HOT NEWS 2025ALL(3125) January(141) February(191) March(268) April(349) May(260) June(502) July(272) August(180) September(202) October(252) November(308) December(200) ALL(3125) | HOT NEWS 2026(156) HOT NEWS 2025(3125) HOT NEWS 2024(2588)
DATE |
NAME |
INFO |
CATEGORY |
SUBCATE |
| 31.12.25 | DarkSpectre | DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers | HACKING | BROWSER |
| 31.12.25 | CVE-2025-13915 | IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. |
VULNEREBILITY |
|
| 31.12.25 | Shai Hulud | Shai Hulud strikes again - The golden path | MALWARE | PYTHON |
| 31.12.25 | CVE-2025-52691 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. |
VULNEREBILITY |
|
| 31.12.25 | Silver Fox | Silver Fox Targeting India Using Tax Themed Phishing Lures | APT | APT |
| 31.12.25 | HoneyMyte | The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor | APT | APT |
| 27.12.25 | Panda APT | The Evasive Panda APT group (also known as Bronze Highland, Daggerfly, and StormBamboo) has been active since 2012, targeting multiple industries with sophisticated, evolving tactics. Our latest research (June 2025) reveals that the attackers conducted highly-targeted campaigns, which started in November 2022 and ran until November 2024. | APT | APT |
| 27.12.25 | CVE-2025-14847 | Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 |
VULNEREBILITY |
|
| 27.12.25 | UNG0801 | Key Targets. Industries Affected. Geographical Focus. Infection Chain – Operation IconCat. Infection Chain – I. Infection Chain – II. Campaign-Analysis – Operation IconCat. Campaign-I Initial Findings. Looking into the malicious PDF File. Technical Analysis. Malicious PyInstaller implant – PYTRIC... | GROUP | GROUP |
|
25.12.25 |
Pytric and Rustric implants leveraged in UNG0801 malicious operations | A new malicious activity attributed to a persistent threat cluster designated as UNG0801 (aka Operation IconCat) has been reported in the wild. The campaign targets specifically Israeli enterprise environments. The attackers employ sophisticated social engineering techniques, utilizing Hebrew-language phishing lures that mimic internal corporate communications. | GROUP | |
|
25.12.25 |
MacSync Stealer malware | Jamf Threat Labs has identified an updated variant of the MacSync Stealer malware, that leverages code-signed binaries able to deliver the malicious payloads without user interaction. To evade detection, the attackers also inflate the malicious application bundle to over 25 MBs using decoy PDFs and employ a Swift-based helper to execute the malicious scripts. | VIRUS | |
|
25.12.25 |
CVE-2025-34392 - Barracuda Service Center absolute path traversal vulnerability | CVE-2025-34392 is a recently disclosed critical (CVSS score 10.0) absolute path traversal vulnerability affecting Barracuda Service Center, which is a web-based management console for Barracuda Managed Workplace (RMM). If successfully exploited the flaw might allow unauthorized attackers to perform arbitrary file write operations and remote code execution via malicious webshell upload. | VULNEREBILITY | |
|
25.12.25 |
Paper Werewolf campaign delivering EchoGather malware | Researchers from Intezer reported on a new malicious activity attributed to the Paper Werewolf threat group (aka GOFFEE). The attackers leverage XLL-based delivery techniques to distribute a custom backdoor dubbed EchoGather. | CAMPAIGN | |
|
25.12.25 |
Caminho and DCRAT malware variants leveraged by the Blind Eagle APT | Zscaler researchers identified a recent spear-phishing campaign attributed to the BlindEagle threat group that has been targeting Colombian institutions. The operation utilized phishing emails, a fake web portal, PowerShell scripts, steganography to hide payloads, and legitimate services like Discord to host arbitrary payloads. | VIRUS | |
|
25.12.25 |
AshTag malware distributed by the Ashen Lepus APT | Researchers from Palo Alto have detailed an evolving espionage campaign attributed to the Ashen Lepus APT group. This campaign has introduced a fully featured, modular .NET malware dubbed AshTag. The infection chain relies on social engineering and DLL side-loading performed by the AshenLoader malware. | APT | |
|
25.12.25 |
PyStoreRAT malware | A new sophisticated supply chain attack utilizing dormant GitHub accounts to distribute a previously undocumented malware dubbed PyStoreRAT has been reported in the wild. | VIRUS | |
|
25.12.25 |
RansomHouse RaaS | RansomHouse is a Ransomware-as-a-Service (RaaS) operation attributed to the threat actor Jolly Scorpius. This group employs a double-extortion method, generating revenue through ransoming encrypted files and sensitive data, and primarily targets virtualized environments through their MrAgent and Mario components. | RANSOM | |
|
25.12.25 |
SantaStealer - a new MaaS infostealer | Rapid7 Labs has identified a new infostealer variant dubbed SantaStealer, which is currently advertised on underground forums and offered for sale under the Malware-as-a-Service (MaaS) offering. Functionally, SantaStealer is designed to harvest sensitive data from browsers, including credentials, cookies, and credit card details. | VIRUS | |
|
25.12.25 |
Frogblight mobile malware | Frogblight is a sophisticated Android banking malware operating under the Malware-as-a-Service model and targeting specifically Turkish users through a combination of banking theft and spyware capabilities. As reported by the researchers from Securelist, the malware spreads via social engineering, utilizing phishing SMS messages that falsely warn victims of pending court cases. | VIRUS | |
|
25.12.25 |
CVE-2025-6389 - WordPress Sneeit Framework plugin vulnerability under active exploitation | CVE-2025-6389 is a recently disclosed critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability affecting Sneeit Framework plugin for WordPress. | VULNEREBILITY | |
|
25.12.25 |
Longlegs group attributed to multiple campaigns delivering ransomware | The Longlegs (aka Gold Salem, Storm-2603) threat actor group has established itself in early 2025 through the distribution of Warlock ransomware. The group gained notoriety in mid-2025 following exploitation of ToolShell, a collection of Microsoft SharePoint vulnerabilities. | GROUP | |
|
25.12.25 |
CVE-2025-58360 - OSGeo GeoServer XML External Entity (XXE) vulnerability | CVE-2025-58360 is a recently disclosed critical (CVSS score 9.8) XML External Entity (XXE) vulnerability affecting GeoServer, which is an open-source software server written in Java that allows for editing and sharing of geospatial data. If successfully exploited the flaw might allow an unauthenticated attacker to access arbitrary files from the server's file system or to conduct Server-Side Request Forgery (SSRF) attacks | VULNEREBILITY | |
|
25.12.25 |
CVE-2020-12812 | An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. |
VULNEREBILITY |
|
|
25.12.25 |
CVE-2023-52163 | Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
VULNEREBILITY |
|
|
25.12.25 |
Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers |
STEALER |
||
|
25.12.25 |
GhostPairing Attacks: from phone number to full access in WhatsApp |
|||
|
25.12.25 |
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
25.12.25 |
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. |
VULNEREBILITY |
||
|
25.12.25 |
SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums |
INFOSTEALER |
||
|
25.12.25 |
From ClickFix to code signed: the quiet shift of MacSync Stealer malware |
Mac OS |
||
|
24.12.25 |
Prince of Persia: A Decade of Iranian Nation-State APT Campaign Activity under the Microscope |
|||
|
24.12.25 |
Choose Your Fighter: A New Stage in the Evolution of Android SMS Stealers in Uzbekistan |
ANDROID |
||
|
24.12.25 |
NexusRoute | NexusRoute: Attempting to Disrupt an Indian Government Ministry | MALWARE | ANDROID |
|
24.12.25 |
Frogblight threatens you with a court case: a new Android banker targets Turkish users |
ANDROID BANKING |
||
|
24.12.25 |
Meet Cellik - A New Android RAT With Play Store Integration |
ANDROID RAT |
||
|
24.12.25 |
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. |
VULNEREBILITY |
||
|
20.12.25 |
Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards |
A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU. |
||
|
20.12.25 |
Siemens Gridscale X Prepay username enumeration and account lock bypass vulnerability |
Vulnerabilities have been identified in Siemens Gridscale X Prepay that allows unauthenticated username enumeration and enables an attacker to bypass account lock functionality. |
||
|
20.12.25 |
A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts |
|||
|
20.12.25 |
EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic analysis of the evolving cyber threat landscape. Our latest report analyzes a targeted malware campaign attributed to APT-36, which… |
|||
|
20.12.25 |
EXECUTIVE SUMMARY CYFIRMA examines a sophisticated phishing campaign that leverages QR-code-based delivery, commonly referred to as “quishing,” to target employees with |
|||
|
20.12.25 |
The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers. |
LOADER |
||
|
20.12.25 |
From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader |
LOADER |
||
|
19.12.25 |
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. |
VULNEREBILITY |
||
|
19.12.25 |
(CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASRock, ASRock Rack, and ASRock Industrial motherboards using Intel 500, 600, 700, and 800 series chipsets |
VULNEREBILITY |
||
|
19.12.25 |
(CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASUS motherboards using Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets |
VULNEREBILITY |
||
|
19.12.25 |
(CVSS score: 7.0) - A protection mechanism failure vulnerability affecting GIGABYTE motherboards using Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, and AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets (Fix for TRX50 planned for Q1 2026) |
VULNEREBILITY |
||
|
19.12.25 |
(CVSS score: 7.0) - A protection mechanism failure vulnerability affecting MSI motherboards using Intel 600 and 700 series chipsets |
VULNEREBILITY |
||
|
19.12.25 |
LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan |
|||
|
18.12.25 |
Kimsuky Distributing Malicious Mobile App via QR Code |
ANDROID |
||
|
18.12.25 |
A remote code execution issue exists in HPE OneView. |
VULNEREBILITY |
||
|
18.12.25 |
ASUS Live Update Embedded Malicious Code Vulnerability |
VULNEREBILITY |
||
|
18.12.25 |
SonicWall SMA1000 Missing Authorization Vulnerability |
VULNEREBILITY |
||
|
18.12.25 |
Cisco is aware of a potential vulnerability. Cisco is currently investigating and will update these details as appropriate as more information becomes available. |
VULNEREBILITY |
||
|
18.12.25 |
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). |
VULNEREBILITY |
||
|
18.12.25 |
Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices |
|||
|
17.12.25 |
Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports |
|||
|
17.12.25 |
Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation |
|||
|
17.12.25 |
Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users |
JAVASCRIPT |
||
|
17.12.25 |
Patch or Peril: A Veeam vulnerability incident |
|||
|
17.12.25 |
Remediating Atlassian Confluence servers fails to thwart Effluence backdoor |
BACKDOOR |
||
|
17.12.25 |
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. |
VULNEREBILITY |
||
|
17.12.25 |
(CVSS score: 8.6) - Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database |
VULNEREBILITY |
||
|
17.12.25 |
(CVSS score: 8.6) - An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., "/etc/passwd") |
VULNEREBILITY |
||
|
17.12.25 |
(CVSS score: 9.3) - An authentication bypass vulnerability that occurs when the "Authorization Type" (aka AUTHTYPE) is set to "webserver," allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header |
VULNEREBILITY |
||
|
17.12.25 |
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign |
BACKDOOR |
||
|
15.12.25 |
CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks |
|||
|
14.12.25 |
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
14.12.25 |
ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants |
WEB |
||
|
14.12.25 |
Pro-Russia Hacktivists Conduct Opportunistic |
This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood.. |
||
|
14.12.25 |
An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
VULNEREBILITY |
||
|
14.12.25 |
(CVSS score: 8.8) - A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content |
VULNEREBILITY |
||
|
14.12.25 |
Apple fixes two zero-day flaws exploited in 'sophisticated' attacks By Lawrence Abrams December 12, 2025 06:23 PM 0 Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals. |
VULNEREBILITY |
||
|
13.12.25 |
CVE-2025-54100 - PowerShell Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
13.12.25 |
CVE-2025-64671 - GitHub Copilot for Jetbrains Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
13.12.25 |
CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
13.12.25 |
Ransomware Trends in Bank Secrecy Act Data Between |
This Financial Trend Analysis (FTA) focuses on ransomware patterns and trends identified in Bank Secrecy Act (BSA) data. The Financial Crimes Enforcement Network (FinCEN) is issuing this report pursuant to section 6206 of the Anti-Money Laundering Act of 2020 (codified at 31 U.S.C. § 5318(g)(6) (B)), which requires periodic publication of BSA-derived threat pattern and trend information. |
RANSOMWARE |
|
|
13.12.25 |
TOTOLINK's X5000R's (AX1800 router) lacks authentication for telnet |
An unauthenticated HTTP request can enable telnet which may lead to remote code execution with root-level privileges. |
||
|
13.12.25 |
Vulnerabilities identified in PCIe Integrity and Data Encryption (IDE) protocol specification |
PCI Express Integrity and Data Encryption (PCIe IDE), introduced in the PCIe 6.0 standard, provides link-level encryption and integrity protection for data transferred across PCIe connections. |
||
| 13.12.25 | EtherHiding | Hiding Web2 Malicious Code in Web3 Smart Contracts | HACKING | MALWARE |
| 13.12.25 | CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 13.12.25 | CVE-2025-42928 | Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. |
VULNEREBILITY |
|
| 13.12.25 | CVE-2025-55754 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages |
VULNEREBILITY |
|
| 13.12.25 | CVE-2025-42880 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. |
VULNEREBILITY |
|
| 13.12.25 | Operation MoneyMount-ISO | Table of Contents: Introduction: Targeted sectors: Initial Findings about Campaign: Analysis of Phishing Mail: Infection Chain: Technical Analysis: Stage-1: Analysis of Malicious ISO file. Stage-2: Analysis of Executable. Analysis of 1st Payload Analysis of 2nd Payload (Phantom Stealer) Conclusion:... | OPERATION | OPERATION |
| 13.12.25 | Operation FrostBeacon | Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia Contents Introduction Key Targets Geographical Focus Industries Affected LNK Cluster Initial Access: | OPERATION | OPERATION |
| 13.12.25 | GROUP 123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and | APT | APT |
| 13.12.25 | Golang Stealer | This week, SonicWall Capture Labs Threat Research Team analyzed a sample of SalatStealer. This is a Golang malware capable of infiltrating a system and enumerating through browsers, files, cryptowallets and systems while embedding a complete array of monitoring tools to push and pull any data on disk. | MALWARE | STEALER |
| 13.12.25 | ValleyRAT | Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits | MALWARE | RAT |
| 13.12.25 | SetcodeRat | SetcodeRat Exposed: A Telegram Secret Stealing Trojan Customized for Chinese-speaking Regions | MALWARE | RAT |
| 13.12.25 | PyStoreRAT | PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals | MALWARE | RAT |
| 13.12.25 | BlackForce | Technical Analysis of the BlackForce Phishing Kit | PHISHING | KIT |
| 13.12.25 | Spiderman | Spiderman Phishing Kit Mimics Top European Banks With A Few Clicks | PHISHING | KIT |
| 13.12.25 | GhostFrame | Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit | PHISHING | KIT |
| 12.12.25 | AshTag | Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite | MALWARE | MALWARE |
| 12.12.25 | AridViper | AridViper, an intrusion set allegedly associated with Hamas | GROUP | GROUP |
| 12.12.25 | CVE-2025-55182 | Meta React Server Components Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-58360 | OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-55184 | (CVSS score: 7.5) - A pre-authentication denial of service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Function endpoints, triggering an infinite loop that hangs the server process and may prevent future HTTP requests from being served |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-67779 | (CVSS score: 7.5) - An incomplete fix for CVE-2025-55184 that has the same impact |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-55183 | (CVSS score: 5.3) - An information leak vulnerability that may cause a specifically crafted HTTP request sent to a vulnerable Server Function to return the source code of any Server Function |
VULNEREBILITY |
|
| 12.12.25 | CVE-2024-55947 | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-8110 | Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. |
VULNEREBILITY |
|
| 12.12.25 | NANOREMOTE | The fully-featured backdoor we call NANOREMOTE shares characteristics with malware described in REF7707 and is similar to the FINALDRAFT implant. | MALWARE | BACKDOOR |
| 12.12.25 | SOAPwn | SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL | EXPLOIT | EXPLOIT |
| 12.12.25 | PeerBlight | PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182 | MALWARE | BACKDOOR |
| 10.12.25 | CVE-2025-54100 | (CVSS score: 7.8) - A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-64671 | (CVSS score: 8.4) - A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-54131 | Cursor is a code editor built for programming with AI. In versions below 1.3, an attacker can bypass the allow list in auto-run mode with a backtick (`) or $(cmd). |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-59458 | In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 code execution was possible due to improper command validation |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-54377 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-57771 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-65946 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-9612 | (Forbidden IDE Reordering) – A missing integrity check on a receiving port may allow re-ordering of PCIe traffic, leading the receiver to process stale data |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-9613 | (Completion Timeout Redirection) – Incomplete flushing of a completion timeout may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-9614 | (Delayed Posted Redirection) – Incomplete flushing or re-keying of an IDE stream may result in the receiver consuming stale, incorrect data packets. |
VULNEREBILITY |
|
| 10.12.25 | GOLD BLADE’s | Sharpening the knife: GOLD BLADE’s strategic evolution | APT | APT |
| 10.12.25 | JS#SMUGGLER | JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery | MALWARE | JAVASCRIPT |
| 10.12.25 | APT-C-08 | WinRAR CVE-2025-6218 Exploit: In-Depth Analysis of the APT-C-08 Directory Traversal Attack | APT | APT |
| 10.12.25 | CVE-2025-8088 | A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-6218 | RARLAB WinRAR Path Traversal Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-62221 | Microsoft Windows Use After Free Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-59719 | An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-59718 | A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 |
VULNEREBILITY |
|
| 10.12.25 | EtherRAT | EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | MALWARE | RAT |
| 10.12.25 | CastleLoader | GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries | MALWARE | LOADER |
| 10.12.25 | Storm-0249 | Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation | APT | APT |
| 8.12.25 | CVE-2025-2611 | The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable. |
VULNEREBILITY |
|
| 8.12.25 | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). |
VULNEREBILITY |
||
| 8.12.25 | SEEDSNATCHER | Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases | MALWARE | ANDROID |
| 8.12.25 | ClayRat | Return of ClayRat: Expanded Features and Techniques | MALWARE | RAT |
| 8.12.25 | FvncBot | New FvncBot Android banking trojan targets Poland | MALWARE | ANDROID |
| 8.12.25 | UDPGangster | MuddyWater campaign analysis reveals macro-based delivery, extensive anti-analysis techniques, and shared infrastructure links | CAMPAIGN | CAMPAIGN |
| 7.12.25 | Snowlight | A malware dropper that allows remote attackers to drop additional payloads on breached devices. | MALWARE | Dropper |
| 7.12.25 | Vshell | A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. | MALWARE | Backdoor |
| 7.12.25 | CVE-2025-55182 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2022-41049 | Windows Mark of the Web Security Feature Bypass Vulnerability |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-49150 | Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-53097 | Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-58335 | In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 information disclosure was possible via search_project function |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-53773 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-54130 | Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-53536 | Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-55012 | Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-64660 | Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-61590 | Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-58372 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-55182 | Meta React Server Components Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47322 | Memory corruption while handling IOCTL calls to set mode. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47320 | Memory corruption while processing MFC channel configuration during music playback. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-27063 | Memory corruption during video playback when video session open fails with time out error. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47321 | Memory corruption while copying packets received from unix clients. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47387 | Memory Corruption when processing IOCTLs for JPEG data without verification. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47350 | Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47325 | Information disclosure while processing system calls with invalid parameters. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47323 | Memory corruption while routing GPR packets between user and root when handling large data packet. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47372 | Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-47319 | Exposure of Sensitive System Information to an Unauthorized Control Sphere in HLOS |
VULNEREBILITY |
|
| 6.12.25 | RondoDox | Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities | MALWARE | IOT |
| 6.12.25 | HashJack Attack | HashJack Attack Targets AI Browsers and Agentic AI Systems | ATTACK | AI |
| 6.12.25 | CVE-2025-54988 | Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. |
VULNEREBILITY |
|
| 6.12.25 | CVE-2025-66516 | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. |
VULNEREBILITY |
|
| 6.12.25 | CVE-2025-1338 | A vulnerability was found in NUUO Camera up to 20250203. It has been declared as critical. This vulnerability affects the function print_file of the file /handle_config.php. The manipulation of the argument log leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
VULNEREBILITY |
|
| 6.12.25 | V3G4 Botnet | CRIL has uncovered an active V3G4 campaign using a Mirai-derived botnet alongside a fileless, runtime-configured cryptominer. | BOTNET | BOTNET |
| 6.12.25 | Operation DupeHike | Contents Introduction Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings. Looking into the decoy-document Technical Analysis Stage 1 – Malicious LNK Script Stage 2 – DUPERUNNER Implant Stage 3 – AdaptixC2 Beacon. Infrastructural Artefacts. Conclusion SEQRITE Protection.... | OPERATION | OPERATION |
| 5.12.25 | Benzona Ransomware | A new ransomware operation known as Benzona has surfaced, showing signs of rapid development and growing confidence. The malware encrypts victim files using the “.benzona” extension and drops a ransom note titled RECOVERY_INFO.txt, warning that sensitive data has already been exfiltrated. Victims are given a 72-hour deadline to negotiate via a Tor-based chat portal, with threats of data publication should they refuse. | RANSOM | |
| 5.12.25 | DupeRunner and AdaptixC2 malware deployed within the Operation DupeHike | The SEQRITE researchers have uncovered a targeted cyber espionage campaign dubbed Operation DupeHike. The campaign is focused on various sectors including HR, payroll, and administrative departments. The attack utilizes sophisticated social engineering tactics, deploying realistic decoy documents centered on employee financial bonuses to lure victims. | OPERATION | |
