file named "CoreKitAgent", written in Nim
• Loader: an auxiliary loader file named "GoogIe LLC" and identified as Nimcore loader, written in Nim
• Final payload: DownTroy.macOS, written in AppleScript

The installer, which is likely downloaded and initiated by a prior malicious script, serves as the entry point for this process. The dropper receives an interrupt (SIGINT) or termination signal (SIGTERM) like in the DownTroy v1 chain, recreating the components on disk to recover them. Notably, while the previously described RooTroy and SneakMain chains do not have this recovery functionality, we have observed that they configure plist files to automatically execute the Nimcore loader after one hour if the process terminates, and they retain other components. This demonstrates how the actor strategically leverages DownTroy chains to operate more discreetly, highlighting some of the key differences between each chain.

The installer should be provided with one parameter and will exit if executed without it. It then copies ./CoreKitAgent and ./GoogIe LLC from the current location to ~/Library/CoreKit/CoreKitAgent and ~/Library/Application Support/Google LLC/GoogIe LLC, respectively. Inside of the installer, com.google.update.plist (the name of the plist) is hard-coded to establish persistence, which is later referenced by the dropper and loader. The installer then concatenates this value, the given parameter, and the dropper’s filename into a single string, separated by a pipe (“|”).

This string is encrypted using the AES algorithm with a hard-coded key and IV, and the resulting encrypted data is then saved to the configuration file.

• Key: 5B77F83ECEFA0E32BA922F61C9EFFF7F755BA51A010DB844CA7E8AD3DB28650A
• IV: 2B499EB3865A7EF17264D15252B7F73E
• Configuration file path: /private/tmp/.config

It fulfills its function by ultimately executing the copied dropper located at ~/Library/CoreKit/CoreKitAgent.

The dropper in the DownTroy v2 chain uses macOS’s kqueue alongside Nim’s async runtime to manage asynchronous control flow, similar to CosmicDoor, the Nimcore loader in the RooTroy chain, and the Nim version of SneakMain.macOS. The dropper monitors events via kqueue, and when an event is triggered, it resumes the corresponding async tasks through a state machine managed by Nim. The primary functionality is implemented in state 1 of the async state machine.

The dropper then reads the encrypted configuration from /private/tmp/.config and decrypts it using the AES algorithm with the hard-coded key and IV, which are identical to those used in the installer. By splitting the decrypted data with a “|”, it extracts the loader path, the plist path, and the parameter provided to the installer. Next, it reads all the contents of itself and the loader, and deletes them along with the plist file in order to erase any trace of their existence. When the dropper is terminated, a handler function is triggered that utilizes the previously read contents to recreate itself and the loader file. In addition, a hard-coded hex string is interpreted as ASCII text, and the decoded content is written to the plist file path obtained from the configuration.

In the contents above, variables enclosed in %’s are replaced with different strings based on hard-coded values and configurations. Both authentication key variables are stored as encrypted strings with the same AES algorithm as used for the configuration.

• %label% -> com.google.update
• %server_auth_key% -> AES-encrypted selfpath (~/Library/CoreKit/CoreKitAgent)
• %client_auth_key% -> AES-encrypted configuration
• %program% -> loader path (~/Library/Application Support/Google LLC/GoogIe LLC)

The core functionality of this loader is to generate an AppleScript file using a hard-coded hex string and save it as .ses in the same directory. The script, identified as DownTroy.macOS, is designed to download an additional malicious script from a C2 server. It is nearly identical to the one used in the DownTroy v1 chain, with the only differences being the updated C2 servers and the curl command option.

We have observed three variants of this chain, all of which ultimately deploy the DownTroy.macOS malware but communicate with different C2 servers. Variant 1 communicates with the same C2 server as the one configured in the DownTroy v1 chain, though it appears in a hex-encoded form.

The configuration file path used by variant 1 is the same as that of SneakMain. This indicates that the actor transitioned from the SneakMain chain to the DownTroy chain while enhancing their tools, and this variant’s dropper is identified as an earlier version that reads the plist file directly.

SysPhon chain

Unlike other infection chains, the SysPhon chain incorporates an older set of malware: the lightweight version of RustBucket and the known SugarLoader. According to a blog post by Field Effect, the actor deployed the lightweight version of RustBucket, which we dubbed “SysPhon”, alongside suspected SugarLoader malware and its loader, disguised as a legitimate Wi-Fi updater. Although we were unable to obtain the suspected SugarLoader malware sample or the final payloads, we believe with medium-low confidence that this chain is part of the same campaign by BlueNoroff. This assessment is based on the use of icloud_helper (a tool used for stealing user passwords) and the same initial infection vector as before: a fake Zoom link. It’s not surprising, as both malicious tools have already been attributed to BlueNoroff, indicating that the tools were adapted for the campaign.

