GlassWorm malware wave targets macOS developers via malicious extensions
Malware Activity
Summary
Hide ▲
Show ▼
Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deliver a VMware ESXi exploit toolkit that Huntress says likely chained CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The campaign used a compromised Domain Admin account to pivot via RDP to domain controllers, stage data for exfiltration, and break out of a guest VM into the ESXi hypervisor. Huntress found build artifacts suggesting the toolkit may have been developed as early as February 2024, but it could not confirm with 100% certainty that the exploitation matched Broadcom’s original zero-day disclosure.
Related Happenings
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
Vulnerability
H score34
First: 15.06.2026 16:00
Last: 15.06.2026 16:00
Sources 1
About this happening:
**Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
VulnerabilityAbout this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
H score19
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical AnalysisAbout this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware ActivityAbout this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Timeline
-
08.01.2026 23:27 1 articles · 6mo ago
Huntress analyzes SonicWall-linked VMware ESXi exploit toolkit
Technical Analysis UpdateHuntress analyzed December 2025 attacks against VMware ESXi environments in which a compromised SonicWall VPN appliance provided initial access, a compromised Domain Admin account was used to pivot via RDP to domain controllers, and the toolkit deployed MAESTRO (exploit.exe), MyDriver.sys, VSOCKpuppet, and GetShell Plugin (client.exe). Huntress also noted build paths containing simplified Chinese and an English-language README, suggesting a well-resourced developer operating in a Chinese-speaking region.
Show sources
- VMware ESXi zero-days likely exploited a year before disclosure — www.bleepingcomputer.com — 08.01.2026 23:27
-
01.01.2026 17:18 3 articles · 6mo ago
GlassWorm malware wave targets macOS developers via malicious extensions
Initial DisclosureEarlier GlassWorm waves appeared in **October**, returned in **early November**, and reappeared in **early December** before shifting to a **macOS-only** wave in **January 2026**.
Show sources
- New GlassWorm malware wave targets Macs with trojanized crypto wallets — www.bleepingcomputer.com — 01.01.2026 17:18
- New GlassWorm malware wave targets Macs with trojanized crypto wallets — www.bleepingcomputer.com — 01.01.2026 17:18
- Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm — thehackernews.com — 02.02.2026 07:04