剣 KENSAI
← All posts · security · 2026-03-29 · 3 min

Infinity Stealer Targets macOS via ClickFix, Red Menshen BPFDoor Sleeper Cells Found in Telecoms, FBI Director Patel Hacked, RedLine Admin Extradited, TP-Link & BIND Patches

A new macOS infostealer called Infinity uses Cloudflare-themed ClickFix lures and Nuitka-compiled Python to evade detection. Rapid7 exposes Red Menshen's BPFDoor kernel implants lurking inside telecom backbone networks across the Middle East and Asia. A pro-Iranian hacking group claims responsibility for compromising FBI Director Kash Patel's personal account. The alleged RedLine malware administrator is extradited to the United States. TP-Link patches high-severity router vulnerabilities, and ISC ships BIND updates fixing memory-leak DoS flaws.


1. Infinity Stealer — New macOS Malware Uses ClickFix Lures and Nuitka Compilation

Malwarebytes researchers have documented Infinity Stealer, a new information-stealing malware targeting macOS systems through an attack chain that combines ClickFix social engineering with a Python payload compiled using the open-source Nuitka compiler — a first for macOS malware campaigns.

The Attack Chain

The infection begins with a fake Cloudflare CAPTCHA verification page hosted on the domain update-check[.]com. Victims are tricked into pasting a base64-obfuscated curl command into macOS Terminal, bypassing Gatekeeper and other OS-level protections:

Why Nuitka Matters

Unlike PyInstaller — which bundles Python bytecode that's relatively easy to decompile — Nuitka compiles Python source into C code, producing a native binary with no obvious bytecode layer. This makes static analysis and reverse engineering significantly harder, and explains why traditional antivirus engines are slow to detect it.

All stolen data is exfiltrated via HTTP POST to the C2 server, with Telegram notifications alerting the operators upon successful theft.

⚠️ Action Required

macOS users should never paste Terminal commands from websites they don't fully trust. Organizations should deploy endpoint detection that monitors for suspicious curl pipe chains and quarantine flag removal (xattr -d) patterns.

KENSAI Perspective

ClickFix attacks exploit a gap between web-layer security and endpoint protection — the user becomes the execution engine. KENSAI's web application scanning detects fake CAPTCHA pages and suspicious clipboard-hijacking JavaScript patterns that power ClickFix lures, catching the attack at the delivery stage before users ever reach Terminal.


2. Red Menshen Plants BPFDoor Sleeper Cells Across Telecom Backbone Networks

Rapid7 Labs has published a detailed report exposing how Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18) — a China-nexus threat actor — has embedded kernel-level BPFDoor implants deep within telecommunications networks across the Middle East and Asia, creating what researchers describe as "some of the stealthiest digital sleeper cells" ever found in telecom infrastructure.

How BPFDoor Works

BPFDoor is fundamentally different from conventional malware. It doesn't open listening ports, maintain visible C2 channels, or generate beaconing traffic. Instead:

Initial Access Vectors

Red Menshen targets internet-facing infrastructure — VPN appliances, firewalls, and web platforms from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts — to gain initial footholds. Post-exploitation uses CrossC2 beacons, Sliver, TinyShell Unix backdoors, keyloggers, and brute-force utilities for credential harvesting and lateral movement.

Strategic Implications

By compromising telecom backbone infrastructure, Red Menshen gains the ability to intercept government communications, monitor targets of interest, and maintain persistent access that survives standard incident response procedures. The use of kernel-level implants means that even comprehensive endpoint detection may miss BPFDoor unless organizations specifically hunt for BPF filter anomalies.

KENSAI Perspective

This campaign underscores why perimeter security testing must include edge infrastructure — VPNs, firewalls, and load balancers are prime targets for APT groups. KENSAI's external attack surface management identifies exposed edge devices and tests for known vulnerabilities in the exact product families Red Menshen targets.


3. Pro-Iranian Hacking Group Claims FBI Director Kash Patel's Personal Account Compromised

A pro-Iranian hacking group has publicly claimed responsibility for compromising the personal account of FBI Director Kash Patel, offering to make emails and documents from the account available for download. The claim, if verified, represents one of the most significant personal account compromises of a sitting U.S. intelligence chief in recent memory.

