Weekly Cyber Briefing 01.12.2025
Weekly Cyber Briefing: 01 December 2025
Scattered Lapsus$ Hunters target Zendesk users with fake domains; New macOS malware uses fake apps to steal data; Hundreds of npm Packages in major supply chain scare
The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our Head of Incident Response, Oliver Burnand.
Scattered Lapsus$ Hunters target Zendesk users with fake domains
A new campaign by the threat group Scattered Lapsus$ Hunters appears to be targeting users of the popular support platform Zendesk. Security researchers at ReliaQuest say they have uncovered more than 40 typo-squatted and impersonation domains, such as ‘znedesk.com’ or ‘vpn-zendesk.com’, that mimic legitimate Zendesk login portals.
Some of the fake sites host sham single-sign-on pages to harvest login credentials, while others are used to submit fraudulent support tickets to real Zendesk portals. Those tickets may be weaponised to trick help-desk staff into installing malware or handing over access, potentially giving attackers a foothold inside corporate networks. These tactics mirror earlier campaigns by the group, including attacks on platforms such as Salesforce, suggesting that support and SaaS-based infrastructure are now central to their operations.
Assured’s head of incident response reacts:
Typosquatting (or domain squatting) remains a serious problem for established brands. Many of our clients have, to their surprise, found impersonations of their websites across the internet and have had to go through the cumbersome process of proving ownership to ISPs, requesting takedowns, and pursuing legal action against the perpetrators.
The intended victims of typosquatting attacks are almost always your customers, employees, or partners. If the attack is successful, the question of who is responsible for the compromise arises. Perhaps more importantly, who bears the cost for the resulting compromise?
Ultimately, the answer to this question is irrelevant. From a brand-protection standpoint, legal responsibility is another matter. If a customer has lost money or an employee has handed credentials over to a threat actor through a typosquatting attack, they will, at minimum, associate the incident with your company and, at most, blame your company entirely. They wouldn’t blame the criminal who registered ‘rnicrosoft.com’, they’d blame Microsoft. If you’re serious about your reputation and brand protection, any losses are your responsibility.
Your best bet is to take the steps necessary to prevent these attacks in the first place. Our clients often ask us: “Outside of just purchasing every vaguely similar domain name to ours, what can we do to prevent and respond to these types of attacks?” This is our advice:
- Use automated typosquatting monitoring – services that continuously generate thousands of realistic typo combinations (keyboard walks, missing dots, homographs, wrong TLDs, etc.) and crawl them daily for:
- Live phishing/malware pages
- MX records pointing to real mail servers (credential harvesting)
- SSL certificates issued for your brand
- Defensive registration: but smarter, not endless. Instead of buying 5,000 garbage domains, prioritise:
-
- The 20–50 most dangerous/likely-to-be-abused typos (e.g., -login, -secure, -signin + .com/.co/.app)
- Internationalised domain names (IDNs) that look identical in some languages
- New gTLDs that matter to you (.bank, .sucks, .security, .google, etc.)
- Certificate Transparency (CT) Log Monitoring
- Free or cheap: get alerted the same day someone gets an SSL cert for “micr0soft.com” or “g00gle.com”. Tools: CertStream, CRT.sh alerts, or paid brand-protection platforms.
- DNS Firewall / RPZ (Response Policy Zones)
- Push known bad typo domains to your corporate DNS resolver so employees physically can’t resolve them (even if they type wrong).
- Browser/Endpoint Protection that Blocks Known Typo
- Many enterprise EDRs and secure web gateways now ingest typo feeds and automatically block them.
What should you do when you find an impersonated domain?
Immediate Takedown Paths:
-
- Hosting provider abuse helpdesk (usually 4–48 hours)
- Registrar abuse desk (the official abuse-reporting contact at the domain registrar)
- Registry takedown (some like .com/.net have trusted notifier programs that resolve in <24h)
- Google Safe Browsing / Microsoft SmartScreen urgent submission (gets it blocked in Chrome/Edge fast)
- You send a DMCA Digital Millennium Copyright Act (U.S. law, but respected worldwide by almost every hosting company) takedown notice to the web hosting provider + UDRP Uniform Domain-Name Dispute-Resolution Policy (ICANN’s global arbitration system).
