HOT NEWS 2025
| DATE | NAME | INFO | CATEGORY | SUBCATE |
|---|---|---|---|---|
| 30.10.25 | NetSupport RAT | Unpacking NetSupport RAT Loaders Delivered via ClickFix | MALWARE | RAT |
| 30.10.25 | Remcos | Fileless Remcos Attacks on the Rise | MALWARE | Fileless |
| 30.10.25 | Atroposia | Atroposia is a stealthy RAT with HRDP, credential theft, DNS hijacking & fileless exfiltration — aka cybercrime made easy for low-skill attackers. | MALWARE | RAT |
| 30.10.25 | CVE-2025-40778 | October 24 Advisory: BIND 9 Resolver Enables Cache Poisoning Via Unsolicited Answers [CVE-2025-40778] | VULNERABILITY | |
| 30.10.25 | UTG-Q-010 | Cyber Warfare Amidst Gold's Skyrocketing Price: UTG-Q-010 Group's Supply Chain Attack Strike Directly at the Heart of HongKong's Financial Market | GROUP | GROUP |
| 30.10.25 | Authenticated SMTP users may spoof other identities due to ambiguous “From” header interpretation | Email message header syntax can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC. These exploits enable attackers to deliver spoofed emails that appear to originate from trusted sources. | ALERT | ALERT |
| 30.10.25 | Midnight Ransomware | Decrypted: Midnight Ransomware | Anti-Ransom Tool | Anti-Ransom Tool |
| 30.10.25 | PureHVNC | LATAM baited into the delivery of PureHVNC | MALWARE | RAT |
| 30.10.25 | PhantomRaven | PhantomRaven: NPM Malware Hidden in Invisible Dependencies | MALWARE | npm |
| 30.10.25 | CVE-2017-9841 | A remote code execution vulnerability in PHPUnit | VULNERABILITY | |
| 30.10.25 | CVE-2021-3129 | A remote code execution vulnerability in Laravel | VULNERABILITY | |
| 30.10.25 | CVE-2022-47945 | A remote code execution vulnerability in ThinkPHP Framework | VULNERABILITY | |
| 29.10.25 | AI-targeted Cloaking Attack | OpenAI’s new browser Atlas falls for AI-targeted Cloaking Attack | ATTACK | AI |
| 29.10.25 | CVE-2025-6204 | (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code. | VULNERABILITY | |
| 29.10.25 | CVE-2025-6205 | (CVSS score: 9.1) - A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application. | VULNERABILITY | |
| 29.10.25 | CVE-2025-24893 | (CVSS score: 9.8) - An improper neutralization of input in a dynamic evaluation call (aka eval injection) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. | VULNERABILITY | |
| 29.10.25 | TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition | Trusted execution environments (TEEs) aim to offer strong privacy and integrity guarantees even in the presence of root-level attackers capable of arbitrarily modifying the system’s software. | ATTACK | RAM |
| 29.10.25 | Herodotus | New Android Malware Herodotus Mimics Human Behaviour to Evade Detection | MALWARE | Android |
| 29.10.25 | BlueNoroff | Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs | APT | APT |
| 29.10.25 | CVE-2025-2783 | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) | VULNERABILITY | |
| 29.10.25 | Mem3nt0 mori | Mem3nt0 mori – The Hacking Team is back! | APT | APT |
| 28.10.25 | DarkCloud Campaign Targets Thailand and Turkey in Dual-Variant Operation | Symantec has observed two concurrent DarkCloud campaigns leveraging the same PE payload distributed via a RAR archive. Both campaigns share identical execution chains and TTPs, but differ in regional focus, language localization, and spoofed organizations. | CAMPAIGN | |
| 28.10.25 | Agent Tesla campaign impersonates WeTransfer to phish wide range of targets | Symantec has observed a new Agent Tesla campaign that uses WeTransfer-themed lures to deliver a 7z archive containing the malware. The campaign targets a wide range of sectors, including Technology and IT (global and Taiwan), Finance and Banking (UK), Manufacturing and Electric industries, News and Media (South Africa and Israel), Education (Falkland Islands), and other commercial sectors across multiple countries — indicating opportunistic, broad targeting rather than a single vertical. | | |
| 28.10.25 | Dark Vision campaign: Procurement email → fake PDF update → LZH archive → signed PE + DLL | A new Dark Vision campaign uses procurement-themed social engineering to push victims from a PDF to an LZH archive hosted on domain. The archive extracts a signed 64-bit executable (InstCont.exe) which side-loads a 64-bit DLL (Instup.dll). Targets observed across manufacturing, construction & tech sectors in Taiwan, Germany, the U.S., and Sweden. | CAMPAIGN | |
| 28.10.25 | Key Insights of Qilin RaaS Operations | The Qilin threat group operates a very prolific Ransomware-as-a-Service (RaaS) business model. A report by researchers at Cisco Talos provides highlights of recent Qilin activity. North America and Europe are the most targeted regions, with manufacturing, professional and scientific services, and wholesale trade as the most impacted industries. | ALERTS | RANSOM |
| 28.10.25 | Phishing campaign impersonates Exness to steal trading account credentials | Founded in 2008, Exness is a global online multi-asset broker that provides clients with the opportunity to trade Contracts for Difference (CFDs) across a variety of financial instruments, including forex, cryptocurrencies, indices, commodities and stocks. | PHISHING | |
| 28.10.25 | Phishing Campaign: Austrian Data Protection Authority (DSB) Impersonated to Target Local Organizations | Symantec has observed a phishing campaign that is targeting organizations across Austria by impersonating the Österreichische Datenschutzbehörde (Austrian Data Protection Authority). It targets multiple sectors including finance, insurance, IT consulting, manufacturing, healthcare, and public services. | PHISHING | |
