CloudSEK Updates

The MacSync Stealer campaign represents a sophisticated macOS threat that leverages SEO poisoning, fake GitHub repositories, and ClickFix social engineering to deliver malware. Attackers manipulate search engine rankings to redirect users to fraudulent repositories impersonating legitimate software, where victims are tricked into executing malicious commands.

A new malware campaign is exploiting Ramadan shopping sentiment, luring Middle East users with fake discount coupons from trusted brands. Behind the offer lies a multi-stage attack that deploys a powerful RAT, enabling full system control and stealthy data exfiltration via AWS. The campaign highlights how seasonal themes and trusted brands are being weaponized at scale.

LSPosed, a powerful framework for rooted Android devices, has been weaponized by attackers to remotely inject fraudulent SMS messages and spoof user identities in modern payment ecosystems. This report exposes a critical vulnerability: the exploitation of LSPosed modules to intercept and modify sensitive system APIs, enabling precise identity theft and unauthorized financial transactions. It reveals the devastating potential of this technique for large-scale payment fraud and identity takeover.

The February 28 launch of Operation Epic Fury has pushed the Iran–Israel conflict into an open multi-domain war. While the strikes occurred in the Middle East, the ripple effects are already reaching Southeast Asia, where cyber operations, energy disruptions, financial sanctions, and geopolitical tensions could create immediate risk for governments, businesses, and critical infrastructure. This briefing explains why the region may soon find itself on the frontline of a wider cyber and economic confrontation.

More than 60 Iranian-aligned cyber groups mobilized within hours of the February 28, 2026 Iran-US escalation, as AI tools sharply lowered the barrier to targeting America’s internet-exposed critical infrastructure. The report shows how exposed ICS systems, default credentials, and AI-assisted reconnaissance are converging into a fast-growing national security risk.

The 28 February 2026 strikes accelerated an existing cyber threat to U.S. critical infrastructure, rather than creating it. This report examines who is targeting industrial control systems (ICS), how attacks are carried out, and the scale of the exposed attack surface. Critical infrastructure is a prime retaliation target due to high civilian impact, a large number of internet-exposed ICS devices, and long-standing underinvestment in OT cybersecurity.

CloudSEK has uncovered a malicious SMS spoofing campaign spreading a fake version of Israel’s “Red Alert” emergency app amid the ongoing conflict. Disguised as a trusted warning platform, the trojanized Android app can steal SMS, contacts, and location data while appearing legitimate. The report highlights how cybercriminals are weaponising public fear during crises to deploy mobile spyware with serious security and real-world implications.

The report examines the sharp escalation following the 28 February 2026 joint Israel–U.S. strikes on Iran, triggering a hybrid conflict blending kinetic attacks with unprecedented cyber operations. Iran faced near-total internet disruption, while retaliatory missile and cyber activity spread across Israel, the Gulf, and beyond. Over 150 hacktivist incidents were recorded, with global spillover risks to energy, finance, IT, and critical infrastructure sectors

CloudSEK researchers infiltrated Gunra’s newly launched RaaS affiliate program, gaining access to its live panel and ransomware locker. Our analysis reveals a highly optimized ChaCha20 + RSA-4096 hybrid encryption engine, multi-threaded execution, surgical file targeting, and offline stealth capabilities.