| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
| --- | --- | --- | --- | --- |
| 28.9.25 | CVE-2024-10237 | There is a vulnerability in the BMC firmware image authentication design at Supermicro MBD-X12DPG-OA6. An attacker can modify the firmware to bypass BMC inspection and bypass the signature verification process. | VULNERABILITY | VULNERABILITY |
| 28.9.25 | CVE-2025-10184 | CVE-2025-10184: OnePlus OxygenOS Telephony provider permission bypass (NOT FIXED) | VULNERABILITY | VULNERABILITY |
| 28.9.25 | Cross-site scripting vulnerability in Lectora course navigation | Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. | ALERT | ALERT |
| 27.9.25 | CVE-2024-36401 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. | VULNERABILITY | VULNERABILITY |
| 27.9.25 | RainyDay | How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking | MALWARE | Backdoor |
| 27.9.25 | Amatera | SVG Phishing hits Ukraine with Amatera Stealer, PureMiner | MALWARE | Stealer |
| 27.9.25 | SVG phishing campaigns deliver infostealer and cryptominer payloads | Symantec has observed an uptick in malicious spam (malspam) using Scalable Vector Graphics (SVG) file attachments to initiate malicious activity. A report by security researchers at Fortinet corroborates this trend, highlighting recent SVG-based campaigns delivering Amatera Stealer and PureMiner. | PHISHING | |
| 27.9.25 | Activities of the DeceptiveDevelopment threat group | In a recent publication, ESET researchers report on a financially motivated threat group called DeceptiveDevelopment. The group has been active since at least 2023 and primarily targets software developers across all major operating systems (Windows, Linux, macOS), particularly those involved in cryptocurrency and Web3 projects. | ALERTS | GROUP |
| 27.9.25 | New YiBackdoor Malware | Cybersecurity researchers at Zscaler ThreatLabz have identified YiBackdoor, a newly discovered malware family exhibiting significant source code overlaps with the established loaders IcedID and Latrodectus. YiBackdoor operates as a powerful, modular backdoor capable of executing arbitrary commands, capturing screenshots, and extensive system information collection. | VIRUS | |
| 27.9.25 | RedNovember threat group targets global entities for espionage | A report by Insikt Group at Recorded Future details recent activity of a China-backed threat actor named RedNovember (previously known as TAG-100). | APT | |
| 27.9.25 | Operation Rewrite leads to BadIIS malware distribution | Researchers from Palo Alto reported on an SEO poisoning campaign, dubbed "Operation Rewrite". The primary tool used by the attackers in this operation is the BadIIS malware, which can intercept and modify web traffic, utilizing compromised legitimate servers to deliver malicious content. | OPERATION | |
| 27.9.25 | CVE-2025-53690 - Deserialization of Untrusted Data vulnerability affecting multiple Sitecore products | CVE-2025-53690 is a recently disclosed critical (CVSS score 9.0) ViewState deserialization of untrusted data vulnerability affecting Sitecore products including Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) and Experience Commerce (XC). | VULNERABILITY | |
| 27.9.25 | Bitpanda users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of Bitpanda GmbH, an Austrian digital asset platform headquartered in Vienna. | PHISHING | |
| 27.9.25 | SystemBC botnet - new infrastructure uncovered | Black Lotus Labs at Lumen Technologies has identified new infrastructure belonging to the SystemBC botnet, a large-scale operation averaging 1,500 daily victims. Unlike typical botnets using residential IPs, SystemBC exploits Virtual Private Server (VPS) systems to create high-volume, persistent proxies that fuel malicious activities for various criminal groups. | BOTNET | |
| 27.9.25 | New malware distribution campaign attributed to the Rustfly APT group | The Rustfly APT group (also known as UNC1549 or Nimbus Manticore) is engaged in a sustained cyberespionage operation targeting the defense manufacturing, telecommunications, and aviation sectors. A recently published report from Check Point reveals a heightened focus from this APT group on Western Europe, particularly Denmark, Sweden, and Portugal. The attackers employ sophisticated spear-phishing campaigns, posing as HR recruiters to lure victims to fake career portals. | APT | |
| 27.9.25 | XWorm disguised as “Unreal Engine Auto Update” hosted on GitHub’s CDN | An individual or group has been disguising XWorm malware as an “Unreal Engine Auto Updater” and hosting it on raw[.]githubusercontent[.]com, GitHub’s CDN endpoint that serves raw file contents from public repositories. | ALERTS | VIRUS |
