Shamos macOS Infostealer: Malvertising Lures, BYOD Gaps, and Sector Expansion
Shamos, a new Atomic macOS Stealer (AMOS) variant attributed to COOKIE SPIDER, is targeting U.S. tech and education sectors via malvertising and fake support sites.
Read more
![[DEEP RESEARCH] Verified for Hire: How Fox Tempest Turned Code Signing Into a Criminal Utility](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/zzz.png)
[DEEP RESEARCH] Verified for Hire: How Fox Tempest Turned Code Signing Into a Criminal Utility
The certificate was real. The identity behind it was fraudulent—and the signing pipeline was rented to other criminals.
![[FORECAST] The VPN You Retired on Paper Is Still Selling Access](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/zz-3.png)
[FORECAST] The VPN You Retired on Paper Is Still Selling Access
A forecast for when legacy VPN compatibility debt becomes ransomware access — and what to verify before certainty arrives.
![[SIGNALS WEEKLY] Converging on Exposed Management Planes](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/z-2.png)
[SIGNALS WEEKLY] Converging on Exposed Management Planes
The management plane blinked. Everyone treated it like plumbing until the attacker used it like a front door. PeopleSoft PSEMHUB, REDCap, VPN gear, SD-WAN managers, logging sidecars — different products, same pattern. The exposed control layer keeps turning into the incident path.
![[DEEP RESEARCH] The bad IP was never the Actor.](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/zz-2.png)
[DEEP RESEARCH] The bad IP was never the Actor.
A bad IP can be accurate and still tell the wrong story.