
Cyware Daily Threat Intelligence, February 17, 2025


Daily Threat Briefing Feb 17, 2025

XCSSET is back with a vengeance. Microsoft uncovered a new variant of the macOS-targeting malware, now with better obfuscation, stronger persistence, and stealthier infection methods. This version randomly generates payloads to dodge detection, injects itself into Xcode projects, and still goes after digital wallets, Notes app data, and system files.

SonicWall and Palo Alto Networks customers have an urgent patching assignment. SonicWall’s authentication bypass bug lets attackers sidestep security in SonicOS. Meanwhile, Palo Alto’s PAN-OS vulnerability allows unauthenticated access to management interfaces. While no major exploits have been reported, researchers have already spotted attempts. Patch now, before attackers make these vulnerabilities their next playground.

Russian hackers are getting creative with Microsoft 365 phishing. Since mid-January, three distinct groups have been impersonating high-profile officials, luring victims into fake Teams meetings and chatrooms. These attacks exploit Device Code Authentication, granting attackers stealthy access to compromised accounts.

Top Malware Reported in the Last 24 Hours

XCSSET malware resurfaces, targets macOS

Microsoft has found a new variant of the XCSSET malware, which targets macOS users. The new variant features better obfuscation techniques, updated persistence mechanisms, and new infection methods. It can still target digital wallets, collect data from the Notes app, and steal system information. This version generates its payloads more randomly, making detection harder, and uses new methods to inject itself into Xcode projects. Additionally, it has updated methods to ensure it survives restarts.

PirateFi drops Vidar info-stealer

A free-to-play game called PirateFi, available on Steam, has been spreading the Vidar info-stealer to users. It was listed on Steam from February 6 to 12 and was downloaded by around 1,500 users before being flagged for malware. Steam is warning those affected to reinstall Windows to be safe. Those who downloaded the game should change passwords and enable MFA for potentially compromised accounts. The malware was cleverly concealed in the game files, leading to concerns about user safety, despite Steam’s measures to prevent such threats.

New Golang-based backdoor uses Telegram

Netskope discovered a new Golang-based backdoor that uses Telegram for C2 communications. The malware, possibly of Russian origin, acts as a backdoor once executed and checks if it's running under a specific location. If not, it copies itself to that location and launches a new process. The malware uses an open-source library for Golang bindings for the Telegram Bot API, allowing it to interact with the Telegram Bot API to receive new commands. It currently supports three commands: executing commands via PowerShell, relaunching itself, and self-destructing. The output of these commands is sent back to the Telegram channel.

Top Vulnerabilities Reported in the Last 24 Hours

Google could leak YouTube email addresses

A security researcher named Brutecat discovered that Google could leak the email addresses of YouTube channels, despite Google's promise to protect privacy. Brutecat found two vulnerabilities in Google’s People API related to blocking YouTube users. This blocking relied on a “Gaia” ID, which is used by all Google products, meaning blocking on YouTube affects other services too. Google has fixed these vulnerabilities.

PAN-OS and SonicWall firewalls under attack

Palo Alto Networks and SonicWall customers are urged to patch their products due to active exploitation of vulnerabilities. SonicWall identified an authentication bypass bug, CVE-2024-53704, affecting SonicOS and warned that this issue, rated CVSS 8.2, allows attackers to bypass authentication. Additionally, Palo Alto Networks released a security update for CVE-2025-0108, which allows unauthenticated access to the PAN-OS management web interface but doesn't enable remote code execution. Despite no known malicious exploits, researchers observed multiple attempts to exploit this vulnerability.

Top Scams Reported in the Last 24 Hours

Device Code Authentication phishing

Starting in mid-January 2025, Volexity found that Russian threat actors were running social-engineering and spear-phishing campaigns aimed at Microsoft 365 accounts. These attackers impersonated various high-profile individuals, including those from the U.S. Department of State, Ukrainian Ministry of Defence, and the European Union Parliament. The messages prompted users to join a Microsoft Teams meeting, access applications as external M365 users, or join a secure chatroom. Each successful compromise was followed by a different method of accessing information from the account, but all of the campaigns relied on Device Code Authentication phishing. These attacks come from Russian threat actors, including CozyLarch, UTA0304, and UTA0307.
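Device code sign-ins are legitimate for headless devices but rare for ordinary users, so the briefing's point translates directly into a sign-in log check. The example below is added here and is not from the briefing or from Volexity; it assumes the field names of the Microsoft Entra sign-in log schema (`authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `countryOrRegion`) and runs over constructed sample records.

```python
"""Flag device-code-flow sign-ins in Entra ID sign-in records (added example).

Field names are assumed to follow the Entra sign-in log JSON schema; the
sample records below are constructed for illustration, not real log data.
"""

# Constructed sample records (assumed Entra sign-in log field names).
SIGNINS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10", "countryOrRegion": "US"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.11", "countryOrRegion": "US"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "198.51.100.7", "countryOrRegion": "NL"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.12", "countryOrRegion": "US"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.12", "countryOrRegion": "US"},
]


def baseline_countries(records):
    """Countries each user normally signs in from, built only from
    interactive (non-device-code) sign-ins so a phished session cannot
    poison its own baseline."""
    seen = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen.setdefault(r["userPrincipalName"], set()).add(r["countryOrRegion"])
    return seen


def flag_device_code_signins(records):
    """Return every device-code sign-in as a finding. Severity is 'high' when
    the user has no interactive sign-in from the same country (the pattern of
    a token redeemed from attacker infrastructure), otherwise 'medium'."""
    baseline = baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        usual = baseline.get(r["userPrincipalName"], set())
        severity = "high" if r["countryOrRegion"] not in usual else "medium"
        findings.append({"user": r["userPrincipalName"], "app": r["appDisplayName"],
                         "ip": r["ipAddress"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SIGNINS):
        print(f)
```

Where the device code flow is not needed at all, blocking it with a Conditional Access authentication-flows policy removes the exposure outright; the filter above is for tenants that must keep it enabled for some devices.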

Fake Adobe Drive X steals credentials

Cofense found a phishing scheme that uses a real Microsoft login page to deceive users into allowing access to a malicious Adobe Drive X app. This app redirects victims to a fake Microsoft login page that aims to steal their login details. The attack begins with a phishing email that looks like an Office 365 password reset request. It includes a link to a genuine Microsoft authentication page, making it seem trustworthy. When users enter their credentials, they are asked to allow permissions for the "Adobe Drive X" app, which requests access to their email and profile information.
