HOME AI APT BOTNET CAMPAIGN CRIME CRYPTOCURRENCY EXPLOIT HACKING GROUP OPERATION PHISHING RANSOM SPAM VIRUS VULNEREBILITY
2025 January(36) February(50) March(77) April(54) May(54) June(65) July(50) August(54) SEPTEMBER(61) October(61) November(51) December(27)
DATE |
NAME |
INFO |
CATEGORY |
SUBCATE |
|
25.12.25 |
Mamont Malware Shifts from Fake Stores to SMS & Chats | A recent report highlights Mamont Android banking malware activity in 2025, showing a surge in attacks targeting Russian banks' customers. The infection vector has shifted from fake app stores to direct phishing delivery, with malicious APKs distributed via SMS and popular messenger groups, often relayed from already compromised devices. | ALERTS | VIRUS |
|
25.12.25 |
Pytric and Rustric implants leveraged in UNG0801 malicious operations | A new malicious activity attributed to a persistent threat cluster designated as UNG0801 (aka Operation IconCat) has been reported in the wild. The campaign targets specifically Israeli enterprise environments. The attackers employ sophisticated social engineering techniques, utilizing Hebrew-language phishing lures that mimic internal corporate communications. | GROUP | |
|
25.12.25 |
MacSync Stealer malware | Jamf Threat Labs has identified an updated variant of the MacSync Stealer malware, that leverages code-signed binaries able to deliver the malicious payloads without user interaction. To evade detection, the attackers also inflate the malicious application bundle to over 25 MBs using decoy PDFs and employ a Swift-based helper to execute the malicious scripts. | VIRUS | |
|
25.12.25 |
CVE-2025-34392 - Barracuda Service Center absolute path traversal vulnerability | CVE-2025-34392 is a recently disclosed critical (CVSS score 10.0) absolute path traversal vulnerability affecting Barracuda Service Center, which is a web-based management console for Barracuda Managed Workplace (RMM). If successfully exploited the flaw might allow unauthorized attackers to perform arbitrary file write operations and remote code execution via malicious webshell upload. | VULNEREBILITY | |
|
25.12.25 |
Paper Werewolf campaign delivering EchoGather malware | Researchers from Intezer reported on a new malicious activity attributed to the Paper Werewolf threat group (aka GOFFEE). The attackers leverage XLL-based delivery techniques to distribute a custom backdoor dubbed EchoGather. | CAMPAIGN | |
|
25.12.25 |
Caminho and DCRAT malware variants leveraged by the Blind Eagle APT | Zscaler researchers identified a recent spear-phishing campaign attributed to the BlindEagle threat group that has been targeting Colombian institutions. The operation utilized phishing emails, a fake web portal, PowerShell scripts, steganography to hide payloads, and legitimate services like Discord to host arbitrary payloads. | VIRUS | |
|
25.12.25 |
AshTag malware distributed by the Ashen Lepus APT | Researchers from Palo Alto have detailed an evolving espionage campaign attributed to the Ashen Lepus APT group. This campaign has introduced a fully featured, modular .NET malware dubbed AshTag. The infection chain relies on social engineering and DLL side-loading performed by the AshenLoader malware. | APT | |
|
25.12.25 |
PyStoreRAT malware | A new sophisticated supply chain attack utilizing dormant GitHub accounts to distribute a previously undocumented malware dubbed PyStoreRAT has been reported in the wild. | VIRUS | |
|
25.12.25 |
RansomHouse RaaS | RansomHouse is a Ransomware-as-a-Service (RaaS) operation attributed to the threat actor Jolly Scorpius. This group employs a double-extortion method, generating revenue through ransoming encrypted files and sensitive data, and primarily targets virtualized environments through their MrAgent and Mario components. | RANSOM | |
|
25.12.25 |
SantaStealer - a new MaaS infostealer | Rapid7 Labs has identified a new infostealer variant dubbed SantaStealer, which is currently advertised on underground forums and offered for sale under the Malware-as-a-Service (MaaS) offering. Functionally, SantaStealer is designed to harvest sensitive data from browsers, including credentials, cookies, and credit card details. | VIRUS | |
|
25.12.25 |
Frogblight mobile malware | Frogblight is a sophisticated Android banking malware operating under the Malware-as-a-Service model and targeting specifically Turkish users through a combination of banking theft and spyware capabilities. As reported by the researchers from Securelist, the malware spreads via social engineering, utilizing phishing SMS messages that falsely warn victims of pending court cases. | VIRUS | |
|
25.12.25 |
CVE-2025-6389 - WordPress Sneeit Framework plugin vulnerability under active exploitation | CVE-2025-6389 is a recently disclosed critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability affecting Sneeit Framework plugin for WordPress. | VULNEREBILITY | |
|
25.12.25 |
Longlegs group attributed to multiple campaigns delivering ransomware | The Longlegs (aka Gold Salem, Storm-2603) threat actor group has established itself in early 2025 through the distribution of Warlock ransomware. The group gained notoriety in mid-2025 following exploitation of ToolShell, a collection of Microsoft SharePoint vulnerabilities. | GROUP | |
|
25.12.25 |
CVE-2025-58360 - OSGeo GeoServer XML External Entity (XXE) vulnerability | CVE-2025-58360 is a recently disclosed critical (CVSS score 9.8) XML External Entity (XXE) vulnerability affecting GeoServer, which is an open-source software server written in Java that allows for editing and sharing of geospatial data. If successfully exploited the flaw might allow an unauthenticated attacker to access arbitrary files from the server's file system or to conduct Server-Side Request Forgery (SSRF) attacks | VULNEREBILITY | |
| 13.12.25 | UDPGangster backdoor deployments attributed to the Seedworm APT | UDPGangster is a sophisticated backdoor attributed to the Seedworm APT group (aka MuddyWater). This malware distinguishes itself by utilizing the User Datagram Protocol (UDP) for its command-and-control (C2) communications. | VIRUS | |
| 13.12.25 | Makop ransomware incorporates GuLoader in recently observed campaign | A recent campaign involving Makop ransomware has been observed, with over 50% of the targets attributed to Indian businesses. Researchers at Acronis have shared details of the campaign, which include: | RANSOM | |
| 13.12.25 | Malspam campaign delivers Cobalt Strike to Russian orgs via maldocs and LNKs | Researchers have uncovered a financially motivated campaign dubbed “Operation FrostBeacon” that targets Russian enterprises. The actors run two parallel email-based infection chains: one uses archives with malicious LNK files disguised as PDFs, while the other weaponizes DOCX lures that exploit CVE-2017-0199 and then chain into CVE-2017-11882, with both paths converging on remote HTA execution. | CAMPAIGN | |
| 13.12.25 | NANOREMOTE backdoor | Elastic Security Labs has uncovered NANOREMOTE, a sophisticated new Windows backdoor likely tied to the same espionage actor behind FINALDRAFT and REF7707, which blends remote command execution, discovery, and advanced file transfer capabilities. | VIRUS | |
| 13.12.25 | MetaRAT (PlugX Variant) Activity Observed Targeting Japan | Recent reporting warns that a China-linked threat actor is conducting a targeted campaign against Japanese companies in the maritime and logistics sectors. The group is exploiting vulnerabilities in ICS devices (CVE-2024-21893 / CVE-2024-21887) to gain initial access, before deploying new variants of PlugX, including MetaRAT and Talisman. | VIRUS | |
| 13.12.25 | DroidLock Android malware | DroidLock is a new mobile malware variant for Android discovered recently by the researchers from Zimperium. The malware is distributed in a disguise of legitimate apps and spread via phishing websites. | VIRUS | |
| 13.12.25 | CVE-2025-44823 & CVE-2025-44824 - Nagios Log Server vulnerabilities | CVE-2025-44823 (CVSS Score 9.9) and CVE-2025-44824 (CVSS Score 8.5) are two vulnerabilities affecting Nagios Log Server that have been disclosed back in October. | VULNEREBILITY | |
| 13.12.25 | AdaptixC2 and Havoc tools among the updated arsenal of the Tomiris APT group | Researchers from Securelist reported on updated activities of the Advanced Persistent Threat (APT) group known as Tomiris. The threat actors have been increasingly relying on known public services like Telegram and Discord for command-and-control (C2) communications. | APT | |
| 13.12.25 | New campaign distributing ClayRAT mobile malware | Zimperium researchers have identified a new variant of the mobile malware known as ClayRAT. While the original malware focused on stealing SMS messages, call logs, and photos, this updated strain now exploits Android Accessibility Services in addition to default SMS privileges in an effort to gain deeper control over infected devices. | CAMPAIGN | |
| 13.12.25 | CVE-2025-9501 - W3 Total Cache WordPress plugin vulnerability | CVE-2025-9501 is a recently disclosed critical (CVSS score 9.0) pre-auth RCE vulnerability affecting the W3 Total Cache (W3TC) WordPress plugin. | VULNEREBILITY | |
| 13.12.25 | SeedSnatcher mobile malware | Researchers at Cyfirma have identified a new Android malware dubbed SeedSnatcher. Specifically designed to target cryptocurrency users, the malware is propagated through social channels like Telegram or WeChat. | VIRUS | |
| 13.12.25 | Monarch APT delivers ValleyRAT malware via Microsoft Teams impersonation | ReliaQuest researchers have identified a campaign conducted by the Advanced Persistent Threat (APT) group known as Monarch (aka Silver Fox, Void Arachne). | APT | |
| 13.12.25 | FvncBot mobile banking malware | FvncBot is a new Android banking trojan targeting Polish users that has been just recently discovered by the researchers from Intel471. | VIRUS | |
| 13.12.25 | DeadLock ransomware used vulnerable driver tactic in recent attacks | Exploitation of vulnerable drivers is a common tactic observed in attacks perpetrated by threat groups, known as Bring Your Own Vulnerable Driver (BYOVD). | RANSOM | |
| 13.12.25 | React2Shell flaw (CVE-2025-55182) exploited | According to reports, APT groups, including Earth Lamia and Jackpot Panda, began exploiting the newly disclosed React2Shell flaw (CVE-2025-55182) within hours of its publication, using both functional and broken public PoCs to scan the internet for vulnerable React Server Components and Next.js applications. | VULNEREBILITY | |
| 13.12.25 | JS#SMUGGLER | Researchers at Securonix recently published an article on a JavaScript loader known as JS#SMUGGLER, observed in multi-stage web-based malware campaigns. | VIRUS | |
| 13.12.25 | Shanya crypter | Ransomware attack groups use numerous tools to accomplish their goals, and a recently popular inclusion involves the Shanya crypter, a Packer-as-a-Service offering. Researchers at Sophos have published details of recently observed attacks in which Shanya-packed EDR Killer payloads were delivered. | VIRUS | |
| 5.12.25 | Benzona Ransomware | A new ransomware operation known as Benzona has surfaced, showing signs of rapid development and growing confidence. The malware encrypts victim files using the “.benzona” extension and drops a ransom note titled RECOVERY_INFO.txt, warning that sensitive data has already been exfiltrated. Victims are given a 72-hour deadline to negotiate via a Tor-based chat portal, with threats of data publication should they refuse. | RANSOM | |
| 5.12.25 | DupeRunner and AdaptixC2 malware deployed within the Operation DupeHike | The SEQRITE researchers have uncovered a targeted cyber espionage campaign dubbed Operation DupeHike. The campaign is focused on various sectors including HR, payroll, and administrative departments. The attack utilizes sophisticated social engineering tactics, deploying realistic decoy documents centered on employee financial bonuses to lure victims. | OPERATION | |
| 5.12.25 | Symbiote and BPFdoor Linux malware variants implement new eBPF filters | Symbiote and BPFdoor are two Linux malware strains known to utilize Berkeley Packet Filter (BPF) packet sniffer to monitor network traffic and send packets only on existing open ports, bypassing firewall rules and network protections. As reported by researchers from Fortinet, both called out malware families have recently implemented new extended Berkeley Packet Filters (eBPFs) within the distributed payloads. | VIRUS | |
| 5.12.25 | Datebug APT deploys malware targeting BOSS Linux systems | The Pakistan-based advanced persistent threat (APT) group known as Datebug (aka APT36, Transparent Tribe, Storm-0156) is reported to be behind recent attacks targeting Indian government entities running Bharat Operating System Solutions (BOSS) Linux. | APT | |
| 5.12.25 | CVE-2025-61757 - Oracle Fusion Middleware vulnerability | CVE-2025-61757 is a recently disclosed critical (CVSS score 9.8) missing authentication vulnerability affecting the Identity Manager product of Oracle Fusion Middleware. If successfully exploited the flaw might provide unauthenticated attackers with network access via HTTP to compromise Identity Manager leading up to takeover of the vulnerable Identity Manager instance by the threat actors. | VULNEREBILITY | |
| 5.12.25 | CVE-2025-12480 - Gladinet Triofox vulnerability | CVE-2025-12480 is a recently disclosed critical (CVSS score 9.1) improper access control vulnerability affecting Gladinet Triofox file server and storage solution. If successfully exploited the flaw might allow unauthenticated remote attackers access to the vulnerable application configuration pages and enable them to perform upload and execution of arbitrary payloads. | VULNEREBILITY | |
| 5.12.25 | LotusHarvest malware deployed in Operation Hanoi Thief | SEQRITE Labs’ researchers have identified "Operation Hanoi Thief," a malicious cyber campaign targeting IT professionals and HR recruiters in Vietnam. The campaign employs spear-phishing emails containing fake resumes to deliver malware used to steal confidential user data. | OPERATION | |
| 5.12.25 | Arkanix Stealer | Researchers at G DATA recently observed a new infostealer dubbed Arkanix. According to their findings, it was initially built in Python and distributed via Discord as a fake “utility,” but it quickly evolved — a native C++ “premium” version now exists, complete with VMProtect obfuscation. Its capabilities are standard for commodity stealers. | VIRUS | |
| 5.12.25 | Albiriox mobile RAT | Albiriox is a new Android malware operating under a Malware-as-a-Service (MaaS) model, designed to facilitate on-device fraud, VNC‑based remote control and overlay attacks. As reported by researchers from Cleafy, the malware spreads through social engineering, specifically targeting Austrian victims via fake applications distributed through SMS and WhatsApp lures | VIRUS | |
| 5.12.25 | CVE-2025-34299 - Monsta FTP vulnerability | CVE-2025-34299 is a recently disclosed critical (CVSS score 9.3) arbitrary file upload vulnerability affecting Monsta FTP solution (version 2.11.2 and earlier). If successfully exploited the flaw might allow unauthenticated remote attackers to perform arbitrary code execution by uploading a specially crafted file from malicious SFTP or FTP servers. | VULNEREBILITY | |
| 29.11.25 | TangleCrypt packer employed in recent StoneStop malware delivery campaign | The researchers from WithSecure have released a technical analysis of TangleCrypt, a previously undocumented packer identified in recent attacks utilizing StoneStop EDR killer malware. | VIRUS | |
| 29.11.25 | Flexible Ferret malware distribution campaigns continue to target macOS users | A new run of the malicious campaign dubbed "Contagious Interview" has been reported on by the researchers from JAMF. The attackers target macOS users, lure them to fake job websites, and then trick into downloading malware via a bogus software updates. | VIRUS | |
| 29.11.25 | W-8BEN Phishing Alert: Interactive Brokers users targeted via fake login pages | Interactive Brokers (IBKR) is a large, global securities firm offering an electronic trading platform for sophisticated investors, active traders, and institutions across a wide range of products. Recently, a phishing campaign was identified that impersonates a request for the W-8BEN tax form, primarily targeting non-U.S. residents to steal sensitive data. | PHISHING | |
| 29.11.25 | Recent ShadowV2 - a Mirai variant delivery campaign | FortiGuard Labs recently reported on ShadowV2, a Mirai-based malware, targeting IoT devices during the large-scale AWS disruption incident in October. | BOTNET | |
| 29.11.25 | StealC malware campaign targets Blender users | StealC malware was deployed in a campaign by Russian-linked threat actors targeting users of the popular open-source 3D creation suite, Blender. The multi-stage attack involves malicious .blend files published to legitimate 3D marketplaces. | VIRUS | |
| 29.11.25 | Silver Fox Campaign Uses Fake Apps & BYOVD | Researchers recently observed a “SwimSnake / Silver Fox” campaign distributing remote-control malware via SEO-boosted fake download sites that impersonate apps like Youdao Translator and WPS. The loaders perform multilayered decryption, use around 80 encrypted fallback C2 addresses, and deploy Gh0st-derived plugins to conceal payloads and support spying, remote command execution, and DDoS. | CAMPAIGN | |
| 29.11.25 | Banking malware spread to Brazilian users in campaign leveraging phishing and WhatsApp messaging | A sophisticated malware campaign, identified by K7 Security Labs as part of the "Water-Saci" operation, is targeting the Brazilian financial sector through a hybrid phishing and WhatsApp messaging propagation strategy. Initial access is gained via phishing emails with malicious .VBS attachments, followed by the deployment of Python scripts and Selenium webdriver used to hijack WhatsApp Web sessions. | VIRUS | |
| 29.11.25 | TamperedChef activity continues | TamperedChef is a cyber campaign utilizing malvertising and Search Engine Optimization (SEO) to distribute malicious payloads. The operation targets users searching for common software like web browsers, PDF editors, or product manuals. | CAMPAIGN | |
| 29.11.25 | Autumn Dragon APT activity | Autumn Dragon is a sophisticated cyber espionage campaign targeting government and media organizations across Southeast Asia. As reported by the researchers from CyberArmor, the campaign has been active since early 2025. It begins with spearphishing emails containing a malicious RAR archive that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR. | APT | |
| 29.11.25 | Tsundere botnet | Researchers at Kaspersky have identified a growing botnet named Tsundere, which has been targeting Windows users since at least mid-2025. The malware is primarily propagated through fake MSI installers disguised as popular video games installers or other pirated software. | BOTNET | |
| 29.11.25 | New variant of Shai-Hulud worm found targeting npm packages | A new, aggressive wave of the "Shai Hulud" malware campaign has been reported, compromising hundreds of packages and impacting major organizations including Zapier, Postman, AsyncAPI, and ENS Domains. The malware operates like a sophisticated worm, autonomously spreading by re-publishing itself into other packages maintained by the compromised individual. | VIRUS | |
| 29.11.25 | CCLand Ransomware | A ransomware actor calling itself “CCLand Team” has recently surfaced. The group presents itself as purely financially motivated and appears to follow a conventional double-extortion model, claiming data theft, file encryption and threatening public disclosure. In the recent activity, they demanded USD 50,000 in Bitcoin with a one-week deadline. | RANSOM | |
| 23.11.25 | Sturnus mobile malware | A new Android malware called Sturnus has been discovered by MTI Security researchers and is reportedly used to target customers of financial institutions in Southern and Central Europe. The malware comes in a disguise of known legitimate apps, such as Google Chrome and Preemix Box. | VIRUS | |
| 23.11.25 | BadAudio malware distributed in campaigns attributed to Budminer APT group | Google’s Threat Intelligence Group has identified a sophisticated espionage campaign orchestrated by a threat actor known as Budminer (aka APT24 or Spicy Panda). Since at least 2022, the group has deployed a previously undocumented malware strain dubbed BadAudio to targeted Windows systems. | VIRUS | |
| 23.11.25 | Eternidade Stealer | The Eternidade stealer is a banking Trojan targeting Brazilian users. The campaign utilizes malicious scripts to propagate through WhatsApp and download the payload. This malware also features backdoor functionality, leveraging IMAP to identify the active C2. | VIRUS | |
| 23.11.25 | Backdoor NKNShell | Researchers have recently published a blog on a threat actor (Larva‑24010) who's been compromising a South Korean VPN provider’s official site to covertly install malware. The installer masquerades as a legitimate VPN client but triggers a PowerShell script that disables defenses and drops three key tools: the backdoor NKNShell, the remote-management agent MeshAgent, and the remote-shell gs‑netcat. | VIRUS | |
| 23.11.25 | Hospital-Impersonation Malspam Drives VIPKeylogger Targeting Across EU and Turkey | A new malspam campaign delivering VIPKeylogger is circulating across multiple regions, with the actor impersonating a prominent Turkish private hospital group / healthcare institution to establish credibility. The phishing email—bearing the subject “SİPARݪİMİZDİR HK.” and posed as a procurement-related message—arrived from a spoofed sender and carried a RAR attachment framed as a purchase order. | VIRUS | |
| 23.11.25 | Steganography .NET Loader spreading Lokibot | In its latest analysis, the Splunk Threat Research Team has dissected a .NET loader that uses steganography to smuggle the Lokibot credential-stealer. Hiding modules inside image resources and loading them at runtime, the loader evades static detection and embeds a dual-stage container that ultimately drops Lokibot. | VIRUS | |
| 23.11.25 | ShinySp1d3r Ransomware | ShinySp1d3r is a new ransomware variant offered for sale in a form of Ransomware as a Service (RaaS) model. The malware is attributed to the threat actor known as ShinyHunters. Researchers from BleepingComputer have reported on a discovery of a Windows encryptor variant of this ransomware. | RANSOM | |
| 23.11.25 | Threat actors delivering RMM packages with help of seasonal party invite lures | A highly active threat actor that specializes in using the ScreenConnect remote management and monitoring (RMM) software in its attacks has changed tactics and is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk. | HACKING | |
| 23.11.25 | DigitStealer – MacOS stealer | Jamf Threat Labs examined DigitStealer, a macOS infostealer spread through a deceptive disk image that prompts users to run a Terminal script, slipping past Gatekeeper controls. According to their analysis, after checking the system’s region and evading virtual machines, the malware moves through a multi-stage chain that blends AppleScript and obfuscated JXA to harvest browser data, VPN creds, and crypto-wallet information. | VIRUS | |
| 23.11.25 | Amatera stealer delivered via ClickFix in EVALUSION campaign | Social engineering is an important component of a successful attack by threat actor groups. Researchers at eSentire have highlighted a recent campaign, identified as EVALUSION, whereby targets are socially engineered to participate in their own compromise via the ClickFix technique. | CAMPAIGN | |
| 23.11.25 | GMER anti-rootkit utility | Dual-use tools are common components of attack campaigns by established threat actors. A highly popular tool that is often observed in such attacks is the anti-rootkit utility GMER. | CAMPAIGN | |
| 23.11.25 | RONINGLOADER | Researchers at Elastic recently published an article on RONINGLOADER, a multi-stage Windows loader used by the DragonBreath (APT-Q-27) group and delivered through tampered installers disguised as everyday apps like Chrome or Teams. | VIRUS | |
|
15.11.25 |
Attackers leverage software brand impersonation to deliver Gh0st RAT |
A report by Unit42 at Palo Alto Networks highlights two brand impersonation campaigns observed in 2025 that deliver a Gh0st RAT payload. |
||
|
15.11.25 |
A new malspam campaign impersonating the GLS delivery service has been reported by CERT AGID. The attackers leverage malicious emails themed with a failed parcel delivery and urge the recipients to open an attached XHTML file. |
|||
|
15.11.25 |
Researchers from Canva Threat Detection and Hunting team reported on an increased use of weaponized AppleScript (.scpt) files by the malicious threat actors. |
|||
|
15.11.25 |
The DanaBot malware has resurfaced with a new Windows variant, approximately six months after its activity was severely disrupted by the international law enforcement action, Operation Endgame. |
|||
|
15.11.25 |
A new report by researchers at Cisco Talos details recent activity related to the Kraken ransomware group. The group, established in early 2025, runs a double extortion operation with no specific industry or geographical focus. |
|||
|
15.11.25 |
SkyCloak campaigns target Russian and Belarusian military entities |
Russian and Belarusian military entities are targeted in a multi-stage attack, intent on allowing backdoor access for the attackers. Details of the activity, given the name Operation SkyCloak in a report published by Seqrite, are further corroborated in a report shared by researchers at Cyble. |
||
|
12.11.25 |
CHAMELEON#NET campaign - from DarkTortilla loader to FormBook payload |
A new sophisticated malspam campaign utilizing the DarkTortilla .NET malware loader to deliver the FormBook Remote Access Trojan (RAT) has been documented by the researchers from Securonix. The attack is initiated via phishing, where users are manipulated into downloading a compressed .BZ2 archive containing a highly obfuscated JavaScript dropper. |
||
|
12.11.25 |
A new phishing campaign targeting hospitality industry customers |
A recent phishing campaign reported by the researchers from Sekoia is targeting hospitality customers. A key intrusion tactic involves sending malicious emails to popular hospitality sector businesses that lure the staff into clicking a URL employing the "ClickFix" social engineering technique, ultimately manipulating them into executing a malicious PowerShell command. |
||
|
9.11.25 |
CVE-2025-6205 - DELMIA Apriso vulnerability exploited in the wild |
CVE-2025-6205 is a recently disclosed critical (CVSS score 9.1) missing authorization vulnerability affecting DELMIA Apriso from release 2020 through release 2025. If successfully exploited the flaw might allow attackers to gain privileged access to the vulnerable application instances. This vulnerability has been added just last week to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. |
||
|
9.11.25 |
Remote monitoring and management (RMM) tools are a common payload in today's threat landscape. A recent report by researchers at Proofpoint details campaigns against cargo and freight companies to attempt cargo theft. |
|||
|
9.11.25 |
A new variant of the BankBot mobile malware has been reported by the researchers from Cyfirma. This strain implements updated anti-emulation techniques. During initialization, it inspects device attributes like device manufacturer and model identifiers to detect virtualized or sandboxed environments, dynamically altering its behavior to evade automated analysis. |
|||
|
9.11.25 |
Recent activity focusing on organizations influencing U.S. policy |
China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues. |
||
|
9.11.25 |
New NGate mobile malware campaign targeting Polish banking users |
CERT Polska has uncovered a new mobile malware campaign called NGate that uses an NFC Relay attack to drain cash from victims' bank accounts at ATMs. The attack targets users of Polish banks and starts with a fake security message (email or SMS) concerning a technical issue or incident, tricking the victim into installing a malicious Android app. |
||
|
9.11.25 |
RMM Abuse Continues — Malicious LogMeIn Resolve Activity on the Rise |
In recent weeks we observed a decline in malicious ScreenConnect activity and a concurrent rise in campaigns abusing LogMeIn Resolve RMM (aka GoTo Resolve) – Using the “Unattended Access” feature within Resolve, which allows access to and control of computers or servers without an end user being present. |
||
|
9.11.25 |
CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild |
