This week: a deserialization flaw in popular Minecraft mods enables remote code execution on servers and clients, Russian APT Blue Charlie swaps to 94 new phishing domains after its infrastructure was exposed, Google’s AI-powered fuzzing adds up to 31% more code coverage to open source security testing, and a new macOS infostealer disguised as a productivity app is selling on underground markets for $199 per month.
Stories Covered
Bleeding Pipe: Minecraft Mod Deserialization Flaw Enables Remote Code Execution
Researchers at Malwarebytes Labs disclosed a vulnerability dubbed Bleeding Pipe affecting a range of popular Minecraft mods built on top of the Java deserialization class used to exchange network packets between clients and servers. The flaw allows a remote attacker to send a specially crafted network payload to a vulnerable server, gaining remote code execution on the server — and potentially on connected clients as well. Affected mods identified by MMPA include EnderCore, Gatomancy, Logistics Pipes (versions older than 0.10.0.71), and others. The vulnerability had already been actively exploited by late July 2023 before the public disclosure. MMPA released a protective mod called Pipe Blocker that filters network traffic at the vulnerable deserialization entry points, providing a mitigation for server operators who cannot immediately update all affected mods. The core issue is architectural: deserialization allows data to control code execution flow, and when user-supplied network data reaches a deserialization routine without proper validation, it becomes a remote code execution vector — a pattern that has appeared repeatedly across Java frameworks for years. For anyone running a Minecraft modded server or playing on one: update affected mods immediately, install Pipe Blocker as an interim defense, and be aware that exploitation was already happening before the patch was widely distributed.
Russian APT Blue Charlie Rebuilds Infrastructure With 94 New Domains After Exposure
Recorded Future researchers detailed an infrastructure pivot by Blue Charlie, a Russian espionage APT active since approximately 2017 that also operates under the names Callisto, Star Blizzard, Cyborgium, and Coal Driver. The group targets governments, defense organizations, education institutions, political organizations, journalists, NGOs, and think tanks — the profile of an intelligence collection operation focused on information that can be weaponized through leak campaigns. After researchers publicly mapped Blue Charlie’s campaign and attributed specific actors involved in its operations, the group abandoned its previous domain infrastructure and shifted to 94 new phishing domains. Blue Charlie’s previous preferred technique involved the EvilGinx framework: appending a phishing domain with a path that mirrors a legitimate-looking URL — so a phishing link might look like http://phishingdomain.com/.sso.legitimate.gov, where the victim sees the SSO reference and assumes they are at an institutional login page when the controlling domain is entirely attacker-owned. The new domains drop the legitimate URL appending and instead combine two generic IT-sounding terms — something like storage-gateway.com — which makes them slightly less immediately convincing but harder to detect via pattern matching against known-legitimate domain strings. The infrastructure change is routine for mature APT groups: exposure does not neutralize the threat, it triggers a rebuild and a shift in tradecraft while the underlying capability and mission continue.
Google AI Fuzzing: LLMs Add Up to 31% More Code Coverage to Open Source Security Testing
Google published results from experiments applying large language models to OSS-Fuzz, its continuous fuzzing service for open source projects that has run since 2016 and has found and verified fixes for over 10,000 vulnerabilities across more than 1,000 open source projects. The core limitation OSS-Fuzz faces is coverage: estimated at roughly 30% of a typical project’s total codebase. Increasing coverage requires adding more fuzz targets — entry points the fuzzer can probe with malformed inputs — which traditionally requires manual work by the developers who maintain the project. Google’s experiments prompted LLMs to automatically generate additional fuzz targets for existing projects. After iterating on prompting strategies, they achieved 1.5% to 31% additional code coverage across tested projects with no manual developer intervention required. The significance is that vulnerability discovery through fuzzing has historically been bottlenecked by the effort required to expand coverage: each new fuzz target requires a developer who understands the codebase to define appropriate entry points and input structures. LLMs can draft those targets from existing code context, removing the manual labor bottleneck. Google’s stated long-term goals include extending OSS-Fuzz LLM assistance beyond C and C++ to Java and Python, and automating the project onboarding process so smaller open source projects without dedicated security resources can take advantage of continuous fuzzing without the upfront engineering investment.
XLoader macOS Malware Hides as OfficeNote, Sold as Malware-as-a-Service for $199/Month
SentinelOne researchers identified a new macOS variant of XLoader — previously known as FormBook, a keylogger and infostealer distributed as malware-as-a-service — bundled inside an Apple disk image file named officenote.dmg and signed with a developer certificate. The malware presents itself as OfficeNote, a productivity application. The previous macOS variant of XLoader required a Java runtime environment to execute, which limited its reach since Apple stopped shipping Java with macOS years ago. The new variant is written in C and Objective-C, which run natively on macOS without external dependencies. Apple revoked the developer signature after the malware was identified, which removes the trusted signature indicator, but does not prevent execution if a user bypasses the Gatekeeper warning. Multiple samples appeared on VirusTotal around July 2023, indicating the operators were running an active infection campaign. Underground forum advertisements priced the macOS variant at $199 per month or $299 for three months — significantly higher than the Windows version at $59 per month, reflecting the relative scarcity of effective macOS infostealers and the higher average value of data on macOS targets. The malware harvests clipboard data and browser directories from Firefox and Chrome, steals credentials and cookies, and establishes persistence via a Launch Agent so it continues running across reboots without any user interaction. Mac users: do not install software named OfficeNote from non-App Store sources, and treat any productivity application distributed as a DMG that asks for broad system permissions as suspicious regardless of whether it appears to have a valid signature.
Leave a Reply