Multi-layered Cyber Threats: From a New Stealer to an International Hacker Group

We have compiled the most significant cybersecurity news from the past week.

On September 11, experts at the cybersecurity firm Mosyle uncovered a new piece of malware that evades antivirus software and steals cryptocurrency wallet data on Windows, Linux, and macOS, Decrypt reported.

The malicious software named ModStealer was distributed through fake job ads for developers. Mosyle’s specialists noted that the scammers targeted IT professionals since they were likely to already have the environment set up for the stealer’s operation.

Shan Zhang, the Chief Information Security Officer at SlowMist, pointed out the distinctive features of ModStealer, highlighting its serious threat to the broader ecosystem of digital assets:

“Unlike traditional stealers, ModStealer is notable for its multi-platform support and covert execution chain operating in ‘zero detection’ mode.”

Upon execution, the malware scans browser extensions of cryptocurrency wallets, system credentials, and digital certificates, then transmits the harvested information to the perpetrators’ remote servers. On macOS it installs itself to start at every boot, disguised as a background helper program. Signs of infection include a hidden file named .sysupdater.dat and a connection to a suspicious server.

The primary objective of ModStealer is data theft, particularly targeting cryptocurrency wallets, credentials files, and configurations.
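The report names one host-based indicator (the hidden file .sysupdater.dat) and a boot-time persistence mechanism without saying where it lives. The following sweep is an added example, not code from Mosyle or Decrypt: it walks a user home directory for the indicator file and for launch agent property lists that reference it. The assumption that persistence is a per-user LaunchAgent under ~/Library/LaunchAgents is mine, not the report's; the demo home directory and its contents are constructed.

```python
"""Host triage for the ModStealer indicator named in the report (added example)."""
import os
import tempfile
from typing import List

INDICATOR_FILE = ".sysupdater.dat"   # hidden file named in the report
INDICATOR_TOKEN = "sysupdater"        # substring searched for in LaunchAgent plists (assumption)
LAUNCH_AGENTS_DIR = "LaunchAgents"    # ~/Library/LaunchAgents is assumed as the persistence location


def sweep(home: str) -> List[str]:
    """Return sorted findings for one home directory; symlinks are not followed."""
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(home):
        in_launch_agents = os.path.basename(dirpath) == LAUNCH_AGENTS_DIR
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == INDICATOR_FILE:
                hits.append(f"indicator file: {full}")
            elif in_launch_agents and name.endswith(".plist"):
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        if INDICATOR_TOKEN in fh.read():
                            hits.append(f"launch agent referencing indicator: {full}")
                except OSError:
                    # Unreadable plist: skip rather than abort the sweep
                    continue
    return sorted(hits)


def _demo_home() -> str:
    """Constructed sample home directory: one indicator file, one matching plist, one clean plist."""
    home = tempfile.mkdtemp()
    agents = os.path.join(home, "Library", LAUNCH_AGENTS_DIR)
    os.makedirs(agents)
    with open(os.path.join(home, INDICATOR_FILE), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder\n")
    with open(os.path.join(agents, "com.example.helper.plist"), "w", encoding="utf-8") as fh:
        fh.write("<plist><dict><key>ProgramArguments</key><array>"
                 "<string>/Users/demo/.sysupdater.dat</string></array></dict></plist>\n")
    with open(os.path.join(agents, "com.example.clean.plist"), "w", encoding="utf-8") as fh:
        fh.write("<plist><dict><key>Label</key><string>com.example.clean</string></dict></plist>\n")
    return home


if __name__ == "__main__":
    # Real use: sweep(os.path.expanduser("~")) on the macOS host being triaged
    for line in sweep(_demo_home()):
        print(line)
```

A hit on either finding is a prompt for full triage (process list, outbound connections to the reported suspicious server, credential rotation), not proof of compromise on its own; the file name could be reused by unrelated software.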

According to Reuters, the database of Vietnamese borrowers has been subjected to a hacking attack, allegedly organized by the international group Shiny Hunters.

The incident affected the National Credit Information Center of Vietnam, which stores sensitive data, including personal identification information, credit payment history, risk analysis, and credit card details.

Preliminary investigations detected signs of unauthorized access, and the extent of the data breach is still being evaluated. The authorities have not disclosed the number of affected accounts.

In a darknet advertisement, Shiny Hunters listed stolen data concerning over 160 million individuals for sale at $175,000.

During a special operation involving Ukrainian law enforcement, a group of ransomware attackers was dismantled in connection with attacks on the networks of global corporations.

According to Cyberpolice, since 2018, the attackers have targeted the infrastructures of leading organizations in France, Norway, Germany, the Netherlands, Canada, and the USA. Over the years, they have encrypted more than 1,000 servers and caused damages totaling 3 billion hryvnias.

The perpetrators have been detained; some are already facing trial, and their assets have been seized. One of the group’s leaders has been charged in absentia and is wanted internationally.

The FBI has announced a reward of up to $10 million for information leading to the whereabouts of a key member of an international hacking network. The suspect, Ukrainian citizen Volodymyr Tymoshchuk, has been added to the EU’s most wanted list.

On September 9, Apple held its annual product presentation. Among the numerous innovations, the company introduced a new security feature for the latest iPhone 17 and iPhone Air devices.

The Memory Integrity Enforcement feature is designed to block memory corruption bugs, which are among the vulnerabilities most commonly exploited both by spyware developers and by makers of the forensic extraction devices used by law enforcement.

“Notorious spyware chains targeting iOS share a common trait with those aimed at Windows and Android: they exploit memory security vulnerabilities that are interchangeable, powerful, and prevalent across the industry,” stated the Apple blog.

According to TechCrunch, the new security technology could make the latest iPhones among the most secure devices on the planet. Experts commented to the publication that this innovation will likely complicate the work for malware and zero-day exploit developers.

A vulnerability in the Cursor AI code editor puts developers at risk by allowing tasks defined in a malicious repository to run automatically the moment the repository is opened. This conclusion was reached by researchers from Oasis Security, as reported by Bleeping Computer.

Cursor AI is an AI-supported software development environment built on Visual Studio Code (VS Code) and deeply integrated with popular chatbots like ChatGPT and Claude.

According to media reports, this is one of the fastest-growing AI tools for programming, used by around a million users who generate over a billion lines of code daily.

The vulnerability enables malware injection, takeover of the developer’s working environment, and theft of credentials and API tokens, all without the developer executing a single command.

Oasis Security attributed the issue to Cursor AI shipping with VS Code’s Workspace Trust feature disabled; Workspace Trust blocks automatic task execution until the developer explicitly trusts the folder. By default, Cursor AI runs such tasks as soon as a project folder is opened, so an attacker only needs to add a malicious file to a repository the victim will open.

After being notified, the Cursor AI developers stated that they do not intend to change the auto-run behaviour, arguing that Workspace Trust disables AI and other features critical for users.
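Since the editor vendor declined to change the default, the check has to happen on the developer’s side: before opening a cloned repository, audit it for tasks the editor would run on folder open, and verify the editor’s own trust settings. The following is an added example, not code from Oasis Security or Cursor. It assumes (this is not stated in the news item) that the gated mechanism is VS Code’s tasks.json entry `"runOptions": {"runOn": "folderOpen"}`, and that the relevant user settings are VS Code’s `security.workspace.trust.enabled` and `task.allowAutomaticTasks`; whether Cursor honours the latter is likewise an assumption. The sample repository content is constructed.

```python
"""Pre-open audit of a cloned repository for auto-run editor tasks (added example)."""
import json
import os
import re
import tempfile
from typing import Dict, List

TASKS_PATH = os.path.join(".vscode", "tasks.json")

# Hardened values for the user settings.json (VS Code setting names; effect in Cursor assumed)
HARDENED_SETTINGS: Dict[str, object] = {
    "security.workspace.trust.enabled": True,
    "task.allowAutomaticTasks": "off",
}


def _strip_jsonc(text: str) -> str:
    """VS Code accepts comments and trailing commas in tasks.json; the stdlib parser does not."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)    # /* block */ comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)     # whole-line // comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)           # trailing commas
    return text


def auto_run_tasks(repo_root: str) -> List[Dict[str, str]]:
    """Return the tasks a trusting editor would execute on folder open (runOn == folderOpen)."""
    path = os.path.join(repo_root, TASKS_PATH)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        data = json.loads(_strip_jsonc(fh.read()))
    findings: List[Dict[str, str]] = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": str(task.get("label", "<unlabelled>")),
                "type": str(task.get("type", "")),
                "command": str(task.get("command", "")),
            })
    return findings


def settings_gaps(user_settings: Dict[str, object]) -> List[str]:
    """Return the hardened keys whose value in the user's settings.json differs or is missing."""
    return [key for key, value in HARDENED_SETTINGS.items() if user_settings.get(key) != value]


def _demo_repo() -> str:
    """Constructed sample: one ordinary build task and one task marked to run on folder open."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, TASKS_PATH), "w", encoding="utf-8") as fh:
        fh.write('''{
  // constructed tasks.json for the audit demo
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", },
    { "label": "setup", "type": "shell", "command": "echo setup",
      "runOptions": { "runOn": "folderOpen" } },
  ]
}''')
    return root


if __name__ == "__main__":
    repo = _demo_repo()   # real use: the path of the freshly cloned repository
    for finding in auto_run_tasks(repo):
        print(f"task runs on folder open: {finding['label']!r} -> {finding['command']!r}")
    weak_settings = {"security.workspace.trust.enabled": False}
    print("settings to harden:", settings_gaps(weak_settings))
```

Run the audit from a shell before the editor ever sees the folder; a non-empty result means the repository should be opened only in an environment where you have confirmed that automatic tasks are blocked.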

Oasis Security recommended that:

Decentralization is a defining characteristic of the blockchain industry, directly influencing security. The state of decentralization in the two leading ecosystems was discussed by Web3 researcher Vladimir Menaskop.