Lately, hackers have been turning up the heat on software developers. On the surface, this might seem like a puzzling move — why go after someone who’s literally paid to understand tech when there are plenty of less-savvy targets in the office? As it turns out, compromising a developer’s machine offers a much bigger payoff for an attacker.

Why developers are such high-value targets

For starters, compromising a coder’s workstation can give attackers a direct line to source code, credentials, authentication tokens, or even the entire development infrastructure. If the company builds software for others, a hijacked dev environment allows attackers to launch a massive supply chain attack, using the company’s products to infect its customer base. If the developer works on internal services, their machine becomes a perfect beachhead for lateral movement, allowing hackers to spread deeper into the corporate network.

Even when attackers are purely chasing cryptocurrency (and let’s face it, tech pros are much more likely to hold crypto than the average person), the malware used in these hits doesn’t just swap out wallet addresses; it vacuums up every scrap of valuable data it can find — especially those login credentials and session tokens. Even if the original attackers don’t care about corporate access, they can easily flip those credentials to initial access brokers or more specialized threat actors on the dark web.

Why developers are sitting ducks

In practice, developers aren’t nearly as good at understanding cyberthreats and spotting social engineering as they think they are. This misconception is a big reason why they often fall prey to cybercriminals. Professional expertise can often create a false sense of digital invincibility. This often leads technical professionals to cut corners on security protocols, bypass restrictions set by the security team, or even disable security software on their corporate machines when it gets in the way of their workflow. That mindset, combined with a job that requires them to constantly download and run third-party code, makes them sitting ducks for cyberattackers.

Attack vectors targeting developers

Once an attacker sets their sights on a software engineer, their go-to move is usually finding a way to slip malicious code onto the machine. But that’s just the tip of the iceberg — hackers are also masters at rebranding classic, battle-tested tactics.

Compromising open-source packages

One of the most common ways to hit a developer is by poisoning open-source software. We’ve seen a flood of these attacks over the past year. A prime example hit in March 2026, when attackers managed to inject malicious code into LiteLLM, a popular Python library hosted in the PyPI repository. Because this library acts as a versatile gateway for connecting various AI agents, it’s baked into a massive number of projects. These trojanized versions of LiteLLM delivered scripts designed to hunt for credentials across the victim’s system. Once stolen, that data serves as a skeleton key for attackers to infiltrate any company that was unlucky enough to download the infected packages.

Malware hidden in technical assignments

Every so often, attackers post enticing job openings for developers, complete with take-home test assignments that are laced with malicious code. For instance, in late February 2026, malicious actors pushed out web application projects built on Next.js via several malicious repositories, framing them as coding tests. Once a developer cloned the repo and fired up the project locally, a script would trigger automatically to download and install a backdoor. The attackers gained full remote access to the developer’s machine.

Fake development tools

Recently, our experts described an attack where hackers used paid search-engine ads to push malware disguised as popular AI tools. One of the primary baits was Claude Code, an AI coding assistant. This campaign specifically targeted developers looking for a way to use AI-assistants under the radar, without getting the green light from their company’s infosec team. The ads directed users to a malicious site that perfectly mimicked the official Claude Code documentation. It even included “installation instructions”, which prompted the user to copy and run a command. In reality, running that command installed an infostealer that harvested credentials and shuttled them off to a remote server.

Social engineering tactics

That said, attackers often stick to the basics when trying to plant malware. A recent investigation into a compromised npm package — Axios — revealed that hackers had gained access to a maintainer’s system using a shockingly simple “outdated software” ruse. The attackers reached out to the Axios repository maintainer while posing as the founder of a well-known company. After some back-and-forth, they invited him to a video interview. When the developer tried to join the meeting on what looked like Microsoft Teams, he hit a fake notification claiming his software was out of date and needed an immediate update. That “update” was actually a Remote Access Trojan, giving the attackers access to his machine.

Niche spam

Sometimes, even a blast of fake notifications does the trick, especially when it’s tailored to the audience. For example, just recently, attackers were caught posting fake alerts in the Discussions tabs of various GitHub projects, claiming there was a critical vulnerability in Visual Studio Code that required an immediate update. Because developers subscribed to those discussions received these alerts directly via email, the notifications looked like legitimate security warnings. Of course, the link in the message didn’t lead to an official patch; it pointed to a “fixed” version of VS Code that was actually laced with malware.

How to safeguard an organization

To minimize the risk of a breach, companies should lean into the following best practices:

• Make security a native part of your workflow. Use specialized solutions to vet your images, packages, dependencies, and components.
• Use threat intelligence feeds specifically focused on open-source components to check the packages used in software development.
• Make sure security awareness training covers everyone — including developers. Leverage specialized solutions like Kaspersky Automated Security Awareness Platform.
• Make sure developers are aware of the latest attack patterns — you can keep them in the loop by following the Development tag right here on this

Kaspersky official blog – ​Read More

• Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025.
• Public administration and health care tied as the most targeted industry verticals, each accounting for 24 percent of all engagements. This is the third consecutive quarter where public administration has been the most targeted industry vertical.  
• Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware deployment due to early and swift mitigation from Cisco Talos Incident Response (Talos IR). This is a slight increase from last quarter but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements.

