Threat
alerts

Jamf Threat Labs has identified a significant evolution in the deployment tactics of the MacSync Stealer malware. Previously reliant on social engineering techniques such as "ClickFix" or "drag-to-terminal" instructions, threat actors have shifted towards a more sophisticated approach. The malware is now being distributed as a code-signed Swift application, significantly increasing its ability to bypass standard macOS security controls.

Rapid7 Labs has uncovered a new, actively developing Malware-as-a-Service (MaaS) threat known as "SantaStealer". Currently promoted via Telegram and underground forums (specifically the Russian-language forum Lolz), this malware is an evolution of the previously identified "BluelineStealer".

CVE-2025-55182 is a critical, unauthenticated RCE in React Server Components affecting React 19.x and Next.js. This unsafe deserialisation flaw is actively exploited by a bifurcated landscape: PRC-linked groups targeting espionage and persistence, alongside cybercriminals deploying ransomware. Post-exploitation tradecraft has escalated rapidly, now featuring novel Linux backdoors like "PeerBlight," WAF evasion, and direct attacks on cloud control planes.

Threat actors are increasingly pivoting toward social engineering strategies, specifically towards the "ClickFix" tactic that tricks users into manually running malicious scripts. This technique effectively circumvents standard perimeter defences, such as "Mark-of-the-Web" (MOTW) controls and browser sandboxes.

After a period of silence, the notorious JavaScript-based malware loader Gootloader has resurfaced according to researchers. Known for compromising legitimate websites to poison search engine results (SEO poisoning), the group has returned with a mature, highly specialized criminal supply chain and a suite of new evasion techniques that challenge traditional detection methods.

A critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is under active exploitation. The flaw, caused by an unsafe deserialisation of untrusted data, allows a remote, unauthenticated attacker to gain full NT AUTHORITY\SYSTEM privileges on an affected server. This allows them to push malicious packages disguised as legitimate Microsoft security updates. Worth to note: servers are only vulnerable if the WSUS role is explicitly enabled.

The intrusion into F5's product development environment was allegedly attributed to another suspected China-nexus actor, UNC5221. A threat cluster specialised in long-term cyber espionage missions with a dwell time of approximately 393 days. In 2023, the threat actor UNC5174 was observed actively exploiting a critical N-day vulnerability (CVE-2023-46747) in F5 BIG-IP appliances to gain initial network access.

F5 disclosed a security incident that internal corporate environment had been breached stating that in August 2025 a nation-state threat actor established foothold and maintained long-term, persistent access to specific F5 systems. In previous breaches, threat actor designated UNC5174 leveraged a chain of two vulnerabilities to achieve unauthenticated remote code execution. Their tactics, techniques, and procedures (TTPs) include the deployment of custom, in-memory malware such as the SNOWLIGHT downloader and the GOHEAVY tunneler, which are designed to evade traditional disk-based antivirus and forensic analysis.

The npm ecosystem was subjected to one of its most significant supply chain attacks to date. A threat actor compromised the account of a prolific open-source maintainer and published malicious versions of 18 popular packages, including chalk and debug. These have been detected and removed in several hours from discovery.