Considering the parameters and behavior outlined in the blog post above, an AppleScript script deployed icloud_helper to collect the user’s password and simultaneously installed the SysPhon malware. The malware then downloaded SugarLoader, which connected to the C2 server and port pair specified as a parameter. This ultimately resulted in the download of a launcher to establish persistence. Given this execution flow and SugarLoader’s historical role in retrieving the KANDYKORN malware, it is likely that the final payload in the chain would be KANDYKORN or another fully-featured backdoor.

SysPhon is a downloader written in C++ that functions similarly to the third component of the RustBucket malware, which was initially developed in Rust and later rewritten in Swift. In March 2024, an ELF version of the third component compatible with Linux was uploaded to a multi-scanner service. In November 2024, SentinelOne reported on SysPhon, noting that it is typically distributed via a parent downloader that opens a legitimate PDF related to cryptocurrency topics. Shortly after the report, a Go version of SysPhon was also uploaded to the same scanner service.

SysPhon requires a C2 server specified as a parameter to operate. When executed, it generates a 16-byte random ID and retrieves the host name. It then enters a loop to conduct system reconnaissance by executing a series of commands:

The results of these commands are then sent to the specified C2 server inside a POST request with the following User-Agent header: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0). This User-Agent is the same as the one used in the Swift implementation of the RustBucket variant.
ci[random ID][hostname][macOS version][timezone][install log][boot time][hw model][current time][process list]
After sending the system reconnaissance data to the C2 server, SysPhon waits for commands. It determines its next action by examining the first character of the response it receives. If the response begins with 0, SysPhon executes the binary payload; if it’s 1, the downloader exits.

AI-powered attack strategy

While the video feeds for fake calls were recorded via the fabricated Zoom phishing pages the actor created, the profile images of meeting participants appear to have been sourced from job platforms or social media platforms such as LinkedIn, Crunchbase, or X. Interestingly, some of these images were enhanced with GPT-4o. Since OpenAI implemented the C2PA standard specification metadata to identify the generated images as artificial, the images created via ChatGPT include metadata that indicates their synthetic origin, which is embedded in file formats such as PNGs.

EXIF metadata of images generated by GPT-4o

Among these were images whose filenames were set to the target’s name. This indicates the actor likely used the target’s publicly available profile image to generate a suitable profile for use alongside the recorded video. Furthermore, the inclusion of Zoom’s legitimate favicon image leads us to assess with medium-high confidence that the actor is leveraging AI for image enhancement.

Victim’s profile image enhanced using GPT-4o

In addition, the secrets stealer module of SilentSiphon, secrets.sh, includes several comment lines. One of them uses a checkmark emoticon to indicate archiving success, although the comment was related to the backup being completed. Since threat actors rarely use comments, especially emoticons, in malware intended for real attacks, we suggest that BlueNoroff uses generative AI to write malicious scripts similar to this module. We assume they likely requested a backup script rather than an exfiltration script.

Comments that appear to be AI-generated in the secrets stealer module

The GhostHire campaign

The GhostHire campaign was less visible than GhostCall, but it also began as early as mid-2023, with its latest wave observed recently. It overlaps with the GhostCall campaign in terms of infrastructure and tools, but instead of using video calls, the threat actors pose as fake recruiters to target developers and engineers. The campaign is disguised as skill assessment to deliver malicious projects, exploiting Telegram bots and GitHub as delivery vehicles. Based on historical attack cases of this campaign, we assess with medium confidence that this attack flow involving Telegram and GitHub represents the latest phase, which started no later than April this year.

Initial access

The actor initiates communication with the target directly on Telegram. Victims receive a message with a job offer along with a link to a LinkedIn profile that impersonates a senior recruiter at a financial services company based in the United States.

Fake LinkedIn profile

We observed that the actor uses a Telegram Premium account to enhance their credibility by employing a custom emoji sticker featuring the company’s logo. They attempt to make the other party believe they are in contact with a legitimate representative.

Fake Telegram account

During the investigation, we noticed suspicious changes made to the Telegram account, such as a shift from the earlier recruiter persona to impersonating individuals associated with a Web3 multi-gaming application. The actor even changed their Telegram handle to remove the previous connection.

The same Telegram account changed to impersonate a Web3 company founder

During the early stages of our research and ongoing monitoring of publicly available malicious repositories, we observed a blog post published by a publicly cited target. In this post, the author shares their firsthand experience with a scam attempt involving the same malicious repositories we already identified. It provided us with valuable insight into how the group initiates contact with a target and progresses through a fake interview process.

Following up on initial communication, the actor adds the target to a user list for a Telegram bot, which displays the impersonated company’s logo and falsely claims to streamline technical assessments for candidates. The bot then sends the victim an archive file (ZIP) containing a coding assessment project, along with a strict deadline (often around 30 minutes) to pressure the target into quickly completing the task. This urgency increases the likelihood of the target executing the malicious content, leading to initial system compromise.