---

AI tool leveraged in phishing campaign 

Talos IR responded to a campaign that leveraged phishing, the most common means of initial access this quarter, to compromise the most targeted industry vertical this quarter: public administration. Notably, the actors leveraged the SoftrAI-based web application development service, marking the first time we have documented the use of a specific AI tool by an adversary in a phishing campaign. Softr was used to generate a credential harvesting page targeting users’ Microsoft Exchange and Outlook Web Access (OWA) accounts. 

State-sponsored and criminal actors have been observed abusing large language models (LLMs) to aid in the development of phishing lures, malicious scripts, and other tasks. DDoS-as-a-service actors have adopted AI algorithms for defense evasion and attack orchestration. While this is the first time we have documented the use of a specific AI tool in a Talos IR incident, we have moderate confidence that malicious actors have used Softr’s AI-powered web application creation platform since at May 2023, based on Cisco Umbrella data and other telemetry, and have done so with increasing frequency to date.    

This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and/or accelerate the speed of phishing and credential-harvesting campaigns. Using a form template and the “vibe coding” feature, a phishing page like the one used in this attack could be quickly created with a few AI prompts and no code. Phishing pages built with Softr can direct data to a disposable external data store, such as Google Sheets, and send alerts for new captures via email — all without code.    

Crimson Collective seen for the first time   

Talos IR experienced its first case involving Crimson Collective, a cyber extortion group that appeared in September 2025. This attack highlighted the use of valid accounts for initial access, the second most commonly observed means of initial access this quarter. This attack also notably involved targeting exploit weaknesses, the second-most observed security weakness, accounting for 25 percent of all engagements. We attribute this activity to Crimson Collective based on IPs associated with the group that were used to scan the victim’s ASA firewalls, as well as an overlap of observed tactics and techniques with publicly reported Crimson Collective attacks. 

The incident began when a GitHub Personal Access Token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by security professionals, to scan thousands of victim GitHub repositories for additional secrets and sensitive information. This approach allows attackers to perform reconnaissance without triggering suspicion, as they are leveraging standard, legitimate tools. The attacker’s discovery of client secrets through TruffleHog enabled further access to the victim’s Azure cloud storage, where they used Microsoft Graph API calls to authenticate, explore, and exfiltrate data. The abuse of legitimate cloud APIs demonstrates a growing trend where threat actors use native platform functionality to blend into normal user activity, making detection more challenging. 

In addition to exfiltrating data, the adversary attempted to inject malicious code into multiple GitHub repositories. This code was designed to harvest any new secrets committed in the future, sending them to adversary-controlled infrastructure. Though these attempts were largely thwarted by the expiration of targeted secrets and effective security controls, the tactic reflects an emerging trend of supply chain and development environment attacks.  

Ransomware trends 

Ransomware experiences slight increase, remains low overall  

Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware encryption due to early and swift mitigation from Talos IR. This is a slight increase from last quarter, when ransomware and pre-ransomware collectively comprised 13 percent of engagements, but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements. Attribution is challenging in pre-ransomware events because there are no encryptors or ransom notes, but we assess that Rhysida ransomware and MoneyMessage ransomware accounted for two of the engagements. 

While we did not observe many active and prolific ransomware-as-a-service (RaaS) operations, like Qilin or Akira, this likely does not indicate these major players are decreasing operations, as their data leak sites remain consistently active.    

Rhysida ransomware actors use uncommon backdoor, Meowbackconn  

Talos IR responded to a ransomware incident where the adversary attempted to deploy Rhysida ransomware. While the attack was mitigated in the pre-ransomware stage, we attribute this activity with moderate confidence to Rhysidabased on observed infrastructure that is associated with Rhysida activity and the use of Gootloader, which is commonly leveraged in Rhysida attacks during initial access. Notably, the actors deployed proxy-related DLLs (e.g., “meow_eu.dll”), which we assess were likely related to MeowBackConn, an uncommon backdoor that is closely associated with Gootloader, based on public reporting. 

This attack represents several trends that we observed throughout Talos IR engagements in Q1 2026. The environmental weaknesses that enabled this intrusion — exposed WinRM management ports, over-privileged service accounts, and critical logging gaps — directly echo this quarter’s most prominent security weaknesses, including vulnerable or exposed infrastructure, accounting for 25 percent of engagements. Furthermore, the adversary’s use of Remote Desktop Protocol (RDP) for lateral movement is consistent with RDP being the top technique for lateral movement for the previous two quarters (Q3 and Q4 2025).

Targeting

Public administration and health care were tied as the most targeted industry verticals. Notably, Q3 2025 marked the first time public administration emerged as the most targeted sector in Talos IR engagements, and it has retained that position since. Organizations within the public administration sector are attractive targets as they are often underfunded and use legacy equipment. These entities may have access to sensitive data as well as a low downtime tolerance, making them attractive to financially motivated and espionage-focused threat groups.

