GlassWorm malware wave targets macOS developers via malicious extensions
Malware Activity
Summary
Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deliver a VMware ESXi exploit toolkit that Huntress says likely chained CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The campaign used a compromised Domain Admin account to pivot via RDP to domain controllers, stage data for exfiltration, and break out of a guest VM into the ESXi hypervisor. Huntress found build artifacts suggesting the toolkit may have been developed as early as February 2024, but it could not confirm with 100% certainty that the exploitation matched Broadcom’s original zero-day disclosure.
Related Happenings
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
DigiCert hit by network compromise
Incident
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources 1
About this happening:
DigiCert disclosed an **early April** **support environment compromise** that exposed **initialization codes** for approved **EV code-signing certificate orders**, creating a path...
Latest development: 04.05.2026 15:46
By April 17, DigiCert revoked 60 certificates tied to the support-portal compromise, including 27 explicitly linked to the threat actor and 11 used to sign Zhong Stealer, and canceled pending orders to close attacker access. DigiCert also enforced multi-factor authentication for administrative workflows, blocked access to initialization codes from proxied support users, restricted file types for support chat and Salesforce case attachments, and improved logging.
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Timeline
- 08.01.2026 23:27 · 1 article · 4mo ago
Huntress analyzes SonicWall-linked VMware ESXi exploit toolkit
Technical Analysis Update: Huntress analyzed December 2025 attacks against VMware ESXi environments in which a compromised SonicWall VPN appliance provided initial access, a compromised Domain Admin account was used to pivot via RDP to domain controllers, and the toolkit deployed MAESTRO (exploit.exe), MyDriver.sys, VSOCKpuppet, and GetShell Plugin (client.exe). Huntress also noted build paths containing simplified Chinese and an English-language README, suggesting a well-resourced developer operating in a Chinese-speaking region.
Sources:
- VMware ESXi zero-days likely exploited a year before disclosure — www.bleepingcomputer.com — 08.01.2026 23:27
- 01.01.2026 17:18 · 3 articles · 4mo ago
GlassWorm malware wave targets macOS developers via malicious extensions
Initial Disclosure: Earlier GlassWorm waves appeared in **October**, returned in **early November**, and reappeared in **early December** before shifting to a **macOS-only** wave in **January 2026**.
Sources:
- New GlassWorm malware wave targets Macs with trojanized crypto wallets — www.bleepingcomputer.com — 01.01.2026 17:18
- Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm — thehackernews.com — 02.02.2026 07:04