CVE-2025-24893 is a recently disclosed template-injection vulnerability affecting XWiki, which is a open-source wiki software platform. If successfully exploited the flaw might allow unauthenticated attackers to inject and execute arbitrary Groovy code through crafted requests. |
||
|
9.11.25 |
Symantec has identified a new Agent Tesla campaign leveraging business-themed social engineering to target organizations across Latin America, Spain, and other international sectors. The actor impersonates a company that advertises outsourced management, consulting, and facility services. |
|||
|
9.11.25 |
CVE-2025-54247 is a recently disclosed improper input validation vulnerability affecting Adobe Experience Manager versions 6.5.23.0 and earlier. If successfully exploited the flaw might allow low-privileged attackers to bypass security measures and gain unauthorized read access. Product vendor has already released respective security patches to address this vulnerability. |
|||
|
9.11.25 |
Aramex, a global logistics and transportation company based in Dubai, offers services such as express courier delivery, freight forwarding, and supply chain management for businesses and consumers. Symantec has detected a new wave of phishing attacks that mimic Aramex services to steal credentials. |
|||
|
9.11.25 |
CVE-2025-54236 (aka SessionReaper) is a recently disclosed critical (CVSS score 9.1) improper input validation vulnerability affecting Adobe Commerce and Magento solution. If successfully exploited the flaw might allow an attacker for a session takeover through the Commerce REST API. |
|||
|
9.11.25 |
CVE-2025-11371 - Gladinet CenterStack LFI vulnerability exploited in the wild |
CVE-2025-11371 is a recently disclosed local file inclusion (LFI) vulnerability in Gladinet CenterStack and Triofox platforms, which are self-hosted file sharing solutions. If successfully exploited the flaw might allow attackers to perform unauthenticated remote file inclusion, retrieval of configuration keys and subsequent remote code execution. The vulnerability has been reported as being exploited in the wild. |
||
|
9.11.25 |
New phishing campaign targets Tether users with fake anti-money laundering notices |
A new phishing campaign has been observed, spoofing Tether and targeting its users with fraudulent anti-money laundering (AML) notice emails. Tether, a widely adopted stablecoin with tokens pegged 1-to-1 to fiat currencies and backed by reserves, is a popular target for such scams. |
||
|
9.11.25 |
Tangerine Turkey is a crypto mining campaign, delivered by the less-than-efficient mechanism of removable USB drives. The USB contains all the necessary components to complete the attack. Execution starts with a .vbs file which drops and executes a .bat. |
|||
|
9.11.25 |
BlueNoroff targets Crypto Sector with GhostCall and GhostHire campaigns |
Two new campaigns by the BlueNoroff APT group, dubbed GhostCall and GhostHire, targeting cryptocurrency and Web3 professionals, have been reported by Kaspersky. In GhostCall, attackers impersonate venture capitalists or startup founders luring victims into fake online meetings via Zoom or Teams and prompting them to install a “security update” that deploys multi-stage malware on macOS or Windows. |
||
|
9.11.25 |
Airstalk, a Windows-based malware recently discovered by researchers at Unit42 of Palo Alto Networks. The name is derived from the malware's use of the AirWatch API for mobile device management (MDM) for C2 communications. Variants written in both PowerShell and .NET have been observed, with the .NET variant having more capabilities. |
|||
|
9.11.25 |
Attackers linked to Russia continue activity against Ukraine |
Attacks against a large business services organization and a local government organization were recently observed by our Threat Hunter team. Fueled by a heavy reliance on Living-off-the-Land tactics and dual-use tools, the attacker's goal appears to be establishing persistence and theft of sensitive information. |
||
|
9.11.25 |
Microsoft patched a critical unauthenticated RCE in Windows Server Update Services (CVE‑2025‑59287) with an out-of-band update on Oct 23, 2025, after the initial October Patch Tuesday release proved incomplete. Exploit code and active attacks were observed within hours, prompting warnings from security vendors, incident responders and CISA’s KEV catalog. |
|||
|
9.11.25 |
An advanced Android malware strain named GhostGrab that is actively used to mine cryptocurrency and steal banking credentials from compromised devices has been reported by CYFIRMA. |
|||
|
28.10.25 |
DarkCloud Campaign Targets Thailand and Turkey in Dual-Variant Operation |
Symantec has observed two concurrent DarkCloud campaigns leveraging the same PE payload distributed via a RAR archive. Both campaigns share identical execution chains and TTPs, but differ in regional focus, language localization, and spoofed organizations. |
||
|
28.10.25 |
Agent Tesla campaign impersonates WeTransfer to phish wide range of targets |
Symantec has observed a new Agent Tesla campaign that uses WeTransfer-themed lures to deliver a 7z archive containing the malware. The campaign targets a wide range of sectors, including Technology and IT (global and Taiwan), Finance and Banking (UK), Manufacturing and Electric industries, News and Media (South Africa and Israel), Education (Falkland Islands), and other commercial sectors across multiple countries — indicating opportunistic, broad targeting rather than a single vertical. |
||
|
28.10.25 |
Dark Vision campaign: Procurement email → fake PDF update → LZH archive → signed PE + DLL |
A new Dark Vision campaign uses procurement-themed social engineering to push victims from a PDF to an LZH archive hosted on domain. The archive extracts a signed 64-bit executable (InstCont.exe) which side-loads a 64-bit DLL (Instup.dll). Targets observed across manufacturing, construction & tech sectors in Taiwan, Germany, the U.S., and Sweden. |
||
|
28.10.25 |
The Qilin threat group operates a very prolific Ransomware-as-a-Service (RaaS) business model. A report by researchers at Cisco Talos provides highlights of recent Qilin activity. North America and Europe are the most targeted regions, with manufacturing, professional and scientific services, and wholesale trade as the most impacted industries. |
|||
|
28.10.25 |
Phishing campaign impersonates Exness to steal trading account credentials |
Founded in 2008, Exness is a global online multi-asset broker that provides clients with the opportunity to trade Contracts for Difference (CFDs) across a variety of financial instruments, including forex, cryptocurrencies, indices, commodities and stocks. |
||
|
28.10.25 |
Symantec has observed a phishing campaign that is targeting organizations across Austria by impersonating the Österreichische Datenschutzbehörde (Austrian Data Protection Authority). Targeting multiple sectors including finance, insurance, IT consulting, manufacturing, healthcare, and public services |
|||
|
28.10.25 |
Group-IB has reported a new malware campaign by the Iran-linked APT group Seedworm (aka MuddyWater) deploying the Phoenix v4 backdoor, primarily targeting government, defense and international organizations in the Middle East with spillover activity across Europe, Africa and North America |
|||
|
28.10.25 |
A new campaign exploiting misconfigured Windows Internet Information Services (IIS) servers across the globe has been reported by the researchers from Elastic Security Labs. The initial compromise leveraged IIS web servers using ASP.NET machine keys - cryptographic keys used for encryption and data validation - that were exposed in publicly shared resources. |
|||
|
28.10.25 |
The state-sponsored threat group Brimstone (also known as ColdRiver, UNC4057, Star Blizzard, and Callisto) rapidly overhauled its operations following the May 2025 public disclosure of its LostKeys malware as reported by the researchers from Google. |
|||
|
28.10.25 |
CVE-2025-33073 - SMB Client Privilege Escalation vulnerability exploited in the wild |
CVE-2025-33073 is a high severity (CVSS score 8.8) privilege escalation vulnerability in Windows Server Message Block (SMB) Client that has been disclosed earlier in June 2025. |
||
|
28.10.25 |
CVE-2025-41243 is a recently disclosed high severity (CVSS score 8.1) remote code execution vulnerability affecting Spring Cloud Gateway WebFlux which is an API Gateway built on the reactive Spring WebFlux framework. |
|||
|
28.10.25 |
Released in early October 2025, Vidar Stealer has been fully rewritten in the C programming language and now runs multithreaded, allowing it to complete data-collection tasks far faster and more efficiently than before. |
|||
|
28.10.25 |
Caminho LaaS: Stealthy malware delivery via Image Steganography |
Arctic Wolf reported a new Loader-as-a-Service (LaaS) operation called Caminho, which originates in Brazil and leverages LSB steganography to conceal malicious payloads within image files. It is primarily delivered via spear-phishing emails carrying malicious JavaScript or VBScript files; when those scripts are executed, the loader retrieves an image containing a hidden payload, extracts it using LSB techniques and runs it directly in memory |
||
|
28.10.25 |
The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after it was discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025. Warlock is an unusual threat. |
|||
|
28.10.25 |
China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025. The same threat actors also compromised two government departments in the same African country during the same time period. |
|||
|
28.10.25 |
Cybersecurity researchers at Seqrite Labs have identified a new campaign utilizing CAPI backdoor, a previously undocumented .NET malware, likely targeting E-commerce and automotive industries. The analysis is based upon a discovered malicious ZIP archive, which suggests the infection chain begins with phishing emails. |
|||
|
28.10.25 |
UAC-0239 group targets Ukraine with OrcaC2 framework and FILEMESS stealer |
CERT-UA published details about recent activity associated with the threat group UAC-0239. The group engaged in campaigns against Ukranian Defense forces and local governments, initiated through spear phishing. The emails were socially engineered to appear as communications by the Security Service of Ukraine. |
||
|
28.10.25 |
Kaiji is a malware variant primarily targeting Linux-based servers and IoT devices by exploiting vulnerable internet-connected services. As reported by the researchers from Aquasec, the malware’s main objectives is to launch large-scale Distributed Denial of Service (DDoS) attacks and proxy malicious traffic, effectively leveraging infected devices as part of a botnet. |
|||
| 19.10.25 | Maverick banking trojan | A new campaign reported by Securelist researchers has been leveraging WhatsApp messenger to distribute a new sophisticated banking trojan named Maverick. The attack has been targeting Brazilian users and utilizing .ZIP archives containing malicious LNK files. | VIRUS | |
| 19.10.25 | Purseweb APT delivers updated BeaverTail and OtterCookie variants in the latest campaign | Cisco Talos researchers have identified a new campaign attributed to the Purseweb (aka Famous Chollima) threat group that targets job seekers using fake employment offers. The attackers deploy custom infostealing malware strains including BeaverTail and OtterCookie. | APT | |
| 19.10.25 | Operation Silk Lure delivers ValleyRAT | A spear-phishing campaign dubbed Operation Silk Lure, which targets Chinese HR and hiring teams in fintech, crypto exchanges and trading firms by weaponizing realistic résumés, has been uncovered by Seqrite Labs. Attackers send CVs containing malicious .lnk shortcuts that download a second-stage payload, deploy a script to create a hidden daily scheduled task for persistence, and then RC4-decrypt an in-memory loader that launches the final payload — ValleyRAT. | ALERTS | OPERATION |
| 19.10.25 | Katz Stealer delivered by PhantomVAI loader in a recent campaign | A new campaign leveraging PhantomVAI Loader to distribute information-stealing malware via an evasive, multi-stage infection chain has been reported by the researchers from Unit42. The loader, initially known as Katz Stealer Loader, was primarily used to deliver the Katz Stealer malware but recently has also been noted to deliver a variety of other infostealer variants such as DcRAT, AsyncRAT, XWorm or FormBook. | VIRUS | |
| 19.10.25 | CVE-2025-61882 - Oracle E-Business Suite 0-Day vulnerability | CVE-2025-61882 is a recently disclosed critical (CVSS score 9.8) zero-day vulnerability affecting the Oracle Concurrent Processing product within Oracle E-Business Suite (EBS). | VULNEREBILITY | |
| 19.10.25 | Recent Jewelbug APT activity | Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the network of a Russian IT service provider and lasted for the first five months of 2025. | APT | |
| 19.10.25 | GhostBat RAT targets RTO Users | An Android malware campaign dubbed GhostBat RAT which impersonates RTO (Regional Transport Office) apps like mParivahan to deceive Indian users, has been reported by Cyble. The malware spreads via WhatsApp and SMS with shortened URLs pointing to GitHub-hosted APKs, as well as through compromised websites. | VIRUS | |
| 19.10.25 | TA585 delivers MonsterV2 via Phishing and Web Injections | A new threat actor dubbed TA585 has been observed conducting phishing campaigns that use tailored email lures, malvertising and web-injection techniques to redirect victims to attacker-controlled sites, sometimes even tagging GitHub users with fake security alerts to boost credibility and click-through rates. The group delivers a range of malware including the newly released MonsterV2, through these campaigns. | GROUP | |
| 19.10.25 | Updated Stealit campaign observed in the wild | The Stealit malware operation has recently upgraded its deployment strategy, incorporating Node.js's Single Executable Application (SEA) feature to distribute malicious payloads. FortiGuard Labs identified this shift following an increase in detections of a particular VB script that facilitates persistence on infected machines. | CAMPAIGN | |
| 19.10.25 | BeFirst Ransomware | BeFirst is a recent MedusaLocker ransomware variant observed in the wild. The malware encrypts user data and appends .befirst1 extension to the locked files. | RANSOM | |
| 19.10.25 | ClayRat Android spyware | A new malicious campaign distributing the ClayRAT Android spyware has been reported by the researchers from Zimperium. The malware employs highly effective social engineering tactics, utilizing fraudulent Telegram channels and phishing websites that mimic legitimate services like Google Photos, WhatsApp, and TikTok to convince the victims to install the malicious application. Once deployed, ClayRat exhibits vast surveillance capabilities. | VIRUS | |
| 19.10.25 | Astaroth banking trojan exploits GitHub | As per reports from McAfee, a new Astaroth campaign has been discovered that weaponizes legitimate GitHub repositories and image files, primarily targeting victims in South America. | VIRUS | |
| 19.10.25 | ChaosBot: Hiding on your system and communicating through Discord | Details regarding a newly identified, Rust-based malware dubbed ChaosBot have been shared by eSentire's Threat Response Unit. According to the report, the actors behind ChaosBot make use of varying methods to gain access to victim environments: | BOTNET | |
| 19.10.25 | Uptick of activity attributed to the RondoDox botnet | Trend Micro reported on renewed malicious activities attributed to the RondoDox botnet. The researchers identified early intrusion attempts, noting that botnet operators quickly leverage publicly disclosed flaws such as CVE-2023-1389 vulnerability affecting TP-Link routers. | ALERTS | BOTNET |
| 19.10.25 | SumUp users targeted with account takeover phishing emails | SumUp Payments Limited is a financial technology company that provides payment and point-of-sale solutions for small businesses and independent merchants. Lately, Symantec has observed phish runs that mimic SumUp and pose as account verification emails, to steal credentials. | PHISHING | |
| 19.10.25 | Latest Chaos Ransomware variant adds new features | The Chaos ransomware variant observed on the threat landscape in 2025 marks a significant evolution according to a latest blog from Fortinet. The malware has transitioned its codebase from .NET to C++ and integrated aggressive destructive extortion tactics alongside the traditional file encryption. | RANSOM | |
| 19.10.25 | Beware of fake 2025 Japan Population census emails | Symantec has detected a new wave of phishing runs targeting Japanese email users with fake 2025 Japan Population census emails. The emails use the subject line: | SPAM | |
| 19.10.25 | APAC Campaign: Malaysian Procurement Lures Load VIP Keylogger In-Memory | Symantec observed a new malspam campaign that is leveraging procurement emails while posing as a well-known Malaysian company specializing in construction and civil engineering, to distribute credential-stealing malware against organizations in Malaysia and beyond. | CAMPAIGN | |
| 19.10.25 | Multi-platform attacks leveraging IUAM ClickFix Generator phishing kit | The popular social engineering technique known as "ClickFix" is being rapidly commercialized according to the latest report from Unit 42 Palo Alto. | PHISHING | |
| 19.10.25 | HiveWare Ransomware | HiveWare is a new ransomware variant recently observed in the wild. The malware encrypts user data and appends .HIVELOCKED extension to the locked files. | RANSOM | |
| 19.10.25 | FoalShell and StallionRAT malware deployed by Cavalry Werewolf APT | Cavalry Werewolf APT has been observed to enhance its malicious toolkit with customized malware. According to the report published by BI.ZONE Threat Intelligence, the threat actors have been conducting phishing campaigns by assuming the identities of personnel from various governmental bodies. | VIRUS | |
| 19.10.25 | VampireBot malware distributed by the BatShadow threat group | Aryaka Threat Research Labs has recently discovered a new campaign conducted by the Vietnamese threat group known as BatShadow. This operation relies heavily on sophisticated social engineering, primarily targeting digital marketers and job applicants. The attackers impersonate recruiters, distributing ZIP archives containing decoy PDF files with malicious executables packed alongside them. | VIRUS | |
| 19.10.25 | Protection Highlight: Symantec Static Data Scanner - Proactive Protection Against DonutLoader with Command-Line Emulation | As the threat landscape continues to evolve, attackers are increasingly relying on sophisticated social engineering techniques to trick users into executing malicious code. These attacks often bypass traditional file-based detection methods, making proactive, behavior-based security measures more critical than ever. | ALERTS | GROUP |
| 19.10.25 | Turkey-Focused Snake Keylogger Campaign Expands Across Sectors and Regions | Symantec recently observed a malspam campaign delivering Snake Keylogger that abused the brand of a prominent Turkish financial institution to lend credibility to fraudulent messages. The emails carried subject lines such as “HESAP EKSTRESI” (account statement). | CAMPAIGN | |
| 19.10.25 | JA Net Bank Phishing Pressures Users with Urgency & Compliance Lures | A phishing campaign is impersonating JAネットバンク (JA Net Bank), using official-sounding messages that cite the 犯罪収益移転防止法 (Act on Prevention of Transfer of Criminal Proceeds) to add credibility. Victims are urged to complete “customer information and transaction purpose” verification or risk account restrictions. | PHISHING | |
| 19.10.25 | SORVEPOTEL: New WhatsApp malware campaign | As per a report from Trend Micro, a new self-propagating Windows malware campaign dubbed SORVEPOTEL is spreading through WhatsApp messages that deliver malicious ZIP attachments. When opened on a desktop, the ZIP extracts a shortcut (.LNK) file that executes hidden PowerShell and batch commands to download payloads, establish persistence, and connect to attacker-controlled servers. | CAMPAIGN | |
| 4.10.25 | ModStealer - a new macOS malware | Security firm Mosyle and follow-up reports detailed the emergence of ModStealer, a cross-platform infostealer distributed via malvertising campaigns, often disguised as fake software downloads or job advertisements. | VIRUS | |
| 4.10.25 | SEO fraud activities conducted by the UAT-8099 threat group | Cisco Talos has published details regarding UAT-8099, a cybercrime group focused on search engine optimization (SEO) fraud and the theft of miscellaneous sensitive data such as credentials, configuration files, logs, and more. This threat group specifically targets vulnerable Internet Information Services (IIS) servers globally, with confirmed victims spanning across universities, technology companies, and telecom providers, among others. | GROUP | |
| 4.10.25 | Confucius Threat Group Deploys New Anondoor Backdoor | The cyber-espionage group Confucius, known for targeting government and critical industries across South Asia has been observed leveraging sophisticated phishing campaigns primarily against high-value targets in Pakistan, showing a major technical evolution. | GROUP | |
| 4.10.25 | ProSpy & ToSpy - Android Spyware in UAE | New spyware campaigns targeting privacy-conscious Android users in the UAE has been reported by ESET. The campaigns deploy two previously undocumented spyware families, ProSpy and ToSpy, disguised as legitimate Signal or ToTok apps distributed via phishing sites and fake app stores. | VIRUS | |
| 4.10.25 | WARMCOOKIE Operators Expand Infrastructure, Refine Tactics | Researchers recently published a report on the WARMCOOKIE backdoor, revealing that its operators have expanded their infrastructure and refined their tactics. First observed in recruitment-themed phishing campaigns, WARMCOOKIE is still active and capable of host fingerprinting, command execution, screenshot capture, and delivery of additional payloads. | ALERTS | OPERATION |
| 4.10.25 | CORS vulns exploited to deliver Latrodectus via injected FakeCaptcha | According to recent reports, Lunar Spider (aka Gold SwathMore) has evolved its toolkit by exploiting CORS misconfigurations on websites—mainly in Europe—to inject a “FakeCaptcha” overlay that tricks victims into running malicious commands. The injected JavaScript creates a fake verification UI, copying a PowerShell command into the clipboard, which, when executed, initiates an MSI loader. | EXPLOIT | |
| 4.10.25 | DarkCloud's infostealer recent activity | A new activity delivering the DarkCloud version 3.2 payload has been reported by the researchers from eSentire. The attack is initiated via targeted spear-phishing campaign with financial lure that delivers the infostealing malware within the .zip archive attachment. | VIRUS | |
| 4.10.25 | GuLoader campaign targets Francophone Businesses, deploying MassLogger | Symantec has observed a new GuLoader campaign in which actors are impersonating a well-known hospitality and luxury resort/events group in Morocco. Sending fraudulent quotation requests with the subject line “DEMANDE DEVIS N° 25090358.” | CAMPAIGN | |
| 4.10.25 | Acreed Infostealer | Acreed is an advanced infostealer variant first discovered in early 2025 and sold on underground markets. Once on the infected machine, Acreed deploys JavaScript modules designed for financial theft, performing cryptocurrency clipping (replacing legitimate wallet addresses on web pages) and clipboard hijacking. | VIRUS | |
| 4.10.25 | New LockBit ransomware variant 5.0 found in the wild | The LockBit ransomware group has resurfaced following a February 2024 disruption, deploying an new variant dubbed LockBit 5.0. A new research published by Trend Micro has confirmed the existence of Windows, Linux, and ESXi variants, signifying the group’s continued cross-platform strategy targeting entire enterprise networks, including virtualized environments. | RANSOM | |
| 4.10.25 | CVE-2025-10035 - Fortra GoAnywhere MFT vulnerability | CVE-2025-10035 is a recently disclosed critical (CVSS score 10.0) deserialization vulnerability affecting Fortra GoAnywhere which is comprehensive managed file transfer (MFT) software. | VULNEREBILITY | |
| 4.10.25 | New Android malware Klopatra | Klopatra is a newly observed Android malware which functions as both a banking Trojan and Remote Access Trojan (RAT). A report provided by researchers at Cleafy shares technical details and campaign activity associated with this threat. Highlights from the report include: | VIRUS | |
| 4.10.25 | Olymp Loader: Emerging Malware-as-a-Service | A new assembly-written Malware-as-a-Service called Olymp Loader advertised as “FUD” (fully undetectable) has been reported by Outpost24. It includes anti-debugging, code-signing and crypter options and targets browsers, Telegram and crypto wallets. | ALERTS | VIRUS |
| 4.10.25 | Rise in Jumbo lottery phishing emails as Halloween nears | Lately, Symantec has observed Halloween themed jumbo lottery phish runs targeting Japanese users. Threat actors have recently initiated jumbo lottery phish runs that masquerade as lottery campaign announcement emails. | PHISHING | |
| 4.10.25 | XWorm RAT uses Excel Add-Ins for Fileless Attack | A malware campaign delivering the XWorm .NET RAT using shellcode hidden inside Office attachments has been observed by Forcepoint. As part of the multi-stage attack, a phishing email is sent with a seemingly benign .xlam workbook that embeds an Ole10Native stream containing encrypted shellcode. | VIRUS | |
| 4.10.25 | New XCSSET Malware variant targets Xcode Projects | Microsoft Threat Intelligence has identified a new variant of XCSSET malware targeting Xcode projects. The malware employs run-only compiled AppleScripts for stealthy execution, now targets a broader range of browsers including Firefox, steals information from Telegram, hijacks clipboards by substituting wallet addresses and establishes persistence via LaunchDaemons and Git commits. | ALERTS | VIRUS |
| 4.10.25 | Oyster backdoor spread via malicious Teams Setup | A recent campaign has been reported by Blackpoint SOC in which attackers are abusing SEO poisoning and malvertising to trick users into downloading trojanized Microsoft Teams installers that deliver the Oyster (also known as Broomstick) backdoor. | VIRUS | |
| 27.9.25 | SVG phishing campaigns deliver infostealer and cryptominer payloads | Symantec has observed an uptick in malicious spam (malspam) using Scalable Vector Graphics (SVG) file attachments to initiate malicious activity. A report by security researchers at Fortinet corroborates this trend, highlighting recent SVG-based campaigns delivering Amatera Stealer and PureMiner. | PHISHING | |
| 27.9.25 | Activities of the DeceptiveDevelopment threat group | In a recent publication, ESET reserchers report on a financially motivated threat group called DeceptiveDevelopment. The group has been active since at least 2023 and primarily targets software developers across all major operating systems (Windows, Linux, macOS), particularly those involved in cryptocurrency and Web3 projects. | GROUP | |
| 27.9.25 | New YiBackdoor Malware | Cybersecurity researchers at Zscaler ThreatLabz have identified YiBackdoor, a newly discovered malware family exhibiting significant source code overlaps with the established loaders IcedID and Latrodectus. YiBackdoor operates as a powerful, modular backdoor capable of executing arbitrary commands, capturing screenshots, and extensive system information collection. | VIRUS | |
| 27.9.25 | RedNovember threat group targets global entities for espionage | A report by Insikt Group at Recorded Future details recent activity of a China-backed threat actor named RedNovember (previously known as TAG-100). | APT | |
| 27.9.25 | Operation Rewrite leads to BadIIS malware distribution | Researchers from Palo Alto reported on a SEO poisoning campaign, dubbed "Operation Rewrite". The primary tool used by the attackers in this operation is the BadIIS malware, that can intercept and modify web traffic, utilizing compromised legitimate servers to deliver malicious content. | OPERATION | |
| 27.9.25 | CVE-2025-53690 - Deserialization of Untrusted Data vulnerability affecting multiple Sitecore products | CVE-2025-53690 is a recently disclosed critical (CVSS score 9.0) ViewState deserialization of untrusted data vulnerability affecting Sitecore products including Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) and Experience Commerce (XC) | VULNEREBILITY | |
| 27.9.25 | Bitpanda users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of Bitpanda GmbH, an Austrian digital asset platform headquartered in Vienna. | ALERTS | PHISHING |