Initial access

Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing was the top initial access vector in the first half of 2025, at which point it was surpassed by exploitation of public-facing applications, likely due to the widespread exploitation of vulnerabilities in on-premises Microsoft SharePoint servers, collectively referred to as ToolShell. Since then, we have observeda steady decrease in the exploitation of public-facing applications as an initial access vector from a high of 62 percent to only 18 percent in Q1 2026. Similarly, in this quarter, valid accounts returned to its pre-ToolShell baseline as the second most observed means of gaining initial access, comprising 24 percent of Talos IR engagements. We assess the decline in ToolShell exploitation is likely due to the widespread availability of emergency patches and enhanced security detections, highlighting the importance of timely patching.

Recommendations for addressing top security weaknesses

Implement properly configured MFA and other access control solutions  

35 percent of engagements this quarter involved multi-factor authentication (MFA) weaknesses, an increase from last quarter. This includes incidents where threat actors bypassed MFA and where MFA was either missing or only partially enabled, particularly on remote access services. Adversaries were able to bypass MFA by registering new devices to previously compromised accounts, and in one instance, by configuring Outlook clients to connect directly to Exchange servers, circumventing MFA requirements. Addressing these weaknesses, especially by restricting self-service MFA enrollment and enforcing strong, centralized authentication policies, is essential to reducing risk and strengthening organizational resilience. 

Conduct robust patch management   

Vulnerable or exposed infrastructure was another top security weakness accounting for 25 percent of all engagements, a slight decrease from last quarter. This included exploiting a vulnerability (CVE-2025-20393) in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, as well as a vulnerability (CVE-2023-20198) in the web UI feature in Cisco IOS XE Software. Talos also observed exposed management ports (such as WinRM open to the internet), which enabled rapid attacker movement and reconnaissance.  

Configure centralized logging capabilities across the environment   

Finally, 18 percent of engagements this quarter involved organizations with insufficient logging capabilities, which hindered investigative efforts. Understanding the full context and chain of events performed by an adversary on a targeted host is vital not only for remediation but also for enhancing defenses and addressing any system vulnerabilities for the future. To address this issue, Talos IR recommends organizations implement a security information and event management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM will contain the original logs to support a forensics investigation. Additionally, Talos IR offers a Log Architecture Assessment service, which provides a focused review of an organization’s logs and overall log strategy to identify gaps and offer recommendations that give a complete view of the security environment and strengthen incident response readiness 

MITRE ATT&CK appendix 

The tables below represent the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note that this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

• Phishing was the top method of initial access, replacing exploitation of public-facing applications which was dominant in the prior two quarters. 
• Web-based C2 was the most common C2 pattern. Application Layer Protocol over web protocols was observed most often, indicating adversaries frequently blended C2 into normal-looking traffic. 
• Lateral movement primarily relied on common remote administration channels. SMB/Windows Admin Shares was the top lateral movement technique, with WMI and RDP also heavily used, suggesting attackers repeatedly leveragedstandard enterprise remote management paths once inside. RDP was the top technique for lateral movement in the prior two quarters.  
• Defense evasion frequently focused on weakening visibility and endpoint protections. Impair defenses by disabling/modifying tools appeared multiple times, alongside log/trace reduction behaviors (e.g., clear command history and file deletion), indicating a recurring emphasis on reducing detection and forensic evidence.