The project delivered through the ZIP file appears to be a legitimate DeFi-related project written in Go, aiming at routing cryptocurrency transactions across various protocols. The main project code relies on an external malicious dependency specified in the go.mod file, rather than embedding malicious code directly into the project’s own files. The external project is named uniroute. It was published in the official Go packages repository on April 9, 2025.

We had observed this same repository earlier in our investigation, prior to identifying the victim’s blog post, which later validated our findings. In addition to the Golang repository, we discovered a TypeScript-based repository uploaded to GitHub that has the same download function.

Uniroute malicious package is referenced via go.mod in the DeFi-related project

Upon execution of the project, the malicious package is imported, and the GetUniRoute() function is called during the initialization of the unirouter at the following path: contracts/UniswapUniversalRouter.go. This function call acts as the entry point for the malicious code.

Entry point of malicious function

The malicious package consists of several files:
uniroute
├── README.md
├── dar.go
├── go.mod
├── go.sum
├── lin.go
├── uniroute.go
└── win.go
The main malicious logic is implemented in the following files:

1. uniroute.go: the main entry point
2. win.go: Windows-specific malicious code
3. lin.go: Linux-specific malicious code
4. dar.go: macOS (Darwin)-specific malicious code

The main entry point of the package includes a basic base64-encoded blob that is decoded to a URL hosting the second-stage payload: hxxps://download.datatabletemplate[.]xyz/account/register/id=8118555902061899&secret=QwLoOZSDakFh.

Base64-encoded C2 URL in the malicious package

When the User-Agent of the running platform is detected, the corresponding payload is retrieved and executed. The package utilizes Go build tags to execute different code depending on the operating system.

• Windows (win.go). Downloads its payload to %TEMP%\init.ps1 and performs anti-antivirus checks by looking for the presence of the 360 Security process. If the 360 antivirus is not detected, the malware generates an additional VBScript wrapper at %TEMP%\init.vbs. The PowerShell script is then covertly executed with a bypassed execution policy, without displaying any windows to the user.
• Linux (lin.go). Downloads its payload to /tmp/init and runs it as a bash script with nohup, ensuring the process continues running even after the parent process terminates.
• macOS (dar.go). Similarly to Linux, downloads its payload to /tmp/init and uses osascript with nohup to execute it.

We used our open source package monitoring tool to discover that the actor had published several malicious Go packages with behavior similar to uniroute. These packages are imported into repositories and executed within a specific section of the code.

Malicious TypeScript project

Not only did we observe attacks involving malicious Golang packages, but we also identified a malicious Next.js project written in TypeScript and uploaded to GitHub. This project includes TypeScript source code for an NFT-related frontend task. The project acts in a similar fashion to the Golang ones, except that there is no dependency. Instead, a malicious TypeScript file within the project downloads the second-stage payload from a hardcoded URL.

Malicious TypeScript-based project

The malicious behavior is implemented in pages/api/hello.ts, and the hello API is fetched by NavBar.tsx with fetch('/api/hello').
wallet-portfolio
├── README.md
├── components
│ ├── navBar
│ │ ├── NavBar.tsx ##### caller
...
├── data
├── next.config.js
├── package-lock.json
├── package.json
├── pages
│ ├── 404.tsx
│ ├── _app.tsx
│ ├── _document.tsx
│ ├── api
│ │ ├── 404.ts
│ │ ├── app.ts
│ │ ├── hello.ts ##### malicious
...
│ ├── create-nft.tsx
│ ├── explore-nfts.tsx
...
We have to point out that this tactic isn’t unique to BlueNoroff. The Lazarus group was the first to adopt it, and the Contagious Interview campaign also uses it. However, the GhostHire campaign stands apart because it uses a completely different set of malware chains.

DownTroy: multi-platform downloader

Upon accessing the URL with the correct User-Agent, corresponding scripts are downloaded for each OS: PowerShell for Windows, bash script for Linux, and AppleScript for macOS, which all turned out to be the DownTroy malware. It is the same as the final payload in the DownTroy chains from the GhostCall campaign and has been expanded to include versions for both Windows and Linux. In the GhostHire campaign, this script serves as the initial downloader, fetching various malware chains from a file hosting server.

DownTroy delivery process

Over the course of tracking this campaign, we have observed multiple gradual updates to these DownTroy scripts. The final version shows that the PowerShell code is XOR-encrypted, and the AppleScript has strings split by individual characters. Additionally, all three DownTroy strains collect comprehensive system information including OS details, domain name, host name, username, proxy settings, and VM detection alongside process lists.

Full infection chain on Windows

In January 2025, we identified a victim who had executed a malicious TypeScript project located at <company name>-wallet-portfolio, which followed the recruiter persona from the financial company scenario described earlier. The subsequent execution of the malicious script created the files init.vbs and init.ps1 in the %temp% directory.

