7 April 2026

Ankura CTIX FLASH Update – April 1, 2026

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers services and end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura has more than 2,000 professionals serving 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results, and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value™. For more information, please visit ankura.com.

Malware Activity

How Social Engineering and Supply‑Chain Threats Are Targeting macOS and Developers
Recent security research highlights a growing wave of attacks that rely on deception and trust, rather than traditional software vulnerabilities, to compromise macOS users and developers. One campaign, known as Infinity (or Infiniti) Stealer, uses fake Cloudflare‑style CAPTCHA pages to trick Mac users into pasting commands into the Terminal, which silently installs data‑stealing malware. Once running, the malware disguises itself as a legitimate macOS application and quietly collects sensitive information such as browser passwords, macOS Keychain data, cryptocurrency wallets, screenshots, and secrets stored in developer files. At the same time, a separate software supply‑chain attack targeted developers by compromising the popular Telnyx Python package on PyPI, embedding malware that activates automatically when the library is imported. To evade detection, attackers hid malicious code inside harmless‑looking WAV audio files, which extracted and executed malware in memory. Together, these incidents show how attackers are increasingly abusing user trust, familiar brands, and widely used open‑source tools. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
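The two traits described in the Telnyx incident, code that fires on `import` and a payload carried in a bundled WAV, are both checkable statically before a package is ever imported. The following triage script is an added example written for this update; it is not Ankura's, PyPI's or Telnyx's code, and every input it inspects is constructed inline.

```python
"""Static triage for the pattern described above: code that runs on import plus a
payload stashed in a bundled WAV. Added example; every input below is constructed."""
import ast
import struct

EXEC_CALLS = {"exec", "eval", "compile", "__import__"}  # run code/data when called

def _scan(nodes, found):
    for node in nodes:
        # Function/lambda bodies only run when called, not on `import pkg`;
        # module-level and class-body code does run at import.
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        if isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
            if name in EXEC_CALLS:
                found.append((node.lineno, name))
        _scan(ast.iter_child_nodes(node), found)

def import_time_exec_calls(source: str) -> list:
    """(line, name) of exec-like calls reachable at import time."""
    found = []
    _scan([ast.parse(source)], found)
    return found

def wav_trailing_bytes(data: bytes) -> int:
    """Bytes appended past the declared RIFF payload (0 for a clean file).
    Catches data hidden after the end, not data hidden inside the samples."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", data[4:8])[0]  # bytes following this field
    return len(data) - (8 + riff_size)

def make_wav(pcm: bytes) -> bytes:
    """Minimal 8-bit mono PCM WAV; only used to build the constructed samples."""
    fmt = struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + b"fmt " + fmt + b"data" + struct.pack("<I", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: clean WAV, WAV with 24 appended bytes, suspect __init__.py.
CLEAN_WAV = make_wav(b"\x80" * 16)
SUSPECT_WAV = CLEAN_WAV + b"CONSTRUCTED-PAYLOAD-STUB"
SUSPECT_INIT = """\
import base64
def helper():
    return eval("1")  # inside a function: not reached at import
payload = base64.b64decode(open("tone.wav", "rb").read()[44:])
exec(compile(payload, "<wav>", "exec"))
"""
```

Run `import_time_exec_calls` over each module of an unpacked wheel and `wav_trailing_bytes` over every bundled audio asset; a hit from either is a reason to quarantine the package for manual review, not proof of compromise.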

Threat Actor Activity

Iran-linked Handala Hacks and Leaks FBI Director Kash Patel’s Personal Email

Iran-linked hacktivist group Handala Hack Team breached the personal Gmail account of FBI Director Kash Patel and leaked a cache of personal photos and older emails from 2010 and 2019. The FBI and U.S. Department of Justice confirmed the compromise but stressed that the data is historical and contains no government information, adding that mitigation steps have been taken. Handala framed the leak as retaliation for recent U.S. actions, including the FBI- and DOJ-led seizure of four (4) domains operated by Iran's Ministry of Intelligence and Security (MOIS) and a $10 million U.S. bounty on Handala members, as well as broader U.S.-Iran tensions. The seized domains were used for hack-and-leak operations, doxxing Israeli military and government personnel, threatening dissidents and journalists, and amplifying MOIS information operations. Assessed as a persona for Iran's Ministry of Intelligence and Security, Handala has a broader record of disruptive and destructive activity, including wiping tens of thousands of devices at medical technology giant Stryker and targeting IT and service providers via compromised VPN accounts, RDP, and custom wiper malware. U.S. authorities warn that Handala and other MOIS actors also use social engineering and Telegram-based malware to spy on dissidents and opposition groups. The Patel incident underscores Handala's focus on psychological impact, signaling, and high-profile targets rather than financial gain, and highlights the continued risk to Western officials and critical suppliers amid the U.S.-Israel-Iran conflict.

Vulnerabilities

Actively Exploited F5 BIG-IP APM Vulnerability Escalates from DoS to Critical RCE Threat

Cybersecurity firm F5 Networks has reclassified a vulnerability affecting BIG-IP Access Policy Manager (APM) from a denial-of-service (DoS) issue to a critical pre-authentication remote code execution (RCE) flaw following new findings in March 2026, with active exploitation now confirmed in the wild. The vulnerability, tracked as CVE-2025-53521, enables unauthenticated attackers to execute arbitrary code on affected systems with configured access policies, facilitating webshell deployment, including fileless variants operating in memory, and potentially leading to full system compromise. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and mandated remediation by no later than March 30, 2026. With over 240,000 BIG-IP instances exposed online, the attack surface remains significant, and researchers have observed active scanning activity targeting specific REST API endpoints to enumerate device information. F5 has released extensive indicators of compromise, including suspicious file artifacts, altered system binaries, anomalous log entries tied to unauthorized iControl REST API access and SELinux tampering, as well as stealthy HTTP traffic patterns designed to obscure attacker activity. BIG-IP devices represent a high-value target, historically used by both nation-state and financially motivated threat actors for network intrusion, lateral movement, data exfiltration, and destructive attacks. This reclassification from a lower-priority DoS vulnerability to an actively exploited RCE therefore marks a substantial escalation in risk, requiring immediate patching, log analysis, and adherence to incident response and forensic best practices. CTIX analysts urge all administrators to patch their instances and follow the F5 guidelines to prevent exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