Tactic	Technique	Example	Estimated times observed
Reconnaissance	T1589.002: Gather Victim Identity Information: Email Addresses	The adversary enumeratedinternal processes and identifiedvendor emails to facilitate their fraudulent ordering scheme.	1
	T1595: Active Scanning	The adversary scanned public-facing websites to understand the target environment.	2
	T1593: Search Open Websites/Domains	The adversary scanned the web to obtain Github PATs.	1
Initial access	T1566: Phishing	The adversary used malicious emails and social engineering to compromise user accounts and facilitate fraudulent purchase orders.	5
	T1189: Drive-by compromise	The adversary registered several domains that masquerade as being related to VMware, and manipulated the SEO to show them at the top when searching for keywords such as VMware	3
	T1078: Valid Accounts	The adversary successfully gained access to the environment by using compromised user credentials	4
	T1190: Exploit public-facing applications	Two internet facing Linux servers running Apache and an LMS application were targeted.	3
Execution	T1204.002: User Execution: Malicious File	The victim downloaded a malicious installer on their personal host, connected the host to their company’s network, transferred the malware to their primary domain controller, then executed the malware.	3
	T1204.001: User Execution: Malicious link	The victim clicked on a link that led to a fake DocuSign document hosted on adobe[.]com	5
	T1059.001: Command and Scripting Interpreter: PowerShell	The adversary used PowerShell commands and scripts for execution.	4
	T1059.006: Command and Scripting Interpreter: Python	The adversary used automated Python scripts to interact with the environment.	1
	T1059.005: Command and Scripting Interpreter: MSHTA	The adversary attempted to use mshta.exe to retrieve and execute a remote malicious payload from an external URL.	1
Persistence	T1556.006: ModifyAuthentication Process: Multi-Factor Authentication	The adversary registered their own malicious MFA devices to maintain access to compromised accounts.	2
	T1219: Remote Access Software	The adversary installed and used AnyDesk for unauthorized remote access.	1
	T1053.005: Scheduled Task/Job: Scheduled Task	The adversary configured tasks to run on a schedule or at system startup.	1
	T1505: Server Software Component	The adversary installed malware on breached devices to facilitateremote command execution via HTTP.	1
Privilege escalation	T1068: Exploitation for Privilege Escalation	The adversary escalated to SYSTEM level privileges, which may have provided access to cached credentials in memory or registry hive.	1
	T1548: Abuse Elevation Control Mechanism	The adversary used ExecutionPolicy Bypass in PowerShell and attempted to add users to the local Administrators group.	1
	T1078 Valid Accounts	The adversary bypassed standard access controls by using compromised accounts with existing high-level privileges.	1
Defense evasion	T1070.003: Indicator Removal on Host: Clear Command History	The adversary used the terminal emulator “ConEmu” to run commands, intentionally avoiding log generation.	2
	T1070.001: Indicator Removal: Clear Windows Event Logs	The adversary deleted logs on compromised devices to limit forensic findings.	1
	T1556: ModifyAuthentication Process	The adversary set up an Outlook client Outlook client to connect to the Exchange Server and was able to send messages via that path which bypasses the requirement for MFA via Duo.	1
	T1562.001: Impair Defenses: Disable or Modify Tools	The adversary was able to uninstall EDR agents from hosts and attempted to delete Windows Defender policies.	4
Credential access	T1003.002: OS Credential Dumping: Security Account Manager	The adversary saved SAM and SYSTEM registry hives to extract local account hashes.	2
	T1003.003: OS Credential Dumping: NTDS	The adversary dumped the ntds.dit file from Domain Controllers to obtain domain-wide credential hashes.	1
	T1003.005: Cached Domain Credentials	The adversary gained NT hashes for multiple domain accounts from cached logon information.	1
	T1557: Adversary-in-the-Middle	The adversary  used an AiTMproxy to capture credentials and session tokens.	1
Discovery	T1087.003: Account Discovery: Email Account	The adversary used Graph API calls to verify long lists of email addresses and retrieve associated user GUIDs.	1
	T1580: Cloud Infrastructure Discovery	The adversary performed enumeration of the environment, including gathering OneDrive metadata (drive IDs and child item counts) and user roles.	1
	T1069.002: Permission Groups Discovery: Domain Groups	The adversary used commands like net group “domain admins” /domain to find high-privilege accounts.	1
	T1526: Cloud Service Discovery	The adversary ran the legitimate cybersecurity tool TruffleHog to discover repositories containingclient secrets and personal information.	1
Lateral movement	T1021.002: Remote Services: SMB/Windows Admin Shares	The adversary used PsExec(communicated over SMB) to move laterally from the compromised domain controller to other servers.	4
	T1047: Windows Management Instrumentation	The adversary used PowerShell scripts to leverage WMI (Get-WmiObject) to query remote computers.	3
	T1021.001: Remote Services: Remote Desktop Protocol	The adversary used RDP connections between hosts.	3
Collection	T1530: Data from Cloud Storage Object	The analysis of M365 Audit Logs showed multiple FileAccessedand FileDownloaded events for documents stored in SharePoint and OneDrive.	1
	T1040 Network Sniffing	The adversary executed monitor capture commands on specific interfaces to intercept and capture network traffic.	1
Command and control	T1071.001: Application Layer Protocol: Web Protocols	The adversary used MeshAgentto communicate with the C2 server over WebSockets.	5
	T1102: Web Service	The adversary leveraged a Telegram URL to issue instructions and download links.	1
	T1572: Protocol Tunneling	The adversary used a second-stage script to create an HTTPS tunnel directly to the C2 system.	1
	T1201: Traffic Signaling	The adversary communicated with external infrastructure using regular beaconing or other signaling patterns to maintain C2 or check in with their C2 server.	1
Exfiltration	T1567.002: Exfiltration Over Web Service	The adversary accessed and exfiltrated internal data, specifically SharePoint files, via web-based channels.	1
	T1041: Exfiltration Over C2 Channel	The adversary exfiltrated approximately 2,500 client secrets and personal information.	2
Impact	T1657: Financial Theft	The adversary used company resources to place orders totaling hundreds of thousands of US dollars for various products which were successfully delivered.	1
	T1486 Data Encrypted for Impact	The adversary encrypted victim data.	1
	T1531 Account Access Removal	The adversary disabled admin accounts and deleted service accounts in the Active Directory (AD) and Azure	1
Software	Rhysida	A RaaS, known for posing as a cybersecurity team that “helps” its victims identify security weaknesses in their networks.	Pre-ransomware engagement
	SocGholish	A JavaScript-based loader malware that has been used since at least 2017, primarily for initial access.	1
	Money Message	A ransomware that emerged in March 2023, and is capable of targeting Windows and Linux systems (including VMware ESXiservers).	Pre-ransomware engagement

Cisco Talos Blog – ​Read More

In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.

Phishing

In 2025, phishing attacks were used for initial access in 40% of incidents, maintaining their prevalence. Attackers ramped up cascaded phishing campaigns, where attackers leveraged the trust of the initial compromised account to create specialized phishing attempts, within the network and out of it, aimed at trusted partners and third parties.

