ALERTS 2025 APRIL

DATE | NAME | CATEGORY | SUBCATEGORY | INFO

29.4.25 | CVE-2025-3928 - Commvault Web Server vulnerability | ALERTS | VULNERABILITY | CVE-2025-3928 is a recently disclosed unspecified vulnerability affecting Commvault Web Server. If successfully exploited, the flaw could enable remote, authenticated attackers to gain unauthorized access to the vulnerable systems and allow them to deploy and execute arbitrary webshells.

29.4.25 | ELENOR-corp - a new Mimic ransomware variant | ALERTS | RANSOM | ELENOR-corp is a new ransomware variant from the Mimic malware family, recently identified in the wild and reported to be targeting the healthcare sector. The attackers have also been leveraging a persistent Clipper malware as well as a Python-based infostealer during the activities preceding the ransomware payload deployment.

29.4.25 | Multi-Stage malware campaign targeting South Korean entities linked to Konni APT | ALERTS | APT | A sophisticated multi-stage malware campaign potentially linked to the North Korean Konni APT group has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut which executes an obfuscated PowerShell script designed to download and run additional malicious payloads.

29.4.25 | RevolverRAT targeting users with malicious emails | ALERTS | VIRUS | RevolverRAT, a newly disclosed Remote Access Trojan, is initially spread via targeted emails in the recipient's native language claiming to be a copyright claim that needs to be addressed. The emails request that users click a link, which results in the installation of software vulnerable to DLL side-loading attacks.

29.4.25 | DslogdRAT malware distribution | ALERTS | VIRUS | A recent campaign spreading DslogdRAT malware has been targeting organizations in Japan, as reported by JPCERT. The attackers have been exploiting a vulnerability in Ivanti Connect Secure (CVE-2025-0282) to deliver the malicious payloads. DslogdRAT has the functionality to execute arbitrary commands received from the C2 servers (according to the hardcoded configuration data).

29.4.25 | Spoofed Driver and Vehicle Licensing Agency (DVLA) email notifications appear in phish runs | ALERTS | PHISHING | The Driver and Vehicle Licensing Agency (DVLA) is the British government organization responsible for maintaining records of drivers in Great Britain and of vehicles for the entire United Kingdom. Recently, Symantec has observed phishing attempts mimicking DVLA, enticing users to open fake notification emails.

29.4.25 | China-linked threat actors exploit NFC Tech | ALERTS | EXPLOIT | China-linked threat actors are exploiting NFC technologies for fraudulent activities targeting financial institutions worldwide, causing significant losses. Sophisticated tools like Z-NFC and King NFC are used to facilitate illegal transactions. These tools leverage Near Field Communication (NFC) technology, which is essential for contactless payments and applications relying on Host Card Emulation (HCE).

29.4.25 | AsyncRAT malware campaign using Cloudflare Tunnels | ALERTS | VIRUS | A malware campaign using Cloudflare tunnels to deploy AsyncRAT has been reported. The attack vector starts with a phishing email containing a malicious .ms-library file which, when opened, downloads a PDF shortcut (LNK file) that triggers a series of scripts.

29.4.25 | Ammyy Admin and PetitPotato deployed in targeted MS-SQL Server attacks | ALERTS | VIRUS | An emerging threat campaign targeting poorly managed MS-SQL servers has been observed, aiming to deploy Ammyy Admin and PetitPotato malware for remote access and privilege escalation. The attackers exploit vulnerable servers, execute commands to gather system information and use WGet to install the malware. They also enable RDP services and add new user accounts to maintain persistent access.

29.4.25 | Phishing campaign targets Norinchukin Bank users with fake login pages | ALERTS | CAMPAIGN | Norinchukin (Nochu) Bank, founded in 1923, is a Japanese cooperative bank that supports the agricultural sector. It serves as the national institution for JA Bank, a group of agricultural cooperatives. Recently, Symantec detected a phishing campaign targeting the bank's online banking services.

24.4.25 | PE32 Ransomware | ALERTS | RANSOM | PE32 ransomware is a newly discovered malware strain that leverages Telegram for C2 operations. It employs a dual-extortion model, charging separate fees for file decryption and data non-disclosure. Despite its messy and simplistic code, which uses basic Windows libraries, it poses a significant threat to systems with weak security hygiene.

24.4.25 | Proton66 Infrastructure tied to expanding malware campaigns and C2 operations | ALERTS | VIRUS | Proton66 has emerged as a central hub for malicious cyber activity, hosting infrastructure used in C2 operations and phishing campaigns involving malware like GootLoader, SpyNote and XWorm.