| 27.9.25 | ClickFix techniques used in BeaverTail malware distribution on macOS and Windows systems | The ClickFix social engineering technique relies on tricking users into running malicious commands by presenting fake CAPTCHAs. As reported by Gitlab, a recent campaign leveraging ClickFix techniques has been observed to spread a new BeaverTail malware variant. Previously targeting software developers, the APT group behind this malware has now shifted its focus to marketing, cryptocurrency trading and retail sectors. | VIRUS | |
| 27.9.25 | Leafperforator APT leverages Nepalese protest movement for mobile malware distribution | A recent activity reported by the researchers from StrikeReady demonstrates a popular trend where geopolitical events serve as bait for targeted cyber threats. | APT | |
| 27.9.25 | DarkCloud Campaign Targets European Energy, Finance, and Maritime Sectors | Symantec has observed a DarkCloud malspam run that used invoice/shipping-themed lures to deliver a Windows stealer. The attackers spoofed two German industrial suppliers (one industrial-machinery vendor, one tank/storage-construction firm) while using logistics and invoice-style social engineering. | ALERTS | CAMPAIGN |
| 27.9.25 | HybridPetya - a Petya/NotPetya offshoot with a UEFI bootkit | ESET security researchers have identified new malware samples, dubbed HybridPetya, which exhibit characteristics of the impactful Petya and NotPetya campaigns from 2016-2017. | VIRUS | |
| 27.9.25 | New campaign distributing SnakeDisk worm and the Toneshell backdoor | IBM X-Force identified a new malicious operation attributed to the threat actor known as Fireant (aka Hive0154, Mustang Panda). | CAMPAIGN | |
| 27.9.25 | XillenStealer malware | In their latest report, Cyfirma's analysts reveal XillenStealer as an open-source, Python-based information stealer readily available on GitHub. | ALERTS | VIRUS |
| 27.9.25 | RevengeHotels New Tactics Deliver Potent VenomRAT | Securelist researchers have identified RevengeHotels, also known as TA558, as a cybercriminal group targeting the hospitality and tourism industries to steal credit card data. | VIRUS | |
| 27.9.25 | WhiteCobra Targets Developer Tools for Data Heists | KOI Research has identified WhiteCobra, a sophisticated threat actor, in a year-long campaign targeting users of VSCode, Cursor, and Windsurf. | GROUP | |
| 27.9.25 | Rewrite | Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign | OPERATION | OPERATION |
| 26.9.25 | COLDRIVER | COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX | GROUP | GROUP |
| 26.9.25 | CVE-2025-10035 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. | VULNERABILITY | VULNERABILITY |
| 26.9.25 | XCSSET | XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory | MALWARE | MacOS |
| 26.9.25 | CVE-2025-20333 | (CVSS score: 9.9) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests | VULNERABILITY | VULNERABILITY |
| 26.9.25 | CVE-2025-20362 | (CVSS score: 6.5) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests | VULNERABILITY | VULNERABILITY |
| 26.9.25 | Line Runner | Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 26.9.25 | Line Dancer | In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 26.9.25 | Vane Viper | DNS-Driven Insights into a Malicious Ad Network | GROUP | GROUP |
| 25.9.25 | BRICKSTORM | Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors | MALWARE | BACKDOOR |
| 25.9.25 | RedNovember | RedNovember Targets Government, Defense, and Technology Organizations | GROUP | GROUP |
| 25.9.25 | CVE-2025-20352 | Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 25.9.25 | DeceptiveDevelopment | DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception | MALWARE | AI |
| 24.9.25 | YiBackdoor | YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus | MALWARE | BACKDOOR |
| 24.9.25 | SSRF to AWS Metadata Exposure | SSRF to AWS Metadata Exposure: How Attackers Steal Cloud Credentials | HACKING | Cloud |
| 24.9.25 | CVE-2025-10643 | (CVSS score: 9.1) - An authentication bypass vulnerability that exists within the permissions granted to a storage account token | VULNERABILITY | VULNERABILITY |
| 24.9.25 | CVE-2025-10644 | (CVSS score: 9.4) - An authentication bypass vulnerability that exists within the permissions granted to an SAS token | VULNERABILITY | VULNERABILITY |
| 24.9.25 | CVE-2025-51591 | A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. | VULNERABILITY | VULNERABILITY |
| 24.9.25 | CVE-2025-59689 | Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7. | VULNERABILITY | VULNERABILITY |
| 24.9.25 | CVE-2025-6198 | (CVSS score: 6.4) - A crafted firmware image can bypass the Supermicro BMC firmware verification logic of the Signing Table to update the system firmware by redirecting the program to a fake signing table ("sig_table") in the unsigned region | VULNERABILITY | VULNERABILITY |