Trusted Notifier / Law-Enforcement Fast Lanes
Many brand-protection firms (and some in-house teams) have “trusted flagger” status with GoDaddy, Namecheap, Cloudflare, Google, Microsoft, etc. This can shave days or weeks off the process.
Legal Pressure That Actually Works
John Doe lawsuits and disclosure orders against privacy-protected registrars (especially in the EU and US) are surprisingly fast now, if you have experienced counsel.
New macOS malware uses fake apps to steal data
Security researchers at Jamf have uncovered a new macOS malware chain that uses staged scripts, fake installer decoys, and a persistent Go-based backdoor to penetrate victims’ machines. Victims are approached via bogus job interviews or fake software-update prompts, coaxed into running a Terminal command. That command installs a loader which then downloads different payloads depending on whether the Mac uses an Intel or Apple silicon chip, installs a hidden startup agent, and finally displays a decoy app mimicking a Chrome-style password prompt to phish credentials. Once active, the backdoor maintains a connection to a hard-coded command server, allowing attackers to harvest system data, extract browser profile and credential information, upload or download files, and run arbitrary shell commands. Once the malware establishes a backdoor, organisations often need to isolate affected systems, conduct forensic investigations, and rebuild or wipe compromised machines, all of which disrupts normal operations.
Assured’s head of incident response reacts:
It isn’t uncommon for advanced persistent threats (APTs) like those from FlexibleFerret to slip past EDR tools, which are designed to catch infections through:
i)Signatures,
ii)Behavioural analysis
iii)Heuristics* (or pattern matching).
If you’re interested in how this variant bypassed these features:
Signatures & Heuristics: CDrivers is a new malware variant, making signature comparison impossible. CDrivers also use dynamic imports**, string encryption, and code obfuscation to hide malicious strings and APIs, meaning no obvious red flags for static analysis tools to alert on and bypassing heuristics. And like many multi-stage loaders, CDrivers decrypts its payloads within live memory itself – avoiding writing to disk and triggering file-based scans.
Behavioural analysis: CDrivers leverages legitimate macOS mechanisms (like LaunchAgents (~/Library/LaunchAgents/) for persistence, mimicking benign system services. EDRs often actually whitelist these paths to avoid false positives, allowing anomalous behaviour to unfold in these ‘trusted’ locations. Execution within CDrivers happens via embedded binaries that blend with standard processes, evading process-hollowing detection.
So, what are some footprints you can see to detect CDrvier backdoor malware?
| Response action | Method | What to Look For | Tools/Commands |
| Malware Scans | Run full system scans with reputable AV/EDR. Apple’s XProtect catches basics, but use add-ons for advanced threats. | Known signatures for CDrivers payloads (e.g., Go binaries in /tmp or user dirs). | – Built-in: Update macOS (System Settings > General > Software Update) to refresh XProtect. – Free: Malwarebytes (download from malwarebytes.com; scan for “CDrivers” or Go droppers). – Paid: Jamf Protect or SentinelOne (now detect CDrivers variants via behavioral rules). – Command: mdfind “kMDItemFSName == ‘CDrivers*'” (Spotlight search for files). |
| Persistence Mechanisms | Inspect LaunchAgents/Daemons for fakes. CDrivers hides here as “update” services. | Plists like com.apple.updateservice.plist in ~/Library/LaunchAgents/ with suspicious paths or scripts. | – Command: ls -la ~/Library/LaunchAgents/ /Library/LaunchAgents/ /Library/LaunchDaemons/ – Unload suspicious: launchctl unload ~/Library/LaunchAgents/suspicious.plist – Tool: plutil -p ~/Library/LaunchAgents/*.plist (Parse for anomalies like remote fetches). |
| Running Processes | Monitor for unsigned Go binaries or loaders. | Processes like curl with odd args, or unnamed Go exes in memory. | – Command: `ps aux |
| Network Activity | Check for C2/exfil. CDrivers uses Dropbox APIs and hard-coded servers. | Outbound to fragmented Dropbox hosts or unknown IPs. | – Command: netstat -an | grep ESTABLISHED – Tool: Little Snitch (free trial) or Wireshark (capture traffic; filter for HTTPS to dropbox.com). |
| Credentials & Files | Hunt for theft artifacts. Fake Chrome prompts dump creds. | Unusual browser extensions or files in ~/Library/Application Support/Google/Chrome/. | – Command: find ~ -name “*chrome*update*” -type f – Check Keychain: Keychain Access app > Search for recent additions. |
If your investigation identifies anything suspicious, take the usual incident response steps (and add these to your incident response plan or malware playbook if they would be useful):
- Isolate the Device: Disconnect from Wi-Fi and Ethernet. Disable Bluetooth (System Settings > Bluetooth). If enterprise, quarantine via MDM (e.g., Jamf Pro).
