- \n
- A new group hit crypto companies via fake interviews and macOS malware.<\/li>\n
- A stealth GPU miner spread through search spam and AI chatbots.<\/li>\n
- A vigilante hacker was booted from GitHub and GitLab after posting Microsoft zero-days.<\/li>\n
- CrowdStrike and Google dismantled a network targeting open-source developers.<\/li>\n<\/ul>\n<\/div>\n
New group hit crypto firms via fake interviews and macOS malware<\/h2>\n
Researchers at Wiz<\/a> uncovered a large-scale cryptocurrency theft campaign attributed to a previously unknown group, JINX-0164.<\/p>\n
Since mid-2025, the attackers have targeted blockchain developers through fake online interviews. During the exchange, the victim was redirected to a spoofed videoconferencing site. There, under the pretext of installing a client or fixing a “technical error,” the developer was persuaded to download an infected file.<\/p>\n
The group\u2019s toolkit includes sophisticated malware adapted for both Intel and Apple Silicon architectures:<\/p>\n
- \n
- AUDIOFIX.<\/strong> Disguised as a system audio driver. It steals passwords, SSH keys, crypto wallet data, and sessions from Discord and Telegram. The software enables lateral movement across a company\u2019s internal network, infiltration of infrastructure, and injection of malicious code into active projects;<\/li>\n
- MiniRAT.<\/strong> Previously used in a supply-chain attack. It was distributed through a trojanized version of the legitimate npm package @velora-dex\/sdk, used in DeFi<\/a> projects. MiniRAT allows remote command execution and loading of additional modules.<\/li>\n<\/ul>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-17d87df402bc8945-5685156759025245.webp\")
Source: Wiz.<\/figcaption><\/figure>\n Experts note that JINX-0164\u2019s tactics \u2014 a focus on crypto, targeting developers via fake recruiting, and the use of specific VPN services (for example, Astrill VPN) \u2014 resemble the modus operandi of North Korean groups such as BlueNoroff. However, Wiz found no direct technical overlaps in infrastructure to conclusively tie JINX-0164 to Pyongyang.<\/p>\n
Stealth GPU miner spread via search spam and AI chatbots\u00a0<\/h2>\n
As part of an ongoing cryptomining campaign, attackers are targeting high-performance graphics processing units (GPUs), according to Microsoft<\/a>.<\/p>\n
Infection occurs via malicious download pages for system utilities often installed on powerful PCs. Among them: CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.<\/p>\n
Microsoft researchers found the attack begins when users search for these tools and follow malicious links boosted in results via SEO. Some April reports indicate users also landed on malicious domains after interacting with AI assistants. In those cases, victims asking a chatbot for software download recommendations received poisoned links in generated responses.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-127dbf44eb5d2214-5685156160241549.webp\")
Example of an AI chatbot response with an infected link. Source: Microsoft.<\/figcaption><\/figure>\n Once a system is infected, the attacker gains persistent access by deploying the standard remote management tool ScreenConnect. The core of the malware masquerades as innocuous apps like the VLC player and sets itself to autorun. To evade defenses, the malware hides its code inside legitimate Windows system files and adds itself to antivirus exclusions.\u00a0<\/p>\n
After establishing a stealthy foothold, it downloads and launches a miner to secretly extract cryptocurrency using the victim\u2019s GPU power. The campaign uses the gminer, lolMiner, and SRBMiner-MULTI GPU miners.<\/p>\n
Microsoft noted the operators\u2019 behavior stands out for its “targeting and monetization strategy built from the ground up to maximize GPU-mining revenue from each compromised device” instead of chasing scale.<\/p>\n
Vigilante hacker kicked off GitHub and GitLab after posting Microsoft zero-days<\/h2>\n
Microsoft blocked the GitHub account of a cybersecurity researcher known as Nightmare-Eclipse and deleted his Microsoft account. GitLab then followed suit.<\/p>\n
The dispute stemmed from financial disagreements and exploit disclosure policy. As claimed<\/a> by Nightmare-Eclipse, Microsoft ignored his vulnerability reports and refused to pay MSRC bounties that can reach $250,000.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-6565f63e3fb56e0c-5685156243738943.webp\")
Source: GitLab.<\/figcaption><\/figure>\n In response, the researcher began publishing discovered zero-day vulnerabilities<\/a> openly and said he will release another batch on July 14, 2026.<\/p>\n
He disclosed:<\/p>\n
- \n
- BlueHammer.<\/strong> Locally elevates privileges in Windows Defender. Allows an attacker with standard user access to escalate to full SYSTEM rights;<\/li>\n
- RedSun.<\/strong> Exploits a different antivirus code flaw than BlueHammer but achieves a similar outcome;<\/li>\n
- UnDefend.<\/strong> A tool aimed at sabotaging Windows Defender. The exploit makes the system believe an endpoint is protected and the antivirus is functioning correctly, while effectively depriving Defender of the ability to detect malware;<\/li>\n
- GreenPlasma.<\/strong> A vulnerability that grants SYSTEM privileges via the CTFMon system service responsible for alternative text input and language bars;<\/li>\n
- MiniPlasma.<\/strong> A local privilege escalation exploit via the Windows cloud filter driver cldflt.sys. Successfully grants SYSTEM rights even on fully updated Windows 11 versions;<\/li>\n
- YellowKey.<\/strong> A critical vulnerability in BitLocker disk encryption. With physical access, an attacker can bypass protections and open encrypted data with minimal effort, nullifying the technology\u2019s purpose.<\/li>\n<\/ul>\n
In addition, Nightmare-Eclipse announced<\/a> the creation of a “dead man\u2019s switch<\/span>” \u2014 an automated system that will dump new exploits online if he is arrested or physically eliminated.<\/p>\n
CrowdStrike and Google dismantled a network targeting open-source developers<\/h2>\n
In a joint operation, CrowdStrike, Shadowserver, and Google took down<\/a> an infrastructure used to spread malware and steal passwords from open-source software developers.<\/p>\n
