We’ve gathered the most important cybersecurity news from the past week.
- A new group attacked crypto companies through fake interviews and malware targeting macOS.
- A hidden GPU miner was spread via search spam and AI chatbots.
- A hacker known as Nightmare-Eclipse was banned from GitHub and GitLab after publishing Microsoft zero-day exploits.
- CrowdStrike and Google dismantled a network targeting open-source developers.
New Group Attacks Crypto Companies via Fake Interviews and macOS Malware
Researchers from Wiz uncovered a large-scale cryptocurrency theft campaign orchestrated by a previously unknown group, JINX-0164.
Since mid-2025, the attackers have targeted blockchain project developers through fake online interviews. During these interactions, victims were redirected to a counterfeit video conferencing site, where they were persuaded to download infected files under the pretext of installing a client or fixing a "technical error".
The group employs sophisticated malware tailored for both Intel and Apple Silicon architectures:
- AUDIOFIX. Masquerades as a system audio driver. The program steals passwords, SSH keys, cryptocurrency wallet data, and Discord and Telegram sessions. The stolen credentials let the attackers move through the company's internal network, reach its infrastructure, and inject malicious code into projects under development;
- MiniRAT. Previously used in a supply chain attack: it was distributed through a trojanized version of the legitimate npm package @velora-dex/sdk, which is used in DeFi projects. MiniRAT provides remote command execution and downloads additional modules.
Experts note that JINX-0164’s tactics—focusing on the crypto industry, targeting developers through fake recruitment, and using specific VPN services (like Astrill VPN)—bear similarities to the methods of North Korean groups such as BlueNoroff. However, Wiz found no direct technical matches in the infrastructure that would definitively link JINX-0164 to Pyongyang.
Hidden GPU Miner Spread via Search Spam and AI Chatbots
Microsoft researchers describe an ongoing cryptojacking campaign that deliberately targets machines equipped with high-performance graphics processing units (GPUs).
Infection occurs through malicious download pages for system utilities typically installed by owners of powerful PCs, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.
Microsoft researchers found that the attack begins when users search for one of these utilities and click on malicious links pushed up the search results through SEO poisoning. Some reports from April, however, indicate that users were also directed to the malicious domains after interacting with AI assistants: victims who asked a chatbot where to download the software received the infected links in the generated answer.
Example of an AI chatbot response with a malicious link. Source: Microsoft.
Once the system is infected, the attackers establish persistent access by deploying ScreenConnect, a standard remote management tool. The main malware component disguises itself as a harmless application such as VLC media player and is configured to launch at startup. To evade security software, it hides its code inside legitimate Windows system files and adds its own paths to the antivirus exclusion list.
Once persistence is in place, the malware downloads and runs a covert miner that consumes the victim's GPU resources. The campaign uses off-the-shelf GPU miners such as gminer, lolMiner, and SRBMiner-MULTI.
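The persistence traits described above (a Run-key or scheduled-task autostart posing as VLC, self-added antivirus exclusions, a ScreenConnect agent, and a named GPU miner process) are all visible from the host. The following triage script is an added example written for this digest; it is not code from Microsoft's report. The miner names come from the article; the list of user-writable directories treated as suspicious, the ScreenConnect service-name pattern, and the function name Test-SuspiciousPath are assumptions for illustration. Run it in an elevated PowerShell session on the host being examined.

```powershell
# Added triage example (not from the Microsoft report): surface the persistence
# artifacts a GPU-miner infection of the kind described above would leave behind.
# Miner names are from the article; the path heuristics below are assumptions.

$minerRegex = 'gminer|lolminer|srbminer'
# Directories a legitimate VLC or audio-driver install would not normally use (assumption)
$suspiciousRoots = @('\appdata\', '\temp\', '\programdata\', '\public\', '\downloads\')

function Test-SuspiciousPath {
    # Returns $true when a path or command line points into a user-writable
    # location or names one of the miners used by the campaign.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $lower = $Path.ToLowerInvariant()
    foreach ($root in $suspiciousRoots) { if ($lower.Contains($root)) { return $true } }
    return [bool]($lower -match $minerRegex)
}

Write-Host "== Microsoft Defender exclusions (the malware adds its own) =="
$pref = Get-MpPreference
foreach ($entry in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($entry) {
        $flag = if (Test-SuspiciousPath $entry) { 'SUSPICIOUS' } else { 'ok' }
        "{0,-10} {1}" -f $flag, $entry
    }
}

Write-Host "`n== Autostart entries in Run keys =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties Get-ItemProperty attaches to the object
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $flag = if (Test-SuspiciousPath $prop.Value) { 'SUSPICIOUS' } else { 'ok' }
        "{0,-10} {1} = {2}" -f $flag, $prop.Name, $prop.Value
    }
}

Write-Host "`n== Scheduled tasks whose action runs from a user-writable path =="
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmdLine = "{0} {1}" -f $action.Execute, $action.Arguments
        if ($action.Execute -and (Test-SuspiciousPath $cmdLine)) {
            "SUSPICIOUS {0}{1} -> {2}" -f $task.TaskPath, $task.TaskName, $cmdLine
        }
    }
}

Write-Host "`n== ScreenConnect agents (legitimate RMM software, unexpected on an unmanaged PC) =="
Get-Service | Where-Object { $_.Name -like 'ScreenConnect*' -or $_.DisplayName -like '*ScreenConnect*' } |
    Select-Object Name, DisplayName, Status

Write-Host "`n== Running processes matching the campaign's miner names =="
Get-Process | Where-Object { $_.ProcessName -match $minerRegex } |
    Select-Object Id, ProcessName, Path
```

A hit in the exclusion list pointing at a directory under AppData or ProgramData is the strongest single signal here, because legitimate software rarely excludes itself from scanning. Treat a ScreenConnect service as benign only if the machine is known to be managed by an IT provider that uses it.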
Microsoft noted that the attackers' behavior stands out due to their "targeting and monetization strategy, designed from the ground up to maximize mining revenue from each compromised device" rather than relying on mass infections.
Hacker Nightmare-Eclipse Banned from GitHub and GitLab After Publishing Microsoft Zero-Day Exploits
Microsoft has blocked the GitHub account of the security researcher known as Nightmare-Eclipse and deleted his Microsoft account. GitLab subsequently followed suit.
The dispute centers on bounty payments and disclosure policy. Nightmare-Eclipse claims that Microsoft ignored his vulnerability reports and refused to pay rewards under the MSRC bounty program, which can reach $250,000.
Source: GitLab.
In response, the researcher began publicly releasing the zero-day vulnerabilities he had found and announced that a new batch would follow on July 14, 2026.
He reported:
- BlueHammer. A local privilege escalation in Windows Defender that lets an attacker with an ordinary user account elevate to SYSTEM, the highest local privilege level;
- RedSun. Exploits a different vulnerability in the antivirus code than BlueHammer but leads to a similar outcome;
- UnDefend. A tool for sabotaging Windows Defender. It tricks the system into reporting that the endpoint is protected and the antivirus is working normally, while in fact disabling Defender's ability to detect malicious code;
- GreenPlasma. A vulnerability that allows SYSTEM privileges through the CTFMon system service, responsible for alternative text input and language panels;
- MiniPlasma. A local privilege escalation exploit for the Windows cloud files mini filter driver cldflt.sys, which he says yields SYSTEM rights even on fully patched Windows 11;
- YellowKey. A critical vulnerability in BitLocker disk encryption that lets an attacker with physical access to the device bypass its protections and read the encrypted data with little effort, defeating the purpose of the technology.
Nightmare-Eclipse also claims to have set up a "dead man's switch": an automated system that will leak new exploits online if he is arrested or killed.
CrowdStrike and Google Dismantle Network Targeting Open Source Developers
In a joint operation, CrowdStrike, Shadowserver, and Google dismantled a network for distributing malware and stealing passwords from open-source software developers.
The operation targeted the operators of the Glassworm botnet, which had been attacking the open-source software supply chain for two years.
The Glassworm hackers employed several strategies to spread their malware, including:
- Publishing infected extensions in marketplaces used by developers;
- Malvertising—buying sponsored links in search results to trick victims into downloading malicious software;
- Using credentials stolen in earlier breaches to take over developers' accounts and inject malicious code directly into their projects.
According to CrowdStrike, the attackers managed to "poison" more than 300 repositories on GitHub. Investigators took down four command-and-control servers whose infrastructure relied on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers. This cut the attackers off from the infected machines and halted further malware delivery.
Scammers in Odessa Used Advanced AI Technologies to Steal About 2.5 Million Hryvnias
Ukrainian law enforcement, in collaboration with Kazakhstan's cyber police, uncovered a large criminal organization in Odessa.
The phone scammers targeted citizens of Kazakhstan. Preliminary estimates indicate the damage amounted to about 2.5 million hryvnias (approximately $57,000 at the time of writing).
The scammers used advanced social engineering tools, including deepfakes and AI-generated videos. Posing as law enforcement officers, bank employees, or telecom company representatives, they manufactured a sense of threat and, under the pretext of "protecting accounts" or avoiding fabricated criminal charges, persuaded victims to install malware on their smartphones, which was then used to steal funds.
According to the investigation, the network was organized by two Odessa residents. The call centers ran as a coordinated business with their own CRM system and a clear division of roles; the staff included HR managers, administrators, IT specialists, and operators of various levels.
During searches, law enforcement detained nine people and seized equipment, off-the-books accounting records, vehicles, and cash. The suspects face up to 12 years in prison with confiscation of assets.
Carnival Corporation Confirms Data Breach Affecting 6 Million Customers
The world’s largest cruise operator, Carnival Corporation, has officially confirmed a massive data breach affecting nearly 6 million individuals.
The incident occurred on April 10, 2026, and began with a social engineering attack: the attackers deceived an employee and gained access to corporate systems. The company has since begun notifying affected individuals en masse.
According to BleepingComputer, the hacking group ShinyHunters claimed responsibility for the breach and said it had stolen terabytes of corporate data.
Message from ShinyHunters on the dark web. Source: BleepingComputer.
Analysis of the breach showed that the attackers accessed the databases of Holland America loyalty program members. The compromised information includes customers' names, dates of birth, email addresses, gender, and geographic locations.
This incident marks another blow to Carnival's reputation: in 2020 and 2021, the cruise operator's systems were already successfully attacked by hackers, compromising personal and financial data of passengers and crew.
Also on ForkLog:
- A hacker intercepted a $15 million GUA airdrop.
- Fake Uniswap ads on Google netted scammers $400,000.
- Squid denied a $3 million contract hack.
- Socket identified an attack on cryptocurrency and AI system developers.
- 10,000 critical vulnerabilities: Anthropic reported initial results of Project Glasswing.
- Stablecoins EURR and USDR from StablR lost their peg after a $2.8 million hack.
What to Read This Weekend?
The weekend is a great time not only to rewatch favorite films but also to rethink them. ForkLog has started early and explored why the main character of Mike Leigh's classic film "Naked," Johnny, is not just a misanthrope with a Manchester accent, but an early prototype of a crypto-punk without the internet.