| 28.10.25 | Seedworm deploys Phoenix v4 in targeted espionage campaign | Group-IB has reported a new malware campaign by the Iran-linked APT group Seedworm (aka MuddyWater) deploying the Phoenix v4 backdoor, primarily targeting government, defense and international organizations in the Middle East with spillover activity across Europe, Africa and North America. | CAMPAIGN | |
| 28.10.25 | TollBooth - a new IIS backdoor variant | A new campaign exploiting misconfigured Windows Internet Information Services (IIS) servers across the globe has been reported by the researchers from Elastic Security Labs. The initial compromise leveraged IIS web servers using ASP.NET machine keys - cryptographic keys used for encryption and data validation - that were exposed in publicly shared resources. | VIRUS | |
| 28.10.25 | Brimstone APT distributes NoRobot & MaybeRobot malware | The state-sponsored threat group Brimstone (also known as ColdRiver, UNC4057, Star Blizzard, and Callisto) rapidly overhauled its operations following the May 2025 public disclosure of its LostKeys malware as reported by the researchers from Google. | APT | |
| 28.10.25 | CVE-2025-33073 - SMB Client Privilege Escalation vulnerability exploited in the wild | CVE-2025-33073 is a high severity (CVSS score 8.8) privilege escalation vulnerability in the Windows Server Message Block (SMB) Client that was disclosed in June 2025. | VULNERABILITY | |
| 28.10.25 | CVE-2025-41243 - Spring Cloud Gateway WebFlux vulnerability | CVE-2025-41243 is a recently disclosed high severity (CVSS score 8.1) remote code execution vulnerability affecting Spring Cloud Gateway WebFlux, an API gateway built on the reactive Spring WebFlux framework. | VULNERABILITY | |
| 28.10.25 | Vidar Stealer 2.0 | Released in early October 2025, Vidar Stealer has been fully rewritten in the C programming language and now runs multithreaded, allowing it to complete data-collection tasks far faster and more efficiently than before. | VIRUS | |
| 28.10.25 | Caminho LaaS: Stealthy malware delivery via Image Steganography | Arctic Wolf reported a new Loader-as-a-Service (LaaS) operation called Caminho, which originates in Brazil and leverages LSB steganography to conceal malicious payloads within image files. It is primarily delivered via spear-phishing emails carrying malicious JavaScript or VBScript files; when those scripts are executed, the loader retrieves an image containing a hidden payload, extracts it using LSB techniques and runs it directly in memory. | VIRUS | |
| 28.10.25 | Warlock Ransomware | The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after it was discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025. Warlock is an unusual threat. | RANSOM | |
| 28.10.25 | ToolShell exploit used in recently disclosed attacks | China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025. The same threat actors also compromised two government departments in the same African country during the same time period. | EXPLOIT | |
| 28.10.25 | CAPI backdoor | Cybersecurity researchers at Seqrite Labs have identified a new campaign utilizing CAPI backdoor, a previously undocumented .NET malware, likely targeting E-commerce and automotive industries. The analysis is based upon a discovered malicious ZIP archive, which suggests the infection chain begins with phishing emails. | ALERTS | VIRUS |
| 28.10.25 | UAC-0239 group targets Ukraine with OrcaC2 framework and FILEMESS stealer | CERT-UA published details about recent activity associated with the threat group UAC-0239. The group engaged in campaigns against Ukrainian Defense forces and local governments, initiated through spear phishing. The emails were socially engineered to appear as communications from the Security Service of Ukraine. | GROUP | |
| 28.10.25 | Kaiji botnet malware | Kaiji is a malware variant primarily targeting Linux-based servers and IoT devices by exploiting vulnerable internet-connected services. As reported by the researchers from Aquasec, the malware’s main objectives are to launch large-scale Distributed Denial of Service (DDoS) attacks and to proxy malicious traffic, effectively leveraging infected devices as part of a botnet. | BOTNET | |
| 28.10.25 | Qilin Ransomware | Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack | RANSOMWARE | RANSOMWARE |
| 28.10.25 | SideWinder | SideWinder's Shifting Sands: Click Once for Espionage | APT | APT |
| 28.10.25 | OpenAI Atlas Omnibox Prompt Injection | OpenAI Atlas Omnibox Prompt Injection: URLs That Become Jailbreaks | HACKING | AI |
| 28.10.25 | ChatGPT Tainted Memories | “ChatGPT Tainted Memories:” LayerX Discovers The First Vulnerability in OpenAI Atlas Browser, Allowing Injection of Malicious Instructions into ChatGPT | HACKING | AI |
| 27.10.25 | CVE-2025-62518 | astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. | VULNERABILITY | |
| 26.10.25 | CVE-2025-7656 | Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | VULNERABILITY | |
| 26.10.25 | CVE-2025-48561 | In multiple locations, there is a possible way to access data displayed on the screen due to side channel information disclosure. | VULNERABILITY | |
| 26.10.25 | ODYSSEY STEALER | ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER | MALWARE | Stealer |
| 26.10.25 | Odyssey | Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools | CAMPAIGN | Malware |
| 26.10.25 | CVE-2025-11493 | The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. | VULNERABILITY | |
