thepinknews.com
Jan 06
Written by Sophie Perry
The website belonging to the Free Speech Union (FSU) is down after a trans activism group BASH BACK hacked it and exposed its list of donors.
The Free Speech Union's website is current unavailable (PinkNews)
The website belonging to the Free Speech Union (FSU) is down after trans activism group BASH BACK hacked it and exposed its list of alleged donors.
The group, which vandalised offices belonging to the Equality and Human Rights Commission (EHRC) in London in October, published a list of names of people who have allegedly donated to the FSU’s various campaigns.
Shortly after publication of PinkNews’ article, the BASH BACK website also went down, with a 404 error page visible instead.
The freedom of speech organisation, founded by Conservative peer and journalist Toby Young, was said – according to GB News – to be undertaking an “independent security briefing” into BASH BACK, inspired by an article in the Daily Mail which detailed future BASH BACK targets, including the offices of health secretary Wes Streeting and prime minister Keir Starmer.
At the time of that article’s publication, BASH BACK stated the information about its targets was publicly available information.
“The Free Speech Union commissioned a ‘security’ report on us,” BASH BACK wrote on BlueSky on Monday (5 January), “so we tested their security. Turns out – it sucks.”
By Monday evening the FSU’s website was unavailable and stated “maintenance mode is on” but by Tuesday morning a 404 error code appears when attempting to access it.
PinkNews will not publish any of the names listed in the hacked list, and is also unable to verify its content.
A spokesperson for BASH BACK described the FSU in a statement as an “organisation for defending bigots”.
“Instead of fighting for the free speech of pro-Palestine activists, such as the prisoners currently on hunger strike, they move heaven and earth to defend every sexist, racist, and transphobe that crosses their path,” they wrote.
“The FSU has said nothing about the police banning the use of common Arabic phrases, the abuse of activists in prison, or the censorship imposed on the public around Britain’s involvement in genocide.
“Instead, their focus is on defending those who preach hatred. The public deserves to know who is funding the FSU’s activities, and we are glad to be able to reveal it.”
They went on to state the FSU “purports to be an advocacy group for freedom of expression” but instead “represent a security fund for attention-seeking reactionaries backed by the ultra-wealthy”.
“They use their funders’ deep pockets to repress ordinary people and impose a two-tier justice system where wealthy transphobes and racists can preach hate whilst those who oppose genocide are imprisoned and abused, or otherwise subject to police violence,” the spokesperson continued.
“In a time where free speech is under attack, not by ‘wokism’ or minorities, but by an increasingly authoritarian state, the so-called ‘Free Speech Union’ sets its sights instead on protecting powerful bigots from the consequences of their public tantrums.”
9to5mac.com
Arin Waichulis
| Jan 9 2026 - 7:19 am PT
Mosyle, a popular Apple device management and security firm, has exclusively shared details with 9to5Mac on a previously unknown macOS malware campaign. While crypto miners on macOS aren’t anything new, the discovery appears to be the first Mac malware sample uncovered in the wild that contains code from generative AI models—officially confirming what was inevitable.
At the time of discovery, Mosyle’s security research team says the threat was undetected by all major antivirus engines. This comes nearly a year after Moonlock Lab warned about chatter on dark web forums indicating how large language models were being used to write malware targeting macOS.
The campaign, which Mosyle is calling SimpleStealth, is spreading through a convincing fake website impersonating the popular AI app, Grok. The threat actors are using a look-alike domain to trick users into downloading a malicious macOS installer. When launched, victims are presented with what appears to be a full-functioning Grok app that looks and behaves like the real thing. This is a common technique used to keep the application front and center while malicious activity quietly runs in the background, allowing the malware to operate longer without being noticed.
According to Mosyle, SimpleStealth is designed to bypass macOS security safeguards during its first execution. The app prompts the user for their system password under the guise of completing a simple setup task. This allows the malware to remove Apple’s quarantine protections and prepare its true payload. From the user’s perspective, everything appears normal as the app continues to display familiar AI-related content that the real Grok app would.
Behind the scenes, however, the malware deploys the stealthy Monero (XMR) crypto miner that boasts having “quicker payouts” and being “confidential and untraceable” on its website. To stay hidden, the mining activity only starts when the Mac has been idle for at least a minute and stops immediately when the user moves the mouse or types. The miner further disguises itself by mimicking common system processes like kernel_task and launchd, making it far harder for users to spot abnormal behavior.
In evidence seen by 9to5Mac, the use of AI is found throughout the malware’s code, which features unusually long-winded comments, a mix of English and Brazilian Portuguese, and repetitive logic patterns that are characteristic of AI-generated scripts.
Overall, this situation is alarming for several reasons. Primarily because AI is lowering the barrier to entry for attackers faster than concerns around ‘malware-as-a-service’ could ever. Virtually anyone with internet access can now craft samples like SimpleStealth, significantly accelerating the pace at which new threats can be created and deployed.
The best way to stay safe is to avoid downloading anything from third-party sites. Always source your apps directly from the Mac App Store or directly from developer websites you trust.
Indicators of Compromise
Below you can find the Indictors of Compromise (IoCs) of the SimpleStealth sample for your own research or to improve detection at your organization. Exercise caution around visiting any observed domains.
Malware family: SimpleStealth
Distribution name: Grok.dmg
Target platform: macOS
Observed domain: xaillc[.]com