| 27.9.25 | SystemBC botnet - new infrastructure uncovered | Black Lotus Labs at Lumen Technologies has identified new infrastructure belonging to the SystemBC botnet, a large-scale operation averaging 1,500 daily victims. Unlike typical botnets using residential IPs, SystemBC exploits Virtual Private Server (VPS) systems to create high-volume, persistent proxies that fuel malicious activities for various criminal groups. | BOTNET | |
| 27.9.25 | New malware distribution campaign attributed to the Rustfly APT group | Rustfly APT group (also known as UNC1549 or Nimbus Manticore) is engaged in a sustained cyberespionage operation targeting defense manufacturing, telecommunications, and aviation sectors. Recently published report from Checkpoint reveals a heightened focus from this APT group on Western Europe, particularly Denmark, Sweden, and Portugal. The attackers employ sophisticated spear-phishing campaigns, posing as HR recruiters to lure victims to fake career portals. | APT | |
| 27.9.25 | XWorm disguised as “Unreal Engine Auto Update” hosted on GitHub’s CDN | An individual or group has been disguising XWorm malware as an “Unreal Engine Auto Updater” and hosting it on raw[.]githubusercontent[.]com, GitHub’s CDN endpoint that serves raw file contents from public repositories. | ALERTS | VIRUS |
| 27.9.25 | ClickFix techniques used in BeaverTail malware distribution on macOS and Windows systems | The ClickFix social engineering technique relies on tricking users into running malicious commands by presenting fake CAPTCHAs. As reported by Gitlab, a recent campaign leveraging ClickFix techniques has been observed to spread a new BeaverTail malware variant. Previously targeting software developers, the APT group behind this malware has now shifted its focus to marketing, cryptocurrency trading and retail sectors. | VIRUS | |
| 27.9.25 | Leafperforator APT leverages Nepalese protest movement for mobile malware distribution | A recent activity reported by the researchers from StrikeReady demonstrates a popular trend where geopolitical events serve as bait for targeted cyber threats. | APT | |
| 27.9.25 | DarkCloud Campaign Targets European Energy, Finance, and Maritime Sectors | Symantec has observed a DarkCloud malspam run that used invoice/shipping-themed lures to deliver a Windows stealer. The attackers spoofed two German industrial suppliers (one industrial-machinery vendor, one tank/storage-construction firm) while using logistics and invoice-style social engineering. | ALERTS | CAMPAIGN |
| 27.9.25 | HybridPetya - a Petya/NotPetya offshoot with a UEFI bootkit | ESET security researchers have identified new malware samples, dubbed HybridPetya, which exhibit characteristics of the impactful Petya and NotPetya campaigns from 2016-2017. | VIRUS | |
| 27.9.25 | New campaign distributing SnakeDisk worm and the Toneshell backdoor | IBM X-Force identified a new malicious operation attributed to the threat actor known as Fireant (aka Hive0154, Mustang Panda). | CAMPAIGN | |
| 27.9.25 | XillenStealer malware | In their latest report, Cyfirma's analysts reveal XillenStealer as an open-source, Python-based information stealer readily available on GitHub. | ALERTS | VIRUS |
| 27.9.25 | RevengeHotels New Tactics Deliver Potent VenomRAT | Securelist researchers have identified RevengeHotels, also known as TA558, as a cybercriminal group targeting the hospitality and tourism industries to steal credit card data. | VIRUS | |
| 27.9.25 | WhiteCobra Targets Developer Tools for Data Heists | KOI Research has identified WhiteCobra, a sophisticated threat actor, in a year-long campaign targeting users of VSCode, Cursor, and Windsurf. | GROUP | |
| 17.9.25 | EvilAI Malware Mimics Legitimate Tools | As reported by Trend Micro researchers, a new malware campaign dubbed EvilAI is posing a threat by impersonating legitimate productivity and AI-powered tools. | VIRUS | |
| 17.9.25 | Phishing Campaign Targets UK Government Gateway User IDs and Passwords | Symantec has observed a phishing campaign delivering HTML attachments via email that masquerade as official GOV.UK Government Gateway confirmations. The email (subject: "Confirmation - Government Gateway") spoofed a no-reply government address and carried a file named attachement.service.gov.uk.html. | PHISHING | |
| 17.9.25 | Phishing Emails Masquerade as Internal Messages to Deliver SHTML Credential Traps | A newly identified phishing campaign, discovered by Symantec, leverages SHTML attachments disguised as password-protected documents to harvest employee credentials. | PHISHING | |
| 17.9.25 | NPM packages infected by self-replicating worm | Malicious activity reported by multiple sources was observed impacting numerous packages in the npm JavaScript repository. The activity revolves around a self-replicating worm named Shai-Hulud, which after infecting a locally available NPM, searches for and infects other accessible packages based on user access. It's responsible for stealing secrets, exfiltrating data, and marking private GitHub projects as public for impacted users. | HACKING | |
| 17.9.25 | CVE-2025-5086 - Delmia Apriso vulnerability | CVE-2025-5086 is a recently disclosed critical (CVSS score 9.0) deserialization of untrusted data vulnerability affecting DELMIA Apriso Manufacturing Operations Management (MOM) software. | VULNEREBILITY | |
| 17.9.25 | Maranhão Stealer | A recent campaign involving the Maranhão Stealer has been identified by the researchers from Cyble. The attack is targeting gaming users through social engineering websites hosted on cloud platforms. | ALERTS | VIRUS |
| 17.9.25 | kkRAT: A new Remote Access Trojan | A malware campaign targeting China-speaking users has been identified, deploying a previously undocumented kkRAT alongside ValleyRAT and FatalRAT. | VIRUS | |
| 17.9.25 | Buterat Backdoor Targeting Enterprise and Government Networks | The Lat61 Threat Intelligence Team from Point Wild has identified Backdoor.Win32.Buterat, a sophisticated malware designed for persistent, long-term network infections. | VIRUS | |
| 17.9.25 | Contagious Interview operation continues | SentinelLABS has identified North Korean threat actors associated with the "Contagious Interview" campaign cluster exhibiting a sophisticated approach to operational security. | OPERATION | |
| 17.9.25 | New Go-Based ZynorRAT Leverages Telegram for Linux and Windows | The Sysdig Threat Research Team (TRT) has identified ZynorRAT, a novel Go-based Remote Access Trojan (RAT) demonstrating robust command and control (C2) features for both Linux and Windows platforms. | ||
| 12.9.25 | Yurei ransomware | First observed in September, Yurei is a new ransomware group whose operations incorporate a double-extortion model of both file encryption and data theft. | RANSOM | |
| 12.9.25 | AMOS Stealer malware continues to be distributed via cracked apps | rend Micro's latest report reveals a sophisticated campaign leveraging the AMOS infostealer (also known as Atomic macOS Stealer). Attackers employ social engineering, disguising the malware binaries as cracked software or tricking users into pasting malicious commands into the macOS Terminal thus bypassing built-in protections like Gatekeeper. | ||
| 12.9.25 | Fireant group continues activity in Myanmar with ToneShell backdoor | ToneShell is a backdoor that is deployed by the Fireant (aka Mustang Panda) threat group. Security researchers at Intezer have published details about a recently observed variant, with related activity indicating that the group continues acting against targets in Myanmar. | ALERTS | GROUP |
| 12.9.25 | BlackField (aka BlackFL) Ransomware | BlackField (aka BlackFL) is a double-extortion ransomware actor first observed around July 2025. Analysis of its ransomware demonstrates the typical double-extortion model, using both encryption and data theft to pressure victims. | RANSOM | |
| 12.9.25 | BlackNevas Ransomware | BlackNevas is a ransomware variant that initially emerged in November 2024. This encryptor targets businesses and critical infrastructure across Asia, North America, and Europe, with a strong focus on the Asia-Pacific region. | RANSOM | |
| 12.9.25 | Luno - Linux botnet with cryptomining and DDoS capabilities | Cyble researchers have identified a new sophisticated Linux botnet campaign dubbed "Luno." This malware framework combines cryptocurrency mining with modular DDoS attack capabilities, showcasing advanced features like process masquerading, binary replacement, and a self-update mechanisms, indicative of professional threat actor involvement. | ALERTS | BOTNET |
| 12.9.25 | NightshadeC2 Botnet emerges | NightshadeC2 is a newly identified botnet uncovered by eSentire, notable for its advanced stealth and persistence techniques. It is distributed through trojanized installers of legitimate software such as CCleaner, ExpressVPN and others, as well as phishing campaigns using fake ClickFix-themed landing pages. | BOTNET | |
| 12.9.25 | Kamasers Malware | Kamasers is a bot with backdoor capabilities that has recently been observed in the wild. Once deployed, it communicates with its C2 server to retrieve commands that enable it to download and execute files, perform HTTP and DNS flooding attacks, access local files, load malicious JavaScript, and direct browsers to attacker-specified URLs. | VIRUS | |
| 12.9.25 | NFSkate's RatOn Android Banking Trojan | In a recent report, ThreatFabric MTI analysts have identified a sophisticated new Android banking trojan dubbed "RatOn," crafted by the NFSkate threat actor group. RatOn represents a significant advancement in mobile cybercrime by combining classic overlay attacks with powerful Automated Transfer System (ATS) functionalities and NFC relay capabilities. | VIRUS | |
| 12.9.25 | New Threat Actor GhostRedirector Targets Windows Servers with SEO Fraud and Backdoors | In a recent report, ESET researchers have identified a new threat actor, GhostRedirector, that has compromised at least 65 Windows servers across Brazil, Thailand, and Vietnam. Operating in diverse sectors including insurance, healthcare, retail, and education, this actor utilizes a sophisticated custom toolkit. | GROUP | |
| 12.9.25 | Gentlemen Ransomware | Gentlemen is a newly emerged ransomware threat group as reported by Trend Micro researchers. The attackers have been observed to leverage legitimate drivers, abuse Group Policy Objects (GPO) as well as deliver KillAV tools aimed at disabling installed security products in the targeted environments | RANSOM | |
| 12.9.25 | Tamperedchef Malware Lurks in AppSuite PDF Editor | According to a report from Truesec a sophisticated malware campaign masquerading as a free utility, "AppSuite PDF Editor," which silently deploys an information-stealing malware named "Tamperedchef" has been identified. This operation employs highly obfuscated code, possibly AI-generated, and exploits Google advertising to achieve widespread distribution. | CAMPAIGN | |
| 12.9.25 | RapperBot: Fast-moving IoT botnet exploits NVRs for DDoS | RapperBot is a fast-moving IoT botnet that is quickly turning compromised DVRs and NVRs into nodes for large-scale DDoS attacks. | BOTNET | |
| 12.9.25 | Credential theft: Threat actors spoof Hungarian Post (Magyar Posta Zrt.) services | A new wave of phishing attacks targeting Hungarian Post (Magyar Posta Zrt.) services has been identified by Symantec, aiming to steal user credentials. | PHISHING | |
| 12.9.25 | TinyLoader delivers stealers while clipping wallets | In a recent report, researchers have spotlighted TinyLoader, a stealthy malware loader harnessed to siphon cryptocurrency and deploy additional payloads like Redline Stealer and DCRat. | ALERTS | VIRUS |
| 12.9.25 | XWorm adopts multi-stage infection chain | Trellix has identified a shift in the XWorm backdoor campaign, which has evolved from simple .lnk-based delivery to a more deceptive, multi-stage infection chain | VIRUS | |
| 12.9.25 | TAG-150 MaaS group deploys their Castle family of malware | TAG-150 is a newly identified threat actor group which operates as a Malware-as-a-Service (MaaS) provider. Activity associated with TAG-150 is highlighted by deployment of multiple custom developed malware, CastleBot, CastleLoader, and CastleRAT. | GROUP | |
| 12.9.25 | GPUGate: Malware campaign targets IT Pros via GitHub and Google Ads | A sophisticated malware campaign dubbed GPUGate, which exploits GitHub's infrastructure and Google Ads to distribute a malicious payload targeting IT professionals in Western Europe, has been reported by Arctic Wolf. | ALERTS | VIRUS |
| 12.9.25 | Salat Stealer: Go-Based Infostealer as Malware-as-a-Service | Salat Stealer, a Go-based infostealer offered under a Malware-as-a-Service model, has been reported by Cyfirma. Likely operated by Russian-speaking actors, the malware employs layered persistence techniques, including registry Run keys, scheduled tasks, process masquerading and modifications to Windows Defender exclusions to evade detection. | VIRUS | |
| 12.9.25 | Obscura: New Go-based ransomware emerges | A new ransomware variant known as Obscura has emerged, adding itself to the growing list of active ransomware families targeting organizations in 2025. | RANSOM | |
| 12.9.25 | Stealerium: An Open-Source Infostealer Fueling Widespread Attacks | Stealerium is an open-source infostealer that has been observed in recent activity. The malware has been deployed by multiple groups across various campaigns over the last few months. | VIRUS | |
| 12.9.25 | LockBeast ransomware | LockBeast is a ransomware variant that combines file encryption with data theft to pressure victims into payment. Upon execution, it encrypts files with strong cryptographic algorithms, appends a victim-specific identifier plus the “.lockbeast” extension, and drops a ransom note named README.TXT. | RANSOM | |
| 6.9.25 | Phishing campaign targets GMO Aozora Net Bank customers | GMO Aozora Net Bank, an online-only bank in Japan established in 2018 by the GMO Internet and Aozora Bank groups, offers customized financial services for both individuals and businesses. | PHISHING | |
| 6.9.25 | AI Waifu RAT exploits AI enthusiasm | AI Waifu RAT is a newly identified Remote Access Trojan spreading in LLM role-playing communities by posing as an AI interaction or research tool. | AI | |
| 6.9.25 | APT28 introduces NotDoor Backdoor | A new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group, has been identified by LAB52. Delivered via Microsoft OneDrive with DLL side-loading, NotDoor uses an Outlook VBA macro to monitor emails for trigger words, enabling command execution, data exfiltration and file uploads. | APT | |
| 6.9.25 | Indonesian-Language Agent Tesla Campaign Targets Firms Across Southeast Asia | Symantec has observed a new Agent Tesla campaign targeting organizations in Southeast Asia, including both local companies and regional branches of large international firms. | ALERTS | VIRUS |
| 6.9.25 | Iran-Nexus campaign exploits Omani MFA Mailbox | A recent campaign exploiting the Oman Ministry of Foreign Affairs was first reported by ClearSky, with Dream Security researchers providing further insights. | CAMPAIGN | |
| 6.9.25 | Jackpot ransomware |
A new ransomware variant named Jackpot, linked to the
MedusaLocker family, has emerged leveraging a double extortion strategy
that combines file encryption with the theft of sensitive data.
|
RANSOM | |
| 6.9.25 | MystRodX Backdoor | As per recent reports from XLab, a new backdoor named MystRodX has been discovered, implemented in C++ and equipped with an extensive range of capabilities. It supports file management, port forwarding, reverse shell access and socket management, while also embedding anti-debugging and anti-VM techniques to bypass security analysis. | ALERTS | VIRUS |
| 6.9.25 | Masslogger actor switched from direct archive attachment to Discord CDN URL | Masslogger, an information-stealing malware active since 2020, continues to rank among the most prevalent threats. It is designed to harvest credentials stored in browsers, email clients, and messaging applications. | VIRUS | |
| 6.9.25 | Desolator Ransomware | The Desolator ransomware group, also referred to as The Desolated Collective, is a relatively new actor recently observed in the wild. Alleged victims include construction and engineering firms in Latin America and Southern Europe, and a technology and software developer in Southeast Asia. | RANSOM | |
| 6.9.25 | TinkyWinkey keylogger | A new Windows keylogger, dubbed TinkyWinkey, analyzed by Cyfirma, leverages a service-based persistence model and DLL injection into trusted processes to evade detection while maintaining continuous surveillance. | VIRUS | |
| 6.9.25 | North Korean Vedalia expands espionage via Operation HanKook Phantom | An espionage campaign dubbed Operation HanKook Phantom, attributed to North Korean threat actor Vedalia (also known as APT37, ScarCruft), has been reported by Seqrite targeting South Korean academic and research organizations. | APT | |
| 31.8.25 | Xworm RAT delivered through ScreenConnect disguised as a Fake Video file | A recent campaign has been observed using AI-themed lures to trick victims into downloading a digitally signed ScreenConnect installer disguised as a video file. Once executed, the installer secretly establishes a hidden remote session and initiates a multi-stage infection chain. | VIRUS | |
| 31.8.25 | SpyNote Android RAT spreads through fake Play Store sites. | A new campaign is distributing the SpyNote Android RAT through deceptive websites mimicking Google Play Store pages, tricking users into installing dropper APKs. | ALERTS | VIRUS |
| 31.8.25 | Silver Fox Abuses Legit Drivers to Deploy RAT | Researchers at Check Point observed a Silver Fox campaign where they exploited a Microsoft-signed vulnerable driver (amsdk.sys) in an attempt to silently disable EDR and antivirus protections on Windows 10 and 11. | VIRUS | |
| 31.8.25 | TASPEN Impersonation Malware Exploits Indonesian Pensioners | A sophisticated mobile malware campaign, potentially linked to Chinese actors, is actively targeting Indonesian pensioners and civil servants by impersonating PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), a state-owned pension fund. | EXPLOIT | |
| 31.8.25 | ShadowSilk: A Mixed-Language APT Targeting Government in Asia | A recently published report details the ShadowSilk threat actor group, a mixed-language (Chinese and Russian) actor primarily focused on data exfiltration from government targets. | ALERTS | APT |
| 31.8.25 | SmartApeSG uses fake CAPTCHAs to deploy NetSupport RAT and StealC v2 | A multi-stage attack chain linked to SmartApeSG is exploiting compromised websites by injecting fake CAPTCHA pages that trick users into executing hidden commands through a ClickFix-style script. | VIRUS | |
| 31.8.25 | Hook v3 evolves into banking, spyware and ransomware extortion | A new variant of the Hook Android banking trojan has emerged, evolving beyond credential theft to include ransomware-style extortion via full-screen cryptocurrency payment overlays. | VIRUS | |
| 31.8.25 | Cephalus Ransomware | In mid‑August 2025, researchers observed two ransomware incidents involving a new variant dubbed “Cephalus.” According to their findings, the attackers gained entry via RDP using accounts without MFA and appeared to exfiltrate data via MEGA before deploying the payload. | RANSOM | |
| 31.8.25 | "PlugX" Backdoor Powers UNC6384's Diplomatic Espionage | A sophisticated cyber-espionage campaign, attributed to the PRC-nexus threat actor UNC6384, is actively targeting diplomats in Southeast Asia and other global entities. | ALERTS | VIRUS |
| 31.8.25 | ZipLine: Building Trust, Exploiting Trust – A New Attack Vector | The sophisticated social engineering campaign, "ZipLine," targets US companies across diverse sectors like manufacturing, semiconductors, and biotech, seeking valuable data, vendor networks, or exploitable infrastructure. Unlike traditional phishing, ZipLine initiates contact via a company's public "Contact Us" form, generating initial legitimacy. | EXPLOIT | |
| 31.8.25 | Datebug threat group uses custom malware to target Linux BOSS systems | The Datebug threat group (aka APT36, Transparent Tribe) is a Pakistan-based group known to target various industries (government. media, military) primarily situated in India. In recent activity, the group was observed targeting the Linux BOSS operating system with custom malware, notably those systems associated with the Indian government. | VIRUS | |
| 31.8.25 | Biotech and Semiconductor Firms Impersonated to Spread Snake Keylogger | Symantec has identified an actor running two coordinated malspam campaigns that impersonated well-known companies to distribute Snake Keylogger, a prevalent information-stealing malware designed to harvest credentials, system details, and other sensitive data before transmitting them to attacker-controlled Telegram bots. | ALERTS | VIRUS |
| 31.8.25 | New Android Backdoor Impersonates Antivirus to Spy on Russian Business Leaders | A new sophisticated Android malware, Android.Backdoor.916.origin, has been identified, specifically targeting executives of Russian businesses. | VIRUS | |
| 31.8.25 | Anatsa - Android banking malware | Anatsa, a banking Trojan targeting Android devices, has been in circulation since 2020. A recently observed campaign saw the malware being downloaded after installation of a decoy document reader application from the Google Play Store. Some features present in the recent release include: | VIRUS | |
| 31.8.25 | Gayfemboy malware campaign | A stealthy malware strain, dubbed "Gayfemboy," has been observed exploiting a range of vulnerabilities to infiltrate systems. Most recent attacks target vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco. | ALERTS | CAMPAIGN |
| 26.8.25 | Gigabud Malware Masquerades as Grab Super-App in Southeast Asia | A recent variant of the Gigabud Android malware has been found impersonating the popular GRAB super-app—offering ride-hailing, food delivery, and digital payments—widely used across Southeast Asia. The trojanized APK, named Grab.apk, was detected in Thailand, disguised as the legitimate application. | VIRUS | |
| 26.8.25 | Sinobi Ransomware | The Sinobi ransomware ransom note uses standard double-extortion techniques. It mixes intimidation (stolen documents, 7-day deadline, threats of leaks) with persuasion (test decryption and stolen file list). | RANSOM | |
| 26.8.25 | Global Industries and Government Agencies Targeted in Remcos Campaign | A recently observed malspam campaign is leveraging impersonation of a global supplier in the valves and actuators industry to deliver Remcos RAT. The lure comes in the form of emails with the subject line “Price quote” or “Quotation” and a malicious archive (Quote_pdf.z) as attachment. | ALERTS | CAMPAIGN |
| 26.8.25 | APT36 is evolving with new delivery techniques | A new campaign by APT36(aka Transparent Tribe) has been reported, leveraging phishing emails containing ZIP archives with malicious .desktop files disguised as PDFs to target users. | APT | |
| 26.8.25 | Phishing campaign targeting Kazakhstan’s Public Sector | A phishing campaign in Kazakhstan has been discovered that is targeting public sector clients by mimicking official government login portals and using Telegram’s Bot API as a covert channel to exfiltrate stolen credentials. | CAMPAIGN | |
| 26.8.25 | FamiPay users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of FamiPay, a Japanese digital wallet and mobile payment service offered by FamilyMart. | CAMPAIGN | |
| 26.8.25 | Fake IBM Trusteer Mobile App Used in SpyNote Campaign | During ongoing monitoring of mobile threats, Symantec identified a malicious Android application masquerading as an IBM security product. The app, distributed under the name IBMTMOBILE.apk, was hosted on a domain designed to typosquat IBM Trusteer. | CAMPAIGN | |
| 26.8.25 | TA-NATALSTATUS cryptojacking campaigns | TA-NATALSTATUS is a threat actor engaged in conduct of cryptojacking operations around the world. The attackers are targeting vulnerable Redis server instances for the purpose of cryptominer malware deployments. | CRYPTOCURRENCY | |
| 26.8.25 | Warlock Ransomware Leverages SharePoint ToolShell vulnerability (CVE-2025-53770) for Widespread Attacks | Warlock ransomware threat actors have been aggressively targeting organizations globally by exploiting a critical vulnerability (CVE-2025-53770) in Microsoft SharePoint, known as the ToolShell exploit chain. | ALERTS | RANSOM |
| 26.8.25 | BQTLOCK Ransomware | BQTLOCK is a new ransomware variant offered for sale in the form of a Ransomware-as-a-Service (Raas) model. The malware has the functionality to encrypt user data and append .bqtlock extension to the locked files. | RANSOM | |
| 26.8.25 | SHAMOS macOS malware | SHAMOS is a new variant of AMOS (aka Atomic macOS Stealer) malware targeting the macOS platform. The malware is sold by the threat group known as Cookie Spider in form of a MaaS (Malware-as-a-Service) offering. | VIRUS | |
| 26.8.25 | QuirkyLoader: A stealthy new malware loader | A newly identified malware loader dubbed QuirkyLoader has emerged as a sophisticated cyber threat, actively distributing a range of infostealers and RATs including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos and others. | ALERTS | VIRUS |
| 26.8.25 | Fake Electricity subsidy App phishing campaign | An Android phishing campaign impersonating an Indian government electricity subsidy scheme has been discovered. Victims are lured through YouTube and a GitHub-hosted phishing site mimicking an official subsidy portal. | PHISHING | |
| 26.8.25 | VIP Keylogger Spreads via Multi-Org Impersonation Campaign | Symantec has recently observed a series of malicious email campaigns delivering VIP Keylogger, in which attackers impersonated multiple legitimate organizations across industries such as logistics, engineering, and manufacturing—leveraging run-of-the-mill purchase orders, quotations, shipment notices, and sales contracts for social engineering. | CAMPAIGN | |
| 26.8.25 | Turkish Bank-themed Malspam spreads Snake Keylogger Across Sectors | Symantec has identified a recent malspam campaign distributing Snake Keylogger under the guise of a major financial institution in Turkey. | VIRUS | |
| 26.8.25 | Deployment of the RealBlindingEDR tool among the recent activities of the Crypto24 threat group | Threat actor known as Crypto24 has been observed to recently conduct multi-stage attacks against high-profile organizations from various sectors. | ALERTS | GROUP |
| 26.8.25 | CVE-2024-36401 in OSGeo GeoServer GeoTools exploited in a recent resource monetization campaign | According to latest report from Palo Alto Networks, a new campaign leveraging exploits of a remote code execution (RCE) vulnerability CVE-2024-36401 has been spotted in the wild. | VULNEREBILITY | |
| 26.8.25 | SoupDealer Loader malware | SoupDealer is a new loader malware variant observed recently in the wild and targeting users from Turkey. The malware is Java-based and distributed via malicious .jar attachments in malspam campaigns. | VIRUS | |
| 26.8.25 | ConfuserEx Obfuscation Spotted in Latest DarkCloud Stealer Campaign | A recent threat report from Unit 42 (Palo Alto Networks) highlights an evolved infection chain delivering the DarkCloud Stealer, now using ConfuserEx for obfuscation and a final payload written in Visual Basic 6. | ALERTS | CAMPAIGN |
| 26.8.25 | CORNFLAKE.V3 in “ClickFix” campaign | Researchers have uncovered a new campaign where the CORNFLAKE.V3 backdoor is being used, spread through fake CAPTCHA “ClickFix” pages run by the threat group UNC5518. | CAMPAIGN | |
| 26.8.25 | UNC1151 leverages macro-enabled Spreadsheets and Cloud C2 in latest campaign | The UNC1151 APT group has been observed conducting a malware campaign targeting Ukraine and Poland through malicious archive files containing decoy spreadsheets with embedded obfuscated macros. | APT | |
| 26.8.25 | MountBot Botnet | Researchers recently reported MountBot, a new IoT botnet first observed in April exploiting ASUS AiCloud vulnerabilities and operating on the same infrastructure as RapperBot. | BOTNET | |
| 20.8.25 | Fake Flash updates deliver Winos Trojan | A new Silver Fox campaign masquerading as a Flash plugin update has been observed. Users are lured through fake online tools, such as counterfeit translation sites, where they are prompted to install a fraudulent Flash update. | VIRUS | |
| 20.8.25 | EncryptHub attackers exploit MMC CVE-2025-26633 vulnerability for payload delivery | A recent campaign attributed to threat group EncryptHub (aka LARVA-208 and Water Gamayun), blends social engineering with the exploitation of the Microsoft Management Console (MMC) vulnerability tracked as CVE-2025-26633, dubbed MSC EvilTwin. | EXPLOIT | |
