Weekly Roundup: Interpol's Operation Ramz, macOS 'Reaper' Stealer, and Microsoft Defender Zero-Days
This week's cybersecurity landscape features Interpol's Operation Ramz arrests, a new macOS infostealer variant, and two actively exploited Microsoft Defender zero-days.

Interpol's Operation Ramz has resulted in the arrest of over 200 individuals and the seizure of 53 servers across 13 countries, dismantling infrastructure used for malware distribution, phishing, and online fraud. The operation, which targeted cybercrime networks in the Middle East and North Africa, identified at least 3,867 victims. Highlights include the takedown of an investment scam in Jordan and a phishing-as-a-service platform in Algeria. Ukrainian cyberpolice, working with U.S. law enforcement, also identified a suspect in Odesa who allegedly stole 28,000 customer accounts from a California online store using infostealer malware, making $721,000 in unauthorized purchases. Europol additionally took down 'First VPN,' a service used by ransomware operators, seizing 33 servers and identifying 506 users.
SentinelOne researchers have discovered a new macOS infostealer variant called 'Reaper,' part of the SHub Stealer family. The malware uses fake WeChat and Miro installers hosted on typosquatted domains to lure victims. It employs extensive anti-analysis techniques, including blocking developer tools and fingerprinting visitors. To bypass Apple's macOS Tahoe mitigations, Reaper leverages the applescript:// URL scheme to launch the Script Editor, avoiding traditional Terminal-based social engineering. Once executed, it prompts for the user's password to access Keychain items and decrypt credentials. Reaper harvests browser data, password manager extensions, iCloud account details, and introduces an AMOS-style Filegrabber module targeting business and financial documents. It also hijacks desktop cryptocurrency applications by replacing legitimate files. The malware establishes persistence by installing a backdoor, and it clears quarantine attributes and applies ad hoc code signing to bypass Gatekeeper.
Two Microsoft Defender zero-days are being actively exploited. CVE-2026-41091 (CVSS 7.8) is a privilege escalation vulnerability in the Microsoft Malware Protection Engine versions 1.1.26030.3008 and earlier, allowing attackers to gain SYSTEM privileges. CVE-2026-45498 (CVSS 7.5) impacts the Microsoft Defender Antimalware Platform versions 4.18.26030.3011 and earlier, enabling denial-of-service conditions. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch. Microsoft has released emergency patches to address these flaws.
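As an added example (not from the article or from Microsoft), the following PowerShell check compares a host's Defender engine and platform versions with the affected ranges named above; it assumes the Defender module (Get-MpComputerStatus, Update-MpSignature) is present on the host and that the script runs elevated.

```powershell
# Added example, not from the original article.
# Compares the local Defender engine and platform versions with the
# affected ranges quoted for CVE-2026-41091 and CVE-2026-45498.
$affectedEngine   = [version]'1.1.26030.3008'   # CVE-2026-41091: this version and earlier
$affectedPlatform = [version]'4.18.26030.3011'  # CVE-2026-45498: this version and earlier

function Test-DefenderAffected {
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # Malware Protection Engine
    $platform = [version]$status.AMProductVersion   # Antimalware Platform

    $findings = @()
    if ($engine -le $affectedEngine) {
        $findings += "Engine $engine is within the CVE-2026-41091 range (<= $affectedEngine)"
    }
    if ($platform -le $affectedPlatform) {
        $findings += "Platform $platform is within the CVE-2026-45498 range (<= $affectedPlatform)"
    }

    [pscustomobject]@{
        Engine   = $engine
        Platform = $platform
        Affected = ($findings.Count -gt 0)
        Findings = $findings
    }
}

$result = Test-DefenderAffected
if (-not $result.Affected) {
    Write-Output "OK: engine $($result.Engine), platform $($result.Platform) are above the affected ranges"
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
    # Pull the latest definitions and engine; platform updates arrive via Windows Update,
    # so re-run the check after the host has applied the emergency update.
    Update-MpSignature
}
```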
This week's events highlight the ongoing battle against cybercrime, with law enforcement making significant arrests and takedowns. The emergence of sophisticated macOS malware like Reaper underscores the need for vigilance on all platforms. Meanwhile, the active exploitation of Microsoft Defender vulnerabilities serves as a reminder that even security software can be a target. Organizations are urged to apply patches promptly and remain alert to evolving threats.