Ramin Nafisi

Join MSTIC‑MIRAGE, MSTIC’s global team of elite malware intelligence, reverse engineering, and security research specialists. Work alongside a world-class team of REs and TI analysts to uncover, analyze, research, track, and disrupt some of the world’s most advanced and consequential cyber threats (US-based candidates with senior-level+ RE experience): https://t.co/Gf9Hykej7U

New blog post: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack. https://t.co/I05I2pYgMi In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.

Microsoft Incident Response – Detection and Response Team (DART) uncovered SesameOp, a new backdoor that uses the OpenAI Assistants API for C2. DART shared the findings with OpenAI, who identified and disabled an API key and associated account. https://t.co/HlSydzE7Xv SesameOp uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then decrypts and executes locally. Once the tasks are completed, it sends the results back to OpenAI as a message. To stay under the radar, the backdoor uses compression and encryption. Microsoft and OpenAI jointly investigated the threat actor’s use of the OpenAI Assistants API. This threat does not represent a vulnerability or misconfiguration, but a way to misuse built-in capabilities of the OpenAI Assistants API, which is being deprecated in August 2026. Microsoft and OpenAI continue to collaborate to better understand and disrupt how threat actors attempt to misuse emerging technologies.

Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. https://t.co/EiRNH37RFI This new XCSSET variant improves browser targeting, clipboard hijacking, and persistence mechanisms. It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealth, and expands data exfiltration capabilities. We shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET. This publication reflects our broader commitment to disrupting attacks and dismantling attacker operations. Alongside our findings, we are sharing actionable detections, recommendations, and best practices to help organizations defend against this threat with confidence.