| 24.9.25 | CVE-2025-7937 | (CVSS score: 6.6) - A crafted firmware image can bypass the Supermicro BMC firmware verification logic of Root of Trust (RoT) 1.0 to update the system firmware by redirecting the program to a fake "fwmap" table in the unsigned region | VULNERABILITY | VULNERABILITY |
| 23.9.25 | fezbox | Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique | MALWARE | npm |
| 23.9.25 | CVE-2025-26399 | SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. | VULNERABILITY | VULNERABILITY |
| 23.9.25 | ShadowV2 | ShadowV2: An emerging DDoS for hire botnet | BOTNET | BOTNET |
| 23.9.25 | Operation Rewrite | Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign | OPERATION | OPERATION |
| 22.9.25 | CVE-2025-55241 | Azure Entra Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 22.9.25 | BeaverTail | Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure | MALWARE | JavaScript |
| 21.9.25 | VMSCAPE: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments | Abstract—Virtualization is a cornerstone of modern cloud infrastructures, providing the required isolation to customers. This isolation, however, is threatened by speculative execution attacks which the CPU vendors attempt to mitigate by extending the isolation to the branch predictor state. | PAPERS | PAPERS |
| 21.9.25 | Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization | Abstract—DDR5 has shown an increased resistance to Rowhammer attacks in production settings. Surprisingly, DDR5 achieves this without additional refresh management commands, pointing to the deployment of more sophisticated in-DRAM Target Row Refresh (TRR) mechanisms. | PAPERS | PAPERS |
| 21.9.25 | Uncloaking VoidProxy | Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework | PHISHING | PHAAS |
| 21.9.25 | RaccoonO365 | Cloudflare participates in global operation to disrupt RaccoonO365 | OPERATION | PHISHING |
| 20.9.25 | CountLoader | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | MALWARE | LOADER |
| 20.9.25 | Maranhão Stealer | Cyble Research & Intelligence Labs detected Maranhão Stealer, a Node.js–based credential stealer leveraging reflective DLL injection. | MALWARE | STEALER |
| 20.9.25 | DeerStealer | DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities | MALWARE | STEALER |
| 20.9.25 | XillenStealer | UNMASKING A PYTHON STEALER – “XillenStealer” | MALWARE | STEALER |
| 20.9.25 | Shai-Hulud | "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19) | MALWARE | PYTHON |
| 20.9.25 | Lucid Phishing-as-a-Service | Inside the Lighthouse and Lucid PhaaS Campaigns Targeting 316 Global Brands | PHISHING | PHAAS |
| 20.9.25 | Large-Scale Attack | Large-Scale Attack Targeting Macs via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware | HACKING | ATTACK |
| 20.9.25 | LLM-Enabled Malware | Prompts as Code & Embedded Keys \| The Hunt for LLM-Enabled Malware | HACKING | AI |
| 20.9.25 | ShadowLeak | ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT’s Deep Research Agent | HACKING | AI |
| 20.9.25 | Subtle Snail | Subtle Snail (UNC1549) is an Iran-nexus espionage group linked to Unyielding Wasp (Tortoiseshell), which is part of the Eclipsed Wasp (Charming Kitten) network. | APT | APT |
| 20.9.25 | SystemBC | The Black Lotus Labs team at Lumen Technologies has uncovered new infrastructure behind the “SystemBC” botnet, a network composed of over 80 C2s with a daily average of 1,500 victims, nearly 80% of which are compromised VPS systems from several large commercial providers. | BOTNET | BOTNET |
| 20.9.25 | CVE-2025-10035 | Deserialization Vulnerability in GoAnywhere MFT's License Servlet | VULNERABILITY | VULNERABILITY |
| 19.9.25 | Gamaredon X Turla | Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine | APT | APT |
| 19.9.25 | CVE-2025-4428 | Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. | VULNERABILITY | VULNERABILITY |
| 19.9.25 | CVE-2025-4427 | An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. | VULNERABILITY | VULNERABILITY |
| 18.9.25 | CountLoader | CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions | MALWARE | Loader |
| 18.9.25 | SilentSync RAT | Malicious PyPI Packages Deliver SilentSync RAT | MALWARE | RAT |
| 18.9.25 | CVE-2025-10585 | Type Confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16 | VULNERABILITY | VULNERABILITY |
| 18.9.25 | RevengeHotels | RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT | APT | APT |
| 18.9.25 | TA415 | Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | APT | APT |
| 17.9.25 | Clickfix HijackLoader Phishing Campaign | With the evolution of cyber threats, the final execution of a malicious payload is no longer the sole focus of the cybersecurity industry. | CAMPAIGN | PHISHING |
| 17.9.25 | Echoleak | Echoleak- Send a prompt , extract secret from Copilot AI!( CVE-2025-32711) | HACKING | AI |
