Newly discovered phishing campaign delivers XMRig cryptominer through fake CrowdStrike job offer emails
A newly discovered phishing campaign has been using fake job offers to distribute the XMRig cryptominer. The attackers impersonate a well-known cybersecurity company, sending phishing emails claiming recipients have been selected for a junior developer role and need to download a "CRM application" from a fake portal.
The malicious site offers downloads for Windows and macOS, but both deliver a Windows executable written in Rust, equipped with evasion mechanisms like debugger detection and CPU checks. After passing these checks, the malware displays a fake error message while silently downloading configuration files and launching the cryptominer.
The XMRig miner operates in the background, consuming minimal CPU resources to avoid detection and maintaining persistence through registry modifications and startup scripts. Job seekers are advised to verify recruiter communications, avoid unsolicited downloads, and confirm email authenticity through official company channels. Employers rarely require candidates to download third-party applications or make payments during the hiring process.
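The persistence behaviour described above (registry autorun values and startup scripts that launch a low-profile miner) is what a triage script should look for on a suspect host. The following is an added defender-side illustration, not code from the report or from any vendor: the autorun entries are constructed samples, and the command-line indicators are assumptions based on common XMRig usage (pool URLs, CPU-throttling switches, binaries under user-writable paths), not this campaign's IoCs.

```python
"""Triage Windows autorun entries for cryptominer-style persistence.

Added illustration; sample entries are constructed and the indicator
patterns are assumptions about typical XMRig command lines.
"""
import re
from dataclasses import dataclass

# Command-line fragments worth a closer look in an autorun entry (assumed).
MINER_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level|--max-cpu-usage|--cpu-max-threads-hint", re.I),
    re.compile(r"-o\s+\S+:\d{4,5}\b"),          # pool host:port after -o
    re.compile(r"start\s+/min|-WindowStyle\s+Hidden", re.I),  # hidden launch
]
# Binaries launched from user-writable locations rather than Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%",
    re.I,
)

@dataclass
class AutorunEntry:
    source: str    # e.g. a Run key path or "StartupFolder"
    name: str
    command: str

def score_entry(entry):
    """Return the list of reasons this entry resembles miner persistence."""
    reasons = [f"miner indicator: {p.pattern}" for p in MINER_PATTERNS
               if p.search(entry.command)]
    if USER_WRITABLE.search(entry.command):
        reasons.append("binary in user-writable path")
    return reasons

def triage(entries):
    """Map entry name -> reasons, keeping only entries with at least one reason."""
    return {e.name: r for e in entries if (r := score_entry(e))}

# Constructed sample data: one benign entry, two modelled on the reported behaviour.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "CrmUpdater",
                 r"C:\Users\alice\AppData\Roaming\crm\svc.exe -o pool.example.invalid:3333 --max-cpu-usage 20"),
    AutorunEntry("StartupFolder", "update.bat",
                 r'cmd /c start /min "" "%APPDATA%\crm\xmrig.exe" --config=%APPDATA%\crm\config.json'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```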
Student, teacher data from K–12 districts exposed by data breach involving PowerSource support portal
PowerSchool, a major provider of cloud-based K-12 education software, confirmed a cybersecurity breach impacting its SIS platform, used by over 60 million students globally. The breach, discovered on December 28, 2024, involved unauthorized access to the PowerSource customer support portal using compromised credentials. Attackers exploited a maintenance tool to export sensitive data, including names, addresses, and in some cases, Social Security numbers, grades and medical information of students and teachers.
PowerSchool has assured that not all SIS customers were affected, and only a subset may need to notify stakeholders. The company has engaged cybersecurity experts to investigate, rotated passwords and tightened policies. While the incident was not ransomware-related, PowerSchool paid a ransom to prevent data leaks, though no guarantees exist that the data is permanently deleted.
Affected individuals are being offered credit monitoring and identity protection services. The company is also monitoring the dark web for potential leaks and assisting impacted districts with communication resources. Investigations are ongoing, with a detailed report expected by January 17, 2025.
New Banshee stealer variant evades detection through Apple’s XProtect encryption algorithm
A new variant of the Banshee infostealing malware for macOS has been evading detection by adopting string encryption methods similar to those used by macOS's native security features.
Initially launched as a stealer-as-a-service in 2024, Banshee’s source code was leaked later that year, leading to the public shutdown of the original project. This leak has allowed other developers to improve the malware, including changes to its encryption techniques and targeting approach.
The malware now encrypts its strings and decrypts them only during execution, enabling it to bypass static detection methods and potentially operate undetected for longer periods. It is distributed through deceptive repositories impersonating legitimate software, targeting data stored in popular browsers and stealing credentials, cryptocurrency wallets and system information. Despite the shutdown of its original operation, phishing campaigns continue to spread the malware, leveraging its leaked code for ongoing attacks.
Data breach at BayMark Health Services, largest U.S. addiction treatment provider, disclosed
BayMark Health Services, North America's largest substance use disorder treatment provider, is notifying patients of a data breach that exposed personal and health information. Based in Texas, the organization delivers medication-assisted treatment (MAT) services for substance use and mental health disorders to over 75,000 patients daily across more than 400 locations in 35 U.S. states and three Canadian provinces.
The breach occurred between September 24 and October 14, 2024, and was discovered after an IT disruption on October 11. Attackers accessed sensitive data, including names, Social Security numbers, driver's license numbers, dates of birth, insurance information and treatment details. BayMark has offered affected patients a year of free identity monitoring services for those whose Social Security or driver's license numbers were exposed.
The breach was claimed by the RansomHub ransomware gang, which reported stealing 1.5TB of data and uploading it to its dark web leak site.
STIIIZY cannabis brand discloses theft of customers’ personal and purchase data
Popular cannabis brand STIIIZY disclosed a data breach after attackers compromised its point-of-sale (POS) vendor, stealing sensitive customer information, including government IDs and purchase histories. The breach was first identified on November 20, 2024, when STIIIZY was notified by its vendor that accounts had been compromised by a cybercrime group. Investigations revealed the data was stolen between October 10 and November 10, 2024.
The stolen information included names, addresses, birthdates, driver’s license and passport numbers, medical cannabis card details, transaction histories and photos. Not all categories of data were compromised for every affected individual, and the breach only impacted customers at specific STIIIZY locations in California, including San Francisco, Alameda and Modesto.
While STIIIZY has not disclosed details about the vendor breach, the Everest ransomware group claimed responsibility, alleging it stole data from over 422,000 customers. Everest also shared screenshots of stolen customer IDs and company documents on its leak site.