Cyware Daily Threat Intelligence - July 01, 2026

A single click on a sponsored search result can now turn a developer’s Mac into a launchpad for credential theft and cryptocurrency loss. Cyware spotlights MacSync Stealer, which leverages Google Ads and a fake Anthropic CLI to hijack secrets, browser profiles, and wallets—leaving little evidence behind.
A critical unauthenticated RCE chain in UniFi OS Server exposes managed networks, doors, and cameras to root takeover with a single request. Attackers can bypass authentication, forge admin sessions, and seize control of downstream devices, with CVSS 10.0 severity across three chained vulnerabilities.
Phishing-as-a-service is fueling a new wave of business email compromise. The ARToken platform packages device code phishing and BEC workflows, targeting Microsoft 365 accounts and leveraging reply-pivot invoice fraud to breach finance teams and expose SharePoint and OneDrive data.
Top Malware Reported in the Last 24 Hours
MacSync Stealer tricks macOS developers via ads
MacSync Stealer is a newly identified macOS infostealer that targets users through Google Ads impersonating Anthropic’s Claude Code CLI. MacSync Stealer relies on social engineering to trick victims into running a terminal command, which initiates a triple-encoded zsh dropper that unpacks a secondary script. MacSync Stealer retrieves a .daily payload, decodes a base64+gzip script, and launches a daemon focused on data exfiltration. MacSync Stealer kills the Terminal process to erase evidence, uses a fake System Preferences prompt to capture login credentials, and unlocks the macOS keychain to decrypt saved secrets and collect browser profiles and crypto wallet extensions. For persistence, MacSync Stealer trojanizes Ledger applications and redirects victims to phishing pages. The primary targets are developers and crypto users on macOS, putting them at risk of account takeover and stolen funds. Researchers identified these tactics in recent campaigns.
Operation Navy Ghost backdoors PyPI Telegram bots
Operation Navy Ghost is a malicious package campaign that plants backdoors in trojanized Pyrogram forks distributed via PyPI, targeting Python developers managing Telegram bot infrastructure. Operation Navy Ghost activates when Pyrogram is imported or when the bot starts, registering hidden Telegram command handlers that allow attackers to execute Python code or shell commands on the server. Operation Navy Ghost enables commands such as "/asu print(os.environ)" and "/asi cat /etc/passwd" to extract environment variables and sensitive system data, while suppressing errors and disabling logging to evade detection. BleepingComputer reports that affected packages include VLifeGram, VLife-Gram, pyrogram-navy, pyrogram-styled, pyrogram-zeeb, kelragram, sepgram, and pyrogram-kelra, with a hardcoded “OWNERS” list for exclusive control. The campaign enables remote exposure of databases, credentials, and other high-value infrastructure tied to Telegram bot accounts.
Akira attacks ride SEO-poisoned software downloads
Akira ransomware deployments are enabled by a search-driven intrusion chain leveraging Bing SEO poisoning to direct victims to trojanized installers. Akira uses fake download sites serving tampered MSI files, including a malicious wrapper for Advanced-IP-Scanner.msi, which stages the BumbleBee loader and then AdaptixC2 for hands-on intrusion. Akira supports discovery, credential theft, and data exfiltration, setting up rapid ransomware deployment. Akira operators blend in by using legitimate tools and drivers to weaken defenses, making detection difficult. In the cited Swisscom intrusion, attackers moved from initial access to ransomware deployment in 44 hours.
Top Vulnerabilities Reported in Last 24 hours
UniFi servers exposed to one-shot takeover
CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 are a critical unauthenticated remote code execution chain in UniFi OS Server (each CVSS 10.0) that allow internet attackers to gain root access with a single request. Successful exploitation lets attackers bypass authentication, execute commands using shell metacharacters, and forge admin sessions, resulting in full control of the management plane. These vulnerabilities are exploitable for reading stored secrets and taking over downstream devices managed by the server. Bishop Fox disclosed the issues and published detection guidance. The fix is available in UniFi OS Server 5.0.8; rotate session-token signing keys and monitor for exploitation attempts. All internet-exposed UniFi OS Servers prior to this version are affected.
Cisco phone servers hit by webshell attacks
CVE-2026-20230 is a critical flaw in Cisco Unified Communications Manager (CVSS 10.0) that allows unauthenticated attackers to execute code and potentially escalate to root, enabling persistent server control. Successful exploitation lets adversaries abuse an SSRF path to deploy webshells, providing a stealthy foothold for further intrusion. Attackers are actively exploiting CVE-2026-20230 in the wild. The activity has been linked to BlackBasta and TA4922, with automation routed through Tor. Upgrade to the latest patched version; if patching is not possible, disable WebDialer. All unpatched Cisco Unified Communications Manager servers are at risk.
