Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm malware wave targets macOS developers via malicious extensions

Malware Activity
First reported
Last updated
Happening score
H score 14
2 unique sources, 3 articles

Summary

Hide ▲

Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deliver a VMware ESXi exploit toolkit that Huntress says likely chained CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The campaign used a compromised Domain Admin account to pivot via RDP to domain controllers, stage data for exfiltration, and break out of a guest VM into the ESXi hypervisor. Huntress found build artifacts suggesting the toolkit may have been developed as early as February 2024, but it could not confirm with 100% certainty that the exploitation matched Broadcom’s original zero-day disclosure.

Related Happenings

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
H score36 First: 02.06.2026 23:01 Last: 02.06.2026 23:01 Sources 1

About this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
H score19 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Timeline

  1. 08.01.2026 23:27 1 articles · 6mo ago

    Huntress analyzes SonicWall-linked VMware ESXi exploit toolkit

    Technical Analysis Update

    Huntress analyzed December 2025 attacks against VMware ESXi environments in which a compromised SonicWall VPN appliance provided initial access, a compromised Domain Admin account was used to pivot via RDP to domain controllers, and the toolkit deployed MAESTRO (exploit.exe), MyDriver.sys, VSOCKpuppet, and GetShell Plugin (client.exe). Huntress also noted build paths containing simplified Chinese and an English-language README, suggesting a well-resourced developer operating in a Chinese-speaking region.

    Show sources
  2. 01.01.2026 17:18 3 articles · 6mo ago

    GlassWorm malware wave targets macOS developers via malicious extensions

    Initial Disclosure

    Earlier GlassWorm waves appeared in **October**, returned in **early November**, and reappeared in **early December** before shifting to a **macOS-only** wave in **January 2026**.

    Show sources