CyberNews: 19/10/2025 Edition
Today’s roundup
Summary
A new malicious campaign has been observed targeting macOS developers. The threat actors use Google advertisements to promote fake download sites for Homebrew, LogMeIn, and TradingView. These deceptive sites deliver infostealing malware, including AMOS (Atomic macOS Stealer) and Odyssey, compromising the targeted developers' systems.
Europol, in a coordinated effort dubbed Operation SIMCARTEL, announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform. The operation led to 26 searches, seven arrests, and the seizure of infrastructure, including a large SIM farm. The platform enabled customers to carry out crimes such as phishing and investment fraud at scale, and facilitated the creation of an estimated 49 million fake accounts worldwide.
The Winos 4.0 (ValleyRAT) threat actors have expanded their operations beyond China and Taiwan to targets in Japan and Malaysia. The campaign uses phishing emails carrying PDFs disguised as official Finance Ministry documents to deliver the HoldingHands RAT (also known as Gh0stBins). The malware employs layered evasion techniques, including digitally signed EXE files and a multi-stage infection chain that uses the Windows Task Scheduler, to complicate detection.
The Everest ransomware group has claimed responsibility for a cyberattack on Collins Aerospace, a major aviation and defense technology company. The breach disrupted check-in and boarding systems at several European airports, including Heathrow, Brussels, and Berlin, in September. The Everest group's leak site briefly went offline after the claim, prompting speculation of a law enforcement takedown or a tactical retreat, though it has since reappeared. Collins Aerospace, a subsidiary of RTX, provides critical systems integral to global air and naval defense infrastructure.
Malware Families
ValleyRAT, Winos