24.4.25 | ToyMaker IAB paves way for Cactus ransomware | ALERTS | RANSOM | Initial Access Brokers are oftentimes the first step in a successful campaign for a threat actor. The access brokers work their way into an environment, collect relevant data, and then sell that information to a threat actor for further compromise.

24.4.25 | Weaponized Alpine Quest App used to spy on Russian military via Telegram Bot | ALERTS | BOTNET | A modified version of the popular Android navigation app Alpine Quest has been found carrying spyware targeting Russian military personnel. The spyware, bundled within the app, collects sensitive information like phone numbers, account details, contacts and geolocation.

24.4.25 | A recent FormBook distribution campaign observed in the wild | ALERTS | CAMPAIGN | A new FormBook distribution campaign has been reported by researchers from Fortinet. The attackers leverage malicious Word documents containing an exploit for CVE-2017-11882, an older vulnerability affecting the Equation Editor component in Microsoft Office.

24.4.25 | Billbug APT continues campaigns in Southeast Asia | ALERTS | APT | The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025.

24.4.25 | RustoBot botnet activity | ALERTS | BOTNET | RustoBot is a new Rust-based botnet variant distributed via exploitation of vulnerabilities in unpatched TOTOLINK devices.

22.4.25 | Ransomware group Interlock enhances tactics with ClickFix and Infostealers | ALERTS | RANSOM | Reports indicate that the ransomware group Interlock has advanced its attack methods by incorporating ClickFix social engineering techniques alongside infostealers.

22.4.25 | Gunra Ransomware | ALERTS | RANSOM | Another ransomware actor operating under the name Gunra has recently surfaced, allegedly claiming several victims in the healthcare, electronics, and beverage manufacturing sectors, as listed on their onion website. In recent activity, the ransomware they deploy appends a .encrt extension to encrypted files and drops a ransom note named r3adm3.txt in multiple directories.

22.4.25 | SuperCard X Android malware | ALERTS | VIRUS | A new Android malware campaign, identified as a malware-as-a-service called SuperCard X, has been observed targeting users in Italy. Delivered via socially engineered smishing and phone calls, the intent of the campaign is financial theft.

22.4.25 | PasivRobber - Spyware targeting macOS platform | ALERTS | VIRUS | PasivRobber is a new malware variant targeting the macOS platform that has been recently identified in the wild. Its main function is to exfiltrate miscellaneous data from macOS systems, including information from third-party apps, web browsers, emails, cookies, chat messages (WeChat and QQ), screenshots, etc.

18.4.25 | PteroLNK malware | ALERTS | VIRUS | PteroLNK is a new Pterodo malware variant recently distributed in the wild and attributed to the Shuckworm APT (aka Gamaredon). The malware comes in the form of an obfuscated VBScript with downloader and LNK dropper components.

18.4.25 | A recent campaign attributed to the Fritillary APT group | ALERTS | APT | A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to recent research by Check Point, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor.

18.4.25 | New fileless malware campaign drops XWorm & Rhadamanthys | ALERTS | VIRUS | A new malware campaign has been observed using JScript and obfuscated PowerShell commands to deploy highly evasive malware variants such as XWorm and Rhadamanthys. The campaign targets Windows systems, employing scheduled tasks or deceptive ClickFix CAPTCHA screens to trick users into executing malicious payloads.

18.4.25 | DragonForce Ransomware's Campaign Intensifies in 2025 | ALERTS | RANSOM | In 2024, DragonForce ransomware actors were highly active, claiming around 93 victims on their leak website, with likely more that were not disclosed. We're still in early 2025, and the group has already "allegedly" claimed over 40 organizations as potential victims across multiple countries and sectors.

18.4.25 | Multi-stage attacks delivering Agent Tesla variants | ALERTS | VIRUS | Malspam email campaigns are the rule rather than the exception these days. Delivering multi-stage attacks through malicious attachments is the norm. Researchers at Palo Alto Networks have published a report sharing details about such campaigns using variants of Agent Tesla as the final payload.

18.4.25 | Malicious VSCode extensions infecting users with cryptominer | ALERTS | CRYPTOCURRENCY | A set of VSCode extensions posing as legitimate development tools has been observed infecting users with the XMRig cryptominer for Monero in a new cryptojacking campaign.

18.4.25 | DOGE BIG BALLS Ransomware | ALERTS | RANSOM | A new ransomware campaign has been reported exploiting the name of a prominent figure within the Department of Government Efficiency (DOGE) to trick victims. The attack delivers a modified variant of Fog ransomware dubbed "DOGE BIG BALLS Ransomware."