| 26.10.25 | CVE-2025-11492 | In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. | VULNERABILITY | |
| 26.10.25 | CVE-2025-55315 | Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network. | VULNERABILITY | |
| 26.10.25 | EtherHiding | Hiding Web2 Malicious Code in Web3 Smart Contracts | HACKING | Malware |
| 26.10.25 | Oyster | Rhysida using Oyster Backdoor to deliver ransomware | MALWARE | Backdoor |
| 26.10.25 | WebSocket RAT | PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation | MALWARE | RAT |
| 26.10.25 | PXA | Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | MALWARE | Stealer |
| 26.10.25 | Cache smuggling | Cache smuggling: When a picture isn’t a thousand words | HACKING | HACKING |
| 25.10.25 | Warlock Ransomware | The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | LockBit Returns | Key Takeaways LockBit is back. After being disrupted in early 2024, the ransomware group has ... | RANSOMWARE | RANSOMWARE |
| 25.10.25 | GHOSTGRAB | Sophisticated Android malware that mines crypto and silently steals banking credentials. EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic | MALWARE | Android |
| 25.10.25 | Pass-as-a-Service | “Premier Pass-as-a-Service” describes the emerging trend of advanced collaboration tactics between multiple China-aligned APT groups, notably Earth Estries and Earth Naga, that are making modern cyberespionage campaigns even more complex. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | Vidar Stealer 2.0 | Trend™ Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline. | MALWARE | Stealer |
| 25.10.25 | Agenda Ransomware | Trend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | LockBit 5.0 | LockBit ransomware is one of the most active and notorious ransomware-as-a-service (RaaS) operations, first appearing in 2019 and having evolved through versions that we have analyzed and written about here and here. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | SnakeStealer | Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts | MALWARE | Stealer |
| 25.10.25 | Cybereason TTP Briefing Q3 2025 | Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate | REPORT | REPORT |
| 25.10.25 | Gotta fly | Gotta fly: Lazarus targets the UAV sector | APT | APT |
| 25.10.25 | Smishing Deluge | The Smishing Deluge: China-Based Campaign Flooding Global Text Messages | CAMPAIGN | CAMPAIGN |
| 25.10.25 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability | VULNERABILITY | |
| 25.10.25 | DeskRAT | TransparentTribe targets Indian military organisations with DeskRAT | MALWARE | RAT |
| 25.10.25 | GlassWorm | GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace | MALWARE | Worm |
| 25.10.25 | Jingle Thief | Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign | CAMPAIGN | CAMPAIGN |
| 25.10.25 | CVE-2025-54236 | SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236) | VULNERABILITY | |
| 25.10.25 | CVE-2025-61932 | Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability | VULNERABILITY | |
| 25.10.25 | MuddyWater | Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage | APT | APT |
| 25.10.25 | PhantomCaptcha | PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation | MALWARE | RAT |
| 22.10.25 | CVE-2025-6541 | (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands | VULNERABILITY | |
| 22.10.25 | CVE-2025-6542 | (CVSS score: 9.3) - An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands | VULNERABILITY | |
| 22.10.25 | CVE-2025-7850 | (CVSS score: 9.3) - An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands | VULNERABILITY | |
| 22.10.25 | CVE-2025-7851 | (CVSS score: 8.7) - An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions | VULNERABILITY | |
| 22.10.25 | ToolShell | ToolShell Used to Compromise Telecoms Company in Middle East | VULNERABILITY | |
| 22.10.25 | PassiveNeuron | PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations | CAMPAIGN | CAMPAIGN |
| 22.10.25 | TARmageddon | TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of Open Source Abandonware | VULNERABILITY | |
| 22.10.25 | GhostSocks | GhostSocks: From Initial Access to Residential Proxy | MALWARE | MaaS |
| 22.10.25 | PolarEdge | Defrosting PolarEdge’s Backdoor | MALWARE | Backdoor |
| 21.10.25 | COLDRIVER | To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | MALWARE | Malware |
| 21.10.25 | SNAPPYBEE | Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion | MALWARE | RAT |
| 21.10.25 | CVE-2022-48503 | Apple Multiple Products Unspecified Vulnerability | VULNERABILITY | |
| 21.10.25 | CVE-2025-2746 | Kentico Xperience Staging Sync Server Digest Password Authentication Bypass Vulnerability | VULNERABILITY | |
| 21.10.25 | CVE-2025-2747 | Kentico Xperience Staging Sync Server None Password Type Authentication Bypass Vulnerability | VULNERABILITY | |
| 21.10.25 | CVE-2025-33073 | Microsoft Windows SMB Client Improper Access Control Vulnerability | VULNERABILITY | |
| 21.10.25 | CVE-2025-61884 | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability | VULNERABILITY | |
| 20.10.25 | Winos 4.0 | From China to Malaysia, FortiGuard Labs traces a hacker group’s shifting campaigns and evolving malware delivery tactics across Asia | MALWARE | RAT |
|
19.10.25 |
A new campaign reported by Securelist researchers has been leveraging WhatsApp messenger to distribute a new sophisticated banking trojan named Maverick. The attack has been targeting Brazilian users and utilizing .ZIP archives containing malicious LNK files. |