Email composition trends

The content of phishing emails changed somewhat. Transitioning away from spam offers, they took the form of workflow-style emails — IT, travel, and other everyday business tasks that look familiar to employees and executives. Travel and logistics lures in particular surged, while political lures dropped off. Internal expensing and travel emails, even when legitimate, are often repetitive and come from disparate sources with changeable formats or poorly-rendered templates, leading to a lowered guard toward spotting malicious intent. Attackers were likely aiming to steal credentials, payment information, or MFA tokens via fake single sign-on (SSO) pages.

In reviews of thousands of blocked-email keywords, 60% contained subject lines with “request,” “invoice,” “fwd,” “report,” and similar. IT-focused phishing keywords turned more technical, to words like “tampering,” “domain,” “configuration,” “token,” and others, showing that attackers were making plays toward IT and security workflows.

Attackers also abused Microsoft 365 Direct Send to capitalize on internal email trust. Direct Send is the method by which networked devices like printers and scanners deliver documents to users. The messages appear to be sent and received by the same email address. These internal messages do not receive the same scrutiny that external emails do, from employees or automated email filters. Direct Send allowed attackers to spoof internal email addresses and deliver highly convincing lures from inside the organization, without compromising real accounts, to target key attack services and deliver high-impact damage.

MFA and identity attacks

Identity and access management (IAM) applications have grown popular with organizations hoping to consolidate user privileges. Unfortunately, it has also grown in popularity with attackers. Nearly a third of 2025 MFA spray attacks targeted IAM, turning the tools companies used to maintain access control into a point of failure. Device compromise surged by 178%, largely driven by voice phishing designed to trick administrators into registering malicious devices.

MFA spray and device compromise

MFA attack strategy changed by sector. A successful attack could glean SSO tokens and give adversaries the ability to change user roles and credentials, or even the MFA policies themselves. Attackers increasingly exploited authentication workflows to gain and maintain access.

Spray attacks were deployed against networks with predictable identity behavior, while diverse, unmanaged, or high-turnover device ecosystems proved weaker to device compromise attacks.

Notably, higher education was the most targeted device compromise sector. Several factors could contribute to the trend:

·       Diverse unmanaged device population

·       Poorly patched and managed operating systems

·       Necessarily low new-device verification policies

·       Large, public-facing directories for targeted phishing

Higher education was a very unfavorable target for MFA spray attacks, however. Passwords and MFA are also highly varied and segmented, and most universities have strong login portal policies, enforced lockouts, and login attempt limits.

Guidance for defenders

As always, prioritize based on your own environment.

Organizations should keep in mind that living-off-the-land binaries (LOLBins) and open-source and dual-use tools, which are not inherently malicious, are key to further exploitation. Blocking external IPs from using a feature, enabling Microsoft’s newer “Reject Direct Send” control, tightening SPF/DMARC enforcement, and treating “internal-looking” emails with the same scrutiny as inbound mail are currently the most effective defenses.

Likewise, MFA attack protection should be tailored to the style of environment and sector.

MFA spray attacks work well on stable, scaled identity controls. Counter these attacks with strong lockout policies, good password hygiene, and conditional access.

Device compromise works best on variable networks where devices change over fast and MFA use is spotty. Work on establishing better device hardening and management, session controls, and strict phishing-resistant MFA with enrollment governance. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks.

This blog only scratched the surface on 2025 threat trends. See the full Year in Review report for a detailed explanation of Microsoft 365 Direct Send and how it was used for attacks, infographic breakdowns of MFA spray vs. device compromise attacks, the full list of targeted tools and sectors by percentage, and more.

Cisco Talos Blog – ​Read More

Editor’s note: The research is authored by Mauro Eldritch, offensive security expert and a founder of BCA LTD, a company dedicated to threat intelligence and hunting. You can find Mauro on X. 

The recent wave of ClickFix attacks has introduced several new ways to compromise users, establishing itself as a technique that is likely here to stay. We have observed Lazarus Group using this method to distribute a range of malware, from well-known families to more unusual variants such as PyLangGhostRAT, a Python-based vibe-ported of the original Go version, along with other oddities. 

In this article, we analyze the next stage of this campaign: a newly identified macOS malware kit that is currently being actively distributed. 

Key Takeaways 

• What’s happening: Lazarus Group is running an active campaign using fake meetings and social engineering to steal credentials and data. 

• Who is targeted: Employees and business leaders communicating via Telegram and external partners. 

• How access is gained: Users are tricked into executing commands under the guise of fixing meeting issues. 

• What tools attackers are using: A new macOS malware kit, Mach-O Man, built as native binaries to target macOS environments. 

• What attackers are after: Credentials and active sessions that allow immediate access to business systems. 

• How data is exfiltrated: Sensitive data is sent via Telegram, blending into normal communication traffic.  

• What this leads to: Account takeover, financial loss, and exposure of business-critical data. 

• How SOCs should respond: Identify credential exposure early by introducing ANY.RUN’s cross-platform analysis capabilities during triage that offers a 36% higher detection rate.

