SimpleHelp Bug Lets Hackers Create Rogue Remote Support Accounts

Article Link: https://www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/

• A high-severity authentication bypass vulnerability has been disclosed in SimpleHelp remote management software, allowing unauthenticated attackers to create unauthorized technician accounts.
• Tracked as CVE-2026-48558, the vulnerability is caused by improper validation of identity assertions during OpenID Connect (OIDC) authentication, enabling attackers to bypass external user verification.
• Successful exploitation can grant elevated privileges, allowing threat actors to establish remote desktop sessions, deploy malicious scripts, and gain full control of managed endpoints.
• Organizations using affected versions of SimpleHelp should immediately upgrade to the latest patched release. Where immediate patching is not feasible, administrators should restrict access to the technician portal by implementing IP allowlists to limit connections to trusted sources and reduce the risk of unauthorized access.
• Additional information: https://simple-help.com/security/simplehelp-security-update-2026-05

New macOS ClickFix Attack Silently Mounts DMGs to Push Infostealer

Article Link: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/

• Security researchers at Palo Alto Networks’ Unit 42 have identified a new variant of the ClickFix social engineering campaign targeting macOS users by silently mounting malicious disk image (DMG) files to deploy information-stealing malware.
• The attack begins with fake CAPTCHA verification pages. Rather than prompting users to solve a challenge, the pages trick victims into executing terminal commands. The commands then download and mount a hidden DMG, initiating the malware installation process.
• The latest ClickFix variant is particularly concerning because it bypasses recent macOS protections designed to prevent command-line paste attacks. Once executed, the malware can steal browser credentials, session cookies, and other sensitive information, potentially enabling account compromise and unauthorized access to enterprise environments.
• Organizations should block access to known malicious domains, configure endpoint security solutions to detect and prevent unauthorized DMG mounting and script execution, and educate users to avoid running Terminal commands provided by websites or unsolicited browser prompts.

WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

Article Link: https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html

• Security researchers at Kaspersky have uncovered an active malware campaign that uses compromised WhatsApp accounts to distribute malicious Visual Basic Script (VBScript) files disguised as business and financial documents, ultimately installing legitimate remote monitoring and management (RMM) software on victims’ systems.
• The heavily obfuscated VBScript files mimic Microsoft Windows Update components and are delivered through WhatsApp Desktop and WhatsApp Web using deceptive filenames such as financial reports or account statements. When executed, the scripts download additional payloads, bypass security controls, and install ManageEngine RMM Central, providing attackers with remote access to compromised devices.
• The campaign has targeted users across multiple countries, including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam, with the highest number of observed victims in Malaysia. Kaspersky also identified infrastructure overlaps with previous activity associated with Gh0st RAT and ValleyRAT, although the campaign has not been attributed to a specific threat actor.
• Organizations should block the execution of untrusted script files such as VBS, monitor for unauthorized RMM software deployments, and educate users to verify unexpected WhatsApp attachments, even when they appear to originate from trusted contacts, before opening them.

New Prinz Eugen Ransomware Prioritizes Recent Files for Encryption

Article Link: https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/

• Security researchers have identified a new Go-based ransomware operation named Prinz Eugen that uses a targeted encryption strategy and avoids leaving traditional ransom notes on compromised systems.
• Analysis from ThreatDown indicates that attackers likely gain initial access through stolen Remote Desktop Protocol (RDP) credentials before manually deploying the primary payload, servertool.exe. In observed incidents, the operators used the RemotePC RMM platform and a backdoor administrator account to maintain persistent access within victim environments.
• Unlike many modern ransomware operations, Prinz Eugen does not appear to follow a ransomware-as-a-service (RaaS) model. The malware prioritizes recently modified files during encryption, recursively scanning directories without depth limits to target data most likely to be actively used by organizations, including current business documents and operational files.
• The ransomware avoids dropping text-based ransom notes, instead moving extortion communications through external channels such as email, phone, or leak-site portals. This approach reduces forensic evidence and makes automated detection of the extortion stage more difficult.
• Security teams should strengthen remote access protections with multi-factor authentication, monitor for unauthorized RMM deployments and suspicious administrator accounts, review endpoint activity for living-off-the-land techniques, and preserve forensic evidence before allowing compromised systems to execute cleanup or self-deletion behaviors.