| 5.12.25 | Symbiote and BPFdoor Linux malware variants implement new eBPF filters | Symbiote and BPFdoor are two Linux malware strains known to utilize Berkeley Packet Filter (BPF) packet sniffer to monitor network traffic and send packets only on existing open ports, bypassing firewall rules and network protections. As reported by researchers from Fortinet, both called out malware families have recently implemented new extended Berkeley Packet Filters (eBPFs) within the distributed payloads. | VIRUS | |
| 5.12.25 | Datebug APT deploys malware targeting BOSS Linux systems | The Pakistan-based advanced persistent threat (APT) group known as Datebug (aka APT36, Transparent Tribe, Storm-0156) is reported to be behind recent attacks targeting Indian government entities running Bharat Operating System Solutions (BOSS) Linux. | APT | |
| 5.12.25 | CVE-2025-61757 - Oracle Fusion Middleware vulnerability | CVE-2025-61757 is a recently disclosed critical (CVSS score 9.8) missing authentication vulnerability affecting the Identity Manager product of Oracle Fusion Middleware. If successfully exploited the flaw might provide unauthenticated attackers with network access via HTTP to compromise Identity Manager leading up to takeover of the vulnerable Identity Manager instance by the threat actors. | VULNEREBILITY | |
| 5.12.25 | CVE-2025-12480 - Gladinet Triofox vulnerability | CVE-2025-12480 is a recently disclosed critical (CVSS score 9.1) improper access control vulnerability affecting Gladinet Triofox file server and storage solution. If successfully exploited the flaw might allow unauthenticated remote attackers access to the vulnerable application configuration pages and enable them to perform upload and execution of arbitrary payloads. | VULNEREBILITY | |
| 5.12.25 | LotusHarvest malware deployed in Operation Hanoi Thief | SEQRITE Labs’ researchers have identified "Operation Hanoi Thief," a malicious cyber campaign targeting IT professionals and HR recruiters in Vietnam. The campaign employs spear-phishing emails containing fake resumes to deliver malware used to steal confidential user data. | OPERATION | |
| 5.12.25 | Arkanix Stealer | Researchers at G DATA recently observed a new infostealer dubbed Arkanix. According to their findings, it was initially built in Python and distributed via Discord as a fake “utility,” but it quickly evolved — a native C++ “premium” version now exists, complete with VMProtect obfuscation. Its capabilities are standard for commodity stealers. | VIRUS | |
| 5.12.25 | Albiriox mobile RAT | Albiriox is a new Android malware operating under a Malware-as-a-Service (MaaS) model, designed to facilitate on-device fraud, VNC‑based remote control and overlay attacks. As reported by researchers from Cleafy, the malware spreads through social engineering, specifically targeting Austrian victims via fake applications distributed through SMS and WhatsApp lures | VIRUS | |
| 5.12.25 | CVE-2025-34299 - Monsta FTP vulnerability | CVE-2025-34299 is a recently disclosed critical (CVSS score 9.3) arbitrary file upload vulnerability affecting Monsta FTP solution (version 2.11.2 and earlier). If successfully exploited the flaw might allow unauthenticated remote attackers to perform arbitrary code execution by uploading a specially crafted file from malicious SFTP or FTP servers. | VULNEREBILITY | |
| 5.12.25 | Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read | Duc, an open-source disk management tool, contains a stack-based buffer overflow vulnerability allowing for out-of-bounds memory read. | ALERT | ALERT |
| 5.12.25 | Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform | nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application. This vulnerability is extremely similar to CVE-2019-7215. | ALERT | ALERT |
| 5.12.25 | Intellexa Leaks | Global: “Intellexa Leaks” investigation provides further evidence of spyware threats to human rights. | BIGBROTHER | BIGBROTHER |
| 5.12.25 | ValleyRAT | Silver Fox’s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack | MALWARE | RAT |
| 5.12.25 | BRICKSTORM Backdoor | The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. V | MALWARE | BACKDOOR |
| 4.12.25 |
Cloudflare's 2025 Q3 DDoS threat report -- including Aisuru, the apex of botnets |
Welcome to the 23rd edition of Cloudflare’s Quarterly DDoS Threat Report. This report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the third quarter of 2025. | BOTNET | BOTNET |
| 4.12.25 | CVE-2025-55182 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. |
VULNEREBILITY |
|
| 4.12.25 | CVE-2025-9491 | Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. |
VULNEREBILITY |
|
| 4.12.25 | CVE-2025-8489 | The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . |
VULNEREBILITY |
|
| 3.12.25 | ShadyPanda's | 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | APT | APT |
| 3.12.25 | CVE-2025-10155 | (CVSS score: 9.3/7.8) - A file extension bypass vulnerability that can be used to undermine the scanner and load the model when providing a standard pickle file with a PyTorch-related extension such as .bin or .pt |
VULNEREBILITY |
|
| 3.12.25 | CVE-2025-10156 | (CVSS score: 9.3/7.5) - A bypass vulnerability that can be used to disable ZIP archive scanning by introducing a Cyclic Redundancy Check (CRC) error |
VULNEREBILITY |
|
| 3.12.25 | CVE-2025-10157 | (CVSS score: 9.3/8.3) - A bypass vulnerability that can be used to undermine Picklescan's unsafe globals check, leading to arbitrary code execution by getting around a blocklist of dangerous imports |
VULNEREBILITY |
|
| 3.12.25 | Glassworm's resurgence | Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be mulitple campaigns at work also. | MALWARE | Worm |
| 3.12.25 | MuddyWater | MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook | APT | APT |
| 2.12.25 | Android Security Bulletin—December 2025 | This Android Security Bulletin contains details of security vulnerabilities that affect Android devices. Security patch levels of 2025-12-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version. | VULNEREBILITY | VULNEREBILITY |
| 2.12.25 | Albiriox | Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets | MALWARE | Android |
| 2.12.25 | Tomiris | Tomiris wreaks Havoc: New tools and techniques of the APT group | APT | APT |
| 2.12.25 | CVE-2021-26829 | OpenPLC ScadaBR Cross-site Scripting Vulnerability: OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm. |
VULNEREBILITY |
|
| 30.11.25 | CVE-2025-12816 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions. |
VULNEREBILITY |
|
| 30.11.25 | CVE-2025-59366 | An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information. |
VULNEREBILITY |
|
| 30.11.25 | CVE-2020-0688 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. |
VULNEREBILITY |
|
| 30.11.25 | CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 30.11.25 | Public Report: Android Quick Share Application Penetration Test |
NetSPI performed an analysis of Google LLC’s implementation
of Quick Share to identify vulnerabilities, determine the level of risk they present to Google, and provide actionable recommendations to reduce this risk. |
REPORT | REPORT |
| 30.11.25 | CVE-2025-61757 | Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability |
VULNEREBILITY |
|
| 29.11.25 | TangleCrypt packer employed in recent StoneStop malware delivery campaign | The researchers from WithSecure have released a technical analysis of TangleCrypt, a previously undocumented packer identified in recent attacks utilizing StoneStop EDR killer malware. | VIRUS | |
| 29.11.25 | Flexible Ferret malware distribution campaigns continue to target macOS users | A new run of the malicious campaign dubbed "Contagious Interview" has been reported on by the researchers from JAMF. The attackers target macOS users, lure them to fake job websites, and then trick into downloading malware via a bogus software updates. | VIRUS | |
| 29.11.25 | W-8BEN Phishing Alert: Interactive Brokers users targeted via fake login pages | Interactive Brokers (IBKR) is a large, global securities firm offering an electronic trading platform for sophisticated investors, active traders, and institutions across a wide range of products. Recently, a phishing campaign was identified that impersonates a request for the W-8BEN tax form, primarily targeting non-U.S. residents to steal sensitive data. | PHISHING | |
| 29.11.25 | Recent ShadowV2 - a Mirai variant delivery campaign | FortiGuard Labs recently reported on ShadowV2, a Mirai-based malware, targeting IoT devices during the large-scale AWS disruption incident in October. | BOTNET | |
| 29.11.25 | StealC malware campaign targets Blender users | StealC malware was deployed in a campaign by Russian-linked threat actors targeting users of the popular open-source 3D creation suite, Blender. The multi-stage attack involves malicious .blend files published to legitimate 3D marketplaces. | VIRUS | |
| 29.11.25 | Silver Fox Campaign Uses Fake Apps & BYOVD | Researchers recently observed a “SwimSnake / Silver Fox” campaign distributing remote-control malware via SEO-boosted fake download sites that impersonate apps like Youdao Translator and WPS. The loaders perform multilayered decryption, use around 80 encrypted fallback C2 addresses, and deploy Gh0st-derived plugins to conceal payloads and support spying, remote command execution, and DDoS. | CAMPAIGN | |
| 29.11.25 | Banking malware spread to Brazilian users in campaign leveraging phishing and WhatsApp messaging | A sophisticated malware campaign, identified by K7 Security Labs as part of the "Water-Saci" operation, is targeting the Brazilian financial sector through a hybrid phishing and WhatsApp messaging propagation strategy. Initial access is gained via phishing emails with malicious .VBS attachments, followed by the deployment of Python scripts and Selenium webdriver used to hijack WhatsApp Web sessions. | VIRUS | |
| 29.11.25 | TamperedChef activity continues | TamperedChef is a cyber campaign utilizing malvertising and Search Engine Optimization (SEO) to distribute malicious payloads. The operation targets users searching for common software like web browsers, PDF editors, or product manuals. | CAMPAIGN | |
| 29.11.25 | Autumn Dragon APT activity | Autumn Dragon is a sophisticated cyber espionage campaign targeting government and media organizations across Southeast Asia. As reported by the researchers from CyberArmor, the campaign has been active since early 2025. It begins with spearphishing emails containing a malicious RAR archive that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR. | APT | |
| 29.11.25 | Tsundere botnet | Researchers at Kaspersky have identified a growing botnet named Tsundere, which has been targeting Windows users since at least mid-2025. The malware is primarily propagated through fake MSI installers disguised as popular video games installers or other pirated software. | BOTNET | |
| 29.11.25 | New variant of Shai-Hulud worm found targeting npm packages | A new, aggressive wave of the "Shai Hulud" malware campaign has been reported, compromising hundreds of packages and impacting major organizations including Zapier, Postman, AsyncAPI, and ENS Domains. The malware operates like a sophisticated worm, autonomously spreading by re-publishing itself into other packages maintained by the compromised individual. | VIRUS | |
| 29.11.25 | CCLand Ransomware | A ransomware actor calling itself “CCLand Team” has recently surfaced. The group presents itself as purely financially motivated and appears to follow a conventional double-extortion model, claiming data theft, file encryption and threatening public disclosure. In the recent activity, they demanded USD 50,000 in Bitcoin with a one-week deadline. | RANSOM | |
| 29.11.25 | Forge JavaScript library impacted by a vulnerability in signature verification. | The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data, was identified. | ALERT | ALERT |
| 29.11.25 | Fluent Bit contains five vulnerabilities, including stack buffer overflow, authentication bypass, and path traversa | Fluent Bit is a logging and metrics processor and forwarder that is used in a variety of cloud and container networking environments. Several vulnerabilities in Fluent Bit have been discovered that could allow for authentication bypass, remote code execution (RCE) and denial of service (DoS) largely enabled by various Fluent Bit plugins and by how Fluent Bit processes tags. | ALERT | ALERT |
| 29.11.25 | Lack of Sufficient Guardrails Lead to Excessive Agency (LLM08) in Some LLM Applications | Retell AI's API creates AI voice agents that have excessive permissions and functionality, as a result of insufficient amounts of guardrails. As a result, attackers can exploit this and conduct large scale social engineering, phishing, and misinformation campaigns. | ALERT | ALERT |
| 29.11.25 | ShadowV2 | At the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities. These incidents affected multiple countries worldwide and spanned seven different industries. | BOTNET | BOTNET |
| 28.11.25 | Bloody Wolf | Bloody Wolf: A Blunt Crowbar Threat To Justice | GROUP | GROUP |
| 26.11.25 | Qilin RaaS | The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS | CAMPAIGN | CAMPAIGN |
| 26.11.25 |
Market Opportunities and Advanced Strategies Increase the Impact and Resilience of Purchase Scams |
Purchase scams are a major emerging fraud threat in which threat actors use fake e-commerce stores to steal victim data and accept victim card payments for non-existent goods and services. | REPORT | REPORT |
| 26.11.25 | RomCom payload | Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine | OPERATION | OPERATION |
| 25.11.25 | "JackFix" attack | Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix | ATTACK | ATTACK |
| 25.11.25 | ToddyCat | ToddyCat: your hidden email assistant. Part 1 | GROUP | GROUP |
| 25.11.25 | StealC V2 infostealer | Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files | MALWARE | Stealer |
| 24.11.25 | CVE-2025-12969 | Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. |
VULNEREBILITY |
|
| 24.11.25 | CVE-2025-12977 | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. |
VULNEREBILITY |
|
| 24.11.25 | CVE-2025-12978 | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. |
VULNEREBILITY |
|
| 24.11.25 | CVE-2025-12970 | The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. |
VULNEREBILITY |
|
| 24.11.25 | CVE-2025-12972 | Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. |
VULNEREBILITY |
|
| 24.11.25 | Shai-Hulud 2.0 | Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users. | CAMPAIGN | CAMPAIGN |
| 24.11.25 | Shai-Hulud Campaign | It's another Monday morning, sitting down at the computer. And I see a stack of alerts from the last hour of packages showing signs of malware in our triage queue. Having not yet finished my first cup of coffee, I see Shai Hulud indicators. Y | CAMPAIGN | CAMPAIGN |
| 24.11.25 | Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) | AhnLab SEcurity intelligence Center (ASEC) has identified an attack where the remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was exploited to distribute the ShadowPad malware. | REPORT | REPORT |
| 23.11.25 | CVE-2025-35939 | Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. |
VULNEREBILITY |
|
| 23.11.25 | CVE-2025-9242 | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2025-2492 | An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2024-12912 | An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2023-39780 | On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2023-41348 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2023-41347 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2023-41346 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. |
VULNEREBILITY |
|
|
19.11.25 |
CVE-2023-41345 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system, or terminate services. |
VULNEREBILITY |
|
|
19.11.25 |
Exploiting Agent-to-Agent Discovery via Prompt Injection | When AI Turns on Its Team: Exploiting Agent-to-Agent Discovery via Prompt Injection | HACKING | AI |
|
19.11.25 |
Operation WrtHug | Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router | OPERATION | OPERATION |
|
19.11.25 |
Eternidade Stealer | Advanced Banking Trojan Maverick Uses WhatsApp to Prey on Brazilian Users | MALWARE | Stealer |
|
19.11.25 |
PlushDaemon | PlushDaemon compromises network devices for adversary-in-the-middle attacks | APT | APT |
|
19.11.25 |
CVE-2025-58034 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5,.. |
VULNEREBILITY |
|
|
19.11.25 |
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. |
VULNEREBILITY |
||
|
18.11.25 |
SmartApeSG campaign uses ClickFix page to push NetSupport RAT |
CAMPAIGN |
||
|
18.11.25 |
Morphisec Thwarts Sophisticated Tuoni C2 Attack on US Real Estate Fi |
In October 2025, Morphisec’s anti-ransomware prevention platform stopped a highly advanced cyberattack targeting a major U.S. real estate company. |
||
|
18.11.25 |
EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT |
CAMPAIGN |
||
|
18.11.25 |
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
VULNEREBILITY |
||
|
18.11.25 |
Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One |
Crypter |
||
|
17.11.25 |
RONINGLOADER: DragonBreath’s New Path to PPL Abuse |
Loader |
||
|
17.11.25 |
In multiple locations, there is a possible condition that results in OOB accesses due to an incorrect bounds check. This could lead to remote code execution in combination with other bugs, with no additional execution privileges needed. |
VULNEREBILITY |
||
|
16.11.25 |
An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. |
VULNEREBILITY |
||
|
16.11.25 |
CVE-2025-12686 allows remote attackers to execute arbitrary code |
VULNEREBILITY |
||
|
15.11.25 |
The Genians Security Center (GSC) has identified new attack activity linked to the KONNI APT campaign, which is known to be associated with the Kimsuky or APT37 groups. |
MALWARE |
||
|
15.11.25 |
Quantum Redirect: Offense by Vibes |
PHISHING |
||
|
15.11.25 |
Quantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack |
PHISHING |
||
|
15.11.25 |
SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system. |
VULNEREBILITY |
||
|
15.11.25 |
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution. |
VULNEREBILITY |
||
|
15.11.25 |
Attackers leverage software brand impersonation to deliver Gh0st RAT |
A report by Unit42 at Palo Alto Networks highlights two brand impersonation campaigns observed in 2025 that deliver a Gh0st RAT payload. |
||
|
15.11.25 |
A new malspam campaign impersonating the GLS delivery service has been reported by CERT AGID. The attackers leverage malicious emails themed with a failed parcel delivery and urge the recipients to open an attached XHTML file. |
|||
|
15.11.25 |
Researchers from Canva Threat Detection and Hunting team reported on an increased use of weaponized AppleScript (.scpt) files by the malicious threat actors. |
|||
|
15.11.25 |
The DanaBot malware has resurfaced with a new Windows variant, approximately six months after its activity was severely disrupted by the international law enforcement action, Operation Endgame. |
|||
|
15.11.25 |
A new report by researchers at Cisco Talos details recent activity related to the Kraken ransomware group. The group, established in early 2025, runs a double extortion operation with no specific industry or geographical focus. |
|||
|
15.11.25 |
SkyCloak campaigns target Russian and Belarusian military entities |
Russian and Belarusian military entities are targeted in a multi-stage attack, intent on allowing backdoor access for the attackers. Details of the activity, given the name Operation SkyCloak in a report published by Seqrite, are further corroborated in a report shared by researchers at Cyble. |
||
|
15.11.25 |
Unprotected temporary directories in Wolfram Cloud version 14.2 may result in privilege escalation |
Wolfram Cloud version 14.2 allows Java Virtual Machine (JVM) unrestricted access to temporary resources in the /tmp/ directory of the cloud environment which may result in privilege escalation, information exfiltration, and remote code execution. |
ALERT |
|
|
15.11.25 |
Lite XL Arbitrary Code Execution via Project Module and Legacy system.exec Function |
Lite XL is a lightweight text editor derived from the lite project, written primarily in Lua and C. |
ALERT |
|
|
15.11.25 |
NVIDIA AIStore AuthN Hard-coded Credentials Authentication Bypass Vulnerability |
ZDI-25-1013 |
ZERO-DAY |
|
|
15.11.25 |
ZDI-25-1012 |
ZERO-DAY |
||
|
15.11.25 |
Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery |
JSON |
||
|
15.11.25 |
MCP Hijacking of Cursor’s New Browser |
WEB |
||
|
15.11.25 |
ShadowMQ: How Code Reuse Spread Critical Vulnerabilities Across the AI Ecosystem |
VULNEREBILITY |
||
|
15.11.25 |
CVE-2025-60455 |
(CVSS score: N/A) - Modular Max Server (Fixed) |
VULNEREBILITY |
|
|
15.11.25 |
(CVSS score: 8.8) - NVIDIA TensorRT-LLM (Fixed in version 0.18.2) |
VULNEREBILITY |
||
|
15.11.25 |
(CVSS score: 8.0) - vLLM (While the issue is not fixed, it has been addressed by switching to the V1 engine by default) |
VULNEREBILITY |
||
|
15.11.25 |
SpearSpecter |
Israel National Digital
Agency researchers have uncovered an ongoing, sophisticated espionage
campaign, |
BIGBROTHER |
|
|
15.11.25 |
BRONZE BUTLER, also known as Tick or REDBALDKNIGHT, is a sophisticated and persistent cyber espionage group believed to originate from China. |
GROUP |
||
|
15.11.25 |
This week, the SonicWall Capture Labs Threat Research Team analyzed a sample of RondoDox, a Linux botnet infector. |
Botnet |
||
|
15.11.25 |
In August 2025, Cisco
Talos observed big-game hunting and double extortion attacks carried out
by Kraken, a |
GROUP |
||
|
14.11.25 |
CRIL analyzed an active phishing campaign leveraging HTML-based Telegram bot credential harvesters designed to mimic multiple prominent brands |
PHISHING |
||
|
14.11.25 |
Disrupting the first reported AI-orchestrated cyber espionage campaing |
We have developed sophisticated safety and security measures to prevent the misuse of our AI models. |
||
|
13.11.25 |
The Great Indonesian TEA Theft: Analyzing a NPM Spam Campaign |
SPAM |
||
|
13.11.25 |
A dual strategy: legal action and new legislation to fight scammers |
That text message you got about a 'stuck package' from USPS or an 'unpaid road toll'? It’s not just spam. |
SPAM |
|
|
13.11.25 |
Microsoft Windows Race Condition Vulnerability |
VULNEREBILITY |
||
|
13.11.25 |
Gladinet Triofox Improper Access Control Vulnerability |
VULNEREBILITY |
||
|
13.11.25 |
WatchGuard Firebox Out-of-Bounds Write Vulnerability |
VULNEREBILITY |
||
| 12.11.25 | CHAMELEON#NET campaign - from DarkTortilla loader to FormBook payload | A new sophisticated malspam campaign utilizing the DarkTortilla .NET malware loader to deliver the FormBook Remote Access Trojan (RAT) has been documented by the researchers from Securonix. The attack is initiated via phishing, where users are manipulated into downloading a compressed .BZ2 archive containing a highly obfuscated JavaScript dropper. | VIRUS | |
| 12.11.25 | A new phishing campaign targeting hospitality industry customers | A recent phishing campaign reported by the researchers from Sekoia is targeting hospitality customers. A key intrusion tactic involves sending malicious emails to popular hospitality sector businesses that lure the staff into clicking a URL employing the "ClickFix" social engineering technique, ultimately manipulating them into executing a malicious PowerShell command. | CAMPAIGN | |
