Infinity Stealer Targets macOS via ClickFix, Red Menshen BPFDoor Sleeper Cells Found in Telecoms, FBI Director Patel Hacked, RedLine Admin Extradited, TP-Link & BIND Patches
A new macOS infostealer called Infinity uses Cloudflare-themed ClickFix lures and Nuitka-compiled Python to evade detection. Rapid7 exposes Red Menshen's BPFDoor kernel implants lurking inside telecom backbone networks across the Middle East and Asia. A pro-Iranian hacking group claims responsibility for compromising FBI Director Kash Patel's personal account. The alleged RedLine malware administrator is extradited to the United States. TP-Link patches high-severity router vulnerabilities, and ISC ships BIND updates fixing memory-leak DoS flaws.
1. Infinity Stealer — New macOS Malware Uses ClickFix Lures and Nuitka Compilation
Malwarebytes researchers have documented Infinity Stealer, a new information-stealing malware targeting macOS systems through an attack chain that combines ClickFix social engineering with a Python payload compiled using the open-source Nuitka compiler — a first for macOS malware campaigns.
The Attack Chain
The infection begins with a fake Cloudflare CAPTCHA verification page hosted on the domain update-check[.]com. Victims are tricked into pasting a base64-obfuscated curl command into macOS Terminal, bypassing Gatekeeper and other OS-level protections:
- Stage 1: The decoded Bash script writes the Nuitka loader to
/tmp, removes the quarantine flag, and executes it vianohup— passing C2 address and token via environment variables before self-deleting - Stage 2: An 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive unpacks the final payload (
UpdateHelper.bin) - Stage 3: The Infinity Stealer performs anti-analysis checks, then harvests credentials from Chromium and Firefox browsers, macOS Keychain entries, cryptocurrency wallets, and plaintext secrets in developer
.envfiles
Why Nuitka Matters
Unlike PyInstaller — which bundles Python bytecode that's relatively easy to decompile — Nuitka compiles Python source into C code, producing a native binary with no obvious bytecode layer. This makes static analysis and reverse engineering significantly harder, and explains why traditional antivirus engines are slow to detect it.
All stolen data is exfiltrated via HTTP POST to the C2 server, with Telegram notifications alerting the operators upon successful theft.
⚠️ Action Required
macOS users should never paste Terminal commands from websites they don't fully trust. Organizations should deploy endpoint detection that monitors for suspicious curl pipe chains and quarantine flag removal (xattr -d) patterns.
KENSAI Perspective
ClickFix attacks exploit a gap between web-layer security and endpoint protection — the user becomes the execution engine. KENSAI's web application scanning detects fake CAPTCHA pages and suspicious clipboard-hijacking JavaScript patterns that power ClickFix lures, catching the attack at the delivery stage before users ever reach Terminal.
2. Red Menshen Plants BPFDoor Sleeper Cells Across Telecom Backbone Networks
Rapid7 Labs has published a detailed report exposing how Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18) — a China-nexus threat actor — has embedded kernel-level BPFDoor implants deep within telecommunications networks across the Middle East and Asia, creating what researchers describe as "some of the stealthiest digital sleeper cells" ever found in telecom infrastructure.
How BPFDoor Works
BPFDoor is fundamentally different from conventional malware. It doesn't open listening ports, maintain visible C2 channels, or generate beaconing traffic. Instead:
- Kernel-level traffic inspection: BPFDoor abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the Linux kernel
- Magic packet activation: The implant remains completely dormant until it receives a specially crafted "trigger" packet, then spawns a reverse shell
- No persistent listener: Without the trigger, BPFDoor is invisible to port scans, netflow analysis, and most endpoint detection tools
- Cross-platform: Variants support TCP, UDP, and ICMP trigger protocols across multiple operating systems
Initial Access Vectors
Red Menshen targets internet-facing infrastructure — VPN appliances, firewalls, and web platforms from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts — to gain initial footholds. Post-exploitation uses CrossC2 beacons, Sliver, TinyShell Unix backdoors, keyloggers, and brute-force utilities for credential harvesting and lateral movement.
Strategic Implications
By compromising telecom backbone infrastructure, Red Menshen gains the ability to intercept government communications, monitor targets of interest, and maintain persistent access that survives standard incident response procedures. The use of kernel-level implants means that even comprehensive endpoint detection may miss BPFDoor unless organizations specifically hunt for BPF filter anomalies.
KENSAI Perspective
This campaign underscores why perimeter security testing must include edge infrastructure — VPNs, firewalls, and load balancers are prime targets for APT groups. KENSAI's external attack surface management identifies exposed edge devices and tests for known vulnerabilities in the exact product families Red Menshen targets.
3. Pro-Iranian Hacking Group Claims FBI Director Kash Patel's Personal Account Compromised
A pro-Iranian hacking group has publicly claimed responsibility for compromising the personal account of FBI Director Kash Patel, offering to make emails and documents from the account available for download. The claim, if verified, represents one of the most significant personal account compromises of a sitting U.S. intelligence chief in recent memory.
