
Cyware Daily Threat Intelligence, March 12, 2025


Daily Threat Briefing Mar 12, 2025

Copy, paste, and lose everything - MassJacker turns a simple action into a costly mistake. The operation leverages 778,000 fraudulent wallet addresses to siphon digital assets from unsuspecting victims. It has targeted victims by replacing copied cryptocurrency wallet addresses with those controlled by attackers.

Exploited in the wild and patched just in time. Microsoft has released security updates fixing 57 vulnerabilities, including six zero-days actively exploited by attackers. The update also addresses 17 Edge browser vulnerabilities, reinforcing the critical need for immediate patching before these flaws can be leveraged for malicious purposes.

A botnet is turning home routers into attack platforms, and there’s still no fix in sight. The Ballista botnet is actively exploiting a remote code execution flaw in TP-Link Archer routers, allowing attackers to inject commands without authentication. With thousands of compromised devices and growing, the botnet uses Tor domains for stealth and has been traced back to an Italy-based threat actor.

Top Malware Reported in the Last 24 Hours

New Ballista botnet exploits unpatched flaw

The Ballista botnet is exploiting an unpatched vulnerability (CVE-2023-1389) in TP-Link Archer routers. This remote code execution flaw allows unauthenticated command injection because the locale API of the routers' web management interface does not sanitize its input. The Ballista botnet has been targeting over 6,000 Archer routers since early 2025, spreading automatically through this vulnerability. The botnet uses Tor domains for stealth and has been linked to an Italy-based threat actor. It installs a dropper that downloads and executes malware binaries on compromised devices, employing persistence, system exploration, and anti-detection techniques. The malware can execute remote shell commands and launch DoS/DDoS attacks, and it has affected various sectors in the U.S., Australia, China, and Mexico.
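The root cause described above is a classic command-injection shape: a request parameter reaches a shell without validation. The Python below is an added example for this briefing, not code from the page or from TP-Link's firmware. It contrasts a constructed unsafe handler with a hardened one; the `localedef` command, the locale allowlist and the `/tmp` path are assumptions chosen for illustration, and the unsafe builder only returns the string it would have handed to the shell so the defect can be inspected without executing anything.

```python
import re
import subprocess
from typing import List

# Constructed allowlist of locales a device UI might legitimately accept (assumption).
ALLOWED_LOCALES = {"en_US", "de_DE", "fr_FR", "es_ES", "zh_CN"}

# Strict shape: two-letter language, underscore, two-letter country. Nothing else passes.
LOCALE_RE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")

# Characters a POSIX shell treats as control syntax; useful for a request-log check.
SHELL_METACHARS = ";|&`$(){}<>\n"


def build_command_unsafe(locale: str) -> str:
    """Anti-pattern: the request value is interpolated straight into a shell string.

    Returns the string such a handler would pass to the shell (it is never run here),
    so the injected syntax can be observed safely.
    """
    return f"localedef -i {locale} -f UTF-8 /tmp/{locale}"


def build_command_safe(locale: str) -> List[str]:
    """Hardened form: validate the shape, check an allowlist, and build an argv list
    so no shell ever interprets the value."""
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError(f"malformed locale: {locale!r}")
    if locale not in ALLOWED_LOCALES:
        raise ValueError(f"locale not permitted: {locale!r}")
    return ["localedef", "-i", locale, "-f", "UTF-8", f"/tmp/{locale}"]


def contains_shell_metachar(value: str) -> bool:
    """Detection helper: does a logged parameter carry shell control characters?
    A cheap signal for flagging suspicious requests against management interfaces."""
    return any(ch in value for ch in SHELL_METACHARS)


def run_safe(locale: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without shell=True. Prefixed with `echo` so the
    demonstration runs on any host, even one without localedef installed."""
    argv = ["echo"] + build_command_safe(locale)
    return subprocess.run(argv, capture_output=True, text=True, check=True)


if __name__ == "__main__":
    # Constructed request values: one benign, one carrying shell syntax.
    for value in ("en_US", "en_US; id"):
        print("unsafe would run:", build_command_unsafe(value),
              "| metachars:", contains_shell_metachar(value))
        try:
            print("safe argv:", build_command_safe(value))
        except ValueError as exc:
            print("safe rejected:", exc)
```

The point of the hardened builder is that validation happens before any command is assembled and that the result is an argument list; even if a value slipped past the regex, it would arrive at the child process as a single literal argument rather than as shell syntax.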

New XCSSET malware variant emerges

Microsoft has discovered a new variant of XCSSET, a sophisticated modular malware that targets macOS. This variant, the first new one observed since 2022, has enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. It is known for infecting Xcode projects and propagates through project files, which developers commonly share with one another. The malware steals and exfiltrates files and system information, including digital wallet data and notes. The new variant is characterized by its modular approach, encoded payloads, improved error handling, and heavy use of scripting languages, UNIX commands, and legitimate binaries.

MassJacker: New clipboard hijacking operation 

A clipboard hijacking operation called MassJacker uses over 778,000 cryptocurrency wallet addresses to steal digital assets from compromised computers. The operation was discovered by CyberArk, which found that around 423 wallets linked to the operation held $95,300 at the time of analysis, with a single Solana wallet amassing over $300,000 in transactions. The malware is distributed via pesktop[.]com, a site that hosts pirated software and malware. The operation uses clipboard hijacking malware to replace copied cryptocurrency wallet addresses with ones controlled by the attackers, causing victims to unknowingly send funds to the attackers.
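A clipper's behaviour leaves a detectable trace: the clipboard holds an address the user copied, and shortly afterwards it holds a different address of the same shape although no new copy action occurred. The Python below is an added example, not code from the page or from CyberArk, showing that heuristic over a constructed timeline of clipboard observations. The address patterns are simplified shape checks (no checksum validation), the event format and the two-second window are assumptions, and the sample events are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified address shapes (assumption): enough to recognise common formats,
# not a substitute for checksum validation. Order matters: bitcoin is tested
# before the broad base58 solana pattern.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address shape `text` matches, or None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return chain
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since monitoring started (constructed timeline)
    content: str   # clipboard text at that moment
    source: str    # "user" = a copy action was observed; "poll" = periodic read-back


def detect_swaps(events: List[ClipboardEvent], max_gap: float = 2.0) -> List[Dict]:
    """Flag read-backs where the address the user last copied has been replaced by a
    different address of the same shape within `max_gap` seconds and without a new
    user copy action: the signature of a clipper such as MassJacker."""
    alerts = []
    last_user: Optional[ClipboardEvent] = None
    for ev in events:
        if ev.source == "user":
            last_user = ev          # a genuine copy resets the baseline
            continue
        if last_user is None:
            continue
        chain = classify_address(last_user.content)
        if chain is None:
            continue                # user copied something other than an address
        swapped = (ev.content != last_user.content
                   and classify_address(ev.content) == chain
                   and ev.ts - last_user.ts <= max_gap)
        if swapped:
            alerts.append({"ts": ev.ts, "chain": chain,
                           "copied": last_user.content, "observed": ev.content})
    return alerts


# Constructed sample timeline: one silent ETH swap, two benign sequences, and a
# late difference outside the window (treated as unrelated activity).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice #4471", "user"),
    ClipboardEvent(0.5, "invoice #4471", "poll"),
    ClipboardEvent(3.0, "0x" + "ab" * 20, "user"),   # user copies an ETH address
    ClipboardEvent(3.4, "0x" + "cd" * 20, "poll"),   # read back: different, same shape
    ClipboardEvent(9.0, "bc1q" + "x" * 38, "user"),  # user copies a BTC address
    ClipboardEvent(9.3, "bc1q" + "x" * 38, "poll"),  # unchanged: benign
    ClipboardEvent(15.0, "0x" + "ef" * 20, "user"),  # user copies a new ETH address
    ClipboardEvent(15.2, "0x" + "ef" * 20, "poll"),  # unchanged: benign
    ClipboardEvent(30.0, "0x" + "12" * 20, "poll"),  # differs, but 15 s later: ignored
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"t={alert['ts']}s {alert['chain']} swap: "
              f"{alert['copied']} -> {alert['observed']}")
```

In a real agent the `user` events would come from an input hook and the `poll` events from reading the clipboard on a timer; the heuristic then pairs naturally with a prompt that shows the user both values before a send, which is the control that actually stops the loss.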

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft fixes 57 bugs

Microsoft released security updates to address 57 vulnerabilities in its software, including six zero-days that have been actively exploited. Of these, six are rated critical, 50 are important, and one is low in severity. The six actively exploited vulnerabilities are CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, and CVE-2025-26633, which allow for privilege escalation, information disclosure, and code execution. The updates also address 17 vulnerabilities in Microsoft's Edge browser. CVE-2025-24983 is a use-after-free in the Win32k driver; it has been exploited in the wild via a backdoor named PipeMagic.

Industrial giants release patches

Siemens and Schneider Electric have released their March 2025 Patch Tuesday ICS security advisories, while CISA has published two advisories. Schneider Electric has issued three new advisories for vulnerabilities in EcoStruxure products, including a critical issue in Power Automation System User Interface and Microgrid Operation Large, a high-severity authentication bypass, and a medium-severity sensitive information disclosure issue. Siemens has published 11 new advisories, addressing several critical vulnerabilities in products such as the Sinamics S200 servo drive system, SiPass controller, Simatic, Industrial Edge for Machine Tools, Simit, and others. CISA's advisories describe vulnerabilities in Optigo Networks capture tools and a Schneider Electric Uni-Telway Driver vulnerability.

Apple patches WebKit 0-day

Apple has released a security update to address a zero-day vulnerability (CVE-2025-24201) that has been exploited in highly sophisticated attacks. The flaw, found in the WebKit web browser engine, could allow an attacker to craft malicious web content that can break out of the Web Content sandbox. Apple resolved the issue with improved checks and noted that it's a supplementary fix for an attack that was blocked in iOS 17.2. The update is available for iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1, and visionOS 2.3.2.