| 17.9.25 | EMBER2024 - A Benchmark Dataset for Holistic Evaluation of Malware Classifiers | A lack of accessible data has historically restricted malware analysis research, and practitioners have relied heavily on datasets provided by industry sources to advance. | PAPERS | PAPERS |
| 17.9.25 | LunoBotnet | LunoBotnet: A Self-Healing Linux Botnet with Modular DDoS and Cryptojacking Capabilities | BOTNET | CRYPTOCURRENCY |
| 17.9.25 | GhostAction | The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows | CAMPAIGN | CAMPAIGN |
| 17.9.25 | EvilAI Malware Mimics Legitimate Tools | As reported by Trend Micro researchers, a new malware campaign dubbed EvilAI is posing a threat by impersonating legitimate productivity and AI-powered tools. | VIRUS | |
| 17.9.25 | Phishing Campaign Targets UK Government Gateway User IDs and Passwords | Symantec has observed a phishing campaign delivering HTML attachments via email that masquerade as official GOV.UK Government Gateway confirmations. The email (subject: "Confirmation - Government Gateway") spoofed a no-reply government address and carried a file named attachement.service.gov.uk.html. | ALERTS | PHISHING |
| 17.9.25 | Phishing Emails Masquerade as Internal Messages to Deliver SHTML Credential Traps | A newly identified phishing campaign, discovered by Symantec, leverages SHTML attachments disguised as password-protected documents to harvest employee credentials. | PHISHING | |
| 17.9.25 | NPM packages infected by self-replicating worm | Malicious activity reported by multiple sources was observed impacting numerous packages in the npm JavaScript repository. The activity revolves around a self-replicating worm named Shai-Hulud, which after infecting a locally available NPM, searches for and infects other accessible packages based on user access. It's responsible for stealing secrets, exfiltrating data, and marking private GitHub projects as public for impacted users. | HACKING | |
| 17.9.25 | CVE-2025-5086 - Delmia Apriso vulnerability | CVE-2025-5086 is a recently disclosed critical (CVSS score 9.0) deserialization of untrusted data vulnerability affecting DELMIA Apriso Manufacturing Operations Management (MOM) software. | ALERTS | VULNERABILITY |
| 17.9.25 | Maranhão Stealer | A recent campaign involving the Maranhão Stealer has been identified by the researchers from Cyble. The attack is targeting gaming users through social engineering websites hosted on cloud platforms. | VIRUS | |
| 17.9.25 | kkRAT: A new Remote Access Trojan | A malware campaign targeting China-speaking users has been identified, deploying a previously undocumented kkRAT alongside ValleyRAT and FatalRAT. | VIRUS | |
| 17.9.25 | Buterat Backdoor Targeting Enterprise and Government Networks | The Lat61 Threat Intelligence Team from Point Wild has identified Backdoor.Win32.Buterat, a sophisticated malware designed for persistent, long-term network infections. | VIRUS | |
| 17.9.25 | Contagious Interview operation continues | SentinelLABS has identified North Korean threat actors associated with the "Contagious Interview" campaign cluster exhibiting a sophisticated approach to operational security. | OPERATION | |
| 17.9.25 | New Go-Based ZynorRAT Leverages Telegram for Linux and Windows | The Sysdig Threat Research Team (TRT) has identified ZynorRAT, a novel Go-based Remote Access Trojan (RAT) demonstrating robust command and control (C2) features for both Linux and Windows platforms. | | |
| 17.9.25 | Securing DRAM at Scale: ARFM-Driven Row Hammer Defense with Unveiling the Threat of Short tRC Patterns | Abstract—Since the disclosure of the row hammer (RH) attack phenomenon in 2014, a significant threat to system security, it has been an active research topic in both industry and academia. | PAPERS | PAPERS |
| 17.9.25 | ECC.fail: Mounting Rowhammer Attacks on DDR4 Servers with ECC Memory | Rowhammer is a hardware vulnerability present in nearly all computer memory, allowing attackers to modify bits in memory without directly accessing them. | PAPERS | PAPERS |
| 17.9.25 | Rowhammer-Based Trojan Injection: One Bit Flip Is Sufficient for Backdooring DNNs | While conventional backdoor attacks on deep neural networks (DNNs) assume the attacker can manipulate the training data or process, recent research introduces a more practical threat model by injecting backdoors during the inference stage. | PAPERS | PAPERS |
| 16.9.25 | CVE-2025-6202 | Vulnerability in SK Hynix DDR5 on x86 allows a local attacker to trigger Rowhammer bit flips impacting the Hardware Integrity and the system's security. This issue affects DDR5: DIMMs produced from 2021-1 until 2024-12. | VULNERABILITY | VULNERABILITY |