| 12.11.2025 | CVE-2024-25621 | containerd affected by a local privilege escalation via wide permissions on CRI directory | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-10966 | missing SFTP host verification with wolfSSH | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-12863 | Libxml2: namespace use-after-free in xmlsettreedoc() function of libxml2 | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-12875 | mruby array.c ary_fill_exec out-of-bounds write | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-31133 | runc container escape via "masked path" abuse due to mount race conditions | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-40107 | can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-40109 | crypto: rng - Ensure set_ent is always present | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-47179 | Configuration Manager Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-52565 | container escape due to /dev/console mount and related races | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-52881 | runc: LSM labels can be bypassed with malicious config using dummy procfs files | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59240 | Microsoft Excel Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59499 | Microsoft SQL Server Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59504 | Azure Monitor Agent Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59505 | Windows Smart Card Reader Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59506 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59507 | Windows Speech Runtime Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59508 | Windows Speech Recognition Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59509 | Windows Speech Recognition Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59511 | Windows WLAN Service Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59512 | Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59513 | Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59514 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-59515 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60703 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60704 | Windows Kerberos Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60705 | Windows Client-Side Caching Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60706 | Windows Hyper-V Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60707 | Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60708 | Storvsp.sys Driver Denial of Service Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60709 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60710 | Host Process for Windows Tasks Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60713 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60714 | Windows OLE Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60715 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60717 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60718 | Windows Administrator Protection Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60719 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60720 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60721 | Windows Administrator Protection Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60722 | Microsoft OneDrive for Android Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60723 | DirectX Graphics Kernel Denial of Service Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60726 | Microsoft Excel Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60727 | Microsoft Excel Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60728 | Microsoft Excel Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-60753 | An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62200 | Microsoft Excel Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62201 | Microsoft Excel Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62202 | Microsoft Excel Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62203 | Microsoft Excel Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62204 | Microsoft SharePoint Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62205 | Microsoft Office Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62206 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62208 | Windows License Manager Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62209 | Windows License Manager Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62210 | Dynamics 365 Field Service (online) Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62211 | Dynamics 365 Field Service (online) Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62216 | Microsoft Office Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62218 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62219 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62220 | Windows Subsystem for Linux GUI Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62222 | Agentic AI and Visual Studio Code Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62449 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62453 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64329 | containerd CRI server: Host memory exhaustion through Attach goroutine leak | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64432 | KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64433 | KubeVirt Arbitrary Container File Read | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64434 | KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64435 | KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64436 | KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64437 | KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes | VULNEREBILITY | VULNEREBILITY |
| 12.11.25 | CVE-2025-60716 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. |
VULNEREBILITY |
|
| 12.11.25 | CVE-2025-62215 | This vulnerability is already being exploited. It is a privilege escalation vulnerability in the Windows Kernel. These types of vulnerabilities are often exploited as part of a more complex attack chain; however, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities. |
VULNEREBILITY |
|
| 12.11.25 | CVE-2025-60274 | A critical GDI+ remote execution vulnerability. GDI+ parses various graphics files. The attack surface is likely huge, as anything in Windows (Browsers, email, and Office Documents) will use this library at some point to display images. We also have a critical vulnerability in Direct-X CVE-2025-60716. Microsoft classifies this as a privilege escalation issue, yet still rates it as critical. |
VULNEREBILITY |
|
| 12.11.25 | CVE-2025-62199 | A code execution vulnerability in Microsoft Office. Another component with a huge attack surface that is often exploited. |
VULNEREBILITY |
|
| 12.11.25 | CVE-2025-5777 | Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server |
VULNEREBILITY |
|
| 12.11.25 | CVE-2025-20337 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. |
VULNEREBILITY |
|
| 12.11.25 | Maverick | Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution | MALWARE | Banking Trojan |
| 12.11.25 | Coyote Banking Trojan | Coyote Banking Trojan Extends Reach & Targets Users through WhatsApp | MALWARE | Banking Trojan |
| 12.11.25 | Gootloader | Gootloader Returns: What Goodies Did They Bring? | MALWARE | Loader |
| 11.11.25 | EndClient RAT | New Kimsuky Malware “EndClient RAT”: First Technical Report and IOCs | MALWARE | RAT |
| 11.11.25 | Fantasy Hub | Fantasy Hub: Another Russian Based RAT as M-a-a-S | MALWARE | M-a-a-S |
| 11.11.25 | Comebacker | Lazarus Group targets Aerospace and Defense with new Comebacker variant | MALWARE | Loader |
| 11.11.25 | CVE-2025-12480 | Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. |
VULNEREBILITY |
|
| 10.11.25 | I Paid Twice | Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers | CAMPAIGN | PHISHING |
| 9.11.25 | Vulnerability in expr-eval JavaScript library can lead to remote code execution. | The npm package expr-eval is a JavaScript library that evaluates mathematical expressions and is used in various applications, including NLP and AI. A vulnerability in this library has been disclosed that could allow arbitrary code execution by an attacker using maliciously crafted input. | ALERT | ALERT |
| 9.11.25 | Line Dancer | In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices | MALWARE | Loader |
| 9.11.25 | Line Runner | Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 9.11.25 | CVE-2025-20363 | Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.11.25 | CVE-2025-20358 | A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative permissions pertaining to script creation and execution. |
VULNEREBILITY |
|
| 9.11.25 | CVE-2024-20359 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.11.25 | CVE-2024-20353 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability |
VULNEREBILITY |
|
| 9.11.25 | CVE-2025-6205 - DELMIA Apriso vulnerability exploited in the wild | CVE-2025-6205 is a recently disclosed critical (CVSS score 9.1) missing authorization vulnerability affecting DELMIA Apriso from release 2020 through release 2025. If successfully exploited the flaw might allow attackers to gain privileged access to the vulnerable application instances. This vulnerability has been added just last week to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. | VULNEREBILITY | |
| 9.11.25 | Attackers target cargo and freight companies with RMM tools | Remote monitoring and management (RMM) tools are a common payload in today's threat landscape. A recent report by researchers at Proofpoint details campaigns against cargo and freight companies to attempt cargo theft. | CAMPAIGN | |
| 9.11.25 | BankBot mobile malware | A new variant of the BankBot mobile malware has been reported by the researchers from Cyfirma. This strain implements updated anti-emulation techniques. During initialization, it inspects device attributes like device manufacturer and model identifiers to detect virtualized or sandboxed environments, dynamically altering its behavior to evade automated analysis. | VIRUS | |
| 9.11.25 | Recent activity focusing on organizations influencing U.S. policy | China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues. | APT | |
| 9.11.25 | New NGate mobile malware campaign targeting Polish banking users | CERT Polska has uncovered a new mobile malware campaign called NGate that uses an NFC Relay attack to drain cash from victims' bank accounts at ATMs. The attack targets users of Polish banks and starts with a fake security message (email or SMS) concerning a technical issue or incident, tricking the victim into installing a malicious Android app. | VIRUS | |
| 9.11.25 | RMM Abuse Continues — Malicious LogMeIn Resolve Activity on the Rise | In recent weeks we observed a decline in malicious ScreenConnect activity and a concurrent rise in campaigns abusing LogMeIn Resolve RMM (aka GoTo Resolve) – Using the “Unattended Access” feature within Resolve, which allows access to and control of computers or servers without an end user being present. | VIRUS | |
| 9.11.25 | CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild | CVE-2025-24893 is a recently disclosed template-injection vulnerability affecting XWiki, which is a open-source wiki software platform. If successfully exploited the flaw might allow unauthenticated attackers to inject and execute arbitrary Groovy code through crafted requests. | VULNEREBILITY | |
| 9.11.25 | Multi-Stage In-Memory Agent Tesla Campaign Targets LATAM | Symantec has identified a new Agent Tesla campaign leveraging business-themed social engineering to target organizations across Latin America, Spain, and other international sectors. The actor impersonates a company that advertises outsourced management, consulting, and facility services. | CAMPAIGN | |
| 9.11.25 | CVE-2025-54247 - Adobe Experience Manager vulnerability | CVE-2025-54247 is a recently disclosed improper input validation vulnerability affecting Adobe Experience Manager versions 6.5.23.0 and earlier. If successfully exploited the flaw might allow low-privileged attackers to bypass security measures and gain unauthorized read access. Product vendor has already released respective security patches to address this vulnerability. | VULNEREBILITY | |
| 9.11.25 | Threat actors spoof Aramex services to steal credentials | Aramex, a global logistics and transportation company based in Dubai, offers services such as express courier delivery, freight forwarding, and supply chain management for businesses and consumers. Symantec has detected a new wave of phishing attacks that mimic Aramex services to steal credentials. | ALERTS | PHISHING |
| 9.11.25 | CVE-2025-54236 - Adobe Commerce and Magento vulnerability | CVE-2025-54236 (aka SessionReaper) is a recently disclosed critical (CVSS score 9.1) improper input validation vulnerability affecting Adobe Commerce and Magento solution. If successfully exploited the flaw might allow an attacker for a session takeover through the Commerce REST API. | VULNEREBILITY | |
| 9.11.25 | CVE-2025-11371 - Gladinet CenterStack LFI vulnerability exploited in the wild | CVE-2025-11371 is a recently disclosed local file inclusion (LFI) vulnerability in Gladinet CenterStack and Triofox platforms, which are self-hosted file sharing solutions. If successfully exploited the flaw might allow attackers to perform unauthenticated remote file inclusion, retrieval of configuration keys and subsequent remote code execution. The vulnerability has been reported as being exploited in the wild. | VULNEREBILITY | |
| 9.11.25 | New phishing campaign targets Tether users with fake anti-money laundering notices | A new phishing campaign has been observed, spoofing Tether and targeting its users with fraudulent anti-money laundering (AML) notice emails. Tether, a widely adopted stablecoin with tokens pegged 1-to-1 to fiat currencies and backed by reserves, is a popular target for such scams. | ALERTS | PHISHING |
| 9.11.25 | Tangerine Turkey, coming from a USB drive near you | Tangerine Turkey is a crypto mining campaign, delivered by the less-than-efficient mechanism of removable USB drives. The USB contains all the necessary components to complete the attack. Execution starts with a .vbs file which drops and executes a .bat. | CRYPTOCURRENCY | |
| 9.11.25 | BlueNoroff targets Crypto Sector with GhostCall and GhostHire campaigns | Two new campaigns by the BlueNoroff APT group, dubbed GhostCall and GhostHire, targeting cryptocurrency and Web3 professionals, have been reported by Kaspersky. In GhostCall, attackers impersonate venture capitalists or startup founders luring victims into fake online meetings via Zoom or Teams and prompting them to install a “security update” that deploys multi-stage malware on macOS or Windows. | ALERTS | CAMPAIGN |
| 9.11.25 | Airstalk malware | Airstalk, a Windows-based malware recently discovered by researchers at Unit42 of Palo Alto Networks. The name is derived from the malware's use of the AirWatch API for mobile device management (MDM) for C2 communications. Variants written in both PowerShell and .NET have been observed, with the .NET variant having more capabilities. | VIRUS | |
| 9.11.25 | Attackers linked to Russia continue activity against Ukraine | Attacks against a large business services organization and a local government organization were recently observed by our Threat Hunter team. Fueled by a heavy reliance on Living-off-the-Land tactics and dual-use tools, the attacker's goal appears to be establishing persistence and theft of sensitive information. | APT | |
| 9.11.25 | CVE-2025-59287: Microsoft WSUS RCE exploited in the wild | Microsoft patched a critical unauthenticated RCE in Windows Server Update Services (CVE‑2025‑59287) with an out-of-band update on Oct 23, 2025, after the initial October Patch Tuesday release proved incomplete. Exploit code and active attacks were observed within hours, prompting warnings from security vendors, incident responders and CISA’s KEV catalog. | VULNEREBILITY | |
| 9.11.25 | GhostGrab Android malware | An advanced Android malware strain named GhostGrab that is actively used to mine cryptocurrency and steal banking credentials from compromised devices has been reported by CYFIRMA. | VIRUS | |
| 9.11.25 | CVE-2025-20343 | Cisco Identity Services Engine RADIUS Suppression Denial of Service Vulnerability |
VULNEREBILITY |
|
| 9.11.25 | CVE-2025-20354 | A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system. |
VULNEREBILITY |
|
| 9.11.25 | Death by a Thousand Prompts: Open Model Vulnerability Analysis | Open-weight models provide researchers and developers with accessible foundations for diverse downstream applications. We tested the safety and security postures of eight open-weight large language models (LLMs) models to identify vulnerabilities that may impact subsequent fine-tuning and deployment. | PAPERS | PAPERS |
| 9.11.25 | InputSnatch: Stealing Input in LLM Services via Timing Side-Channel Attacks | Large language models (LLMs) possess extensive knowledge and question-answering capabilities, having been widely deployed in privacy-sensitive domains like finance and medical consultation. During LLM inferences, cache-sharing methods are commonly employed to enhance efficiency by reusing cached states or responses for the same or similar inference requests. | PAPERS | PAPERS |
| 9.11.25 | What Was Your Prompt? A Remote Keylogging Attack on AI Assistan | AI assistants are becoming an integral part of society, used for asking advice or help in personal and confidential issues. In this paper, we unveil a novel side-channel that can be used to read encrypted responses from AI Assistants over the web: the token-length side-channel. | PAPERS | PAPERS |
| 9.11.25 |
WHISPER LEAK: A
SIDE-CHANNEL ATTACK ON LARGE LANGUAGE MODE |
Large Language Models (LLMs) are increasingly deployed in sensitive domains including healthcare, legal services, and confidential communications, where privacy is paramount. This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic by analyzing packet size and timing patterns in streaming responses. | PAPERS | PAPERS |
| 8.11.25 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 8.11.25 | XLoader 8.0 | Cracking XLoader with AI: How Generative Models Accelerate Malware Analysis | MALWARE | Loader |
| 8.11.25 | Operation Peek-a-Baku | Initial Findings. Technical Analysis. Campaign – I The LNK Way. Malicious SILENT LOADER Malicious LAPLAS Implant – TCP & TLS. Malicious .NET Implant – SilentSweeper Campaign –... | OPERATION | OPERATION |
| 8.11.25 | LANDFALL | LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices | MALWARE | ANDROID |
| 8.11.25 | TOLLBOOTH | REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally. | MALWARE | FRAMEWORK |
| 8.11.25 | CVE-2017-17562 | Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c |
VULNEREBILITY |
|
| 8.11.25 | CVE-2017-9805 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. |
VULNEREBILITY |
|
| 8.11.25 | CVE-2021-44228 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints |
VULNEREBILITY |
|
| 8.11.25 | CVE-2022-26134 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. |
VULNEREBILITY |
|
| 7.11.25 | BLATANTLY MALICIOUS | Ransomvibing appears in VS Code extensions | RANSOMWARE | RANSOMWARE |
| 7.11.25 | ESET APT Activity Report Q2 2025–Q3 2025 | RUSSIA-ALIGNED APTs RAMP UP ATTACKS AGAINST UKRAINE AND ITS STRATEGIC PARTNERS | REPORT | REPORT |
| 7.11.25 | CVE-2025-20362 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
VULNEREBILITY |
|
| 7.11.25 | CVE-2025-20333 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 6.11.25 | Curly COMrades | Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines | GROUP | GROUP |
| 6.11.25 | PROMPTFLUX | GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools | MALWARE | AI |
| 6.11.25 | HackedGPT | HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage | HACKING | AI |
| 5.11.25 | UNK_SmudgedSerpent | Crossed wires: a case study of Iranian espionage and attribution | GROUP | GROUP |
| 5.11.25 | CVE-2025-11371 | (CVSS score: 7.5) - A vulnerability in files or directories accessible to external parties in Gladinet CentreStack and Triofox that could result in unintended disclosure of system files. |
VULNEREBILITY |
|
| 5.11.25 | CVE-2025-48703 | (CVSS score: 9.0) - An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that results in unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. |
VULNEREBILITY |
|
| 4.11.25 | CVE-2025-11953 | Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk |
VULNEREBILITY |
|
| 4.11.25 | CVE-2024-38197 | Microsoft Teams for iOS Spoofing Vulnerability |
VULNEREBILITY |
|
| 4.11.25 | CVE-2025-43429 | A buffer overflow vulnerability that may lead to an unexpected process crash when processing maliciously crafted web content (addressed through improved bounds checking) |
VULNEREBILITY |
|
| 4.11.25 | CVE-2025-43430 | An unspecified vulnerability that could result in an unexpected process crash when processing maliciously crafted web content (addressed through improved state management) |
VULNEREBILITY |
|
| 4.11.25 | CVE-2025-43431 | Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling) |
VULNEREBILITY |
|
| 4.11.25 | CVE-2025-43433 | Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling) |
VULNEREBILITY |
|
| 4.11.25 | CVE-2025-43434 | A use-after-free vulnerability that may lead to an unexpected Safari crash when processing maliciously crafted web content (addressed through improved state management) |
VULNEREBILITY |
|
| 4.11.25 | SesameOp | SesameOp: Novel backdoor uses OpenAI Assistants API for command and control | MALWARE | Backdoor |
| 4.11.25 | SleepyDuck | SleepyDuck malware invades Cursor through Open VSX | MALWARE | RAT |
| 4.11.25 | HttpTroy | DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant | MALWARE | Dropper |
| 4.11.25 | BLINDINGCAN | DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant | MALWARE | Tool |
| 3.11.25 | CVE-2025-61932 | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets. |
VULNEREBILITY |
|
| 3.11.25 | CN APT | CN APT targets Serbian Government | APT | APT |
| 3.11.25 | Tap-and-Steal | Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices | HACKING | Malware |
| 3.11.25 | CVE-2023-20273 | Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature |
VULNEREBILITY |
|
| 3.11.25 | CVE-2024-24919 | Check Point Quantum Security Gateways Information Disclosure Vulnerability |
VULNEREBILITY |
|
| 3.11.25 | CVE-2024-1086 | Linux Kernel Use-After-Free Vulnerability |
VULNEREBILITY |
|
| 3.11.25 | CVE-2024-1086 | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. |
VULNEREBILITY |
|
| 3.11.25 | CVE-2025-11705 | Anti-Malware Security and Brute-Force Firewall – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read – POC |
VULNEREBILITY |
|
| 3.11.25 | BADCANDY | Don’t take BADCANDY from strangers – How your devices could be implanted and what to do about it | EXPLOIT | Shell |
| 2.11.25 | Agenda Ransomware | Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques | RANSOMWARE | RANSOMWARE |
| 2.11.25 | CryptoChameleon | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack | GROUP | GROUP |
| 2.11.25 | CVE-2024-11972 | The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed. |
VULNEREBILITY |
|
| 2.11.25 | CVE-2024-9707 | The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. |
VULNEREBILITY |
|
| 2.11.25 | CVE-2024-9234 | The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. |
VULNEREBILITY |
|
| 1.11.25 | Minecraft RAT | RL's analysis of an STD Group-operated RAT yielded file indicators to better detect the malware and two YARA rules. | MALWARE | RAT |
| 1.11.25 | Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites | GROUP | GROUP | |
| 1.11.25 | APT-C-60 | APT-C-60 intensified operations against Japanese organizations during Q3 2025, deploying three updated SpyGlace backdoor versions with refined tracking mechanisms, modified encryption, and sophisticated abuse of GitHub, StatCounter, and Git for stealthy malware distribution. | APT | APT |
| 1.11.25 | Operation SkyCloak | Authors: Sathwik Ram Prakki and Kartikkumar Jivani Contents Introduction Key Targets Industries Geographical Focus Infection and Decoys Technical Analysis PowerShell Stage Persistence Configuration Infrastructure and Attribution Conclusion SEQRITE Protection IOCs MITRE ATT&CK Introduction SEQRITE Labs has identified a campaign... | OPERATION | OPERATION |
| 1.11.25 | Android/BankBot-YNRK | Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan Executive Summary This report covers the analysis and findings related to three Android application packages (APKs) | MALWARE | Android |
| 1.11.25 | HijackLoader | The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. | MALWARE | Loader |
| 1.11.25 | Tangerine Turkey Operations | From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations | OPERATION | OPERATION |
| 1.11.25 | UNC6384 | UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities | GROUP | GROUP |
| 1.11.25 | Airstalk | Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack | MALWARE | MALWARE |
| 1.11.25 | CVE-2025-61932 | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets. |
VULNEREBILITY |
|
| 1.11.25 | BRONZE BUTLER | BRONZE BUTLER exploits Japanese asset management software vulnerability | APT | APT |
| 1.11.25 | gokcpdoor | The sophisticated campaign, observed by Sophos, involved the exploitation of CVE-2025-61932 to deliver a known backdoor referred to as | MALWARE | Backdoor |
| 1.11.25 | CVE-2025-41244 | Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability |
VULNEREBILITY |
|
| 1.11.25 | CVE-2025-24893 | XWiki Platform Eval Injection Vulnerability |
VULNEREBILITY |
|
| 30.10.25 | NetSupport RAT | Unpacking NetSupport RAT Loaders Delivered via ClickFix | MALWARE | RAT |
| 30.10.25 | Remcos | Fileless Remcos Attacks on the Rise | MALWARE | Fileless |
| 30.10.25 | Atroposia | Atroposia is a stealthy RAT with HRDP, credential theft, DNS hijacking & fileless exfiltration — aka cybercrime made easy for low-skill attackers. | MALWARE | RAT |
| 30.10.25 | CVE-2025-40778 | October 24 Advisory: BIND 9 Resolver Enables Cache Poisoning Via Unsolicited Answers [CVE-2025-40778] |
VULNEREBILITY |
|
| 30.10.25 | UTG-Q-010 | Cyber Warfare Amidst Gold's Skyrocketing Price: UTG-Q-010 Group's Supply Chain Attack Strike Directly at the Heart of HongKong's Financial Market | GROUP | GROUP |
| 30.10.25 | Authenticated SMTP users may spoof other identities due to ambiguous “From” header interpretation | Email message header syntax can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC. These exploits enable attackers to deliver spoofed emails that appear to originate from trusted sources. | ALERT | ALERT |
| 30.10.25 | Midnight Ransomware | Decrypted: Midnight Ransomware | Anti-Ramson Tool | Anti-Ramson Tool |
| 30.10.25 | PureHVNC | LATAM baited into the delivery of PureHVNC | MALWARE | RAT |
| 30.10.25 | PhantomRaven | PhantomRaven: NPM Malware Hidden in Invisible Dependencies | MALWARE | nmp |
| 30.10.25 | CVE-2017-9841 | A Remote code execution vulnerability in PHPUnit |
VULNEREBILITY |
|
| 30.10.25 | CVE-2021-3129 | A Remote code execution vulnerability in Laravel |
VULNEREBILITY |
|
| 30.10.25 | CVE-2022-47945 | A Remote code execution vulnerability in ThinkPHP Framework |
