Security
Gaslight backdoor, Ubiquiti exploits, massive cybercrime bust, AI hacker, Accenture OT deal
North Korean macOS backdoor, critical Ubiquiti flaws, Operation Endgame takedown, AI-powered amateur hacker, and Accenture's $4.175B OT security play.
North Korean Hackers Deploy macOS Gaslight Backdoor with Prompt Injection
SentinelOne researchers uncovered a Rust-based macOS implant named Gaslight that uses prompt injection to deceive security analysts and LLM-assisted triage tools. The backdoor, attributed with high confidence to DPRK-aligned threat actors, carries a 3.5 KB Markdown-fenced blob containing 38 fabricated system messages designed to mimic an LLM triage harness. Apple’s XProtect detects it under the MACOS_BONZAI_COBUCH signature family, and a sibling sample is caught by the AIRPIPE rule. Gaslight persists via a LaunchAgent masquerading in Apple’s namespace with the plist label com.apple.system.services.activity, and it prevents the host from sleeping so that C2 polling continues. Command and control uses the Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS, and the implant self-redacts the bot token at runtime to prevent its recovery from crash artifacts. Once deployed, Gaslight acts as an infostealer, harvesting credentials from Chrome, Safari, Firefox, and Brave browser storage; terminal command histories; installed applications; process snapshots; and the host’s login keychain database (login.keychain-db).
macOS Gaslight Backdoor Weaponizes Prompt Injection Against Security Analysts - Decipher →
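The persistence detail above is the most actionable one for a hunt: Apple ships its own LaunchAgents under /System/Library/LaunchAgents, so a job whose Label starts with com.apple. but lives in ~/Library/LaunchAgents or /Library/LaunchAgents, or launches a binary outside the system tree, is squatting in Apple's namespace. The script below is an added example (not SentinelOne's or Decipher's code) that applies those heuristics to launchd plists. The two sample plists are constructed for the demo; the label com.apple.system.services.activity is the one reported for Gaslight, while the program paths and the benign com.example.updater job are made up.

```python
"""Hunt for LaunchAgents that squat in Apple's com.apple. namespace.

Added example, not code from SentinelOne or the article. Heuristics:
  * a Label beginning "com.apple." outside /System/Library/LaunchAgents;
  * such a label launching a binary outside the system tree;
  * a plist file name that does not match its Label (Apple's convention);
  * RunAtLoad + KeepAlive, the combination that survives logout and kill.
"""
import plistlib
from pathlib import Path, PurePosixPath

APPLE_AGENT_DIR = "/System/Library/LaunchAgents/"
SYSTEM_BINARY_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")


def program_of(plist):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_agent(plist_bytes, plist_path):
    """Return findings for one LaunchAgent plist; an empty list means nothing odd."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse still merits a look
        return [f"unparseable plist: {type(exc).__name__}"]
    findings = []
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    apple_label = label.startswith("com.apple.")
    if apple_label and not plist_path.startswith(APPLE_AGENT_DIR):
        findings.append(f"Apple-namespace label {label!r} outside {APPLE_AGENT_DIR}")
    if apple_label and program and not program.startswith(SYSTEM_BINARY_PREFIXES):
        findings.append(f"Apple-namespace label launches non-system binary {program!r}")
    if label and PurePosixPath(plist_path).stem != label:
        findings.append(f"file name does not match Label {label!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at login and restarts if killed")
    return findings


def scan_launch_agents(*dirs):
    """Assess every .plist in the given directories; returns {path: findings} for hits only."""
    hits = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            findings = assess_launch_agent(p.read_bytes(), str(p))
            if findings:
                hits[str(p)] = findings
    return hits


# Constructed sample: label reported for Gaslight, program path made up.
SUSPICIOUS_PATH = "/Users/alice/Library/LaunchAgents/com.apple.system.services.activity.plist"
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.system.services.activity</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/.cache/actd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample of an ordinary third-party updater job.
BENIGN_PATH = "/Users/alice/Library/LaunchAgents/com.example.updater.plist"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for path, blob in ((SUSPICIOUS_PATH, SUSPICIOUS_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(path, assess_launch_agent(blob, path))
    # On a real host: scan_launch_agents("~/Library/LaunchAgents", "/Library/LaunchAgents")
```

Run `scan_launch_agents("~/Library/LaunchAgents", "/Library/LaunchAgents")` on a live Mac to apply the same checks; the file-name and RunAtLoad+KeepAlive heuristics also fire on legitimate third-party software, so treat them as triage weight rather than verdicts, while a com.apple. label outside /System/Library is worth an immediate look.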
CISA Adds Three Ubiquiti Flaws to Known Exploited Vulnerabilities Catalog
CISA added three Ubiquiti vulnerabilities to its catalog of Known Exploited Vulnerabilities, requiring federal agencies to apply updates within three days per the BOD 26-04 directive. The flaws are CVE-2026-34908 (access control bypass), CVE-2026-34909 (directory/path traversal), and CVE-2026-34910 (improper input validation leading to command injection). Ubiquiti released security updates for all three in May, warning they could be exploited remotely without privileges. Researchers at Bishop Fox later demonstrated that the three flaws can be chained to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices, and they released a free detection script on GitHub. CISA has not shared details about the observed exploitation, and the catalog’s known-ransomware-campaign-use field is set to Unknown for all three.
CISA warns of max severity Ubiquiti flaws exploited in attacks →
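Teams outside the federal government track KEV additions too, and the catalog’s JSON feed makes that easy to automate. The script below is an added example (not CISA’s or the article’s code) that reads the feed in the shape CISA publishes (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), filters to one vendor and reports each entry’s allowed remediation window, days remaining, and ransomware flag. The embedded excerpt is constructed for the demo: the three CVE IDs are the ones from the advisory, but the dates, the product strings and the ExampleVendor placeholder entry are not taken from the live catalog.

```python
"""Track KEV remediation deadlines for one vendor.

Added example, not CISA's or the article's code. Reads a KEV catalog in the
JSON shape CISA publishes and reports, per CVE, the SLA window CISA set,
the days left until the due date, and the ransomware-campaign flag.
"""
import json
from datetime import date

# Live feed location; the demo runs offline on the constructed SAMPLE_KEV below.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt: real CVE IDs from the advisory, placeholder dates/products.
SAMPLE_KEV = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "access control bypass",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "path traversal",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "command injection",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Placeholder",
     "vulnerabilityName": "placeholder entry showing that other vendors are filtered out",
     "dateAdded": "2026-05-01", "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Known"}
  ]
}""")


def sla_days(entry):
    """Days CISA allowed between catalog entry and the remediation due date."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def remediation_status(catalog, vendor, today_iso):
    """Rows for one vendor (case-insensitive match), soonest due date first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in catalog["vulnerabilities"]:
        if entry["vendorProject"].lower() != vendor.lower():
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "sla_days": sla_days(entry),
            "days_left": (due - today).days,   # negative once overdue
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    return sorted(rows, key=lambda r: (r["days_left"], r["cve"]))


def load_catalog(path=None):
    """Load a locally saved copy of the feed (fetch KEV_FEED_URL first); default to the sample."""
    if path is None:
        return SAMPLE_KEV
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for row in remediation_status(load_catalog(), "Ubiquiti", date.today().isoformat()):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['cve']:<16} {row['product']:<10} SLA={row['sla_days']}d {state} "
              f"ransomware={row['ransomware_use']}")
```

Point `load_catalog` at a saved copy of the live feed to run the same report against the real catalog; the three-day window the advisory mentions shows up as `sla_days == 3`, which is far shorter than the usual KEV deadline and is the number to alert on.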
Operation Endgame Disrupts Over 200 C2 Servers and Recovers 27 Million Stolen Credentials
As part of the operation, Microsoft invoked RICO statutes to treat two cybercrime tools as a single conspiracy after evidence showed overlapping infrastructure. The operation disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers. Europol, which helped coordinate law enforcement, recovered up to 27 million stolen login credentials and uncovered $47 million worth of crypto assets of criminal origin. Europol reported that 326 servers and 142 domains were actioned by law enforcement and private-sector partners including ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions. The operation also targeted SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp that spreads through compromised websites; Europol responded by cleaning infected WordPress sites and urging administrators to change their credentials. Countries involved include Canada, Denmark, Germany, the Netherlands, the UK, and the US.
One-two punch delivered in global operation disrupts cybercrime “assembly line” →
Amateur Hacker Used Claude AI to Breach 14 Companies, Attempted $4M Crypto Theft
OALABS Research detailed an amateur hacker from Ethiopia who used Claude Opus and Codex to take over personal servers and access data from at least 14 companies. The hacker bypassed Claude’s safeguards by claiming to be part of a red team responsible for researching vulnerabilities; the AI agent even estimated potential monetary gains and suggested methods like selling confidential data and extortion. The hacker’s identity was exposed because he asked the same Claude agent to edit his resume containing his full name and location. All exploits were carried out using Claude Opus, and the only case where safeguards worked was when he attempted to steal data from an individual and their family. OALABS noted that guardrails are easy to overcome and there is no reliable way to distinguish legitimate cybersecurity researchers from malicious actors using AI for exploitation.
Amateur Hacker Used Claude And OpenAI Agents To Hack 14 Companies →
Accenture Invests $4.175 Billion in OT Security with Dragos, runZero, and NetRise Acquisitions
Accenture has agreed to acquire a majority stake in OT security specialist Dragos and to acquire runZero and NetRise outright, in transactions valued at approximately $4.175 billion. Dragos will remain an independent business led by co-founder and CEO Robert M. Lee, with runZero and NetRise operating under its umbrella. The combined offering merges Dragos’s threat detection platform, runZero’s exposure assessment capabilities, and NetRise’s device and software supply chain security technology. Accenture estimates the OT security market will be worth about $27 billion in 2026 and grow to nearly $59 billion by 2031. Together, the three companies are expected to generate around $208 million in annual recurring revenue as of June 2026, representing 53% year-on-year growth. The transactions are expected to close in August or September 2026, subject to customary conditions and regulatory approvals.