| 16.9.25 | CVE-2025-43300 | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. | VULNERABILITY | VULNERABILITY |
| 16.9.25 | FileFix | FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography | CAMPAIGN | CAMPAIGN |
| 16.9.25 | SnakeDisk | Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm | MALWARE | USB |
| 16.9.25 | SlopAds | Satori Threat Intelligence Alert: SlopAds Covers Fraud with Layers of Obfuscation | OPERATION | OPERATION |
| 16.9.25 | CVE-2025-59358 | (CVSS score: 7.5) - The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial-of-service | VULNERABILITY | VULNERABILITY |
| 16.9.25 | CVE-2025-59359 | (CVSS score: 9.8) - The cleanTcs mutation in Chaos Controller Manager is vulnerable to operating system command injection | VULNERABILITY | VULNERABILITY |
| 16.9.25 | CVE-2025-59360 | (CVSS score: 9.8) - The killProcesses mutation in Chaos Controller Manager is vulnerable to operating system command injection | VULNERABILITY | VULNERABILITY |
| 16.9.25 | CVE-2025-59361 | (CVSS score: 9.8) - The cleanIptables mutation in Chaos Controller Manager is vulnerable to operating system command injection | VULNERABILITY | VULNERABILITY |
| 15.9.25 | Cyberspike Villager | Cyberspike Villager – Cobalt Strike’s AI-native Successor | APT | AI |
| 13.9.25 | Scattered LAPSUS$ | The Cybercrime Group Redefining Threats | GROUP | GROUP |
| 13.9.25 | Langchaingo supports jinja2 and gonja for syntax parsing, allowing for arbitrary file read | LangChainGo, the Go implementation of LangChain, a large language model (LLM) application building framework, has been discovered to contain an arbitrary file read vulnerability. | ALERT | ALERT |
| 13.9.25 | CVE-2025-55190 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1 | VULNERABILITY | VULNERABILITY |
| 13.9.25 | MostereRAT | FortiGuard Labs uncovers MostereRAT’s use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control. | MALWARE | RAT |
| 12.9.25 | Yurei ransomware | First observed in September, Yurei is a new ransomware group whose operations incorporate a double-extortion model of both file encryption and data theft. | RANSOM | |
| 12.9.25 | AMOS Stealer malware continues to be distributed via cracked apps | Trend Micro's latest report reveals a sophisticated campaign leveraging the AMOS infostealer (also known as Atomic macOS Stealer). Attackers employ social engineering, disguising the malware binaries as cracked software or tricking users into pasting malicious commands into the macOS Terminal, thus bypassing built-in protections like Gatekeeper. | VIRUS | |
| 12.9.25 | Fireant group continues activity in Myanmar with ToneShell backdoor | ToneShell is a backdoor that is deployed by the Fireant (aka Mustang Panda) threat group. Security researchers at Intezer have published details about a recently observed variant, with related activity indicating that the group continues acting against targets in Myanmar. | GROUP | |
| 12.9.25 | BlackField (aka BlackFL) Ransomware | BlackField (aka BlackFL) is a double-extortion ransomware actor first observed around July 2025. Analysis of its ransomware demonstrates the typical double-extortion model, using both encryption and data theft to pressure victims. | ALERTS | RANSOM |
| 12.9.25 | BlackNevas Ransomware | BlackNevas is a ransomware variant that initially emerged in November 2024. This encryptor targets businesses and critical infrastructure across Asia, North America, and Europe, with a strong focus on the Asia-Pacific region. | RANSOM | |
| 12.9.25 | Luno - Linux botnet with cryptomining and DDoS capabilities | Cyble researchers have identified a new sophisticated Linux botnet campaign dubbed "Luno." This malware framework combines cryptocurrency mining with modular DDoS attack capabilities, showcasing advanced features like process masquerading, binary replacement, and a self-update mechanism, indicative of professional threat actor involvement. | BOTNET | |
| 12.9.25 | NightshadeC2 Botnet emerges | NightshadeC2 is a newly identified botnet uncovered by eSentire, notable for its advanced stealth and persistence techniques. It is distributed through trojanized installers of legitimate software such as CCleaner, ExpressVPN and others, as well as phishing campaigns using fake ClickFix-themed landing pages. | ALERTS | BOTNET |
| 12.9.25 | Kamasers Malware | Kamasers is a bot with backdoor capabilities that has recently been observed in the wild. Once deployed, it communicates with its C2 server to retrieve commands that enable it to download and execute files, perform HTTP and DNS flooding attacks, access local files, load malicious JavaScript, and direct browsers to attacker-specified URLs. | VIRUS | |