New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis

Article Link: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html

• Security analysts have uncovered a previously undocumented Rust-based macOS implant and information stealer named Gaslight that uses embedded prompt injection techniques to manipulate AI-powered malware analysis tools and interfere with automated security investigations.
• The malware has been linked to North Korea-aligned threat actors. Its most notable feature is a Markdown-fenced payload containing 38 fabricated system messages, out-of-memory errors and token expirations, designed to influence large language model (LLM)-based triage agents into aborting or refusing analysis of the malicious artifact.
• Beyond its AI-targeting capabilities, Gaslight functions as a persistent backdoor by establishing a Telegram-based command-and-control channel that enables attackers to execute remote shell commands, terminate processes, and exfiltrate files. The malware maintains persistence through a macOS LaunchAgent disguised as a legitimate system service.
• Organizations should strengthen macOS monitoring practices by reviewing unauthorized LaunchAgent activity, restricting suspicious script execution, monitoring Telegram-based outbound communications, and ensuring AI-assisted security workflows include human validation to prevent malicious input manipulation from affecting automated analysis decisions.
• Additional information: https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/

Bluekit Phishing-as-a-Service: Browser-in-the-Middle, Evolved

Article Link: https://www.netcraft.com/blog/bluekit-phishing-as-a-service-threat

• New findings confirm that BlueKit, a sophisticated Phishing-as-a-Service (PhaaS) platform, has moved from development into active large-scale operations, using a Browser-in-the-Middle (BitM) attack model to steal enterprise credentials.
• Unlike traditional adversary-in-the-middle phishing frameworks that rely on reverse proxies to intercept traffic, BlueKit uses a legitimate session-replay script engine to open authentic corporate login portals inside an attacker-controlled browser. The system streams the live visual interface directly to the victim via active network connections, silently capturing text inputs, multi-factor authentication codes, and authenticated session tokens simultaneously.
• The platform incorporates a layered anti-detection framework designed to evade automated analysis, including dynamic JavaScript obfuscation, randomized HTML generation, custom CAPTCHA pages impersonating trusted services, browser fingerprinting, and WebRTC-based checks to identify scanning environments or proxy usage.
• This operation creates significant risks for enterprise identity security because the phishing experience closely mirrors legitimate authentication portals while maintaining the attacker’s browser session throughout the login process. BlueKit operators can monitor victim activity in real time through an administrative panel and maintain access using stolen authentication sessions.
• Organizations should strengthen identity protections by adopting phishing-resistant authentication methods such as WebAuthn and hardware security keys, enforcing device-based access controls, monitoring suspicious authentication patterns, and improving phishing analysis workflows to account for emerging Browser-in-the-Middle techniques.

Nearly 15,000 Infected Websites Cleaned in SocGholish Crackdown

Article Link: https://www.malwarebytes.com/blog/news/2026/06/nearly-15000-infected-websites-cleaned-in-socgholish-crackdown

• International law enforcement agencies have disrupted the long-running SocGholish (FakeUpdates) malware operation as part of Operation Endgame, taking down 106 malicious servers and domains while cleaning nearly 15,000 compromised websites used to distribute malware.
• Active since at least 2017, SocGholish compromises legitimate websites, often through stolen credentials, to deliver fake browser and software update prompts. Victims who interact with these alerts can unknowingly install backdoors that provide attackers with access for ransomware deployment, data theft, and additional malware activity.
• The coordinated operation involved multiple international agencies, including the Dutch police and Public Prosecution Service, the Royal Canadian Mounted Police, the FBI, the German Federal Criminal Police Office, Europol, and Eurojust. Authorities also removed malicious code from infected WordPress sites and urged affected organizations to update software, enable multi-factor authentication (MFA), and rotate credentials.
• The takedown disrupts a major malware distribution pathway used by cybercriminal groups, reducing access to thousands of trusted websites that had been weaponized to target users. Organizations should strengthen website security by enforcing MFA, monitoring for unauthorized changes, and maintaining updated content management system.

Additional information: https://www.theregister.com/security/2026/06/24/microsoft-uses-ai-to-link-two-malware-operations-in-racketeering-suit/5261656

Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack

Article Link: https://www.securityweek.com/cal-water-finds-no-evidence-of-ot-activity-after-hackers-claimed-they-could-disrupt-water-supply/

• California Water Service (Cal Water) confirmed that an investigation into a cyberattack claimed by the Iran-linked Handala group found no evidence that attackers accessed or disrupted the utility’s operational technology (OT) environment or industrial control systems (ICS).
• The threat actor claimed it had the ability to impact water operations after gaining access to Cal Water systems, but the investigation determined the activity was limited to compromised user accounts and third-party platforms. Attackers reportedly accessed customer account information and leaked approximately 5 GB of data, including files containing personal information.
• The incident highlights the ongoing cybersecurity risks facing critical infrastructure providers, particularly water utilities that often rely on aging OT environments and legacy systems that can be difficult to secure or modernize. While no operational disruption occurred, unauthorized access to industrial systems could create serious public safety consequences.
• The attack also demonstrates how cyber activity tied to geopolitical conflicts can increase risks to essential services, as state-aligned or suspected state-backed groups may target public infrastructure to create disruption, collect intelligence, or generate fear even without directly impacting operations.