TRENDING TOPICS SEPT 12, 2025

Apple Issues Spyware Threat Notifications Across 150+ Countries

A new wave of mercenary spyware attacks on high-profile individuals has triggered another round of Apple threat notifications. France's national CERT (CERT-FR) reports at least four rounds of notifications in 2025, sent on March 5, April 29, June 25 and September 3, each warning recipients that devices signed in to their Apple Account had been individually targeted by highly sophisticated intrusion attempts. According to CERT-FR, most of the attacks relied on zero-day vulnerabilities or zero-click exploits that need no user interaction, allowing silent compromise of iPhones and other Apple devices. Victims include journalists, activists, politicians, senior officials, lawyers and executives in strategic industries, reflecting both the geopolitical and the commercial motivations of mercenary spyware vendors. Apple delivers threat notifications by email and iMessage to the addresses and phone numbers on the Apple Account and also displays them at the top of account.apple.com when the user signs in; a genuine notification never asks the recipient to open a link, install software or enter a password, which is the quickest way to tell it apart from phishing that imitates it. CERT-FR linked the latest round of warnings to Apple's emergency updates for CVE-2025-43300, an out-of-bounds write in ImageIO, which was chained with CVE-2025-55177, a WhatsApp flaw in the authorization of linked-device synchronization messages, in a zero-click attack that Apple described as "extremely sophisticated". WhatsApp advised notified users to perform a full factory reset of the device, while Apple recommends patching immediately, enabling Lockdown Mode on devices belonging to likely targets, and contacting Access Now's Digital Security Helpline for rapid-response support. Apple does not attribute these campaigns to specific actors or countries, but the scale and precision are characteristic of mercenary-grade espionage. For enterprises the takeaway is continuous patching, closer monitoring of high-risk accounts and executives' devices, and defense-in-depth against nation-state and mercenary spyware operators.

VMScape Attack Exposes Guest-to-Host Data Leakage on AMD and Intel CPUs

Researchers at ETH Zurich have disclosed VMScape (CVE-2025-40300), a speculative execution side channel that breaks guest-to-host isolation in virtualized environments. The root cause is that branch predictor state is not fully isolated between a guest VM and the host: a malicious guest can train the indirect branch predictor so that a host user-space process, QEMU in the demonstrated attack, mispredicts its own indirect branches. This is Spectre-BTI style branch target injection across the virtualization boundary: the guest steers QEMU into speculatively executing a disclosure gadget, the gadget leaves traces of QEMU's memory contents in the shared cache, and the guest reads them back through a cache timing channel. In the researchers' experiments VMScape leaked arbitrary QEMU memory at 32 bytes per second with 98.7% accuracy and recovered a 4 KB disk encryption key from QEMU's memory in under 13 minutes. The attack works against an unmodified QEMU with the default hardware mitigations in place, and affects AMD Zen 1 through Zen 5 and Intel Coffee Lake; the newer Intel Raptor Cove and Gracemont cores appear unaffected. For cloud providers the implication is that a tenant who rents an ordinary VM could target secrets held by the hypervisor process or, through it, by co-resident workloads. The attack's complexity and the sustained execution time it needs limit casual abuse, but it is another reminder that hardware-assisted isolation in multi-tenant systems is only as strong as the microarchitectural state it fails to partition. ETH Zurich reported the issue to AMD and Intel on June 7; AMD published a bulletin on September 11, and Linux kernel developers merged a mitigation that issues an Indirect Branch Prediction Barrier (IBPB) after a VMEXIT, before the kernel returns to host user space, so predictor state trained by the guest is flushed before QEMU runs, at a small performance cost. The barrier depends on the CPU exposing IBPB, so hosts need current microcode as well as the kernel update. Organizations running virtualized infrastructure should apply the latest kernel and vendor updates, watch hypervisor and firmware advisories, and keep sensitive tenants off shared hosts where the risk justifies it.
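To check a hypervisor host for the kernel mitigation just described, here is an added example in POSIX shell. It is not code from the ETH Zurich paper or from any vendor advisory. It assumes that the kernel reports VMScape status under /sys/devices/system/cpu/vulnerabilities/ in an entry named vmscape, using the same "Not affected" / "Mitigation: ..." / "Vulnerable" prefixes as the neighbouring entries, and that a host whose kernel predates the mitigation simply lacks the file. The sample status strings and CPU flag lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Linux host's VMScape mitigation state.
# Assumption: the sysfs entry is named "vmscape" and its text follows the
# conventions of the other speculation-bug entries in the same directory.

VULN_FILE=/sys/devices/system/cpu/vulnerabilities/vmscape

# Print the raw status line, or a synthetic "Unknown" line when the kernel
# has no VMScape mitigation code at all (the file does not exist).
read_vmscape_status() {
  if [ -r "$VULN_FILE" ]; then
    cat "$VULN_FILE"
  else
    echo "Unknown: no $VULN_FILE (kernel has no VMScape mitigation code)"
  fi
}

# Map a status line to one of: ok, vulnerable, unknown.
# Matches on prefixes only, e.g. "Mitigation: IBPB before exit to userspace".
classify_vmscape() {
  case "$1" in
    "Not affected"*) echo ok ;;
    "Mitigation:"*)  echo ok ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Whether a /proc/cpuinfo-style flags line advertises IBPB. The kernel cannot
# apply the barrier on a CPU (or microcode level) that does not expose it.
cpu_has_ibpb() {
  case " $1 " in
    *" ibpb "*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Combine kernel status and CPU capability into one verdict line for inventory.
host_verdict() {
  status=$1
  flags=$2
  k=$(classify_vmscape "$status")
  if [ "$k" = ok ]; then
    echo "$k"
    return 0
  fi
  if cpu_has_ibpb "$flags"; then
    echo "$k: update kernel, CPU supports IBPB"
  else
    echo "$k: update kernel and microcode, no IBPB flag"
  fi
}

# Live report for the machine the script runs on.
report_host() {
  status=$(read_vmscape_status)
  flags=$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo 2>/dev/null || true)
  echo "status : $status"
  echo "verdict: $(host_verdict "$status" "$flags")"
}

# Usage: sh vmscape_check.sh report
if [ "${1:-}" = report ]; then
  report_host
fi
```

The classification deliberately treats any "Mitigation:" line as acceptable rather than pinning the exact wording, because distributions backport the patch with slightly different descriptions; what matters operationally is the three-way split between mitigated, vulnerable, and a kernel too old to know.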

Malvertising Campaign Exploits GitHub Repositories to Deliver Backdoors

Security researchers have identified a malvertising campaign that abuses GitHub's own infrastructure by planting "dangling commits" in legitimate repositories to distribute counterfeit GitHub Desktop installers. A dangling commit is one that no branch or tag references, so it never appears in the repository's history or file browser, yet GitHub still serves it by hash at a github.com URL under the legitimate project's name. Users who arrive from a malicious ad or a doctored project page download what looks like the official GitHubDesktopSetup-x64[.]exe but is in fact a dropper. The dropper launches a Windows Script Host script, which runs obfuscated PowerShell to load a malicious DLL. Once resident, the payload keeps in contact with attacker-controlled C2 servers, giving the operators remote code execution, credential harvesting, data exfiltration and a foothold for lateral movement inside enterprise networks. Researchers highlighted process masquerading, scheduled-task persistence and script-level obfuscation as the techniques used to stay below antivirus and EDR visibility. What makes the campaign notable is the dangling-commit trick: the attackers use it to host README files or release notes carrying malicious download links under a trusted repository URL, which sidesteps routine repository monitoring (which watches branches, not unreachable objects) and trades on developer trust in the github.com domain. The end goal appears to be a modular backdoor capable of installing additional malware, including cryptominers or espionage tooling. Mitigation comes down to source validation: download GitHub Desktop only from GitHub's official download page, verify the installer's code signature and published checksum before running it, and treat a github.com link whose path contains a bare commit hash rather than a branch or release tag as suspect. Maintainers should enforce branch protections and review repository metadata for unauthorized changes, bearing in mind that commits served under their repository URL are not necessarily ones they can see in their branches or delete themselves. Organizations should also deploy behavioral EDR rules that flag anomalous PowerShell and script-host activity spawned by an installer, and GitHub has been notified so that it can improve visibility into dangling-commit abuse.
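The dangling-commit mechanism is easy to reproduce locally. The shell script below is an added example, not code from the researchers or from GitHub: it builds a throwaway repository, commits a README that injects a counterfeit download link, moves the branch back so that commit is no longer referenced, then shows that `git log` no longer lists it while `git fsck` still reports it and `git show <hash>:README.md` still returns the link. The hostnames, commit messages and author identity are constructed for the demo; on GitHub the equivalent retrieval is the commit URL under the legitimate repository, which an offline script cannot reproduce.

```shell
#!/bin/sh
# Added example: reproduce a "dangling commit" and show it is still retrievable.
# All names, hostnames and paths below are made up for the demonstration.

# Print the hashes of commits that no branch or tag points to. Reflogs are
# ignored on purpose: a server serving objects by hash does not consult them.
list_dangling_commits() {
  git -C "$1" fsck --no-reflogs --dangling 2>/dev/null |
    awk '$1 == "dangling" && $2 == "commit" { print $3 }'
}

# Build a throwaway repo with one clean commit and one commit that injects a
# counterfeit installer link, then move the branch back so the second dangles.
# Prints "found" when the injected commit is gone from the branch history,
# reported as dangling, and still served by hash; "skipped" if git is absent.
demo_dangling() {
  command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
  repo=$(mktemp -d)
  git -C "$repo" init -q 2>/dev/null
  git -C "$repo" config user.email analyst@example.invalid
  git -C "$repo" config user.name analyst
  git -C "$repo" config commit.gpgsign false

  printf 'Official downloads: https://desktop.github.com\n' > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -qm 'clean README'
  good=$(git -C "$repo" rev-parse HEAD)

  printf 'Download: https://cdn.example.invalid/GitHubDesktopSetup-x64.exe\n' > "$repo/README.md"
  git -C "$repo" commit -qam 'inject counterfeit installer link'
  bad=$(git -C "$repo" rev-parse HEAD)

  # Point the branch back at the clean commit. reset also records the old tip
  # in ORIG_HEAD; drop it so only the reflog remembers the injected commit.
  git -C "$repo" reset -q --hard "$good"
  rm -f "$repo/.git/ORIG_HEAD"

  result=found
  # 1) the injected commit is absent from the branch history ...
  if git -C "$repo" log --format=%H | grep -q "$bad"; then
    result=still-in-log
  fi
  # 2) ... but fsck still knows it as a dangling commit ...
  if ! list_dangling_commits "$repo" | grep -q "$bad"; then
    result=not-dangling
  fi
  # 3) ... and its README, link included, is still served by hash.
  if ! git -C "$repo" show "$bad:README.md" 2>/dev/null | grep -q 'GitHubDesktopSetup-x64.exe'; then
    result=not-retrievable
  fi

  rm -rf "$repo"
  echo "$result"
}

# Usage: sh dangling_demo.sh run
if [ "${1:-}" = run ]; then
  demo_dangling
fi
```

The same `list_dangling_commits` check is a reasonable thing to run against a local mirror of a repository you maintain, but note its limit: it only sees objects present in that clone. Commits pushed to a fork can be served under the upstream repository's URL without ever existing in the maintainer's own clone, which is why branch protections and local audits do not fully cover this abuse.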

Top CVEs of the Week

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE Security Vulnerability Dashboard
CVE-2025-48539 | Severity: High | Android Operating System | Use-after-free
A use-after-free in SendPacketToPeer (acl_arbiter.cc, Android's Bluetooth stack) leads to an out-of-bounds read that an attacker within radio range (proximal/adjacent) could turn into code execution with no user interaction and no additional privileges.
Mitigation: Update devices to the September 2025 Android security patch level and enforce that patch level through MDM compliance policy; for devices that cannot yet be updated, disabling Bluetooth removes the attack surface. ASLR and control-flow integrity are already part of the platform and raise the cost of exploitation, but they are not a substitute for the patch.

CVE-2025-49704 | Severity: High | Microsoft SharePoint | Remote code execution
Improper control of code generation (code injection) in on-premises SharePoint Server lets an authenticated attacker inject and execute arbitrary code over the network, putting the documents and workflows hosted on the server at risk.
Mitigation: Apply Microsoft's security update immediately; on servers that were reachable before patching, follow Microsoft's additional guidance for on-premises SharePoint (enable AMSI integration with Defender Antivirus and rotate the ASP.NET machine keys). Restrict SharePoint permissions to trusted, verified accounts and review user permissions and access logs for signs of abuse.

CVE-2025-10046 | Severity: Medium | ELEX WooCommerce Google Shopping plugin | SQL injection
Versions up to and including 1.4.3 fail to sanitize the file_to_delete parameter, letting an authenticated attacker with Administrator-level access manipulate a query and extract sensitive data from the WordPress database. Because the prerequisite is an administrator account, the practical risk is the extra reach it gives an attacker who has already phished or brute-forced such an account.
Mitigation: Upgrade to the patched plugin release; a web application firewall can block common injection patterns as a stopgap but does not fix the query. Enforce least privilege and multi-factor authentication on administrator accounts.
Dashboard summary: 3 CVEs total | 2 High severity | 3 code execution risks | 100% with patches available
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.