|||
|
19.10.25 |
Purseweb APT delivers updated BeaverTail and OtterCookie variants in the latest campaign |
Cisco Talos researchers have identified a new campaign attributed to the Purseweb (aka Famous Chollima) threat group that targets job seekers using fake employment offers. The attackers deploy custom infostealing malware strains including BeaverTail and OtterCookie. |
||
|
19.10.25 |
A spear-phishing campaign dubbed Operation Silk Lure, which targets Chinese HR and hiring teams in fintech, crypto exchanges and trading firms by weaponizing realistic résumés, has been uncovered by Seqrite Labs. Attackers send CVs containing malicious .lnk shortcuts that download a second-stage payload, deploy a script to create a hidden daily scheduled task for persistence, and then RC4-decrypt an in-memory loader that launches the final payload — ValleyRAT. |
|||
|
19.10.25 |
Katz Stealer delivered by PhantomVAI loader in a recent campaign |
A new campaign leveraging PhantomVAI Loader to distribute information-stealing malware via an evasive, multi-stage infection chain has been reported by the researchers from Unit42. The loader, initially known as Katz Stealer Loader, was primarily used to deliver the Katz Stealer malware but recently has also been noted to deliver a variety of other infostealer variants such as DcRAT, AsyncRAT, XWorm or FormBook. |
||
|
19.10.25 |
CVE-2025-61882 - Oracle E-Business Suite 0-Day vulnerability |
CVE-2025-61882 is a recently disclosed critical (CVSS score 9.8) zero-day vulnerability affecting the Oracle Concurrent Processing product within Oracle E-Business Suite (EBS). |
||
|
19.10.25 |
Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the network of a Russian IT service provider and lasted for the first five months of 2025. |
|||
|
19.10.25 |
An Android malware campaign dubbed GhostBat RAT which impersonates RTO (Regional Transport Office) apps like mParivahan to deceive Indian users, has been reported by Cyble. The malware spreads via WhatsApp and SMS with shortened URLs pointing to GitHub-hosted APKs, as well as through compromised websites. |
|||
|
19.10.25 |
A new threat actor dubbed TA585 has been observed conducting phishing campaigns that use tailored email lures, malvertising and web-injection techniques to redirect victims to attacker-controlled sites, sometimes even tagging GitHub users with fake security alerts to boost credibility and click-through rates. The group delivers a range of malware including the newly released MonsterV2, through these campaigns. |
|||
|
19.10.25 |
The Stealit malware operation has recently upgraded its deployment strategy, incorporating Node.js's Single Executable Application (SEA) feature to distribute malicious payloads. FortiGuard Labs identified this shift following an increase in detections of a particular VB script that facilitates persistence on infected machines. |
|||
|
19.10.25 |
BeFirst is a recent MedusaLocker ransomware variant observed in the wild. The malware encrypts user data and appends .befirst1 extension to the locked files. |
|||
|
19.10.25 |
A new malicious campaign distributing the ClayRAT Android spyware has been reported by the researchers from Zimperium. The malware employs highly effective social engineering tactics, utilizing fraudulent Telegram channels and phishing websites that mimic legitimate services like Google Photos, WhatsApp, and TikTok to convince the victims to install the malicious application. Once deployed, ClayRat exhibits vast surveillance capabilities. |
|||
|
19.10.25 |
As per reports from McAfee, a new Astaroth campaign has been discovered that weaponizes legitimate GitHub repositories and image files, primarily targeting victims in South America. |
|||
|
19.10.25 |
ChaosBot: Hiding on your system and communicating through Discord |
Details regarding a newly identified, Rust-based malware dubbed ChaosBot have been shared by eSentire's Threat Response Unit. According to the report, the actors behind ChaosBot make use of varying methods to gain access to victim environments: |
||
|
19.10.25 |
Trend Micro reported on renewed malicious activities attributed to the RondoDox botnet. The researchers identified early intrusion attempts, noting that botnet operators quickly leverage publicly disclosed flaws such as CVE-2023-1389 vulnerability affecting TP-Link routers. |
|||
|
19.10.25 |
SumUp Payments Limited is a financial technology company that provides payment and point-of-sale solutions for small businesses and independent merchants. Lately, Symantec has observed phish runs that mimic SumUp and pose as account verification emails, to steal credentials. |
|||
|
19.10.25 |
The Chaos ransomware variant observed on the threat landscape in 2025 marks a significant evolution according to a latest blog from Fortinet. The malware has transitioned its codebase from .NET to C++ and integrated aggressive destructive extortion tactics alongside the traditional file encryption. |
|||
|
19.10.25 |
Symantec has detected a new wave of phishing runs targeting Japanese email users with fake 2025 Japan Population census emails. The emails use the subject line: |
|||
|
19.10.25 |
APAC Campaign: Malaysian Procurement Lures Load VIP Keylogger In-Memory |
Symantec observed a new malspam campaign that is leveraging procurement emails while posing as a well-known Malaysian company specializing in construction and civil engineering, to distribute credential-stealing malware against organizations in Malaysia and beyond. |
||
|