| 20.8.25 | Cracked Games lead to Lumma Stealer and SectopRAT infections | A multi-stage malware campaign has been uncovered where users searching for cracked games are tricked into downloading installers that first deploy Lumma Stealer and then install SectopRAT. | ALERTS | VIRUS |
| 20.8.25 | Modular PipeMagic backdoor masquerades as a ChatGPT application | Recent activity by a financially motivated threat actor group involved deployment of the modular PipeMagic malware under the guise of a ChatGPT desktop application. | VIRUS | |
| 20.8.25 | Recent vulnerabilities affecting Adobe Experience Manager (CVE-2025-54253 / CVE-2025-54254 / CVE-2025-49533) | Three vulnerabilities affecting Adobe Experience Manager (AEM) software solutions have been recently disclosed. The vulnerabilities are tracked as follows: | VULNEREBILITY | |
| 20.8.25 | njRAT masquerades as browser-based Minecraft Game | The renewed hype around Minecraft, driven by its upcoming film adaptation, is being exploited by cybercriminals who are distributing what appears to be a browser-based clone of the game but in reality conceals njRAT, a powerful remote access trojan. | ALERTS | VIRUS |
| 20.8.25 | Android malware masquerading as GiftFlipSoft | A sophisticated Android banking malware dubbed Lazarus Stealer, masquerading as the seemingly benign GiftFlipSoft app has been observed. | VIRUS | |
| 20.8.25 | NOVABLIGHT MaaS after Wallets | NOVABLIGHT is a sophisticated new Malware-as-a-Service (MaaS) information stealer leveraging Telegram and Discord for both distribution and operational support. Posing as an "educational tool," it stealthily distributes itself through social engineering lures like fake video game installers often repackaged with French-language titles. | CRYPTOCURRENCY | |
| 20.8.25 | PhantomCard mobile malware | A novel NFC-based malware, dubbed PhantomCard, has been identified in the wild and is actively targeting Android banking customers. | VIRUS | |
| 20.8.25 | Charon Ransomware | Charon represents a recently identified ransomware variant that utilizes DLL-injection techniques for the compromise of targeted endpoints. | RANSOM | |
| 20.8.25 | Phishing emails targeting U-Next users pose account takeover risk | U-Next is a Japanese video streaming platform (OTT). Recently, Symantec detected a phishing campaign targeting U-Next's users and its accounts. | PHISHING | |
| 20.8.25 | A new variant of the FireWood Linux malware found in the wild | A new variant of the Linux malware dubbed FireWood has been discovered in the wild. The malware is linked to Project Wood malware family and attributed to the Gelsemium APT group. | ALERTS | VIRUS |
| 20.8.25 | CVE-2017-11882 exploits still lead to malicious infections | CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. If successfully exploited the flaw might allow attackers remote code execution on the targeted systems. | VULNEREBILITY | |
| 20.8.25 | BytesFromHeaven ransomware | A new ransomware strain, BytesFromHeaven, has surfaced in the wild. Upon execution, the malware encrypts user data, appends random extensions to locked files, and changes the desktop wallpaper to signal a successful attack. | RANSOM | |
| 20.8.25 | SmartLoader delivered via Github repositories | A new campaign leveraging Github repositories to deliver the SmartLoader malware has been reported in the wild. The repositories are disguised as projects involving automation tools, DDoS protection applications, software cracks or game hacks. | ALERTS | VIRUS |
| 20.8.25 | New malicious campaign delivering PS1Bot malware | A new malicious operation delivering PowerShell-based malware variant dubbed PS1Bot has been reported by the researchers from Cisco Talos. | VIRUS | |
| 25.7.25 | Chaos Ransomware Group Surfaces with Aggressive Tactics | A newly identified ransomware-as-a-service group called Chaos has rapidly gained traction, launching double extortion attacks primarily in the U.S., with additional victims in the U.K., India, and New Zealand. Cisco Talos links the group to former BlackSuit (Royal) operators based on overlapping tactics and tooling. | RANSOM | |
| 25.7.25 | Malicious Hangul Word Processor documents delivering RokRAT | In a change from previous distribution methods, a recent campaign saw the RokRAT malware delivered through Hangul Word Processor documents (.hwp) rather than previously observed .lnk files. The HWP document embeds a legitimate executable and a malicious DLL responsible for initial payload execution. | VIRUS | |
| 25.7.25 | Chinese APT Clusters Escalate Attacks on Taiwan's Semiconductor Sector | The Taiwanese semiconductor industry has become the primary target of a series of sophisticated spear-phishing campaigns orchestrated by three distinct Chinese state-sponsored threat actor groups: UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp. | ALERTS | APT |
| 25.7.25 | Recent malicious activities attributed to the UNG0002 threat group | A new cluster of malicious activities dubbed "Operation AmberMist" has been attributed to the threat group known as UNG0002. The attackers have been focusing on victims from various industry sectors and distributing miscellaneous payloads including Shadow RAT, Blister DLL Implant, and INET RAT. | GROUP | |
| 25.7.25 | DCHSpy malware distributed by the Seedworm APT group | A new campaign distributing mobile DCHSpy surveillanceware malware has been reported in the wild. The activity is attributed to the Seedworm APT group (aka MuddyWater). DCHSpy has the functionality to collect and exfiltrate various data from the compromised devices including: stored contacts, SMS messages, local files, call logs, WhatsApp messenger data and more. | VIRUS | |
| 25.7.25 | Greedy Sponge threat group distributes AllaKore RAT and SystemBC malware to Mexican organizations | A financially-motivated threat group known as Greedy Sponge has been reported to conduct a new campaign spreading AllaKore RAT and SystemBC malware to Mexican organizations. | ALERTS | VIRUS |
| 25.7.25 | New ACR Stealer variant features updates aimed at detection evasion | ACR Stealer is a C++based infostealer variant that emerged on the threat landscape last year. A new campaign distributing this malware has been reported now in the wild. | VIRUS | |
| 25.7.25 | New wave of extortion scam: "Hitman" threaten acid attacks in exchange for Litecoin | Lately, Symantec has observed a sudden theme change in extortion scam emails. In general, these emails make use of threatening language in order to extort money from the recipients. Scammers appear to have kicked off a new extortion scam campaign by imposing as professional hitmen offering services such as destruction to property or injury. | CRYPTOCURRENCY | |
| 25.7.25 | CVE-2025-53770 - Critical SharePoint Zero-Day vulnerability exploited in the wild | Microsoft has patched a zero-day vulnerability in SharePoint following reports of its exploitation in the wild. The vulnerability (CVE-2025-53770), dubbed ToolShell, affects on-premises SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems. | VULNEREBILITY | |
| 19.7.25 | Scanception: A sophisticated QR Code phishing campaign | A phishing campaign dubbed Scanception has been observed targeting organizations in key sectors such as healthcare, finance and others. The attack begins with phishing emails containing PDF attachments that appear legitimate but include embedded QR codes. | PHISHING | |
| 19.7.25 | SquidLoader malware targets financial institutions | A new campaign leveraging SquidLoader malware for malicious payload delivery has been reported to target financial institutions in Hong Kong, Singapore, China and Australia. The attack chain is initiated via targeted malspam disguised as invoice related correspondence. | CAMPAIGN | |
| 19.7.25 | KawaLocker Ransomware | KawaLocker (aka KAWA4096) is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends random extensions to the locked files. Ransom note is dropped in form of a text file called “!!Restore-My-file-Kavva.txt” with the victims asked to contact the attackers via the Tox messenger for further instructions. | RANSOM | |
| 19.7.25 | Matanbuchus 3.0 | A newer version of the Matanbuchus malware loader has been observed in the wild. Recent attacks notably exploit Microsoft Teams’ external call feature, with attackers impersonating IT support staff to trick victims into running malicious PowerShell scripts disguised as a Notepad++ updater. | ALERTS | VIRUS |
| 19.7.25 | New Lcrypt0rx ransomware variant observed in campaigns also delivering H2miner malware | According to the latest report from Fortinet, a new H2miner malware campaign has been found to overlap with Lcrypt0rx ransomware deployments. Lcrypt0rx is a VBScript-based variant that appends .lcryx extension to the encrypted files. | RANSOM | |
| 17.7.25 | Emmenhtal leveraged by MaaS operators in recent campaigns | In a recent report published by Cisco Talos, researchers highlighted recent campaigns that used Emmenhtal to deliver various payloads. One campaign included the Emmenhtal loader contained within a phishing mail archive attachment, while another hosted Emmenhtal on various GitHub repositories to deliver the Amadey payload. | CAMPAIGN | |
| 17.7.25 | New wave of Tech Support Scams exploits legitimate chat platforms and uses brand impersonation | Tech/Fund Support scam techniques are continuously evolving to appear more legitimate. Previously, scammers included phone numbers in phishing emails, relying on victims to initiate contact. | SPAM | |
| 17.7.25 | DeadLock Ransomware | Another ransomware actor known as "DeadLock" has been observed making the rounds. Upon successful compromise, encrypted files are appended with a .dlock extension. At this time, it is unconfirmed whether the actor engages in double-extortion tactics (i.e., threatening to sell data if the ransom is not paid). | RANSOM | |
| 17.7.25 | XWorm disguised as Epstein Files | Amid renewed public interest in the Epstein case and debates around the release of related files, cybercriminals are leveraging this topical news for social engineering lures. One actor has been observed spreading XWorm, a known commodity malware often sold on Telegram channels and underground forums, disguised as fake Epstein files (Epstein files2.exe). | ALERTS | VIRUS |
| 17.7.25 | Many branches in the AsyncRAT tree | A recently published report highlights the extensive branching of derivative RATs traceable to AsyncRAT. AsyncRAT is a highly modular Remote Access Trojan that fundamentally allows an attacker to control a compromised system. | VIRUS | |
| 17.7.25 | Octalyn Stealer Targets Crypto, VPNs, and Browser Data via Deceptive Forensic Toolkit | Octalyn Stealer is a sophisticated new malware masquerading as a legitimate forensic toolkit on GitHub. Designed for large-scale data theft and exfiltration, it illicitly targets sensitive user data, including VPN configurations, browser credentials (passwords, cookies, auto-fill, browsing history), and critical cryptocurrency wallet information for Bitcoin, Ethereum, Litecoin, and Monero. | VIRUS | |
| 17.7.25 | Konfety mobile malware | Konfety is a mobile malware variant identified in a recent distribution campaign. The malware employs an unique technique of malforming the file ZIP structure in an effort to avoid detection and forensic analysis. | ALERTS | VIRUS |
| 17.7.25 | CVE-2025-52488 - DNN platform vulnerability | CVE-2025-52488 is a recently disclosed vulnerability affecting DNN Platform, which is an open-source web content management system (CMS) based on the .NET Framework. | VULNEREBILITY | |
| 17.7.25 | New mobile crypto-stealing malware SparkKitty | A new mobile crypto-stealing malware, SparkKitty, has infiltrated Android and iOS devices via Google Play and the Apple App Store. | VIRUS | |
| 17.7.25 | WeevilProxy malware targets cryptocurrency users | WeevilProxy is a new malware variant observed to be targeting prevalently cryptocurrency users. The campaigns' main propagation relies on arbitrary advertising campaigns via Google ads or miscellaneous social networks. | CRYPTOCURRENCY | |
| 17.7.25 | Global - a new BlackLock ransomware variant | Global is a new ransomware variant believed to be a rebrand of the BlackLock ransomware strain. According to the report published by the EclecticIQ researchers, the malware is sold as part of a Ransomware-as-a-Service (RaaS) offering by the threat actors previously associated with an older ransomware family known as Mamona. | ALERTS | RANSOM |
| 17.7.25 | Interlock RAT via FileFix scheme | A newly observed Interlock RAT variant is being delivered through PHP scripts, marking a shift from previous JavaScript-based methods. | VIRUS | |
| 17.7.25 | New variant of macOS malware ZuRu observed in the wild | Researchers have observed a new macOS-based ZuRu malware variant being spread in the wild. The malware is distributed via trojanized macOS application bundles and it is leveraging the open-source Khepri framework for performing post-infection activities. | VIRUS | |
| 17.7.25 | Web Injection Campaign: JSFireTruck | Palo Alto Networks Unit 42 has uncovered a large-scale campaign, dubbed JSFireTruck, that injects heavily obfuscated JavaScript into legitimate websites. | HACKING | |
| 17.7.25 | Amos Stealer Adds Backdoor | In a significant shift, researchers have observed that Atomic macOS Stealer (AMOS) has added a persistent backdoor to its payload, enabling long-term remote access to infected Macs. | VIRUS | |
| 17.7.25 | Sainbox RAT delivered via fake software installers | A new campaign delivering a variant of Gh0stRAT dubbed Sainbox RAT via fake software installers have been reported in the wild. The attackers masquerade the malware binaries as apps well known in China such as DeepSeek, Sogou or WPS Office. | CAMPAIGN | |
| 17.7.25 | Cloudflare temporary tunnels used to serve up payloads | A recently observed campaign leverages legitimate cloud services like TryCloudflare to host and deliver highly evasive RATs such as AsyncRAT, XWorm, VenomRAT, and Remcos. | CAMPAIGN | |
| 17.7.25 | SafePay ransomware | SafePay is a ransomware variant initially discovered back last year. Over the time the attackers behind this strain have been reported to compromise over 200 victims across various sectors. | RANSOM | |
| 17.7.25 | Mobile Threat: Qwizzserial | In mid-2025, researchers observed a sharp rise in Qwizzserial, a newly discovered Android malware designed to steal banking credentials and intercept SMS-based two-factor authentication codes. | VIRUS | |
| 12.7.25 | CVE-2025-47812 – Wing FTP Server vulnerability exploited in the wild | CVE-2025-47812 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Wing FTP Server, which is a cross-platform file transfer software. | ALERTS | VULNEREBILITY |
| 12.7.25 | New Pay2Key ransomware campaign leverages I2P network | A ransomware-as-a-service (RaaS) operation distributing a new variant of the Pay2Key malware has been reported in the wild. Dubbed as Pay2Key.I2P the campaign has been linked to the activities of the Fox Kitten APT group. | RANSOM | |
| 12.7.25 | Malicious scripts lead to XWorm RAT | Campaigns distributing the XWorm remote access trojan often leverage various scripting languages. The most frequently observed malicious scripts include batch files, and those written in Visual Basic, JavaScript, and PowerShell. | VIRUS | |
| 12.7.25 | Phishing Campaign Masquerades as "Ordre des Experts-Comptables" Document | Symantec has observed a phishing campaign leveraging a deceptive HTML attachment disguised as an official document from l’Ordre des Experts-Comptables, the French national order of chartered accountants. | CAMPAIGN | |
| 9.7.25 | NordDragonScan infostealer | NordDragonScan is a new Windows-based infostealing malware variant identified by the researchers from Fortinet. Recently observed campaigns leverage malicious .HTA files in order to deliver infostealing payload to the intended victims. | ALERTS | VIRUS |
| 9.7.25 | RondoDox botnet | RondoDox is new botnet identified recently by the researchers from Fortinet. RondoDox has been reported to leverage two high severity vulnerabilities for spreading: CVE-2024-3721 and CVE-2024-12856. | BOTNET | |
| 9.7.25 | Datebug APT attacks against BOSS Linux systems | Datebug threat group (also known as APT36 or Transparent Tribe) has been reported to conduct a new campaign targeting the BOSS Linux systems. | APT | |
| 9.7.25 | NimDoor - a Nim-based malware for macOS | NimDoor is a newly identified macOS malware variant for the macOS platform. Compiled in the Nim programming language, the malware targets Web3 and Cryptocurrency-related platforms. The attackers leverage social engineering tactics to approach their victims. | VIRUS | |
| 6.7.25 | Malicious Abuse of ConnectWise (ScreenConnect) | Over the past several months, we have observed a sharp increase in the malicious use of the popular Remote Monitoring and Management (RMM) tool ConnectWise by ransomware operators, Initial Access Brokers, APTs, and other eCrime actors. | APT | |
| 6.7.25 | Remcos malspam campaign starts with a tar archive | A recently observed Remcos campaign began with a malicious email containing a .tar archive attachment. The archive contains a .lnk file which launches PowerShell to download the Remcos payload. | CAMPAIGN | |
| 6.7.25 | Janela RAT delivered in a recent campaign | Janela RAT (Remote Access Trojan) is a modified variant of a malware known as BX RAT. Janela RAT has been previously seen spread in campaigns targeting banking users from the LATAM region. | VIRUS | |
| 6.7.25 | Blackmoon’s expanding arsenal | The Blackmoon banking trojan, known for targeting users of online financial services, particularly in South Korea, has evolved into a more deceptive and multi-functional threat. | VIRUS | |
| 6.7.25 | DEVMAN - a new DragonForce ransomware variant | DEVMAN is a new customized ransomware variant from the DragonForce malware family. The malware encrypts data and appends .DEVMAN extension to locked files. | RANSOM | |
| 6.7.25 | GIFTEDCROOK malware upgraded for document theft via Telegram | An enhanced version of the GIFTEDCROOK malware, operated by the UAC-0226 threat group has been reported, marking a significant upgrade from its earlier capabilities first observed in February 2025. | VIRUS | |
| 2.7.25 | Braodo infostealer hosts downloaded components on GitHub | A recently observed campaign involving Braodo stealer malware leveraged GitHub to house multiple components downloaded in the attack chain. | ALERTS | VIRUS |
| 2.7.25 | CVE-2025-4322: WordPress Motors theme privilege escalation vulnerability | CVE-2025-4322 is a critical unauthenticated privilege escalation vulnerability (CVSS 9.8) affecting the WordPress Motors theme in versions up to 5.6.67. | VULNEREBILITY | |
| 2.7.25 | EmailJS and HubSpot Abused in CCMA Phishing Scheme | A new phishing campaign is circulating under the guise of a legal summons from South Africa’s Commission for Conciliation, Mediation and Arbitration (CCMA), leveraging urgency and fear to pressure recipients into action. | PHISHING | |
| 28.6.25 | Lotus V2 loader malware leveraged by the Lotus Spider threat group | A new campaign leveraging the Lotus V2 loader and attributed to the Lotus Spider threat group has been reported in the wild. The attack chain makes use of fake CAPTCHA-based delivery tactics leading the victims to execution of PowerShell scripts which in turn download and run malicious .MSI installers. | VIRUS | |
| 28.6.25 | Software Being Repackaged for Malware Delivery | Researchers have uncovered a rising trend where cybercriminals repackage legitimate commercial software (examples: SonicWall’s SSL VPN NetExtender) to deliver infostealers. | VIRUS | |
| 27.6.25 | Dire Wolf Ransomware | Dire Wolf is a new ransomware threat group discovered in the wild. The attackers have been focusing their efforts mostly on manufacturing and technology sectors. | RANSOM | |
| 27.6.25 | Open-source tools leveraged in attacks targeting the financial sector in Africa | Researchers from Palo Alto have recently reported on an ongoing campaign targeting financial institutions across Africa. The attackers are distributing various open-source tools often advertised as penetration testing or remote administration utilities including PoshC2, Chisel or Classroom Spy. | CAMPAIGN | |
| 27.6.25 | Prometei Botnet evolves with Self-Updating Linux variants | As per the latest report by Palo Alto Networks’ Unit 42, the Prometei botnet has resurfaced with enhanced capabilities, particularly in its Linux variants (v3 and v4). Known for mining Monero and stealing credentials, Prometei has adopted a self-update mechanism and a domain generation algorithm (DGA) to bolster its resilience and maintain persistent C2 connectivity, even if existing domains are taken down. | BOTNET | |
| 27.6.25 | NightSpire Ransomware | Between March and June 2025, NightSpire ransomware actors claimed responsibility for attacks affecting 64 entities across 33 countries, with a globally dispersed victim base. | RANSOM | |
| 25.6.25 | Wedding Invite scam deploys SpyMax RAT on Indian Android devices | An Android phishing campaign dubbed “Wedding Invitation” has been observed targeting mobile users across India by distributing spyware-laced APK files via WhatsApp and Telegram. | VIRUS | |
| 25.6.25 | Python-based ransomware variant spread in a recent campaign | As reported by researchers from Tinexta, a new campaign spreading a Python ransomware variant has been observed in the wild. The attackers make use of publicly accessible GitHub repositories to host the malicious .ISO binaries . | RANSOM | |
| 25.6.25 | PylangGhost - a new Python-based Remote Access Trojan | PylangGhost is a new RAT (Remote Access Trojan) variant discovered recently by the researchers from Cisco Talos. As the name suggests the malware is written in Python and shares some code similarities and functionalities with an older RAT strain known as GolangGhost. | VIRUS | |
| 25.6.25 | Shadow Vector: SVG Smuggling campaign targets Colombian users | A phishing malware campaign dubbed Shadow Vector has been reported, targeting users in Colombia through malicious SVG files disguised as urgent court notifications. | CAMPAIGN | |
| 21.6.25 | Amatera Stealer | Amatera is a recently identified infostealer variant believed to be an evolution of the older ACR Stealer malware. It has been reported as being offered for sale via the malware-as-a-service (MaaS) model. | VIRUS | |
| 21.6.25 | CVE‑2025‑49113 – Post‑Auth Remote Code Execution vulnerability in Roundcube | CVE-2025-4123 is a recently disclosed critical (CVSS score 9.9) Post‑Auth Remote Code Execution (RCE) vulnerability affecting Roundcube, which is a free and open-source webmail application. | VULNEREBILITY | |
| 21.6.25 | Discord Vanity Link Flaw Exploited in New Malware Campaign Dropping AsyncRAT and Skuld Stealer | A new sophisticated malware campaign aimed at financial gain from cryptocurrency users is exploiting a subtle weakness in Discord's invitation system to distribute an information stealer called Skuld and the AsyncRAT. Targeted victims have been identified primarily in Austria, France, Germany, Slovakia, Vietnam, the Netherlands, the United States, and the United Kingdom. | EXPLOIT | |
| 21.6.25 | Stargazers malware campaign targets Minecraft players via fake mods | A large-scale malware campaign operated by the Stargazers Ghost Network is actively targeting Minecraft players, according to a recent report from Checkpoint. | CAMPAIGN | |
| 21.6.25 | Modified XWorm RAT distributed through trojanized MSI | A China-linked threat actor distributing a trojanized MSI installer posing as a WhatsApp setup to deliver a customized XWorm Remote Access Trojan (RAT) has been reported targeting users in East and Southeast Asia. | VIRUS | |
| 21.6.25 | New variant of the Godfather mobile malware employs virtualization techniques | A new variant of the Godfather Android banking malware has been discovered in the wild. The malware leverages on-device virtualization techniques to hijack several legitimate applications. | ||
| 21.6.25 | CVE-2023-0386 - Linux Kernel Improper Ownership Management vulnerability exploited in the wild | CVE-2023-0386 is a high severity (CVSS score 7.8) Improper Ownership Management vulnerability affecting the Linux Kernel. | VULNEREBILITY | |
| 21.6.25 | FIN7-linked GrayAlpha uses PowerShell loaders and TDS to spread NetSupport RAT | GrayAlpha, a cybercriminal group associated with FIN7, has been reported conducting a sophisticated malware campaign using multiple infection vectors to distribute NetSupport RAT via custom PowerShell loaders, PowerNet and MaskBat. | APT | |
| 21.6.25 | New Librarian Ghouls Campaign | A new cyber espionage campaign by APT group "Librarian Ghouls" (also known as Rare Werewolf and Rezet) was observed targeting organizations primarily in Russia, Belarus and Kazakhstan focusing on industrial organizations and engineering schools, along with sectors like rocket, aviation, space, defense, and petrochemical industries. | CAMPAIGN | |
| 21.6.25 | HijackLoader campaign delivers DeerStealer payload | A recent campaign leveraging the HijackLoader malware has been observed to distribute the DeerStealer malicious payload. | CAMPAIGN | |
| 21.6.25 | Threat Actors Abuse Paste.ee and use Unicode Deception to Deploy XWorm RAT | A sophisticated malware campaign initiated by a deceptively named JavaScript file designed to download a malicious payload was observed. | VIRUS | |
| 21.6.25 | XDSpy campaign employs whitespace-obfuscated LNK files | A new XDSpy malware campaign, attributed to the SadFuture threat actor, has been observed targeting Eastern European and Russian government entities. | VIRUS | |
| 21.6.25 | Financial communications lead to malware downloads for Taiwanese users | A threat actor has been targeting users in Taiwan through campaigns masquerading as communications from official financial entities. | VIRUS | |
| 21.6.25 | CVE-2025-48828 - a new vBulletin RCE vulnerability | CVE-2025-48828 is a recently disclosed critical (CVSS score 9.0) template engine vulnerability affecting vBulletin, which is a commercial forum software platform. | VULNEREBILITY | |
| 21.6.25 | MintsLoader Malware Campaign Hits Italian PEC Users | A new MintsLoader malware campaign has targeted Italy, showcasing the attacker's strategy of adapting to the local Italian work calendar. | VIRUS | |
| 21.6.25 | Pickai Backdoor | A new backdoor malware dubbed Pickai (AI Pickpocket) has been observed spreading through vulnerabilities in the popular ComfyUI framework. Written in C++, Pickai spreads through innocuous-looking configuration files like JSON and TMUX settings. | VIRUS | |
| 21.6.25 | Hackers Weaponize Legitimate 'Netbird' Tool in Phishing Campaign Targeting CFOs | A new fake recruiter spear-phishing campaign has been observed targeting high-level financial executives at banks, energy companies, insurers, and investment firms across Africa, Canada, Europe, the Middle East, and South Asia. | PHISHING | |
| 21.6.25 | CVE-2025-4123 - Grafana XSS and Full-Read SSRF vulnerability | CVE-2025-4123 is a recently discovered high severity (CVSS score 7.6) open redirect vulnerability affecting Grafana, which is an open-source data visualization platform. | VULNEREBILITY | |
| 13.6.25 | CyberEye RAT | CyberEye is a modular Remote Access Trojan that relies on Telegram for its C2 communications. Using a publicly available builder, its implants can be customized to include features like anti-analysis, cryptocurrency hijacking, and persistence. | VIRUS | |
| 13.6.25 | Spectra Ransomware | Spectra is a new ransomware variant found in the wild just this year. The malware belongs to the well known Chaos ransomware family. | RANSOM | |
| 13.6.25 | Stealth Falcon exploits Zero-Day Vulnerability CVE-2025-33053 | As reported by Check Point, the APT group Stealth Falcon has been observed exploiting a zero-day vulnerability (CVE-2025-33053) in a new malware campaign. | VULNEREBILITY | |
| 13.6.25 | Unusual Fog ransomware activity | In a recent report, the Symantec and Carbon Black Threat Hunter Team analyzed a Fog ransomware attack that targeted a financial institution in Asia. | RANSOM | |
| 13.6.25 | FIN6 abuses Job Portals and Cloud Infrastructure to evade detection | A malware campaign attributed to the threat actor FIN6, posing as job applicants on platforms like LinkedIn and Indeed, has been observed in the wild. Once a target is lured, the threat actor sends phishing emails containing non-clickable URLs that lead to cloud-hosted “resume” sites on AWS. | GROUP | |
| 13.6.25 | Chinese threat actor groups target cybersecurity vendor |
According to a recent report from SentinelLabs, China-backed
threat actors have deployed ShadowPad and PurpleHaze malware in global
campaigns.
|
GROUP | |
| 13.6.25 | Myth Stealer malware | Myth is a new Rust-based infostealing malware discovered recently in the wild. The malware has been previously advertised on various Telegram groups and lately reported as being distributed via fraudulent gaming websites and online portals offering software cracks, among others. | VIRUS | |
| 11.6.25 | Exploitaiton of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution | New campaigns distributing variants of the popular Mirai botnet have been reported in the wild. The attackers have been exploiting critical (CVSS score 9.9) CVE-2025-24016 deserialization vulnerability affecting Wazuh Server which might allow for a remote code execution on the vulnerable devices. | BOTNET | |
| 11.6.25 | Datarip - a new MedusaLocker ransomware variant | Datarip ransomware is a new malware strain from the MedusaLocker ransomware family recently seen in the wild. The malware encrypts sensitive data while appending ".datarip" extension to the locked files. | RANSOM | |
| 11.6.25 | DuplexSpy RAT | DuplexSpy is a new Remote Access Trojan (RAT) variant identified in the wild. The malware is written in C#, has modular architecture and uses DLL injection technique for in-memory payload execution. | VIRUS | |
| 11.6.25 | DragonClone malicious operation | DragonClone is a new malicious campaign identified in the wild. The attackers have been targeting the Chinese Telecom Industry and distributing Veletrix and VShell malware implants as payloads. | OPERATION | |
| 11.6.25 | Golden Piranha - a new banking threat | Golden Piranha is the name of an emerging banking trojan identified by the researchers from SCILabs. The malware is leveraging Google Chrome browser extensions in order to steal banking related inputs from miscellaneous banking website forms. | ||
| 7.6.25 | Interlock ransomware group deploys a new RAT named "NodeSnake" | Interlock ransomware group has been observed deploying a new RAT named "NodeSnake" and targeting educational institutions. | RANSOM | |
| 7.6.25 | APT41 using custom malware "TOUGHPROGRESS" to exploit Google Calendar | Threat Actor group APT41 has been observed using custom malware named TOUGHPROGRESS, which leverages Google Calendar events as its C2 channel, allowing it to hide malicious commands in seemingly benign public calendar entries. | APT | |
| 7.6.25 | Cheating in games might get you Blitz'ed | Blitz is a multi-stage malware composed of downloader and botnet components. A recent report by researchers at Palo Alto Networks provides details of campaigns attempting to proliferate this malware | VIRUS | |
| 7.6.25 | Android malware targets users in India by pretending to be a government app | In some recently observed malicious activity, a fake government application was found to be targeting Android users in India. | VIRUS | |
| 7.6.25 | Chaos RAT malware | A new Golang-based 5.0.3 variant of the Chaos RAT (Remote Access Trojan) has been recently discovered in the wild. | VIRUS | |
| 7.6.25 | Increased activity of DCRAT malware in Latin America | DCRAT (aka Dark Crystal RAT) is a modular RAT (Remote Access Trojan) offered for sale in form of Malware-as-a-Service (MaaS) model for last several years. | VIRUS | |
| 7.6.25 | AMOS malware for macOS spread via Clickfix social engineering techniques | A new campaign delivering the AMOS malware for macOS has been reported to leverage Clickfix social engineering techniques. | VIRUS | |
| 7.6.25 | Fake CAPTCHAs deliver multi-stage PowerShell downloaders | CAPTCHAs are used to determine whether a website visitor is human versus a bot. Malware campaigns have introduced fake CAPTCHAs into the attack chain to encourage interaction by the proposed victim. ClickFix is a name often given to such behavior. | VIRUS | |
| 7.6.25 | ViperSoftX activities continues via fake software | According to recent reports ViperSoftX continues to circulate widely across the globe, with a noticeable uptick in South Korea. | VIRUS | |
| 7.6.25 | CVE-2025-27920 - Srimax Output Messenger Directory Traversal vulnerability | CVE-2025-27920 is a recently discovered directory traversal vulnerability affecting Srimax Output Messenger software. | VULNEREBILITY | |
| 4.6.25 | New campaigns delivering Crocodilus mobile malware | A new variant of the Crocodilus mobile malware has been spread in recent campaigns targeting users in Europe and South America. | CAMPAIGN | |
| 4.6.25 | CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability | CVE-2023-38950 is a path traversal vulnerability affecting ZKTeco BioTime which is a web-based time and attendance management software. | VULNEREBILITY | |
| 4.6.25 | Exploiting the hype around popular AI tools to distribute various malware via fraudulent installers | Threat Actors are exploiting the hype around AI to distribute various malware strains. By capitalizing on the public's eagerness to access popular AI tools (such as ChatGPT, Copilot, DALL-E, Gemini, Midjourney, and Sora) Threat Actors are creating convincing but fraudulent installers. | AI | |
| 4.6.25 | Telegram-Based Email Credential Theft – Fake FedEx Invoice Campaign | Shipping companies are frequently exploited in social engineering attacks due to their global recognition, trusted brand image, and association with package notifications, invoices, and delivery updates—topics that easily trigger urgency, curiosity, and user interaction. These characteristics make them prime targets for phishing and credential theft campaigns. | CAMPAIGN | |
| 4.6.25 | EddieStealer delivered through ClickFix | EddieStealer is a Rust-based information stealer malware which has recently been observed as the payload of ClickFix campaigns. | VIRUS | |
| 4.6.25 | Latest PureHVNC RAT deployment campaigns | New campaigns delivering the PureHVNC RAT have been reported in the wild. The threat actors conduct multi stage operations and make use of miscellaneous components in their attacks including malicious .lnk files, PowerShell code, JavaScript, AutoIt, etc. | CAMPAIGN | |
| 4.6.25 | Python-based Lyrix Ransomware | Lyrix ransomware is a new Python based ransomware discovered in underground forums. It behaves in a manner similar to most current ransomware families | RANSOM | |
| 4.6.25 | New Katz Stealer malware-as-a-service compromises Web browsers | Katz Stealer operates as a multi-feature credential-stealing Malware-as-a-Service, designed for extensive system reconnaissance and data theft. It targets a vast array of sensitive information, including saved passwords, cookies, and session tokens from popular web browsers (Chrome, Edge, Brave, Firefox), cryptocurrency wallet files, and private keys via keyword matching. | VIRUS | |
| 4.6.25 | Earth Lamia exploits various SQL injection vulnerabilities | APT threat actor Earth Lamia exploits vulnerabilities in web applications to gain access to organizations, using various SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations for data exfiltration. | APT | |
| 4.6.25 | Recent VenomRAT activity |
A recent activity attributed to the VenomRAT malware has
been spotted in the wild. Malware is spread from a phishing website
disguised as AV software download page.
|
VIRUS | |
| 4.6.25 | PumaBot - a new botnet on the rise | PumaBot is a new Go-based botnet strain identified recently in the wild. Unlike some more common botnet variants, PumaBot does not rely on scanning the Internet for vulnerable devices but instead targets very specific ones via a list of IP addresses retrieved from the attacker C2 servers. | BOTNET | |
| 4.6.25 | Zanubis mobile malware latest activity | Zanubis is an Android banking malware active in the threat landscape since at least 2022. The malware has been known to mostly target banks and financial entities in South America but also expanding over time and adding theft of virtual cards and cryptocurrency to its portfolio. | ||
| 4.6.25 | AsyncRAT malspam campaigns observed | We've recently observed some malspam campaigns leveraging multiple downloads, starting with box.com, to deliver an AsyncRAT payload. | VIRUS | |
| 4.6.25 | Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress | Fancy Bear (aka APT28, Sofacy, Pawn Storm, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127) is a Russian Threat Actor group that uses spearphishing to deliver SpyPress, a malicious JavaScript payload, by exploiting cross-site scripting (XSS) vulnerabilities in webmail interfaces to exfiltrate sensitive email data from high-value webmail servers. | ALERTS | PHISHING |
| 4.6.25 | Bofamet Stealer malware | Bofamet is a new Python-based infostealer found in the wild. The malware collects miscellaneous information from the compromised endpoints including: credentials, system information, browser cookies, Telegram session data, Discord tokens, screenshots, Steam configuration files, etc. | VIRUS | |
| 28.5.25 | AppleProcessHub infostealer for macOS | AppleProcessHub is the name of a new infostealer variant targeting the macOS platform and masquerading as a system process. | VIRUS | |
| 28.5.25 | Swan Vector APT campaign | A newly APT campaign, dubbed “Swan Vector” has been targeting East Asian nations, particularly Japan and Taiwan. | APT | |
| 28.5.25 | StarFire Ransomware Demands $3,000 in Bitcoin | A group or individual calling themselves "StarFire" has recently emerged in the threat landscape, targeting individual machines with ransomware. | RANSOM | |
| 28.5.25 | DoubleLoader malware | DoubleLoader is a new malware family recently identified in the wild. Its' main functionality, similarly to other loader variants, is to retrieve malicious payloads from attacker-controlled servers and to execute them on the compromised endpoints | VIRUS | |
| 28.5.25 | Another Fake CAPTCHA campaign leads a range of stealers and RATs | There have been reports of another campaign involving fake CAPTCHA pages to deceive users into executing malicious commands via the Windows Run dialog. | ALERTS | VIRUS |
| 23.5.25 | Vidar and StealC infostealers delivered via social engineering | A new campaign distributing Vidar and StealC infostealers variants has been reported by the researchers from Trend Micro. The attackers are leveraging social engineering techniques with the use of TikTok videos in an attempt to entice users into running arbitrary PowerShell commands. | VIRUS | |
| 23.5.25 | Dero cryptominer delivered to vulnerable Docker containers | A new campaign delivering a Dero cryptocurrency miner to vulnerable Docker containers has been reported in the wild. While abusing exposed Docker APIs the attackers inject two malware components called “nginx” and “cloud”. The deployed cryptominer is written in Golang and based off an open-source DeroHE CLI miner project. | CRYPTOCURRENCY | |
| 23.5.25 | TetraLoader distributed in the UAT-6382 campaign | According to recent report from Cisco Talos, a new malicious activity dubbed UAT-6382 has been delivering a new malware called TetraLoader to its victims. The attackers have been leveraging a Cityworks RCE vulnerability (CVE-2025-0994) to get access to the targeted environments and perform the initial reconnaissance. | VIRUS | |
| 23.5.25 | Rhadamanthys delivered via phishing campaign | In a recently observed phishing campaign, we saw attackers attempting to deliver a Rhadamanthys stealer payload by way of a legal lure. Under the guise of a copyright infringement notification, the victim is encouraged to access a PDF for further details. | CAMPAIGN | |
| 22.5.25 | SideWinder APT using old Office Vulnerabilities | A new cyber-espionage campaign by APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers leverage spear-phishing lures paired with geofenced payloads to ensure that only victims in specific countries receives the malicious content. To activate the infection process and deploy the StealerBot malware a combined exploitation of old vulnerabilities (CVE-2017-0199 and CVE-2017-11882) takes place. | ALERTS | APT |
| 23.5.25 | GhostSpy Android malware | GhostSpy is a mobile malware variant recently seen being actively distributed in the wild. Similarly to other prevalent mobile malware strains, GhostSpy leverages Android Accessibility Services in order to sideload malicious .apk packages on the targeted devices. | VIRUS | |
| 23.5.25 | Fake KeePass installers distributed in attacks targeting ESXi environments |
KeePass is a popular open source password manager
application. Recently there have been reports about an ongoing campaign
distributing fake KeePass installers targeted at ESXi environments.
|
HACKING | |
| 23.5.25 | CVE-2024-7399 & CVE-2025-4632 - Samsung MagicINFO vulnerabilities | CVE-2024-7399 is an unauthenticated remote code execution (RCE) vulnerability affecting the Samsung MagicINFO 9 Server. The flaw enables attackers to upload malicious .jsp files via unauthenticated POST requests effectively allowing them to execute arbitrary OS commands as a result. | VULNEREBILITY | |
| 23.5.25 | Spoofed Japan's e-Tax email notifications appear in phish runs | E-Tax is the National Tax Agency's online tax website that helps to file tax returns and pay national corporation taxes. Recently, Symantec has observed phishing attempts mimicking e-Tax, enticing users to open fake notification emails. | PHISHING | |
| 23.5.25 | Malvertising lures victims to fake Kling AI website | Threat Actors use social media malvertising to lure victims to fake pages impersonating Kling AI platform. The campaign directs visitors to use the platform to create AI-generated images and videos. | AI | |
| 23.5.25 | Trojanized installer delivers Bumblebee loader | It was recently observed that the installer package for the RVTools application was trojanized with a Bumblebee loader dll. RVTools is free utility that collects and displays a multitude of information related to Virtual Machines in VMware environments. | VIRUS | |
| 23.5.25 | Russia-Ukraine conflict comes in picture in a new Binance phishing wave | Binance is one of the world's major cryptocurrency exchanges that allows users to buy, sell and trade various digital assets, including Bitcoin, Ethereum, and altcoins. Lately, Symantec has observed phish runs that impersonate Binance services and entices users to open fake notification emails. | PHISHING | |
| 16.5.25 | Stealthy Shellcode loader executes Remcos RAT in Fileless Attack Chain | A sophisticated fileless malware campaign has been observed leveraging PowerShell to deploy the Remcos RAT. The attack begins with malicious LNK files embedded in ZIP archives, often masquerading as Office documents. These trigger obfuscated VBScript via mshta.exe leading to the in-memory execution of a PowerShell script. | VIRUS | |
| 16.5.25 | Earth Ammit cyber espionage campaigns | The Threat Actor known as Earth Ammit launched two distinct cyber espionage campaigns (dubbed VENOM and TIDRONE) across Central Asia, Southeast Asia, and Eastern Europe. These campaigns strategically target government entities and critical infrastructure - such as software service providers and upstream vendors across several critical sectors, including heavy industry, media, technology, healthcare, and military. | CAMPAIGN | |
| 16.5.25 | TransferLoader malware | TransferLoader is a newly identified malware loader active since February 2025, consisting of three components: a downloader, a backdoor and a backdoor loader. It uses advanced evasion techniques such as anti-debugging, runtime string decryption and junk code insertion to avoid detection and complicate reverse engineering. | VIRUS | |
| 16.5.25 | New DarkCloud malware uses AutoIt obfuscation in targeted attacks | According to a report published by Palo Alto Networks Unit 42, a new variant of the DarkCloud Stealer malware has been observed primarily targeting government organizations worldwide. The attack typically begins with phishing emails containing either a RAR archive or a PDF which prompts victims to download a malicious archive disguised as a software update. | VIRUS | |
| 16.5.25 | Chihuahua Stealer malware | Chihuahua Stealer is a new .NET-based infostealer distributed via a multi-staged campaign. The attackers leverage malicious documents hosted on the Google Drive repository and malicious PowerShell scripts to initiate the infection chain. The final payload - Chihuahua Stealer is delivered from a OneDrive repository path and has the functionality to collect and exfiltrate various sensitive data from the compromised endpoints including system information, data stored in the system web browsers, cryptocurrency wallet information, etc. | VIRUS | |
| 16.5.25 | PupkinStealer: A .NET-based Malware | PupkinStealer, a .NET-based malware has been observed being distributed via phishing emails containing malicious attachments or links. Targeting Windows users, the malware is capable of stealing sensitive data from Chromium-based browsers, Telegram, Discord, email clients, clipboard contents and more. The stolen data is compressed into a ZIP archive and exfiltrated using the Telegram Bot API. | VIRUS | |
| 13.5.25 | BTMOB RAT | According to recent reports, BTMOB RAT has resurfaced and now aims to steal Alipay PINs by mimicking the app’s interface. It spreads via phishing sites disguised as popular services and uses fake apps to lure victims. | VIRUS | |
| 13.5.25 | Noodlophile Stealer spread under the disguise of fake AI tools | An infostealing variant dubbed Noodlophile Stealer has been recently distributed in campaigns leveraging lures of AI video generators. The attackers have been advertising their fake AI platforms via social media platforms. The users are first asked to upload either photos or video for the AI to enhance and then are served with a download link for the supposedly edited content. | VIRUS | |
| 13.5.25 | Astryrean Stealer malware | Astryrean Stealer is a new Python-based infostealer recently identified in the wild. The malware targets collection and exfiltration of a wide variety of confidential or sensitive information including: compromised system information, data stored in system web browsers, Discord tokens or screenshots, among others. | VIRUS | |
| 13.5.25 | More_eggs served by Venom Spider | In a recent campaign threat actor known as "Venom Spider" has been targeting corporate hiring managers and recruiters with a complex spear-phishing scheme that capitalizes on the need for such users to open email attachments or click on links to review an applicants resume . | CAMPAIGN | |
| 9.5.25 | Earth Kasha threat actor targets Taiwan and Japan in a recent campaign | As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file. | APT | |
| 9.5.25 | Deployment of RMM tools in malicious campaigns targeting Brazil | A new malicious campaign targeting users from Brazil has been reported by researchers from Cisco Talos. The attackers leverage a variety of commercial Remote Monitoring and Management (RMM) tools such as PDQ Connect and N-able remote access software. | VIRUS | |
| 9.5.25 | Mamona Ransomware |
Mamona Ransomware is a newly discovered threat in the
commodity ransomware landscape that operates entirely offline, with no
external communication or data exfiltration. The malware uses custom
encryption routines to encrypt user files, renaming them with the .HAes
extension.
|
RANSOM | |
| 9.5.25 | Mail campaign delivers Java-based RAT | A malicious email campaign was recently observed targeting organizations in Italy, Portugal, and Spain. The campaign leveraged a Spanish email service provider in an effort to legitimize the emails which contained a PDF attachment. | ||
| 9.5.25 | LZRD - the latest Mirai variant distributed in the wild | New campaigns distributing Mirai botnet have been reported in the wild. The malware exploits two command injection vulnerabilities affecting GeoVision IoT devices that have been disclosed last year - CVE-2024-6047 and CVE-2024-11120. | BOTNET | |
| 9.5.25 | CVE-2025-31324 - a critical SAP NetWeaver vulnerability | CVE-2025-31324 is a recently disclosed critical (CVSS score 10) unrestricted file upload vulnerability affecting the SAP NetWeaver Visual Composer. | VULNEREBILITY | |
| 9.5.25 | CVE-2025-32433 - Erlang/OTP SSH RCE vulnerability | CVE-2025-32433 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Erlang/OTP which is a set of libraries for the Erlang programming language. If successfully exploited, the flaw might allow unauthenticated attackers to gain access to affected Erlang/OTP SSH servers and execute arbitrary commands. | VULNEREBILITY | |
| 9.5.25 | Bert Ransomware | In April, a new ransomware actor known as "Bert" was observed operating in the wild and allegedly claimed several organizations as victims, including those in the Healthcare, Technology, and Event Services sectors across the US and Turkey. | RANSOM | |
| 9.5.25 | NETXLOADER - a new loader used by the Agenda ransomware group | In a recent report, details about a new malware loader named NETXLOADER have been shared. This loader, along with SmokeLoader, has been used in attacks perpetrated by the Agenda ransomware group. | VIRUS | |
| 9.5.25 | Threat Actors use Pahalgam attack in malicious campaign | In a strategic approach to exploiting current events threat actors target Indian government personnel using decoy documents referencing the recent Pahalgam attack in a malicious campaign. | VIRUS | |
| 9.5.25 | FormBook malware distributed via weaponized Word Docs | A recent attack beginning with phishing emails containing malicious MS Word documents as attachments has been observed. Social engineering plays a part in luring users to click on the weaponized attached document. | VIRUS | |
| 9.5.25 | Balloonfly ransomware group leveraged 0-day in attack | The Symantec Threat Hunter team recently observed activity which can be attributed to the Balloonfly attack group. This group is typically responsible for distributing Play ransomware. | VULNEREBILITY | |
| 9.5.25 | CVE-2025–34028: Commvault Command Center Path Traversal Vulnerability | CVE-2025-34028 is a critical vulnerability found in the Command Center installation, enabling remote attackers to execute arbitrary code without authentication. | VULNEREBILITY | |
| 9.5.25 | Notaires de France Impersonated in Telegram-based Phishing Campaign | Symantec has identified a credential phishing campaign leveraging malicious HTML that mimic official French notarial services – a professional body of state-appointed legal officers, known as notaires. It serves as a central information hub for legal matters in France involving notarized acts. | PHISHING | |
| 9.5.25 | StealC V2: Enhanced capabilities | An enhanced version of the popular information stealer, StealC, has been observed. It features an upgraded control panel, a streamlined JSON-based C2 communication protocol and expanded payload delivery options including MSI packages and PowerShell scripts. | VIRUS | |
| 9.5.25 | TerraStealerV2 and TerraLogger malware families | Two new malware families, TerraStealerV2 and TerraLogger, have been reported in the wild and are associated with the financially motivated threat group Golden Chickens. | VIRUS | |
| 9.5.25 | Tax season targeted by modified Stealerium Infostealer | As U.S. tax day approaches, threat actors have been observed exploiting the season by distributing a modified version of the Stealerium infostealer through phishing emails. Malicious LNK files, disguised as tax-related documents like tax forms lure users into executing a Base64-encoded PowerShell script. | ALERTS | VIRUS |
| 2.5.25 | MintsLoader: The loader powering TAG-124’s targeted campaigns | MintsLoader, a sophisticated loader first observed in 2024, is extensively used by TAG-124, more than by any other threat actor to deploy malicious payloads such as GhostWeaver, StealC and a modified BOINC client. These attacks primarily target sectors including industrial, legal and energy. | VIRUS | |
| 2.5.25 | Discovery Bank Impersonated in FICA-Themed Smishing Scam | Discovery Bank, a well-known digital bank in South Africa, has had its brand abused by a group or individual in a recent smishing campaign aimed at harvesting mobile users' banking credentials. The attack begins with a malicious SMS that leverages FICA (Financial Intelligence Centre Act in South Africa) compliance as a lure. | PHISHING | |
| 2.5.25 | ClickFix social engineering tactic being used by various APT groups | ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms. | APT | |
| 2.5.25 | Iranian threat actor targeted critical Middle Eastern infrastructure | Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East. | APT | |
| 2.5.25 | Spear phishing campaign targets WUC with trojanized Uyghur Text Editor | A spear phishing campaign delivering surveillance malware targeting high profile members of the World Uyghur Congress (WUC) has been reported. As part of the attack a trojanized version of a legitimate Uyghur language text editor to gain remote access, collect system information, and manipulate files. | PHISHING | |
| 2.5.25 | Pentagon Stealer | Pentagon Stealer is a recently identified malware strain built using both Python and Golang, engineered to exfiltrate a broad array of sensitive information. It primarily targets browser credentials, cookies, cryptocurrency wallet data and authentication tokens from apps like Discord and Telegram. | VIRUS | |
| 2.5.25 | Hannibal Infostealer | Hannibal Infostealer is a sophisticated malware observed in the wild, rebranded from the Sharp and TX stealer families. Developed in C#, it targets both Chromium and Gecko-based browsers, extracting sensitive data while bypassing browser protection. | VIRUS | |
| 2.5.25 | TypeLib hijacking via Teams | A Microsoft Teams phishing campaign was found to spread a unique PowerShell backdoor in recent attacks. The Threat Actor known as Storm-1811 initiates the attack by employing social engineering tricks on a targeted employee via Microsoft Teams chat, posing as internal IT support staff. | PHISHING | |
| 2.5.25 | Gremlin Stealer | Gremlin Stealer is a new C#-based malware variant recently discovered by the researchers from Palo Alto. Gremlin Stealer is currently advertised for sale via Telegram channels. | VIRUS | |
| 2.5.25 | CVE-2025-24054 - NTLM vulnerability exploited in the wild | CVE-2025-24054 is a recently disclosed vulnerability related to NTLM (New Technology LAN Manager) hash disclosure via spoofing. With help of crafted .library-ms files, an unauthorized attacker might be able to perform spoofing over the network. | ALERTS | VULNEREBILITY |
| 29.4.25 | CVE-2025-3928 - Commvault Web Server vulnerability | CVE-2025-3928 is a recently disclosed unspecified vulnerability affecting Commvault Web Server. If successfully exploited, the flaw could enable remote, authenticated attackers to gain unauthorized access to the vulnerable systems and allow them for deployment and execution of arbitrary webshells. | VULNEREBILITY | |
| 29.4.25 | ELENOR-corp - a new Mimic ransomware variant | ELENOR-corp is a new ransomware variant from the Mimic malware family just recently identified in the wild and reported to be targeting the healthcare sector. The attackers have been also leveraging a persistent Clipper malware as well as a Python-based infostealer during the activities preceding the ransomware payload deployment. | RANSOM | |
| 29.4.25 | Multi-Stage malware campaign targeting South Korean entities linked to Konni APT | A sophisticated multi-stage malware campaign potentially linked to the North Korean Konni APT group has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut which executes an obfuscated PowerShell script designed to download and run additional malicious payloads. | APT | |
| 29.4.25 | RevolverRAT targeting users with malicious emails | RevolverRAT, a newly disclosed Remote Access Trojan is initially spread via targeted emails in the recipient's native language claiming to be a copyright claim that needs to be addressed. The emails request that users click a link which results in an installation of software vulnerable to DLL side-loading attacks. | VIRUS | |
| 29.4.25 | DslogdRAT malware distribution | A recent campaign spreading DslogdRAT malware has been targeting organizations in Japan as reported by JPCERT. The attackers have been exploiting a vulnerability in Ivanti Connect Secure (CVE-2025-0282) to deliver the malicious payloads. DslogdRAT has the functionality to execute arbitrary commands received from the C2 servers (according to the hardcoded configuration data). | VIRUS | |
| 29.4.25 | Spoofed Driver and Vehicle Licensing Agency (DVLA) email notifications appear in phish runs | The Driver and Vehicle Licensing Agency (DVLA) is British government's organization responsible for maintaining records of drivers in Great Britain and vehicles for entire United Kingdom. Recently, Symantec has observed phishing attempts mimicking DVLA, enticing users to open fake notification emails. | PHISHING | |
| 29.4.25 | China-linked threat actors exploit NFC Tech | China-linked threat actors are exploiting NFC technologies for fraudulent activities targeting financial institutions worldwide, causing significant losses. Sophisticated tools like Z-NFC and King NFC are used to facilitate illegal transactions. These tools leverage Near Field Communication (NFC) technology, which is essential for contactless payments and applications relying on Host Card Emulation (HCE). | EXPLOIT | |
| 29.4.25 | AsyncRAT malware campaign using Cloudflare Tunnels | A malware campaign using Cloudflare tunnels to deploy AsyncRAT has been reported. The attack vector starts with a phishing email containing a malicious .ms-library file which when opened downloads a PDF shortcut (LNK file) that triggers a series of scripts. | VIRUS | |