The target was the hackers behind the Glassworm botnet, which for two years attacked supply chains in the OS<\/span> ecosystem.<\/p>\n
Glassworm operators used several strategies to distribute malicious code, including:<\/p>\n
- \n
- publishing infected extensions in developer marketplaces;<\/li>\n
- malvertising \u2014 buying sponsored search results to trick victims into downloading malware;<\/li>\n
- using credentials stolen in prior breaches to take over developer accounts and inject malicious code directly into their projects.<\/li>\n<\/ul>\n
According to CrowdStrike, the hackers managed to “poison” more than 300 GitHub repositories. Specialists dismantled four command-and-control servers that relied on the Solana blockchain<\/a>, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers. This severed the attackers\u2019 access to infected machines and halted further malware delivery.<\/p>\n
In Odessa, scammers used advanced AI to steal about 2.5 million hryvnias<\/h2>\n
Ukrainian law enforcement, together with Kazakhstan\u2019s cyber police, exposed<\/a> a large criminal organization in Odessa.<\/p>\n
The phone scammers targeted citizens of Kazakhstan. Preliminary losses total around 2.5 million hryvnias (about $57,000 at the time of writing).<\/p>\n
The fraudsters used advanced social engineering tools, including deepfakes and AI-generated video. Posing as law enforcement officers, bank employees, or telecom staff, they created a sense of threat. Under the pretense of “protecting the account” or avoiding fabricated criminal charges, they convinced victims to install malware on their smartphones to steal funds.<\/p>\n
According to investigators, two Odessa residents organized the illegal network. The call centers operated like a streamlined business with their own CRM system and clear role distribution. Staff included HR managers, administrators, IT specialists, and operators of various levels.\u00a0<\/p>\n
During searches, police detained nine people and seized equipment, off-the-books accounting records, cars, and cash. The suspects face up to 12 years in prison with asset confiscation.<\/p>\n
Carnival, the world\u2019s largest cruise operator, confirms breach affecting 6 million customers<\/h2>\n
Carnival Corporation, the world\u2019s largest cruise line operator, officially confirmed<\/a> a large-scale data leak impacting nearly 6 million people.<\/p>\n
The incident occurred on April 10, 2026, via a social-engineering attack: the intruders tricked an employee and gained access to corporate systems. The company then began mass notifications to affected individuals.<\/p>\n
According to BleepingComputer<\/a>, the ShinyHunters group claimed responsibility, saying they stole terabytes of corporate data.\u00a0<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-6d078b0824b8c806-5685156754196441.webp\")
A ShinyHunters post on the dark web. Source: BleepingComputer.<\/figcaption><\/figure>\n Analysis indicates the hackers obtained databases of Holland America loyalty program members. Compromised information includes names, dates of birth, email addresses, gender, and customers\u2019 locations.<\/p>\n
It\u2019s another reputational blow for Carnival: in 2020<\/a> and 2021<\/a>, the company\u2019s systems suffered successful cyberattacks that exposed passengers\u2019 and crew members\u2019 personal and financial data.<\/p>\n
Also on ForkLog:<\/p>\n
- \n
- Hacker hijacked<\/a> a $15 million GUA airdrop.<\/li>\n
- Fake Uniswap ads on Google netted<\/a> scammers $400,000.<\/li>\n
- Squid denied<\/a> a $3 million contract hack.<\/li>\n
- Socket identified<\/a> an attack targeting crypto and AI developers.<\/li>\n
- 10,000 critical vulnerabilities: Anthropic reported<\/a> initial Project Glasswing results.<\/li>\n
- StablR\u2019s EURR and USDR stablecoins lost their pegs<\/a> after a $2.8 million hack.<\/li>\n<\/ul>\n
What to read this weekend?<\/h2>\n
The weekend is a chance not only to rewatch favorites, but to rethink them. ForkLog got a head start and explored why Johnny, the protagonist of Mike Leigh\u2019s classic “Naked,” is not just a misanthrope with a Manchester accent, but an early prototype of a cypherpunk without the internet.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
We\u2019ve compiled the week\u2019s key cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":97699,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"This week\u2019s top cybersecurity: crypto heists, GPU cryptojacking, dev-targeted botnets, and more.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-97698","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"16","promo_type":"1","layout_type":"1","short_excerpt":"This week\u2019s top cybersecurity: crypto heists, GPU cryptojacking, dev-targeted botnets, and more.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/97698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=97698"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/97698\/revisions"}],"predecessor-version":[{"id":97700,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/97698\/revisions\/97700"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/97699"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=97698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=97698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=97698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Fake Uniswap ads on Google netted<\/a> scammers $400,000.<\/li>\n
- Hacker hijacked<\/a> a $15 million GUA airdrop.<\/li>\n
- RedSun.<\/strong> Exploits a different antivirus code flaw than BlueHammer but achieves a similar outcome;<\/li>\n
- MiniRAT.<\/strong> Previously used in a supply-chain attack. It was distributed through a trojanized version of the legitimate npm package @velora-dex\/sdk, used in DeFi<\/a> projects. MiniRAT allows remote command execution and loading of additional modules.<\/li>\n<\/ul>\n
- AUDIOFIX.<\/strong> Disguised as a system audio driver. It steals passwords, SSH keys, crypto wallet data, and sessions from Discord and Telegram. The software enables lateral movement across a company\u2019s internal network, infiltration of infrastructure, and injection of malicious code into active projects;<\/li>\n