19.10.25 |
Multi-platform attacks leveraging IUAM ClickFix Generator phishing kit |
The popular social engineering technique known as "ClickFix" is being rapidly commercialized according to the latest report from Unit 42 Palo Alto. |
||
|
19.10.25 |
HiveWare is a new ransomware variant recently observed in the wild. The malware encrypts user data and appends .HIVELOCKED extension to the locked files. |
|||
|
19.10.25 |
FoalShell and StallionRAT malware deployed by Cavalry Werewolf APT |
Cavalry Werewolf APT has been observed to enhance its malicious toolkit with customized malware. According to the report published by BI.ZONE Threat Intelligence, the threat actors have been conducting phishing campaigns by assuming the identities of personnel from various governmental bodies. |
||
|
19.10.25 |
VampireBot malware distributed by the BatShadow threat group |
Aryaka Threat Research Labs has recently discovered a new campaign conducted by the Vietnamese threat group known as BatShadow. This operation relies heavily on sophisticated social engineering, primarily targeting digital marketers and job applicants. The attackers impersonate recruiters, distributing ZIP archives containing decoy PDF files with malicious executables packed alongside them. |
||
|
19.10.25 |
As the threat landscape continues to evolve, attackers are increasingly relying on sophisticated social engineering techniques to trick users into executing malicious code. These attacks often bypass traditional file-based detection methods, making proactive, behavior-based security measures more critical than ever. |
|||
|
19.10.25 |
Turkey-Focused Snake Keylogger Campaign Expands Across Sectors and Regions |
Symantec recently observed a malspam campaign delivering Snake Keylogger that abused the brand of a prominent Turkish financial institution to lend credibility to fraudulent messages. The emails carried subject lines such as “HESAP EKSTRESI” (account statement). |
||
|
19.10.25 |
JA Net Bank Phishing Pressures Users with Urgency & Compliance Lures |
A phishing campaign is impersonating JAネットバンク (JA Net Bank), using official-sounding messages that cite the 犯罪収益移転防止法 (Act on Prevention of Transfer of Criminal Proceeds) to add credibility. Victims are urged to complete “customer information and transaction purpose” verification or risk account restrictions. |
||
|
19.10.25 |
As per a report from Trend Micro, a new self-propagating Windows malware campaign dubbed SORVEPOTEL is spreading through WhatsApp messages that deliver malicious ZIP attachments. When opened on a desktop, the ZIP extracts a shortcut (.LNK) file that executes hidden PowerShell and batch commands to download payloads, establish persistence, and connect to attacker-controlled servers. |
|||
|
18.10.25 |
Національною командою реагування на кіберінциденти, кібератаки, кіберзагрози CERT-UA починаючи з другої половини вересня 2025 року фіксуються спроби здійснення цільових кібератак у відношенні Сил оборони та органів місцевого самоврядування низки регіонів України з використанням тематики "протидії російським диверсійно-розвідувальним групам", нібито, від імені Служби безпеки України. |
|||
|
18.10.25 |
Multiple Password Managers Vulnerable to Clickjacking Attacks |
Browser-extension password managers, which autofill sensitive information on websites, can be exposed to various clickjacking attacks. |
||
|
18.10.25 |
DNS Rebinding and Manipulating CORS Headers Enables Exfiltration of Information |
A vulnerability in cross-origin resource sharing (CORS) headers in Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox enables the CORS policy to be manipulated. |
||
|
18.10.25 |
Clevo UEFI firmware embedded BootGuard keys compromising Clevo's implementation of BootGuard |
Clevo’s UEFI firmware update packages included sensitive private keys used in their Intel Boot Guard implementation. |
||
|
18.10.25 |
The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway intended for providing guests internet access where many users will want to connect |
|||
|
18.10.25 |
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. |
Loader |
||
|
18.10.25 |
Malicious .NET Implant Hunting and Infrastructure. Conclusion Seqrite Protection. IOCs MITRE ATT&CK.... |
|||
|
18.10.25 |
Introduction: Seqrite Lab has been actively monitoring global cyber threat... |
|||
|
17.10.25 |
BeaverTail and OtterCookie evolve with a new Javascript module |
JavaScipt |
||
|
17.10.25 |
Famous Chollima deploying Python version of GolangGhost RAT |
|||
|
17.10.25 |
Vice Society is a ransomware group that has been active since at least June 2021. |
|||
|
17.10.25 |
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. |
VULNEREBILITY |
||
|
17.10.25 |
DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains |
|||
|
17.10.25 |
New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware |
|||
|
17.10.25 |
LinkPro: eBPF rootkit analysis |
Rootkit |
||
|
16.10.25 |
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits |
|||
|
16.10.25 |
K000154696: F5 Security Incident |
|||
|
16.10.25 |
CVE-2025-54253: Pre-Auth RCE – Adobe AEM Forms on JEE Critical OGNL Injection |
VULNEREBILITY |
||
|
16.10.25 |
(CVSS score: 7.8) - Windows Agere Modem Driver ("ltmdm64.sys") Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
16.10.25 |
(CVSS score: 7.8) - Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
16.10.25 |
When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge. |
VULNEREBILITY |
||
|
16.10.25 |
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge. |
