Svoboda Cybersecurity Brief January 02, 2026

GlassWorm Malware Targets Macs with Trojanized Crypto Wallets

A new wave of GlassWorm malware is targeting macOS users via malicious extensions on the Open VSX marketplace, masquerading as development tools. The malware steals cryptocurrency wallets, iCloud Keychain data, and developer credentials (e.g., GitHub, npm tokens) using AppleScript for stealth.
Impact: Over 50,000 downloads recorded; targets crypto/Web3 professionals.
Mitigation: Verify extensions before installation, monitor for unusual process activity, and inspect Solana C2 endpoints.
Source: BleepingComputer

RondoDox Botnet Exploits Critical React2Shell Flaw

The RondoDox botnet is exploiting CVE-2025-55182 (React2Shell, CVSS 10.0) to hijack IoT devices and web servers, deploying cryptocurrency miners and Mirai variants. The botnet uses “/nuts/bolts” to eliminate competing malware and maintain persistence via cron jobs.
Impact: 90,300 vulnerable instances globally, primarily in the U.S. (68,400).
Mitigation: Patch Next.js, segment IoT networks, deploy WAFs, and block C2 infrastructure.
Source: The Hacker News

OceanLotus Targets China’s Xinchuang Initiative with Custom Malware

OceanLotus is exploiting China’s domestic tech ecosystem (Xinchuang) by weaponizing CVE-2023-52076 (Atril RCE) and deploying ELF Trojans tailored for local platforms. The group also targets IoT devices with passive backdoors.
Impact: Geopolitical espionage aligned with supply-chain compromises.
Mitigation: Patch Atril viewers, scrutinize phishing lures, and monitor for anomalous Python downloaders.
Source: The Hacker News

North Korean IT Workers Infiltrate Crypto Firms, Amazon Blocks 1,800 Accounts

North Korean operatives stole $2B in crypto in 2025, pivoting to fake IT job placements to compromise exchanges. Amazon thwarted 1,800 DPRK-linked hires, detecting subtle anomalies like “typed command delays.”
Impact: Credential theft, source code leaks, and prolonged network access.
Mitigation: Enhance vetting for remote hires, monitor developer environments, and enforce MFA.
Source: The Hacker News

GhostAd and SkyWalk Adware Drain Mobile Resources

GhostAd (Android) and SkyWalk (iOS) adware campaigns silently generate fake ad impressions. GhostAd uses Kotlin coroutines to sustain background ad-loading, while SkyWalk hides ads in invisible browser windows.
Impact: Millions of downloads, battery/data drain, and advertiser fraud.
Mitigation: Audit apps for suspicious SDKs (e.g., Pangle, Vungle) and monitor background processes.
Source: The Hacker News

Magecart Evolves into Full Identity Theft

A new Magecart campaign hijacks checkout flows with localized payloads targeting Stripe, PayPal, etc., combining payment skimming with credential theft for long-term account persistence.
Impact: Fraudulent transactions, ATOs, and admin access abuse.
Mitigation: Sanitize input fields, monitor for hidden Luhn-valid junk cards, and enforce CSP policies.
Source: The Hacker News

AWS IAM Key Deletion Delay Allows Attacker Persistence

Researchers found a 4-second window in which a revoked AWS access key remains usable because IAM is eventually consistent; within that window, an attacker still holding the revoked key can create new keys for themselves.
Impact: Undetected post-revocation access.
Mitigation: Use temporary credentials/IAM roles, and automate key rotation.
Source: The Hacker News

IPCola Proxy Botnet Offers 1.6M Compromised IPs

The IPCola proxy service sells access to 1.6M infected devices that were compromised through the GaGaNode SDK, which enables remote code execution. Most victims are in India, Brazil, and the U.S.
Impact: Mass proxy abuse for anonymized attacks.
Mitigation: Block GaGaNode SDK traffic and audit device traffic patterns.
Source: The Hacker News

ErrTraffic Toolkit Automates Fake Glitch Scams

The ErrTraffic service automates ClickFix attacks via fake browser errors, pushing info-stealers and banking trojans through spoofed updates.
Impact: Cross-platform malware delivery (Windows, macOS, Android).
Mitigation: Educate users on fake error prompts and block known C2 domains.
Source: The Hacker News

KMSAuto Malware Operator Extradited to South Korea

A Lithuanian national was extradited for distributing 2.8M copies of clipboard-stealing malware via fake Windows activation tools, stealing $1.2M in crypto.
Source: The Hacker News

Disney Fined $10M for COPPA Violations on YouTube

Disney illegally collected children’s data via YouTube ads without parental consent, settling with the FTC for $10M.
Source: The Hacker News