VULNEREBILITY |
|
| 29.10.25 | AI-targeted Cloaking Attack | OpenAI’s new browser Atlas falls for AI-targeted Cloaking Attack | ATTACK | AI |
| 29.10.25 | CVE-2025-6204 | (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code. |
VULNEREBILITY |
|
| 29.10.25 | CVE-2025-6205 | (CVSS score: 9.1) - A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application. |
VULNEREBILITY |
|
| 29.10.25 | CVE-2025-24893 | (CVSS score: 9.8) - An improper neutralization of input in a dynamic evaluation call (aka eval injection) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. |
VULNEREBILITY |
|
| 29.10.25 |
TEE.fail: Breaking
Trusted Execution Environments via DDR5 Memory Bus Interpositi |
Trusted execution environments (TEEs) aim to offer strong privacy and integrity guarantees even in the presence of root level attackers capable of arbitrarily modifying the system’s software. | ATTACK | RAM |
| 29.10.25 | Herodotus | New Android Malware Herodotus Mimics Human Behaviour to Evade Detection | MALWARE | Android |
| 29.10.25 | BlueNoroff | Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs | APT | APT |
| 29.10.25 | CVE-2025-2783 | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) |
VULNEREBILITY |
|
| 29.10.25 | Mem3nt0 mori | Mem3nt0 mori – The Hacking Team is back! | APT | APT |
| 28.10.25 | DarkCloud Campaign Targets Thailand and Turkey in Dual-Variant Operation | Symantec has observed two concurrent DarkCloud campaigns leveraging the same PE payload distributed via a RAR archive. Both campaigns share identical execution chains and TTPs, but differ in regional focus, language localization, and spoofed organizations. | CAMPAIGN | |
| 28.10.25 | Agent Tesla campaign impersonates WeTransfer to phish wide range of targets | Symantec has observed a new Agent Tesla campaign that uses WeTransfer-themed lures to deliver a 7z archive containing the malware. The campaign targets a wide range of sectors, including Technology and IT (global and Taiwan), Finance and Banking (UK), Manufacturing and Electric industries, News and Media (South Africa and Israel), Education (Falkland Islands), and other commercial sectors across multiple countries — indicating opportunistic, broad targeting rather than a single vertical. | ||
| 28.10.25 | Dark Vision campaign: Procurement email → fake PDF update → LZH archive → signed PE + DLL | A new Dark Vision campaign uses procurement-themed social engineering to push victims from a PDF to an LZH archive hosted on domain. The archive extracts a signed 64-bit executable (InstCont.exe) which side-loads a 64-bit DLL (Instup.dll). Targets observed across manufacturing, construction & tech sectors in Taiwan, Germany, the U.S., and Sweden. | CAMPAIGN | |
| 28.10.25 | Key Insights of Qilin RaaS Operations | The Qilin threat group operates a very prolific Ransomware-as-a-Service (RaaS) business model. A report by researchers at Cisco Talos provides highlights of recent Qilin activity. North America and Europe are the most targeted regions, with manufacturing, professional and scientific services, and wholesale trade as the most impacted industries. | ALERTS | RANSOM |
| 28.10.25 | Phishing campaign impersonates Exness to steal trading account credentials | Founded in 2008, Exness is a global online multi-asset broker that provides clients with the opportunity to trade Contracts for Difference (CFDs) across a variety of financial instruments, including forex, cryptocurrencies, indices, commodities and stocks. | PHISHING | |
| 28.10.25 | Phishing Campaign: Austrian Data Protection Authority (DSB) Impersonated to Target Local Organizations | Symantec has observed a phishing campaign that is targeting organizations across Austria by impersonating the Österreichische Datenschutzbehörde (Austrian Data Protection Authority). Targeting multiple sectors including finance, insurance, IT consulting, manufacturing, healthcare, and public services | PHISHING | |
| 28.10.25 | Seedworm deploys Phoenix v4 in targeted espionage campaign | Group-IB has reported a new malware campaign by the Iran-linked APT group Seedworm (aka MuddyWater) deploying the Phoenix v4 backdoor, primarily targeting government, defense and international organizations in the Middle East with spillover activity across Europe, Africa and North America | CAMPAIGN | |
| 28.10.25 | TollBooth - a new IIS backdoor variant | A new campaign exploiting misconfigured Windows Internet Information Services (IIS) servers across the globe has been reported by the researchers from Elastic Security Labs. The initial compromise leveraged IIS web servers using ASP.NET machine keys - cryptographic keys used for encryption and data validation - that were exposed in publicly shared resources. | VIRUS | |
| 28.10.25 | Brimstone APT distributes NoRobot & MaybeRobot malware | The state-sponsored threat group Brimstone (also known as ColdRiver, UNC4057, Star Blizzard, and Callisto) rapidly overhauled its operations following the May 2025 public disclosure of its LostKeys malware as reported by the researchers from Google. | APT | |
| 28.10.25 | CVE-2025-33073 - SMB Client Privilege Escalation vulnerability exploited in the wild | CVE-2025-33073 is a high severity (CVSS score 8.8) privilege escalation vulnerability in Windows Server Message Block (SMB) Client that has been disclosed earlier in June 2025. | VULNEREBILITY | |
| 28.10.25 | CVE-2025-41243 - Spring Cloud Gateway WebFlux vulnerability | CVE-2025-41243 is a recently disclosed high severity (CVSS score 8.1) remote code execution vulnerability affecting Spring Cloud Gateway WebFlux which is an API Gateway built on the reactive Spring WebFlux framework. | VULNEREBILITY | |
| 28.10.25 | Vidar Stealer 2.0 | Released in early October 2025, Vidar Stealer has been fully rewritten in the C programming language and now runs multithreaded, allowing it to complete data-collection tasks far faster and more efficiently than before. | VIRUS | |
| 28.10.25 | Caminho LaaS: Stealthy malware delivery via Image Steganography | Arctic Wolf reported a new Loader-as-a-Service (LaaS) operation called Caminho, which originates in Brazil and leverages LSB steganography to conceal malicious payloads within image files. It is primarily delivered via spear-phishing emails carrying malicious JavaScript or VBScript files; when those scripts are executed, the loader retrieves an image containing a hidden payload, extracts it using LSB techniques and runs it directly in memory | VIRUS | |
| 28.10.25 | Warlock Ransomware | The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after it was discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025. Warlock is an unusual threat. | RANSOM | |
| 28.10.25 | ToolShell exploit used in recently disclosed attacks | China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025. The same threat actors also compromised two government departments in the same African country during the same time period. | EXPLOIT | |
| 28.10.25 | CAPI backdoor | Cybersecurity researchers at Seqrite Labs have identified a new campaign utilizing CAPI backdoor, a previously undocumented .NET malware, likely targeting E-commerce and automotive industries. The analysis is based upon a discovered malicious ZIP archive, which suggests the infection chain begins with phishing emails. | ALERTS | VIRUS |
| 28.10.25 | UAC-0239 group targets Ukraine with OrcaC2 framework and FILEMESS stealer | CERT-UA published details about recent activity associated with the threat group UAC-0239. The group engaged in campaigns against Ukranian Defense forces and local governments, initiated through spear phishing. The emails were socially engineered to appear as communications by the Security Service of Ukraine. | GROUP | |
| 28.10.25 | Kaiji botnet malware | Kaiji is a malware variant primarily targeting Linux-based servers and IoT devices by exploiting vulnerable internet-connected services. As reported by the researchers from Aquasec, the malware’s main objectives is to launch large-scale Distributed Denial of Service (DDoS) attacks and proxy malicious traffic, effectively leveraging infected devices as part of a botnet. | BOTNET | |
| 28.10.25 | Qilin Ransomware | Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack | RANSOMWARE | RANSOMWARE |
| 28.10.25 | SideWinder | SideWinder's Shifting Sands: Click Once for Espionage | APT | APT |
| 28.10.25 | OpenAI Atlas Omnibox Prompt Injection | OpenAI Atlas Omnibox Prompt Injection: URLs That Become Jailbreaks | HACKING | AI |
| 28.10.25 | ChatGPT Tainted Memories | “ChatGPT Tainted Memories:” LayerX Discovers The First Vulnerability in OpenAI Atlas Browser, Allowing Injection of Malicious Instructions into ChatGPT | HACKING | AI |
| 27.10.25 | CVE-2025-62518 | astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. |
VULNEREBILITY |
|
| 26.10.25 | CVE-2025-7656 | Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
VULNEREBILITY |
|
| 26.10.25 | CVE-2025-48561 | In multiple locations, there is a possible way to access data displayed on the screen due to side channel information disclosure. |
VULNEREBILITY |
|
| 26.10.25 | ODYSSEY STEALER | ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER | MALWARE | Stealer |
| 26.10.25 | Odyssey | Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools | CAMPAIGN | Malware |
| 26.10.25 | CVE-2025-11493 | The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. |
VULNEREBILITY |
|
| 26.10.25 | CVE-2025-11492 | In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. |
VULNEREBILITY |
|
| 26.10.25 | CVE-2025-55315 | Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network. |
VULNEREBILITY |
|
| 26.10.25 | EtherHiding | Hiding Web2 Malicious Code in Web3 Smart Contracts | HACKING | Malware |
| 26.10.25 | Oyster | Rhysida using Oyster Backdoor to deliver ransomware | MALWARE | Backdoor |
| 26.10.25 | WebSocket RAT | PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation | MALWARE | RAT |
| 26.10.25 | PXA | Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | MALWARE | Stealer |
| 26.10.25 | Cache smuggling | Cache smuggling: When a picture isn’t a thousand words | HACKING | HACKING |
| 25.10.25 | Warlock Ransomware | The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | LockBit Returns | Key Takeaways LockBit is back. After being disrupted in early 2024, the ransomware group has ... | RANSOMWARE | RANSOMWARE |
| 25.10.25 | GHOSTGRAB | Sophisticated Android malware that mines crypto and silently steals banking credentials. EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic | MALWARE | Android |
| 25.10.25 | Pass-as-a-Service | “Premier Pass-as-a-Service” describes the emerging trend of advanced collaboration tactics between multiple China-aligned APT groups, notably Earth Estries and Earth Naga, that are making modern cyberespionage campaigns even more complex. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | Vidar Stealer 2.0 | Trend™ Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline. | MALWARE | Stealer |
| 25.10.25 | Agenda Ransomware | Trend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | LockBit 5.0 | LockBit ransomware is one of the most active and notorious ransomware-as-a-service (RaaS) operations, first appearing in 2019 and having evolved through versions that we have analyzed and written about here and here. | RANSOMWARE | RANSOMWARE |
| 25.10.25 | SnakeStealer | Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts | MALWARE | Stealer |
| 25.10.25 | Cybereason TTP Briefing Q3 2025 | Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate | REPORT | REPORT |
| 25.10.25 | Gotta fly | Gotta fly: Lazarus targets the UAV sector | APT | APT |
| 25.10.25 | Smishing Deluge | The Smishing Deluge: China-Based Campaign Flooding Global Text Messages | CAMPAIGN | CAMPAIGN |
| 25.10.25 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 25.10.25 | DeskRAT | TransparentTribe targets Indian military organisations with DeskRAT | MALWARE | RAT |
| 25.10.25 | GlassWorm | GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace | MALWARE | Worm |
| 25.10.25 | Jingle Thief | Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign | CAMPAIGN | CAMPAIGN |
| 25.10.25 | CVE-2025-54236 | SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236) |
VULNEREBILITY |
|
| 25.10.25 | CVE-2025-61932 | Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability |
VULNEREBILITY |
|
| 25.10.25 | MuddyWater | Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage | APT | APT |
| 25.10.25 | PhantomCaptcha | PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation | MALWARE | RAT |
| 22.10.25 | CVE-2025-6541 | (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands |
VULNEREBILITY |
|
| 22.10.25 | CVE-2025-6542 | (CVSS score: 9.3) - An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands |
VULNEREBILITY |
|
| 22.10.25 | CVE-2025-7850 | (CVSS score: 9.3) - An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands |
VULNEREBILITY |
|
| 22.10.25 | CVE-2025-7851 | (CVSS score: 8.7) - An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions |
VULNEREBILITY |
|
| 22.10.25 | ToolShell | ToolShell Used to Compromise Telecoms Company in Middle East |
VULNEREBILITY |
|
| 22.10.25 | PassiveNeuron | PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations | CAMPAIGN | CAMPAIGN |
| 22.10.25 | TARmageddon | TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of Open Source Abandonware |
VULNEREBILITY |
|
| 22.10.25 | GhostSocks | GhostSocks: From Initial Access to Residential Proxy | MALWARE | Maas |
| 22.10.25 | PolarEdge | Defrosting PolarEdge’s Backdoor | MALWARE | Backdoor |
| 21.10.25 | COLDRIVER | To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | MALWARE | Malware |
| 21.10.25 | SNAPPYBEE | Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion | MALWARE | RAT |
| 21.10.25 | CVE-2022-48503 | Apple Multiple Products Unspecified Vulnerability |
VULNEREBILITY |
|
| 21.10.25 | CVE-2025-2746 | Kentico Xperience Staging Sync Server Digest Password Authentication Bypass Vulnerability |
VULNEREBILITY |
|
| 21.10.25 | CVE-2025-2747 | Kentico Xperience Staging Sync Server None Password Type Authentication Bypass Vulnerability |
VULNEREBILITY |
|
| 21.10.25 | CVE-2025-33073 | Microsoft Windows SMB Client Improper Access Control Vulnerability |
VULNEREBILITY |
|
| 21.10.25 | CVE-2025-61884 | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability |
VULNEREBILITY |
|
| 20.10.25 | Winos 4.0 | From China to Malaysia, FortiGuard Labs traces a hacker group’s shifting campaigns and evolving malware delivery tactics across Asia | MALWARE | RAT |
|
19.10.25 |
A new campaign reported by Securelist researchers has been leveraging WhatsApp messenger to distribute a new sophisticated banking trojan named Maverick. The attack has been targeting Brazilian users and utilizing .ZIP archives containing malicious LNK files. |
|||
|
19.10.25 |
Purseweb APT delivers updated BeaverTail and OtterCookie variants in the latest campaign |
Cisco Talos researchers have identified a new campaign attributed to the Purseweb (aka Famous Chollima) threat group that targets job seekers using fake employment offers. The attackers deploy custom infostealing malware strains including BeaverTail and OtterCookie. |
||
|
19.10.25 |
A spear-phishing campaign dubbed Operation Silk Lure, which targets Chinese HR and hiring teams in fintech, crypto exchanges and trading firms by weaponizing realistic résumés, has been uncovered by Seqrite Labs. Attackers send CVs containing malicious .lnk shortcuts that download a second-stage payload, deploy a script to create a hidden daily scheduled task for persistence, and then RC4-decrypt an in-memory loader that launches the final payload — ValleyRAT. |
|||
|
19.10.25 |
Katz Stealer delivered by PhantomVAI loader in a recent campaign |
A new campaign leveraging PhantomVAI Loader to distribute information-stealing malware via an evasive, multi-stage infection chain has been reported by the researchers from Unit42. The loader, initially known as Katz Stealer Loader, was primarily used to deliver the Katz Stealer malware but recently has also been noted to deliver a variety of other infostealer variants such as DcRAT, AsyncRAT, XWorm or FormBook. |
||
|
19.10.25 |
CVE-2025-61882 - Oracle E-Business Suite 0-Day vulnerability |
CVE-2025-61882 is a recently disclosed critical (CVSS score 9.8) zero-day vulnerability affecting the Oracle Concurrent Processing product within Oracle E-Business Suite (EBS). |
||
|
19.10.25 |
Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the network of a Russian IT service provider and lasted for the first five months of 2025. |
|||
|
19.10.25 |
An Android malware campaign dubbed GhostBat RAT which impersonates RTO (Regional Transport Office) apps like mParivahan to deceive Indian users, has been reported by Cyble. The malware spreads via WhatsApp and SMS with shortened URLs pointing to GitHub-hosted APKs, as well as through compromised websites. |
|||
|
19.10.25 |
A new threat actor dubbed TA585 has been observed conducting phishing campaigns that use tailored email lures, malvertising and web-injection techniques to redirect victims to attacker-controlled sites, sometimes even tagging GitHub users with fake security alerts to boost credibility and click-through rates. The group delivers a range of malware including the newly released MonsterV2, through these campaigns. |
|||
|
19.10.25 |
The Stealit malware operation has recently upgraded its deployment strategy, incorporating Node.js's Single Executable Application (SEA) feature to distribute malicious payloads. FortiGuard Labs identified this shift following an increase in detections of a particular VB script that facilitates persistence on infected machines. |
|||
|
19.10.25 |
BeFirst is a recent MedusaLocker ransomware variant observed in the wild. The malware encrypts user data and appends .befirst1 extension to the locked files. |
|||
|
19.10.25 |
A new malicious campaign distributing the ClayRAT Android spyware has been reported by the researchers from Zimperium. The malware employs highly effective social engineering tactics, utilizing fraudulent Telegram channels and phishing websites that mimic legitimate services like Google Photos, WhatsApp, and TikTok to convince the victims to install the malicious application. Once deployed, ClayRat exhibits vast surveillance capabilities. |
|||
|
19.10.25 |
As per reports from McAfee, a new Astaroth campaign has been discovered that weaponizes legitimate GitHub repositories and image files, primarily targeting victims in South America. |
|||
|
19.10.25 |
ChaosBot: Hiding on your system and communicating through Discord |
Details regarding a newly identified, Rust-based malware dubbed ChaosBot have been shared by eSentire's Threat Response Unit. According to the report, the actors behind ChaosBot make use of varying methods to gain access to victim environments: |
||
|
19.10.25 |
Trend Micro reported on renewed malicious activities attributed to the RondoDox botnet. The researchers identified early intrusion attempts, noting that botnet operators quickly leverage publicly disclosed flaws such as CVE-2023-1389 vulnerability affecting TP-Link routers. |
|||
|
19.10.25 |
SumUp Payments Limited is a financial technology company that provides payment and point-of-sale solutions for small businesses and independent merchants. Lately, Symantec has observed phish runs that mimic SumUp and pose as account verification emails, to steal credentials. |
|||
|
19.10.25 |
The Chaos ransomware variant observed on the threat landscape in 2025 marks a significant evolution according to a latest blog from Fortinet. The malware has transitioned its codebase from .NET to C++ and integrated aggressive destructive extortion tactics alongside the traditional file encryption. |
|||
|
19.10.25 |
Symantec has detected a new wave of phishing runs targeting Japanese email users with fake 2025 Japan Population census emails. The emails use the subject line: |
|||
|
19.10.25 |
APAC Campaign: Malaysian Procurement Lures Load VIP Keylogger In-Memory |
Symantec observed a new malspam campaign that is leveraging procurement emails while posing as a well-known Malaysian company specializing in construction and civil engineering, to distribute credential-stealing malware against organizations in Malaysia and beyond. |
||
|
19.10.25 |
Multi-platform attacks leveraging IUAM ClickFix Generator phishing kit |
The popular social engineering technique known as "ClickFix" is being rapidly commercialized according to the latest report from Unit 42 Palo Alto. |
||
|
19.10.25 |
HiveWare is a new ransomware variant recently observed in the wild. The malware encrypts user data and appends .HIVELOCKED extension to the locked files. |
|||
|
19.10.25 |
FoalShell and StallionRAT malware deployed by Cavalry Werewolf APT |
Cavalry Werewolf APT has been observed to enhance its malicious toolkit with customized malware. According to the report published by BI.ZONE Threat Intelligence, the threat actors have been conducting phishing campaigns by assuming the identities of personnel from various governmental bodies. |
||
|
19.10.25 |
VampireBot malware distributed by the BatShadow threat group |
Aryaka Threat Research Labs has recently discovered a new campaign conducted by the Vietnamese threat group known as BatShadow. This operation relies heavily on sophisticated social engineering, primarily targeting digital marketers and job applicants. The attackers impersonate recruiters, distributing ZIP archives containing decoy PDF files with malicious executables packed alongside them. |
||
|
19.10.25 |
As the threat landscape continues to evolve, attackers are increasingly relying on sophisticated social engineering techniques to trick users into executing malicious code. These attacks often bypass traditional file-based detection methods, making proactive, behavior-based security measures more critical than ever. |
|||
|
19.10.25 |
Turkey-Focused Snake Keylogger Campaign Expands Across Sectors and Regions |
Symantec recently observed a malspam campaign delivering Snake Keylogger that abused the brand of a prominent Turkish financial institution to lend credibility to fraudulent messages. The emails carried subject lines such as “HESAP EKSTRESI” (account statement). |
||
|
19.10.25 |
JA Net Bank Phishing Pressures Users with Urgency & Compliance Lures |
A phishing campaign is impersonating JAネットバンク (JA Net Bank), using official-sounding messages that cite the 犯罪収益移転防止法 (Act on Prevention of Transfer of Criminal Proceeds) to add credibility. Victims are urged to complete “customer information and transaction purpose” verification or risk account restrictions. |
||
|
19.10.25 |
As per a report from Trend Micro, a new self-propagating Windows malware campaign dubbed SORVEPOTEL is spreading through WhatsApp messages that deliver malicious ZIP attachments. When opened on a desktop, the ZIP extracts a shortcut (.LNK) file that executes hidden PowerShell and batch commands to download payloads, establish persistence, and connect to attacker-controlled servers. |
|||
|
18.10.25 |
Національною командою реагування на кіберінциденти, кібератаки, кіберзагрози CERT-UA починаючи з другої половини вересня 2025 року фіксуються спроби здійснення цільових кібератак у відношенні Сил оборони та органів місцевого самоврядування низки регіонів України з використанням тематики "протидії російським диверсійно-розвідувальним групам", нібито, від імені Служби безпеки України. |
|||
|
18.10.25 |
Multiple Password Managers Vulnerable to Clickjacking Attacks |
Browser-extension password managers, which autofill sensitive information on websites, can be exposed to various clickjacking attacks. |
||
|
18.10.25 |
DNS Rebinding and Manipulating CORS Headers Enables Exfiltration of Information |
A vulnerability in cross-origin resource sharing (CORS) headers in Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox enables the CORS policy to be manipulated. |
||
|
18.10.25 |
Clevo UEFI firmware embedded BootGuard keys compromising Clevo's implementation of BootGuard |
Clevo’s UEFI firmware update packages included sensitive private keys used in their Intel Boot Guard implementation. |
||
|
18.10.25 |
The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway intended for providing guests internet access where many users will want to connect |
|||
|
18.10.25 |
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. |
Loader |
||
|
18.10.25 |
Malicious .NET Implant Hunting and Infrastructure. Conclusion Seqrite Protection. IOCs MITRE ATT&CK.... |
|||
|
18.10.25 |
Introduction: Seqrite Lab has been actively monitoring global cyber threat... |
|||
|
17.10.25 |
BeaverTail and OtterCookie evolve with a new Javascript module |
JavaScipt |
||
|
17.10.25 |
Famous Chollima deploying Python version of GolangGhost RAT |
|||
|
17.10.25 |
Vice Society is a ransomware group that has been active since at least June 2021. |
|||
|
17.10.25 |
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. |
VULNEREBILITY |
||
|
17.10.25 |
DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains |
|||
|
17.10.25 |
New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware |
|||
|
17.10.25 |
LinkPro: eBPF rootkit analysis |
Rootkit |
||
|
16.10.25 |
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits |
|||
|
16.10.25 |
K000154696: F5 Security Incident |
|||
|
16.10.25 |
