Cyware Daily Threat Intelligence, February 18, 2025

Daily Threat Briefing • Feb 18, 2025
Earth Preta is stepping up its game. Trend Micro uncovered a new campaign in which attackers use the Microsoft Application Virtualization Injector to sneak malicious payloads past security software. The malware masquerades as an Electronic Arts application, deploying a backdoor to exfiltrate data.
Proofpoint identified FrigidStealer, a fresh macOS malware spread by TA2727, an unknown but sophisticated threat actor. The campaign tricks users into bypassing Gatekeeper protections, allowing FrigidStealer to quietly siphon browser data, Apple Notes, and cryptocurrency credentials. With attackers refining their approach to slip past Apple’s defenses, even a cautious click could prove costly.
Search results aren't what they seem. CloudSEK exposed a large-scale Search Engine Poisoning campaign targeting over 150 Indian government, educational, and financial websites. Attackers manipulate search rankings to redirect users to fraudulent rummy and investment scams. Mobile users are sent to scam pages, while desktop users see error messages.
Earth Preta exploits Microsoft utility tool
Trend Micro spotted a new Earth Preta campaign that uses a tool called Microsoft Application Virtualization Injector to inject malicious payloads into a program called waitfor.exe when ESET antivirus is detected. The attack drops multiple files, including both legitimate and malicious programs, and uses a fake PDF to mislead the victim. The malware, a modified version of a backdoor called TONESHELL, is disguised as a legitimate Electronic Arts application and connects to a command-and-control server to exfiltrate data.
Winnti targets Japanese firms
The China-linked threat actor known as Winnti started a new campaign called RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The latest attack chain exploited an SQL injection vulnerability in an ERP system to drop web shells and deliver an improved version of the Winnti malware. The intrusion was expanded to breach a managed service provider and propagate the malware further. The new Winnti malware has been updated with obfuscation, updated encryption algorithms, and evasion of security products.
FrigidStealer: new macOS info-stealer
Proofpoint discovered a new malware campaign that distributes a new Apple macOS malware called FrigidStealer. The campaign is attributed to a previously undocumented threat actor known as TA2727, which also distributes malware for other platforms such as Windows and Android. The campaign targets users based on their geography or device, serving different payloads accordingly. FrigidStealer is installed on macOS devices and requires users to explicitly launch the unsigned app to bypass Gatekeeper protections. It then steals sensitive information from web browsers, Apple Notes, and cryptocurrency-related apps.
Bugs in Xerox VersaLink printers
Security vulnerabilities in Xerox VersaLink C7025 Multifunction printers could let attackers capture authentication credentials through pass-back attacks using LDAP and SMB/FTP services. These attacks exploit a flaw that enables attackers to change the printer's settings, leading it to send credentials to them. This could allow attackers to access Windows Active Directory and compromise other servers and file systems. The vulnerabilities—CVE-2024-12510 and CVE-2024-12511—affect firmware versions 57.69.91 and earlier.
Two new OpenSSH flaws
Qualys reported two new vulnerabilities, CVE-2025-26465 and CVE-2025-26466, in OpenSSH. The first allows attackers to carry out man-in-the-middle (MITM) attacks against OpenSSH clients that have the VerifyHostKeyDNS option enabled. The attack requires no user interaction, posing significant risk to organizations that rely on SSH. The second enables a denial-of-service (DoS) attack that can exhaust system resources and lock out legitimate users. Affected OpenSSH versions range from 6.8p1 to 9.9p1 for CVE-2025-26465 and from 9.5p1 to 9.9p1 for CVE-2025-26466.
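A quick client-side audit for the MITM flaw, written as an added example (not code from the briefing or from Qualys): it parses an `ssh -V` banner and an ssh_config text and reports which Host scopes combine an affected version (6.8p1 to 9.9p1) with VerifyHostKeyDNS enabled. It assumes that both `yes` and `ask` count as enabled, since only `no` (the upstream default) turns the feature off.

```python
"""Audit an OpenSSH client for CVE-2025-26465 exposure (VerifyHostKeyDNS MITM).
Added example, not from the Cyware briefing or the Qualys advisory. Assumes
'yes' and 'ask' both count as enabled; only 'no' (upstream default) disables it.
"""
import re
AFFECTED_MIN = (6, 8, 1)   # OpenSSH 6.8p1, per the briefing
AFFECTED_MAX = (9, 9, 1)   # OpenSSH 9.9p1, per the briefing

def parse_openssh_version(banner: str):
    """'OpenSSH_9.9p1, OpenSSL 3.0.13 ...' -> (9, 9, 1); None if no version found."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def verify_host_key_dns_settings(config_text: str) -> dict:
    """Map each Host/Match scope to its VerifyHostKeyDNS value. Keywords are
    case-insensitive, separated from the value by spaces or '=', and the first
    value obtained for a scope wins (ssh_config semantics)."""
    scope = "*"            # directives before any Host/Match block apply globally
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(?i)^(\w+)\s*(?:=|\s)\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = value
        elif key == "verifyhostkeydns":
            settings.setdefault(scope, value.lower())
    return settings

def at_risk(banner: str, config_text: str) -> list:
    """Scopes exposed to CVE-2025-26465: affected version AND VerifyHostKeyDNS yes/ask."""
    ver = parse_openssh_version(banner)
    if ver is None or not (AFFECTED_MIN <= ver <= AFFECTED_MAX):
        return []
    return [scope for scope, value in verify_host_key_dns_settings(config_text).items()
            if value in ("yes", "ask")]

if __name__ == "__main__":
    import pathlib, subprocess
    banner = subprocess.run(["ssh", "-V"], capture_output=True, text=True).stderr  # ssh -V writes to stderr
    cfg_path = pathlib.Path.home() / ".ssh" / "config"   # /etc/ssh/ssh_config is not read here
    config = cfg_path.read_text() if cfg_path.exists() else ""
    print("scopes at risk:", at_risk(banner, config) or "none")
```

Run it on a host to list the scopes where upgrading past 9.9p1 or setting `VerifyHostKeyDNS no` would close the exposure; the system-wide ssh_config would need to be checked separately.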
SEO poisoning targeted Indian government websites
CloudSEK found a large-scale Search Engine Poisoning (SEP) campaign that targets Indian government, educational, and financial websites. The attack misleads users by manipulating search engine rankings, redirecting them to scam sites related to rummy and investments. More than 150 Indian government portals are impacted. The campaign combines several black-hat SEO tactics, such as manipulating referrer headers, cloaking, keyword stuffing, and exploiting system vulnerabilities. A notable tactic is redirecting users based on their device type, with malicious scripts embedded in the government sites deciding where each visitor is sent. Mobile users might be sent to rummy scam sites, while desktop users may receive error pages.
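One way a site owner can check for the cloaking and device-based redirects described above is a differential fetch: request the same URL under several visitor profiles and compare what comes back. The following is an added example (not code from CloudSEK or the briefing) that runs that comparison over constructed sample responses; the `ORIGIN` host, the profile names and the scam-term list are assumptions for illustration.

```python
"""Differential check for search-engine cloaking and device-based redirects.
Added example, not from the CloudSEK report or the briefing: the same URL is
fetched under several profiles (desktop or mobile User-Agent, with or without a
search-engine Referer) and the divergences the campaign relies on are flagged.
The SAMPLE responses below are constructed, not captured from any real site.
"""
import re
from urllib.parse import urlparse
SCAM_TERMS = ("rummy", "investment", "bonus")   # themes named in the briefing
# Constructed sample: profile -> (HTTP status, final URL after redirects, body)
ORIGIN = "https://portal.example.in/notice"     # constructed, not a real site
SAMPLE = {
    "desktop_direct": (200, ORIGIN,
        '<html><p>Official notice</p><script>if(/Android|iPhone/.test(navigator.userAgent))'
        '{location.href="https://win-rummy-bonus.example/land"}</script></html>'),
    "desktop_search_referer": (500, ORIGIN, "Internal Server Error"),
    "mobile_search_referer": (200, "https://win-rummy-bonus.example/land",
        "<html>play rummy online, rummy bonus, best rummy cash game</html>"),
}

def offsite_redirect(origin_url: str, final_url: str) -> bool:
    """True when the final host differs from the host the user asked for."""
    return urlparse(origin_url).hostname != urlparse(final_url).hostname

def device_sniffing_redirect(body: str) -> bool:
    """Inline script that reads navigator.userAgent and then rewrites location."""
    return bool(re.search(r"navigator\.userAgent[^;]{0,200}?location(\.href|\.replace|\s*=)", body))

def keyword_stuffing(body: str, terms=SCAM_TERMS, threshold: int = 3) -> dict:
    """Scam terms repeated at least `threshold` times in the body."""
    text = body.lower()
    return {t: text.count(t) for t in terms if text.count(t) >= threshold}

def analyze(origin_url: str, responses: dict) -> list:
    """Return human-readable findings for one URL across all fetch profiles."""
    findings = []
    statuses = {profile: r[0] for profile, r in responses.items()}
    if len(set(statuses.values())) > 1:          # cloaking: different answers per visitor
        findings.append(f"status differs by profile: {statuses}")
    for profile, (status, final_url, body) in responses.items():
        if offsite_redirect(origin_url, final_url):
            findings.append(f"{profile}: redirected off-site to {urlparse(final_url).hostname}")
        if device_sniffing_redirect(body):
            findings.append(f"{profile}: script redirects by user agent")
        stuffed = keyword_stuffing(body)
        if stuffed:
            findings.append(f"{profile}: keyword stuffing {stuffed}")
    return findings
```

In practice the `responses` dict is filled by fetching the URL once per profile with the corresponding User-Agent and Referer headers and recording the final URL after redirects.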