- Kill Active Components: From Step 1, unload/quit any suspicious processes/agents. Block domains: Add to /etc/hosts (e.g., 127.0.0.1 api.ipify.org).
- Change Credentials: Assume compromise—update passwords for all accounts (Apple ID, email, banking) from a clean device. Enable 2FA everywhere.
- Automated Removal: Run Malwarebytes or Intego in full scan mode—quarantine hits. For Jamf Protect users, it automatically blocks or quarantines Go payloads.
- Manual Cleanup:
- Delete suspicious files/plists: rm -rf ~/Library/LaunchAgents/suspicious.plist (backup first!).
- Clear caches: rm -rf ~/Library/Caches/* and browser data (Chrome > Clear Browsing Data).
- Reinstall affected apps: E.g., if Chrome was spoofed, uninstall/reinstall from the official site.
- Advanced: Boot to Recovery Mode (Command+R on startup) > Reinstall macOS (non-destructive; preserves files but overwrites system). Or, for belt and braces, erase the disk in Disk Utility and perform a clean install.
- Verify: Re-scan post-cleanup. Monitor logs: log show –predicate ‘process == “curl”‘ –last 1d for residuals.
* Heuristics – in plainer English, is a feature designed to flag things like unusual API calls, code structures, or runtime actions that resemble known malware tactics. EDR providers constantly update these and are therefore more advanced than standard signature detection.
** Dynamic imports mean that the malware does not contain the usual long list of imported macOS API function names inside the binary at compile time.
Hundreds of npm packages in major supply chain scare
In recent weeks, the open-source software registry npm has been hit by a large-scale supply-chain attack. Malicious worm ‘Shai-Hulud’ infected hundreds of npm packages with malicious code. When developers install one of these compromised packages, the malware executes hidden scripts that silently harvest sensitive credentials such as cloud-service API keys, version-control tokens and CI/CD secrets. With valid credentials, the worm automatically republishes infected versions of packages belonging to that maintainer, spreading across the ecosystem. This greatly amplifies the risk, because even a single initial compromise can cascade into widespread contamination of software dependencies used by projects worldwide.
Assured’s head of incident response reacts:
At risk of preaching to the converted and banging the supply chain risk drum alongside every other cybersecurity advisor, it’s impossible to ignore that the npm ecosystem is a prime target for cyber criminals. The Shai-Hulud is yet another example of malware targeting this ecosystem, primarily affecting developers and businesses that rely on open-source JavaScript packages. Last week, I gave some guidance on what businesses can do to counter these supply chain threats. But to add some thoughts that have occurred to me since then: If you’re a conscientious cyber professional, you might consider collaborating with ecosystems by reporting suspicions to npm/GitHub security teams, and in turn, following their advisories for bulk removals.
To report these:
- Visit the npm support page and create a ticket.
- Select “Security” or “Report a vulnerability/malware” as the category.
- Provide details: Your name, email, package name, version, evidence of the issue (e.g., suspicious behaviour, stolen credentials), and any audit report info from npm audit.
- For package-specific issues, include the package’s issue tracker link if available.
On top of this, you can monitor sources such as the npm blog and cybersecurity feeds for emerging variants. Shai-Hulud is scaling rapidly, with more than 1,000 new repos appearing every 30 minutes.