The DownTroy script (init.ps1) was running to download additional malware from an external server every 30 seconds. During the attack, two additional script files, chsplitobf.ps1 and sinst.bat, were downloaded and executed on the infected host. Though we weren’t able to obtain the files, based on our detection, we assess the PowerShell script harvests credentials stored in a browser, similar to SilentSiphon on macOS.

In addition, in the course of the attack, several other payloads written in Go and Rust rather than scripts, were retrieved from the file hosting server dataupload[.]store and executed.

Overall Windows infection chain

New method for payload delivery

In contrast to GhostCall, DownTroy.Windows would retrieve a base64-encoded binary blob from the file hosting server and inject it into the cmd.exe process after decoding. This blob typically consists of metadata, a payload, and the loader code responsible for loading the payload. The first five bytes of the blob represent a CALL instruction that invokes the loader code, followed by 0x48 bytes of metadata. The loader, which is 0xD6B bytes in size, utilizes the metadata to load the payload into memory. The payload is written to newly allocated space, then relocated, and its import address table (IAT) is rebuilt from the same metadata. Finally, the payload is executed with the CreateThread function.

Binary blob structure

The metadata contains some of the fields from PE file format, such as an entry point of the payload, imagebase, number of sections, etc, needed to dynamically load the payload. The payload is invoked by the loader by referencing the metadata stored separately, so it has a corrupted COFF header when loaded. Generally, payloads in PE file format should have a legitimate header with the corresponding fields, but in this case, the top 0x188 bytes of the PE header of the payload are all filled with dummy values, making it difficult to analyze and detect.

UAC bypass

We observed that the first thing the actor deployed after DownTroy was installed was the User Account Control (UAC) bypass tool. The first binary blob fetched by DownTroy contained the payload bypassing UAC that used a technique disclosed in 2019 by the Google Project Zero team. This RPC-based UAC bypass leveraging the 201ef99a-7fa0-444c-9399-19ba84f12a1a interface was also observed in the KONNI malware execution chain in 2021. However, the process that obtains the privilege had been changed from Taskmgr.exe to Computerdefaults.exe.

The commands executed through this technique are shown below. In this case, this.exe is replaced by the legitimate explorer.exe due to parent PID spoofing.

In other words, the actor was able to run DownTroy with elevated privileges, which is the starting point for all further actions. It also executed init.vbs, the launcher that runs DownTroy, with elevated privileges.

RooTroy.Windows in Go

RooTroy.Windows is the first non-scripted malware installed on an infected host. It is a simple downloader written in Go, same to the malware used in the GhostCall campaign. Based on our analysis of RooTroy’s behavior and execution flow, it was loaded and executed by a Windows service named NetCheckSvc.

Although we did not obtain the command or installer used to register the NetCheckSvc service, we observed that the installer had been downloaded from dataupload[.]store via DownTroy and injected into the legitimate cmd.exe process with the parameter -m yuqqm2ced6zb9zfzvu3quxtrz885cdoh. The installer then probably created the file netchksvc.dll at C:\Windows\system32 and configured it to run as a service named NetCheckSvc. Once netchksvc.dll was executed, it loaded RooTroy into memory, which allowed it to operate in the memory of the legitimate svchost.exe process used to run services in Windows.

RooTroy.Windows initially retrieves configuration information from the file C:\Windows\system32\smss.dat. The contents of this file are decrypted using RC4 with a hardcoded key: B3CC15C1033DE79024F9CF3CD6A6A7A9B7E54A1A57D3156036F5C05F541694B7. This key is different from the one used in the macOS variant of this malware, but the same C2 URLs were used in the GhostCall campaign: readysafe[.]xyz and safefor[.]xyz.

Then RooTroy.Windows creates a string object {"rt": "5.0.0"}, which is intended to represent the malware’s version. This string is encrypted using RC4 with another hardcoded string, C4DB903322D17C8CBF1D1DB55124854C0B070D6ECE54162B6A4D06DF24C572DF. It is the same as the key used in RooTroy.macOS, and it is stored at C:\ProgramData\Google\Chrome\version.dat.

Next, the malware collects device information, including lists of current, new and terminated processes, OS information, boot time, and more, which are all structured in a JSON object. It then sends the collected data to the C2 server using the POST method with the Content-Type: application/json header.

The response is parsed into a JSON object to extract additional information required for executing the actual command. The commands are executed based on the value of the type field in the response, with each command processing its corresponding parameters in the required object.

If the received value of type is 2 or 3, the responses include a common source field within the parsed data, indicating where the additional payload originates. Depending on the value of source, the data field in the parsed data contains either the file path where the payload is stored on the disk, the C2 server address from which it should be downloaded, or the payload itself encoded in base64. Additionally, if the cipher field is set to true, the key field is used as the RC4 decryption key.