What We Know

Context

Iranian-linked cyber operations have escalated significantly in 2025-2026, with groups targeting U.S. government officials, political campaigns, and critical infrastructure. The targeting of personal accounts — which typically lack the security controls of government systems — remains a preferred vector for nation-state actors seeking to access sensitive communications that may spill across personal and professional contexts.

🔶 High-Profile Target Pattern

This incident follows a well-documented pattern: nation-state actors target personal accounts of high-value individuals because personal email, cloud storage, and messaging apps rarely have the MFA enforcement, monitoring, and access controls of government systems.

KENSAI Perspective

Personal account security is the weakest link for any organization's leadership. While KENSAI's primary focus is enterprise security testing, our attack surface reconnaissance can identify personal account exposure — leaked credentials, linked services, and social engineering vectors — that could be exploited to reach organizational assets through executive targeting.


4. Hightower Holding Data Breach Impacts 130,000 Individuals

Hightower Holding, a U.S.-based holdings company, has disclosed a data breach affecting approximately 130,000 individuals. The company confirmed that attackers stole names, Social Security numbers, and driver's license numbers from its environment.

Breach Details

The combination of SSNs and driver's license numbers makes this breach particularly dangerous for identity theft — these are the exact credentials needed for fraudulent account openings, tax return fraud, and synthetic identity creation.

KENSAI Perspective

Financial services firms handling PII at this scale must maintain continuous security validation. KENSAI's automated penetration testing identifies data exposure risks — from misconfigured storage buckets to SQL injection paths that reach PII databases — before attackers find them.


5. Alleged RedLine Malware Administrator Extradited to the United States

Hambardzum Minasyan of Armenia has been extradited to the United States on charges of being involved in the development and administration of the RedLine infostealer malware — one of the most prolific credential-stealing malware families in history.

RedLine's Impact

RedLine has been one of the dominant infostealers since its emergence in 2020, responsible for stealing millions of credentials, financial data, and cryptocurrency wallet information. The malware was sold as a Malware-as-a-Service (MaaS) offering, with operators paying subscription fees for access to the builder, C2 infrastructure, and support channels.

The extradition follows Operation Magnus in late 2024, which disrupted RedLine and META infostealer infrastructure. This latest action demonstrates that law enforcement is pursuing not just the infrastructure but the individuals behind major malware operations.

KENSAI Perspective

While law enforcement disruptions help, organizations can't rely on takedowns to protect them. RedLine-stolen credentials continue circulating on dark web markets long after the malware is disrupted. KENSAI's credential exposure monitoring identifies leaked credentials associated with your domains, allowing password resets before stolen data is weaponized.


6. TP-Link Patches High-Severity Router Vulnerabilities

TP-Link has released patches for multiple high-severity vulnerabilities in its router firmware that could allow attackers to bypass authentication, execute arbitrary commands, and decrypt configuration files.

Key Vulnerabilities

⚠️ Patch Now

Given the widespread deployment of TP-Link routers in both consumer and SMB environments, and the recent FCC scrutiny of foreign-manufactured networking equipment, organizations should prioritize these firmware updates. Exposed router management interfaces are a favorite target for both botnets and APT groups.

KENSAI Perspective

Network equipment vulnerabilities are consistently among the most exploited attack vectors. KENSAI's external scanning identifies exposed router management interfaces and tests for known firmware vulnerabilities — catching misconfigurations before they become entry points.


7. BIND DNS Updates Patch High-Severity Memory-Leak Vulnerabilities

The Internet Systems Consortium (ISC) has released updates for BIND DNS server software patching high-severity vulnerabilities that could be exploited to cause out-of-memory conditions through specially crafted domain queries, leading to memory leaks in BIND resolvers.

Impact

DNS infrastructure is a high-value target because resolver outages can cascade into widespread service disruptions. Organizations running BIND resolvers should apply updates immediately.

KENSAI Perspective

DNS infrastructure is foundational — when it fails, everything fails. KENSAI's infrastructure scanning identifies BIND version exposure and known vulnerabilities in DNS configurations, ensuring your resolution infrastructure isn't an overlooked weak point.