Silent Harvest: Extracting Windows Secrets Under the Radar

Source: https://sud0ru.ghost.io/silent-harvest-extracting-windows-secrets-under-the-radar/

The threat titled "Silent Harvest: Extracting Windows Secrets Under the Radar" appears to describe a technique or set of techniques aimed at stealthily extracting sensitive information from Windows systems. Although detailed technical specifics are not provided in the source information, the title and context imply that the threat involves covert methods to access Windows secrets, which could include credentials, cryptographic keys, or other sensitive authentication material stored or cached on Windows machines. Such techniques often leverage legitimate Windows APIs, memory scraping, or subtle exploitation of system components to avoid detection by traditional security tools. The lack of affected versions and patch links suggests this might be a newly observed or theoretical method rather than a disclosed vulnerability with a known fix. The source being a Reddit NetSec post linked to an external blog indicates the information is emerging and may be based on research or proof-of-concept demonstrations rather than widespread exploitation. The minimal discussion and low Reddit score further suggest this is early-stage intelligence rather than a broadly recognized or exploited threat. However, the medium severity rating implies that if leveraged, this technique could enable attackers to gain unauthorized access to critical Windows secrets, potentially facilitating lateral movement, privilege escalation, or persistent access within compromised environments.

Reddit NetSec

Detailed information about Silent Harvest: Extracting Windows Secrets Under the Radar. Get real-time updates, technical details, and mitigation strategies.

Silent Harvest: Extracting Windows Secrets Under the Radar - Live Threat Intelligence - Threat Radar | OffSeq.com

Silent Harvest: Extracting Windows Secrets Under the Radar

Reddit Discussion: Silent Harvest: Extracting Windows Secrets Under the Radar

Fake Mac fixes trick users into installing new Shamos infostealer

Source: https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/

The reported threat involves a new variant of the Shamos infostealer malware that is being distributed through deceptive phishing campaigns targeting macOS users. Attackers are leveraging fake 'Mac fixes'—likely fraudulent software updates, patches, or system repair tools—to trick users into downloading and installing the Shamos infostealer. Once installed, this malware is designed to stealthily harvest sensitive information from the infected system, which may include credentials, personal data, browser histories, and other confidential information. The delivery method relies heavily on social engineering, exploiting user trust in purported system fixes to bypass typical security awareness. Although no specific affected software versions are mentioned, the threat targets macOS environments, which traditionally have been less targeted than Windows but are increasingly attractive due to their growing market share and perceived security. The absence of known exploits in the wild suggests this campaign might be in early stages or limited distribution, but the high severity rating indicates significant potential impact if widely deployed. The technical details confirm the source as a Reddit InfoSec news post linking to a trusted cybersecurity news outlet, BleepingComputer, which lends credibility to the report. However, minimal discussion and low Reddit score imply limited current visibility or spread. Overall, this threat represents a sophisticated phishing vector combined with a potent infostealer payload aimed at macOS users, emphasizing the evolving threat landscape for Apple platforms.

Reddit InfoSec News

Detailed information about Fake Mac fixes trick users into installing new Shamos infostealer. Get real-time updates, technical details, and mitigation strategie

Fake Mac fixes trick users into installing new Shamos infostealer - Live Threat Intelligence - Threat Radar | OffSeq.com

Fake Mac fixes trick users into installing new Shamos infostealer

Reddit Discussion: Fake Mac fixes trick users into installing new Shamos infostealer

Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery

CIRCL OSINT Feed

seemysitelive.store: Enriched via the dns module

Detailed information about Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery. Get real-time updates, tech

Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery - Live Threat Intelligence - Threat Radar | OffSeq.com

Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.

CVE-2025-57800 is a critical vulnerability affecting the open-source self-hosted audiobook server Audiobookshelf, specifically versions 2.6.0 through 2.26.3. The issue arises from improper validation and restriction of redirect callback URLs during OpenID Connect (OIDC) authentication. An attacker can craft a malicious login link that causes the Audiobookshelf server to store an arbitrary callback URL in a cookie. After the victim authenticates, the server issues an HTTP 302 redirect to this attacker-controlled URL, appending sensitive OIDC tokens as query parameters. These tokens include access and ID tokens that grant full access to the victim's account. Because these tokens are exposed in the URL, they can be leaked through browser history, Referer headers, and server logs, significantly increasing the risk of compromise. An attacker who obtains these tokens can perform a full account takeover, including creating persistent administrator accounts if the victim has admin privileges. This vulnerability does not require any misconfiguration on the Identity Provider (IdP) side, making all Audiobookshelf deployments using OIDC authentication vulnerable. The flaw involves multiple CWE categories: CWE-523 (Unprotected Transport of Credentials), CWE-598 (Information Exposure), and CWE-601 (Open Redirect). The vulnerability has a CVSS v3.1 score of 8.8 (high severity), reflecting its network attack vector, low attack complexity, no privileges required, but requiring user interaction (victim must click the malicious link). The issue was publicly disclosed on August 22, 2025, and fixed in version 2.28.0. No known workarounds exist, and no exploits have been observed in the wild yet.

CVE Database V5

Detailed information about CVE-2025-57800: CWE-523: Unprotected Transport of Credentials in advplyr audiobookshelf affecting advplyr audiobookshelf. Get real-ti

CVE-2025-57800: CWE-523: Unprotected Transport of Credentials in advplyr audiobookshelf - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-57800: CWE-523: Unprotected Transport of Credentials in advplyr audiobookshelf

Tenda O3V2 1.0.0.12(3880) is vulnerable to Buffer Overflow in the fromSafeSetMacFilter function via the mac parameter.

Detailed information about CVE-2025-55613: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-55613: n/a

CVE-2025-55613: n/a

Description

Technical Details

Related Threats

CVE-2025-57800: CWE-523: Unprotected Transport of Credentials in advplyr audiobookshelf

CVE-2025-55637: n/a

CVE-2025-55634: n/a

CVE-2025-55631: n/a

CVE-2025-55630: n/a

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility