Svoboda Cybersecurity Brief December 23, 2025
MacSync Malware Evades macOS Gatekeeper via Signed Swift App
A new MacSync malware variant is delivered as a digitally signed and notarized Swift application inside a disk image, bypassing macOS Gatekeeper checks. The malware steals iCloud Keychain credentials, browser passwords, and cryptocurrency wallet data, and uses evasion techniques such as inflated DMG files and internet connectivity checks.
Impact: Persistent data theft and backdoor access.
Mitigation: Revoke affected certificates (GNJLS3UYZ4), monitor for rogue processes, and update macOS security policies.
Source: BleepingComputer
Interpol-Led Operation Disrupts Ransomware, Arrests 574
Operation Sentinel, coordinated by Interpol, led to 574 arrests and the decryption of 6 ransomware strains, recovering $3 million linked to BEC and extortion. Key successes include stopping a $7.9M BEC wire transfer in Senegal and decrypting 30TB of data in Ghana.
Source: BleepingComputer
Malicious npm Package “lotusbail” Steals WhatsApp Credentials
A malicious npm package, lotusbail, posing as a WhatsApp Web API library has over 56,000 downloads and steals authentication tokens, messages, and contacts. It links attacker-controlled devices through WhatsApp’s device-pairing feature and uses RSA encryption and code obfuscation for exfiltration.
Impact: Account takeover and persistent access.
Mitigation: Remove the package, check for linked devices in WhatsApp settings, and audit runtime behavior.
Source: BleepingComputer
Romanian Water Authority Hit by BitLocker Ransomware
Romanian Waters suffered a ransomware attack that encrypted 1,000 systems using Windows BitLocker, though operational water infrastructure remained unaffected. The attackers left a ransom note demanding contact within 7 days.
Impact: Disrupted IT systems but no operational downtime.
Mitigation: Isolate affected systems, review BitLocker policies, and integrate into national cybersecurity monitoring.
Source: BleepingComputer
University of Phoenix Breach Exposes 3.5M Records via Clop Ransomware
Clop ransomware exploited a zero-day in Oracle EBS (CVE-2025-61882) to steal names, SSNs, and bank details of 3.5M students and staff. The university now offers free identity protection services.
Impact: Large-scale financial and identity theft risk.
Mitigation: Patch Oracle EBS, monitor for credential leaks, and enable multi-factor authentication.
Source: BleepingComputer
Ukrainian Nefilim Ransomware Affiliate Pleads Guilty
Artem Stryzhak admitted to targeting companies with $200M+ in revenue with Nefilim ransomware, earning 20% of the ransoms. His co-conspirator, Volodymyr Tymoshchuk, remains at large with an $11M bounty on him.
Source: BleepingComputer
WatchGuard Firewall Zero-Day (CVE-2025-14733) Actively Exploited
Over 115,000 unpatched WatchGuard Firebox devices are vulnerable to remote code execution via IKEv2 VPN misconfigurations; Shadowserver detected 124,658 exposed instances.
Impact: Full device compromise.
Mitigation: Apply patches (Fireware OS 2025.1.4/12.11.6) or disable dynamic peer BOVPNs.
Source: BleepingComputer
Android Malware “Wonderland” Spreads via Dropper Apps
TrickyWonders group uses signed dropper apps (MidnightDat, RoundRift) to deploy the Wonderland SMS stealer, hijacking Telegram sessions for distribution. The malware intercepts OTPs and exfiltrates contacts.
Impact: Financial fraud and account takeover.
Mitigation: Block sideloading, monitor for unusual SMS activity.
Source: The Hacker News
Ploutus ATM Malware Gang Charged in US
54 members of Tren de Aragua were charged with using Ploutus malware to jackpot ATMs, stealing millions. The malware bypasses ATM security controls to dispense cash on command.
Source: SecurityWeek
UK Investigates China-Linked Cyber Incident
The UK government confirmed a breach at the Foreign Office, potentially exposing visa data. Hackers linked to Storm 1849 (China-affiliated) are suspected.
Source: SecurityWeek