If the value of type is set to 2, the injection mode, referred to as peshooter in the code, is activated to execute an additional payload into memory. This mode checks whether the payload sourced from the data field is encrypted by examining the cipher value as a flag in the parsed data. If it is, the payload is decrypted with the RC4 algorithm. If no key is provided in the key value, a hardcoded string, A6C1A7CE43B029A1EF4AE69B26F745440ECCE8368C89F11AC999D4ED04A31572, is used as the default key.

If the pid value is not specified (e.g., set to -1), the process with the name provided in the process field is executed in suspended mode, with the optional argument value as its input. Additionally, if a sid value is provided at runtime, a process with the corresponding session ID is created. If a pid value is explicitly given, the injection is performed into that specific process.

Before performing the injection, the malware enables the SeDebugPrivilege privilege for process injection and unhooks the loaded ntdll.dll for the purpose of bypassing detection. This is a DLL unhooking technique that dynamically loads and patches the .text section of ntdll.dll to bypass the hooking of key functions by security software to detect malicious behavior.

Once all the above preparations are completed, the malware finally injects the payload into the targeted process.

If the value of type is set to 3, self-update mode is activated. Similar to injection mode, it first checks whether the payload sourced from the data is encrypted and, if so, decrypts it using RC4 with a hardcoded key: B494A0AE421AFE170F6CB9DE2C1193A78FBE16F627F85139676AFC5D9BFE93A2. A random 32-byte string is then generated, and the payload is encrypted using RC4 with this string as the key. The encrypted payload is stored in the file located at C:\Windows\system32\boot.sdl, while the generated random key is saved unencrypted in C:\Windows\system32\wizard.sep. This means the loader will read the wizard.sep file to retrieve the RC4 key, use it to decrypt the payload from boot.sdl, and then load it.

After successfully completing the update operation, the following commands are created under the filename update-[random].bat in the %temp% directory:
@echo off
set SERVICE_NAME=NetCheckSvc
sc stop %SERVICE_NAME% >nul 2>&1
sc start %SERVICE_NAME% >nul 2>&1
start "" cmd /c del "%~f0" >nul 2>&1
This batch script restarts a service called NetCheckSvc and self-deletes, which causes the loader netchksvc.dll to be reloaded. In other words, the self-update mode updates RooTroy itself by modifying two files mentioned above.

According to our telemetry, we observed that the payload called RealTimeTroy was fetched by RooTroy and injected into cmd.exe process with the injected wss://signsafe[.]xyz/update parameter.

RealTimeTroy in Go

The backdoor requires at least two arguments: a simple string and a C2 server address. Before connecting to the given C2 server, the first argument is encrypted using the RC4 algorithm with the key 9939065709AD8489E589D52003D707CBD33AC81DC78BC742AA6E3E811BA344C and then base64 encoded. In the observed instance, this encoded value is passed to the “p” (payload) field in the request packet.

The entire request packet is additionally encrypted using RC4 algorithm with the key 4451EE8BC53EA7C148D8348BC7B82ACA9977BDD31C0156DFE25C4A879A1D2190. RealTimeTroy then sends this encrypted message to the C2 server to continue communication and receive commands from the C2.

Then the malware receives a response from the C2. The value of “e” (event) within the response should be 5, and the value of “p” is decoded using base64 and then decrypted using RC4 with the key 71B743C529F0B27735F7774A0903CB908EDC93423B60FE9BE49A3729982D0E8D, which is deserialized in JSON. The command is extracted from the “c” (command) field in the JSON object, and the malware performs specific actions according to the command.

Upon receiving the file download command (16), the d (data) field in the response contains a JSON object. If the u (url) field is initialized, a connection is established to the specified URL using the m (method) and h (headers) fields provided in the same JSON object. If the connection returns a 200 status code (success), the response body is written to the file path indicated by the r (rpath) value in the response.

While the u value is not initialized, the malware writes the value of the b (buffer) field from the response to the path provided through the r field. It continues writing b until the e (eof) flag is set and then sends the xxHash of the total downloaded contents to the C2 server. This allows for the downloading of the larger file contents from the C2 server.

When receiving the process injection command (19), the d in the response includes another JSON object. If the l (local) flag within this object is set to true, a t (total) amount of data is read from b starting at the f (from) position specified in the object. The xxHash value of b is then validated to ensure it matches the provided h (hash) value. If the l flag is false, b is instead read from the file path specified as fp (file path). The payload is then injected into cmd.exe with the same method as the peshooter used in RooTroy.

The result is then serialized and secured with a combination of RC4 encryption and base64 encoding before being sent to the C2 server. The key used for encryption, 71B743C529F0B27735F7774A0903CB908EDC93423B60FE9BE49A3729982D0E8D, is the same key used to decrypt the response object.