CVE-2025-54253: Pre-Auth RCE – Adobe AEM Forms on JEE Critical OGNL Injection |
VULNEREBILITY |
||
|
16.10.25 |
(CVSS score: 7.8) - Windows Agere Modem Driver ("ltmdm64.sys") Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
16.10.25 |
(CVSS score: 7.8) - Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
16.10.25 |
When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge. |
VULNEREBILITY |
||
|
16.10.25 |
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge. |
VULNEREBILITY |
||
|
16.10.25 |
ICTBroadcast Command Injection Actively Exploited (CVE-2025-2611) |
VULNEREBILITY |
||
|
16.10.25 |
SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application. |
VULNEREBILITY |
||
|
16.10.25 |
SOE-phisticated Persistence: Inside Flax Typhoon's ArcGIS Compromise |
|||
|
16.10.25 |
AMD SEV-SNP offers confidential computing in form of confidential VMs, such that the untrusted hypervisor cannot tamper with its confidentiality and integrity. |
|||
|
16.10.25 |
How a Catch-22 Breaks AMD SEV-SNP (ACM CCS 2025) |
CPU |
||
|
16.10.25 |
Pixel stealing attacks enable malicious websites to leak sensitive content displayed in victim websites. |
|||
|
16.10.25 |
Pixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. |
Android |
||
|
16.10.25 |
When the monster bytes: tracking TA585 and its arsenal |
|||
|
13.10.25 |
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits |
|||
|
13.10.25 |
Astaroth: Banking Trojan Abusing GitHub for Resilience |
Banking |
||
|
13.10.25 |
New Rust Malware "ChaosBot" Uses Discord for Command and Control |
Bot |
||
|
13.10.25 |
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. |
VULNEREBILITY |
||
|
12.10.25 |
Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response |
CAMPAIGN |
||
|
12.10.25 |
Warlock: Professional Development, China Ties, and the Multiple Variants it Planned from the Start |
RANSOMWARE |
||
|
11.10.25 |
What Are Mousejacking Attacks, and How to Defend Against Them |
|||
|
11.10.25 |
With the widespread adoption of cloud infrastructure, cybercriminals have evolved their tactics to exploit new opportunities for access. One growing threat is cloud jacking, or cloud account hijacking, where an attacker takes control of a cloud account. |
|||
|
11.10.25 |
Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military. This leveraged a malicious .ICS file, a popular calendar format. |
|||
|
11.10.25 |
UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests |
|||
|
11.10.25 |
Unity Gaming Engine Editor vulnerability |
VULNEREBILITY |
||
|
11.10.25 |
Hafnium is a Chinese state-sponsored advanced persistent threat (APT) group, also referred to as Silk Typhoon, and is known for sophisticated cyber espionage targeting critical |
|||
|
11.10.25 |
New Stealit Campaign Abuses Node.js Single Executable Application |
RAT |
||
|
11.10.25 |
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. |
VULNEREBILITY |
||
|
11.10.25 |
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. |
VULNEREBILITY |
||
|
11.10.25 |
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. |
VULNEREBILITY |
||
|
10.10.25 |
ClayRat: A New Android Spyware Targeting Russia |
RAT |
||
|
10.10.25 |
Malvertising Campaign Hides in Plain Sight on WordPress Websites |
|||
|
10.10.25 |
SonicWall has completed its investigation, conducted in collaboration with leading IR Firm, Mandiant, into the scope of a recent cloud backup security incident. |
|||
|
10.10.25 |
UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. |
|||
|
10.10.25 |
UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants. |
|||
|
10.10.25 |
UAC-0218 Attack Detection: Adversaries Steal Files Using HOMESTEEL Malware |
|||
|
10.10.25 |
According to CERT-UA, this is a stealer targeting a range of file extensions and creating screenshots of the compromised machine to be then uploaded via cURL. |
Stealer |
||
|
10.10.25 |
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. |
VULNEREBILITY |
||
|
8.10.25 |
“Scattered Spider” announced plans to launch a ransomware-as-a-service (RaaS) offering, while “LockBit” returned with "LockBit 5.0" and announced critical infrastructure as a target. |
|||
|
8.10.25 |
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors |
TOOL |
||
|
8.10.25 |
Ghosts in the Machine: ASCII Smuggling across Various LLMs |
AI |
||
|
8.10.25 |
figma-developer-mcp vulnerable to command injection in get_figma_data tool |
VULNEREBILITY |
||
|
8.10.25 |
Disrupting malicious uses of AI: October 2025 |
AI |
||
|
8.10.25 |
BatShadow: Vietnamese Threat Actor Expands Its Digital Operations |
|||
|
7.10.25 |
BIETA: A Technology Enablement Front for China's MSS |
BIGBROTHER |
||
|
7.10.25 |
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability |
CAMPAIGN |
||
|
7.10.25 |
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. |
VULNEREBILITY |
||
|
7.10.25 |
Lua Use-After-Free may lead to remote code execution |
VULNEREBILITY |
||
|
7.10.25 |
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. |
VULNEREBILITY |
||
|
7.10.25 |
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. |
VULNEREBILITY |
||
|
5.10.25 |
On July 22, a security vulnerability was identified in DrayOS routers. The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI). |
VULNEREBILITY |
||
|
5.10.25 |
Klopatra: exposing a new Android banking trojan operation with roots in Turkey |
Android |
||
|
5.10.25 |
Block ransomware proliferation and easily restore files with AI in Google Drive |
|||
|
5.10.25 |
MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments |
Toolkit |
||
|
5.10.25 |
UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK |
|||
|
5.10.25 |
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. |
VULNEREBILITY |
||
|
5.10.25 |
A sophisticated bootkit and user-mode capability, targeting Cisco ASA devices. A significant advancement over LINE DANCER and LINE RUNNER. |
Bookit |
||
|
5.10.25 |
Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less |
Ramsomware |
||
|
5.10.25 |
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. |
VULNEREBILITY |
||
|
5.10.25 |
An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST. |
VULNEREBILITY |
||
|
5.10.25 |
VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks. Impact: Username enumeration → credential brute force risk. |
VULNEREBILITY |
||
|
5.10.25 |
Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts. Impact: Username enumeration → facilitates unauthorized access. |
VULNEREBILITY |
||
|
5.10.25 |
CometJacking: How One Click Can Turn Perplexity’s Comet AI Browser Against You |
AI |
||
|
4.10.25 |
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base |
|||
|
4.10.25 |
Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP. |
Backdoor |
||
|
4.10.25 |
Security firm Mosyle and follow-up reports detailed the emergence of ModStealer, a cross-platform infostealer distributed via malvertising campaigns, often disguised as fake software downloads or job advertisements. |
|||
|
4.10.25 |
Cisco Talos has published details regarding UAT-8099, a cybercrime group focused on search engine optimization (SEO) fraud and the theft of miscellaneous sensitive data such as credentials, configuration files, logs, and more. This threat group specifically targets vulnerable Internet Information Services (IIS) servers globally, with confirmed victims spanning across universities, technology companies, and telecom providers, among others. |
|||
|
4.10.25 |
The cyber-espionage group Confucius, known for targeting government and critical industries across South Asia has been observed leveraging sophisticated phishing campaigns primarily against high-value targets in Pakistan, showing a major technical evolution. |
|||
|
4.10.25 |
New spyware campaigns targeting privacy-conscious Android users in the UAE has been reported by ESET. The campaigns deploy two previously undocumented spyware families, ProSpy and ToSpy, disguised as legitimate Signal or ToTok apps distributed via phishing sites and fake app stores. |
|||
|
4.10.25 |
Researchers recently published a report on the WARMCOOKIE backdoor, revealing that its operators have expanded their infrastructure and refined their tactics. First observed in recruitment-themed phishing campaigns, WARMCOOKIE is still active and capable of host fingerprinting, command execution, screenshot capture, and delivery of additional payloads. |
|||
|
4.10.25 |
CORS vulns exploited to deliver Latrodectus via injected FakeCaptcha |
According to recent reports, Lunar Spider (aka Gold SwathMore) has evolved its toolkit by exploiting CORS misconfigurations on websites—mainly in Europe—to inject a “FakeCaptcha” overlay that tricks victims into running malicious commands. The injected JavaScript creates a fake verification UI, copying a PowerShell command into the clipboard, which, when executed, initiates an MSI loader. |
||
|
4.10.25 |
A new activity delivering the DarkCloud version 3.2 payload has been reported by the researchers from eSentire. The attack is initiated via targeted spear-phishing campaign with financial lure that delivers the infostealing malware within the .zip archive attachment. |
|||
|
4.10.25 |
GuLoader campaign targets Francophone Businesses, deploying MassLogger |
Symantec has observed a new GuLoader campaign in which actors are impersonating a well-known hospitality and luxury resort/events group in Morocco. Sending fraudulent quotation requests with the subject line “DEMANDE DEVIS N° 25090358.” |
||
|
4.10.25 |
Acreed is an advanced infostealer variant first discovered in early 2025 and sold on underground markets. Once on the infected machine, Acreed deploys JavaScript modules designed for financial theft, performing cryptocurrency clipping (replacing legitimate wallet addresses on web pages) and clipboard hijacking. |
|||
|
4.10.25 |
The LockBit ransomware group has resurfaced following a February 2024 disruption, deploying an new variant dubbed LockBit 5.0. A new research published by Trend Micro has confirmed the existence of Windows, Linux, and ESXi variants, signifying the group’s continued cross-platform strategy targeting entire enterprise networks, including virtualized environments. |
|||
|
4.10.25 |
CVE-2025-10035 is a recently disclosed critical (CVSS score 10.0) deserialization vulnerability affecting Fortra GoAnywhere which is comprehensive managed file transfer (MFT) software. |
|||
|
4.10.25 |
Klopatra is a newly observed Android malware which functions as both a banking Trojan and Remote Access Trojan (RAT). A report provided by researchers at Cleafy shares technical details and campaign activity associated with this threat. Highlights from the report include: |
|||
|
4.10.25 |
A new assembly-written Malware-as-a-Service called Olymp Loader advertised as “FUD” (fully undetectable) has been reported by Outpost24. It includes anti-debugging, code-signing and crypter options and targets browsers, Telegram and crypto wallets. |
|||
|
4.10.25 |
Lately, Symantec has observed Halloween themed jumbo lottery phish runs targeting Japanese users. Threat actors have recently initiated jumbo lottery phish runs that masquerade as lottery campaign announcement emails. |
|||
|
4.10.25 |
A malware campaign delivering the XWorm .NET RAT using shellcode hidden inside Office attachments has been observed by Forcepoint. As part of the multi-stage attack, a phishing email is sent with a seemingly benign .xlam workbook that embeds an Ole10Native stream containing encrypted shellcode. |
|||
|
4.10.25 |
Microsoft Threat Intelligence has identified a new variant of XCSSET malware targeting Xcode projects. The malware employs run-only compiled AppleScripts for stealthy execution, now targets a broader range of browsers including Firefox, steals information from Telegram, hijacks clipboards by substituting wallet addresses and establishes persistence via LaunchDaemons and Git commits. |
|||
|
4.10.25 |
A recent campaign has been reported by Blackpoint SOC in which attackers are abusing SEO poisoning and malvertising to trick users into downloading trojanized Microsoft Teams installers that deliver the Oyster (also known as Broomstick) backdoor. |
|||
|
4.10.25 |
Lumma Stealer infection with follow-up malware (possible Ghostsocks/Go Backdoor) |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
||
|
4.10.25 |
Seven days of scans and probes and web traffic hitting my web server |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
||
|
4.10.25 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
|||
|
4.10.25 |
Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface |
A remote code execution (RCE) vulnerability, tracked as CVE-2025-10547, was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Draytek. |
||
|
4.10.25 |
A major npm supply chain compromise was disclosed by the software supply chain security company Socket on September 15, 2025. |
|||
|
4.10.25 |
Hive0145 back in German inboxes with Strela Stealer and a backdoor |
GROUP |
||
|
4.10.25 |
Confucius threat group evolves from document stealers to Python backdoors, showcasing the growing sophistication of state-aligned cyber campaigns |
GROUP |
||
|
4.10.25 |
EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and |
|||
|
4.10.25 |
Network edge devices such as routers, switches, firewalls, VPNs, and access points are being targeted by waves of cyberattacks. The RedNovember attack campaign disclosed by RecordedFuture’s Insikt Group is the latest in a string of campaigns targeting SonicWall, Cisco, Palo Alto, Fortinet, and Ivanti devices inside government, defense, and technology companies. |
CAMPAIGN |
||
|
4.10.25 |
An argument injection flaw that attackers can use to trigger a denial of service (DoS), crashing the router or overwhelming remote servers. |
VULNEREBILITY |
||
|
4.10.25 |
An unauthenticated command injection vulnerability that allows attackers to remotely execute arbitrary commands on the device. |
VULNEREBILITY |
||
|
4.10.25 |
A security bypass that attackers can exploit to corrupt system files, cause a persistent denial-of-service, or achieve arbitrary file writes. Chaining attacks could lead to remote code execution (RCE). |
VULNEREBILITY |
||
|
4.10.25 |
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. |
GROUP |
||
|
4.10.25 |
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud |
GROUP |
||
|
4.10.25 |
XWorm V6, a potent malware, has resurfaced with new plugins and persistence methods. Stay informed and enhance your defenses against evolving cyber threats. Protect your organization now! |
Worm |
||
|
4.10.25 |
Detour Dog: DNS Malware Powers Strela Stealer Campaigns |
GROUP |
||
|
4.10.25 |
Rhadamanthys is a popular, multi-modular stealer, released in 2022. Since then, it has been used in multiple campaigns by various actors. Most recently, it is being observed in the ClickFix campaigns. |
Stealer |
||
|
3.10.25 |
GNU Bash OS Command Injection Vulnerability |
VULNEREBILITY |
||
|
3.10.25 |
Juniper ScreenOS Improper Authentication Vulnerability |
VULNEREBILITY |
||
|
3.10.25 |
Jenkins Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
3.10.25 |
Smartbedded Meteobridge Command Injection Vulnerability |
VULNEREBILITY |
||
|
3.10.25 |
Samsung Mobile Devices Out-of-Bounds Write Vulnerability |
VULNEREBILITY |
||
|
3.10.25 |
Бекдор CABINETRAT використовується UAC-0245 для цільових кібератак у відношенні СОУ (CERT-UA#17479) |
Національною командою реагування на кіберінциденти, кібератаки, кіберзагрози CERT-UA у вересні 2025 року виявлено низку програмних засобів, представлених у вигляді XLL-файлів зі специфічними іменами, зокрема "Звернення УБД.xll", |
||
|
3.10.25 |
New spyware campaigns target privacy-conscious Android users in the UAE |
|||
|
3.10.25 |
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. |
VULNEREBILITY |
||
|
3.10.25 |
Intel's Software Guard eXtensions (SGX) is a hardware feature in Intel servers that aims to offer strong integrity and confidentiality properties for software, even in the presence of root-level attackers. |
|||
|
3.10.25 |
With Battering RAM, we show that even the latest defenses on Intel and AMD cloud processors can be bypassed. We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks. |
|||
|
3.10.25 |
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users |
Malware |
||
|
3.10.25 |
Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks |
|||
|
3.10.25 |
In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created), |
VULNEREBILITY |
||
|
3.10.25 |
Klopatra: exposing a new Android banking trojan operation with roots in Turkey |
Banking |
||
|
3.10.25 |
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite |
|||
|
3.10.25 |
EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks |
AI |
||
|
3.10.25 |
Datzbro: RAT Hiding Behind Senior Travel Scams |
RAT |
||
|
3.10.25 |
First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails |
Backdoor |
||
| 28.9.25 | CVE-2024-10237 | There is a vulnerability in the BMC firmware image authentication design at Supermicro MBD-X12DPG-OA6 . An attacker can modify the firmware to bypass BMC inspection and bypass the signature verification process | VULNEREBILITY | VULNEREBILITY |
| 28.9.25 | CVE-2025-10184 | CVE-2025-10184: OnePlus OxygenOS Telephony provider permission bypass (NOT FIXED) | VULNEREBILITY | VULNEREBILITY |
| 28.9.25 | Cross-site scripting vulnerability in Lectora course navigation | Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. | ALERT | ALERT |
| 27.9.25 | CVE-2024-36401 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. | VULNEREBILITY | VULNEREBILITY |
| 27.9.25 | RainyDay | How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking | MALWARE | Backdoor |
| 27.9.25 | Amatera | SVG Phishing hits Ukraine with Amatera Stealer, PureMiner | MALWARE | Stealer |
| 27.9.25 | SVG phishing campaigns deliver infostealer and cryptominer payloads | Symantec has observed an uptick in malicious spam (malspam) using Scalable Vector Graphics (SVG) file attachments to initiate malicious activity. A report by security researchers at Fortinet corroborates this trend, highlighting recent SVG-based campaigns delivering Amatera Stealer and PureMiner. | PHISHING | |
| 27.9.25 | Activities of the DeceptiveDevelopment threat group | In a recent publication, ESET reserchers report on a financially motivated threat group called DeceptiveDevelopment. The group has been active since at least 2023 and primarily targets software developers across all major operating systems (Windows, Linux, macOS), particularly those involved in cryptocurrency and Web3 projects. | ALERTS | GROUP |
| 27.9.25 | New YiBackdoor Malware | Cybersecurity researchers at Zscaler ThreatLabz have identified YiBackdoor, a newly discovered malware family exhibiting significant source code overlaps with the established loaders IcedID and Latrodectus. YiBackdoor operates as a powerful, modular backdoor capable of executing arbitrary commands, capturing screenshots, and extensive system information collection. | VIRUS | |
| 27.9.25 | RedNovember threat group targets global entities for espionage | A report by Insikt Group at Recorded Future details recent activity of a China-backed threat actor named RedNovember (previously known as TAG-100). | APT | |
| 27.9.25 | Operation Rewrite leads to BadIIS malware distribution | Researchers from Palo Alto reported on a SEO poisoning campaign, dubbed "Operation Rewrite". The primary tool used by the attackers in this operation is the BadIIS malware, that can intercept and modify web traffic, utilizing compromised legitimate servers to deliver malicious content. | OPERATION | |
| 27.9.25 | CVE-2025-53690 - Deserialization of Untrusted Data vulnerability affecting multiple Sitecore products | CVE-2025-53690 is a recently disclosed critical (CVSS score 9.0) ViewState deserialization of untrusted data vulnerability affecting Sitecore products including Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) and Experience Commerce (XC) | VULNEREBILITY | |
| 27.9.25 | Bitpanda users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of Bitpanda GmbH, an Austrian digital asset platform headquartered in Vienna. | PHISHING | |
| 27.9.25 | SystemBC botnet - new infrastructure uncovered | Black Lotus Labs at Lumen Technologies has identified new infrastructure belonging to the SystemBC botnet, a large-scale operation averaging 1,500 daily victims. Unlike typical botnets using residential IPs, SystemBC exploits Virtual Private Server (VPS) systems to create high-volume, persistent proxies that fuel malicious activities for various criminal groups. | BOTNET | |
| 27.9.25 | New malware distribution campaign attributed to the Rustfly APT group | Rustfly APT group (also known as UNC1549 or Nimbus Manticore) is engaged in a sustained cyberespionage operation targeting defense manufacturing, telecommunications, and aviation sectors. Recently published report from Checkpoint reveals a heightened focus from this APT group on Western Europe, particularly Denmark, Sweden, and Portugal. The attackers employ sophisticated spear-phishing campaigns, posing as HR recruiters to lure victims to fake career portals. | APT | |
| 27.9.25 | XWorm disguised as “Unreal Engine Auto Update” hosted on GitHub’s CDN | An individual or group has been disguising XWorm malware as an “Unreal Engine Auto Updater” and hosting it on raw[.]githubusercontent[.]com, GitHub’s CDN endpoint that serves raw file contents from public repositories. | ALERTS | VIRUS |
| 27.9.25 | ClickFix techniques used in BeaverTail malware distribution on macOS and Windows systems | The ClickFix social engineering technique relies on tricking users into running malicious commands by presenting fake CAPTCHAs. As reported by Gitlab, a recent campaign leveraging ClickFix techniques has been observed to spread a new BeaverTail malware variant. Previously targeting software developers, the APT group behind this malware has now shifted its focus to marketing, cryptocurrency trading and retail sectors. | VIRUS | |
| 27.9.25 | Leafperforator APT leverages Nepalese protest movement for mobile malware distribution | A recent activity reported by the researchers from StrikeReady demonstrates a popular trend where geopolitical events serve as bait for targeted cyber threats. | APT | |
| 27.9.25 | DarkCloud Campaign Targets European Energy, Finance, and Maritime Sectors | Symantec has observed a DarkCloud malspam run that used invoice/shipping-themed lures to deliver a Windows stealer. The attackers spoofed two German industrial suppliers (one industrial-machinery vendor, one tank/storage-construction firm) while using logistics and invoice-style social engineering. | ALERTS | CAMPAIGN |
| 27.9.25 | HybridPetya - a Petya/NotPetya offshoot with a UEFI bootkit | ESET security researchers have identified new malware samples, dubbed HybridPetya, which exhibit characteristics of the impactful Petya and NotPetya campaigns from 2016-2017. | VIRUS | |
| 27.9.25 | New campaign distributing SnakeDisk worm and the Toneshell backdoor | IBM X-Force identified a new malicious operation attributed to the threat actor known as Fireant (aka Hive0154, Mustang Panda). | CAMPAIGN | |
| 27.9.25 | XillenStealer malware | In their latest report, Cyfirma's analysts reveal XillenStealer as an open-source, Python-based information stealer readily available on GitHub. | ALERTS | VIRUS |
| 27.9.25 | RevengeHotels New Tactics Deliver Potent VenomRAT | Securelist researchers have identified RevengeHotels, also known as TA558, as a cybercriminal group targeting the hospitality and tourism industries to steal credit card data. | VIRUS | |
| 27.9.25 | WhiteCobra Targets Developer Tools for Data Heists | KOI Research has identified WhiteCobra, a sophisticated threat actor, in a year-long campaign targeting users of VSCode, Cursor, and Windsurf. | GROUP | |
| 27.9.25 | Rewrite | Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign | OPERATION | OPERATION |
| 26.9.25 | COLDRIVER | COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX | GROUP | GROUP |
| 26.9.25 | CVE-2025-10035 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. | VULNEREBILITY | VULNEREBILITY |
| 26.9.25 | XCSSET | XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory | MALWARE | MacOS |
| 26.9.25 | CVE-2025-20333 | (CVSS score: 9.9) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests | VULNEREBILITY | VULNEREBILITY |
| 26.9.25 | CVE-2025-20362 | (CVSS score: 6.5) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests | VULNEREBILITY | VULNEREBILITY |
| 26.9.25 | Line Runn | Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 26.9.25 | Line Danc | In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 26.9.25 | Vane Viper | DNS-Driven Insights into a Malicious Ad Network | GROUP | GROUP |
| 25.9.25 | BRICKSTORM | Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors | MALWARE | BACKDOOR |
| 25.9.25 | RedNovember | RedNovember Targets Government, Defense, and Technology Organizations | GROUP | GROUP |
| 25.9.25 | CVE-2025-20352 | Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 25.9.25 | DeceptiveDevelopment | DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception | MALWARE | AI |
| 24.9.25 | YiBackdoor | YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus | MALWARE | BACKDOOR |
| 24.9.25 | SSRF to AWS Metadata Exposure | SSRF to AWS Metadata Exposure: How Attackers Steal Cloud Credentials | HACKING | Cloud |
