Saturday, March 21, 2026


DIGITAL LIFE


Alert: DarkSword spyware for iPhone linked to Russia

The DarkSword spyware for iPhone has been identified by the Google Threat Intelligence Group (GTIG), Lookout, and iVerify as part of a cyber espionage arsenal allegedly operated by groups linked to the Russian government. The attacks primarily targeted Ukrainian targets, but intrusion logs also point to Saudi Arabia, Turkey, and Malaysia. Apple has issued an official alert and recommends the immediate update of all devices.

The GTIG (Google Threat Intelligence Group), in conjunction with Lookout and iVerify, published this week a detailed analysis of two exploit kits: DarkSword and Coruna. The first targets iPhones with iOS versions 18.4 to 18.6.2 and can extract passwords, photos, cryptocurrency wallet credentials, WhatsApp and Telegram messages, browsing history, and call logs, erasing its traces after the intrusion. The second is a package of 23 components, identified in early March 2026.

The persistent threat group UNC6353 is using both tools in watering hole attacks (a technique that involves compromising legitimate websites frequented by targets, such as news portals and government platforms). iVerify estimates that up to 270 million users may be exposed. Lookout adds that about 15% of all iOS devices in use continue to run vulnerable versions of the operating system.

According to TechCrunch, which reported the results of the forensic analysis conducted by the investigators, the Coruna toolkit was originally developed by L3Harris, a US defense contractor. L3Harris has not publicly confirmed this attribution. The tool is believed to have reached the hands of Russian operatives and Chinese cybercriminals through a path that investigators have not yet been able to fully reconstruct.

Rocky Cole, co-founder of iVerify, told TechCrunch: “All indications point to the Russian government.” Investigator Justin Albrecht, from Lookout, describes UNC6353 as “a well-funded threat actor, conducting attacks for financial gain and espionage in alignment with the requirements of Russian intelligence services.” Both claims are based on behavioral and infrastructure analysis, with no official confirmation from any government.

One noteworthy detail is the use of large language models in the customization of both toolkits. The DarkSword server component contained AI-generated code with detailed technical comments, a serious operational security flaw for an actor linked to a state. Some experts warn, however, that this may be a deliberate false flag technique, intended to make attribution to a specific actor more difficult.

How to protect yourself:

-Update iOS: Settings > General > Software Update.

-Restart your device: a simple restart eliminates malware residing only in volatile memory.

-Enable Lockdown Mode: Settings > Privacy & Security > Lockdown Mode.

-Avoid unverified websites: do not click on links from unknown sources.

Apple stated that it is “aware of a report indicating that this issue may have been exploited in a highly sophisticated attack against specific individuals in iOS versions prior to iOS 26.” All vulnerabilities were fixed with the release of iOS 26.3 in February 2026; the iOS 26.3.1 version, released in March, introduced additional fixes. Google reported the flaws to Apple at the end of 2025.

For high-risk users (journalists, activists, government officials), Lockdown Mode remains the most robust protection available on iOS. The feature disables features such as connection previews and the installation of configuration profiles, so its use should be considered on a case-by-case basis.

This case exposes a structural flaw in the cybersecurity tools market: the absence of effective post-sale control mechanisms. A tool developed by a private American contractor reached agents of adversarial states without any containment mechanism working. The debate on the regulation of the cyberweapons market (already underway after the Pegasus case) takes on new dimensions with the evidence of the use of artificial intelligence to lower the technical barrier to entry in this type of operation.

The DarkSword spyware for iPhone targeted devices running iOS 18.4 to 18.6.2, capable of extracting sensitive data without leaving a trace.

The UNC6353 group, with alleged links to the Russian government, used watering hole attacks against Ukrainian targets, among other countries.

The Coruna toolkit was allegedly developed by the American defense contractor L3Harris, according to forensic code analysis (attribution not confirmed by the company).

Up to 270 million iPhone users may be exposed, with 15% of iOS devices still running vulnerable versions.

All flaws are fixed in iOS 26.3 and later versions.

mundophone

Friday, March 20, 2026


TECH


Expanding computing resources with light for AI datacenters

A team of Korean researchers has developed the world's first technology that can freely connect and disconnect core computing resources such as memory and accelerators with "light" in next-generation artificial intelligence (AI) datacenters. The Electronics and Telecommunications Research Institute (ETRI) announced the development of a new optical-switch-based datacenter resource interconnection technology (Optical Disaggregation, OD).

This technology is regarded as a core next-generation optical network technology that is designed to resolve the shortage of computing resources due to the increasing AI services and that enables faster and more efficient operation of future datacenters.

Current datacenters are designed based on a server-centric architecture in which CPUs, memory, storage, and accelerators (GPUs) are bundled within a single server.

In this architecture, only the limited resources installed on the same server can be utilized, leading to problems in which overall efficiency drops due to large deviations in resource utilization, such as some servers using only memory excessively while others use only the CPU.

In addition, most datacenters use electrical packet-based switches, which causes delays as multiple optical-electrical-optical conversions occur during the data switching process. These delays limit the performance of delay-sensitive operations such as connecting remote memory resources and large-scale AI training.

The Optical Disaggregation (OD) technology developed by ETRI fundamentally solves these structural limitations. When memory or accelerators within a server are insufficient, an optical switch can be used to instantly connect remote resources to the server.

This enables resources to be connected and disconnected rapidly and flexibly, exactly when needed and at the exact amount required, even for tasks demanding high-performance computing such as AI training or large-scale data analysis.

In particular, this technology is significant in terms of global technological competitiveness as it is the world's first case of connecting the Compute Express Link (CXL) standard with an optical switch.

Computing Resources with Light. Credit: Electronics and Telecommunications Research Institute(ETRI)

The research team successfully demonstrated the technology by building a verification system combining ETRI's in-house developed CPU adapter, memory blade, accelerator blade, and OD manager.

The experiment confirmed that when a service program requests additional resources, the optical path is automatically set up to allocate the necessary memory and accelerators in real time, and the service continues to be provided without interruption. In other words, they demonstrated for the first time in the world a system that can provide light-speed connection between datacenter resources under software control.

ETRI secured original patents related to CXL applied to this technology and filed 47 domestic and international patents for related technologies. In addition, the research results were presented at the Optical Fiber Communications Conference and Exposition (OFC) and the European Conference on Optical Communication (ECOC), the most prestigious conferences in the field of optical communication, gaining recognition for its technological prowess in the international academic community.

Furthermore, this research officially proved its excellence by being included in the "Top 100 Excellent National R&D Performances" selected by the Ministry of Science and ICT in 2023.

Lee Jun Ki, Director of Optical Network Research Section at ETRI, said, "Datacenter resources are being consumed rapidly worldwide due to the increase of AI services. This research achievement will serve as an important opportunity to resolve the datacenter resource shortage problem by efficiently sharing and utilizing memory and accelerators, and to accelerate the transition to sustainable future datacenters."

ETRI plans to apply this technology across a range of fields, including the advancement of national AI infrastructure, integration of cloud and supercomputing, and the development of eco-friendly datacenters for driving innovation across industries.

Provided by National Research Council of Science and Technology



DIGITAL LIFE




From demons to mega behemoths: How 'monstrous' scam networks are growing

New research led by the University of Portsmouth uncovers how scammers operate worldwide, dividing them into five "monstrous" categories. Published in the International Journal of Law, Crime and Justice, the study explores how the size of scam groups, specialized roles, and involvement of corrupt actors help scams work more effectively.

Fraud and scams are on the rise, with more than 3.31 million confirmed cases in 2024 according to the UK Finance Annual Fraud Report 2025, making it crucial to understand how scammers operate like businesses to adapt and succeed.

A team of criminologists and fraud experts, including researchers from the University of Portsmouth's School of Criminology and Criminal Justice, reviewed existing data, examined public cases and created a database of 97 fraudsters from Nigeria, Ghana and India.

The study examines how scams are designed to be more effective and convincing, often using supporting actors to carry them out. It builds on previous research into West African cybercrime, which aimed to help reduce the risk of people falling victim to online and telephone scams.

Fraudsters operate in many ways—and the scale of the problem varies dramatically. Some work alone, targeting victims locally or abroad, while others form small groups for scams like romance fraud. The research emphasizes large-scale operations with call centers of 10 to 200 people, showing just how big the problem has become.

The researchers used mythical creatures of various sizes to organize and describe their findings:

-Demons (sole traders)—independent actors who make quick decisions with little risk of betrayal and, despite limited resources, can target multiple victims.

-Gorgons (micro enterprises)—small groups use their combined skills to work more efficiently—these groups often form among friends or couples.

-Ogres (small and medium enterprises)—larger groups allow members to specialize, helping them grow operations with clear roles.

-Behemoths and Mega Behemoths (large enterprises)—they operate like companies, with call centers and global networks, showing how organized their scams are.

This classification makes it easier to understand how different types of scammers work, adapt, and react to things like law enforcement, new technology and competition, which can help guide better actions and international efforts to fight fraud.

Lead author, Professor Mark Button, from the School of Criminology and Criminal Justice and Director of the Center for Cybercrime and Economic Crime at the University of Portsmouth, said, "This research builds on my previous work in West Africa and India by looking at the whole infrastructure behind scams, including the size and type of operations involved. What's new here is the focus on large-scale scams.

"Some of these operations run like big businesses, generating hundreds of millions of pounds and employing hundreds of people. And it's not just about the scammers themselves—there's a whole network of people including corrupt individuals, website designers and money launderers who make these scams possible.

"We decided to use mythological monster names to get across the point that while the scale of these operations sound like the stuff of fiction, this is a very real threat."

Dr. Branislav Hock from the University of Portsmouth's Faculty of Humanities and Social Sciences, said, "The study also introduces the idea of 'scamvolution,' where scams evolve much like species do—only the ones that adapt survive. Scammers tweak their methods to stay ahead of law enforcement, sometimes even using AI.
"Big operations often copy how real businesses are run and certain regions become hotspots for cybercrime because of local social, economic or cultural factors."

The research further examines scams carried out by external actors against individuals and organizations, mostly online, including phishing, romance scams, and consumer fraud. It highlights the need for targeted law enforcement, coordinated action by the anti-scam community and investment in technology to help detect and prevent these scams.

Professor Button added, "Our study highlights the need for more research on how these individuals work together. Understanding these roles could help law enforcement target critical points in scam networks."

Provided by University of Portsmouth

Thursday, March 19, 2026


APPLE


Apple warns of spyware that can invade iPhones and steal user data; learn how to protect your device

Apple has issued a security alert for iPhone users after the discovery of spyware capable of invading devices and stealing personal data. The company advises that devices be updated immediately to avoid attacks that could compromise sensitive information.

The problem mainly affects phones that still run older versions of the iOS system, released between March and August 2025. According to security researchers, between 220 million and 270 million iPhones may still be vulnerable.

The malicious software, identified by experts as a sophisticated digital espionage tool, can access messages, emails, contacts, location, and even cryptocurrency wallets. In some cases, the attack occurs through infected links or compromised websites, exploiting flaws in the Safari browser and in the system's graphic resources.

In addition to its intrusion capabilities, the spyware stands out for acting quickly and without leaving traces. After collecting the data, it can erase evidence of the intrusion, making it difficult for the user or security systems to detect. Devices running the latest and most up-to-date versions of iOS 15 through iOS 26 are already protected, according to Apple.

Investigations conducted by companies such as Google, Lookout, and iVerify indicate that the tool has already been used in campaigns targeting different groups around the world, including users in Ukraine, Saudi Arabia, Turkey, and Malaysia, as well as cryptocurrency investors.

Given the seriousness of the situation, Apple recommended that users install the latest version of iOS, which fixes the exploited vulnerabilities. It is also advised to avoid clicking on suspicious links and, in cases of higher risk, to activate additional protection features, such as the system's Lockdown Mode.

"We thoroughly investigated these issues as soon as they were identified and released software updates as quickly as possible to the latest versions of the operating system in order to fix the vulnerabilities and stop these attacks," the company said in a statement.

What is DarkSword, and how can it be used to hack iPhones?

DarkSword, according to researchers, is an exploit chain—a type of cyberattack in which a hacker uses multiple software vulnerabilities to infiltrate a user’s device and pull information from it. These combined exploits allow hackers to attack a device via multiple entry points, making them harder to defend against.

The Google Threat Intelligence Group said in a report released on Wednesday that DarkSword “uses six different vulnerabilities to fully compromise a vulnerable iOS device.”

Lookout, which published its findings in coordination with Google, said DarkSword uses such vulnerabilities to gain higher-level permissions and privileges in a phone’s systems in order to “access sensitive information and exfiltrate it off the device.” 

Lookout found that hacks using DarkSword start with web browser Safari before moving into other phone systems. The exploit tool employs a “hit-and-run” tactic, the cybersecurity company explained, extracting information within seconds or, “at most,” minutes before cleaning up the data it collected and exiting.

McCoy tells TIME the attacks made through web browsers are called “drive-by downloads,” during which a user need only click on a link, rather than make a download to their device, in order for a hacker to gain access to their information. 

Among the websites researchers identified as being used in DarkSword attacks was one with a gov.ua address, according to iVerify, which the company noted indicates that the Ukrainian government’s server had been compromised. In another instance, Google found that hackers targeted Saudi Arabian iPhone users through a website disguised to resemble the social media and messaging app Snapchat. 

"DarkSword appears to be a surveillance and intelligence gathering tool, blanket pulling data including Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and cellular data as well as health, notes and calendar databases, though it does also look for crypto wallets,” iVerify said in a news release on Wednesday. 

It has been used since “at least” November 2025 by “multiple commercial surveillance vendors and suspected state-sponsored actors” to exploit millions of targets, according to Google.

mundophone


TECH


New X-ray vision for electronics lets scientists monitor working chips remotely

A groundbreaking advancement is reshaping how scientists observe the inner workings of electronic chips—ushering in a new era where semiconductor devices can be monitored in real-time without physical interference or shutdowns. This revolutionary technique leverages terahertz (THz) waves—an emerging, safe form of electromagnetic radiation—to non-invasively detect the minute electrical changes inside fully operational, sealed semiconductor components. The implications for electronics engineering, security, and safety-critical systems are profound, potentially transforming chip diagnostics and quality control across diverse industries.

Traditional methods for inspecting semiconductor devices demand either direct physical contact using electrical probes, dismantling of chip packaging, or device deactivation. These approaches are inherently intrusive, disruptive, and often impractical in real-world, high-stakes scenarios. Now, an international coalition of researchers, spearheaded by Adelaide University’s Terahertz Engineering Laboratory under Professor Withawat Withayachumnankul, has demonstrated a pioneering method that overcomes these hurdles. By employing terahertz waves, they monitor electrical activity deep within chips in real time, even as the devices operate under full load.

A team of international researchers have developed a breakthrough way to observe what is happening inside electronic chips while they are operating—without touching them, taking them apart, or switching them off. The new technique uses terahertz waves, a safe and non-ionizing form of electromagnetic radiation, to detect tiny movements of electrical charge inside fully packaged semiconductor devices. For the first time, this allows scientists and engineers to monitor electronic components as they function in the real world.

The study, published in the IEEE Journal of Microwaves, involves researchers from Adelaide University in Australia, US technology company Virginia Diodes Inc, the Hasso Plattner Institute and the University of Potsdam, Germany.

Adelaide University Group Leader of the Terahertz Engineering Laboratory (TEL), Professor Withawat Withayachumnankul, said that semiconductors underpin almost every modern technology, from smartphones and medical devices to vehicles, power grids and defense systems.

"Yet once a chip is sealed inside its protective packaging, it becomes extremely difficult to tell what is happening inside it," Prof Withayachumnankul said.

"Most existing inspection methods require physical electrical probes, exposed chips, or devices to be powered down—making them impractical in many scenarios.

"This research is a first step towards a long-standing problem in electronics. We can now observe electrical activity inside a working semiconductor device from the outside, without damaging it or interrupting its operation."

Image generated by AI, demonstrating how the new technique using terahertz waves works. Credit: Adelaide University

The study demonstrates that terahertz waves can non-invasively detect changes in electric current inside common electronic components such as diodes and transistors.

The method is sensitive enough to pick up changes occurring in regions far smaller than the terahertz wavelength itself, something previously thought to be impractical due to fundamental noise limits.

To achieve this, the researchers developed an ultra-sensitive detection system using a specialized homodyne quadrature receiver, which can pick up very small changes in terahertz signals.

"This approach allows the system to cancel out background noise and isolate the faint signal produced by electrical activity inside the device," Prof Withayachumnankul said.

"The result is a real-time view of electronics at work, even when the active region is buried deep inside sealed packaging."

The researchers say that the signals they observed were caused by genuine electrical motion, not heat or electronic interference. The technique was shown to work across a range of commonly used semiconductor components, demonstrating its robustness and broad relevance.

The implications for society and industry are significant, Prof Withayachumnankul said.

"Because terahertz radiation is non-ionizing and safe, the technique also offers a safer alternative to inspection methods that rely on X-rays or invasive probing.

"This makes it particularly attractive for safety-critical applications, such as high-power electronics, where devices cannot easily be taken offline."

The work could also benefit the security and defense sectors.

"Being able to remotely and non-invasively assess electronic activity could help verify the integrity of critical hardware, detect malfunctioning or compromised components, and monitor systems where physical access is limited or undesirable," according to lead investigator Dr. Chitchanok Chuengsatiansup, Professor of Cybersecurity at the Hasso Plattner Institute and the University of Potsdam.

"This research opens the door to smarter, self-diagnosing electronics, new ways of monitoring complex integrated circuits, and faster development of next-generation chips."

Provided by University of Adelaide

Wednesday, March 18, 2026


TECH


Wearable thermoelectric technology uses thin films to generate electricity from body heat

Seoul National University College of Engineering has announced that a research team led by Prof. Jeonghun Kwak of the Department of Electrical and Computer Engineering, with co-first authors Dr. Juhyung Park and Dr. Sun Hong Kim, has developed a flexible and thin "pseudo-transverse thermoelectric generator" capable of producing electricity from body heat. The research findings appear in Science Advances.

Thermoelectric generators, which convert temperature differences into electricity, are attracting attention as a next-generation energy technology for wearable electronics because they can supply power without batteries. In particular, thin-film thermoelectric generators are lightweight and flexible, allowing them to be comfortably attached to skin or clothing.

However, this thin structure also presents a limitation. Thermoelectric generators require a temperature difference between hot and cold sides to generate electricity. When such a device is attached flat to the skin, body heat passes directly through the thin film and dissipates into the surrounding air—similar to heat passing through a sheet of paper. As a result, little to no temperature difference is formed across the device, making electricity generation difficult.

Previous studies have attempted to address this problem by bending the device or constructing three-dimensional, pillar-like structures. However, these methods increase thickness and volume, undermining the advantages of thin, flexible film-based devices.

(Left) In conventional thermoelectric generators, body heat escapes vertically through the thin substrate, preventing electricity generation within the device. (Right) The proposed pseudo-transverse thermoelectric generator employs a dual thermal conductivity substrate composed of two materials with different thermal conductivities, redirecting vertical heat flow into a horizontal direction to create a temperature difference and successfully generate electricity. Credit: Science Advances (2026).

Redirecting heat with dual substrates

To address this challenge, Prof. Kwak's team proposed a new approach that fundamentally redirects the flow of heat. They designed a "dual thermal conductivity substrate" by incorporating thermally conductive copper nanoparticles into only selected regions of a stretchable silicone (PDMS) substrate, creating areas with high and low thermal conductivity within a single substrate.

When thermoelectric semiconductors are placed at the boundary between these regions, heat from the skin does not escape vertically but instead flows laterally along the high-thermal-conductivity region. As a result, relatively warm and cool areas form on the substrate surface, creating a temperature difference that enables electricity generation even in a thin-film structure.

Through this approach, the study is the first to demonstrate that electricity can be generated even in thin films by maintaining a temperature difference through a new substrate structure that redirects heat flow. The research team named this technology a "pseudo-transverse thermoelectric generator," as it structurally mimics the conventional transverse thermoelectric effect.

Wearable power for future devices

The developed wearable thermoelectric generator can convert body heat into electricity even in a completely flat configuration, without requiring bending or structural deformation. It is fabricated using an ink-based printing process, ensuring high flexibility. Additionally, the device offers scalability, allowing its size and shape to be freely designed and scaled up easily, similar to assembling modular blocks.

These features are expected to allow the pseudo-transverse wearable thermoelectric generator to be widely used as a self-powered energy technology for various devices, including smart clothing, health monitoring sensors, and wearable electronics.

Prof. Kwak stated, "This study addresses the limitations of conventional thin wearable thermoelectric generators through a new structural approach that controls heat flow. Its significance lies particularly in presenting a new thermoelectric platform capable of generating a temperature difference while maintaining a fully planar structure.

"This technology has strong potential to be used as a power source for a wide range of wearable sensors and electronic devices that can be attached to the skin or clothing."

Provided by Seoul National University


DIGITAL LIFE


AI tools malware campaign detected targeting programmers

Kaspersky has identified a malware campaign targeting AI tools that uses sponsored ads on Google to distribute infostealers disguised as Claude Code, OpenClaw, and Doubao. The attackers accurately mimic the official documentation of these tools, inducing programmers to execute installation commands that compromise their systems. Once infected, devices are exposed to the theft of credentials, source code of active projects, browser sessions, and cryptocurrency wallet data.

The central mechanism of this campaign distinguishes it from email phishing or supply chain attacks. When searching for "Claude Code download," sponsored ads appear at the top of the results, redirecting to fraudulent pages hosted on Squarespace. These pages are visually identical to the official documentation and copy the installation instructions verbatim, making manual detection virtually impossible for a user without prior suspicions.

The user copies the commands and executes them. At this point, instead of installing the development tool, the commands install malware on the user's system.

According to Kaspersky, the malware installed varies depending on the victim's operating system:

-Windows: Amatera. Targeted data: user directories, browsers, cryptocurrency wallets.

-macOS: AMOS. Targeted data: browser data, wallets, confidential files.

Amatera operates according to a Malware-as-a-Service (MaaS) model, which means that the infrastructure is available to multiple criminal groups, not just the original perpetrators. AMOS, on the other hand, is an infostealer with a documented history of previous campaigns targeting Apple devices, described by Kaspersky itself in previous reports.

Claude Code and OpenClaw: high-value targets

The choice of imitated tools is not random. Claude Code is a development agent created by Anthropic, with increasing adoption in software engineering teams globally. OpenClaw, in turn, is an open-source tool that has accumulated more than 190,000 stars on GitHub and is among the most sought after by programmers in 2026. The popularity of these platforms makes them prime targets for imitation: the more users search for installation instructions, the greater the likelihood of clicking on a fraudulent ad.

Kaspersky also identified similar campaigns imitating Doubao, a ByteDance tool with a presence mainly in the Asian market. Its relevance to the European context is not justified in the statement.

A pattern that is not new

This is not the first campaign to exploit users' interest in AI tools. In December 2025, Kaspersky documented a similar attack in which attackers distributed an infostealer for macOS through Google Ads. A chat interface mimicked a ChatGPT tutorial and guided users to install the Atlas Browser, with the instructions hosted on a website that simulated the presence of OpenAI. The pattern is the same: exploiting the trust that programmers place in sponsored search results.

What the press release doesn't say

Kaspersky does not present verifiable technical indicators of compromise, such as malicious domains, file hashes, or command and control server addresses. Without this data, security teams lack a concrete basis for implementing preventative blocks. The press release also does not quantify the number of identified victims or the affected countries, preventing an objective assessment of the campaign's true scale.

How to reduce the risk

Kaspersky presents four recommendations for programmers and IT teams:

Always verify that download links point to the official websites of the projects.

Review any command-line instructions before executing them, especially when copied from external sources.

Do not follow installation guides that have not been specifically requested or that are not fully understood.

Use endpoint security solutions with the ability to detect infostealers and malicious downloads.

A sophisticated, ongoing malware campaign active as of March 2026 is actively targeting software developers and programmers by impersonating popular AI coding tools and, in a separate campaign, through fake, highly convincing job interviews. The primary goal of these campaigns is to steal sensitive data, including credentials, browser-stored passwords, cryptocurrency wallets, and internal company code.

Key aspects of the AI tool malware campaign:

Targets & method: Attackers are targeting developers searching for tools like Claude Code, OpenClaw, and others. They use Google Search ads to display fake, malicious, top-ranked websites that mimic official sites.

Malware distribution (Claude Fraud): This campaign, often called "Claude Fraud," has two main vectors:

macOS (MacSync Infostealer): Fake landing pages use a "ClickFix" terminal command technique to persuade users to execute malicious code.

Windows (Trojanized Extension): A malicious VS Code extension masquerades as an official Claude Code plugin, executing PowerShell silently to bypass Defender and download additional payloads.

Impact: Over 15,600 victims have been documented, and the attackers are actively adapting by using new domains (e.g., Squarespace-hosted pages) when their sites are taken down.

"Contagious Interview" Campaign (Job-Themed Attack)

Vector: Attackers conduct fake, detailed technical interviews with software developers at reputable firms.

Method: Victims are convinced to download "assignments" or "coding tools" that actually contain malware.

Target: Developers at large enterprise solution providers and media firms are being targeted, with the goal of infiltrating corporate networks.

Recommendations for protection:

Verify downloads: Only download AI tools from official, verified vendors.

Beware of sponsored ads: Avoid clicking on "Sponsored" search results for popular tools; use direct URLs.

Inspect commands: Carefully review any command-line instructions (especially copy-pasted curl or chmod commands) from websites before running them.

Check VS Code extensions: Verify the publisher of any VS Code extension before installation.

Monitor for IoCs: Check for unusual osascript activity on macOS or unexpected powershell.exe execution from Code.exe on Windows.
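The two process-level indicators named in the last recommendation (powershell.exe spawned by Code.exe on Windows, osascript launched from an interactive shell on macOS) can be turned into a simple detection over process-creation telemetry. The following is an added example, not code from Kaspersky, Microsoft or the original post; the event field names (`image`, `parent_image`, `cmdline`, `os`, `host`) and all sample events are constructed for illustration and mirror no real IoC.

```python
"""Toy detection for the process-creation indicators described above.
Event schema and sample telemetry are constructed for this example;
they do not come from any vendor report."""
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed JSON-lines telemetry (raw string: backslashes are JSON-escaped).
SAMPLE_EVENTS = r"""
{"host": "win-dev-01", "os": "windows", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "cmdline": "powershell.exe -w hidden -ep bypass -enc QUJD"}
{"host": "win-dev-01", "os": "windows", "image": "C:\\Program Files\\nodejs\\node.exe", "parent_image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "cmdline": "node.exe server.js"}
{"host": "win-dev-02", "os": "windows", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe"}
{"host": "mac-dev-01", "os": "macos", "image": "/usr/bin/osascript", "parent_image": "/bin/zsh", "cmdline": "osascript -e <constructed AppleScript>"}
{"host": "mac-dev-02", "os": "macos", "image": "/usr/bin/osascript", "parent_image": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "cmdline": "osascript demo.scpt"}
"""

# PowerShell switches that raise severity when seen together with the
# Code.exe parent: hidden window, execution-policy bypass, encoded command.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                       "-windowstyle hidden", "-ep bypass",
                       "-executionpolicy bypass")

INTERACTIVE_SHELLS = {"bash", "zsh", "sh"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting '\\' or '/' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding dict if the event matches one of the two rules."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("cmdline", "")

    # Rule 1: VS Code (Code.exe) should not normally spawn PowerShell directly.
    if event.get("os") == "windows" and image == "powershell.exe" and parent == "code.exe":
        lowered = cmdline.lower()
        severity = "high" if any(f in lowered for f in SUSPICIOUS_PS_FLAGS) else "medium"
        return {"host": event.get("host", "?"), "rule": "powershell_from_vscode",
                "severity": severity, "cmdline": cmdline}

    # Rule 2: osascript launched from a shell is typical of a pasted
    # "ClickFix"-style terminal command rather than a GUI automation workflow.
    if event.get("os") == "macos" and image == "osascript" and parent in INTERACTIVE_SHELLS:
        return {"host": event.get("host", "?"), "rule": "osascript_from_shell",
                "severity": "medium", "cmdline": cmdline}

    return None


def detect(lines: Iterable[str]) -> List[Dict]:
    """Run both rules over JSON-lines telemetry; malformed lines are skipped."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


def run_sample() -> List[Dict]:
    """Apply the rules to the constructed sample; returns 2 findings."""
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(json.dumps(f))
```

The parent/child pairing is the signal; a plain `powershell.exe` event (third sample line) or VS Code spawning `node.exe` (second) is left alone, which keeps the rule usable on a developer workstation.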

These campaigns are part of a broader trend of "malvertising" and social engineering that leverages the high demand for AI tools among developers to bypass traditional security measures.

https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/

mundophone