OT edge devices targeted in Chaya_006
CVE-2025-67038 is an unauthenticated command injection vulnerability in Lantronix serial-to-IP converters (CVSS not specified) exploited in the Chaya_006 campaign to target OT edge devices. Successful exploitation allows attackers to gain persistent control over environments in manufacturing, utilities, and critical infrastructure. Attackers pair CVE-2025-67038 with massive brute-force attempts against internet-exposed OpenWrt interfaces, leading to unauthorized access and potential full network compromise. Attackers have reverse-engineered vendor patches to weaponize the flaw faster. Update Lantronix EDS5000 to 2.2.0R1 and EDS3000 to 3.2.0.0R2, and ensure OpenWrt interfaces are not using default credentials. All unpatched and internet-exposed devices are at risk.
Top Threat Actors Reported in Last 24 hours
MacSync Stealer mimics Claude Code ads
MacSync Stealer is a newly identified macOS infostealer of suspected criminal origin, with a primary motive of credential and cryptocurrency theft. MacSync Stealer leverages Google Ads malvertising and impersonates Anthropic’s Claude Code CLI to lure developers into running a malicious Terminal command. MacSync Stealer retrieves a .daily payload, decodes a base64+gzip script, and launches a daemon for data exfiltration. MacSync Stealer uses a fake System Preferences prompt to harvest login credentials, unlocks the macOS keychain, and collects browser profiles and crypto wallet extensions. MacSync Stealer targets developer workstations and macOS users managing production credentials or wallets. The campaign includes attempts to cover tracks by terminating Terminal and persistence by trojanizing Ledger applications to redirect victims to phishing pages. Researchers have documented these tactics in recent incidents.
ARToken fuels Microsoft 365 invoice phish
ARToken is a phishing-as-a-service platform of suspected criminal origin, with a primary motive of business email compromise and financial fraud. ARToken packages device code phishing, PRT persistence, and BEC workflows into an affiliate-ready toolkit, and researchers tie ARToken to EvilTokens through overlapping infrastructure. ARToken deploys vendor-impersonation invoice fraud targeting Microsoft 365 accounts, using reply-pivot tactics to hijack ongoing email threads. ARToken leverages Cloudflare Workers for resilient lure delivery and implements a seven-layer anti-analysis system with XOR-encrypted payloads to evade defenders. ARToken targets finance teams, turning invoice processing into a pathway for mailbox access, fraudulent payments, and exposure of SharePoint/OneDrive data. Cisco Talos mapped ARToken’s activity to MITRE ATT&CK techniques including T1566.002, T1528, T1098.001, T1114.002, T1550.001, T1531, T1583.006, T1027, and T1497.001.
Frequently Asked Questions
What is MacSync Stealer? MacSync Stealer is a newly identified macOS infostealer pushed through Google Ads that impersonate Anthropic’s Claude Code CLI, turning a simple “install” into credential theft and crypto wallet hijacking. It relies on social engineering to get victims to run a terminal command, which kicks off a triple-encoded zsh dropper that unwraps into a secondary script.
What is Operation Navy Ghost? Operation Navy Ghost is a malicious package campaign that plants backdoors in trojanized Pyrogram forks on PyPI, aiming straight at Python developers who run Telegram bot infrastructure. Once installed, it activates when Pyrogram is imported or when the bot starts, then quietly registers hidden Telegram command handlers that let attackers run Python code or shell commands on the server.
What is Akira? Akira ransomware deployments are being enabled by a search-driven intrusion chain that uses Bing SEO poisoning to funnel victims toward trojanized installers, rather than relying solely on email lures. In the case described, a victim searching for legitimate IT tooling is led to a fake download site serving a tampered MSI (including a malicious wrapper for Advanced-IP-Scanner.msi), which stages the BumbleBee loader and then AdaptixC2 for hands-on intrusion.
What is CVE-2026-34908? A critical unauthenticated RCE chain in UniFi OS Server lets an internet attacker gain root access with a single request, potentially exposing managed networks, doors, and cameras (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, each CVSS 10.0). The chain works by bypassing the authentication gateway and then using shell metacharacters to execute commands and forge admin sessions, turning the management plane itself into the entry point.
What is CVE-2026-20230? A critical flaw in Cisco Unified Communications Manager allows unauthenticated attackers to execute code and potentially escalate to root, enabling long-term server control (CVE-2026-20230). In reported attacks, adversaries abuse an SSRF path to deploy webshells, giving them a quiet foothold for follow-on intrusion.
What is Chaya_006? Attackers behind the Chaya_006 campaign are targeting OT edge devices to gain persistent control over environments that keep real-world operations running, with risk concentrated in manufacturing, utilities, and critical infrastructure. The campaign exploits an unauthenticated command injection in Lantronix serial-to-IP converters (CVE-2025-67038) and pairs it with massive brute-force attempts against internet-exposed OpenWrt interfaces.
What is ARToken? ARToken is a phishing-as-a-service platform targeting Microsoft 365 that packages device code phishing, PRT persistence, and business email compromise (BEC) workflows into an affiliate-ready toolkit, and researchers tie it to EvilTokens through overlapping infrastructure patterns. Recent activity centers on vendor-impersonation invoice fraud aimed at accounts-payable staff, using real vendor relationships and reply-pivot tactics to hijack ongoing email threads.