A new macOS infostealer called Infinity uses Cloudflare-themed ClickFix lures and Nuitka-compiled Python to evade detection. Rapid7 exposes Red Menshen's BPFDoor kernel implants lurking inside telecom backbone networks across the Middle East and Asia. A pro-Iranian hacking group claims responsibility for compromising FBI Director Kash Patel's personal account. The alleged RedLine malware administrator is extradited to the United States. TP-Link patches high-severity router vulnerabilities, and ISC ships BIND updates fixing memory-leak DoS flaws.
Malwarebytes researchers have documented Infinity Stealer, a new information-stealing malware targeting macOS systems through an attack chain that combines ClickFix social engineering with a Python payload compiled using the open-source Nuitka compiler — a first for macOS malware campaigns.
The infection begins with a fake Cloudflare CAPTCHA verification page hosted on the domain update-check[.]com. Victims are tricked into pasting a base64-obfuscated curl command into macOS Terminal, bypassing Gatekeeper and other OS-level protections:
/tmp, removes the quarantine flag, and executes it via nohup — passing C2 address and token via environment variables before self-deletingUpdateHelper.bin).env filesUnlike PyInstaller — which bundles Python bytecode that's relatively easy to decompile — Nuitka compiles Python source into C code, producing a native binary with no obvious bytecode layer. This makes static analysis and reverse engineering significantly harder, and explains why traditional antivirus engines are slow to detect it.
All stolen data is exfiltrated via HTTP POST to the C2 server, with Telegram notifications alerting the operators upon successful theft.
macOS users should never paste Terminal commands from websites they don't fully trust. Organizations should deploy endpoint detection that monitors for suspicious curl pipe chains and quarantine flag removal (xattr -d) patterns.
ClickFix attacks exploit a gap between web-layer security and endpoint protection — the user becomes the execution engine. KENSAI's web application scanning detects fake CAPTCHA pages and suspicious clipboard-hijacking JavaScript patterns that power ClickFix lures, catching the attack at the delivery stage before users ever reach Terminal.
Rapid7 Labs has published a detailed report exposing how Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18) — a China-nexus threat actor — has embedded kernel-level BPFDoor implants deep within telecommunications networks across the Middle East and Asia, creating what researchers describe as "some of the stealthiest digital sleeper cells" ever found in telecom infrastructure.
BPFDoor is fundamentally different from conventional malware. It doesn't open listening ports, maintain visible C2 channels, or generate beaconing traffic. Instead:
Red Menshen targets internet-facing infrastructure — VPN appliances, firewalls, and web platforms from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts — to gain initial footholds. Post-exploitation uses CrossC2 beacons, Sliver, TinyShell Unix backdoors, keyloggers, and brute-force utilities for credential harvesting and lateral movement.
By compromising telecom backbone infrastructure, Red Menshen gains the ability to intercept government communications, monitor targets of interest, and maintain persistent access that survives standard incident response procedures. The use of kernel-level implants means that even comprehensive endpoint detection may miss BPFDoor unless organizations specifically hunt for BPF filter anomalies.
This campaign underscores why perimeter security testing must include edge infrastructure — VPNs, firewalls, and load balancers are prime targets for APT groups. KENSAI's external attack surface management identifies exposed edge devices and tests for known vulnerabilities in the exact product families Red Menshen targets.
A pro-Iranian hacking group has publicly claimed responsibility for compromising the personal account of FBI Director Kash Patel, offering to make emails and documents from the account available for download. The claim, if verified, represents one of the most significant personal account compromises of a sitting U.S. intelligence chief in recent memory.
Iranian-linked cyber operations have escalated significantly in 2025-2026, with groups targeting U.S. government officials, political campaigns, and critical infrastructure. The targeting of personal accounts — which typically lack the security controls of government systems — remains a preferred vector for nation-state actors seeking to access sensitive communications that may spill across personal and professional contexts.
This incident follows a well-documented pattern: nation-state actors target personal accounts of high-value individuals because personal email, cloud storage, and messaging apps rarely have the MFA enforcement, monitoring, and access controls of government systems.
Personal account security is the weakest link for any organization's leadership. While KENSAI's primary focus is enterprise security testing, our attack surface reconnaissance can identify personal account exposure — leaked credentials, linked services, and social engineering vectors — that could be exploited to reach organizational assets through executive targeting.
Hightower Holding, a U.S.-based holdings company, has disclosed a data breach affecting approximately 130,000 individuals. The company confirmed that attackers stole names, Social Security numbers, and driver's license numbers from its environment.
The combination of SSNs and driver's license numbers makes this breach particularly dangerous for identity theft — these are the exact credentials needed for fraudulent account openings, tax return fraud, and synthetic identity creation.
Financial services firms handling PII at this scale must maintain continuous security validation. KENSAI's automated penetration testing identifies data exposure risks — from misconfigured storage buckets to SQL injection paths that reach PII databases — before attackers find them.
Hambardzum Minasyan of Armenia has been extradited to the United States on charges of being involved in the development and administration of the RedLine infostealer malware — one of the most prolific credential-stealing malware families in history.
RedLine has been one of the dominant infostealers since its emergence in 2020, responsible for stealing millions of credentials, financial data, and cryptocurrency wallet information. The malware was sold as a Malware-as-a-Service (MaaS) offering, with operators paying subscription fees for access to the builder, C2 infrastructure, and support channels.
The extradition follows Operation Magnus in late 2024, which disrupted RedLine and META infostealer infrastructure. This latest action demonstrates that law enforcement is pursuing not just the infrastructure but the individuals behind major malware operations.
While law enforcement disruptions help, organizations can't rely on takedowns to protect them. RedLine-stolen credentials continue circulating on dark web markets long after the malware is disrupted. KENSAI's credential exposure monitoring identifies leaked credentials associated with your domains, allowing password resets before stolen data is weaponized.
TP-Link has released patches for multiple high-severity vulnerabilities in its router firmware that could allow attackers to bypass authentication, execute arbitrary commands, and decrypt configuration files.
Given the widespread deployment of TP-Link routers in both consumer and SMB environments, and the recent FCC scrutiny of foreign-manufactured networking equipment, organizations should prioritize these firmware updates. Exposed router management interfaces are a favorite target for both botnets and APT groups.
Network equipment vulnerabilities are consistently among the most exploited attack vectors. KENSAI's external scanning identifies exposed router management interfaces and tests for known firmware vulnerabilities — catching misconfigurations before they become entry points.
The Internet Systems Consortium (ISC) has released updates for BIND DNS server software patching high-severity vulnerabilities that could be exploited to cause out-of-memory conditions through specially crafted domain queries, leading to memory leaks in BIND resolvers.
DNS infrastructure is a high-value target because resolver outages can cascade into widespread service disruptions. Organizations running BIND resolvers should apply updates immediately.
DNS infrastructure is foundational — when it fails, everything fails. KENSAI's infrastructure scanning identifies BIND version exposure and known vulnerabilities in DNS configurations, ensuring your resolution infrastructure isn't an overlooked weak point.
From macOS infostealers to telecom APT campaigns — the attack surface is expanding. KENSAI continuously maps and tests your external exposure.
Start Free Scan →KENSAI Security Research · Daily Threat Intelligence · March 29, 2026