
Microsoft has issued a warning as macOS becomes a primary target for sophisticated information stealers like Atomic Stealer and MacSync. Shifting away from Windows-only tactics, attackers are using Python-based malware hidden behind fake disk image installers and malicious ads to harvest iCloud Keychains and financial data.
A new RaaS group named Vect has quickly matured, targeting high-value infrastructure in Brazil and South Africa with custom C++ malware. Distinguishing itself with the high-speed ChaCha20-Poly1305 algorithm and intermittent encryption, the group can paralyze Windows, Linux, and VMware ESXi systems with remarkable efficiency.
CISA has added CVE-2025-40551 to its KEV catalog, warning of a critical 9.8-rated flaw in SolarWinds Web Help Desk. With active exploitation confirmed, organizations are urged to patch immediately to prevent these systems from becoming launchpads for ransomware.
Top Malware Reported in the Last 24 Hours
React2Shell exploits lead to cryptominer deployment
Exploitation of the React2Shell vulnerability (CVE-2025-55182) has surged, with over 1.4 million attempts recorded in a single week. This critical vulnerability, found in version 19 of the React JavaScript library, allows unauthenticated remote code execution through a simple HTTP POST request. The exploitation activity intensified following the release of a Metasploit module, attracting both state-sponsored and cybercriminal actors. Notably, two IP addresses accounted for a significant portion of the attacks, with one responsible for deploying reverse shells and the other for launching XMRig cryptocurrency miners. These attacks targeted vulnerable instances, aiming to establish interactive access rather than simply stealing data.
Microsoft warns of macOS infostealer attacks
Microsoft has warned that information-stealing attacks are increasingly targeting macOS systems, expanding beyond Windows. These attacks leverage Python-based malware, utilizing social engineering techniques like malvertising to distribute fake disk image installers. Notable malware families involved include Atomic macOS Stealer, MacSync, and PXA Stealer, which can harvest sensitive data such as web browser credentials, iCloud Keychain information, and financial details. Attackers often initiate these campaigns through malicious advertisements, redirecting users to counterfeit sites that deploy the malware. Additionally, bad actors have been observed using popular messaging apps for malware distribution, further complicating the threat landscape.
New Vect ransomware variant targets organizations
Researchers have identified a new RaaS group called Vect, which has already targeted organizations in Brazil and South Africa. Launched in December 2025, Vect is actively recruiting affiliates and claims to use custom-built malware developed in C++, distinguishing itself from other groups that typically repurpose existing code. Its ransomware employs the ChaCha20-Poly1305 AEAD encryption algorithm, noted for its speed, and uses intermittent encryption to shorten the time needed to render files unusable. Despite its recent emergence, Vect exhibits significant operational maturity, advertising cross-platform capabilities for Windows, Linux, and VMware ESXi. The group operates with strong security measures, including the use of Monero for payments and the Tox protocol for secure communications, indicating that it may be run by experienced threat actors. Vect employs a double extortion model, with its victims listed on a public leak site, suggesting a strategic approach to maximize pressure on targets.
Top Vulnerabilities Reported in the Last 24 Hours
SolarWinds Web Help Desk vulnerability exploited
A critical RCE vulnerability in SolarWinds Web Help Desk, identified as CVE-2025-40551, is being actively exploited, prompting a warning from CISA. This vulnerability, which has a CVSS score of 9.8, allows unauthenticated attackers to gain admin-level access to help-desk systems through low-complexity attacks. CISA has included this vulnerability in its Known Exploited Vulnerabilities catalog, emphasizing its seriousness. Discovered by Jimi Sebree of Horizon3.ai, CVE-2025-40551 is one of four critical vulnerabilities fixed in a recent update. The remaining vulnerabilities include authentication bypass issues that could enable attackers to execute unauthorized actions within the system. The potential for chaining these vulnerabilities raises significant concerns about data theft and ransomware attacks.
Hackers exploit Metro vulnerability in React Native
Hackers are actively exploiting a critical vulnerability, CVE-2025-11953, in the Metro development server used by React Native, targeting developers to deliver malicious payloads on both Windows and Linux systems. This vulnerability allows unauthenticated attackers to execute arbitrary OS commands via POST requests on Windows, while on Linux and macOS it can lead to the execution of arbitrary executables with limited control. The flaw is linked to the /open-url HTTP endpoint, which accepts unsanitized user-supplied URL values. Following its public disclosure, multiple proof-of-concept exploits emerged, leading to the identification of a campaign dubbed Metro4Shell. The attacks have delivered Base64-encoded PowerShell payloads that disable endpoint protections and establish connections to attacker-controlled servers. Approximately 3,500 React Native Metro servers are exposed online.
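Because the flaw sits in a development-server endpoint that should only ever be reached from the developer's own machine, a simple triage rule is to flag any request to /open-url from a non-loopback client. The Python below is an added example, not code from the original brief or from the React Native project; the access-log lines are constructed, and the severity labels are an assumption of this example.

```python
import re
from ipaddress import ip_address

# Constructed access-log lines in combined-log style. The POST body, where
# Metro receives the "url" value, is not logged, so detection keys on the
# method, the path and whether the client is local to the dev machine.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2026:10:00:01 +0000] "GET /status HTTP/1.1" 200 12
127.0.0.1 - - [10/Jan/2026:10:00:05 +0000] "POST /open-url HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2026:10:02:11 +0000] "POST /open-url HTTP/1.1" 200 0
198.51.100.9 - - [10/Jan/2026:10:03:40 +0000] "GET /open-url HTTP/1.1" 404 0
::1 - - [10/Jan/2026:10:04:00 +0000] "POST /open-url HTTP/1.1" 200 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_local(ip_text):
    """True for loopback clients (IPv4 or IPv6), the only ones a dev server should see."""
    try:
        return ip_address(ip_text).is_loopback
    except ValueError:
        return False

def classify(line):
    """Return (severity, ip, path) for /open-url hits, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if path != "/open-url":
        return None
    ip, method = m.group("ip"), m.group("method")
    if method == "POST" and not is_local(ip):
        return ("high", ip, path)       # remote POST to the vulnerable endpoint
    if not is_local(ip):
        return ("medium", ip, path)     # remote probing of the endpoint
    return ("info", ip, path)           # local use, expected during development

def scan(log_text):
    """Collect findings for every parsable line in log_text."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for sev, ip, path in scan(SAMPLE_LOG):
        print(f"{sev:6} {ip:15} {path}")
```

Any "high" finding on a machine that only runs a local build is worth treating as an exposure of the dev server to the network, regardless of what the request body contained.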