What We Know
- The group claims access to personal email correspondence and documents from Patel's account
- The compromised account appears to be a personal (non-government) account
- The group has offered the stolen data for public download
- U.S. government agencies have not publicly confirmed or denied the breach as of publication
Context
Iranian-linked cyber operations have escalated significantly in 2025-2026, with groups targeting U.S. government officials, political campaigns, and critical infrastructure. The targeting of personal accounts — which typically lack the security controls of government systems — remains a preferred vector for nation-state actors seeking to access sensitive communications that may spill across personal and professional contexts.
🔶 High-Profile Target Pattern
This incident follows a well-documented pattern: nation-state actors target personal accounts of high-value individuals because personal email, cloud storage, and messaging apps rarely have the MFA enforcement, monitoring, and access controls of government systems.
KENSAI Perspective
Personal account security is the weakest link for any organization's leadership. While KENSAI's primary focus is enterprise security testing, our attack surface reconnaissance can identify personal account exposure — leaked credentials, linked services, and social engineering vectors — that could be exploited to reach organizational assets through executive targeting.
4. Hightower Holding Data Breach Impacts 130,000 Individuals
Hightower Holding, a U.S.-based holdings company, has disclosed a data breach affecting approximately 130,000 individuals. The company confirmed that attackers stole names, Social Security numbers, and driver's license numbers from its environment.
Breach Details
- Data stolen: Full names, Social Security numbers (SSNs), and driver's license numbers
- Impact scope: Approximately 130,000 individuals
- Attack vector: Not yet publicly disclosed
- Discovery timeline: Breach notification filed with state regulators
The combination of SSNs and driver's license numbers makes this breach particularly dangerous for identity theft — these are the exact credentials needed for fraudulent account openings, tax return fraud, and synthetic identity creation.
KENSAI Perspective
Financial services firms handling PII at this scale must maintain continuous security validation. KENSAI's automated penetration testing identifies data exposure risks — from misconfigured storage buckets to SQL injection paths that reach PII databases — before attackers find them.
5. Alleged RedLine Malware Administrator Extradited to the United States
Hambardzum Minasyan of Armenia has been extradited to the United States on charges of being involved in the development and administration of the RedLine infostealer malware — one of the most prolific credential-stealing malware families in history.
RedLine's Impact
RedLine has been one of the dominant infostealers since its emergence in 2020, responsible for stealing millions of credentials, financial data, and cryptocurrency wallet information. The malware was sold as a Malware-as-a-Service (MaaS) offering, with operators paying subscription fees for access to the builder, C2 infrastructure, and support channels.
- Millions of credentials stolen across enterprise and consumer targets worldwide
- MaaS model lowered the barrier for entry, enabling less sophisticated criminals to deploy sophisticated malware
- International law enforcement cooperation between the U.S. and Armenia made the extradition possible
The extradition follows Operation Magnus in late 2024, which disrupted RedLine and META infostealer infrastructure. This latest action demonstrates that law enforcement is pursuing not just the infrastructure but the individuals behind major malware operations.
KENSAI Perspective
While law enforcement disruptions help, organizations can't rely on takedowns to protect them. RedLine-stolen credentials continue circulating on dark web markets long after the malware is disrupted. KENSAI's credential exposure monitoring identifies leaked credentials associated with your domains, allowing password resets before stolen data is weaponized.
6. TP-Link Patches High-Severity Router Vulnerabilities
TP-Link has released patches for multiple high-severity vulnerabilities in its router firmware that could allow attackers to bypass authentication, execute arbitrary commands, and decrypt configuration files.
Key Vulnerabilities
- Authentication bypass: Allows unauthenticated attackers to gain administrative access to the router management interface
- Command injection: Enables execution of arbitrary OS commands on the router, potentially leading to full device compromise
- Configuration file decryption: Allows attackers to extract and decrypt router configuration data, including stored credentials and network topology information
⚠️ Patch Now
Given the widespread deployment of TP-Link routers in both consumer and SMB environments, and the recent FCC scrutiny of foreign-manufactured networking equipment, organizations should prioritize these firmware updates. Exposed router management interfaces are a favorite target for both botnets and APT groups.
KENSAI Perspective
Network equipment vulnerabilities are consistently among the most exploited attack vectors. KENSAI's external scanning identifies exposed router management interfaces and tests for known firmware vulnerabilities — catching misconfigurations before they become entry points.
7. BIND DNS Updates Patch High-Severity Memory-Leak Vulnerabilities
The Internet Systems Consortium (ISC) has released updates for BIND DNS server software patching high-severity vulnerabilities that could be exploited to cause out-of-memory conditions through specially crafted domain queries, leading to memory leaks in BIND resolvers.
Impact
- Denial of service: Specially crafted DNS queries can trigger memory leaks that eventually exhaust available memory, causing resolver crashes
- Widespread exposure: BIND remains one of the most widely deployed DNS server implementations globally
- Remote exploitation: The vulnerabilities can be triggered remotely by sending malicious queries to affected resolvers
DNS infrastructure is a high-value target because resolver outages can cascade into widespread service disruptions. Organizations running BIND resolvers should apply updates immediately.
KENSAI Perspective
DNS infrastructure is foundational — when it fails, everything fails. KENSAI's infrastructure scanning identifies BIND version exposure and known vulnerabilities in DNS configurations, ensuring your resolution infrastructure isn't an overlooked weak point.