| 24.9.25 | CVE-2025-10643 | (CVSS score: 9.1) - An authentication bypass vulnerability that exists within the permissions granted to a storage account token | VULNEREBILITY | VULNEREBILITY |
| 24.9.25 | CVE-2025-10644 | (CVSS score: 9.4) - An authentication bypass vulnerability that exists within the permissions granted to an SAS token | VULNEREBILITY | VULNEREBILITY |
| 24.9.25 | CVE-2025-51591 | A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. | VULNEREBILITY | VULNEREBILITY |
| 24.9.25 | CVE-2025-59689 | Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5. a fix has been released in 5.5.7. | VULNEREBILITY | VULNEREBILITY |
| 24.9.25 | CVE-2025-6198 | (CVSS score: 6.4) - A crafted firmware image can bypass the Supermicro BMC firmware verification logic of the Signing Table to update the system firmware by redirecting the program to a fake signing table ("sig_table") in the unsigned region | VULNEREBILITY | VULNEREBILITY |
| 24.9.25 | CVE-2025-7937 | (CVSS score: 6.6) - A crafted firmware image can bypass the Supermicro BMC firmware verification logic of Root of Trust (RoT) 1.0 to update the system firmware by redirecting the program to a fake "fwmap" table in the unsigned region | VULNEREBILITY | VULNEREBILITY |
| 23.9.25 | fezbox | Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique | MALWARE | nmp |
| 23.9.25 | CVE-2025-26399 | SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. | VULNEREBILITY | VULNEREBILITY |
| 23.9.25 | ShadowV2 | ShadowV2: An emerging DDoS for hire botnet | BOTNET | BOTNET |
| 23.9.25 | Operation Rewrite | Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign | OPERATION | OPERATION |
| 22.9.25 | CVE-2025-55241 | Azure Entra Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 22.9.25 | BeaverTail | Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure | MALWARE | JavaScript |
| 21.9.25 | VMSCAPE: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments | Abstract—Virtualization is a cornerstone of modern cloud infrastructures, providing the required isolation to customers. This isolation, however, is threatened by speculative execution attacks which the CPU vendors attempt to mitigate by extending the isolation to the branch predictor state. | PAPERS | PAPERS |
| 21.9.25 | Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronizati | Abstract—DDR5 has shown an increased resistance to Rowhammer attacks in production settings. Surprisingly, DDR5 achieves this without additional refresh management commands, pointing to the deployment of more sophisticated inDRAM Target Row Refresh (TRR) mechanisms. | PAPERS | PAPERS |
| 21.9.25 | Uncloaking VoidProxy | Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework | PHISHING | PHAAS |
| 21.9.25 | RaccoonO365 | Cloudflare participates in global operation to disrupt RaccoonO365 | OPERATION | PHISHING |
| 20.9.25 | CountLoader | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | MALWARE | LOADER |
| 20.9.25 | Maranhão Stealer | Cyble Research & Intelligence Labs detected Maranhão Stealer, a Node.js–based credential stealer leveraging reflective DLL injection. | MALWARE | STEALER |
| 20.9.25 | DeerStealer | DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities | MALWARE | STEALER |
| 20.9.25 | XillenStealer | UNMASKING A PYTHON STEALER – “XillenStealer” | MALWARE | STEALER |
| 20.9.25 | Shai-Hulud | "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19) | MALWARE | PYTHON |
| 20.9.25 | Lucid Phishing-as-a-Service | Inside the Lighthouse and Lucid PhaaS Campaigns Targeting 316 Global Brands | PHISHING | PHAAS |
| 20.9.25 | Large-Scale Attack | Large-Scale Attack Targeting Macs via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware | HACKING | ATTACK |
| 20.9.25 | LLM-Enabled Malware | Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware | HACKING | AI |
| 20.9.25 | ShadowLeak | ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT’s Deep Research Agent | HACKING | AI |
| 20.9.25 | Subtle Snail | Subtle Snail (UNC1549) is an Iran-nexus espionage group linked to Unyielding Wasp (Tortoiseshell), which is part of the Eclipsed Wasp (Charming Kitten) network. | APT | APT |
| 20.9.25 | SystemBC | The Black Lotus Labs team at Lumen Technologies has uncovered new infrastructure behind the “SystemBC” botnet, a network composed of over 80 C2s with a daily average of 1,500 victims, nearly 80% of which are compromised VPS systems from several large commercial providers. | BOTNET | BOTNET |
| 20.9.25 | CVE-2025-10035 | Deserialization Vulnerability in GoAnywhere MFT's License Servlet | VULNEREBILITY | VULNEREBILITY |
| 19.9.25 | Gamaredon X Turla | Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine | APT | APT |
| 19.9.25 | CVE-2025-4428 | Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. | VULNEREBILITY | VULNEREBILITY |
| 19.9.25 | CVE-2025-4427 | An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. | VULNEREBILITY | VULNEREBILITY |
| 18.9.25 | CountLoader | CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions | MALWARE | Loader |
| 18.9.25 | SilentSync RAT | Malicious PyPI Packages Deliver SilentSync RAT | MALWARE | RAT |
| 18.9.25 | CVE-2025-10585 | Type Confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16 | VULNEREBILITY | VULNEREBILITY |
| 18.9.25 | RevengeHotels | RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT | APT | APT |
| 18.9.25 | TA415 | Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | APT | APT |
| 17.9.25 | Clickfix HijackLoader Phishing Campaign | With the evolution of cyber threats, the final execution of a malicious payload is no longer the sole focus of the cybersecurity industry. | CAMPAIGN | PHISHING |
| 17.9.25 | Echoleak | Echoleak- Send a prompt , extract secret from Copilot AI!( CVE-2025-32711) | HACKING | AI |
| 17.9.25 | EMBER2024 - A Benchmark Dataset for Holistic Evaluation of Malware Classifie | A lack of accessible data has historically restricted malware analysis research, and practitioners have relied heavily on datasets provided by industry sources to advance. | PAPERS | PAPERS |
| 17.9.25 | LunoBotnet | LunoBotnet: A Self-Healing Linux Botnet with Modular DDoS and Cryptojacking Capabilities | BOTNET | CRYPTOCURRENCY |
| 17.9.25 | GhostAction | The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows | CAMPAIGN | CAMPAIGN |
| 17.9.25 | EvilAI Malware Mimics Legitimate Tools | As reported by Trend Micro researchers, a new malware campaign dubbed EvilAI is posing a threat by impersonating legitimate productivity and AI-powered tools. | VIRUS | |
| 17.9.25 | Phishing Campaign Targets UK Government Gateway User IDs and Passwords | Symantec has observed a phishing campaign delivering HTML attachments via email that masquerade as official GOV.UK Government Gateway confirmations. The email (subject: "Confirmation - Government Gateway") spoofed a no-reply government address and carried a file named attachement.service.gov.uk.html. | ALERTS | PHISHING |
| 17.9.25 | Phishing Emails Masquerade as Internal Messages to Deliver SHTML Credential Traps | A newly identified phishing campaign, discovered by Symantec, leverages SHTML attachments disguised as password-protected documents to harvest employee credentials. | PHISHING | |
| 17.9.25 | NPM packages infected by self-replicating worm | Malicious activity reported by multiple sources was observed impacting numerous packages in the npm JavaScript repository. The activity revolves around a self-replicating worm named Shai-Hulud, which after infecting a locally available NPM, searches for and infects other accessible packages based on user access. It's responsible for stealing secrets, exfiltrating data, and marking private GitHub projects as public for impacted users. | HACKING | |
| 17.9.25 | CVE-2025-5086 - Delmia Apriso vulnerability | CVE-2025-5086 is a recently disclosed critical (CVSS score 9.0) deserialization of untrusted data vulnerability affecting DELMIA Apriso Manufacturing Operations Management (MOM) software. | ALERTS | VULNEREBILITY |
| 17.9.25 | Maranhão Stealer | A recent campaign involving the Maranhão Stealer has been identified by the researchers from Cyble. The attack is targeting gaming users through social engineering websites hosted on cloud platforms. | VIRUS | |
| 17.9.25 | kkRAT: A new Remote Access Trojan | A malware campaign targeting China-speaking users has been identified, deploying a previously undocumented kkRAT alongside ValleyRAT and FatalRAT. | VIRUS | |
| 17.9.25 | Buterat Backdoor Targeting Enterprise and Government Networks | The Lat61 Threat Intelligence Team from Point Wild has identified Backdoor.Win32.Buterat, a sophisticated malware designed for persistent, long-term network infections. | VIRUS | |
| 17.9.25 | Contagious Interview operation continues | SentinelLABS has identified North Korean threat actors associated with the "Contagious Interview" campaign cluster exhibiting a sophisticated approach to operational security. | OPERATION | |
| 17.9.25 | New Go-Based ZynorRAT Leverages Telegram for Linux and Windows | The Sysdig Threat Research Team (TRT) has identified ZynorRAT, a novel Go-based Remote Access Trojan (RAT) demonstrating robust command and control (C2) features for both Linux and Windows platforms. | ||
| 17.9.25 |
Securing DRAM at
Scale: ARFM-Driven Row Hammer Defense with Unveiling the Threat of Short tRC Patterns |
Abstract—Since the disclosure of the row hammer (RH) attack phenomenon in 2014, a significant threat to system security, it has been active research in both industry and academia. | PAPERS | PAPERS |
| 17.9.25 | ECC.fail: Mounting Rowhammer Attacks on DDR4 Servers with ECC Memory | Rowhammer is a hardware vulnerability present in nearly all computer memory, allowing attackers to modify bits in memory without directly accessing them. | PAPERS | PAPERS |
| 17.9.25 |
Rowhammer-Based Trojan Injection: One Bit Flip Is Sufficient for Backdooring DNNs |
While conventional backdoor attacks on deep neural networks (DNNs) assume the attacker can manipulate the training data or process, recent research introduces a more practical threat model by injecting backdoors during the inference stage. | PAPERS | PAPERS |
| 16.9.25 | CVE-2025-6202 | Vulnerability in SK Hynix DDR5 on x86 allows a local attacker to trigger Rowhammer bit flips impacting the Hardware Integrity and the system's security. This issue affects DDR5: DIMMs produced from 2021-1 until 2024-12. | VULNEREBILITY | VULNEREBILITY |
| 16.9.25 | CVE-2025-43300 | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. | VULNEREBILITY | VULNEREBILITY |
| 16.9.25 | FileFix | FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography | CAMPAIGN | CAMPAIGN |
| 16.9.25 | SnakeDisk | Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm | MALWARE | USB |
| 16.9.25 | SlopAds | Satori Threat Intelligence Alert: SlopAds Covers Fraud with Layers of Obfuscation | OPERATION | OPERATION |
| 16.9.25 | CVE-2025-59358 | (CVSS score: 7.5) - The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial-of-service | VULNEREBILITY | VULNEREBILITY |
| 16.9.25 | CVE-2025-59359 | (CVSS score: 9.8) - The cleanTcs mutation in Chaos Controller Manager is vulnerable to operating system command injection | VULNEREBILITY | VULNEREBILITY |
| 16.9.25 | CVE-2025-59360 | (CVSS score: 9.8) - The killProcesses mutation in Chaos Controller Manager is vulnerable to operating system command injection | VULNEREBILITY | VULNEREBILITY |
| 16.9.25 | CVE-2025-59361 | (CVSS score: 9.8) - The cleanIptables mutation in Chaos Controller Manager is vulnerable to operating system command injection | VULNEREBILITY | VULNEREBILITY |
| 15.9.25 | Cyberspike Villager | Cyberspike Villager – Cobalt Strike’s AI-native Successor | APT | AI |
| 13.9.25 | Scattered LAPSUS$ | The Cybercrime Group Redefining Threats | GROUP | GROUP |
| 13.9.25 | Langchaingo supports jinja2 and gonja for syntax parsing, allowing for arbitrary file read | LangChainGo, the Go implementation of LangChain, a large language model (LLM) application building framework, has been discovered to contain an arbitrary file read vulnerability. | ALERT | ALERT |
| 13.9.25 | CVE-2025-55190 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1 | VULNEREBILITY | VULNEREBILITY |
| 13.9.25 | MostereRAT | FortiGuard Labs uncovers MostereRAT’s use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control. | MALWARE | RAT |
| 12.9.25 | Yurei ransomware | First observed in September, Yurei is a new ransomware group whose operations incorporate a double-extortion model of both file encryption and data theft. | RANSOM | |
| 12.9.25 | AMOS Stealer malware continues to be distributed via cracked apps | rend Micro's latest report reveals a sophisticated campaign leveraging the AMOS infostealer (also known as Atomic macOS Stealer). Attackers employ social engineering, disguising the malware binaries as cracked software or tricking users into pasting malicious commands into the macOS Terminal thus bypassing built-in protections like Gatekeeper. | VIRUS | |
| 12.9.25 | Fireant group continues activity in Myanmar with ToneShell backdoor | ToneShell is a backdoor that is deployed by the Fireant (aka Mustang Panda) threat group. Security researchers at Intezer have published details about a recently observed variant, with related activity indicating that the group continues acting against targets in Myanmar. | GROUP | |
| 12.9.25 | BlackField (aka BlackFL) Ransomware | BlackField (aka BlackFL) is a double-extortion ransomware actor first observed around July 2025. Analysis of its ransomware demonstrates the typical double-extortion model, using both encryption and data theft to pressure victims. | ALERTS | RANSOM |
| 12.9.25 | BlackNevas Ransomware | BlackNevas is a ransomware variant that initially emerged in November 2024. This encryptor targets businesses and critical infrastructure across Asia, North America, and Europe, with a strong focus on the Asia-Pacific region. | RANSOM | |
| 12.9.25 | Luno - Linux botnet with cryptomining and DDoS capabilities | Cyble researchers have identified a new sophisticated Linux botnet campaign dubbed "Luno." This malware framework combines cryptocurrency mining with modular DDoS attack capabilities, showcasing advanced features like process masquerading, binary replacement, and a self-update mechanisms, indicative of professional threat actor involvement. | BOTNET | |
| 12.9.25 | NightshadeC2 Botnet emerges | NightshadeC2 is a newly identified botnet uncovered by eSentire, notable for its advanced stealth and persistence techniques. It is distributed through trojanized installers of legitimate software such as CCleaner, ExpressVPN and others, as well as phishing campaigns using fake ClickFix-themed landing pages. | ALERTS | BOTNET |
| 12.9.25 | Kamasers Malware | Kamasers is a bot with backdoor capabilities that has recently been observed in the wild. Once deployed, it communicates with its C2 server to retrieve commands that enable it to download and execute files, perform HTTP and DNS flooding attacks, access local files, load malicious JavaScript, and direct browsers to attacker-specified URLs. | VIRUS | |
| 12.9.25 | NFSkate's RatOn Android Banking Trojan | In a recent report, ThreatFabric MTI analysts have identified a sophisticated new Android banking trojan dubbed "RatOn," crafted by the NFSkate threat actor group. RatOn represents a significant advancement in mobile cybercrime by combining classic overlay attacks with powerful Automated Transfer System (ATS) functionalities and NFC relay capabilities. | VIRUS | |
| 12.9.25 | New Threat Actor GhostRedirector Targets Windows Servers with SEO Fraud and Backdoors | In a recent report, ESET researchers have identified a new threat actor, GhostRedirector, that has compromised at least 65 Windows servers across Brazil, Thailand, and Vietnam. Operating in diverse sectors including insurance, healthcare, retail, and education, this actor utilizes a sophisticated custom toolkit. | GROUP | |
| 12.9.25 | Gentlemen Ransomware | Gentlemen is a newly emerged ransomware threat group as reported by Trend Micro researchers. The attackers have been observed to leverage legitimate drivers, abuse Group Policy Objects (GPO) as well as deliver KillAV tools aimed at disabling installed security products in the targeted environments | RANSOM | |
| 12.9.25 | Tamperedchef Malware Lurks in AppSuite PDF Editor | According to a report from Truesec a sophisticated malware campaign masquerading as a free utility, "AppSuite PDF Editor," which silently deploys an information-stealing malware named "Tamperedchef" has been identified. This operation employs highly obfuscated code, possibly AI-generated, and exploits Google advertising to achieve widespread distribution. | CAMPAIGN | |
| 12.9.25 | RapperBot: Fast-moving IoT botnet exploits NVRs for DDoS | RapperBot is a fast-moving IoT botnet that is quickly turning compromised DVRs and NVRs into nodes for large-scale DDoS attacks. | BOTNET | |
| 12.9.25 | Credential theft: Threat actors spoof Hungarian Post (Magyar Posta Zrt.) services | A new wave of phishing attacks targeting Hungarian Post (Magyar Posta Zrt.) services has been identified by Symantec, aiming to steal user credentials. | PHISHING | |
| 12.9.25 | TinyLoader delivers stealers while clipping wallets | In a recent report, researchers have spotlighted TinyLoader, a stealthy malware loader harnessed to siphon cryptocurrency and deploy additional payloads like Redline Stealer and DCRat. | ALERTS | VIRUS |
| 12.9.25 | XWorm adopts multi-stage infection chain | Trellix has identified a shift in the XWorm backdoor campaign, which has evolved from simple .lnk-based delivery to a more deceptive, multi-stage infection chain | VIRUS | |
| 12.9.25 | TAG-150 MaaS group deploys their Castle family of malware | TAG-150 is a newly identified threat actor group which operates as a Malware-as-a-Service (MaaS) provider. Activity associated with TAG-150 is highlighted by deployment of multiple custom developed malware, CastleBot, CastleLoader, and CastleRAT. | GROUP | |
| 12.9.25 | GPUGate: Malware campaign targets IT Pros via GitHub and Google Ads | A sophisticated malware campaign dubbed GPUGate, which exploits GitHub's infrastructure and Google Ads to distribute a malicious payload targeting IT professionals in Western Europe, has been reported by Arctic Wolf. | ALERTS | VIRUS |
| 12.9.25 | Salat Stealer: Go-Based Infostealer as Malware-as-a-Service | Salat Stealer, a Go-based infostealer offered under a Malware-as-a-Service model, has been reported by Cyfirma. Likely operated by Russian-speaking actors, the malware employs layered persistence techniques, including registry Run keys, scheduled tasks, process masquerading and modifications to Windows Defender exclusions to evade detection. | VIRUS | |
| 12.9.25 | Obscura: New Go-based ransomware emerges | A new ransomware variant known as Obscura has emerged, adding itself to the growing list of active ransomware families targeting organizations in 2025. | RANSOM | |
| 12.9.25 | Stealerium: An Open-Source Infostealer Fueling Widespread Attacks | Stealerium is an open-source infostealer that has been observed in recent activity. The malware has been deployed by multiple groups across various campaigns over the last few months. | VIRUS | |
| 12.9.25 | LockBeast ransomware | LockBeast is a ransomware variant that combines file encryption with data theft to pressure victims into payment. Upon execution, it encrypts files with strong cryptographic algorithms, appends a victim-specific identifier plus the “.lockbeast” extension, and drops a ransom note named README.TXT. | RANSOM | |
| 12.9.25 | CVE-2025-21043 | Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. | VULNEREBILITY | VULNEREBILITY |
| 12.9.25 | Mythical Beasts | Mythical Beasts: Diving into the depths of the global spyware market | MALWARE | SPYWARE |
| 12.9.25 | Elevated Privileges and Arbitrary Code Execution issues in Sunshine for Windows v2025.122.141614 | Two local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems. | ALERT | ALERT |
| 12.9.25 | Amp'ed RF BT-AP 111 Bluetooth access point lacks an authentication mechanism | The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device. | ALERT | ALERT |
| 12.9.25 | Hiawatha open-source web server has multiple vulnerabilities | Hiawatha is an open-source web server that supports Windows, MacOS X and a variety of Linux distributions. Hiawatha was focused on performance and is used in place of larger, more complex web servers. | ALERT | ALERT |
| 12.9.25 | Open Repo | Oasis Security’s research team uncovered a vulnerability in Cursor, the popular AI Code Editor, that allows a maliciously crafted code repository to execute code as soon as it's opened using Cursor, no trust prompt. | HACKING | AI |
| 12.9.25 | HybridPetya | Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass | RANSOMWARE | RANSOMWARE |
| 12.9.25 | CVE-2025-5086 | Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.9.25 | VBShower | The script uses the same method to erase both its own contents and the contents of the VBShower Launcher copy, which is used solely for the malware’s first run. | MALWARE | BACKDOOR |
| 12.9.25 | CVE-2018-0802 | Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". | VULNEREBILITY | VULNEREBILITY |
| 12.9.25 | Cloud Atlas | Cloud Atlas seen using a new tool in its attacks | GROUP | GROUP |
| 11.9.25 | CVE-2024-40766 | An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. | VULNEREBILITY | VULNEREBILITY |
| 11.9.25 | Madgicx Plus | Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers | CAMPAIGN | Social |
| 11.9.25 | AsyncRAT | AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan | MALWARE | RAT |
| 11.9.25 | EggStreme | EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company | MALWARE | Keylogger |
| 10.9.25 | ChillyHell | ChillyHell: A Deep Dive into a Modular macOS Backdoor | MALWARE | MacOS |
| 10.9.25 | ZynorRAT | ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT | MALWARE | RAT |
| 10.9.25 | CVE-2025-48003 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-48800 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-48804 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-48818 | (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-54236 | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-42944 | (CVSS score: 10.0) - A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module, resulting in operating system command execution | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-42922 | (CVSS score: 9.9) - An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file | VULNEREBILITY | VULNEREBILITY |
| 10.9.25 | CVE-2025-42958 | (CVSS score: 9.1) - A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities | VULNEREBILITY | VULNEREBILITY |
| 9.9.25 | Salt Typhoon and UNC4841 | Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data | APT | APT |
| 9.9.25 | Strain | Off Your Docker: Exposed APIs Are Targeted in New Malware Strain | MALWARE | CRYPTOCURRENCY |
| 9.9.25 | RatOn | The Rise of RatOn: From NFC heists to remote control and ATS | MALWARE | ANDROID |
| 9.9.25 | MostereRAT | MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access | MALWARE | RAT |
| 9.9.25 | GPUGate | GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe | MALWARE | GPU |
| 7.9.25 | CVE-2025-57819 | Sangoma FreePBX Authentication Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 7.9.25 | Operation BarrelFire | NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector. | OPERATION | OPERATION |
| 7.9.25 | CVE-2025-38352 | In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() | VULNEREBILITY | VULNEREBILITY |
| 7.9.25 | CVE-2025-55177 | Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78 | VULNEREBILITY | VULNEREBILITY |
| 7.9.25 | CVE-2025-50173 | Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally. | VULNEREBILITY | VULNEREBILITY |
| 6.9.25 | CVE-2025-53690 | Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 6.9.25 | Phishing campaign targets GMO Aozora Net Bank customers | GMO Aozora Net Bank, an online-only bank in Japan established in 2018 by the GMO Internet and Aozora Bank groups, offers customized financial services for both individuals and businesses. | PHISHING | |
| 6.9.25 | AI Waifu RAT exploits AI enthusiasm | AI Waifu RAT is a newly identified Remote Access Trojan spreading in LLM role-playing communities by posing as an AI interaction or research tool. | AI | |
| 6.9.25 | APT28 introduces NotDoor Backdoor | A new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group, has been identified by LAB52. Delivered via Microsoft OneDrive with DLL side-loading, NotDoor uses an Outlook VBA macro to monitor emails for trigger words, enabling command execution, data exfiltration and file uploads. | APT | |
| 6.9.25 | Indonesian-Language Agent Tesla Campaign Targets Firms Across Southeast Asia | Symantec has observed a new Agent Tesla campaign targeting organizations in Southeast Asia, including both local companies and regional branches of large international firms. | ALERTS | VIRUS |
| 6.9.25 | Iran-Nexus campaign exploits Omani MFA Mailbox | A recent campaign exploiting the Oman Ministry of Foreign Affairs was first reported by ClearSky, with Dream Security researchers providing further insights. | CAMPAIGN | |
| 6.9.25 | Jackpot ransomware |
A new ransomware variant named Jackpot, linked to the
MedusaLocker family, has emerged leveraging a double extortion strategy
that combines file encryption with the theft of sensitive data.
