
A new crypto-stealing infostealer, a $10m FBI bounty for a Ukrainian hacker, and other cybersecurity news
This week’s top cybersecurity news: new malware, an FBI bounty, and tougher iPhone defenses.
We round up the week’s most important cybersecurity news.
- Researchers found a new crypto-stealing infostealer.
- A large-scale attack on Vietnam.
- The FBI offers $10m for information on a leading Ukrainian hacker.
- The iPhone has become one of the most secure devices.
Researchers discover a new crypto-stealing infostealer
On 11 September, security specialists at business-focused firm Mosyle uncovered new malware capable of evading antivirus tools and stealing data from browser crypto wallets on Windows, Linux and macOS, Decrypt reports.
The ModStealer malware was distributed via fake job ads for developers. Mosyle said scammers targeted IT professionals because they likely already had the environment needed for the stealer to run.
SlowMist’s chief information security officer, Shan Zhang, highlighted ModStealer’s features and the serious threat to the wider digital-asset ecosystem:
“Unlike traditional stealers, ModStealer stands out for its cross-platform support and a stealthy execution chain in ‘zero-detection’ mode.”
Once executed, the malware scans browser wallet extensions, system credentials and digital certificates, then exfiltrates the data to attackers’ remote servers. On macOS, it autostarts at every boot, masquerading as a background helper. Signs of infection include a hidden file named .sysupdater.dat and connections to a suspicious server.
The primary aim of ModStealer is data theft—specifically from crypto wallets, credential files and configurations.
A large-scale attack on Vietnam
According to Reuters, Vietnam’s borrower database was hit by a cyberattack, allegedly by the international group Shiny Hunters.
The incident affected the National Credit Information Center of Vietnam, which stores sensitive data including personal information, credit payments, risk analyses and credit-card details.
A preliminary investigation found signs of unauthorised access, with the scale of the leak still being assessed. Authorities did not disclose how many accounts were affected.

A dark-web listing by Shiny Hunters offers stolen data on more than 160 million people for $175,000.
The FBI offers $10m for information on a leading Ukrainian hacker
During a special operation involving Ukrainian police, a ransomware group suspected of attacking the networks of global companies was neutralised.
Since 2018, the attackers targeted infrastructure at leading organisations in France, Norway, Germany, the Netherlands, Canada and the United States, encrypting more than 1,000 servers and causing losses of 3 billion hryvnias, according to the Cyber Police.
The suspects were detained; some have already appeared in court, and their assets have been frozen. One of the group’s leaders was notified of suspicion in absentia and placed on an international wanted list.

The FBI announced a reward of up to $10m for information on the whereabouts of a key member of the network. The suspect, Ukrainian citizen Volodymyr Tymoshchuk, has been placed on the EU’s most-wanted list.
The iPhone becomes one of the most secure devices
On 9 September Apple held its annual product presentation. Among various unveilings, the company introduced a new security technology for the latest iPhone 17 and iPhone Air devices.
The Memory Integrity Enforcement feature is designed to block the exploitation of memory-corruption bugs. These are among the most common vulnerabilities used by spyware developers and by makers of forensic phone-analysis tools used by law enforcement.
“Known spyware chains used against iOS have something in common with those targeting Windows and Android: they exploit memory safety vulnerabilities that are interchangeable, powerful, and exist across the industry,” the Apple blog says.
According to TechCrunch, the new security technology could make the latest iPhones among the most secure devices on the planet. Experts told the outlet it will likely make life harder for makers of malware and zero-day exploits.
Researchers find a loophole in Cursor AI
A vulnerability in the Cursor AI code editor exposes developers to the risk of automatically executing tasks from a malicious repository immediately after opening it. That is the conclusion of researchers at Oasis Security, reports Bleeping Computer.
Cursor AI is an AI-assisted development environment built on Visual Studio Code (VS Code) and deeply integrated with popular chatbots such as ChatGPT and Claude.
According to the outlet, it is one of the fastest-growing AI tools for programming, with around a million users generating more than a billion lines of code daily.
The flaw allows malware to be injected, workspaces to be hijacked, and credentials and API tokens to be stolen without the developer running any command.
Oasis Security linked the problem to the Workspace Trust feature of VS Code being disabled; that feature blocks automatic task execution without the developer’s explicit consent. In its default configuration, Cursor AI runs tasks immediately after a project folder is opened. An attacker can exploit this by adding a malicious file to an accessible repository.
After receiving a warning, the Cursor AI developers said they do not intend to change the auto-run approach. In their view, Workspace Trust disables AI and other features important to users.
Oasis Security advised:
- use a different editor to open unknown projects;
- inspect repositories before opening them;
- avoid exporting sensitive credentials globally in shell profiles.
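One way to act on the "inspect repositories before opening them" advice, as an added example that is not from Oasis Security or Cursor: a pre-open check that lists every task set to start on folder open. It assumes the auto-run mechanism is the standard VS Code task file, .vscode/tasks.json, with runOptions.runOn set to "folderOpen" (the article does not name the file); the function names and the sample file are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample of a .vscode/tasks.json (JSON with comments, as VS Code allows).
SAMPLE_TASKS = r'''{
  // build helpers
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "prepare", "type": "shell", "command": "echo constructed-sample",
     "runOptions": {"runOn": "folderOpen"},  /* runs without a click */
    },
  ]
}'''

def _strip(pattern, text):
    """Delete matches of `pattern` that lie outside JSON string literals."""
    rx = re.compile(r'"(?:\\.|[^"\\])*"|' + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def load_jsonc(text):
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)          # comments
    return json.loads(_strip(r",(?=\s*[}\]])", text))    # trailing commas

def find_autorun_tasks(repo_root):
    """Return (file, label, command) for every task set to run on folder open."""
    findings = []
    for path in sorted(Path(repo_root).rglob(".vscode/tasks.json")):
        try:
            tasks = load_jsonc(path.read_text(encoding="utf-8")).get("tasks") or []
        except (ValueError, AttributeError, OSError):
            # A task file the scanner cannot read still deserves a manual look.
            findings.append((str(path), "<unparsable, review by hand>", None))
            continue
        for task in (t for t in tasks if isinstance(t, dict)):
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                findings.append((str(path), task.get("label"), task.get("command")))
    return findings

def demo():
    """Scan a throwaway directory that holds only the constructed sample."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, "project", ".vscode")
        cfg.mkdir(parents=True)
        (cfg / "tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        return [(label, cmd) for _, label, cmd in find_autorun_tasks(root)]
```

Run find_autorun_tasks() on a fresh clone from a terminal or a plain text viewer, before the folder is opened in the editor; any finding is a command that would start without a prompt.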
Also on ForkLog:
- THORChain’s founder lost $1.3m in cryptocurrency.
- An AI service for cyberattacks has emerged on the dark web.
- In the United States, a crypto ATM operator was charged with facilitating fraud.
- Attackers hacked the SwissBorg crypto platform and stole $40m.
- Hackers attacked the JavaScript ecosystem to replace crypto wallets.
What to read this weekend?
Decentralisation is a defining characteristic of the blockchain industry, with direct implications for security. Web3 researcher Volodymyr Menaskop explains its state across the two leading ecosystems.