| 12.9.25 | NFSkate's RatOn Android Banking Trojan | In a recent report, ThreatFabric MTI analysts have identified a sophisticated new Android banking trojan dubbed "RatOn," crafted by the NFSkate threat actor group. RatOn represents a significant advancement in mobile cybercrime by combining classic overlay attacks with powerful Automated Transfer System (ATS) functionalities and NFC relay capabilities. | VIRUS | |
| 12.9.25 | New Threat Actor GhostRedirector Targets Windows Servers with SEO Fraud and Backdoors | In a recent report, ESET researchers have identified a new threat actor, GhostRedirector, that has compromised at least 65 Windows servers across Brazil, Thailand, and Vietnam. Operating in diverse sectors including insurance, healthcare, retail, and education, this actor utilizes a sophisticated custom toolkit. | GROUP | |
| 12.9.25 | Gentlemen Ransomware | Gentlemen is a newly emerged ransomware threat group as reported by Trend Micro researchers. The attackers have been observed to leverage legitimate drivers, abuse Group Policy Objects (GPO) as well as deliver KillAV tools aimed at disabling installed security products in the targeted environments | RANSOM | |
| 12.9.25 | Tamperedchef Malware Lurks in AppSuite PDF Editor | According to a report from Truesec, a sophisticated malware campaign has been identified that masquerades as a free utility, "AppSuite PDF Editor," and silently deploys an information-stealing malware named "Tamperedchef." This operation employs highly obfuscated code, possibly AI-generated, and exploits Google advertising to achieve widespread distribution. | CAMPAIGN | |
| 12.9.25 | RapperBot: Fast-moving IoT botnet exploits NVRs for DDoS | RapperBot is a fast-moving IoT botnet that is quickly turning compromised DVRs and NVRs into nodes for large-scale DDoS attacks. | BOTNET | |
| 12.9.25 | Credential theft: Threat actors spoof Hungarian Post (Magyar Posta Zrt.) services | A new wave of phishing attacks targeting Hungarian Post (Magyar Posta Zrt.) services has been identified by Symantec, aiming to steal user credentials. | PHISHING | |
| 12.9.25 | TinyLoader delivers stealers while clipping wallets | In a recent report, researchers have spotlighted TinyLoader, a stealthy malware loader harnessed to siphon cryptocurrency and deploy additional payloads like Redline Stealer and DCRat. | ALERTS | VIRUS |
| 12.9.25 | XWorm adopts multi-stage infection chain | Trellix has identified a shift in the XWorm backdoor campaign, which has evolved from simple .lnk-based delivery to a more deceptive, multi-stage infection chain | VIRUS | |
| 12.9.25 | TAG-150 MaaS group deploys their Castle family of malware | TAG-150 is a newly identified threat actor group which operates as a Malware-as-a-Service (MaaS) provider. Activity associated with TAG-150 is highlighted by deployment of multiple custom developed malware, CastleBot, CastleLoader, and CastleRAT. | GROUP | |
| 12.9.25 | GPUGate: Malware campaign targets IT Pros via GitHub and Google Ads | A sophisticated malware campaign dubbed GPUGate, which exploits GitHub's infrastructure and Google Ads to distribute a malicious payload targeting IT professionals in Western Europe, has been reported by Arctic Wolf. | ALERTS | VIRUS |
| 12.9.25 | Salat Stealer: Go-Based Infostealer as Malware-as-a-Service | Salat Stealer, a Go-based infostealer offered under a Malware-as-a-Service model, has been reported by Cyfirma. Likely operated by Russian-speaking actors, the malware employs layered persistence techniques, including registry Run keys, scheduled tasks, process masquerading and modifications to Windows Defender exclusions to evade detection. | VIRUS | |
| 12.9.25 | Obscura: New Go-based ransomware emerges | A new ransomware variant known as Obscura has emerged, adding itself to the growing list of active ransomware families targeting organizations in 2025. | RANSOM | |
| 12.9.25 | Stealerium: An Open-Source Infostealer Fueling Widespread Attacks | Stealerium is an open-source infostealer that has been observed in recent activity. The malware has been deployed by multiple groups across various campaigns over the last few months. | VIRUS | |
| 12.9.25 | LockBeast ransomware | LockBeast is a ransomware variant that combines file encryption with data theft to pressure victims into payment. Upon execution, it encrypts files with strong cryptographic algorithms, appends a victim-specific identifier plus the “.lockbeast” extension, and drops a ransom note named README.TXT. | RANSOM | |
| 12.9.25 | CVE-2025-21043 | Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. | VULNERABILITY | VULNERABILITY |
| 12.9.25 | Mythical Beasts | Mythical Beasts: Diving into the depths of the global spyware market | MALWARE | SPYWARE |
| 12.9.25 | Elevated Privileges and Arbitrary Code Execution issues in Sunshine for Windows v2025.122.141614 | Two local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems. | ALERT | ALERT |