18.4.25 | Linux based BPFDoor observed in Asia and Middle East | ALERTS | VIRUS | BPFDoor is a Linux-based backdoor that has been observed in attacks against various industries in Asia and the Middle East. Named for its use of Berkeley Packet Filtering, the malware implements a filter that activates functionality based on specific sequences found during network packet inspection.

18.4.25 | CVE-2025-30208 - Vite Arbitrary File Read vulnerability | ALERTS | VULNERABILITY | CVE-2025-30208 is a recently disclosed Arbitrary File Read vulnerability affecting Vite, which is a frontend build and development tool for web applications.

15.4.25 | SpyNote Campaign Masquerades as a MissAV mobile app | ALERTS | CAMPAIGN | Porn remains one of the most effective social engineering vectors due to high curiosity-driven engagement, the stigma that discourages victims from reporting, and the ease with which it can be weaponized through mobile-based attacks such as fake APKs.

15.4.25 | Turkish Employment Agency Impersonated in a Snake Keylogger campaign | ALERTS | CAMPAIGN | Symantec has recently observed a Snake Keylogger campaign targeting organizations in Turkey, including those in the Aerospace & Defense and Financial Services sectors.

15.4.25 | ZeroTrace Stealer | ALERTS | VIRUS | ZeroTrace Stealer is a new infostealing malware that recently emerged on the threat landscape. The malware builder has been distributed via various underground forums and file-sharing platforms while advertised as being created for educational and research purposes only.

15.4.25 | Pulsar RAT malware | ALERTS | VIRUS | Pulsar is a new remote access trojan (RAT) variant recently identified in the wild. This C#-based malware is based on the Quasar RAT strain and has miscellaneous functionality including keylogging, cryptocurrency wallet clipping, infostealing, file management, remote shell and command execution, among others.

15.4.25 | PelDox Ransomware | ALERTS | RANSOM | Unlike typical ransomware, PelDox does not inform victims about the encryption of their files or demand payment for decryption. After encrypting the files and appending the ".lczx" extension, the ransomware displays a full-screen message.

15.4.25 | HijackLoader new modular enhancements for stealth and evasion | ALERTS | VIRUS | HijackLoader (also known as GHOSTPULSE or IDAT Loader) is a malware loader capable of delivering second-stage payloads and offers a variety of modules mainly used for configuration information, evasion of security software, and injection/execution of code.

12.4.25 | NanoCrypt Ransomware | ALERTS | RANSOM | NanoCrypt is another "run-of-the-mill" ransomware variant discovered in the wild. The malware encrypts user data and appends .ncrypt to the name of locked files. The ransom note, dropped in the form of a text file called README.txt, indicates that this malware has been created "for fun" and is not intended for any harmful activity.

12.4.25 | Chaos Ransomware Variant Targets IT Staff via Fake Security Tool | ALERTS | RANSOM | Chaos ransomware variants continue to emerge, mostly used by actors targeting individual machines through drive-by-download social engineering. These attacks typically demand a smaller ransom compared to double-extortion ransomware actors who target larger organizations through more complex attack chains.

12.4.25 | New Amethyst Stealer variant distributed by Sapphire Werewolf group | ALERTS | VIRUS | Distribution of a new and updated Amethyst Stealer variant has been observed in the wild. The campaign is attributed to the threat actor known as Sapphire Werewolf.

12.4.25 | CVE-2025-31161 - CrushFTP authentication bypass vulnerability exploited in the wild | ALERTS | VULNERABILITY | CVE-2025-31161 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting the CrushFTP file transfer solution. If successfully exploited, the flaw could grant unauthenticated attackers admin-level access to the underlying server via crafted HTTP requests.

12.4.25 | Neptune RAT | ALERTS | VIRUS | Neptune RAT is a highly modular, multi-functional remote access Trojan. The malware contains numerous DLL plugins which provide functionality. Available features include, but are not limited to, the following:

12.4.25 | Salary Adjustment PDF Lure Redirects to AWS-Hosted Outlook Credential Phish | ALERTS | PHISHING | Symantec has observed a new phishing campaign in which threat actors are leveraging PDFs to redirect users to a phishing page hosted on AWS S3.

