As Kent Halliburton stood in a bathroom at the Rosewood Hotel in central Amsterdam, thousands of miles from home, running his fingers through an envelope filled with 10,000 euros in crisp banknotes, he started to wonder what he had gotten himself into. Halliburton is the cofounder and CEO of Sazmining, a company that operates bitcoin mining hardware on behalf of clients-a model known as "mining-as-a-service."
The campaign spreads the Odyssey Stealer and AMOS (Atomic macOS Stealer) malware families. Both families focus on stealing system information, browser data, and crypto wallet login details. The attacks are carefully designed to exploit developers' trust. The fake Homebrew and TradingView sites display seemingly legitimate download portals with buttons such as Copy command. When a user clicks the button, a hidden, base64-encoded Terminal command is copied to the clipboard.
Organizations are heavily investing in zero trust, a security framework that requires strict verification and ongoing monitoring of every user, device, and application. As of 2025, the size of the zero trust market is estimated at $38.37 billion USD and is projected to grow to $86.57 billion USD by 2030. Investmentsinclude not only tools but also organizational transformation, policy overhaul, and long-term architectural changes. When combined with strong, phishing-resistant multi-factor authentication (MFA) and AI-powered threat detection, a move toward zero trust will significantly enhance cybersecurity. However, help desks often lack robust identity verification, creating a critical vulnerability.
Gladinet vulnerability exploited in the wild A vulnerability affecting Gladinet's CentreStack and Triofox products has been exploited in the wild, Huntress warns. CentreStack is a mobile access and secure sharing solution while Triofox is a secure file access solution. Huntress earlier this year discovered exploitation of CVE-2025-30406, a hardcoded machine key issue affecting the products, and it has now detected exploitation of a new vulnerability, CVE-2025-11371, which allows unauthenticated local file inclusion. Gladinet is aware of the issue and is in the process of providing a workaround to customers until a patch is developed.
Cybersecurity Researcher Jeremiah Fowler discovered a database that lacked password protection as well as encryption, exposing 85,361 files (158 GB in total). The records included invoices, claims, and emails that contained policy holder names, addresses, phone numbers, email addresses, and other personally identifiable information (PII). The personal information of pets were also exposed, including their names, ages, breeds, medical histories, microchip numbers, and more.
The attack chains, per the cybersecurity company, leverage ZIP archives containing decoy PDF documents along with malicious shortcut (LNK) or executable files that are masked as PDF to trick users into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an external server to download a lure document, a PDF for a marketing job at Marriott.
Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting "active senior trips." Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K. The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups have been found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors.
FileFix is a variation on ClickFix, a newish type of social-engineering technique first spotted last year that tricks victims into running malware on their own devices using fake fixes and login prompts. These types of attacks have surged by 517 percent in the past six months, according to researchers at antivirus and internet security software vendor ESET, making them second most common attack vector behind phishing.
Instead of sending unsolicited phishing emails, attackers initiate contact through a company's public 'Contact Us' form, tricking employees into starting the conversation. What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware.