VULNEREBILITY |
||
|
16.10.25 |
ICTBroadcast Command Injection Actively Exploited (CVE-2025-2611) |
VULNEREBILITY |
||
|
16.10.25 |
SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and overwrite system files, causing high impact on the confidentiality, integrity and availability of the application. |
VULNERABILITY |
||
|
16.10.25 |
SOE-phisticated Persistence: Inside Flax Typhoon's ArcGIS Compromise |
|||
|
16.10.25 |
AMD SEV-SNP offers confidential computing in the form of confidential VMs, such that the untrusted hypervisor cannot tamper with their confidentiality and integrity. |
|||
|
16.10.25 |
How a Catch-22 Breaks AMD SEV-SNP (ACM CCS 2025) |
CPU |
||
|
16.10.25 |
Pixel stealing attacks enable malicious websites to leak sensitive content displayed in victim websites. |
|||
|
16.10.25 |
Pixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. |
Android |
||
|
16.10.25 |
When the monster bytes: tracking TA585 and its arsenal |
|||
|
13.10.25 |
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits |
|||
|
13.10.25 |
Astaroth: Banking Trojan Abusing GitHub for Resilience |
Banking |
||
|
13.10.25 |
New Rust Malware "ChaosBot" Uses Discord for Command and Control |
Bot |
||
|
13.10.25 |
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. |
VULNERABILITY |
||
|
12.10.25 |
Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response |
CAMPAIGN |
||
|
12.10.25 |
Warlock: Professional Development, China Ties, and the Multiple Variants it Planned from the Start |
RANSOMWARE |
||
|
11.10.25 |
What Are Mousejacking Attacks, and How to Defend Against Them |
|||
|
11.10.25 |
With the widespread adoption of cloud infrastructure, cybercriminals have evolved their tactics to exploit new opportunities for access. One growing threat is cloud jacking, or cloud account hijacking, where an attacker takes control of a cloud account. |
|||
|
11.10.25 |
Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military. This leveraged a malicious .ICS file, a popular calendar format. |
|||
|
11.10.25 |
UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests |
|||
|
11.10.25 |
Unity Gaming Engine Editor vulnerability |
VULNERABILITY |
||
|
11.10.25 |
Hafnium is a Chinese state-sponsored advanced persistent threat (APT) group, also referred to as Silk Typhoon, and is known for sophisticated cyber espionage targeting critical |
|||
|
11.10.25 |
New Stealit Campaign Abuses Node.js Single Executable Application |
RAT |
||
|
11.10.25 |
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. |
VULNERABILITY |
||
|
11.10.25 |
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. |
VULNERABILITY |
||
|
11.10.25 |
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. |
VULNERABILITY |
||
|
10.10.25 |
ClayRat: A New Android Spyware Targeting Russia |
RAT |
||
|
10.10.25 |
Malvertising Campaign Hides in Plain Sight on WordPress Websites |
|||
|
10.10.25 |
SonicWall has completed its investigation, conducted in collaboration with leading IR Firm, Mandiant, into the scope of a recent cloud backup security incident. |
|||
|
10.10.25 |
UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. |
|||
|
10.10.25 |
UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants. |
|||
|
10.10.25 |
UAC-0218 Attack Detection: Adversaries Steal Files Using HOMESTEEL Malware |
|||
|
10.10.25 |
According to CERT-UA, this is a stealer targeting a range of file extensions and creating screenshots of the compromised machine to be then uploaded via cURL. |
Stealer |
||
|
10.10.25 |
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. |
VULNERABILITY |
||
|
8.10.25 |
“Scattered Spider” announced plans to launch a ransomware-as-a-service (RaaS) offering, while “LockBit” returned with "LockBit 5.0" and announced critical infrastructure as a target. |
|||
|
8.10.25 |
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors |
TOOL |
||
|
8.10.25 |
Ghosts in the Machine: ASCII Smuggling across Various LLMs |
AI |
||
|
8.10.25 |
figma-developer-mcp vulnerable to command injection in get_figma_data tool |
VULNERABILITY |
||
|
8.10.25 |
Disrupting malicious uses of AI: October 2025 |
AI |
||
|
8.10.25 |
BatShadow: Vietnamese Threat Actor Expands Its Digital Operations |
|||
|
7.10.25 |
BIETA: A Technology Enablement Front for China's MSS |
BIGBROTHER |
||
|
7.10.25 |
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability |
CAMPAIGN |
||
|
7.10.25 |
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. |
VULNERABILITY |
||
|
7.10.25 |
Lua Use-After-Free may lead to remote code execution |
VULNERABILITY |
||
|
7.10.25 |
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. |
VULNERABILITY |
||
|
7.10.25 |
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. |
VULNERABILITY |
||
|
5.10.25 |
On July 22, a security vulnerability was identified in DrayOS routers. The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI). |
VULNERABILITY |
||
|
5.10.25 |
Klopatra: exposing a new Android banking trojan operation with roots in Turkey |
Android |
||
|
5.10.25 |
Block ransomware proliferation and easily restore files with AI in Google Drive |
|||
|
5.10.25 |
MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments |
Toolkit |
||
|
5.10.25 |
UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK |
|||
|
5.10.25 |
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. |
VULNERABILITY |
||
|
5.10.25 |
A sophisticated bootkit and user-mode capability, targeting Cisco ASA devices. A significant advancement over LINE DANCER and LINE RUNNER. |
Bootkit |
||
|
5.10.25 |
Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less |
Ransomware |
||
|
5.10.25 |
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. |
VULNERABILITY |
||
|
5.10.25 |
An OS command injection vulnerability in the user interface of Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST. |
VULNERABILITY |
||
|
5.10.25 |
VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks. Impact: Username enumeration → credential brute force risk. |
VULNERABILITY |
||
|
5.10.25 |
Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts. Impact: Username enumeration → facilitates unauthorized access. |
VULNERABILITY |
||
|
5.10.25 |
CometJacking: How One Click Can Turn Perplexity’s Comet AI Browser Against You |
AI |
||
|
4.10.25 |
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base |
|||
|
4.10.25 |
Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP. |
Backdoor |
||
|
4.10.25 |
Security firm Mosyle and follow-up reports detailed the emergence of ModStealer, a cross-platform infostealer distributed via malvertising campaigns, often disguised as fake software downloads or job advertisements. |
|||
|
4.10.25 |
Cisco Talos has published details regarding UAT-8099, a cybercrime group focused on search engine optimization (SEO) fraud and the theft of miscellaneous sensitive data such as credentials, configuration files, logs, and more. This threat group specifically targets vulnerable Internet Information Services (IIS) servers globally, with confirmed victims spanning across universities, technology companies, and telecom providers, among others. |
|||
|
4.10.25 |
The cyber-espionage group Confucius, known for targeting government and critical industries across South Asia has been observed leveraging sophisticated phishing campaigns primarily against high-value targets in Pakistan, showing a major technical evolution. |
|||
|
4.10.25 |
New spyware campaigns targeting privacy-conscious Android users in the UAE have been reported by ESET. The campaigns deploy two previously undocumented spyware families, ProSpy and ToSpy, disguised as legitimate Signal or ToTok apps distributed via phishing sites and fake app stores. |
|||
|
4.10.25 |
Researchers recently published a report on the WARMCOOKIE backdoor, revealing that its operators have expanded their infrastructure and refined their tactics. First observed in recruitment-themed phishing campaigns, WARMCOOKIE is still active and capable of host fingerprinting, command execution, screenshot capture, and delivery of additional payloads. |
|||
|
4.10.25 |
CORS vulns exploited to deliver Latrodectus via injected FakeCaptcha |
According to recent reports, Lunar Spider (aka Gold SwathMore) has evolved its toolkit by exploiting CORS misconfigurations on websites—mainly in Europe—to inject a “FakeCaptcha” overlay that tricks victims into running malicious commands. The injected JavaScript creates a fake verification UI, copying a PowerShell command into the clipboard, which, when executed, initiates an MSI loader. |
||
|
4.10.25 |
A new activity delivering the DarkCloud version 3.2 payload has been reported by the researchers from eSentire. The attack is initiated via targeted spear-phishing campaign with financial lure that delivers the infostealing malware within the .zip archive attachment. |
|||
|
4.10.25 |
GuLoader campaign targets Francophone Businesses, deploying MassLogger |
Symantec has observed a new GuLoader campaign in which actors are impersonating a well-known hospitality and luxury resort/events group in Morocco, sending fraudulent quotation requests with the subject line “DEMANDE DEVIS N° 25090358.” |
||
|
4.10.25 |
Acreed is an advanced infostealer variant first discovered in early 2025 and sold on underground markets. Once on the infected machine, Acreed deploys JavaScript modules designed for financial theft, performing cryptocurrency clipping (replacing legitimate wallet addresses on web pages) and clipboard hijacking. |
|||
|
4.10.25 |
The LockBit ransomware group has resurfaced following a February 2024 disruption, deploying a new variant dubbed LockBit 5.0. New research published by Trend Micro has confirmed the existence of Windows, Linux, and ESXi variants, signifying the group’s continued cross-platform strategy targeting entire enterprise networks, including virtualized environments. |
|||
|
4.10.25 |
CVE-2025-10035 is a recently disclosed critical (CVSS score 10.0) deserialization vulnerability affecting Fortra GoAnywhere, which is a comprehensive managed file transfer (MFT) software. |
|||
|
4.10.25 |
Klopatra is a newly observed Android malware which functions as both a banking Trojan and Remote Access Trojan (RAT). A report provided by researchers at Cleafy shares technical details and campaign activity associated with this threat. Highlights from the report include: |
|||
|
4.10.25 |
A new assembly-written Malware-as-a-Service called Olymp Loader advertised as “FUD” (fully undetectable) has been reported by Outpost24. It includes anti-debugging, code-signing and crypter options and targets browsers, Telegram and crypto wallets. |
|||
|
4.10.25 |
Lately, Symantec has observed Halloween-themed jumbo lottery phish runs targeting Japanese users. Threat actors have recently initiated jumbo lottery phish runs that masquerade as lottery campaign announcement emails. |
|||
|
4.10.25 |
A malware campaign delivering the XWorm .NET RAT using shellcode hidden inside Office attachments has been observed by Forcepoint. As part of the multi-stage attack, a phishing email is sent with a seemingly benign .xlam workbook that embeds an Ole10Native stream containing encrypted shellcode. |