|
RANSOM | |
| 6.9.25 | MystRodX Backdoor | As per recent reports from XLab, a new backdoor named MystRodX has been discovered, implemented in C++ and equipped with an extensive range of capabilities. It supports file management, port forwarding, reverse shell access and socket management, while also embedding anti-debugging and anti-VM techniques to bypass security analysis. | ALERTS | VIRUS |
| 6.9.25 | Masslogger actor switched from direct archive attachment to Discord CDN URL | Masslogger, an information-stealing malware active since 2020, continues to rank among the most prevalent threats. It is designed to harvest credentials stored in browsers, email clients, and messaging applications. | VIRUS | |
| 6.9.25 | Desolator Ransomware | The Desolator ransomware group, also referred to as The Desolated Collective, is a relatively new actor recently observed in the wild. Alleged victims include construction and engineering firms in Latin America and Southern Europe, and a technology and software developer in Southeast Asia. | RANSOM | |
| 6.9.25 | TinkyWinkey keylogger | A new Windows keylogger, dubbed TinkyWinkey, analyzed by Cyfirma, leverages a service-based persistence model and DLL injection into trusted processes to evade detection while maintaining continuous surveillance. | VIRUS | |
| 6.9.25 | North Korean Vedalia expands espionage via Operation HanKook Phantom | An espionage campaign dubbed Operation HanKook Phantom, attributed to North Korean threat actor Vedalia (also known as APT37, ScarCruft), has been reported by Seqrite targeting South Korean academic and research organizations. | APT | |
| 5.9.25 | CastleRAT | From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure | MALWARE | RAT |
| 5.9.25 | CVE-2025-42957 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. | VULNEREBILITY | VULNEREBILITY |
| 5.9.25 | AMOS Stealer | An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps | MALWARE | Stealer |
| 5.9.25 | APT28 | Analyzing NotDoor: Inside APT28’s Expanding Arsenal | APT | APT |
| 5.9.25 | GhostRedirector | GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes | MALWARE | Backdoor |
| 4.9.25 | CVE-2023-50224 | CVSS score: 6.5) - An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in "/tmp/dropbear/dropbearpwd" | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | CVE-2025-9377 | (CVSS score: 8.6) - An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | Hexstrike-AI | Hexstrike-AI: When LLMs Meet Zero-Day Exploitation | HACKING | AI |
| 4.9.25 | Iran-Nexus Spear phishing Campaign | Iran-Nexus Spear phishing Campaign Masquerades as Omani MFA to Target Global Governments. | PHISHING | PHISHING |
| 4.9.25 | CVE-2025-38352 | A privilege escalation flaw in the Linux Kernel component | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | CVE-2025-48543 | A privilege escalation flaw in the Android Runtime component | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | RapperBot | RapperBot: From Infection to DDoS in a Split Second | MALWARE | Bot |
| 4.9.25 | Blockbuster | Private Industry Takes Action Against Global Cyber Threats | OPERATION | OPERATION |
| 4.9.25 | CVE-2020-24363 | TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | CVE-2025-55177 | Meta Platforms WhatsApp Incorrect Authorization Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 4.9.25 | Lazarus RATs | Three Lazarus RATs coming for your cheese | APT | APT |
| 4.9.25 | AppleJeus | AppleJeus: Analysis of North Korea’s Cryptocurrency Malware | MALWARE | Cryptocurency |
| 4.9.25 | MystRodX | MystRodX: The Covert Dual-Mode Backdoor Threat | MALWARE | Backdoor |
| 2.9.25 | PolarEdge | Pondering my ORB - A look at PolarEdge Adjacent Infrastructure | BOTNET | IoT |
| 2.9.25 | Nodemailer | Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions | MALWARE | Python |
| 2.9.25 | Silver Fox | Chasing the Silver Fox: Cat & Mouse in Kernel Shadows | APT | APT |
| 2.9.25 | Silent Gatekeepers | Android Droppers: The Silent Gatekeepers of Malware | MALWARE | Android |
| 2.9.25 | ROKRAT | Operation HanKook Phantom: North Korean APT37 targeting South Korea | MALWARE | RAT |
| 31.8.25 | Threat Intelligence Report: August 2025 | Threat Intelligence Report: August 2025 ANTROPIC | REPORT | REPORT |
| 31.8.25 | Design Patterns for Securing LLM Agents against Prompt Injections | Large Language Models (LLMs) are becoming integral components of complex software systems, where they serve as intelligent agents that can interpret natural language instructions, make plans, and execute actions through external tools and APIs | PAPERS | PAPERS |
| 31.8.25 | Design Patterns for Securing LLM Agents against Prompt Injections | Large Language Models (LLMs) are becoming integral components of complex software systems, where they serve as intelligent agents that can interpret natural language instructions, make plans, and execute actions through external tools and APIs | ATTACK | AI |
| 31.8.25 | Xworm RAT delivered through ScreenConnect disguised as a Fake Video file | A recent campaign has been observed using AI-themed lures to trick victims into downloading a digitally signed ScreenConnect installer disguised as a video file. Once executed, the installer secretly establishes a hidden remote session and initiates a multi-stage infection chain. | VIRUS | |
| 31.8.25 | SpyNote Android RAT spreads through fake Play Store sites. | A new campaign is distributing the SpyNote Android RAT through deceptive websites mimicking Google Play Store pages, tricking users into installing dropper APKs. | ALERTS | VIRUS |
| 31.8.25 | Silver Fox Abuses Legit Drivers to Deploy RAT | Researchers at Check Point observed a Silver Fox campaign where they exploited a Microsoft-signed vulnerable driver (amsdk.sys) in an attempt to silently disable EDR and antivirus protections on Windows 10 and 11. | VIRUS | |
| 31.8.25 | TASPEN Impersonation Malware Exploits Indonesian Pensioners | A sophisticated mobile malware campaign, potentially linked to Chinese actors, is actively targeting Indonesian pensioners and civil servants by impersonating PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), a state-owned pension fund. | EXPLOIT | |
| 31.8.25 | ShadowSilk: A Mixed-Language APT Targeting Government in Asia | A recently published report details the ShadowSilk threat actor group, a mixed-language (Chinese and Russian) actor primarily focused on data exfiltration from government targets. | ALERTS | APT |
| 31.8.25 | SmartApeSG uses fake CAPTCHAs to deploy NetSupport RAT and StealC v2 | A multi-stage attack chain linked to SmartApeSG is exploiting compromised websites by injecting fake CAPTCHA pages that trick users into executing hidden commands through a ClickFix-style script. | VIRUS | |
| 31.8.25 | Hook v3 evolves into banking, spyware and ransomware extortion | A new variant of the Hook Android banking trojan has emerged, evolving beyond credential theft to include ransomware-style extortion via full-screen cryptocurrency payment overlays. | VIRUS | |
| 31.8.25 | Cephalus Ransomware | In mid‑August 2025, researchers observed two ransomware incidents involving a new variant dubbed “Cephalus.” According to their findings, the attackers gained entry via RDP using accounts without MFA and appeared to exfiltrate data via MEGA before deploying the payload. | RANSOM | |
| 31.8.25 | "PlugX" Backdoor Powers UNC6384's Diplomatic Espionage | A sophisticated cyber-espionage campaign, attributed to the PRC-nexus threat actor UNC6384, is actively targeting diplomats in Southeast Asia and other global entities. | ALERTS | VIRUS |
| 31.8.25 | ZipLine: Building Trust, Exploiting Trust – A New Attack Vector | The sophisticated social engineering campaign, "ZipLine," targets US companies across diverse sectors like manufacturing, semiconductors, and biotech, seeking valuable data, vendor networks, or exploitable infrastructure. Unlike traditional phishing, ZipLine initiates contact via a company's public "Contact Us" form, generating initial legitimacy. | EXPLOIT | |
| 31.8.25 | Datebug threat group uses custom malware to target Linux BOSS systems | The Datebug threat group (aka APT36, Transparent Tribe) is a Pakistan-based group known to target various industries (government. media, military) primarily situated in India. In recent activity, the group was observed targeting the Linux BOSS operating system with custom malware, notably those systems associated with the Indian government. | VIRUS | |
| 31.8.25 | Biotech and Semiconductor Firms Impersonated to Spread Snake Keylogger | Symantec has identified an actor running two coordinated malspam campaigns that impersonated well-known companies to distribute Snake Keylogger, a prevalent information-stealing malware designed to harvest credentials, system details, and other sensitive data before transmitting them to attacker-controlled Telegram bots. | ALERTS | VIRUS |
| 31.8.25 | New Android Backdoor Impersonates Antivirus to Spy on Russian Business Leaders | A new sophisticated Android malware, Android.Backdoor.916.origin, has been identified, specifically targeting executives of Russian businesses. | VIRUS | |
| 31.8.25 | Anatsa - Android banking malware | Anatsa, a banking Trojan targeting Android devices, has been in circulation since 2020. A recently observed campaign saw the malware being downloaded after installation of a decoy document reader application from the Google Play Store. Some features present in the recent release include: | VIRUS | |
| 31.8.25 | Gayfemboy malware campaign | A stealthy malware strain, dubbed "Gayfemboy," has been observed exploiting a range of vulnerabilities to infiltrate systems. Most recent attacks target vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco. | ALERTS | CAMPAIGN |
| 30.8.25 | Anatsa | Android Document Readers and Deception: Tracking the Latest Updates to Anatsa | MALWARE | Android |
| 30.8.25 | Android.Backdoor.916.origin | Android backdoor spies on employees of Russian businesses | MALWARE | Android |
| 30.8.25 | APT36 | APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files | APT | APT |
| 30.8.25 | COOKIE SPIDER | Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS | GROUP | GROUP |
| 30.8.25 | CVE-2025-34511 | Post-authenticated remote code execution via Sitecore PowerShell Extension | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | CVE-2025-34510 | Post-authenticated remote code execution via path traversal | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | CVE-2025-34509 | Use of hard-coded credentials | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | CVE-2025-53694 | Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | CVE-2025-53691 | Remote code execution (RCE) through insecure deserialization | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | CVE-2025-53693 | HTML cache poisoning through unsafe reflections | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | CVE-2025-55177 | Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device | VULNEREBILITY | VULNEREBILITY |
| 30.8.25 | SikkahBot Malware | Executive Summary Cyble Research and Intelligence Labs (CRIL) has uncovered an ongoing Android malware tracker named “SikkahBot,” active since July 2024 and explicitly targeting students in Bangladesh. | MALWARE | Bot |
| 30.8.25 | Operation HanKook Phantom | Table of Contents: Introduction Threat Profile Infection Chain Campaign-1 Analysis of Decoy: Technical Analysis Fingerprint of ROKRAT’s Malware Campaign-2 Analysis of Decoy Technical analysis Detailed analysis of Decoded tony31.dat Conclusion Seqrite Protections MITRE Att&ck | OPERATION | OPERATION |
| 30.8.25 | INF0S3C STEALER | EXECUTIVE SUMMARY Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data. The executable | MALWARE | Stealer |
| 30.8.25 | TINKYWINKEY KEYLOGGER | EXECUTIVE SUMMARY At CYFIRMA, we are dedicated to providing timely intelligence on emerging cyber threats and adversarial tactics that target both individuals and organizations. | MALWARE | Keylogger |
| 29.8.25 | APT29 | Amazon disrupts watering hole campaign by Russia’s APT29 | APT | APT |
| 29.8.25 | Xiangoop | Pirates of The Nang Hai: Follow the Artifacts No One Know | MALWARE | Loader |
| 29.8.25 | TAOTH | TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents | CAMPAIGN | Exploit |
| 29.8.25 | CVE-2025-57819 | FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data | VULNEREBILITY | VULNEREBILITY |
| 29.8.25 | TamperedChef | Truesec has observed what appears to be a large cybercrime campaign, involving multiple fraudulent websites promoted through a Google advertising campaign. | MALWARE | Stealer |
| 28.8.25 |
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System |
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. | REPORT | REPORT |
| 28.8.25 | Storm-0501 | Storm-0501’s evolving techniques lead to cloud-based ransomware | APT | APT |
| 27.8.25 | CVE-2025-8424 | Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway when an attacker can get access to the appliance NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access | VULNEREBILITY | VULNEREBILITY |
| 27.8.25 | CVE-2025-7776 | Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bounded to it | VULNEREBILITY | VULNEREBILITY |
| 27.8.25 | CVE-2025-7775 | Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC | VULNEREBILITY | VULNEREBILITY |
| 27.8.25 | UNC6395 | Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | GROUP | GROUP |
| 27.8.25 | TAG-144 | TAG-144’s Persistent Grip on South American Organizations | GROUP | GROUP |
| 27.8.25 |
Sni5Gect: A Practical Approach to Inject aNRchy into 5G NR |
Sni5Gect: A Practical Approach to Inject aNRchy into 5G NR |
PAPERS | PAPERS |
| 27.8.25 | Sni5Gect | A 5G Sniffer and Downlink Injector on steroids... And yes, Wireshark supported!!! Supports DCI Sniffing, MAC-NR Downlink/Uplink message sniffing and MAC-NR Downlink message injection | ATTACK | 5G |
| 27.8.25 | ZipLine | ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies | CAMPAIGN | Phishing |
| 26.8.25 | Gigabud Malware Masquerades as Grab Super-App in Southeast Asia | A recent variant of the Gigabud Android malware has been found impersonating the popular GRAB super-app—offering ride-hailing, food delivery, and digital payments—widely used across Southeast Asia. The trojanized APK, named Grab.apk, was detected in Thailand, disguised as the legitimate application. | VIRUS | |
| 26.8.25 | Sinobi Ransomware | The Sinobi ransomware ransom note uses standard double-extortion techniques. It mixes intimidation (stolen documents, 7-day deadline, threats of leaks) with persuasion (test decryption and stolen file list). | RANSOM | |
| 26.8.25 | Global Industries and Government Agencies Targeted in Remcos Campaign | A recently observed malspam campaign is leveraging impersonation of a global supplier in the valves and actuators industry to deliver Remcos RAT. The lure comes in the form of emails with the subject line “Price quote” or “Quotation” and a malicious archive (Quote_pdf.z) as attachment. | ALERTS | CAMPAIGN |
| 26.8.25 | APT36 is evolving with new delivery techniques | A new campaign by APT36(aka Transparent Tribe) has been reported, leveraging phishing emails containing ZIP archives with malicious .desktop files disguised as PDFs to target users. | APT | |
| 26.8.25 | Phishing campaign targeting Kazakhstan’s Public Sector | A phishing campaign in Kazakhstan has been discovered that is targeting public sector clients by mimicking official government login portals and using Telegram’s Bot API as a covert channel to exfiltrate stolen credentials. | CAMPAIGN | |
| 26.8.25 | FamiPay users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of FamiPay, a Japanese digital wallet and mobile payment service offered by FamilyMart. | ALERTS | CAMPAIGN |
| 26.8.25 | Fake IBM Trusteer Mobile App Used in SpyNote Campaign | During ongoing monitoring of mobile threats, Symantec identified a malicious Android application masquerading as an IBM security product. The app, distributed under the name IBMTMOBILE.apk, was hosted on a domain designed to typosquat IBM Trusteer. | CAMPAIGN | |
| 26.8.25 | TA-NATALSTATUS cryptojacking campaigns | TA-NATALSTATUS is a threat actor engaged in conduct of cryptojacking operations around the world. The attackers are targeting vulnerable Redis server instances for the purpose of cryptominer malware deployments. | CRYPTOCURRENCY | |
| 26.8.25 | Warlock Ransomware Leverages SharePoint ToolShell vulnerability (CVE-2025-53770) for Widespread Attacks | Warlock ransomware threat actors have been aggressively targeting organizations globally by exploiting a critical vulnerability (CVE-2025-53770) in Microsoft SharePoint, known as the ToolShell exploit chain. | RANSOM | |
| 26.8.25 | BQTLOCK Ransomware | BQTLOCK is a new ransomware variant offered for sale in the form of a Ransomware-as-a-Service (Raas) model. The malware has the functionality to encrypt user data and append .bqtlock extension to the locked files. | RANSOM | |
| 26.8.25 | SHAMOS macOS malware | SHAMOS is a new variant of AMOS (aka Atomic macOS Stealer) malware targeting the macOS platform. The malware is sold by the threat group known as Cookie Spider in form of a MaaS (Malware-as-a-Service) offering. | VIRUS | |
| 26.8.25 | QuirkyLoader: A stealthy new malware loader | A newly identified malware loader dubbed QuirkyLoader has emerged as a sophisticated cyber threat, actively distributing a range of infostealers and RATs including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos and others. | ALERTS | VIRUS |
| 26.8.25 | Fake Electricity subsidy App phishing campaign | An Android phishing campaign impersonating an Indian government electricity subsidy scheme has been discovered. Victims are lured through YouTube and a GitHub-hosted phishing site mimicking an official subsidy portal. | PHISHING | |
| 26.8.25 | VIP Keylogger Spreads via Multi-Org Impersonation Campaign | Symantec has recently observed a series of malicious email campaigns delivering VIP Keylogger, in which attackers impersonated multiple legitimate organizations across industries such as logistics, engineering, and manufacturing—leveraging run-of-the-mill purchase orders, quotations, shipment notices, and sales contracts for social engineering. | CAMPAIGN | |
| 26.8.25 | Turkish Bank-themed Malspam spreads Snake Keylogger Across Sectors | Symantec has identified a recent malspam campaign distributing Snake Keylogger under the guise of a major financial institution in Turkey. | ALERTS | VIRUS |
| 26.8.25 | Deployment of the RealBlindingEDR tool among the recent activities of the Crypto24 threat group | Threat actor known as Crypto24 has been observed to recently conduct multi-stage attacks against high-profile organizations from various sectors. | GROUP | |
| 26.8.25 | CVE-2024-36401 in OSGeo GeoServer GeoTools exploited in a recent resource monetization campaign | According to latest report from Palo Alto Networks, a new campaign leveraging exploits of a remote code execution (RCE) vulnerability CVE-2024-36401 has been spotted in the wild. | VULNEREBILITY | |
| 26.8.25 | SoupDealer Loader malware | SoupDealer is a new loader malware variant observed recently in the wild and targeting users from Turkey. The malware is Java-based and distributed via malicious .jar attachments in malspam campaigns. | VIRUS | |
| 26.8.25 | ConfuserEx Obfuscation Spotted in Latest DarkCloud Stealer Campaign | A recent threat report from Unit 42 (Palo Alto Networks) highlights an evolved infection chain delivering the DarkCloud Stealer, now using ConfuserEx for obfuscation and a final payload written in Visual Basic 6. | ALERTS | CAMPAIGN |
| 26.8.25 | CORNFLAKE.V3 in “ClickFix” campaign | Researchers have uncovered a new campaign where the CORNFLAKE.V3 backdoor is being used, spread through fake CAPTCHA “ClickFix” pages run by the threat group UNC5518. | CAMPAIGN | |
| 26.8.25 | UNC1151 leverages macro-enabled Spreadsheets and Cloud C2 in latest campaign | The UNC1151 APT group has been observed conducting a malware campaign targeting Ukraine and Poland through malicious archive files containing decoy spreadsheets with embedded obfuscated macros. | APT | |
| 26.8.25 | MountBot Botnet | Researchers recently reported MountBot, a new IoT botnet first observed in April exploiting ASUS AiCloud vulnerabilities and operating on the same infrastructure as RapperBot. | ALERTS | BOTNET |
| 26.8.25 | ShadowCaptcha | Israel National Digital Agency Uncovers Global Cyberattack Campaign “ShadowCaptcha” | CAMPAIGN | CAMPAIGN |
| 26.8.25 | PRC-Nexus Espionage Campaign | Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats | CAMPAIGN | CAMPAIGN |
| 26.8.25 | Hook Version 3 | Hook Version 3: The Banking Trojan with The Most Advanced Capabilities | MALWARE | Banking |
| 26.8.25 | CVE-2025-48384 | Git Link Following Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 26.8.25 | CVE-2024-8068 | Citrix Session Recording Improper Privilege Management Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 26.8.25 | CVE-2024-8069 | Citrix Session Recording Deserialization of Untrusted Data Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 26.8.25 | CVE-2025-9074 | A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. | VULNEREBILITY | VULNEREBILITY |
| 26.8.25 | UpCrypter | Phishing Campaign Targeting Companies via UpCrypter | MALWARE | Crypter |
| 24.8.25 | DOM-based Extension Clickjacking | DOM-based Extension Clickjacking: Your Password Manager Data at Risk | HACKING | CRYPTOCURRENCY |
| 24.8.25 | XenoRAT | XenoRAT malware campaign hits multiple embassies in South Korea | MALWARE | RAT |
| 24.8.25 | CVE-2025-52970 | A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request. | VULNEREBILITY | VULNEREBILITY |
| 23.8.25 | Chihuahua Stealer | Chihuahua Stealer: Disguising Data Theft in Plain Lyrics | MALWARE | Stealer |
| 22.8.25 | VShell | The Silent, Fileless Threat of VShell | MALWARE | Linux |
| 22.8.25 | MURKY PANDA | MURKY PANDA: A Trusted-Relationship Threat in the Cloud | GROUP | GROUP |
| 22.8.25 | CVE-2025-57788 | (CVSS score: 6.9) - A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials | VULNEREBILITY | VULNEREBILITY |
| 22.8.25 | CVE-2025-57789 | (CVSS score: 5.3) - A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control | VULNEREBILITY | VULNEREBILITY |
| 22.8.25 | CVE-2025-57790 | (CVSS score: 8.7) - A path traversal vulnerability that allows remote attackers to perform unauthorized file system access through a path traversal issue, resulting in remote code execution | VULNEREBILITY | VULNEREBILITY |
| 22.8.25 | CVE-2025-57791 | (CVSS score: 6.9) - A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role | VULNEREBILITY | VULNEREBILITY |
| 22.8.25 | CORNFLAKE.V3 | A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor | MALWARE | Backdoor |
| 21.8.25 | QuirkyLoader | A new malware loader delivering infostealers and RATs | MALWARE | RAT |
| 21.8.25 | Scattered Spider | Scattered Spider: A Threat Profile | HACKING | THREATS |
| 21.8.25 | CVE-2025-43300 | About the security content of iOS 18.6.2 and iPadOS 18.6.2 | VULNEREBILITY | VULNEREBILITY |
| 21.8.25 | DOM-based Extension Clickjacking | DOM-based Extension Clickjacking: Your Password Manager Data at Risk | HACKING | CRYPTOCURRENCY |
| 21.8.25 | CVE-2018-0171 | A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device | VULNEREBILITY | VULNEREBILITY |
| 21.8.25 | SYNful Knock | SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks | ATTACK | DDoS |
| 20.8.25 | Fake Flash updates deliver Winos Trojan | A new Silver Fox campaign masquerading as a Flash plugin update has been observed. Users are lured through fake online tools, such as counterfeit translation sites, where they are prompted to install a fraudulent Flash update. | VIRUS | |