New Lazarus ClickFix macOS Campaign: Why Companies Are at Risk 

Lazarus Group is actively running a campaign that turns routine business communication into a direct path to credential theft and data loss. 

The attack targets business leaders through Telegram, often using compromised accounts of colleagues or contacts. Victims receive what appears to be a legitimate meeting invitation and are redirected to a fake collaboration platform that mimics Zoom, Microsoft Teams, or Google Meet. The scenario is familiar and urgent, which lowers suspicion and increases the likelihood of interaction. 

Instead of exploiting a technical vulnerability, the attackers rely on a simple instruction. The user is prompted to “fix” a connection issue by copying and executing a command. This step shifts control to the attacker without triggering many traditional security controls, because the action is performed by the user themselves. 

From that moment, the operation is focused on extracting business value as quickly as possible. The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data. These assets provide immediate access to corporate systems, SaaS platforms, and financial resources. 

Telegram is used again as an exfiltration channel, allowing stolen data to be transferred through a legitimate service that blends into normal traffic.  

By the time the activity is recognized as malicious, credentials may already be compromised and sensitive data already exfiltrated. At that point, the organization is dealing with: 

• Unauthorized access to business systems and accounts  

• Financial loss through fraudulent transactions or misuse of access  

• Exposure of sensitive data leading to regulatory and reputational impact 

At the core of this operation is a newly identified macOS malware kit, “Mach-O Man”, discovered by the Quetzal Team. Built as a set of Go-based Mach-O binaries, it reflects a shift toward native macOS threats. The following sections break down how this kit operates across each stage of the attack chain. 

Technical Analysis of the Mach-O Man Kit 

The Stager 

As described earlier, in this ClickFix campaign, the victim is invited to a meeting via Telegram, typically by a compromised contact sharing a link.  

When the user visits it, they are taken to a site impersonating a legitimate meeting platform such as Zoom, Meet, or Teams. The page then displays a fake error message claiming that, to resolve the issue, the user must copy and paste a command into their terminal. 

Thanks to ANY.RUN’s Interactive Sandbox, we can safely execute this command and observe the malicious behavior inside a secure macOS VM, without risk to our systems.  

See live sandbox analysis of fake Mach-O Man kit apps 

Trusted by 15,000 organizations worldwide, including 74 Fortune 100 companies, ANY.RUN accelerates triage & response by enabling SOC teams to analyze URLs and files within a private, real-time virtual environment, reproducing the full attack flow across Windows, macOS, Linux, and Android.  

The result is faster, more consistent decisions across the SOC, with earlier identification of threats, reduced response time, and lower risk of incidents escalating into financial and operational impact. 

Pasting and running the command in the terminal leads to the installation of malware. In this case, it executes teamsSDK.bin, the stager and initial component of the Mach-O Man kit. 

When executed in our laboratory, we observed an interesting behavior: when run without arguments, the binary displays a usage message indicating how to activate it and revealing support for impersonating Google, Zoom, Teams, and “System”. 

Fun fact: if you try to choose Google, it politely states that it is “not yet implemented”. A surprisingly polished touch. 

When invoked correctly, it downloads a fake macOS Application impersonating one of the previously mentioned platforms, with “System” referring to generic macOS system prompts presented to the user. To ensure execution, the malware uses macOS’ codesign utility to apply an ad-hoc signature to the application bundle, making it appear properly signed to the system. 

All applications are virtually identical, differing only in minimal visual cues. They prompt the user for their password in broken English three times in a row. 

The first two attempts always shake the window, indicating that the password is incorrect (even if not), while the third one disappears as if the authentication had succeeded. 

Independently, at the end they all display Zoom’s logo along with a message stating that the installation was successful. 

Running them interactively from the shell reveals errors during execution. Many interesting failures will be discussed throughout the analysis of the remaining components, suggesting that exhaustive testing was not conducted. 

In the background, the next stage is downloaded, typically named in the format D1{??????}.bin. Some examples we were able to retrieve include D1YrHRTg.bin, D1yCPUyk.bin, and D1ozPVNG.bin. At the same time, the malware performs basic fingerprinting via sysctl queries, collecting information such as CPU details and system boot time. 

Let’s check the next stage. 

The Profiler 

This second binary, D1YrHRTg.bin (or any other variant you are able to retrieve), acts as a system profiler. It registers the host with the C2 and sends a system profile. 

The first notable behavior is that, when executed without arguments, it once again displays a usage message, a rather kind gesture. 

This module relies on sysctl and local userland tools to build a comprehensive profile of the host, including hostname, a unique identifier, CPU type, boot time, operating system details, network configuration, running processes, and a list of browser extensions, with dedicated targeting of Brave, Vivaldi, Opera, Chrome, Firefox, and Safari. 

This information is written to a text file and sent to the C2 server. 

As previously noted, some of these modules are faulty.  

This one, in particular, exhibits a self-sabotaging behavior, occasionally entering an endless loop that repeatedly posts the system profile text file to the C2 server, exhausting system resources and making its presence quite obvious to the victim. 