|||
|
4.10.25 |
Microsoft Threat Intelligence has identified a new variant of XCSSET malware targeting Xcode projects. The malware employs run-only compiled AppleScripts for stealthy execution, now targets a broader range of browsers including Firefox, steals information from Telegram, hijacks clipboards by substituting wallet addresses and establishes persistence via LaunchDaemons and Git commits. |
|||
|
4.10.25 |
A recent campaign has been reported by Blackpoint SOC in which attackers are abusing SEO poisoning and malvertising to trick users into downloading trojanized Microsoft Teams installers that deliver the Oyster (also known as Broomstick) backdoor. |
|||
|
4.10.25 |
Lumma Stealer infection with follow-up malware (possible Ghostsocks/Go Backdoor) |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
||
|
4.10.25 |
Seven days of scans and probes and web traffic hitting my web server |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
||
|
4.10.25 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
|||
|
4.10.25 |
Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface |
A remote code execution (RCE) vulnerability, tracked as CVE-2025-10547, was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Draytek. |
||
|
4.10.25 |
A major npm supply chain compromise was disclosed by the software supply chain security company Socket on September 15, 2025. |
|||
|
4.10.25 |
Hive0145 back in German inboxes with Strela Stealer and a backdoor |
GROUP |
||
|
4.10.25 |
Confucius threat group evolves from document stealers to Python backdoors, showcasing the growing sophistication of state-aligned cyber campaigns |
GROUP |
||
|
4.10.25 |
EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and |
|||
|
4.10.25 |
Network edge devices such as routers, switches, firewalls, VPNs, and access points are being targeted by waves of cyberattacks. The RedNovember attack campaign disclosed by RecordedFuture’s Insikt Group is the latest in a string of campaigns targeting SonicWall, Cisco, Palo Alto, Fortinet, and Ivanti devices inside government, defense, and technology companies. |
CAMPAIGN |
||
|
4.10.25 |
An argument injection flaw that attackers can use to trigger a denial of service (DoS), crashing the router or overwhelming remote servers. |
VULNERABILITY |
||
|
4.10.25 |
An unauthenticated command injection vulnerability that allows attackers to remotely execute arbitrary commands on the device. |
VULNERABILITY |
||
|
4.10.25 |
A security bypass that attackers can exploit to corrupt system files, cause a persistent denial-of-service, or achieve arbitrary file writes. Chaining attacks could lead to remote code execution (RCE). |
VULNERABILITY |
||
|
4.10.25 |
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. |
GROUP |
||
|
4.10.25 |
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud |
GROUP |
||
|
4.10.25 |
XWorm V6, a potent malware, has resurfaced with new plugins and persistence methods. Stay informed and enhance your defenses against evolving cyber threats. Protect your organization now! |
Worm |
||
|
4.10.25 |
Detour Dog: DNS Malware Powers Strela Stealer Campaigns |
GROUP |
||
|
4.10.25 |
Rhadamanthys is a popular, multi-modular stealer, released in 2022. Since then, it has been used in multiple campaigns by various actors. Most recently, it is being observed in the ClickFix campaigns. |
Stealer |
||
|
3.10.25 |
GNU Bash OS Command Injection Vulnerability |
VULNERABILITY |
||
|
3.10.25 |
Juniper ScreenOS Improper Authentication Vulnerability |
VULNERABILITY |
||
|
3.10.25 |
Jenkins Remote Code Execution Vulnerability |
VULNERABILITY |
||
|
3.10.25 |
Smartbedded Meteobridge Command Injection Vulnerability |
VULNERABILITY |
||
|
3.10.25 |
Samsung Mobile Devices Out-of-Bounds Write Vulnerability |
VULNERABILITY |
||
|
3.10.25 |
The CABINETRAT backdoor is used by UAC-0245 for targeted cyberattacks against the Defence Forces of Ukraine (CERT-UA#17479) |
In September 2025 the National Cyber Incident, Cyberattack and Cyber Threat Response Team CERT-UA identified a number of software tools presented as XLL files with specific names, including "Звернення УБД.xll", |
||
|
3.10.25 |
New spyware campaigns target privacy-conscious Android users in the UAE |
|||
|
3.10.25 |
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. |
VULNERABILITY |
||
|
3.10.25 |
Intel's Software Guard eXtensions (SGX) is a hardware feature in Intel servers that aims to offer strong integrity and confidentiality properties for software, even in the presence of root-level attackers. |
|||
|
3.10.25 |
With Battering RAM, we show that even the latest defenses on Intel and AMD cloud processors can be bypassed. We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks. |
|||
|
3.10.25 |
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users |
Malware |
||
|
3.10.25 |
Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks |
|||
|
3.10.25 |
In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created), |
VULNERABILITY |
||
|
3.10.25 |
Klopatra: exposing a new Android banking trojan operation with roots in Turkey |
Banking |
||
|
3.10.25 |
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite |
|||
|
3.10.25 |
EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks |
AI |
||
|
3.10.25 |
Datzbro: RAT Hiding Behind Senior Travel Scams |
RAT |
||
|
3.10.25 |
First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails |
Backdoor |
||
|