| 29.4.25 | Ammyy Admin and PetitPotato deployed in targeted MS-SQL Server attacks | An emerging threat campaign targeting poorly managed MS-SQL servers has been observed, aiming to deploy Ammyy Admin and PetitPotato malware for remote access and privilege escalation. The attackers exploit vulnerable servers, execute commands to gather system information and use WGet to install the malware. They also enable RDP services and add new user accounts to maintain persistent access. | VIRUS | |
| 29.4.25 | Phishing campaign targets Norinchukin Bank users with fake login pages | Norinchukin (Nochu) Bank, founded in 1923, is a Japanese cooperative bank that supports the agricultural sector. It serves as the national institution for JA Bank, a group of agricultural cooperatives. Recently, Symantec detected a phishing campaign targeting the bank’s online banking services. | CAMPAIGN | |
| 24.4.25 | PE32 Ransomware | PE32 ransomware is a newly discovered malware strain that leverages Telegram for C2 operations. It employs a dual-extortion model, charging separate fees for file decryption and data non-disclosure. Despite its messy and simplistic code, which uses basic Windows libraries, it poses a significant threat to systems with weak security hygiene. | RANSOM | |
| 24.4.25 | Proton66 Infrastructure tied to expanding malware campaigns and C2 operations | Proton66 has emerged as a central hub for malicious cyber activity, hosting infrastructure used in C2 operations and phishing campaigns involving malware like GootLoader, SpyNote and XWorm. | VIRUS | |
| 24.4.25 | ToyMaker IAB paves way for Cactus ransomware | Initial Access Brokers are oftentimes the first step in a successful campaign for a threat actor. The access brokers work their way into an environment, collect relevant data, and then sell that information to a threat actor for further compromise. | RANSOM | |
| 24.4.25 | Weaponized Alpine Quest App used to spy on Russian military via Telegram Bot | A modified version of the popular Android navigation app Alpine Quest, has been found carrying spyware targeting Russian military personnel. The spyware, bundled within the app collects sensitive information like phone numbers, account details, contacts and geolocation. | BOTNET | |
| 24.4.25 | A recent FormBook distribution campaign observed in the wild | A new FormBook distribution campaign has been reported by the researchers from Fortinet. The attackers leverage malicious Word documents containing an exploit for CVE-2017-11882, which is an older vulnerability affecting the Equation Editor component in Microsoft Office. | CAMPAIGN | |
| 24.4.25 | Billbug APT continues campaigns in Southeast Asia | The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. | APT | |
| 24.4.25 | RustoBot botnet activity | RustoBot is a new Rust-based botnet variant distributed via exploitation of vulnerabilities in unpatched TOTOLINK devices. | BOTNET | |
| 22.4.25 | Ransomware group Interlock enhances tactics with ClickFix and Infostealers | Reports indicate that the ransomware group Interlock has advanced its attack methods by incorporating ClickFix social engineering techniques alongside infostealers. | RANSOM | |
| 22.4.25 | Gunra Ransomware | Another ransomware actor operating under the name Gunra has recently surfaced, allegedly claiming several victims in the healthcare, electronics, and beverage manufacturing sectors, as listed on their onion website. In recent activity, the ransomware they deploy appends a .encrt extension to encrypted files and drops a ransom note named r3adm3.txt in multiple directories. | RANSOM | |
| 22.4.25 | SuperCard X Android malware | A new Android malware campaign, identified as a malware-as-a-service called SuperCard X, has been observed targeting users in Italy. Delivered via socially engineered smishing and phone calls, the intent of the campaign is financial theft. | VIRUS | |
| 22.4.25 | PasivRobber - Spyware targeting macOS platform | PasivRobber is a new malware variant targeting the macOS platform that has been recently identified in the wild. Its main function is to ex-filtrate miscellaneous data from the macOS systems including information from 3rd party apps, web browsers, emails, cookies, chat messages (WeChat and QQ), screenshots, etc. | ||
| 18.4.25 | PteroLNK malware | PteroLNK is a new Pterodo malware variant recently distributed in the wild and attributed to the Shuckworm APT (aka Gamaredon). The malware comes in form of an obfuscated VBScript with a downloader and a LNK dropper components. | VIRUS | |
| 18.4.25 | A recent campaign attributed to the Fritillary APT group | A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to a recent research by Checkpoint, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor. | APT | |
| 18.4.25 | New fileless malware campaign drops XWorm & Rhadamanthys | A new malware campaign has been observed using JScript and obfuscated PowerShell commands to deploy highly evasive malware variants such as XWorm and Rhadamanthys. The campaign targets Windows systems employing scheduled tasks or deceptive ClickFix CAPTCHA screens to trick users into executing malicious payloads. | VIRUS | |
| 18.4.25 | DragonForce Ransomware's Campaign Intensifies in 2025 | In 2024, DragonForce ransomware actors were highly active, claiming around 93 victims on their leak website, with likely more that were not disclosed. We're still in early 2025, and the group has already "allegedly" claimed over 40 organizations as potential victims across multiple countries and sectors. | RANSOM | |
| 18.4.25 | Multi-stage attacks delivering Agent Tesla variants | Malspam email campaigns are the rule rather than the exception these days. Delivering multi-stage attacks through malicious attachments is the norm. Researchers at Palo Alto Networks have published a report sharing details about such campaigns using variants of Agent Tesla as the final payload. | VIRUS | |
| 18.4.25 | Malicious VSCode extensions infecing users with cryptominer | A set of VSCode extensions posing as legitimate development tools has been observed infecting users with the XMRig cryptominer for Monero in a new cryptojacking campaign. | CRYPTOCURRENCY | |
| 18.4.25 | DOGE BIG BALLS Ransomware | A new ransomware campaign has been reported exploiting the name of a prominent figure within the Department of Government Efficiency (DOGE) to trick victims. The attack delivers a modified variant of Fog ransomware dubbed "DOGE BIG BALLS Ransomware." | RANSOM | |
| 18.4.25 | Linux based BPFDoor observed in Asia and Middle East | BPFDoor is a Linux based backdoor that has been observed in attacks against various industries in Asia and the Middle East. Named for its use of Berkeley Packet Filtering, the malware implements a filter that activates functionality based on specific sequences found during network packet inspection. | VIRUS | |
| 18.4.25 | CVE-2025-30208 - Vite Arbitrary File Read vulnerability | CVE-2025-30208 is a recently disclosed Arbitrary File Read vulnerability affecting Vite, which is a frontend build and development tool for web applications. | VULNEREBILITY | |
| 15.4.25 | SpyNote Campaign Masquerades as a MissAV mobile app | Porn remains one of the most effective social engineering vectors due to high curiosity-driven engagement, the stigma that discourages victims from reporting, and the ease with which it can be weaponized through mobile-based attacks such as fake APKs. | CAMPAIGN | |
| 15.4.25 | Turkish Employment Agency Impersonated in a Snake Keylogger campaign | Symantec has recently observed a Snake Keylogger campaign targeting organizations in Turkey, including those in the Aerospace & Defense and Financial Services sectors. | CAMPAIGN | |
| 15.4.25 | ZeroTrace Stealer | ZeroTrace Stealer is a new infostealing malware that recently emerged on the threat landscape. The malware builder has been distributed via various underground forums and file-sharing platforms while advertised as being created for educational and research purposes ony. | VIRUS | |
| 15.4.25 | Pulsar RAT malware | Pulsar is a new remote access trojan (RAT) variant recently identified in the wild. This C#-based malware is based on the Quasar RAT strain and has miscellaneous functionality including keylogging, cryptocurrency wallet clipping, infostealing, file management, remote shell and command execution, among others. | VIRUS | |
| 15.4.25 | PelDox Ransomware | Unlike typical ransomware, PelDox does not inform victims about the encryption of their files or demand payment for decryption. After encrypting the files and appending the ".lczx" extension, the ransomware displays a full-screen message. | RANSOM | |
| 15.4.25 | HijackLoader new modular enhancements for stealth and evasion | HijackLoader (also known as GHOSTPULSE or IDAT Loader) is a malware loader capable of delivering second-stage payloads and offers a variety of modules mainly used for configuration information, evasion of security software, and injection/execution of code. | ||
| 12.4.25 | NanoCrypt Ransomware | NanoCrypt is another "run-of-the-mill" ransomware variant discovered in the wild. The malware encrypts user data and appends .ncrypt to the name of locked files. The ransom note dropped in the form of a text file called README.txt indicates that this malware has been created "for fun" and not intended for any harmful activity. | RANSOM | |
| 12.4.25 | Chaos Ransomware Variant Targets IT Staff via Fake Security Tool | Chaos ransomware variants continue to emerge, mostly used by actors targeting individual machines through drive-by-download social engineering. These attacks typically demand a smaller ransom compared to double-extortion ransomware actors who target larger organizations through more complex attack chains. | RANSOM | |
| 12.4.25 | New Amethyst Stealer variant distributed by Sapphire Werewolf group | Distribution of a new and updated Amethyst Stealer variant has been observed in the wild. The campaign is attributed to the threat actor known as Sapphire Werewolf. | VIRUS | |
| 12.4.25 | CVE-2025-31161 - CrushFTP authentication bypass vulnerability exploited in the wild | CVE-2025-31161 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting CrushFTP file transfer solution. If successfully exploited, the flaw could grant unauthenticated attackers admin level access to the underlying server via crafted HTTP requests. | VULNEREBILITY | |
| 12.4.25 | Neptune RAT | Neptune RAT is a highly modular, multi-functional remote access Trojan. The malware contains numerous DLL plugins which provide functionality. Available features include, but are not limited to, the following: | VIRUS | |
| 12.4.25 | Salary Adjustment PDF Lure Redirects to AWS-Hosted Outlook Credential Phish | Symantec has observed a new phishing campaign in which threat actors are leveraging PDFs to redirect users to a phishing page hosted on AWS S3. | PHISHING | |
| 12.4.25 | CVE-2025-1094 - PostgreSQL SQL injection vulnerability | CVE-2025-1094 is a recently disclosed high severity (CVSS score 8.1) SQL injection vulnerability affecting PostgreSQL, which is an open-source relational database management system (RDBMS). If successfully exploited, the flaw might lead up to a remote code execution due to improperly sanitized SQL inputs. | ALERTS | VULNEREBILITY |
| 9.4.25 | GiftedCrook infostealer deployed in UAC-0226 campaign | According to a recent security alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of targeted attacks against various military and governmental entities in Ukraine has been detected. The campaign dubbed as UAC-0226 distributes phishing emails containing .xlsm attachments with malicious macros. | VIRUS | |
| 9.4.25 | CVE-2025-29927 - Next.js middleware authorization bypass vulnerability | CVE-2025-29927 is a recently disclosed vulnerability (CVSS score 9.1) affecting Next.js, which is an open-source web development javascript framework. If successfully exploited, the flaw might allow the attackers for an authorization bypass attack via specially crafted HTTP requests potentially leading to protected content exposure. | VULNEREBILITY | |
| 9.4.25 | This Vidar stealer is not your Sysinternals tool | Vidar is an information stealing malware that has been active since 2018. It is a Malware-as-a-Service offering which has been used by attackers to steal sensitive data, such as credentials stored in browsers, applications, and cloud storage services. | VIRUS | |
| 9.4.25 | EncryptHub attackers leverage MSC files for payload delivery | A recent campaign attributed to EncryptHub (Water Gamayun) group has seen the threat actors to leverage Microsoft Management Console vulnerability (tracked as CVE-2025-26633) files for malicious payload execution. | VIRUS | |
| 9.4.25 | HollowQuill campaign luring users with disguised malicious PDFs | HollowQuill campaign has been targeting academic institutions and government agencies worldwide through weaponized PDF documents. The attack employs social engineering tactics, disguising malicious PDFs as research papers, grant applications, decoy research invitations, or government communiques to entice unsuspecting users. | CAMPAIGN | |
| 9.4.25 | Springtail APT group targets South Korean government entities | The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments. | APT | |
| 9.4.25 | From Phishing to LINE Scams: Rakuten Securities users at risk | Over the past few weeks, a phishing actor has been launching campaign after campaign targeting Rakuten Securities users in an attempt to steal their credentials | PHISHING | |
| 9.4.25 | ModiLoader deployed via .SCR in Taiwanese Freight Impersonation | Malware actors have been abusing Windows screensavers file format (.scr) for some time now. While they might appear harmless, they are essentially executable programs with a different file extension. | VIRUS | |
| 4.4.25 | CVE-2024-54085 - AMI MegaRAC BMC authentication bypass vulnerability | CVE-2024-54085 is a critical (CVSS score 10.0) authentication bypass vulnerability affecting AMI MegaRAC Baseboard Management Controller (BMC) which is a remote server management platform. If successfully exploited, the flaw might allow remote unauthenticated attackers to access the remote management interface (Redfish) and further lead up to more severe compromise of the vulnerable server. | ALERTS | VULNEREBILITY |
| 4.4.25 | Lockbit 4.0 ransomware | Lockbit 4.0 is the most recent iteration of the infamous ransomware attributed to the threat actor called Syrphid. The ransomware is operated based on a Ransomware-as-a-Service (RaaS) model with various affiliates carrying out the attacks and often employing different tactics, techniques, and procedures (TTPs). | RANSOM | |
| 4.4.25 | RolandSkimmer campaign | A new credit card skimming campaign dubbed RolandSkimmer has been reported by the researchers from Fortinet. The attack starts with .zip archives containing malicious .lnk files being delivered to the intended victims. | CAMPAIGN | |
| 4.4.25 | CVE-2024-4577 makes a return in recent malware campaigns | A high severity CVE (CVSS: 9.8), CVE-2024-4577, has recently been disclosed to be in use in an active malware campaign targeting companies within the APJ region. | ||
| 4.4.25 | Latest Gootloader variant spread via malvertisements | Latest Gootloader variant has been observed to abuse Google Ads platform for distribution. The malware has been leveraging malvertisements directed at users searching for various legal templates such as NDA agreements, etc. | VIRUS | |
| 4.4.25 | CrazyHunter - a new Prince ransomware variant | CrazyHunter is a new Go-based ransomware variant based on the open-source Prince encryptor malware family. The malware encrypts user data and drops ransom note in form of a text file called "Decryption Instructions.txt". This note is written in identical format as the one observed from older Prince ransomware variant deployments. | RANSOM | |
| 3.4.25 | New phishing campaign targets Monex Securities users | Lately, Symantec has observed phish runs targeting users of Monex Securities (マネックス証券), one of the Japan's leading online securities company through the merger of Monex, Inc. and Nikko Beans, Inc. The company offers individual investors with different financial services. | PHISHING | |
| 3.4.25 | DarkCloud Stealer via TAR archives in Multi-Sector Spanish Campaign | A company in Spain that specializes in mountain and skiing equipment is being spoofed in an email campaign. The actors behind this attack are targeting Spanish companies and local offices of international organizations. | VIRUS | |
| 3.4.25 | CVE-2024-20439 - Cisco Smart Licensing Utility static credential vulnerability | CVE-2024-20439 is a static credential vulnerability (CVSS score 9.8) affecting Cisco Smart Licensing Utility. If successfully exploited, the flaw could allow attackers to gain administrative privileges for the application's API. | VULNEREBILITY | |
| 3.4.25 | CPU_HU cryptomining malware | A new campaign distributing cryptomining malware dubbed CPU_HU has been reported in the wild. The attackers target vulnerable or misconfigured PostgreSQL instances in efforts to deploy XMRig-C3 cryptominer binaries. Similar malware variant (also known as PG_MEM) has been distributed last year in campaigns attributed to the same threat actors. The most recent campaign implements additional detection evasion techniques including fileless payload execution. | VIRUS | |
| 3.4.25 | Salvador Stealer - a new mobile malware | Salvador Stealer is a newly discovered Android malware variant. The infostealer is spread under the disguise of legitimate mobile banking apps. The malware delivery is a multistage process that uses a separate malicious dropper .apk binary responsible for final payload execution. Salvador Stealer aims at collection and exfiltration of user confidential data including banking details and credentials. | VIRUS | |
| 3.4.25 | Recent activities deploying Konni RAT malware | Konni RAT is a well known remote access trojan (RAT) variant active on the threat landscape for several years. The malware has the functionality to exfiltrate sensitive data from compromised machines, achieve persistence on the infected endpoints and execute remote commands received from attackers. | VIRUS | |
| 3.4.25 | CVE-2024-48248 - NAKIVO Backup and Replication absolute path traversal vulnerability | CVE-2024-48248 is a recently identified absolute path traversal vulnerability (CVSS score 8.6) affecting NAKIVO Backup and Replication solution. If successfully exploited, the flaw might enable unauthenticated attackers to read arbitrary files on the target hosts leading to sensitive information exposure. | VULNEREBILITY | |
| 2.4.25 | Masslogger Bank-Themed Phishing Primarily Targets Romania, With Broader European Reach | Symantec has observed a Masslogger campaign primarily targeting organizations in Romania, where attackers are impersonating a Romanian bank. In addition to Romanian entities, the campaign has also impacted organizations in several other countries across Europe and beyond. | VIRUS | |
| 2.4.25 | TsarBot Android malware | TsarBot is a new Android banking trojan reported to be targeting over 750 different banking, financial and cryptocurrency-related applications. | VIRUS | |
| 1.4.25 | New SnakeKeylogger multistage Info-stealer campaign | SnakeKeylogger is an info-stealer malware that harvests credentials and other sensitive data. It targets a wide range of applications such as web browsers like Google Chrome, Mozilla Firefox, and email clients such as Microsoft Outlook and Thunderbird. | ALERTS | VIRUS |
| 1.4.25 | Crocodilus Android malware | Crocodilus is a new mobile banking trojan variant identified recently on the threat landscape. The malware has extensive remote control and infostealing functionalities, allowing the attackers for application overlay attacks, remote access to the compromised devices, theft of credentials/data stored on the mobile device, keylogging and execution of commands received from C2 servers, among others. | ALERTS | VIRUS |
| 1.4.25 | New CoffeeLoader malware | CoffeeLoader is a new sophisticated malware loader designed to implement secondary payloads while evading detection. This loader leverages a packer that executes code on a system’s GPU. CoffeeLoader can establish persistence via the Windows Task Schedule and can maintain persistence via a scheduled task with a hard-coded name. | VIRUS | |
| 1.4.25 | MassLogger Targets Businesses Worldwide via Procurement-themed Phishing | MassLogger, an information-stealing malware designed to capture credentials, keystrokes, and clipboard data from victims, has been gaining prevalence in the threat landscape, with campaigns of various sizes and victimology observed worldwide. | ALERTS | PHISHING |
|
28.3.25 |
Remcos backdoor distributed in the latest campaign attributed to Shuckworm APT | A new campaign attributed to the Shuckworm APT (aka Gamaredon) has been reported by researchers from Cisco Talos. According to the released report, the attackers are targeting users from Ukraine with malicious .LNK files and PowerShell downloaders before infecting them with Remcos RAT payload. | ALERTS | CAMPAIGN |
|
28.3.25 |
Argenta Bank users targeted with new phishing emails | Argenta is a bank based in Belgium and also operates in the Netherlands and Luxembourg. Recently, Symantec has detected a new wave of phish runs spoofing Argenta's bank services with fake account notifications. | ALERTS | PHISHING |
|
28.3.25 |
RALord Ransomware | RALord is a new Rust-based ransomware variant identified in the wild. The malware encrypts user data and appends ".RALord" extension to the names of the locked files. | RANSOM | |
|
28.3.25 |
VIPKeyLogger Targets Japan’s Corporate Sector | VIPKeyLogger, a stealthy keylogging malware, has been observed in two phishing campaigns targeting Japanese organizations and international companies with local offices in Japan. | ALERTS | VIRUS |
|
28.3.25 |
PJobRAT Android malware | A new campaign distributing PJobRAT malware for Android has been discovered by the researchers from Sophos. The campaign targets mostly the mobile users from Taiwan and aims at collection and exfiltration of sensitive data including SMS messages, contact lists as well as documents and media file stored on the compromised devices. | ALERTS | VIRUS |
|
28.3.25 |
CVE-2025-24799 - SQL injection vulnerability in GLPI | CVE-2025-24799 is a recently identified SQL injection vulnerability affecting GLPI, which is a popular and open-source IT Service Management (ITSM) software. | VULNEREBILITY | |
|
27.3.25 |
CVE-2025-29891 - Bypass/Injection vulnerability in Apache Camel | CVE-2025-29891 is a second recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. If successfully exploited, the flaw might enable the remote attackers to inject arbitrary parameters in the HTTP requests that are sent to the Camel application. | ALERTS | VULNEREBILITY |
|
27.3.25 |
New Go-based ReaderUpdate macOS malware variant | A new Go-based strain of the macOS malware dubbed ReaderUpdate has been discovered in the wild. Previous variants of this malware were based on Crystal, Nim and Rust programming languages. | ALERTS | VIRUS |
|
27.3.25 |
Phishing Surge Targets Rakuten Securities Users | In recent weeks, there has been an increase in phishing campaigns targeting users of Rakuten Securities (楽天証券), one of Japan’s largest and most well-established online brokerage firms. The company offers a wide range of investment services, including stocks, ETFs, mutual funds, futures, options, forex trading, and NISA (Japan’s tax-advantaged investment accounts). | ALERTS | PHISHING |
|
27.3.25 |
New Android malware leverages .NET MAUI framework for detection evasion | A new Android malware variant leveraging .NET MAUI framework has been identified in the wild. .NET MAUI is a cross-platform framework used to build native, desktop and mobile apps with C# and XAML. | VIRUS | |
|
27.3.25 |
PlayBoy Locker Ransomware | PlayBoy Locker is a ransomware variant discovered last September and initially distributed in form of a Ransomware-as-a-Service (RaaS) offering. The ransomware platform offered multi-OS support including Windows, NAS and ESXi operating systems. | RANSOM | |
|
26.3.25 |
CVE-2025-24813 - Critical path equivalence RCE vulnerability in Apache Tomcat | Security researchers have observed active exploitation attempts of CVE-2025-24813, a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat, an open-source servlet container and web server for Java applications. The flaw, caused by a path equivalence issue, allows attackers to bypass security constraints and execute arbitrary code remotely. | ALERTS | VULNEREBILITY |
|
26.3.25 |
Dragon RaaS Group: Ransomware targeting the US and European countries | Dragon RaaS, a ransomware group that emerged in July 2024, primarily targets organizations in the US, Israel, UK, France and Germany. The group leverages web application vulnerabilities, brute-force attacks and stolen credentials as its main attack vectors using two ransomware variants: a Windows-focused encryptor, likely a modified version of StormCry and a PHP webshell which provides both backdoor functionality and persistent ransomware capabilities. | ALERTS | RANSOM |
|
26.3.25 |
New JS downloader observed in recent malspam campaign | Symantec has observed a new email campaign delivering a JavaScript downloader as an attachment. The JS arrives under various filenames in an email with variable subjects. | ALERTS | VIRUS |
|
26.3.25 |
Funnelweb attack group targets victims in Operation FishMedley | The China-backed advanced persistent threat group known as Funnelweb (aka Aquatic Panda, Earth Lusca, FishMonger) was responsible for an extensive campaign identified as Operation FishMedley. The campaign targeted entities including governments, NGOs, and think tanks across numerous countries. | OPERATION | |
|
26.3.25 |
CVE-2025–26319 - Flowise Pre-Auth arbitrary file upload vulnerability | CVE-2025–26319 is a recently disclosed pre-auth arbitrary file upload vulnerability affecting Flowise, which is a popular open source tool for developers to build customized LLM (Large Language Model) orchestration flows and AI agents. | VULNEREBILITY | |
|
26.3.25 |
FogDoor backdoor delivery campaign | A new campaign targeting Polish-speaking job-seeking developers has been reported to deliver a new backdoor variant dubbed FogDoor. The attackers lure the victims with a fake recruitment test that leads to a download of a .iso archive containing a malicious .lnk file. The executed .lnk file runs a PowerShell script responsible for installing the malware payload. | ALERTS | VIRUS |
|
25.3.25 |
CVE-2024-56346 & CVE-2024-56347 - recent IBM AIX OS vulnerabilities | CVE-2024-56346 and CVE-2024-56347 are two recently disclosed critical (CVSS score 10.0 and 9.6 respectively) vulnerabilities affecting IBM AIX operating system. | VULNEREBILITY | |
|
25.3.25 |
SVCStealer malware | SVCStealer is a new C++based infostealing malware identified in the wild. The infostealer collects various sensitive information from the infected endpoints such as system information, credentials, cryptocurrency wallets, data stored in browsers, screenshots, data from messaging applications (Discord, Tox, Telegram) or VPN apps, and others. | VIRUS | |
|
22.3.25 |
New variants of the Albabat ransomware implement multi-OS capabilities | A new strain of the Albabat ransomware has been reported to offer multi-OS support, according to latest report from Trend Micro. New Albabat variant is still under active development and it adds Linux and macOS to the list of the targeted platforms. | RANSOM | |
|
22.3.25 |
New phishing campaign targets Pocket Card users | Symantec has detected a phishing campaign targeting Japanese users with fake Pocket Card notification emails. The emails use the subject line: | PHISHING | |
|
22.3.25 |
VanHelsing Ransomware | VanHelsing is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends .vanhelsing or .vanlocker extension to the locked files. VanHelsing drops the ransom note in form of a text file called “README.txt” and it is also able to modify the desktop wallpaper. | RANSOM | |
|
22.3.25 |
Campaign impersonating travel bookings site using “ClickFix" technique | A phishing campaign impersonating Booking.com to deliver credential stealing malware has been observed targeting hospitality organizations in Asia, North America, Oceania, and Europe. The attackers send fake emails impersonating the online travel agency. | ALERTS | CAMPAIGN |
|
22.3.25 |
Recent UAT-5918 APT malicious activities targeting entities in Taiwan | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. | APT | |
|
22.3.25 |
DarkCrystal RAT distributed in malicious campaign UAC-0200 | According to a recent alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of attacks against the defense sector in Ukraine has been detected. The campaign dubbed as UAC-0200 distributes malicious messages via the Signal messenger leading the victims to execution of DarkTortilla loader, which in turn decrypts and runs the DarkCrystal RAT (aka DCRat) payload. | VIRUS | |
|
22.3.25 |
Custom Betruger backdoor deployed by RansomHub affiliate | The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate. RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. | ||
|
20.3.25 |
New Steganographic malware campaign exploits JPEG files to distribute Infostealers | A new steganographic malware campaign has been identified, using JPEG image files to distribute various infostealer malwares. The attack starts by luring users into downloading an obfuscated JPEG file, which contains hidden malicious scripts and executables. | ALERTS | VIRUS |