Cleaning up potentially infected environments:
| Action | Description | Why It Helps |
| Review and Audit Dependencies | Immediately scan all npm dependencies, especially those related to Zapier, ENS, or high-download packages. Use tools like npm audit or third-party scanners (e.g., Snyk or Socket) to identify vulnerable versions. | Detects infected packages early; the worm has hit over 700, so targeted audits prevent widespread infection. |
| Rotate All Secrets | Change GitHub tokens, npm credentials, AWS/cloud keys, and CI/CD secrets used in package installs or builds. | The worm’s primary goal is credential theft—rotation neutralises exfiltrated data before attackers can exploit it. |
| Scan for Suspicious Repositories | Check your GitHub account for unfamiliar repos with descriptions like “Sha1-Hulud: The Second Coming” or random names containing .json files of stolen data. Delete and report them via GitHub’s abuse tools. | Attackers use these for data dumps; early detection stops further propagation. |
| Remove Malicious Packages | Uninstall and block any flagged packages (npm and GitHub are actively removing them, but verify manually). Monitor for re-uploads. | Halts execution of the worm’s payload, which includes installing a rogue ‘bun’ runtime for evasion. |
And then to add some preventive best practices to counter the threats before they take hold:
| Practice | Implementation Tips | Benefits |
| Pin Package Versions | Use package-lock.json or tools like npm’s overrides to lock dependencies to trusted, audited versions. Avoid dynamic version ranges (e.g., ^1.0.0). | Prevents automatic pulls of malicious updates; the worm exploits version hijacking. |
| Enforce Multi-Factor Authentication (MFA) | Require MFA on all GitHub, npm, and related accounts (e.g., via authenticator apps). Use hardware keys for high-value accounts. | Blocks social engineering attacks that hijack developer accounts—the worm’s entry point. |
| Disable Risky Scripts | Turn off postinstall scripts in CI/CD pipelines (e.g., via .npmrc config: ignore-scripts=true). Review all scripts before enabling. | The worm uses these for payload execution; disabling reduces attack surface without breaking most workflows. |
| Adopt Supply Chain Security Tools | Integrate automated scanners like Safe-Chain, Dependabot, or GitHub Advanced Security to block malicious packages pre-install. Conduct regular SBOM (Software Bill of Materials) audits. | Proactively filters threats; AI-evasion tactics in Shai-Hulud make manual checks insufficient. |
| Monitor and Educate Teams | Set up alerts for unusual package publishes or downloads. Train developers on phishing/social engineering via simulated attacks. | The worm spreads via hijacked maintainer accounts—awareness catches anomalies early. |
| Diversify and Isolate Dependencies | Limit npm use to vetted internal mirrors or proxies (e.g., Verdaccio). Segment dev environments with zero-trust principles. | Reduces blast radius; if one package is compromised, it doesn’t infect the entire ecosystem. |
Topics
- AI
- Application Security
- Authentication
- Aviation
- Business Continuity
- Business Risk
- Car Hacking
- Certification & Accreditation
- ciso
- Cl0p
- Cloud
- Cloud Security
- CNI
- Compliance
- Cyber attacks
- cyber crime
- Cyber insurance
- Cyber Law
- Cyber Resilience
- Cyber Risk
- Data Breaches
- Directors and NEDs
- Diversity
- Encryption
- Ethical Hacking
- Events
- government
- Hiring & Firing
- Human Factor Risk
- Incident Response
- Insider Threat
- Internet of Things
- Internet of Things (IoT)
- Labour
- Leadership
- Legislation
- Legislation & Regulation
- Malware
- Mental Health
- multi stakeholder
- network
- network security
- open source
- OS
- Passwords and Authentication
- Phishing
- Policies
- Privacy
- Public Sector
- Quantum
- Ransomware
- Regulation
- report
- reporting
- Salesforce
- security by design
- security foundation
- Social Media
- Supply Chain Risk
- Sustainability
- terminology
- Threat Intelligence
- Training & Awareness
- vendor management
- vendors
- Venture Capital
- Vulnerability Disclosure
- Vulnerability Management
- windows
- windows10
- zero-day
- zero-trust
Latest articles
Features 27.11.2025
AI Autopsy: A New npm Campaign Spells Trouble for the Software Supply Chain
The ‘IndonesianFood’ campaign has already flooded npm with over 150,000 spammy packages across multiple accounts
Assured Reacts 25.11.2025
Assured Reacts: Delinea Report Claims Cyber Insurance Premiums Soar and Controls Tighten
We are staggered by how little of the Cyber Insurance Report from Delinea resonates with our lived experience as cyber insurance specialists.
Features 25.11.2025
AI Autopsy: How Significant Is Google’s AI-Enabled Malware Discovery?
Have we reached a tipping point in dynamic malware generation and obfuscation?