CosmicDoor.Windows written in Go

CosmicDoor.Windows is the Windows version of CosmicDoor written in Go and has the same features as macOS versions. The C2 server address wss://second.systemupdate[.]cloud/client is hardcoded in the malware. It processes a total of seven commands, passed from the C2.

The command 234 is for collecting device information such as user name, computer name, OS, architecture, Windows version, and boot time.

The command 12 serves two primary functions. The first is to execute a command line passed as a parameter using cmd.exe /c, while the second is to perform code injection. This injection capability is nearly identical to the peshooter functionality found in RooTroy, but it is considered an enhanced version.

Within CosmicDoor, the peshooter feature can accept up to six parameters using the shoot or shoote command to configure code injection options. If a file path is provided in the PATH parameter, the next payload is read from that file on the system. Conversely, if a string beginning with http is specified, the next payload is retrieved through HTTP communication instead.

Then it checks the SID, PID, and REASON parameters. If PID is not passed, CosmicDoor defaults to creating notepad.exe in suspended mode and assigns it a target for injection, and the SID determines the session ID that runs notepad.exe. If no SID is passed, it defaults to the token of the current process. REASON means to pass ARGS to the payload by default if no value greater than 0 is passed.

Finally, CosmicDoor allocates space inside of the targeted process’s memory space for the payload, the hardcoded shellcode for the loader, and ARGS to write the data, and then invokes the loader code to execute the final payload from memory. If FUNC is set at this point, it calls the corresponding export function of the loaded payload. This usage is also well displayed inside CosmicDoor.
"ERROR: Invalid syntax.\n"
"Examples:\n"
"\tshoot [SID] [PID] [REASON] [PATH] [ARGS] [FUNC]\n"
"Parameter List:\n"
"\t[SID] Session ID.\n"
"\t[PID] Process ID.\n"
"\t[REASON] reason.\n"
"\t[PATH] the path of PE file.\n"
"\t[ARGS] the arguments of PE file.\n"
"\t[FUNC] Export function of PE file.\n";

Bof loader written in Rust

Bof loader is assumed to be one of the payloads downloaded from dataupload[.]store by DownTroy. It is a loader protected by Themida and written in Rust. The malware was created with the name nlsport.dll, and unlike other malware, it is registered with security support providers and loaded with SYSTEM privileges by the LSASS process at Windows boot time. In this instance, the malicious behavior is implemented in the SpLsaModeInitialize export function inside the DLL file and it contains the string that indicates its work path C:\Users\Molly.

The loader employs the NTDLL unhooking technique, a method also used by other malware families. After unhooking, the loader reads two files. The first one contains an RC4 key, while the second holds a payload encrypted with that key.

• RC4 key: C:\Windows\system32\wand.bin
• Encrypted payload: C:\Windows\system32\front.sdl.

The loader then decrypts the payload, allocates memory in the current process, and executes the decrypted shellcode via the NtCreateThreadEx function. This is very similar to the injection feature implemented within RooTroy, written in Golang.

During our focused monitoring of the threat actor’s infrastructure, we discovered that one of the instances was signed with a valid certificate from a legitimate Indian company.

Victims

Our telemetry detected infection events from various countries affected by both campaigns. We have observed several infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India and Hong Kong infected by the GhostCall campaign since 2023. The victims of the GhostHire campaign, which resumed its activities starting this year, have been identified as individuals in Japan and Australia.

We observed that many stolen videos and profile images have been uploaded to the actor’s public storage server. These were utilized to convince victims in the course of the GhostCall campaign. We closely examined the uploaded data and found that most victims were executives at tech companies and venture capital funds in the Web3/blockchain industry located in the APAC region, particularly in Singapore and Hong Kong.

Attribution

In 2022, we already uncovered the PowerShell script that BlueNoroff heavily relied on to collect base system information and execute commands from its C2 server. This script is considered to be an earlier version of DownTroy. Moreover, leveraging trusted resources attributed to venture capital funds to attack the cryptocurrency-related industry was a primary attack method of the SnatchCrypto campaign. Additionally, the tendency to create phishing domains using the names of venture capital firms and the use of Hostwinds hosting to build these phishing sites also overlaps with past cases of BlueNoroff observed in our previous research.

In late-2023, we provided an insight into the early stage of the BlueNoroff’s GhostCall campaign to our customers. The actor utilized JavaScript and AppleScript to raise an issue regarding IP access control on Windows and macOS respectively. In this instance, the JavaScript ultimately downloaded a VBScript file, which has been identified as a VBScript version of DownTroy. This version shares a C2 server with CosmicDoor.Windows. The AppleScript was used against a victim in August 2023, and fetched from a fake domain support.video-meeting[.]online, which shared its resolved IP address (104.168.214[.]151) with the ObjCShellZ malware’s C2 server swissborg[.]blog.

