ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, and the Industrialization of SIM Farms
TL;DR: North Korean actors target DeFi infrastructure for a $290M payday, researchers uncover "Living-off-the-Land" techniques in macOS, and a Belarus-based "SIM Farm-as-a-Service" platform fuels global cybercrime.
The cybersecurity landscape currently feels like a cycle of recurring mistakes. From messy supply chains and unvetted packages to AI tools that trust malicious inputs, attackers are finding that breaking the systems behind applications is often easier than breaking the apps themselves. This week’s bulletin highlights that while exploits may be simple, their scale and automation are reaching dangerous new levels.
State-Backed Crypto Heist: KelpDAO Hit for $290M
The decentralized finance (DeFi) space has suffered another massive blow. KelpDAO was targeted in a sophisticated attack resulting in the theft of $290 million. Analysis from LayerZero and Chainalysis suggests that North Korean threat actors, specifically those tracked as TraderTraitor, are likely behind the breach.
Unlike a typical smart contract exploit, this was an attack on off-chain infrastructure. Attackers compromised internal Remote Procedure Call (RPC) nodes to feed false data to a verification network. This "poisoning" of the infrastructure tricked the Ethereum contract into releasing funds based on a phantom token burn. To date, the Arbitrum Security Council has frozen over 30,000 ETH connected to the exploit.
macOS "Living-off-the-Land" (LotL) Abuse
New research from Cisco Talos reveals that attackers are bypassing macOS security controls by repurposing native features. Two primary methods were identified:
- Remote Application Scripting (RAS): Bad actors can use the eppc:// protocol to script the Finder remotely.
- Spotlight Metadata Abuse: Attackers are hiding Base64-encoded payloads within "Finder comments." Because these comments are stored in Spotlight metadata—an area rarely examined by standard EDR solutions—malicious code can persist on a disk without triggering alerts.
By relying on built-in protocols and tools such as SMB, Git, and Netcat, adversaries can operate outside the visibility of standard SSH-based telemetry.
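The Spotlight-metadata technique above is easy to check for from the defender's side. The following script is an added example written for this bulletin, not code from Cisco Talos or any of the projects mentioned: it applies a heuristic to Finder comments (a long, strictly base64 string that decodes to a script or to binary) over constructed sample data, and on macOS can read real comments from the Spotlight index via the system `mdls` tool, which is assumed to have indexed the files.

```python
import base64
import re
import subprocess
from typing import Dict, List

# Finder comments are exposed through Spotlight as kMDItemFinderComment.
# A long, strictly base64 string that decodes to a script or to binary
# is not something a person types into a comment field, so flag it.
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_LEN = 40
SCRIPT_MARKERS = (b"#!", b"osascript", b"/bin/sh", b"bash", b"python", b"curl", b"base64")


def looks_like_encoded_payload(comment: str) -> bool:
    """Return True if a Finder comment looks like a base64-encoded payload."""
    s = "".join(comment.split())  # drop whitespace and line wrapping
    if len(s) < MIN_LEN or not B64_RE.fullmatch(s):
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Control bytes other than tab/newline/CR suggest a binary blob.
    has_control_bytes = any(b < 9 or 13 < b < 32 or b == 127 for b in raw)
    return has_control_bytes or any(m in raw for m in SCRIPT_MARKERS)


def scan_comments(comments: Dict[str, str]) -> List[str]:
    """Return the paths whose Finder comment looks like an encoded payload."""
    return [path for path, c in comments.items() if looks_like_encoded_payload(c)]


def read_finder_comment(path: str) -> str:
    """Read a file's Finder comment from the Spotlight index with mdls (macOS only)."""
    out = subprocess.run(
        ["mdls", "-name", "kMDItemFinderComment", "-raw", path],
        capture_output=True, text=True, check=False,
    ).stdout.strip()
    return "" if out == "(null)" else out


# Constructed sample data standing in for real Spotlight metadata.
SAMPLE_COMMENTS = {
    "notes.txt": "Quarterly report, reviewed by J.",
    "invoice.pdf": base64.b64encode(b"#!/bin/sh\necho 'constructed test payload'\n").decode(),
    "photo.jpg": "SGVsbG8=",  # short, harmless base64 ("Hello")
}

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    comments = {p: read_finder_comment(p) for p in targets} if targets else SAMPLE_COMMENTS
    for hit in scan_comments(comments):
        print(f"suspicious Finder comment: {hit}")
```

Run it with no arguments to exercise the constructed samples, or pass file paths on a Mac to inspect live metadata; treat hits as leads for triage, since a legitimate long token pasted into a comment will also match.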
Supply Chain Malware Surge
The npm registry continues to be a primary vector for supply chain attacks. Several new malicious packages (including ixpresso-core and @genoma-ui/components) have been identified. These packages are designed to:
- Steal sensitive host data.
- Inject SSH backdoors into ~/.ssh/authorized_keys.
- Spread the XWorm RAT.
- Self-propagate using the victim's npm tokens.
Furthermore, the StealTok campaign has seen over 130,000 users download malicious Chrome and Edge extensions that masquerade as TikTok video downloaders but actually implement covert data collection.
The Rise of Industrial SIM Farms: ProxySmart
A Belarus-based platform called ProxySmart is reportedly operating as a "SIM Farm-as-a-Service," supporting cybercrime on an industrial scale. Researchers identified 87 control panels across 17 countries, spanning 94 physical phone farm locations.
These farms use physical Android phones or 5G modems to enable smishing, OTP interception, and premium-rate fraud. While ProxySmart claims to be a legitimate "data-path proxy management platform," technical analysis suggests capabilities consistent with large-scale evasion and network fingerprint spoofing.
AI and Prompt Injection Vulnerabilities
Forcepoint has flagged 10 new Indirect Prompt Injection (IPI) payloads targeting AI agents. Attackers "poison" web content with hidden instructions. When an AI agent ingests the page, it fails to distinguish trusted instructions from malicious ones, potentially triggering financial fraud or API key theft.
In related AI news, Clarifai recently confirmed the deletion of 3 million profile photos originally scraped from OkCupid following an FTC settlement, highlighting ongoing privacy concerns regarding AI training data.
Additional Threats & News in Brief
- Active Exploits: VulnCheck warned of active RCE exploitation in MajorDoMo (smart home automation) and an authentication bypass in NETGEAR DGN2200 routers.
- Infrastructure Sabotage: Iran has claimed that U.S.-made networking equipment (Cisco, Juniper) contains firmware backdoors that were used to disable hardware during recent conflicts, even without internet access.
- Ransomware Infighting: The Krybit ransomware group successfully hacked the leak site of rival group 0APT after 0APT threatened to dox them.
- SilentGlass: The U.K. NCSC unveiled "SilentGlass," a plug-and-play hardware device designed to protect HDMI and DisplayPort connections from malicious interference.
Conclusion
The themes of this week's bulletin are clear: attackers are leveraging "simple" mistakes—unpatched servers, unvetted code, and default trust policies—to achieve massive results. Whether it is state-sponsored groups targeting DeFi or "SIM farms" enabling retail-level fraud, the most effective defense remains fundamental hygiene: patch early, limit access, and verify every input.