Mac Malware ‘JSCoreRunner’ Abuses Online PDF Tool to Spread
Researchers at Mosyle have identified JSCoreRunner, a previously unknown Mac malware distributed through a fake PDF conversion service. At the time of discovery it had zero detections on VirusTotal, meaning no engine yet recognised it and signature-based defenses offered no protection. The finding aligns with an FBI warning issued on March 7th that cautioned users about malware spread through free file conversion services, a reminder that attackers exploit everyday tools to get their code installed.

The infection is staged in two packages. The first-stage installer, FileRipple[.]pkg, presents a realistic PDF preview interface to mask what it does while it quietly stages the second stage. That second package, Safari14[.]1[.]2MojaveAuto[.]pkg, is unsigned and is never submitted to Gatekeeper's signature validation, so it runs without triggering an alert. The two-stage design provides persistence and stealth and exposes a gap in macOS protections: Apple has revoked the developer certificate used to sign the first package, but the unsigned second stage remains usable, showing that certificate revocation alone does not break the infection chain.

Once running, JSCoreRunner hijacks Chrome profiles. It walks the Chrome profile directories under ~/Library/Application Support (on macOS Chrome keeps per-profile settings in ~/Library/Application Support/Google/Chrome/) and overwrites the default search provider, new-tab configuration, and profile display names. Searches are then silently routed through attacker-controlled pages, which can serve phishing content, log keystrokes, and steal cookies. To stay hidden, the malware suppresses crash reporting, disables Chrome's session-restore prompt, and strips the com.apple.quarantine attribute from the applications it installs, so Gatekeeper never inspects them. Obfuscated JavaScript payloads coordinate execution, and the command-and-control servers verify each infection before enabling the browser-manipulation features. Analysts note that this campaign reflects a broader evolution in Mac-targeted threats, with attackers abusing routine online tools to trick users into installing malware themselves.
The end goal appears to be data theft and surveillance, signaling a shift toward more aggressive operations against Apple environments, once considered lower-priority targets. Effective defenses include verifying installer signatures and hashes against the vendor's published values (pkgutil --check-signature and spctl --assess --type install both run against a downloaded .pkg), restricting third-party utilities, monitoring endpoints for changes to Chrome's Preferences files and for removal of quarantine attributes, and educating users about the risks of free online conversion tools.
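To check a Mac for the Chrome profile rewrites described above, the following Python script, an added example that is not part of Mosyle's report or tooling, walks the Chrome profile directories and flags search-provider, homepage and start-up URLs that point outside an allowlist. The allowlist (Google only), the profile root path and the sample Preferences dictionary are assumptions constructed for the demonstration; pass a real Chrome root to audit a host.

```python
"""Audit Chrome 'Preferences' files for hijacked search, homepage and
start-up settings. Added example for this write-up; it is not Mosyle's
tooling and the sample preferences below are constructed."""
import json
import sys
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the fleet sanctions only Google as search provider/homepage.
# Extend this set for other approved engines or intranet start pages.
ALLOWED_HOSTS = {"www.google.com", "google.com"}

# On macOS Chrome keeps one directory per profile ("Default", "Profile 1", ...)
# under this root; each holds a JSON file named "Preferences".
CHROME_ROOT = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"


def _host(url: str) -> str:
    return urlparse(url).netloc.lower()


def audit_chrome_prefs(prefs: dict) -> list:
    """Return (setting path, value) pairs whose URL points outside ALLOWED_HOSTS."""
    findings = []
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url"):
        value = tmpl.get(key, "")
        if value and _host(value) not in ALLOWED_HOSTS:
            findings.append((f"default_search_provider_data.template_url_data.{key}", value))
    # Heuristic: a hijacked provider keeps the familiar label ("Google") while the
    # query URL points elsewhere, so flag a label that does not appear in the host.
    label = tmpl.get("short_name", "")
    if label and tmpl.get("url") and label.lower().replace(" ", "") not in _host(tmpl["url"]):
        findings.append(("default_search_provider_data.template_url_data.short_name",
                         f"{label} -> {_host(tmpl['url'])}"))
    homepage = prefs.get("homepage", "")
    if homepage and _host(homepage) not in ALLOWED_HOSTS:
        findings.append(("homepage", homepage))
    session = prefs.get("session", {})
    # restore_on_startup == 4 means "open a specific set of pages" (startup_urls).
    if session.get("restore_on_startup") == 4:
        for i, url in enumerate(session.get("startup_urls", [])):
            if _host(url) not in ALLOWED_HOSTS:
                findings.append((f"session.startup_urls[{i}]", url))
    return findings


def audit_profile_dir(chrome_root: Path = CHROME_ROOT) -> dict:
    """Walk every profile directory under the Chrome root and audit its Preferences."""
    report = {}
    for prefs_file in chrome_root.glob("*/Preferences"):
        with prefs_file.open(encoding="utf-8") as fh:
            report[prefs_file.parent.name] = audit_chrome_prefs(json.load(fh))
    return report


# Constructed sample: a profile after the kind of rewrite described above.
SAMPLE_PREFS = {
    "profile": {"name": "Person 1"},
    "homepage": "https://www.google.com/",
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Google",
        "keyword": "google.com",
        "url": "https://search.example-redirect.invalid/q={searchTerms}",
        "suggestions_url": "https://www.google.com/complete/search?q={searchTerms}",
    }},
    "session": {"restore_on_startup": 4,
                "startup_urls": ["https://start.example-redirect.invalid/"]},
}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = audit_profile_dir(target) if target else {"sample": audit_chrome_prefs(SAMPLE_PREFS)}
    for profile, findings in results.items():
        print(f"{profile}: {'TAMPERED' if findings else 'ok'}")
        for setting, value in findings:
            print(f"  {setting} = {value}")
```

Run it with no argument to audit the built-in sample, or pass a Chrome root directory to audit a real host. Each finding names the exact JSON path, so the value can be diffed against a known-good profile or reset through managed policy.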
Threat Actors Leverage Facebook Ads to Push Advanced Android Banking Trojan
Bitdefender researchers have uncovered a global malware campaign in which attackers abuse Facebook Ads to spread a sophisticated Android banking trojan disguised as a free version of TradingView Premium. Since late July 2025, dozens of malicious ads have been shown to tens of thousands of users across the EU, drawing clicks by imitating TradingView's official branding and familiar visuals to build trust. Users who install the fake app get a dropper that immediately requests broad permissions through deceptive update prompts, including accessibility access, which on Android lets an app read the screen and inject input and therefore amounts to full control of the device. Once those permissions are granted, the dropper deletes itself to hide its role and unpacks a heavily obfuscated payload from the Brokewell family.

The malware steals financial data, intercepts two-factor authentication codes, overlays fake login screens on legitimate apps, hijacks SMS messages, and exfiltrates sensitive information; operators can also remotely activate the microphone, camera, and location tracking for surveillance. Its architecture emphasizes stealth and persistence: native libraries decrypt and execute hidden modules at runtime, and configuration files dictate which legitimate applications are targeted for overlays. The command set includes clipboard scraping, screen recording, cookie theft, keystroke logging, and toggling device settings to weaken security controls. Communications with the operators run over encrypted channels for resilient C2, letting attackers remotely issue instructions for credential harvesting, financial theft, and long-term espionage. This mobile campaign extends an earlier wave that targeted desktop users with trading- and cryptocurrency-themed malvertising, but now makes smartphones the primary entry point.
With mobile banking, payments, and cryptocurrency apps embedded in daily life, these operations underscore how mobile devices have shifted from secondary to primary targets for advanced malware. To reduce risk, users should install apps only from trusted stores, review permission requests carefully (an accessibility-service request from a charting app is a red flag), and rely on mobile security software that blocks trojanized apps before they run.
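The dropper behaviour described above (an accessibility service plus the ability to side-load a second stage, SMS access and overlays) is visible in an APK's manifest before anything runs. The Python below is an added example, not Bitdefender's tooling, that triages a decoded AndroidManifest.xml for that permission pattern. It assumes the manifest has already been converted from binary XML to text (for example with apktool); the sample manifest, its package name and the risk labels are constructed for the demonstration.

```python
"""Static triage of an AndroidManifest.xml for the permission pattern a
banking dropper relies on. Added example, not the researchers' tooling; the
sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"

# Permissions that, combined with an accessibility service, give the
# capabilities described in the write-up (side-loading, overlays, OTP theft,
# microphone/camera/location surveillance). Labels are our own wording.
HIGH_RISK = {
    INSTALL_PACKAGES: "can side-load a second-stage APK",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time codes",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.RECORD_AUDIO": "can activate the microphone",
    "android.permission.CAMERA": "can activate the camera",
    "android.permission.ACCESS_FINE_LOCATION": "can track location",
}
BANKER_CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def triage_manifest(xml_text: str) -> dict:
    """Classify a decoded manifest by the permissions and services it declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # once the user enables it, the app can read the screen and inject input.
    has_accessibility = any(s.get(A_PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service"))
    hits = {p: HIGH_RISK[p] for p in sorted(perms & set(HIGH_RISK))}
    if has_accessibility and INSTALL_PACKAGES in perms:
        verdict = "dropper-like"       # accessibility + install: the dropper pattern above
    elif has_accessibility and perms & BANKER_CAPABILITIES:
        verdict = "banker-like"        # accessibility + overlays/SMS: the payload pattern
    elif hits:
        verdict = "review"
    else:
        verdict = "low-risk"
    return {
        "package": root.get("package"),
        "accessibility_service": has_accessibility,
        "high_risk": hits,
        "verdict": verdict,
    }


# Constructed sample manifest for a dropper-style app (not a real package).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Premium Charts">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(f"{result['package']}: {result['verdict']}")
    for perm, why in result["high_risk"].items():
        print(f"  {perm}: {why}")
```

The verdict thresholds are deliberately simple: many legitimate apps request one of these permissions, but a charting or trading app that declares an accessibility service together with REQUEST_INSTALL_PACKAGES has no benign reason to, which is why that pairing is scored highest.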
Update: Threat Actors Exploit Microsoft Teams to Deploy PowerShell-Based Remote Access Malware
Security researchers have uncovered an ongoing campaign in which attackers weaponize Microsoft Teams, a trusted collaboration platform, to deliver PowerShell-based malware and gain remote access to enterprise systems. Using newly registered or hijacked Teams tenants, adversaries pose as IT support: accounts are labeled "IT SUPPORT" or "Help Desk", dressed up with checkmarks, or given generic prefixes such as "admin" or "supportbotit" to look legitimate. Once contact is made, the attackers use voice or chat sessions to persuade employees to install legitimate remote-assistance tools such as Quick Assist or AnyDesk, sidestepping email-based defenses entirely. With a foothold on the endpoint, they run multi-stage PowerShell scripts that establish persistence, harvest credentials, perform reconnaissance, and execute remote commands. This is a shift from earlier ransomware-linked campaigns, which opened with phishing emails before moving to Teams; recent incidents skip email and use Teams as the initial entry point.

A detailed analysis shows the malware is engineered for stealth and resilience. The script carries hard-coded AES keys and IVs that let defenders attribute the activity to the EncryptHub group, also tracked as Water Gamayun and LARVA-208. It enforces single-instance execution with a mutex and loads C# code into memory that calls RtlSetProcessIsCritical in ntdll[.]dll, so that terminating the process crashes the system. The malware collects host data, including the hardware UUID, operating-system version, and public IP address, then encrypts and exfiltrates it; it also invokes native Windows credential prompts to capture user logins, which it stashes locally in hidden files.
Persistence comes from scheduled tasks disguised as "Google LLC Updater" and from registry Run keys, each of which pulls a backup script so that access survives removal of the initial payload. Command-and-control traffic is AES-encrypted and falls back across multiple domains for reliability. To defend against these threats, organizations should restrict external access in Teams with tenant allow/block lists, monitor for suspicious external accounts, alert on PowerShell processes that mark themselves critical and on scheduled tasks or Run keys that impersonate vendor updaters, and train users to treat unsolicited Teams chats or calls requesting software installation as high-risk.
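The persistence described above leaves a recognisable shape on disk: a vendor-sounding task or Run-key name whose action is a hidden, encoded or download-and-evaluate PowerShell one-liner rather than a vendor binary. The Python below is an added example, not the researchers' tooling, that applies that logic to the output of schtasks /query /fo CSV /v and of reg query on a Run key. The sample rows are constructed (the CSV is trimmed to the columns used, the encoded command decodes to the literal string IEX, and the paths and names are made up), and the vendor words, trusted directories and flag patterns are heuristics to tune for your estate.

```python
"""Triage Windows scheduled tasks and Run-key entries for the persistence
pattern above: a vendor-sounding name whose action is a hidden or encoded
PowerShell one-liner. Added example; not the researchers' tooling. The
samples are constructed, not real telemetry."""
import base64
import csv
import io
import re

VENDOR_WORDS = ("google", "microsoft", "adobe", "windows")
# Prefixes (lower-cased) under which a genuine vendor updater normally lives.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows", "%windir%", "%programfiles%", "%systemroot%")
PS_EXE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
PS_FLAGS = re.compile(r"(?i)\s-(?:enc(?:odedcommand)?|e|w(?:indowstyle)?\s+hidden|nop(?:rofile)?"
                      r"|ep\s+bypass|executionpolicy\s+bypass)\b")
ENCODED = re.compile(r"(?i)-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)")
REMOTE_EVAL = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr"
                         r"|start-bitstransfer)\b|https?://")
REG_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")


def decode_encoded_command(command: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return it decoded, or ''."""
    m = ENCODED.search(command)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def triage_task(name: str, command: str, author: str = "") -> list:
    """Return the reasons an entry looks like the persistence above ([] if clean)."""
    reasons = []
    if PS_EXE.search(command) and PS_FLAGS.search(command):
        reasons.append("powershell launched hidden/encoded/without profile")
    # Scan the decoded -enc payload too, so encoding does not hide the download/eval.
    if REMOTE_EVAL.search(command + " " + decode_encoded_command(command)):
        reasons.append("command evaluates downloaded or staged script content")
    vendor = next((v for v in VENDOR_WORDS if v in name.lower()), None)
    if vendor:
        exe = command.lstrip('"').lower()
        if not exe.startswith(TRUSTED_PREFIXES):
            reasons.append(f"name mimics {vendor} but action runs outside vendor/system directories")
        if author and vendor not in author.lower():
            reasons.append(f"name mimics {vendor} but author is {author}")
    return reasons


def triage_schtasks_csv(text: str) -> list:
    """Parse schtasks /query /fo CSV /v output and return (TaskName, reasons) for hits."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_task(row["TaskName"], row["Task To Run"], row.get("Author", ""))
        if reasons:
            flagged.append((row["TaskName"], reasons))
    return flagged


def triage_run_keys(reg_text: str) -> list:
    """Parse reg query output for a Run key and return (ValueName, reasons) for hits."""
    flagged = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)
        if m:
            reasons = triage_task(m.group(1), m.group(3))
            if reasons:
                flagged.append((m.group(1), reasons))
    return flagged


# Constructed samples (trimmed columns; "SQBFAFgA" is UTF-16LE "IEX" in base64).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Ready","Microsoft Corporation","%windir%\system32\sc.exe start wuauserv","SYSTEM"
"WS01","\Google LLC Updater","Ready","WS01\jdoe","powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA","WS01\jdoe"
"WS01","\GoogleUpdateTaskMachineUA","Ready","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
'''
SAMPLE_RUN_KEYS = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Google LLC Updater    REG_SZ    powershell.exe -w hidden -nop -c "IEX (Get-Content $env:APPDATA\Backup\b.ps1 -Raw)"
'''

if __name__ == "__main__":
    for source, hits in (("schtasks", triage_schtasks_csv(SAMPLE_SCHTASKS_CSV)),
                         ("HKCU Run", triage_run_keys(SAMPLE_RUN_KEYS))):
        for name, reasons in hits:
            print(f"[{source}] {name}")
            for reason in reasons:
                print("   -", reason)
```

Only the two impersonating entries are reported; the genuine Windows Update and Google Update tasks pass because their actions live under system or vendor directories and their authors match the vendor named in the task. Decoding -EncodedCommand before matching matters because the encoded form would otherwise hide the IEX that pulls the backup script.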
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.