Cyware Daily Threat Intelligence

Daily Threat Briefing • June 13, 2024
In the shadows of cyberspace, Cosmic Leopard, a Pakistan-linked threat group, has orchestrated Operation Celestial Force - a sophisticated malware campaign targeting Windows, Android, and macOS devices since 2018. Its toolkit combines three malware families, aimed at Indian entities.
Meanwhile, a critical flaw is haunting Apple devices. This vulnerability in NSXPC allows unauthorized access, compromising user and business data, and posing severe privacy risks.
Looking for Olympics tickets? Beware the digital wolves in sheep's clothing! Proofpoint has uncovered a devious scam: fraudulent sites posing as a legitimate ticket vendor for the Paris 2024 Summer Olympic Games. This cunning counterfeit even appeared as a sponsored Google result, enticing unsuspecting fans. In this age of cyber trickery, where every too-good-to-be-true offer might be a cleverly disguised ruse, it's crucial to stay alert.
Operation Celestial Force
A long-running malware campaign by Pakistan-linked threat group Cosmic Leopard has evolved to target Windows, Android, and macOS devices, using a suite of malware tools. The malware campaign, dubbed Operation Celestial Force, has been active since at least 2018. The malware tools include GravityRAT (for Windows, Android, and macOS), HeavyLift (an Electron-based malware loader for Windows and macOS), and GravityAdmin (a command-and-control tool). The campaign has predominantly targeted Indian entities and individuals likely belonging to the defense, government, and related technology sectors.
New phishing kit emerges
A new phishing toolkit allows cybercriminals to create Progressive Web Apps (PWAs) that display convincing corporate login forms to steal user credentials. PWAs integrate with the operating system and can have their own app icons, making them appear more legitimate to users. The toolkit includes a fake address bar showing the legitimate corporate login URL to make the phishing page look more convincing. Threat actors can create websites that promote fake software or remote management tools, and include a button to install a malicious PWA.
PhantomLoader drops SSLoad malware
The new SSLoad malware is being distributed using a previously unknown loader called PhantomLoader, which evades detection by modifying legitimate files. SSLoad has been used to deploy Cobalt Strike and employs various evasion techniques. The malware is delivered through an MSI installer, and its final payload communicates with a command-and-control server to download more malware. This development is part of a trend of phishing campaigns spreading remote access trojans for persistent operation.
Critical vulnerability in Apple platforms
A critical security flaw (CVE-2024-27801) in Apple platforms allows threat actors to gain unauthorized access, posing a serious risk to user and business data security. The vulnerability in the low-level implementation of NSXPC could enable attackers to compromise security features and gain extensive control over impacted devices. The potential consequences include data exfiltration, weakened privacy and security assurances, and risks for users and businesses.
Did Black Basta abuse Windows zero-day?
The Cardinal cybercrime group, which operates the Black Basta ransomware, may have exploited a recently patched Windows privilege escalation vulnerability as a zero-day before it was publicly disclosed, Symantec revealed. The vulnerability (CVE-2024-26169) lies in the Windows Error Reporting Service and allows an attacker to elevate their privileges. It was patched on March 12, but analysis of the group's exploit tool suggests the tool was compiled before the patch, indicating the flaw was used as a zero-day.
Firefox 127 comes with 15 patched bugs
Mozilla released Firefox 127, addressing 15 security vulnerabilities. The vulnerabilities fixed in this release range from high to low impact, with potential consequences including memory corruption, phishing vectors, and user confusion. Mozilla urges all users to update to Firefox 127 to ensure their browsers are protected against these vulnerabilities.
Phishing emails exploit Windows Search
A new phishing campaign was found using HTML attachments that launch Windows Search queries against attacker-controlled remote servers, allowing threat actors to deliver malware. The attackers abuse the Windows search protocol to present malicious files as ordinary search results and lure victims into clicking on them. The HTML attachment is disguised as an invoice document and automatically launches the malicious search URL when the attachment is opened. If the automatic redirect fails, a clickable link serves as a backup. The search parameters make the remote server appear to be a legitimate local source, and if the victim clicks on the displayed file, a batch script hosted on the server is triggered.
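A mail-gateway or sandbox check for the attachment pattern described above can be done with a small parser that pulls every `search-ms:` or `search:` URI out of an HTML file's links and meta-refresh directives, decodes its parameters, and flags any whose search location points to a remote share or URL. The script below is an added illustration, not code from the report or from any vendor; the sample HTML and its `example-share.invalid` host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample of the attachment pattern: a meta refresh to a search-ms:
# URI plus a clickable fallback link. The host is a placeholder, not a real IoC.
SAMPLE_HTML = """<html><head><title>Invoice</title>
<meta http-equiv="refresh" content="0;url=search-ms:query=INV&amp;crumb=location:%5C%5Cexample-share.invalid%40SSL%5CDavWWWRoot&amp;displayname=Downloads">
</head><body>
<p>Your invoice is ready.</p>
<a href="search-ms:query=INV&amp;crumb=location:%5C%5Cexample-share.invalid%40SSL%5CDavWWWRoot&amp;displayname=Downloads">Open invoice</a>
<a href="https://intranet.example/help">Help</a>
</body></html>"""

SEARCH_SCHEMES = ("search-ms:", "search:")


class _UriCollector(HTMLParser):
    """Collects candidate URIs from <a href> attributes and <meta refresh> directives."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &amp; arrives as &
        self.uris = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.uris.append(("href", a["href"]))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)$", a.get("content", ""), flags=re.I)
            if m:
                self.uris.append(("meta-refresh", m.group(1).strip().strip("'\"")))


def parse_search_uri(uri):
    """Split a search-ms:/search: URI into (scheme, {param: decoded value})."""
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return scheme.lower(), params


def find_search_protocol_uris(html):
    """Return one finding per search-protocol URI: where it was found, the
    display name Explorer will show, the location the query targets, and
    whether that location is remote (UNC path or http/https)."""
    collector = _UriCollector()
    collector.feed(html)
    findings = []
    for source, uri in collector.uris:
        if not uri.lower().startswith(SEARCH_SCHEMES):
            continue
        scheme, params = parse_search_uri(uri)
        crumb = params.get("crumb", "")
        location = crumb.partition("location:")[2] if "location:" in crumb else ""
        findings.append({
            "source": source,
            "scheme": scheme,
            "displayname": params.get("displayname", ""),
            "location": location,
            "remote": location.startswith("\\\\") or location.lower().startswith("http"),
        })
    return findings


if __name__ == "__main__":
    for f in find_search_protocol_uris(SAMPLE_HTML):
        print(f)
```

Any HTML attachment that yields a finding with `remote` set is worth quarantining: legitimate invoices have no reason to invoke the Windows Search protocol against an external server, and the `displayname` value shows what the victim would have been led to believe they were browsing. A common complementary mitigation is to unregister the `search-ms:` and `search:` protocol handlers on endpoints; that also breaks legitimate saved-search shortcuts, so pilot it before rolling out.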
Criminals impersonate CISA employees
CISA warned that criminals are impersonating its employees in phone calls and trying to trick victims into sending money. This is part of a broader trend in which fraudsters use government employees' titles and names to make their scams appear more legitimate. The agency has reminded the public that its staff will never contact anyone to request wire transfers, cash, cryptocurrency, or gift cards, nor will they instruct people to keep discussions secret.
Fraudulent Olympics ticketing websites
Proofpoint discovered a fraudulent website, paris24tickets[.]com, claiming to sell tickets for the Paris 2024 Summer Olympic Games. The website appeared legitimate and even showed up as a sponsored result on Google. The site allowed users to select and purchase tickets, potentially collecting personal and payment information. The threat actors behind these sites may have been attempting to steal money and personal information from unsuspecting users. Proofpoint also found a related website, seatsnet[.]com, with numerous complaints of users not receiving tickets they paid for.