Next, a new binary called minst2.bin is retrieved from the /payload C2 endpoint, marking the beginning of the persistence stage. 

The Persistence Mechanism 

minst2.bin was slightly trickier to debug, as it does not come bundled with a usage helper, so I had to manually fine-tune both the number and type of arguments required. After reverse engineering how the previous stage invokes it, I found that it takes the machine UUID, a payload URL, and a filename as arguments, and proceeds to download a remote file named localencode, saving it locally as OneDrive and setting it up to run at as a startup item. 

To achieve this, it creates a folder called “Antivirus Service”, where it stores this binary, and sets up a LaunchAgent, the macOS equivalent of a Windows Service, to execute it at startup. From that point on, it re-invokes the malware kit at every login. 

Moving on to the final stage, this script cleans up by deleting all ZIP files and downloaded fake applications (*.app) from the temporary directory. The parent process then proceeds to download the final binary in the kit: macrasv2. 

The Stealer 

Obtained from the same /payload endpoint, macrasv2 is the final stealer and the main component of the chain.  

See sandbox analysis of macrasv2 

It stages all previously collected data, including, but not limited to, browser extension data, stored browser credentials and cookies (typically kept in SQLite databases), macOS Keychain entries, and other files of interest, consolidating them into a temporary directory. Since this is an empty laboratory, the number of staged files is relatively small. 

From there, the data is archived into a file named user_ext.zip, preparing it for exfiltration. 

Exfiltration is carried out through a familiar channel, Telegram. In this case, however, the operators exposed their bot token, effectively allowing third parties to interact with the bot. This not only weakens their operational security but also simplifies reporting and potential takedown efforts. 

This makes it trivial to both read the bot’s messages, send messages on its behalf, and even identify its owner. 

Finally, the malware invokes a self-deletion script named delete_self.sh, which simply removes itself and other components using the system’s rm command. 

With this, the full infection cycle is complete. Thanks to ANY.RUN’s macOS analysis capabilities, we were able to fully reconstruct it in record time. It is worth noting that this is a novel (previously unseen) malware, which would typically require significantly more time to disassemble and analyze using traditional methods. 

Let’s now move on to the ATT&CK Matrix, followed by the IOCs and other interesting details. 

Additional Observations 

• The malware is badly written, with certain components entering infinite loops that may expose its presence due to system resource starvation.  

• Operational security weaknesses were identified, such as exposed Telegram bot tokens and C2 endpoints with missing authentication.  

• The use of ad-hoc code signing indicates an attempt to bypass macOS execution controls without valid developer credentials.  

• Network traffic analysis shows that the malware primarily communicates over ports 8888 and 9999. Additionally, HTTP requests consistently use a User-Agent string associated with the Go programming language (e.g., Go-http-client), which aligns with other observed components of the toolset.  

• The adversary’s infrastructure exposed multiple services, including WinRM, Chrome Remote Desktop, Remote Desktop Protocol (RDP), and a replica of the C2 server running on port 110.  

• Reverse engineering analysis indicates that multiple components of the malware are written in Go. This is supported by the presence of Go-specific strings and referenced artifacts within the binaries, including characteristic function naming conventions, runtime structures, and the use of the standard Go HTTP client in network communications.  

Defending Against Lazarus Attacks: How CISOs Can Minimize Risk 

Trust-abuse phishing, exemplified by campaigns like Mach-O Man, exploits legitimate platforms to bypass conventional security measures. Attackers manipulate human psychology with urgent meeting requests or fake technical issues, tricking users into executing malicious commands or disclosing credentials.  

For SOC teams, the difficulty lies in detecting these attacks early, as they often slip past signature-based defenses by leveraging trusted services and user-driven actions. 

Close Detection Gaps with Stronger Cross-Platform Triage 

To combat these threats, SOCs must adopt interactive sandboxing as a cornerstone of their triage process. Unlike automated solutions, ANY.RUN eliminates critical blind spots for security teams by enabling analysis of malicious files and URLs across Windows, macOS, Linux, and Android in a single interface.  

Instead of juggling separate solutions for each OS, SOC teams gain a unified sandbox environment where they can manually simulate user interactions, uncover hidden attack stages, and capture behavioral IOCs, such as unusual sysctl queries in macOS or Mach-O binary execution.  

For business processes, this means streamlined triage, reducing analysis time and integrating seamlessly with SIEM/SOAR for automated threat investigations.  

ANY.RUN delivers full attack context (process chains, network connections, system changes), which is especially critical for companies with hybrid infrastructures (corporate Windows, macOS for developers/designers, Linux servers, and employee Android devices), where traditional sandboxes cover only part of the risk. 

When integrated into your SOC workflows, ANY.RUN’s Sandbox delivers measurable impact, enabling security teams to: 

• Identify Credential Exposure Earlier: Detect threats in under 60 seconds and reduce breach probability before escalation begins  

• Reduce MTTR: Achieve up to 21 minutes faster response time and 50% quicker IOC extraction  

• Detect More Relevant Threats: Identify up to 58% more threats with real-time, sandbox-verified intelligence  

• Minimize High-Severity Incidents: Earlier detection lowers escalation rates and limits impact on business operations  

• Improve SOC Efficiency Without Hiring: Increase team performance up to 3x and reduce Tier 1 workload by 20% 

 
For businesses, this means fewer breaches, lower financial impact per incident, and more predictable security outcomes. Organizations gain control over both risk exposure and operational costs, rather than reacting after damage occurs. 