We assess with medium-high confidence that BlueNoroff is behind both campaigns when comprehensively considering the infrastructure, malware, attack methods, final targets, and motives behind the attacks used in both campaigns.

Conclusion

Our research indicates a sustained effort by the actor to develop malware targeting both Windows and macOS systems, orchestrated through a unified command-and-control infrastructure. The use of generative AI has significantly accelerated this process, enabling more efficient malware development with reduced operational overhead. Notably, AI will make it easier to introduce new programming languages and add new features, thereby complicating detection and analysis tasks. Furthermore, AI supports the actor’s ability to maintain and expand their infrastructure, enhancing their overall productivity.

Beyond technical capabilities, the actor leverages AI to refine sophisticated social engineering tactics. The AI-powered, tailored approach enables the attackers to convincingly disguise themselves, operating with detailed information, allowing for more meticulous targeted attacks. By combining compromised data with AI’s analytical and productive capabilities, the actor’s attack success rate has demonstrably increased.

The actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. Upon gaining access, they conduct comprehensive data acquisition across a range of assets, including infrastructure, collaboration tools, note-taking applications, development environments, and communication platforms (messengers). This harvested data is exploited not only against the initial target but also to facilitate subsequent attacks, enabling the actor to execute supply chain attacks and leverage established trust relationships to impact a broader range of users.

Kaspersky products detect the exploits and malware used in this attack with the following verdicts:

Indicators of compromise

More IoCs are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

AppleScript
e33f942cf1479ca8530a916868bad954 zoom_sdk_support.scpt
963f473f1734d8b3fbb8c9a227c06d07 test1
60bfe4f378e9f5a84183ac505a032228 MSTeamsUpdate.scpt

ZoomClutch
7f94ed2d5f566c12de5ebe4b5e3d8aa3 zoom

TeamsClutch
389447013870120775556bb4519dba97 Microsoft Teams

DownTroy v1 chain
50f341b24cb75f37d042d1e5f9e3e5aa trustd
a26f2b97ca4e2b4b5d58933900f02131 watchdog, SafariUpdate
6422795a6df10c45c1006f92d686ee7e 633835385.txt

CosmicDoor in Rust
931cec3c80c78d233e3602a042a2e71b dnschk
c42c7a2ea1c2f00dddb0cc4c8bfb5bcf dnschk

CosmicDoor in Python
9551b4af789b2db563f9452eaf46b6aa netchk

CosmicDoor chain
76ace3a6892c25512b17ed42ac2ebd05 a
19a7e16332a6860b65e6944f1f3c5001 a

SilentSiphon
c446682f33641cff21083ac2ce477dbe upl
e8680d17fba6425e4a9bb552fb8db2b1 upl.sh
10cd1ef394bc2a2d8d8f2558b73ac7b8 upl.sh
a070b77c5028d7a5d2895f1c9d35016f cpl.sh
38c8d80dd32d00e9c9440a498f7dd739 secrets.sh
7168ce5c6e5545a5b389db09c90038da uad.sh
261a409946b6b4d9ce706242a76134e3 ubd.sh
31b88dd319af8e4b8a96fc9732ebc708 utd.sh

RooTroy chain
1ee10fa01587cec51f455ceec779a160 rtv4inst
3bbe4dfe3134c8a7928d10c948e20bee st, Update Check
7581854ff6c890684823f3aed03c210f wt
01d3ed1c228f09d8e56bfbc5f5622a6c remoted

RealTimeTroy chain
5cb4f0084f3c25e640952753ed5b25d0 Chrome Update

SneakMain in Rust
1243968876262c3ad4250e1371447b23 helper, wt
5ad40a5fd18a1b57b69c44bc2963dc6b 633835387.txt
6348b49f3499d760797247b94385fda3 ChromeUpdate

SneakMain chain
17baae144d383e4dc32f1bf69700e587 mdworker
8f8942cd14f646f59729f83cbd4c357b com.password.startup
0af11f610da1f691e43173d44643283f CloudSigner, Microsoft Excel, Hancom Office HWP, zoom.us, com.onedrive.updater
7e50c3f301dd045eb189ba1644ded155 mig

TripleWatch stealer
0ca37675d75af0e7def0025cd564d6c5 keyboardd

DownTroy v2 chain
d63805e89053716b6ab93ce6decf8450 CoreKitAgent
e9fdd703e60b31eb803b1b59985cabec GoogIe LLC
f1d2af27b13cd3424556b18dfd3cf83f installer
b567bfdaac131a2d8a23ad8fd450a31d CoreKitAgent
00dd47af3db45548d2722fe8a4489508 GoogIe LLC
6aa93664b4852cb5bad84ba1a187f645 installer
d8529855fab4b4aa6c2b34449cb3b9fb CoreKitAgent
eda0525c078f5a216a977bc64e86160a GoogIe LLC
ab1e8693931f8c694247d96cf5a85197 installer