12.4.25 | CVE-2025-1094 - PostgreSQL SQL injection vulnerability | ALERTS | VULNERABILITY | CVE-2025-1094 is a recently disclosed high severity (CVSS score 8.1) SQL injection vulnerability affecting PostgreSQL, which is an open-source relational database management system (RDBMS). If successfully exploited, the flaw might lead to remote code execution due to improperly sanitized SQL inputs.

9.4.25 | GiftedCrook infostealer deployed in UAC-0226 campaign | ALERTS | VIRUS | According to a recent security alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of targeted attacks against various military and governmental entities in Ukraine has been detected. The campaign, dubbed UAC-0226, distributes phishing emails containing .xlsm attachments with malicious macros.

9.4.25 | CVE-2025-29927 - Next.js middleware authorization bypass vulnerability | ALERTS | VULNERABILITY | CVE-2025-29927 is a recently disclosed vulnerability (CVSS score 9.1) affecting Next.js, which is an open-source JavaScript web development framework. If successfully exploited, the flaw might allow attackers to bypass authorization via specially crafted HTTP requests, potentially leading to protected content exposure.

9.4.25 | This Vidar stealer is not your Sysinternals tool | ALERTS | VIRUS | Vidar is an information stealing malware that has been active since 2018. It is a Malware-as-a-Service offering which has been used by attackers to steal sensitive data, such as credentials stored in browsers, applications, and cloud storage services.

9.4.25 | EncryptHub attackers leverage MSC files for payload delivery | ALERTS | VIRUS | A recent campaign attributed to the EncryptHub (Water Gamayun) group has seen the threat actors leverage a Microsoft Management Console vulnerability (tracked as CVE-2025-26633) via MSC files for malicious payload execution.

9.4.25 | HollowQuill campaign luring users with disguised malicious PDFs | ALERTS | CAMPAIGN | The HollowQuill campaign has been targeting academic institutions and government agencies worldwide through weaponized PDF documents. The attack employs social engineering tactics, disguising malicious PDFs as research papers, grant applications, decoy research invitations, or government communiques to entice unsuspecting users.

9.4.25 | Springtail APT group targets South Korean government entities | ALERTS | APT | The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments.

9.4.25 | From Phishing to LINE Scams: Rakuten Securities users at risk | ALERTS | PHISHING | Over the past few weeks, a phishing actor has been launching campaign after campaign targeting Rakuten Securities users in an attempt to steal their credentials.

9.4.25 | ModiLoader deployed via .SCR in Taiwanese Freight Impersonation | ALERTS | VIRUS | Malware actors have been abusing the Windows screensaver file format (.scr) for some time now. While such files might appear harmless, they are essentially executable programs with a different file extension.

4.4.25 | CVE-2024-54085 - AMI MegaRAC BMC authentication bypass vulnerability | ALERTS | VULNERABILITY | CVE-2024-54085 is a critical (CVSS score 10.0) authentication bypass vulnerability affecting AMI MegaRAC Baseboard Management Controller (BMC), which is a remote server management platform. If successfully exploited, the flaw might allow remote unauthenticated attackers to access the remote management interface (Redfish) and further lead to more severe compromise of the vulnerable server.

4.4.25 | Lockbit 4.0 ransomware | ALERTS | RANSOM | Lockbit 4.0 is the most recent iteration of the infamous ransomware attributed to the threat actor called Syrphid. The ransomware is operated based on a Ransomware-as-a-Service (RaaS) model, with various affiliates carrying out the attacks and often employing different tactics, techniques, and procedures (TTPs).

4.4.25 | RolandSkimmer campaign | ALERTS | CAMPAIGN | A new credit card skimming campaign dubbed RolandSkimmer has been reported by researchers from Fortinet. The attack starts with .zip archives containing malicious .lnk files being delivered to the intended victims.

4.4.25 | CVE-2024-4577 makes a return in recent malware campaigns | ALERTS | VULNERABILITY | A high severity CVE (CVSS: 9.8), CVE-2024-4577, has recently been disclosed to be in use in an active malware campaign targeting companies within the APJ region.

4.4.25 | Latest Gootloader variant spread via malvertisements | ALERTS | VIRUS | The latest Gootloader variant has been observed abusing the Google Ads platform for distribution. The malware has been leveraging malvertisements directed at users searching for various legal templates such as NDA agreements.

4.4.25 | CrazyHunter - a new Prince ransomware variant | ALERTS | RANSOM | CrazyHunter is a new Go-based ransomware variant based on the open-source Prince encryptor malware family. The malware encrypts user data and drops a ransom note in the form of a text file called "Decryption Instructions.txt". This note is written in an identical format to the one observed in older Prince ransomware variant deployments.

