New Obscura Ransomware Variant Encrypts Networks

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Jaguar Land Rover (JLR) has confirmed a data breach following a recent cyberattack that disrupted its operations. The attack, which forced JLR to shut down systems and instruct staff not to report to work, involved data theft. The company is collaborating with the U.K. National Cyber Security Centre (NCSC) to investigate the incident. A group called 'Scattered Lapsus$ Hunters', associated with Lapsus$, Scattered Spider, and ShinyHunters, has claimed responsibility for the breach, sharing screenshots of an internal JLR SAP system and claiming ransomware deployment. This attack is part of a broader pattern of Salesforce data theft attacks, which have impacted numerous organizations this year. The FBI has issued a flash alert on UNC6040 and UNC6395, groups targeting Salesforce platforms, exploiting OAuth tokens and using vishing campaigns. The group 'Scattered Lapsus$ Hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention. However, cybersecurity researchers believe the group will continue conducting attacks quietly despite their claims of going dark. ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating on attacks, leveraging each other's strengths in large-scale data theft and social engineering. This collaboration has targeted major companies across multiple sectors, including retail, insurance, and aviation. The groups have used tactics such as vishing, domain spoofing, and VPN obfuscation for data exfiltration. Recent attacks have impacted Farmers Insurance, with 1.1 million customers affected by a breach involving a third-party vendor's Salesforce database. The group 'Scattered Lapsus$ Hunters' claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement to gain access to sensitive user data. Google confirmed the creation of a fraudulent account in its LERS platform but stated that no data was accessed. The groups have been observed using similar domain formats and registry characteristics, suggesting a coordinated effort. This collaboration poses a significant threat to organizations, requiring a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The groups are now targeting Salesforce customers and may expand to financial services and technology providers. A new Telegram channel emerged, conflating ShinyHunters, Scattered Spider, and LAPSUS$, claiming to develop a ransomware-as-a-service solution. BreachForums has been commandeered by international law enforcement and turned into a honeypot. Workday confirmed a breach involving a third-party CRM system, likely linked to ShinyHunters' Salesforce attacks. Attackers used social engineering to impersonate Workday's HR department, gaining access to business contact information. Workday quickly blocked access to the compromised system and adopted additional internal security measures. The attack on Allianz Life involved the theft of personal information of 1.1 million individuals, impacting nearly 1.4 million customers. The stolen data includes email addresses, names, genders, dates of birth, phone numbers, and physical addresses. The attackers used a malicious OAuth app to gain access to Salesforce instances, and the extortion demands were signed as coming from ShinyHunters, a known extortion group. The breach was first reported by TechCrunch and confirmed by Allianz Life on July 16. The compromised data was hosted on a Salesforce database, affecting multiple companies. Scattered Spider has resumed attacks targeting the financial sector, despite previous claims of going 'dark'. The group gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network. The group attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories. Their recent activity undercuts claims of ceasing operations, suggesting a strategic move to evade law enforcement pressure. Scattered Spider is part of a broader online entity called The Com and shares significant overlap with ShinyHunters and LAPSUS$. The group's retirement claims are likely a strategic retreat to reassess practices, refine tradecraft, and evade ongoing efforts to disrupt their activities. Scattered Spider may regroup or rebrand under a different alias in the future, similar to ransomware groups. The group's farewell letter is viewed as a strategic retreat to complicate attribution efforts and evade law enforcement. Scattered Spider's recent activity includes targeted intrusions against a U.S. banking organization, using sophisticated tactics to evade detection. The UK National Crime Agency (NCA) has arrested two teenagers, Owen Flowers and Thalha Jubair, linked to the Scattered Spider hacking collective. Owen Flowers, 18, from Walsall, and Thalha Jubair, 19, from East London, are scheduled to appear at Westminster Magistrates Court. Flowers was previously arrested in September 2024 for his alleged involvement in the Transport for London (TfL) attack and was released on bail. Additional evidence links Flowers to attacks against U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health. Thalha Jubair was charged with conspiracies to commit computer fraud, money laundering, and wire fraud, affecting at least 47 U.S. organizations. Jubair and his accomplices have received at least $115 million in ransom payments from victims. The TfL cyberattack in August 2024 disrupted internal systems and online services, and compromised customer data including names, contact details, and addresses. TfL provides transportation services to over 8.4 million Londoners through its surface, underground, and Crossrail transport systems. In May 2023, TfL experienced another security breach when the Clop ransomware gang stole data from one of its suppliers' MOVEit Managed File Transfer (MFT) servers. A member of the notorious cybercrime group Scattered Spider has turned himself in to authorities in Las Vegas. The suspect, identified by the FBI's Las Vegas Cyber Task Force, faces charges including extortion and computer-related crimes. The Clark County District Attorney's Office is seeking to transfer the juvenile to the criminal division to face charges as an adult. Meanwhile, two other suspected members, Thalha Jubair and Owen Flowers, were arrested in the UK for their involvement in the Transport for London (TfL) hack. Despite the group's announcement of shutting down operations, security researchers remain skeptical, pointing to evidence of continued activity. Three members of Scattered Spider were arrested in September 2025, following their announcement of shutting down operations. Noah Urban, a key member of Scattered Spider, was sentenced to ten years in prison for his role in SIM-swapping and cybercrime activities. Urban's role involved social engineering to gain access to sensitive systems, using tactics such as SIM-swapping and phishing. Urban's activities included breaching T-Mobile's customer service portal and exploiting a Twilio employee's credentials. The group 0ktapus, which includes Scattered Spider members, was involved in high-profile breaches, including the theft of personal information from Gemini Trust. A man from West Sussex was arrested in connection with a ransomware attack that disrupted operations at several European airports, including Heathrow. The ransomware variant used in the attack was identified as HardBit, described as an "incredibly basic" variant. The attack affected Collins Aerospace baggage and check-in software, causing flight delays at multiple airports. The Co-operative Group in the U.K. reported a loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack caused a revenue reduction of £206 million ($277 million) and additional losses of £20 million ($27 million) expected for the second half of 2025. The Co-op Group operates 2,300 food retail stores and 59 franchise stores. The cyberattack forced the Co-op to shut down parts of its IT systems, causing disruptions to back-office and call-center services. Scattered Spider affiliates were responsible for the Co-op cyberattack, stealing personal data of 6.5 million members. The Co-op had to rebuild its Windows domain controllers and extend system unavailability due to the attack. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response to the attack prevented encryption but resulted in significant financial impact and operational disruptions. The Co-op implemented manual processes, rerouted items, and offered discounts to mitigate the impact of the cyberattack. The Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco, due to the cyberattack. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.