| 12.9.25 | Amp'ed RF BT-AP 111 Bluetooth access point lacks an authentication mechanism | The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device. | ALERT | ALERT |
| 12.9.25 | Hiawatha open-source web server has multiple vulnerabilities | Hiawatha is an open-source web server that supports Windows, Mac OS X and a variety of Linux distributions. Hiawatha is focused on performance and is used in place of larger, more complex web servers. | ALERT | ALERT |
| 12.9.25 | Open Repo | Oasis Security’s research team uncovered a vulnerability in Cursor, the popular AI Code Editor, that allows a maliciously crafted code repository to execute code as soon as it is opened in Cursor, with no trust prompt. | HACKING | AI |
| 12.9.25 | HybridPetya | Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass | RANSOMWARE | RANSOMWARE |
| 12.9.25 | CVE-2025-5086 | Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.9.25 | VBShower | The script uses the same method to erase both its own contents and the contents of the VBShower Launcher copy, which is used solely for the malware’s first run. | MALWARE | BACKDOOR |
| 12.9.25 | CVE-2018-0802 | Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". | VULNEREBILITY | VULNEREBILITY |
| 12.9.25 | Cloud Atlas | Cloud Atlas seen using a new tool in its attacks | GROUP | GROUP |
| 11.9.25 | CVE-2024-40766 | An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. | VULNEREBILITY | VULNEREBILITY |
| 11.9.25 | Madgicx Plus | Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers | CAMPAIGN | Social |
| 11.9.25 | AsyncRAT | AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan | MALWARE | RAT |
| 11.9.25 | EggStreme | EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company | MALWARE | Keylogger |
| 10.9.25 | ChillyHell | ChillyHell: A Deep Dive into a Modular macOS Backdoor | MALWARE | MacOS |
| 10.9.25 | ZynorRAT | ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT | MALWARE | RAT |
| 10.9.25 | CVE-2025-48003 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-48800 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-48804 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-48818 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-54236 | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-42944 | (CVSS score: 10.0) - A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module, resulting in operating system command execution | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-42922 | (CVSS score: 9.9) - An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-42958 | (CVSS score: 9.1) - A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities | VULNEREBILITY | VULNEREBILITY |
| 9.9.25 | Salt Typhoon and UNC4841 | Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data | APT | APT |
| 9.9.25 | Strain | Off Your Docker: Exposed APIs Are Targeted in New Malware Strain | MALWARE | CRYPTOCURRENCY |
| 9.9.25 | RatOn | The Rise of RatOn: From NFC heists to remote control and ATS | MALWARE | ANDROID |
| 9.9.25 | MostereRAT | MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access | MALWARE | RAT |
| 9.9.25 | GPUGate | GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe | MALWARE | GPU |
| 7.9.25 | CVE-2025-57819 | Sangoma FreePBX Authentication Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 7.9.25 | Operation BarrelFire | NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector. | OPERATION | OPERATION |
| 7.9.25 | CVE-2025-38352 | In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() | VULNEREBILITY | VULNEREBILITY |
| 7.9.25 | CVE-2025-55177 | Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78 | VULNEREBILITY | VULNEREBILITY |
| 7.9.25 | CVE-2025-50173 | Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally. | VULNEREBILITY | VULNEREBILITY |
| 6.9.25 | CVE-2025-53690 | Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 6.9.25 | Phishing campaign targets GMO Aozora Net Bank customers | GMO Aozora Net Bank, an online-only bank in Japan established in 2018 by the GMO Internet and Aozora Bank groups, offers customized financial services for both individuals and businesses. | PHISHING | |
| 6.9.25 | AI Waifu RAT exploits AI enthusiasm | AI Waifu RAT is a newly identified Remote Access Trojan spreading in LLM role-playing communities by posing as an AI interaction or research tool. | AI | |
| 6.9.25 | APT28 introduces NotDoor Backdoor | A new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group, has been identified by LAB52. Delivered via Microsoft OneDrive with DLL side-loading, NotDoor uses an Outlook VBA macro to monitor emails for trigger words, enabling command execution, data exfiltration and file uploads. | APT | |