|
20.3.25 |
Fake captchas entice users to run malicious commands for rootkit deployment | Another fake captcha campaign is resulting in rootkits being deployed to unsuspecting victims. The attack is spread via fake captchas that impersonate popular software tools and websites, the captcha copies a malicious powershell command using curl to the users clipboard and provides instructions on how to run it to prove they are human. | VIRUS | |
|
20.3.25 |
CVE-2024-27564 - ChatGPT commit f9f4bbc SSRF vulnerability exploited in the wild | New reports emerged about threat actors actively exploiting an older Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-27564) affecting OpenAI’s ChatGPT. | VULNEREBILITY | |
|
20.3.25 |
NailaoLocker Ransomware | NailaoLocker is a ransomware variant distributed last year in campaigns targeting various European healthcare organizations. The attackers responsible for the attacks have been leveraging previously disclosed Check Point Security Gateway vulnerability CVE-2024-24919 in the initial attack stages. | RANSOM | |
|
20.3.25 |
AnubisBackdoor: New Python-based malware linked to Coreid APT group | A relatively new backdoor malware dubbed AnubisBackdoor has been spotted in the wild. This Python-based backdoor is attributed to the Savage Ladybug group, which is reportedly connected to the notorious Coreid (aka Fin7) APT group. | ALERTS | VIRUS |
|
20.3.25 |
CVE-2025-27636 - Apache Camel Message Header Injection vulnerability | CVE-2025-27636 is a recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. | VULNEREBILITY | |
|
20.3.25 |
StilachiRAT malware | StilachiRAT is a new remote access trojan variant discovered recently by researchers from Microsoft. The malware possesses extensive remote control as well as infostealing capabilities. | ALERTS | VIRUS |
|
19.3.25 |
Protection Highlight: Thwarting Ransomware with Carbon Black Endpoint Standard | Today's ransomware is innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and fileless techniques. | ALERTS | RANSOM |
|
19.3.25 |
JPHP downloader uncovered | A new downloader compiled with JPHP was recently observed. JPHP is an interpreter that allows PHP scripts to execute in a Java Virtual Machine. This particular malware was originally delivered in a ZIP file and leveraged Telegram for its C2 communications. Potential downloaded payloads include infostealers such as Danabot. | VIRUS | |
|
19.3.25 |
VenomRat malware campaign uses VHD files for data exfiltration | A VenomRat malware campaign using VHD files has been observed in the wild. The attack begins with a phishing email containing an archive attachment disguised as a purchase order to lure users. Inside the archive there is a .vhd file which mounts itself as a hard disk when opened. | CAMPAIGN | |
|
19.3.25 |
New XCSSET macOS malware variant discovered | According to recent reports, a new variant of XCSSET, the macOS modular malware, has been observed by researchers at Microsoft. First discovered in 2020, XCSSET is a sophisticated modular malware known to target users by infecting Apple Xcode projects. | ||
|
19.3.25 |
A new Sobolan malware campaign | Threat Actors use compromised interactive computing environments like Jupyter Notebooks to spread Sobolan malware in a multi stage attack. | ALERTS | CAMPAIGN |
|
16.3.25 |
OctoV2 mobile malware distributed as fake DeepSeek AI app | A new variant of the OctoV2 Android banking malware has been spread recently under the disguise of a DeepSeek AI mobile app. DeepSeek is a recently released AI-powered chatbot, much similar to the well known ChatGPT. | ALERTS | AI |
| 14.3.25 | SuperBlack - a new Lockbit ransomware variant | SuperBlack is a new ransomware variant based on the leaked Lockbit builder. According to recent reports, a newly observed distribution of this malware has been attributed to the threat actor dubbed as Mora_001 (a possible Lockbit affiliate). | RANSOM | |
| 14.3.25 | LithiumWare Ransomware | LithiumWare is a new ransomware strain observed in the wild. The malware encrypts user data and appends random four-character extensions to the locked files. | RANSOM | |
| 14.3.25 | Vedalia threat group tied to new Android spyware called KoSpy | KoSpy is a recently discovered Android spyware that has been associated with the North Korean APT Vedalia (also known as APT37 ScarCruft). The spyware was observed masquerading as numerous utility applications to entice/trick its victims. | VIRUS | |
| 14.3.25 | Hellcat: Ransomware-as-a-Service group | Since its identification in late 2024, the Hellcat Ransomware Group has emerged as a prominent Ransomware-as-a-Service (RaaS) threat claiming attacks on critical national infrastructure and government organizations. | RANSOM | |
| 14.3.25 | Sosano backdoor targets UAE Aviation and Satellite firms | An email campaign targeting organizations in the UAE associated with aviation and satellite communications has been reported. The attack leveraged a compromised email account from an Indian electronics firm to send malicious emails aimed at luring victims. | VIRUS | |
| 13.3.25 | DocSwap mobile malware | DocSwap is a new mobile malware variant distributed under the disguise of a "document viewing authentication" mobile app. | VIRUS | |
| 13.3.25 | A new campaign distributing scam crypto investment platforms | A new campaign spreading fraudulent cryptocurrency investment platforms has been reported by researchers from Palo Alto. The attackers leverage websites and Android mobile apps masqueraded as known brands of retail stores, financial institutions or technology companies to lure their victims. | CRYPTOCURRENCY | |
| 13.3.25 | CVE-2025-25181 - Advantive VeraCore SQL Injection vulnerability | CVE-2025-25181 is a SQL Injection vulnerability affecting Advantive VeraCore, which is an order fulfillment and warehouse management software. If successfully exploited, the flaw might allow the remote attackers to execute arbitrary SQL commands via the PmSess1 parameter and gain unauthorized access to sensitive data. | VULNEREBILITY | |
| 13.3.25 | Ballista botnet targets TP-Link Archer routers via vulnerability exploitation | A new botnet dubbed Ballista has targeted organizations in Australia, China, Mexico, and the US focusing on healthcare, manufacturing, services, and technology sectors. | BOTNET | |
| 13.3.25 | Credential Theft Campaign Disguised as Construction Quote Requests | An actor has been running a large phishing campaign, targeting businesses with emails disguised as requests for quotations. The emails, sent from multiple Outlook, Live, Hotmail, and MSN addresses, urge recipients to review an attached document, claiming it contains the scope of work for an urgent project. | PHISHING | |
| 13.3.25 | PlayPraetor mobile malware | PlayPraetor is a mobile malware recently distributed via fake Play Store websites. Many of the observed fraudulent domains leverage typo-squatting techniques to lure the unsuspecting victims into downloading the malicious binaries. | VIRUS | |
| 13.3.25 | CVE-2024-32444 and CVE-2024-32555 - WordPress RealHome and Easy Real Estate Plugin vulnerabilities | CVE-2024-32444 and CVE-2024-32555 are two recently disclosed vulnerabilities affecting WordPress RealHome and WordPress Easy Real Estate Plugin respectively. | VULNEREBILITY | |
| 13.3.25 | Blind Eagle malicious .url files variant | Blind Eagle (aka APT-C-36), is a threat actor group that engages in both espionage and cyber-crime. It primarily targets organizations in Colombia and other Latin American countries focusing on government institutions, financial organizations, and critical infrastructure. | APT | |
| 13.3.25 | Malvertising campaign found in pirate streaming sites leading to infostealers | A malvertising campaign has been recently disclosed by Microsoft. The malicious actors start by injecting malvertising redirectors into videos hosted on pirate streaming sites. | VIRUS | |
| 13.3.25 | Phishing Campaign Impersonates Korean Tax Service | A new wave phishing is making rounds in South Korea, disguising itself as an official email from the Korean National Tax Service (NTS). The email claims to contain an electronic tax invoice and includes an HTML attachment named NTS_eTaxInvoice.html. | PHISHING | |
| 13.3.25 | Malicious operations attributed to the EncryptHub threat actor | EncryptHub is a new threat actor engaging in malicious operations distributing ransomware and infostealers (StealC, Rhadamanthys) to the unsuspecting victims. | RANSOM | |
| 13.3.25 | Leafperforator APT conducts attacks on maritime sector | A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. | APT | |
| 11.3.25 | New Poco RAT distribution campaign | A new campaign distributing Poco RAT to Spanish-speaking users in Latin America has been reported in the wild. The campaign has been attributed to the Darkling APT (aka Dark Caracal). The group is known to leverage Bandook-based backdoors in their attacks. | VIRUS | |
| 11.3.25 | CVE-2024-13159 - Ivanti Endpoint Manager (EPM) Absolute Path Traversal vulnerability | CVE-2024-13159 is a critical (CVSS score 9.8) absolute path traversal vulnerability affecting the Ivanti Endpoint Manager (EPM) software. If successfully exploited, the flaw might allow a remote unauthenticated attacker to leak sensitive information. | VULNEREBILITY | |
| 10.3.25 | Strela Stealer targets MS Outlook users credentials | Strela Stealer is a malware infostealer typically distributed through phishing campaigns affecting users in Italy, Germany, Spain, and Ukraine. It is designed to target specific email clients (notably Microsoft Outlook and Mozilla Thunderbird) and exfiltrate email login credentials. | VIRUS | |
| 10.3.25 | Boramae Ransomware | Boramae is a new ransomware discovered just recently in the threat landscape and a suspected variant of the Beast aka BlackLockbit malware family. The malware encrypts user files and appends ".boramae" to them. | RANSOM | |
| 10.3.25 | Phantom-Goblin operation spreading infostealers to victims | Phantom-Goblin is the name of a malicious infostealing campaign recently identified in the wild. The attackers responsible are leveraging social engineering techniques luring victims into execution of malicious .LNK files. | OPERATION | |
| 10.3.25 | Ebyte Ransomware | Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. | ||
| 7.3.25 | Desert Dexter malicious campaign | Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. | CAMPAIGN | |
| 7.3.25 | Latest Njrat variant uses Microsoft Dev Tunnels for C2 communications | A new variant of the NjRAT malware has been reported in the wild. NjRAT (also known as Bladabindi or Ratenjay) is an older but still widely used Remote Access Trojan (RAT). This malware is often used to extract data from the compromised endpoints, send commands via remote shell, manipulate the registry as well as download additional payloads. | VIRUS | |
| 7.3.25 | Medusa ransomware activity on the rise | Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. | RANSOM | |
| 7.3.25 | A new campaign targeting ISP infrastructure with infostealers | A new campaign targeting ISP (Internet service providers) infrastructure with infostealers and cryptocurrency miners has been reported in the wild. In the initial attack stages the threat actors are leveraging brute force attacks to access the vulnerable environments. | VIRUS | |
| 5.3.25 | Phishing campaign used to deliver Havoc malware | In a new report, researchers at Fortinet have detailed a phishing campaign that was used to deliver Havoc malware. Havoc is a malicious framework, akin to Cobalt Strike, that is actively leveraged to compromise victims. In this campaign, the attackers leveraged multiple components, starting with an html file which lures the recipient into executing a malicious PowerShell command. | CAMPAIGN | |
| 5.3.25 | Danger & Loches - recent Globeimposter ransomware variants seen in the wild | Dange and Loches are the two most recently identified variants of the Globeimposter ransomware family. The malware will encrypt user data and append .danger or .loches extension to the locked files respectively. | RANSOM | |
| 5.3.25 | GrassCall malware campaign spreads infostealers to job seekers | GrassCall is a recently identified campaign attributed to the threat group known as Crazy Evil. The attack has been targeting job seekers with fake job interviews in efforts to distribute malicious executables used for infostealing. The attackers have been advertising fake job offers on various well know websites such as LinkedIn or CryptoJobsList. The victims were asked to download fake video meeting software called GrassCall. | VIRUS | |
| 5.3.25 | CVE-2024-12356 - BeyondTrust PRA and RS vulnerability | CVE-2024-12356 is a critical (CVSS score 9.8) command injection vulnerability affecting the BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS) software. If successfully exploited, the flaw might allow an unauthenticated attacker to inject commands that are run as a site user. This vulnerability has been previously added to the CISA Known Exploited Vulnerabilities (KEV) Catalog in December 2024 following the reports of the in-the-wild exploitation. | VULNEREBILITY | |
| 5.3.25 | Leveraging malicious LNK files and Null-AMSI tool to deliver AsyncRAT | A malware campaign using malicious LNK files disguised as wallpapers to lure users has been observed. As part of the attack vector, the open-source Null-AMSI tool is employed to bypass malware scanning interfaces (AMSI) and Event Tracing for Windows (ETW). Obfuscated PowerShell scripts are used to connect to a remote server and download gzip compressed payloads to evade detection. The final payload is loaded into memory via reflection enabling the execution of AsyncRAT for remote control. | VIRUS | |
| 5.3.25 | Attackers spread Winos4.0 malware using taxation as a lure | The Winos4.0 malware framework has been used by threat groups to perpetrate attacks against intended victims. In a recent report from Fortinet, they have outlined an attack observed against users in Taiwan, using a tax related lure to distribute Winos4.0 malware. The campaign leveraged a PDF attachment with a zip archive that contained malicious DLL and shellcode components along with further modules which are downloaded from a C2. | ||
| 5.3.25 | Fake browser updates being distributed through malicious redirects | Security researchers have observed recent malware campaigns utilizing web-based malware distribution via compromised sites rather than relying solely on email-based attacks to spread malicious links. | ||
| 1.3.25 | LCRYX Ransomware | LCRYX is a VBScript-based ransomware discovered in the wild last year. The malware encrypts user data, appends ‘.lcryx’ to the locked files and demands ransom payment in the Bitcoin cryptocurrency. | ALERTS | |
| 1.3.25 | New Squidoor backdoor variant distributed in latest campaigns | Squidoor is a modular multi-platform backdoor variant supporting both Windows and Linux platforms. According to the researchers from Palo Alto, the newest strain of this malware is distributed in attacks associated with suspected Chinese threat actors. | ALERTS | VIRUS |
| 1.3.25 | Bank of Yokohama users targeted with new phishing emails | In Japan, the Bank of Yokohama is the largest regional bank headquartered in Yokohama. Recently, Symantec has detected a new wave of phish runs spoofing the Bank of Yokohama services with fake account notifications. The emails use the subject line: 【横浜銀行】3月ご利用明細のご案内について (Translated: [Yokohama Bank] Information on March usage statements). | ALERTS | PHISHING |
| 1.3.25 | Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims | The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. In a recent report by researchers at Cisco Talos, activity from this group was seen in attacks affecting organizations such as governments, manufacturing, and telecommunications and media in Asia. | ALERTS | APT |
| 27.2.25 | Yodobashi Camera users targeted with a new phish wave | In Japan, Yodobashi Camera Co., Ltd is a major retail chain that sells electronics, PCs, cameras and photographic equipment. Recently, Symantec has observed a new wave of phish runs spoofing Yodobashi Camera services. The email content mentions that the customer information has been changed and entices the users to click on the phishing URL to confirm the change. | PHISHING | |
| 27.2.25 | Vedalia APT group phishing campaign delivers RokRat malware across Asia | phishing campaign by the North Korean-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia. | APT | |
| 27.2.25 | LightSpy: A new multi-platform Spyware variant targeting social media | A multi-platform variant of the LightSpy spyware with an expanded list of command functionalities has been reported. It has shifted its focus from messaging apps to extracting data from social media platforms such as Facebook and Instagram including messages, contacts and account metadata. | VIRUS | |
| 27.2.25 | Updated TgToxic Android malware | TgToxic is an infostealing malware that was first spread via phishing sites and compromised social media accounts. This new version of the TgToxic malware can be delivered though a single malicious SMS text. | VIRUS | |
| 27.2.25 | New Snake Keylogger variant | A new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users has been observed. Snake Keylogger typically spreads via phishing emails containing a malicious attachment or URL. It targets popular web browsers (such as Chrome, Edge, Firefox etc.) monitoring/logging keystrokes. | VIRUS | |
| 27.2.25 | Threat actors spoof Sagawa Express services to steal credentials | Symantec has identified a new wave of phishing attacks that impersonate Sagawa Express services to steal credentials. In this campaign, phishing emails are disguised as delivery notifications requesting an immediate update of the delivery address. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting. | OPERATION | |
| 27.2.25 | FatalRAT malware distributed via Operation SalmonSlalom | Operation SalmonSlalom is a new malicious campaign targeted at industrial organizations in the Asia-Pacific (APAC) region. The attackers have been leveraging various first and second stage loaders leading up to the infection with FatalRAT final payload. | VIRUS | |
| 26.2.25 | Fake DeepSeek websites lead to malware infections | A number of DeepSeek-themed malware campaigns has been reported in the wild lately. DeepSeek is a recently released AI-powered chatbot, much similar to the well known ChatGPT. The attackers have been leveraging the growing popularity of the DeepSeek brand by creating a large number of fake DeepSeek websites and look-alike domains used to serve malicious payloads. | VIRUS | |
| 26.2.25 | New Phishing Campaign Targets ANA Mileage Club Users |
Symantec has detected a phishing campaign targeting Japanese
users with fake All Nippon Airways (ANA) emails. The emails use the subject
line:「ANAマイレージクラブ 重要なお知らせ - 事後登録手続きのお願い」 (Translated: "ANA Mileage Club Important Notice - Request for Retroactive Registration Procedure") |
CAMPAIGN | |
| 26.2.25 | Ghostwriter malicious campaign | Ghostwriter is a malicious campaign attributed to UNC1151 (UAC-0057) threat group. The campaign is believed to be actively running since at least 2016 with the latest iterations observed around November-December 2024. The campaign has been reported to target military and government organizations in Ukraine as well as activists in Belarus. The attackers are known to leverage Excel documents containing malicious VBA macros to initialize the attack. Later infection stages lead to execution of a downloader malware called PicassoDownloader, which has been already used in older campaigns linked to the same threat actors. | CAMPAIGN | |
| 20.2.25 | Phishing campaign disguises as ChatGPT Subscription | In a recent phishing campaign observed by Symantec, emails disguised as "monthly subscription" notifications are being sent to targeted recipients. The subject lines are often including keywords like "action required" or "Reminder" a common tactic to lure the recipient to open the email. The body of the email is claiming a $24 monthly subscription fee is required to access ChatGPT's premium features. To complete the payment, recipients are being prompted to click on a phishing URL designed to steal their credentials. | ALERTS | PHISHING |
| 20.2.25 | Core Ransomware - a new Makop variant | Core ransomware is a new Makop malware variant recently found in the wild. The ransomware encrypts user files and appends .core extension to them. Victim's unique ID and developers' email address is also appended to the extension. The malware drops ransom note in form of a text file called "README-WARNING.txt". Core has also capability to delete volume shadow copies and backup data on the infected endpoints as well as functionality to modify registry entries to ensure its persistence on the machine. | ALERTS | RANSOM |
| 20.2.25 | Ghost (aka Cring) Ransomware | Symantec Security Response is aware of the recent joint alert from CISA, FBI and MS-ISAC concerning a number of recent campaigns distributing the Ghost (aka Cring) ransomware. The attackers behind this ransomware family are known to leverage exploitation of publicly disclosed vulnerabilities in an effort to access internet facing vulnerable servers. Some of the exploited vulnerabilities include but are not limited to: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. | ALERTS | RANSOM |
| 20.2.25 | XingCode disguised malware exhibits XWorm characteristics | Recently, malware samples were discovered disguised as XingCode software executables. XingCode is an anti-cheat software commonly used in online games to prevent cheating, hacking and unauthorized third-party tools. These malicious files contain embedded PowerShell scripts used to deobfuscate data. The files exhibit characteristics of XWorm malware with capabilities such as system manipulation, data exfiltration and keylogging designed to create persistence and evade detection. | ALERTS | VIRUS |
| 20.2.25 | Rhadamanthys Infostealer campaign exploits MSC files and Console Taskpad | Since mid-2024, there has been an increase in the distribution of MSC malware with campaigns observed exploiting the CVE-2024-43572 Microsoft Windows Management Console remote code execution (RCE) vulnerability. A campaign distributing the Rhadamanthys Infostealer has been observed with the malware disguised as MSC files. The newly identified MSC file belongs to the variant that executes the "command" command via Console Taskpad. | ALERTS | VIRUS |
| 20.2.25 | Nigerian threat actor distributes XLogger malware | A malware campaign by a Nigerian threat actor has been observed distributing XLogger malware. The campaign begins with harvesting email addresses using Google dorking techniques and setting up spoofed domains with bulletproof hosting. Users are lured through phishing emails crafted with ChatGPT containing RAR attachments with executable files. Upon execution, a PowerShell script decrypts the malware payload which then exfiltrates stolen data to a Telegram channel. | ALERTS | VIRUS |
| 19.2.25 | In a recent report published by Palo Alto Networks, links to a variant of Bookworm malware were uncovered based on activity of the Fireant (aka Stately Taurus) group impacting Southeast Asian countries. Per the report, Bookworm is a modular Trojan first observed in 2015, with no previous group attribution. Original Bookworm malware leveraged DLL sideloading to decrypt and launch attacker shellcode. In more recent variants, the shellcode is formatted as UUID strings, which is then decoded into binary data and launched via legitimate API functions, discarding the use of sideloading altogether. | ALERTS | VIRUS | |
| 19.2.25 | ACR Stealer malware leverages Dead Drop Resolver (DDR) technique | ACR Stealer is a C++based infostealing malware variant discovered initially in early 2024. The malware is known to be advertised for sale in the form of a Malware-as-a-Service (MaaS) offering. ACR Stealer is believed to be an updated variant of on older infostealer called GrMsk Stealer. Functionality-wise the malware targets collection and exfiltration of miscellaneous sensitive data including system information, credentials, browser cookies, configuration files of 3rd party apps, cryptocurrency wallets, etc. | ALERTS | VIRUS |
| 18.2.25 | Recent RedCurl (aka EarthKapre) APT activity | RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain has been initiated via crafted PDF malspam leading to ZIP compressed .img binaries. Upon execution/mounting of the .img file, a malicious .dll binary is sideloaded onto the compromised endpoint. After successful infection, the threat actors have been observed to execute SysInternals Active Directory Explorer (AD Explorer) tool for data collection and later to utilize Cloudflare Workers infrastructure for C2 purposes. | ALERTS | APT |
| 17.2.25 | CipherLocker Ransomware | CipherLocker is a new ransomware variant identified in the wild. The malware encrypts user data and appends .clocker extension to the locked files. The ransom note is dropped in form of a text files called "README.txt" and contains instructions for the victims including attackers' email contact details. CipherLocker has the capability to delete both Volume Shadow copies and the backup files on the infected endpoints. | ALERTS | RANSOM |
| 14.2.25 | Zhong Stealer malware spread via social engineering | Zhong Stealer is a malware variant recently spread in a distribution campaign targeting fintech and cryptocurrency sectors. The attackers have been leveraging chat platforms to open tickets with various support teams and supplying .zip archives with malicious binaries to unsuspecting support staff. One of the payloads distributed this way was Zhong Stealer which is used by the threat actors to collect and exfiltrate confidential data such as credentials from the infected endpoints. | ALERTS | VIRUS |
| 14.2.25 | Vgod Ransomware | Vgod is a new ransomware variant recently identified in the wild. Upon file encryption the malware appends .vgod extension to the encrypted files. The ransom note is dropped in form of a text file called “Decryption Instructions.txt” with the attackers asking the victims to contact them for decryption instructions. Vgod ransomware also changes the desktop wallpaper on the infected machine to indicate to the victim that the files have been encrypted. | ALERTS | RANSOM |
| 14.2.25 | Lynx Ransomware, established in 2024 | Lynx ransomware was first observed in mid-2024 and is believed to be a successor of INC ransomware, according to a recent report by Fortinet. Lynx has been observed targeting Windows systems across multiple industries around the world. Per the report, The United States has seen the majority of victims while Canada and the United Kingdom are a distant second. Manufacturing and construction industries make up almost half of the victims. | ALERTS | RANSOM |
| 14.2.25 | Xelera Ransomware | Xelera is a Python-based ransomware variant recently distributed in campaigns targeting potential job applicants to Food Corporations of India (FCI), which is a public sector company. The attackers leverage fake job description/notification documents to lure the potential victims. The campaign spreads PyInstaller executables containing both a Discord bot and ransomware components. The dropped Discord bot is used among others for privilege escalation, system information exfiltration, locking down the system as well as theft of credentials stored in web browsers. Alongside the Xelera ransomware components deployment, the attackers also utilize a MEMZ tool which is a MBR corruption utility. | ALERTS | RANSOM |
| 13.2.25 | DEEP#DRIVE attack campaign | DEEP#DRIVE is a recently discovered malicious campaign targeting enterprises, government entities and cryptocurrency users from South Korea. The attackers leverage phishing emails containing zip archives with shortcut .lnk files disguised as legitimate documents (in PDF, HWP or MS Office formats). Further attacks stages rely on PowerShell scripts execution, establishing persistence on the targeted endpoints as well as download of Dropbox-hosted payloads. | ALERTS | CAMPAIGN |
| 13.2.25 | RevivalStone malware campaign deploys new Winnti variant | A malware campaign dubbed RevivalStone has been identified targeting Japanese organizations in the manufacturing and energy sectors. The campaign is attributed to the China-linked APT group APT41 which is deploying a new variant of the infamous Winnti malware. The attack vector begins with the exploitation of SQL injection vulnerabilities in web-facing ERP systems allowing attackers to deploy web shells and gain initial access. Once inside the network, the threat actors deploy an updated version of Winnti malware which includes a rootkit for maintaining persistence and encrypted communication channels to avoid detection. | ALERTS | VIRUS |
| 13.2.25 | Destiny Stealer | There is no shortage of stealers in the threat landscape, and Destiny Stealer is a new one being advertised with Symantec observing testing activities. This malware is a run-of-the-mill infostealer designed to harvest login credentials from web browsers and applications, exfiltrate specific file types like documents and images, and steal FTP credentials. Like many other stealers, it also targets cryptocurrency wallets such as Exodus, Blockchain.com, Binance, and MetaMask. Additionally, it gathers system information, monitors clipboard activity for sensitive data. Destiny Stealer follows the typical playbook of modern infostealers, incorporating generic anti-detection mechanisms. | ALERTS | VIRUS |