SysPhon chain
1653d75d579872fadec1f22cf7fee3c0 com.apple.sysd
529fe6eff1cf452680976087e2250c02 growth
a0eb7e480752d494709c63aa35ccf36c com.apple.secd
73d26eb56e5a3426884733c104c3f625 Wi-Fi Updater

VBScript
358c2969041c8be74ce478edb2ffcd19 init.vbs
2c42253ebf9a743814b9b16a89522bef init.vbs

DownTroy.Windows
f1bad0efbd3bd5a4202fe740756f977a init.ps1
a6ce961f487b4cbdfe68d0a249647c48 init.ps1
8006efb8dd703073197e5a27682b35bf init.ps1
c6f0c8d41b9ad4f079161548d2435d80 init.ps1
f8bb2528bf35f8c11fbc4369e68c4038 init.ps1

Bof loader
b2e9a6412fd7c068a5d7c38d0afd946f nlsport.dll
de93e85199240de761a8ba0a56f0088d

File hosting server
system.updatecheck[.]store
dataupload[.]store
safeupload[.]online
filedrive[.]online

AppleScript C2
hxxp://web071zoom[.]us/fix/audio/4542828056
hxxp://web071zoom[.]us/fix/audio-fv/7217417464
hxxp://web071zoom[.]us/fix/audio-tr/7217417464
hxxps://support.ms-live[.]us/301631/check
hxxps://support.ms-live[.]us/register/22989524464UcX2b5w52
hxxps://support.ms-live[.]us/update/02583235891M49FYUN57

ZoomClutch/TeamsClutch C2
hxxps://safeupload[.]online/uploadfiles
hxxps://api.clearit[.]sbs/uploadfiles
hxxps://api.flashstore[.]sbs/uploadfiles
hxxps://filedrive[.]online/uploadfiles

DownTroy C2
hxxps://bots.autoupdate[.]online:8080/test
hxxps://writeup[.]live/test
hxxps://safeup[.]store/test
hxxps://api[.]clearit[.]sbs/test
hxxps://api[.]flashstore[.]sbs/test

CosmicDoor C2
ws://web.commoncome[.]online:8080/client
ws://first.longlastfor[.]online:8080/client
wss://firstfromsep[.]online/client
second.systemupdate[.]cloud
second.awaitingfor[.]online

RooTroy C2
safefor[.]xyz
readysafe[.]xyz

RealTimeTroy C2
instant-update[.]online
signsafe[.]xyz

TripleWatch stealer C2
hxxps://metamask.awaitingfor[.]site/update

SilentSiphon C2
hxxps://urgent-update[.]cloud/uploadfiles
hxxps://dataupload[.]store/uploadfiles
hxxps://filedrive[.]online/uploadfiles

SneakMain.macOS C2
hxxps://chkactive[.]online/update
hxxps://file-server[.]store/update
hxxps://cloud-server[.]store/update
hxxps://flashserve[.]store/update

Additional C2 servers
download.datatabletemplate[.]xyz
check.datatabletemplate[.]shop
download.face-online[.]world
root.security-update[.]xyz
real-update[.]xyz
root.chkstate[.]online
secondshop[.]online
signsafe[.]site
secondshop[.]store
botsc.autoupdate[.]xyz
first.system-update[.]xyz
image-support[.]xyz
pre.alwayswait[.]site

securelist.com/bluenoroff-apt-…

Running suspicious software in a virtual machine seems like a basic precaution to figure out whether said software contains naughty code. Unfortunately it’s generally rather easy to detect whether or not one’s software runs inside a VM, with [bRootForce] going through a list of ways that a VirtualBox VM can be detected from inside the guest OS. While there are a range of obvious naming issues, such as the occurrence of the word ‘VirtualBox’ everywhere, there many more subtle ways too.

Demonstrated is the PoC ‘malware’ application called Al-Khaser, which can be used to verify one’s anti-malware systems, such as when trying to unleash a debugger on a piece of malware, run it inside a VM, along with many more uses. Among its anti-virtualization features are specific registry key names and values, file system artefacts, directory names, MAC addresses, virtual devices, etc.

In order to squeeze by those checks, [bRootForce] created the vbox_stealth shell script for Bash-blessed systems in order to use the VirtualBox Manager for the renaming of hardware identifier, along with the VBoxCloak project’s PowerShell script that’s used inside a Windows VirtualBox guest instance to rename registry keys, kill VirtualBox-specific processes, and delete VirtualBox-specific files.

Theoretically this should make it much harder for any malware to detect that it’s not running inside Windows on real hardware, but as always there are more subtle ways that are even harder to disguise.

youtube.com/embed/-On6bWFXuM8?…

hackaday.com/2025/10/27/making…