About ANY.RUN 

ANY.RUN helps over 15,000 organizations and 600,000 security professionals identify and understand threats before they turn into incidents. 

The solutions combine interactive sandbox analysis and real-time threat intelligence into a single workflow, allowing SOC teams to analyze files and URLs, observe full attack behavior, and make faster, more accurate decisions. Instead of relying on delayed indicators or assumptions, analysts see what the threat actually does and what risk it creates for the business. 

By strengthening monitoring, triage, and response, ANY.RUN enables organizations to detect more threats earlier, reduce response time, and limit the impact of credential theft, data exposure, and account compromise. 

The result is a more predictable and efficient SOC, where decisions are made faster, incidents are contained earlier, and business risk is reduced. 

IOCs and TTPs 

Network IOCs 

IP Addresses 

• 172[.]86[.]113[.]102  

• 144[.]172[.]114[.]220  

Domains 

• update-teams[.]live  

• livemicrosft[.]com  

URLs 

• h[tt]p://172[.]86[.]113[.]102/Onedrive  

• h[tt]ps://update-teams[.]live/teams  

• h[tt]p://172[.]86[.]113[.]102/localencode  

• livemicrosft[.]com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1  

File-based IOCs 

File Names 

File Paths 

File Hashes (SHA256) 

• eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (com.onedrive.launcher.plist)  

• eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (com.onedrive.launcher.tmp)  

• 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 (D1yCPUyk.bin)  

• 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 (D1YrHRTg.bin)  

• a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614 (localencode / OneDrive)  

• 85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c (macrasv2)  

• cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260 (MauroDPRKSamples.zip)  

• 4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b (minst2.bin)  

• 89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938 (SystemApp.zip)  

• dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6 (TeamsApp.zip)  

• 871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3 (teamsSDK.bin)  

• 24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9 (ZoomApp.zip)  

Host-based IOCs 

Persistence Artifacts 

• ~/Library/LaunchAgents/com.onedrive.launcher.plist  

• ~/Library/LaunchAgents/com.onedrive.launcher.tmp  

Suspicious Directories / Files 

• ~/Library/.initialized  

• /Users/$USER/.local/bin/OneDrive  

• $TMPDIR/geniex_client_sleep_state  

Code / Binary Artifacts 

Strings 

• geniex-client/core  

• geniex-client/protocol  

• geniex-client/Internal/vss  

• geniex_client_sleep_state  

• geniex config file too short  

• com.onedrive.launcher  

• Die command received, initiating self-destruction  

• hobocopy_%d  

Build Artifact 

• GoBuildID: 
  XSnX8a5Y1OweX0Ob6lfO/ZYlrxu-H_BNvt5ptXb3c/8HR_X2LwoFzXXN4Fti_K/xaM13na_g6snvgcy0x9t  

Encryption Keys 

• RC4Key: 
  a73ce18952b40fd621789e43c56b2af08d1497ce3560b2481fa973d8265ce491  

• RC4Key: 
  5476bbf8ddb2fb056295f09ebe05e20a7d1cf29ea279cd4613c87544013e080fef35c97b3511ef9c0f12e505a1d805628ba10483dc9290508f94d153ee94d5c4 

ATT&CK Matrix 

Execution 

• User Execution (T1204)  

Persistence 

• Create or Modify System Process: Launch Agent (T1543.001)  

Privilege Escalation 

• Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)  

Defense Evasion 

• File and Directory Permissions Modification (T1222)  

• Virtualization/Sandbox Evasion (T1497)  

Credential Access 

• Credentials from Password Stores (T1555)  

• Unsecured Credentials (T1552)  

Discovery & Collection 

• System Information Discovery (T1082)  

• Process Discovery (T1057)  

• System Time Discovery (T1124)  

• File and Directory Discovery (T1083)  

• Data from Local System (T1005)  

• Archive Collected Data (T1560)  

Exfiltration 

• Exfiltration Over Web Service: Exfiltration to Cloud Storage / Web Service (T1567)  

Data is exfiltrated via Telegram bot API, using a legitimate web service to evade detection. 

References 

Original Quetzal Team Article: https://open.substack.com/pub/quetzalteam/p/north-koreas-safari-hunting-for-rats  

Original LevelBlue Labs Intelligence Pulse: https://otx.alienvault.com/pulse/69d9c62d24ae9bc8d5653f56  

Session 1: https://app.any.run/tasks/937afde2-5e3c-4eb0-a7d1-6124f0f3ed18 

Session 2: https://app.any.run/tasks/777b23e8-25ea-45b5-a998-d2e1c400c9d1 

Session 3: https://app.any.run/tasks/7f771a62-fcda-4a33-8e99-ab068fae8500 

Session 4: https://app.any.run/tasks/94b9bc1f-86 -4069-8222-1cb511d78ad9

The post New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More