| 13.2.25 | Phishing campaigns target Ukraine's banking sector with SmokeLoader malware | Phishing campaigns specifically targeting Ukraine's automotive and banking sectors using SmokeLoader malware have been observed in the wild. One such campaign targets customers of PrivatBank, Ukraine’s largest state-owned bank. Users are lured with financial-themed documents such as fabricated invoices and account statements to increase interaction and compromise systems. The campaign leverages password-protected archives containing malicious JavaScript, VBScript and LNK files to evade detection. SmokeLoader malware is deployed via process injection and PowerShell execution with the goal of stealing credentials and financial data while maintaining persistent access to compromised systems. | ALERTS | PHISHING |
| 13.2.25 | Library-ms files seen abused in recent malspam campaign | Symantec has recently observed a malspam campaign utilizing library-ms attached files. Library-ms files allow users to view contents of multiple directories within a single file explorer view. Through the creation of legitimate local file explorer windows that utilize remote WebDAV servers threat actors serve malicious LNK files to unsuspecting victims. Once executed it allows further infection with additional malware of the attackers choice. | ALERTS | SPAM |
| 12.2.25 | CVE-2024-20767 - Path Traversal Vulnerability in Adobe ColdFusion | In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Adobe ColdFusion vulnerability CVE-2024-20767 to its Known Exploited Vulnerabilities (KEV) catalog. This "Path Traversal" flaw allows an attacker to bypass pathname restrictions, potentially leading to arbitrary file system reads. The vulnerability, with a CVSS score of 7.4, affects ColdFusion versions 2023.6, 2021.12 and earlier and requires an exposed admin panel for exploitation. Experts have noted the availability of a proof-of-concept (PoC) exploit code. Adobe has since released out-of-band security updates to mitigate this critical issue. | ALERTS | VULNEREBILITY |
| 12.2.25 | FINALDRAFT malware discovered in REF7707 campaign | A new malware variant named FINALDRAFT has been discovered as part of the REF7707 campaign targeting the Foreign Ministry of a South American nation. The malware exists in both Windows and Linux variants and leverages Microsoft’s Graph API service for command and control operations. Additionally, the campaign utilizes PATHLOADER and GUIDLOADER malware to download and execute encrypted shellcodes directly in memory. | ALERTS | VIRUS |
| 11.2.25 | China-linked espionage tools used in ransomware attacks | Tools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company. During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks. While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity. | ALERTS | RANSOM |
| 11.2.25 | Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns | According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has been recently engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in efforts aimed at distribution of a new BackOrder loader variant. This new variant utilizes various LOLbin binaries as one of the defence evasion measures. The final payload spread in this campaign belongs to the Dark Crystal RAT (DcRAT) malware family and can be used by the threat actors for cyber espionage and sensitive data exfiltration. | ALERTS | APT |
| 11.2.25 | Cryptocurrency mining malware distributed via USB | Cryptocurrency mining malware has spread to victims through USB propagation in South Korea. In addition to infection persistence through USB, further characteristics that maximize infection via system settings modifications, and security bypass techniques have been observed. In particular the CoinMiner malware employs techniques such as C2 server communications, DLL sideloading for execution bypass, detection evasion via Windows Defender exception settings, and disabling of hibernation status for optimum mining performance. | ALERTS | CRYPTOCURRENCY |
| 10.2.25 | China-Linked threat actors target IIS servers with BadIIS malware | According to reports from Trend Micro, threat actors have been observed targeting Internet Information Services (IIS) servers as part of an SEO manipulation campaign designed to deploy BadIIS malware. The campaign believed to be linked to China-based threat actors specifically targets servers in Asia. As part of the attack users are redirected to illegal gambling websites or rogue servers hosting malware or credential-harvesting pages with the ultimate goal of financial gain. | ALERTS | VIRUS |
| 10.2.25 | Astral Stealer malware | Astral Stealer is an infostealing malware advertised as a fork of older malware strains dubbed Hazard Grabber and Wasp Stealer. Astral Stealer is used to collect and exfiltrate a wide variety of sensitive information including system information, credentials, banking related data, web browser data, cookies, clipboard content, cryptocurrency wallets, 3rd party app data, files, tokens and others. The malware has the capabilities for antivirus evasion, VM/sandbox environment detection as well as some persistence mechanisms. The exfiltration of the collected data might happen over the attacker-controlled command and control channels or via webhooks. | ALERTS | VIRUS |
| 10.2.25 | SapphireRAT malware | A new phishing campaign has been observed targeting Latin American organizations using fake judicial late fee receipts to distribute SapphireRAT malware. The threat actor provides detailed instructions on how to review and sign the relevant document attempting to add legitimacy to the email. However, these instructions include a URL that redirects the recipient to a malicious domain. This domain is specifically designed to host and deliver the SapphireRAT malware, furthering the attacker's objective of compromising the recipient's system. | ALERTS | VIRUS |
| 10.2.25 | FinStealer mobile banking malware | A new mobile malware variant dubbed FinStealer has been identified in the wild. Spread via phishing campaigns or unofficial mobile app repositories, the malware binaries are disguised as mobile apps impersonating legitimate banking institutions. FinStealer will extract various banking information, credentials, credit card numbers and other PII (Personally Identifiable Information) from the victims. The malware is coded in Kotlin which is a cross-platform high-level programming language compatible with Java. The attackers extract the collected data via Telegram bots as well as via controlled C&C infrastructure. | ALERTS | VIRUS |
| 10.2.25 | SparkCat: Cross-Platform malware targets Crypto Wallets via OCR on Android and iOS. | A new malware campaign dubbed SparkCat has been discovered targeting both Android and iOS users through official and unofficial app stores, affecting users across Europe and Asia. The malware employs OCR technology to scan users' image galleries for cryptocurrency wallet recovery phrases. It leverages Google’s ML Kit for OCR and communicates with command-and-control (C2) servers using a custom Rust-based protocol. | ALERTS | VIRUS |
| 07.2.25 | Old Telerik UI RCE vulnerability leveraged for JuicyPotatoNG distribution | The exploitation of an almost six-year-old Telerik UI RCE vulnerability (CVE-2019-18935) has been observed recently in the wild. The flaw is a .NET JSON deserialization vulnerability affecting Telerik UI for ASP.NET AJAX, that if successfully exploited could allow for a remote code execution. The attackers have been targeting vulnerable web servers in an effort to deliver malicious reverse shells alongside of the JuicyPotatoNG privilege escalation tool. The attacker efforts aim at reconnaissance of potential victims and information collection about the targeted environments. | ALERTS | VULNEREBILITY |
| 07.2.25 | FleshStealer malware | FleshStealer is a new infostealer variant recently identified in the wild. The malware targets Chromium-based web browsers for information extraction (including passwords, cookies, etc.). Other infostealing functionalities allow this malware to perform cryptowallet theft as well as exfiltration of two-factor authentication (2FA) passwords or Wifi network credentials. FleshStealer features advanced encryption mechanisms as well as detection capabilities for the presence of debugging tools or VM environments. Sale of this malware has been promoted by threat actors via Telegram and Discord platforms. | ALERTS | VIRUS |
| 07.2.25 | Infostealers targeting macOS on the rise | A recent report from Unit42 by Palo Alto Networks highlights a surge in activity related to infostealers on macOS. The report identifies three particular malware families, Atomic Stealer, Cthulhu Stealer, and Poseidon Stealer, as some of the most prevalent examples. These three families are sold as malware as a service. | ALERTS | VIRUS |
| 07.2.25 | CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine | According to recent report from Trend Micro, a zero-day vulnerability in 7-Zip identified as CVE-2025-0411 has been exploited in a cyberespionage campaign targeting Ukrainian organizations. This vulnerability allows attackers to bypass Windows Mark-of-the-Web protections by double-archiving files thereby evading essential security checks and enabling the execution of malicious content. Russian-linked threat actor groups have actively leveraged this flaw through spear-phishing campaigns using homoglyph attacks to spoof document extensions and trick users into executing the malicious files. | ALERTS | VULNEREBILITY |
| 06.2.25 | North Korean hackers deploy FlexibleFerret malware to target macOS developers | A newly discovered malware strain dubbed FlexibleFerret has been identified as part of an ongoing North Korean Contagious Interview campaign. In this attack Threat Actors trick victims into installing malware disguised as meeting software updates like VCam or Chrome through the job interview process. Unlike other variants of the macOS malware family, FlexibleFerret was signed with a valid Apple Developer signature and Team ID, and contains other elements that make it appear to be legitimate software. This appearance of legitimacy lends to establish persistence, enabling remote access and leading to cryptocurrency theft. | ALERTS | VIRUS |
| 05.2.25 | MMS phishing campaign targeting users with fake shipping PDFs | A phishing campaign has been recently reporting targeting users with MMS messages with attached PDFs. The messages attempt spoof popular delivery services in order to convince victims to open the attached PDF. When opened the victim is prompted with a screen requesting they 'unlock' the file visiting by visiting a malicious page controlled by the attackers and entering their credentials. | ALERTS | PHISHING |
| 05.2.25 | CVE-2024-52875 - KerioControl CRLF injection vulnerability | CVE-2024-52875 is a recently discovered critical CRLF injection vulnerability affecting GFI KerioControl network security solution in versions 9.2.5 through 9.4.5. Successful exploitation of this flaw might allow attackers to inject malicious JavaScript code and lead to CSRF token theft and arbitrary code execution within the context of the vulnerable application. According to recently published reports, the vulnerability has been actively exploited in the wild. The product vendor already released a patch version "9.4.5 Patch 1" to address this vulnerability. | ALERTS | VULNEREBILITY |
| 05.2.25 | CVE-2023-48365 - Qlik Sense HTTP Tunneling vulnerability reported as exploited in the wild | CVE-2023-48365 is a bypass vulnerability to the original fix for an older flaw CVE-2023-41265 in Qlik Sense Enterprise product. The vulnerability might allow unauthenticated attackers to perform remote code execution even after applying the patches for CVE-2023-41265 and CVE-2023-41266 flaws. The product vendor has already released a new patch addressing this bypass by an updated filtering mechanism which is less prone to HTTP request tunneling attacks. This vulnerability has been just recently added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. | ALERTS | VULNEREBILITY |
| 04.2.25 | CVE-2024-57727 - SimpleHelp Directory Traversal vulnerability | CVE-2024-57727 is a high severity (CVSS score 7.5) directory traversal vulnerability affecting SimpleHelp remote support software in version 5.5.7 or older. If successfully exploited the flaw might allow unauthenticated attackers to download arbitrary files from the SimpleHelp servers, including configuration files containing hashed passwords for the SimpleHelpAdmin account or other accounts. | ALERTS | VULNEREBILITY |
| 03.2.25 | Attack Campaign targets Brazilian financial sector with Coyote Banking Trojan | A multi-stage attack campaign leveraging LNK files to deploy the Coyote Banking Trojan has been reported, primarily targeting Brazilian financial applications. As part of the attack vector the malware uses PowerShell commands, shellcode injection and registry modifications to maintain persistence and evade detection. The malware has capabilities such as keylogging, screenshot capture and displaying phishing overlays. It monitors user activity, steals sensitive data from targeted websites and exfiltrates it to the attacker's C2 servers. | ALERTS | VIRUS |
| 31.1.25 | SparkRAT - a cross-platform modular malware | SparkRAT is a Golang-based modular malware variant initially discovered back in 2022. With its cross-platform support it targets various architectures including Windows, macOS, and Linux. The malware was used in various targeted cyber espionage operations just last year. | ALERTS | VIRUS |
| 31.1.25 | Windows Locker ransomware | A new variant of the Windows Locker ransomware has been identified in the wild. The malware encrypts user data and appends .winlocker extension to the locked files. A ransom request is dropped in form of a text file "Readme.txt" with information on how to contact the threat actors and on how to pay the ransom demands. Windows Locker ransomware has the functionality to maintain persistence, disable firewall and task manager as well as to delete backups and volume shadow copies on the compromised machine. | ALERTS | RANSOM |
| 29.1.25 | Aquabot v3 - a new Mirai variant in the field | A new Mirai malware variant dubbed Aquabot v3 has been observed in the wild. The malware has been reported to exploit CVE-2024-41710 which is a command injection vulnerability affecting various Mitel devices. The malware is also able to exploit some older vulnerabilities affecting Hadoop YARN or various Linksys devices. Aquabot v3 supports a wide range of architectures including x86 and ARM. Functionality-wise the malware is predominately used for initiating DDoS attacks from the compromised devices. | ALERTS | BOTNET |
| 29.1.25 | Recent activities of the GamaCopy threat group | A new malicious activity attributed to the GamaCopy threat group has been reported in the wild. The TTPs utilized by the group share certain degree of overlap with another APT called Core Werewolf and the discovered activity mimics some of the older attacks conducted by the Shuckworm (aka Gamaredon) APT. The attackers leverage self-extracting (SFX) archive files to deliver decoy .PDF documents alongside of UltraVNC remote desktop tool used for remote access to the compromised endpoints. | ALERTS | GROUP |
| 29.1.25 | TorNet backdoor | TorNet is a new backdoor variant spread within an ongoing malicious campaign targeting prevalently Germany and Poland. The threat actors responsible have also been distributing various other malware payloads including Agent Tesla and Snake Keylogger. According to the recent Cisco Talos report, the attack chain leverages phishing emails disguised as correspondence from financial institutions and manufacturing or logistics companies. | ALERTS | VIRUS |
| 28.1.25 | New Lumma Stealer campaign using fake Captchas | A new malware campaign that leverages fake CAPTCHA verification checks to deliver Lumma Stealer has been observed. This campaign has targeted victims from around the world (Argentina, Colombia, U.S., Philippines etc.) and across various industries (such as financial institutions, healthcare, marketing and telecom organizations). | ALERTS | VIRUS |
| 27.1.25 | GTA VI Hype Exploited: Malware Masquerades as Early Alpha Access | The hype surrounding popular games often becomes a breeding ground for cybercrime, and Grand Theft Auto VI is no exception. A highly anticipated next installment in Rockstar Games' iconic open-world action-adventure series. Officially announced in December 2023, the game is set to release in late 2025 for PlayStation and Xbox. | ALERTS | EXPLOIT |
| 27.1.25 | Phishing Campaign Targets Workplace Anxiety: Email Credentials at Risk | A recent phishing campaign leverages workplace fears and urgency in an attempt to steal email credentials. The attack begins with an email titled "Employment Termination lists and new admin position 2025" and an attached malicious HTML file (Staff Employment Termination listsPDF.html) disguised as an important workplace document. When opened, the attachment displays a fake login page, crafted to resemble a legitimate email login portal. | ALERTS | PHISHING |
| 24.1.25 | CVE-2024-50603 - Aviatrix Controller RCE vulnerability exploited in the wild | CVE-2024-50603 is a critical (CVSS score 10.0) remote code execution vulnerability affecting Aviatrix Controller which has been recently reported as being exploited in the wild. The flaw results due to improper neutralization of user-supplied input and if exploited might allow remote unauthenticated attackers with arbitrary code execution. Product vendor has already addressed this vulnerability in patched versions 7.1.4191 and 7.2.4996. | ALERTS | VULNEREBILITY |
| 24.1.25 | PhaaS kit Sneaky 2FA | Phishing-as-a-service (PhaaS) kit dubbed Sneaky 2FA has been observed targeting Microsoft 365 accounts by sending payment type related emails luring recipients into opening fake receipt PDFs containing a QR code that upon scanning redirects to a Sneaky 2FA phishing page. The phishing pages are hosted on a compromised infrastructure, primarily involving WordPress websites and other domains controlled by the Threat Actor. The bogus authentication page(s) are designed to automatically populate the victim's email address to elevate their appearance of legitimacy. | ALERTS | PHISHING |
| 24.1.25 | LucKY Gh0$t Ransomware | A ransomware actor operating under the name LucKY Gh0$t has been observed in the threat landscape. The ransomware they employ is a Chaos variant that appends encrypted files with a .[4 random characters] extension. This threat is being spread via drive-by downloads, disguised as a fake ChatGPT desktop version ("ChatGPT 4.0 Full Version - Premium.zip"). | ALERTS | RANSOM |
| 23.1.25 | Murdoc botnet, a Mirai variant | A new Mirai variant dubbed Murdoc botnet has been discovered in a recently observed campaign. The campaign leverages ELF binaries and shell scripts to target various *nix based systems, such as IoT devices and IP cameras, among others. The shell scripts are deployed to the devices to download and execute the Murdoc botnet payloads from the C2 servers. | ALERTS | BOTNET |
| 22.1.25 | Groups targeting users with Email bombing and vishing campaigns | Researchers have discovered two groups behind malware campaigns involving email-bombing, Microsoft Teams communication, and remote-control tools. These attacks begin with targeted email-bombing campaigns and continue with the attackers contacting the victims via Teams, posing as IT staff. They then tell the victim they can resolve the recent spam issue by using the Teams screen-sharing option or "Quick Assist." Once remote access is established the groups diverge in tactics, one utilizes Java/Python threats to further the infection, while the other employs side-loading DLLs. | ALERTS | GROUP |
| 22.1.25 | Nnice Ransomware | Nnice is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends “.xdddd” extension to the encrypted files. Beside dropping the ransom note in form of a “Readme.txt" text file, the ransomware also changes the desktop wallpaper to indicate that the user files have been encrypted and ransom is demanded from the victim. | ALERTS | RANSOM |
| 22.1.25 | Silent Lynx: New cyber threat group targeting government and financial entities in Kyrgyzstan | A new threat group dubbed Silent Lynx has been discovered targeting organizations in Kyrgyzstan and neighboring countries. The group employs a range of techniques such as malicious email attachments, decoy documents and persistence mechanisms to maintain access to compromised systems. Silent Lynx uses sophisticated multi-stage attack methods including ISO files, C++ loaders, PowerShell scripts and Golang implants, primarily targeting government entities, banks and diplomatic operations while leveraging UN-themed lures and employee bonus schemes to deceive victims. For command and control and data exfiltration, Silent Lynx relies on Telegram bots. | ALERTS | GROUP |
| 21.1.25 | MintsLoader campaign targets energy sector with StealC and BOINC malware | MintsLoader is a sophisticated malware loader that employs advanced techniques to evade detection and enhance its operational effectiveness. Impacted sectors include Electricity, Gas and Oil industries as well as Law firms and Legal service industries all within the U.S. and Europe. The infection process begins when a victim clicks on a link in a phishing email, triggering the download of malicious JScript files, leading to the deployment of secondary payloads like StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client. The combination of these payloads allows for the consumption of sensitive data from browsers, applications, crypto-wallets, and then the exfiltration to C2 server. | ALERTS | VIRUS |
| 21.1.25 | New Tanzeem Android Malware courtesy of DoNot Team | Threat actor APT group known as DoNot Team has been linked to a new Tanzeem Android malware. This malicious Android app primarily uses OneSignal which is a popular customer engagement platform used by organizations to send push notifications, emails, in-app messages, and SMS messages. Once installed the malicious app displays a fake chat screen prompting the victim to click a button named "Start Chat". Doing so triggers a message that instructs the victim to grant permissions to the accessibility services API, thus allowing it to perform various nefarious actions. This further access facilitates the collection of added sensitive information such as call logs, contacts, SMS messages, precise locations, account information, and files present in external storage. Some of the other features include capturing screen recordings and establishing connections to C2 server. | ALERTS | VIRUS |
| 21.1.25 | Redtail Cryptocurrency Mining Malware | Redtail is an adaptable malware that stealthily installs itself on compromised systems utilizing advanced tactics to persist and exploit systems for unauthorized cryptocurrency mining. It is capable of running on various CPU architectures by utilizing two extra scripts: one script identifies the CPU architecture of the victim system ensuring compatibility for the malware, and a second script removes any other competing crypto-mining software that may already exist on the compromised system. This dual approach tactic maintains persistence and works towards evading detection. | ALERTS | CRYPTOCURRENCY |
|
20.1.25 | PNGPlug loader leveraged for ValleyRAT distribution | A new ValleyRAT malware distribution campaign has been reported in the wild. The attackers leverage a new multi-stage loader dubbed PNGPlug within the observed attack chain. The deployed ValleyRAT payload has the functionality for deployed shellcode execution, download of additional arbitrary components, etc. This campaign has been attributed to the Silver Fox APT group and observed to be targeting various companies in several Chinese-speaking regions. | ALERTS | VIRUS |
|
20.1.25 | AIRASHI - a large scale DDoS botnet | Airashi is a variant of the Aisiru botnet observed in the wild last year. The botnet is known to be spread via exposed vulnerabilities as well as through exploitation of weak Telnet credentials. Airashi can be used by attackers to conduct a wide variety of DDoS attacks. Several strains of the botnet binaries also support additional functionalities such as command execution or proxy services. | ALERTS | BOTNET |
|
18.1.25 | Threat actors reusing legitimate government documents to deliver malware | A malware campaign has been linked to nation state actors targeting countries in Central Asia for information gathering. The attacks utilizes legitimate government documents to deliver the malware. | ALERTS | VIRUS |
|
18.1.25 | CVE-2024-55591 - Fortinet FortiOS Authorization Bypass vulnerability | CVE-2024-55591 is a recently discovered authorization bypass vulnerability affecting Fortinet FortiOS and FortiProxy products. Successful exploitation of the flaw could allow remote attackers to obtain super-admin privileges on the vulnerable devices via crafted requests to Node.js websocket module. | ALERTS | VULNEREBILITY |
|
18.1.25 | CVE-2024-12686 - BeyondTrust vulnerability exploited in the wild | CVE-2024-12686 is a recently disclosed OS command injection vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. | ALERTS | VULNEREBILITY |
|
18.1.25 | Recent malicious activities of the Fireant APT group | Fireant (aka RedDelta, Mustang Panda) advanced persistent threat (APT) group has been targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia in recent campaign spreading an updated variant of the PlugX backdoor. | ALERTS | APT |
|
18.1.25 | Ottercookie observed being used by nation states to steal crypto currency | OtterCookie, an infostealer designed to steal crypto currency information, has recently been observed in use by nation state actors. | ALERTS | CRYPTOCURRENCY |
|
18.1.25 | LDAP vulnerability PoC is actually just an infostealer | CVE-2024-49113 is a vulnerability affecting Microsoft Windows Lightweight Directory Access Protocol (LDAP) which was patched in December. In a recent campaign, attackers have been observed distributing infostealer malware disguised as proof-of-concept (PoC) code for this vulnerability. The fake PoC leverages dropped/downloaded scripts to exfiltrate system information via FTP. | ALERTS | VULNEREBILITY |
|
10.1.25 | CVE-2024-55550 - Mitel MiCollab Path Traversal vulnerability | VE-2024-55550 is a newly disclosed path traversal vulnerability affecting Mitel MiCollab collaboration tool versions 9.8 SP1 FP2 and earlier. | ALERTS | VULNEREBILITY |
|
10.1.25 | New variant of Banshee Stealer targets macOS users | A new and updated variant of the macOS-based infostealer malware dubbed Banshee Stealer has been detected in the wild. | ALERTS | VIRUS |
|
10.1.25 | Funksec Ransomware | Funksec (aka Funklocker) is another double-extortion ransomware actor that surfaced in late 2024 and allegedly claimed multiple organizations as victims. | ALERTS | RANSOM |
|
10.1.25 | Latest HexaLocker ransomware attacks leverage Skuld Stealer for data extraction | A new updated variant of the Go-based HexaLocker ransomware has been discovered in the wild. The new strain has the functionality to download infostealer malware called Skuld Stealer, in an effort focused on extraction of confidential data from the infected endpoint. | ALERTS | RANSOM |
|
10.1.25 | CVE-2025-0282 - Ivanti Connect Secure vulnerability exploited in zero-day attacks | CVE-2025-0282 is a newly disclosed critical (CVSS score 9.0) stack-based buffer overflow vulnerability affecting Ivanti Connect Secure. If successfully exploited, it could allow unauthenticated attackers to execute arbitrary code on the vulnerable instances. | ALERTS | VULNEREBILITY |
|
10.1.25 | Old Oracle WebLogic Deserialization vulnerability (CVE-2020-2883) exploited in the wild | CVE-2020-2883 is a 2020 deserialization vulnerability affecting unpatched Oracle WebLogic servers. If successfully exploited, it could allow remote code execution by unauthenticated attackers via specially crafted T3 port network requests. | ALERTS | VULNEREBILITY |
|
10.1.25 | XWorm Middle East Campaign: Fake Mossad Intelligence Reports Used as Lures | As tensions in the Middle East remain high, particularly following recent events in Syria, threat actors are exploiting the volatile situation to target organizations and individuals both within the region and globally, leveraging the allure of sensitive intelligence to entice victims. | ALERTS | VIRUS |
|
10.1.25 | FireScam mobile malware | FireScam is a mobile malware variant recently discovered in the wild. The malware is distributed via a phishing website and under the disguise of Telegram Premium app. | ALERTS | VIRUS |
|
10.1.25 | KGB Keylogger Targets Companies with Fake Russian Ministry-Themed Emails | During the second half of December 2024, an actor has been targeting companies with malicious emails enticing users with a Ministry of Industry and Trade of the Russian Federation (Минпромторг России) social engineering ploy along with the use of a malicious .scr file (Письмо в МНТЦ и ЦРП.scr). | ALERTS | VIRUS |
|
3.1.25 | Nitrogen Ransomware | The double-extortion ransomware group known as Nitrogen has been very active over the past four months, targeting organizations across diverse sectors such as construction, financial services, manufacturing, and technology. | ALERTS | RANSOM |