Malware 'RingReaper' Evades Linux EDRs Using io_uring
Summary
A sophisticated post-exploit tool named RingReaper has been identified. It leverages the Linux kernel's io_uring framework to evade endpoint detection and response (EDR) systems: because it submits its I/O through io_uring's asynchronous submission and completion rings rather than through the conventional syscalls that EDR agents hook, traditional monitoring tools have difficulty detecting its presence. The malware targets enterprise Linux servers and cloud workloads, using io_uring for various malicious activities, including process discovery, network enumeration, data collection, and privilege escalation. It also includes a self-destruct feature to erase all traces of its presence. The tool is designed by a highly skilled and likely well-funded actor. RingReaper represents a significant evolution in adversary techniques, focusing on subverting the kernel-level monitoring hooks used by modern EDR tools. It is one of the first real-world examples of malware exploiting the io_uring framework for evasion.
Timeline
- 19.08.2025 23:01 · 1 article
  RingReaper malware leveraging io_uring to evade Linux EDRs
  Source: 'RingReaper' Sneaks Right Past Linux EDRs — www.darkreading.com — 19.08.2025 23:01
Information Snippets
- RingReaper uses the io_uring framework to perform I/O operations, bypassing traditional syscall hooks.
- The malware targets enterprise Linux servers and cloud workloads where EDR agents are deployed.
- RingReaper includes payloads for process discovery, network enumeration, data collection, and privilege escalation.
- The malware features a self-destruct mechanism to erase its presence from the system.
- RingReaper is designed by a highly skilled and likely well-funded actor.
- The io_uring framework was introduced in Linux kernel version 5.1 in 2019.
- RingReaper is one of the first real-world examples of malware exploiting io_uring for evasion.
- The malware uses io_uring for various purposes, including discovering running processes, enumerating active sessions, and discovering network connections.
All snippets first reported 19.08.2025 23:01. Source: 'RingReaper' Sneaks Right Past Linux EDRs — www.darkreading.com — 19.08.2025 23:01
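As an added defender-side example (not code from the article or from the RingReaper tooling), the Python script below audits a Linux host for the two things a blue team wants to know about io_uring: which processes currently hold an io_uring instance (visible as the `anon_inode:[io_uring]` link target under /proc/PID/fd) and what the `kernel.io_uring_disabled` sysctl is set to, which on Linux 6.6 and later lets an administrator restrict io_uring to privileged processes or disable it on hosts whose workloads do not need it. The `build_sample_proc` helper constructs a fake /proc tree so the code can run offline; the `proc_root` parameter is an assumption added for that purpose.

```python
import os
import tempfile
from pathlib import Path

# readlink target the kernel reports for an fd returned by io_uring_setup(2)
IO_URING_LINK = "anon_inode:[io_uring]"


def find_io_uring_users(proc_root="/proc"):
    """Return {pid: comm} for every process holding at least one io_uring fd."""
    users = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            fds = list((entry / "fd").iterdir())
        except OSError:  # process exited, or no permission (run as root for full coverage)
            continue
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target == IO_URING_LINK:
                comm_file = entry / "comm"
                users[int(entry.name)] = comm_file.read_text().strip() if comm_file.exists() else "?"
                break
    return users


def io_uring_policy(proc_root="/proc"):
    """Interpret kernel.io_uring_disabled (Linux 6.6+): 0 open to all, 1 privileged only, 2 off."""
    knob = Path(proc_root) / "sys" / "kernel" / "io_uring_disabled"
    if not knob.exists():
        return "unavailable"  # older kernel: io_uring cannot be restricted through this sysctl
    return {"0": "unrestricted", "1": "restricted", "2": "disabled"}.get(knob.read_text().strip(), "unknown")


def build_sample_proc():
    """Constructed /proc look-alike for offline use: pid 101 holds an io_uring fd, pid 202 does not."""
    root = Path(tempfile.mkdtemp())
    for pid, comm, links in ((101, "worker", [IO_URING_LINK, "socket:[4242]"]), (202, "bash", ["/dev/pts/0"])):
        fd_dir = root / str(pid) / "fd"
        fd_dir.mkdir(parents=True)
        (root / str(pid) / "comm").write_text(comm + "\n")
        for i, target in enumerate(links):
            os.symlink(target, fd_dir / str(i))  # dangling symlinks, just like /proc fd entries
    (root / "sys" / "kernel").mkdir(parents=True)
    (root / "sys" / "kernel" / "io_uring_disabled").write_text("0\n")
    return str(root)


if __name__ == "__main__":
    for pid, comm in sorted(find_io_uring_users().items()):
        print(f"pid {pid} ({comm}) holds an io_uring instance")
    print("kernel.io_uring_disabled policy:", io_uring_policy())
```

A process that shows up here and is not a known io_uring consumer (database, proxy, or similar high-throughput service) is worth a closer look, since any I/O it submits through the rings will not appear in syscall-hook telemetry.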
Similar Happenings
Resurfaced ChillyHell macOS Backdoor Discovered
A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestomping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.
AI systems vulnerable to data-theft prompts in downscaled images
Researchers have demonstrated a new attack method that steals user data by embedding malicious prompts in images. These prompts are invisible in full-resolution images but become visible when the images are downscaled by AI systems. The attack exploits aliasing artifacts introduced by resampling algorithms, allowing hidden text to emerge and be interpreted as user instructions by the AI model. This can lead to data leakage or unauthorized actions. The method has been successfully tested against several AI systems, including Google Gemini CLI, Vertex AI Studio, Gemini's web interface, Gemini's API, Google Assistant on Android, and Genspark. The attack was developed by Kikimora Morozova and Suha Sabi Hussain from Trail of Bits, building on a 2020 theory presented in a USENIX paper. The researchers have also released an open-source tool, Anamorpher, to create images for testing the attack. They recommend implementing dimension restrictions and user confirmation for sensitive tool calls as mitigation strategies.
Critical SSRF vulnerability in Docker Desktop for Windows and macOS
A critical server-side request forgery (SSRF) vulnerability in Docker Desktop for Windows and macOS allows attackers to hijack the host system by running malicious containers. The flaw, identified as CVE-2025-9074, has a severity rating of 9.3. It enables unauthorized access to user files on the host system, even with Enhanced Container Isolation (ECI) enabled. The vulnerability was discovered by security researcher Felix Boulet, who demonstrated a proof-of-concept exploit that does not require code execution rights inside the container. The flaw affects Docker Desktop on Windows and macOS but not the Linux version. Docker released a patch in version 4.44.3. The exploit can be triggered by a web request from any container to the Docker Engine API at 192.168.65.7:2375 without authentication. It involves posting a JSON payload to /containers/create to bind the host C:\ drive to a folder in the container and using a startup command to access host files, then posting to /containers/{id}/start to launch the container. The vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, enabling whichever HTTP request methods the SSRF flaw permits. The article further elaborates on the differences in impact between the Windows and macOS versions of Docker Desktop, noting that macOS has additional safeguards that mitigate the risk compared to Windows. The vulnerability allows attackers to control containers, mount the host's file system, and escalate privileges to those of an administrator. On Windows, an attacker could exploit the flaw to mount the host's file system and overwrite a system DLL to obtain administrative privileges on the host. The macOS version of the application can be exploited to take full control of other containers, or to backdoor the Docker app by mounting and modifying its configuration.
A variant of a recently disclosed campaign abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. The attack chain involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. The threat actors run a Base64-encoded payload to download a shell script downloader from a .onion domain. The shell script alters SSH configurations to set up persistence and installs tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks. The dropper launches Masscan to scan the internet for open Docker API services at port 2375 and propagates the infection by creating new containers through the exposed APIs it identifies. The binary also checks for ports 23 (Telnet) and 9222 (remote debugging port for Chromium browsers) for potential future exploitation. The malware utilizes a Go library named chromedp to interact with the web browser and siphon cookies and other private data, and transmits details to an endpoint named "httpbot/add," indicating potential botnet activity. The attackers also block external access to the exposed Docker API by writing a command in the crontab file to create a cron job that executes every minute. The modified Alpine Linux image they use includes a base64-encoded shell command to execute the payload; the container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy.
The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem, and writes a base64-encoded cron job on the host that executes every minute and blocks external access to port 2375 using whichever firewall utility is available. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it. The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host's utmp file to identify logged-in users. The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.