| 6.9.25 | Indonesian-Language Agent Tesla Campaign Targets Firms Across Southeast Asia | Symantec has observed a new Agent Tesla campaign targeting organizations in Southeast Asia, including both local companies and regional branches of large international firms. | ALERTS | VIRUS |
| 6.9.25 | Iran-Nexus campaign exploits Omani MFA Mailbox | A recent campaign exploiting the Oman Ministry of Foreign Affairs was first reported by ClearSky, with Dream Security researchers providing further insights. | CAMPAIGN | |
| 6.9.25 | Jackpot ransomware | A new ransomware variant named Jackpot, linked to the MedusaLocker family, has emerged leveraging a double extortion strategy that combines file encryption with the theft of sensitive data. | RANSOM | |
| 6.9.25 | MystRodX Backdoor | As per recent reports from XLab, a new backdoor named MystRodX has been discovered, implemented in C++ and equipped with an extensive range of capabilities. It supports file management, port forwarding, reverse shell access and socket management, while also embedding anti-debugging and anti-VM techniques to bypass security analysis. | ALERTS | VIRUS |
| 6.9.25 | Masslogger actor switched from direct archive attachment to Discord CDN URL | Masslogger, an information-stealing malware active since 2020, continues to rank among the most prevalent threats. It is designed to harvest credentials stored in browsers, email clients, and messaging applications. | VIRUS | |
| 6.9.25 | Desolator Ransomware | The Desolator ransomware group, also referred to as The Desolated Collective, is a relatively new actor recently observed in the wild. Alleged victims include construction and engineering firms in Latin America and Southern Europe, and a technology and software developer in Southeast Asia. | RANSOM | |
| 6.9.25 | TinkyWinkey keylogger | A new Windows keylogger, dubbed TinkyWinkey, analyzed by Cyfirma, leverages a service-based persistence model and DLL injection into trusted processes to evade detection while maintaining continuous surveillance. | VIRUS | |
| 6.9.25 | North Korean Vedalia expands espionage via Operation HanKook Phantom | An espionage campaign dubbed Operation HanKook Phantom, attributed to North Korean threat actor Vedalia (also known as APT37, ScarCruft), has been reported by Seqrite targeting South Korean academic and research organizations. | APT | |
| 5.9.25 | CastleRAT | From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure | MALWARE | RAT |
| 5.9.25 | CVE-2025-42957 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. | VULNEREBILITY | VULNEREBILITY |
| 5.9.25 | AMOS Stealer | An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps | MALWARE | Stealer |
| 5.9.25 | APT28 | Analyzing NotDoor: Inside APT28’s Expanding Arsenal | APT | APT |
| 5.9.25 | GhostRedirector | GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes | MALWARE | Backdoor |
| 4.9.25 | CVE-2023-50224 | (CVSS score: 6.5) - An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in "/tmp/dropbear/dropbearpwd" | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | CVE-2025-9377 | (CVSS score: 8.6) - An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | Hexstrike-AI | Hexstrike-AI: When LLMs Meet Zero-Day Exploitation | HACKING | AI |
| 4.9.25 | Iran-Nexus Spear phishing Campaign | Iran-Nexus Spear phishing Campaign Masquerades as Omani MFA to Target Global Governments. | PHISHING | PHISHING |
| 4.9.25 | CVE-2025-38352 | A privilege escalation flaw in the Linux Kernel component | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | CVE-2025-48543 | A privilege escalation flaw in the Android Runtime component | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | RapperBot | RapperBot: From Infection to DDoS in a Split Second | MALWARE | Bot |
| 4.9.25 | Blockbuster | Private Industry Takes Action Against Global Cyber Threats | OPERATION | OPERATION |
| 4.9.25 | CVE-2020-24363 | TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | CVE-2025-55177 | Meta Platforms WhatsApp Incorrect Authorization Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | Lazarus RATs | Three Lazarus RATs coming for your cheese | APT | APT |
| 4.9.25 | AppleJeus | AppleJeus: Analysis of North Korea’s Cryptocurrency Malware | MALWARE | Cryptocurrency |
| 4.9.25 | MystRodX | MystRodX: The Covert Dual-Mode Backdoor Threat | MALWARE | Backdoor |
| 2.9.25 | PolarEdge | Pondering my ORB - A look at PolarEdge Adjacent Infrastructure | BOTNET | IoT |
| 2.9.25 | Nodemailer | Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions | MALWARE | Python |
| 2.9.25 | Silver Fox | Chasing the Silver Fox: Cat & Mouse in Kernel Shadows | APT | APT |
| 2.9.25 | Silent Gatekeepers | Android Droppers: The Silent Gatekeepers of Malware | MALWARE | Android |
| 2.9.25 | ROKRAT | Operation HanKook Phantom: North Korean APT37 targeting South Korea | MALWARE | RAT |