3.4.25 | New phishing campaign targets Monex Securities users | ALERTS | PHISHING | Lately, Symantec has observed phish runs targeting users of Monex Securities (マネックス証券), one of Japan's leading online securities companies, formed through the merger of Monex, Inc. and Nikko Beans, Inc. The company offers individual investors a range of financial services.

3.4.25 | DarkCloud Stealer via TAR archives in Multi-Sector Spanish Campaign | ALERTS | VIRUS | A company in Spain that specializes in mountain and skiing equipment is being spoofed in an email campaign. The actors behind this attack are targeting Spanish companies and local offices of international organizations.

3.4.25 | CVE-2024-20439 - Cisco Smart Licensing Utility static credential vulnerability | ALERTS | VULNERABILITY | CVE-2024-20439 is a static credential vulnerability (CVSS score 9.8) affecting Cisco Smart Licensing Utility. If successfully exploited, the flaw could allow attackers to gain administrative privileges for the application's API.

3.4.25 | CPU_HU cryptomining malware | ALERTS | VIRUS | A new campaign distributing cryptomining malware dubbed CPU_HU has been reported in the wild. The attackers target vulnerable or misconfigured PostgreSQL instances in efforts to deploy XMRig-C3 cryptominer binaries. A similar malware variant (also known as PG_MEM) was distributed last year in campaigns attributed to the same threat actors. The most recent campaign implements additional detection evasion techniques, including fileless payload execution.

3.4.25 | Salvador Stealer - a new mobile malware | ALERTS | VIRUS | Salvador Stealer is a newly discovered Android malware variant. The infostealer is spread under the disguise of legitimate mobile banking apps. The malware delivery is a multistage process that uses a separate malicious dropper .apk binary responsible for final payload execution. Salvador Stealer aims at collection and exfiltration of user confidential data, including banking details and credentials.

3.4.25 | Recent activities deploying Konni RAT malware | ALERTS | VIRUS | Konni RAT is a well-known remote access trojan (RAT) variant active on the threat landscape for several years. The malware has the functionality to exfiltrate sensitive data from compromised machines, achieve persistence on the infected endpoints and execute remote commands received from attackers.

3.4.25 | CVE-2024-48248 - NAKIVO Backup and Replication absolute path traversal vulnerability | ALERTS | VULNERABILITY | CVE-2024-48248 is a recently identified absolute path traversal vulnerability (CVSS score 8.6) affecting the NAKIVO Backup and Replication solution. If successfully exploited, the flaw might enable unauthenticated attackers to read arbitrary files on the target hosts, leading to sensitive information exposure.

2.4.25 | Masslogger Bank-Themed Phishing Primarily Targets Romania, With Broader European Reach | ALERTS | VIRUS | Symantec has observed a Masslogger campaign primarily targeting organizations in Romania, where attackers are impersonating a Romanian bank. In addition to Romanian entities, the campaign has also impacted organizations in several other countries across Europe and beyond.

2.4.25 | TsarBot Android malware | ALERTS | VIRUS | TsarBot is a new Android banking trojan reported to be targeting over 750 different banking, financial and cryptocurrency-related applications.

1.4.25 | New SnakeKeylogger multistage Info-stealer campaign | ALERTS | VIRUS | SnakeKeylogger is an info-stealer malware that harvests credentials and other sensitive data. It targets a wide range of applications such as web browsers like Google Chrome and Mozilla Firefox, and email clients such as Microsoft Outlook and Thunderbird.

1.4.25 | Crocodilus Android malware | ALERTS | VIRUS | Crocodilus is a new mobile banking trojan variant identified recently on the threat landscape. The malware has extensive remote control and infostealing functionalities, allowing the attackers to perform application overlay attacks, gain remote access to the compromised devices, steal credentials/data stored on the mobile device, log keystrokes and execute commands received from C2 servers, among others.

1.4.25 | New CoffeeLoader malware | ALERTS | VIRUS | CoffeeLoader is a new sophisticated malware loader designed to deploy secondary payloads while evading detection. This loader leverages a packer that executes code on a system's GPU. CoffeeLoader establishes and maintains persistence via the Windows Task Scheduler, using a scheduled task with a hard-coded name.

1.4.25 | MassLogger Targets Businesses Worldwide via Procurement-themed Phishing | ALERTS | PHISHING | MassLogger, an information-stealing malware designed to capture credentials, keystrokes, and clipboard data from victims, has been gaining prevalence in the threat landscape, with campaigns of various sizes and victimology observed worldwide.