| 20.8.25 | EncryptHub attackers exploit MMC CVE-2025-26633 vulnerability for payload delivery | A recent campaign attributed to threat group EncryptHub (aka LARVA-208 and Water Gamayun), blends social engineering with the exploitation of the Microsoft Management Console (MMC) vulnerability tracked as CVE-2025-26633, dubbed MSC EvilTwin. | EXPLOIT | |
| 20.8.25 | Cracked Games lead to Lumma Stealer and SectopRAT infections | A multi-stage malware campaign has been uncovered where users searching for cracked games are tricked into downloading installers that first deploy Lumma Stealer and then install SectopRAT. | ALERTS | VIRUS |
| 20.8.25 | Modular PipeMagic backdoor masquerades as a ChatGPT application | Recent activity by a financially motivated threat actor group involved deployment of the modular PipeMagic malware under the guise of a ChatGPT desktop application. | VIRUS | |
| 20.8.25 | Recent vulnerabilities affecting Adobe Experience Manager (CVE-2025-54253 / CVE-2025-54254 / CVE-2025-49533) | Three vulnerabilities affecting Adobe Experience Manager (AEM) software solutions have been recently disclosed. The vulnerabilities are tracked as follows: | VULNEREBILITY | |
| 20.8.25 | njRAT masquerades as browser-based Minecraft Game | The renewed hype around Minecraft, driven by its upcoming film adaptation, is being exploited by cybercriminals who are distributing what appears to be a browser-based clone of the game but in reality conceals njRAT, a powerful remote access trojan. | ALERTS | VIRUS |
| 20.8.25 | Android malware masquerading as GiftFlipSoft | A sophisticated Android banking malware dubbed Lazarus Stealer, masquerading as the seemingly benign GiftFlipSoft app has been observed. | VIRUS | |
| 20.8.25 | NOVABLIGHT MaaS after Wallets | NOVABLIGHT is a sophisticated new Malware-as-a-Service (MaaS) information stealer leveraging Telegram and Discord for both distribution and operational support. Posing as an "educational tool," it stealthily distributes itself through social engineering lures like fake video game installers often repackaged with French-language titles. | CRYPTOCURRENCY | |
| 20.8.25 | PhantomCard mobile malware | A novel NFC-based malware, dubbed PhantomCard, has been identified in the wild and is actively targeting Android banking customers. | VIRUS | |
| 20.8.25 | Charon Ransomware | Charon represents a recently identified ransomware variant that utilizes DLL-injection techniques for the compromise of targeted endpoints. | RANSOM | |
| 20.8.25 | Phishing emails targeting U-Next users pose account takeover risk | U-Next is a Japanese video streaming platform (OTT). Recently, Symantec detected a phishing campaign targeting U-Next's users and its accounts. | PHISHING | |
| 20.8.25 | A new variant of the FireWood Linux malware found in the wild | A new variant of the Linux malware dubbed FireWood has been discovered in the wild. The malware is linked to Project Wood malware family and attributed to the Gelsemium APT group. | ALERTS | VIRUS |
| 20.8.25 | CVE-2017-11882 exploits still lead to malicious infections | CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. If successfully exploited the flaw might allow attackers remote code execution on the targeted systems. | VULNEREBILITY | |
| 20.8.25 | BytesFromHeaven ransomware | A new ransomware strain, BytesFromHeaven, has surfaced in the wild. Upon execution, the malware encrypts user data, appends random extensions to locked files, and changes the desktop wallpaper to signal a successful attack. | RANSOM | |
| 20.8.25 | SmartLoader delivered via Github repositories | A new campaign leveraging Github repositories to deliver the SmartLoader malware has been reported in the wild. The repositories are disguised as projects involving automation tools, DDoS protection applications, software cracks or game hacks. | ALERTS | VIRUS |
| 20.8.25 | New malicious campaign delivering PS1Bot malware | A new malicious operation delivering PowerShell-based malware variant dubbed PS1Bot has been reported by the researchers from Cisco Talos. | VIRUS | |
| 20.8.25 | Scamlexity | "Scamlexity" - a new era of scam complexity, supercharged by Agentic AI. Familiar tricks hit harder than ever, while new AI-born attack vectors break into reality. | HACKING | AI |
| 20.8.25 | CVE-2023-46604 | The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. | VULNEREBILITY | VULNEREBILITY |
| 20.8.25 | DripDropper | Patching for persistence: How DripDropper Linux malware moves through the cloud | MALWARE | Linux |
| 19.8.25 | GodRAT | GodRAT – New RAT targeting financial institutions | MALWARE | RAT |
| 19.8.25 | CVE-2025-31324 | (CVSS score: 10.0) - Missing Authorization check in SAP NetWeaver's Visual Composer development server | VULNEREBILITY | VULNEREBILITY |
| 19.8.25 | CVE-2025-42999 |
SAP NetWeaver Visual
Composer Metadata Uploader is vulnerable when a privileged user can
upload untrusted or malicious content which, when deserialized, could
potentially lead to a compromise of confidentiality, integrity, and availability of the host system. |
VULNEREBILITY | VULNEREBILITY |
| 19.8.25 | Noodlophile | Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints | MALWARE | STEALER |
| 19.8.25 | Preventing Domain Resurrection Attacks |
PyPI now checks for
expired domains to prevent domain resurrection attacks, a type of supply-chain
attack where someone buys an expired domain and uses it to take over
PyPI accounts through password resets. |
ATTACK | ATTACK |
| 17.8.25 | Operation CargoTalon | UNG0901 Targets Russian Aerospace & Defense Sector using EAGLET implant. | OPERATION | OPERATION |
| 17.8.25 | GPUHammer | GPUHammer: Rowhammer Attacks on GPU Memories are Practical | ATTACK | GPU |
| 17.8.25 | DarkCloud | New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer | MALWARE | STEALER |
| 17.8.25 | ERMAC V3.0 | Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak | MALWARE | Android |
| 17.8.25 | EncryptHub | When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal | APT | APT |
| 17.8.25 | CVE-2025-26633 | Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally. | VULNEREBILITY | VULNEREBILITY |
| 17.8.25 | UAT-7237 | UAT-7237 targets Taiwanese web hosting infrastructure | GROUP | GROUP |
| 16.8.25 | DEFCON 33 | ALL PRESENTATIONS FROM THE CONFERENCE IN THE WINZIP ARCHIVE | KONFERENCE | KONFERENCE |
| 16.8.25 | BLACKHAT 2025 USA | ALL PRESENTATIONS FROM THE CONFERENCE IN THE WINZIP ARCHIVE | KONFERENCE | KONFERENCE |
| 15.8.25 | CVE-2025-20265 | Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | PhantomCard | PhantomCard: New NFC-driven Android malware emerging in Brazil | MALWARE | Android |
| 14.8.25 | CVE-2025-8876 | N-able N-central Command Injection Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-8875 | N-able N-central Insecure Deserialization Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | PS1Bot | Malvertising campaign leads to PS1Bot, a multi-stage malware framework | MALWARE | Backdoor |
| 14.8.25 | CVE-2025-49457 | Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-25256 | Remote unauthenticated command injection | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-53767 | (CVSS score: 10.0) - Azure OpenAI Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-53766 | (CVSS score: 9.8) - GDI+ Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-50165 | (CVSS score: 9.8) - Windows Graphics Component Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-53792 | (CVSS score: 9.1) - Azure Portal Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-53787 | (CVSS score: 8.2) - Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-50177 | (CVSS score: 8.1) - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | CVE-2025-50176 | (CVSS score: 7.8) - DirectX Graphics Kernel Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | Earth Baxia | New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises | VULNEREBILITY | VULNEREBILITY |
| 14.8.25 | XZ Utils | Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images | VULNEREBILITY | VULNEREBILITY |
| 13.8.25 | Amadey | MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities | CAMPAIGN | CAMPAIGN |
| 12.8.25 | CVE-2025-6543 | Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) | VULNEREBILITY | VULNEREBILITY |
| 12.8.25 | CVE-2024-40766 | An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. | VULNEREBILITY | VULNEREBILITY |
| 12.8.25 | CVE-2025-53786 | On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. | VULNEREBILITY | VULNEREBILITY |
| 12.8.25 | 2TETRA:2BURST | Midnight Blue presents new research on the security of TETRA, including on the elusive TETRA End-to-End (E2EE) encryption mechanisms that are commonly encountered in the most sensitive of use cases. | VULNEREBILITY | VULNEREBILITY |
| 12.8.25 | CVE-2024-42009 | (CVSS score: 9.3) - A cross-site scripting (XSS) vulnerability in RoundCube Webmail that could allow a remote attacker to steal and send emails of a victim via a crafted email message by | VULNEREBILITY | VULNEREBILITY |
| 12.8.25 | CVE-2025-32433 | (CVSS score: 10.0) - A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server that could allow an attacker to execute arbitrary commands without valid credentials, | VULNEREBILITY | VULNEREBILITY |
| 12.8.25 | CVE-2025-8088 | A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2024-40766 | An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2025-30023 | The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2025-30024 | The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2025-30025 | The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2025-30026 | The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2025-53786 | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | “CAPTCHAgeddon” | Unmasking the Viral Evolution of the ClickFix Browser-Based Threat | HACKING | HACKING |
| 9.8.25 | CVE-2020-25078 | (CVSS score: 7.5) - An unspecified vulnerability in D-Link DCS-2530L and DCS-2670L devices that could allow for remote administrator password disclosure | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2020-25079 | (CVSS score: 8.8) - An authenticated command injection vulnerability in the cgi-bin/ddns_enc.cgi component affecting D-Link DCS-2530L and DCS-2670L devices | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2020-40799 | (CVSS score: 8.8) - A download of code without an integrity check vulnerability in D-Link DNR-322L that could allow an authenticated attacker to execute operating system-level commands on the device | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 |
Оновлений інструментарій UAC-0099: MATCHBOIL, MATCHWOK, DRAGSTARE |
Національною командою реагування на
кіберінциденти, кібератаки, кіберзагрози CERT-UA досліджено низку
кібератак, здійснених угрупуванням UAC-0099, у відношенні органів державної влади, Сил оборони та підприємств оборонно-промислового комплексу України. |
BATTLEFIELD UKRAINE |
BATTLEFIELD UKRAINE |
| 9.8.25 | CVE-2025-54948 | A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. | VULNEREBILITY | VULNEREBILITY |
| 9.8.25 | CVE-2025-54987 | A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. | VULNEREBILITY | VULNEREBILITY |
| 5.8.25 | PlayPraetor | PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT | MALWARE | RAT |
| 5.8.25 | PXA Stealer | Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | MALWARE | STEALER |
| 5.8.25 | CVE-2025-23319 | (CVSS score: 8.1) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request | VULNEREBILITY | VULNEREBILITY |
| 5.8.25 | CVE-2025-23320 | (CVSS score: 7.5) - A vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request | VULNEREBILITY | VULNEREBILITY |
| 5.8.25 | CVE-2025-23334 | (CVSS score: 5.9) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by sending a request | VULNEREBILITY | VULNEREBILITY |
| 5.8.25 | CVE-2025-21479 | Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 5.8.25 | CVE-2025-21480 | Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 5.8.25 | CVE-2025-27038 | Qualcomm Multiple Chipsets Use-After-Free Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 2.8.25 | FunkSec decryptor | ANTI-RANSOM TOOLS | Anti-Ransom Tool | Anti-Ransom Tool |
| 26.7.25 | ZDI-25-653 | (Pwn2Own) Microsoft SharePoint Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-652 | (Pwn2Own) Microsoft SharePoint ToolPane Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-651 | (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-650 | ATEN eco DC Missing Authorization Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-649 | Veeam Agent for Microsoft Windows Incorrect Default Permissions Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-648 | Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-647 | Anritsu ShockLine CHX File Parsing Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-646 | Amazon AWS Client VPN Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-645 | Autodesk Revit RFA File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-644 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-643 | (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-642 | (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-641 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-640 | (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-639 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-638 | (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-637 | (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-636 | (0Day) Ashlar-Vellum Cobalt AR File Parsing Uninitialized Variable Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-635 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-634 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Uninitialized Variable Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-633 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-632 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Uninitialized Variable Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-631 | (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-630 | (0Day) Ashlar-Vellum Cobalt LI File Parsing Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-629 | (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-628 | (Pwn2Own) Phoenix Contact CHARX SEC-3150 OCPP Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-627 | rocket.chat Incorrect Authorization Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-626 | (Pwn2Own) NVIDIA Container Toolkit Environment Variable Handling Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-625 | Veeam Backup Enterprise Manager JobManagmentService Improper Access Control Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-624 | (Pwn2Own) Phoenix Contact CHARX SEC-3100 Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-623 | (Pwn2Own) Phoenix Contact CHARX SEC-3150 Origin Validation Error Firewall Bypass Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-622 | (Pwn2Own) Phoenix Contact CHARX SEC-3150 Configuration Service Missing Authentication Vulnerability |
ZERO-DAY |
|
| 26.7.25 | ZDI-25-621 | (Pwn2Own) Phoenix Contact CHARX SEC-3150 DHCP Configuration Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.7.25 | Data Pirates’ Toolkit | Leveraging SQLmap for Unearthing Digital Gold | REPORT | REPORT |
| 26.7.25 | Operation CargoTalon | Contents Introduction Initial Findings Infection Chain. Technical Analysis Stage 0 – Malicious Email File. Stage 1 – Malicious LNK file. Stage 2 – Looking into the decoy file. Stage 3 – Malicious EAGLET implant. Hunting and Infrastructure. Infrastructural details.... | OPERATION | OPERATION |
| 26.7.25 | RAVEN STEALER | EXECUTIVE SUMMARY Raven Stealer is a modern, lightweight, information-stealing malware developed primarily in Delphi and C++, designed to extract sensitive data from victim | MALWARE | STEALER |
| 26.7.25 | EdskManager RAT | Executive Summary At CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations | MALWARE | RAT |
| 25.7.25 | Chaos Ransomware Group Surfaces with Aggressive Tactics | A newly identified ransomware-as-a-service group called Chaos has rapidly gained traction, launching double extortion attacks primarily in the U.S., with additional victims in the U.K., India, and New Zealand. Cisco Talos links the group to former BlackSuit (Royal) operators based on overlapping tactics and tooling. | RANSOM | |
| 25.7.25 | Malicious Hangul Word Processor documents delivering RokRAT | In a change from previous distribution methods, a recent campaign saw the RokRAT malware delivered through Hangul Word Processor documents (.hwp) rather than previously observed .lnk files. The HWP document embeds a legitimate executable and a malicious DLL responsible for initial payload execution. | VIRUS | |
| 25.7.25 | Chinese APT Clusters Escalate Attacks on Taiwan's Semiconductor Sector | The Taiwanese semiconductor industry has become the primary target of a series of sophisticated spear-phishing campaigns orchestrated by three distinct Chinese state-sponsored threat actor groups: UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp. | ALERTS | APT |
| 25.7.25 | Recent malicious activities attributed to the UNG0002 threat group | A new cluster of malicious activities dubbed "Operation AmberMist" has been attributed to the threat group known as UNG0002. The attackers have been focusing on victims from various industry sectors and distributing miscellaneous payloads including Shadow RAT, Blister DLL Implant, and INET RAT. | GROUP | |
| 25.7.25 | DCHSpy malware distributed by the Seedworm APT group | A new campaign distributing mobile DCHSpy surveillanceware malware has been reported in the wild. The activity is attributed to the Seedworm APT group (aka MuddyWater). DCHSpy has the functionality to collect and exfiltrate various data from the compromised devices including: stored contacts, SMS messages, local files, call logs, WhatsApp messenger data and more. | VIRUS | |
| 25.7.25 | Greedy Sponge threat group distributes AllaKore RAT and SystemBC malware to Mexican organizations | A financially-motivated threat group known as Greedy Sponge has been reported to conduct a new campaign spreading AllaKore RAT and SystemBC malware to Mexican organizations. | ALERTS | VIRUS |
| 25.7.25 | New ACR Stealer variant features updates aimed at detection evasion | ACR Stealer is a C++based infostealer variant that emerged on the threat landscape last year. A new campaign distributing this malware has been reported now in the wild. | VIRUS | |
| 25.7.25 | New wave of extortion scam: "Hitman" threaten acid attacks in exchange for Litecoin | Lately, Symantec has observed a sudden theme change in extortion scam emails. In general, these emails make use of threatening language in order to extort money from the recipients. Scammers appear to have kicked off a new extortion scam campaign by imposing as professional hitmen offering services such as destruction to property or injury. | CRYPTOCURRENCY | |
| 25.7.25 | CVE-2025-53770 - Critical SharePoint Zero-Day vulnerability exploited in the wild | Microsoft has patched a zero-day vulnerability in SharePoint following reports of its exploitation in the wild. The vulnerability (CVE-2025-53770), dubbed ToolShell, affects on-premises SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems. | VULNEREBILITY | |
| 25.7.25 | AA25 203A StopRansomware Interlock | Prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and training users to spot social engineering attempts. | RANSOMWARE | RANSOMWARE |
| 25.7.25 | CVE-2025-20282 | Critical unauthenticated arbitrary file upload and execution vulnerability in Cisco ISE and ISE-PIC Release 3.4. Lack of file validation allows attackers to upload malicious files into privileged directories and execute them as root. Fixed in ISE 3.4 Patch 2. | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | Operation GhostChat | In June 2025, threat actors carried out a strategic web compromise by replacing the legitimate link, tibetfund.org/90thbirthday, on a compromised webpage with a malicious link. The original link directed users to a page inviting members of the Tibetan community to send greetings to the Dalai Lama, but the malicious link redirected them to a fraudulent page hosted at thedalailama90.niccenter[.]net. | OPERATION | OPERATION |
| 25.7.25 | Operation PhantomPrayers |
In June 2025, a new subdomain, hhthedalailama90.niccenter[.]net was used by the threat actor to distribute a malicious application masquerading as a "special prayer check-in" software. |
OPERATION | OPERATION |
| 25.7.25 | MISA-2025-0009 | MX-ONE Authentication Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | Fire Ant | Fire Ant: A Deep-Dive into Hypervisor-Level Espionage | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | CVE-2023-34048 | vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | CastleLoader | Understanding Current CastleLoader Campaigns | MALWARE | Loader |
| 25.7.25 | CVE-2025-6704 | (CVSS score: 9.8) - An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | CVE-2025-7624 | (CVSS score: 9.8) - An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | CVE-2024-13974 | (CVSS score: 8.1) - A business logic vulnerability in the Up2Date component can lead to attackers controlling the firewall's DNS environment to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 25.7.25 | CVE-2024-13973 | (CVSS score: 6.8) - A post-auth SQL injection vulnerability in WebAdmin can potentially lead to administrators achieving arbitrary code execution | VULNEREBILITY | VULNEREBILITY |
| 24.7.25 | Coyote | Coyote in the Wild: First-Ever Malware That Abuses UI Automation | MALWARE | AI |
| 23.7.25 | CVE-2025-2775 | (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives | VULNEREBILITY | VULNEREBILITY |
| 23.7.25 | CVE-2025-2776 | (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives | VULNEREBILITY | VULNEREBILITY |
| 23.7.25 | CVE-2025-49704 | (CVSS score: 8.8) - Microsoft SharePoint Remote Code Execution Vulnerability (Fixed on July 8, 2025) | VULNEREBILITY | VULNEREBILITY |
| 23.7.25 | CVE-2025-49706 | (CVSS score: 6.5) - Microsoft SharePoint Server Spoofing Vulnerability (Fixed on July 8, 2025) | VULNEREBILITY | VULNEREBILITY |
| 23.7.25 | AllaKore RAT | Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC | MALWARE | RAT |
| 23.7.25 | CVE-2025-20281 | Multiple vulnerabilities in a specific API that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root | VULNEREBILITY | VULNEREBILITY |
| 23.7.25 | CVE-2025-20337 | Multiple vulnerabilities in a specific API that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root | VULNEREBILITY | VULNEREBILITY |
| 22.7.25 | Crux | Getting to the Crux (Ransomware) of the Matter | RANSOMWARE | RANSOMWARE |
| 22.7.25 | KAWA4096 | KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles | RANSOMWARE | RANSOMWARE |
| 22.7.25 | LARVA-208’s New Campaign Targets Web3 Developers | LARVA-208 , known for its phishing attacks and social engineering tactics targeting English-speaking IT staff through phone calls, has adopted a new technique in its operations. In recent months, LARVA-208 used multiple domains to contact IT employees, gather their VPN credentials, and subsequently harvest usernames and passwords from victims. | CAMPAIGN | CAMPAIGN |
| 22.7.25 | DCHSpy | Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict | MALWARE | ANDROID |
| 22.7.25 | PoisonSeed | PoisonSeed downgrading FIDO key authentications to ‘fetch’ user accounts | GROUP | GROUP |
| 22.7.25 | CVE-2025-53771 | Microsoft SharePoint Server Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 22.7.25 | CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 22.7.25 | CVE-2025-37103 | Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-54309 | CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 |
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Provide |
Between December 2024 and January 2025, Recorded Future’s
Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. |
REPORT | REPORT |
| 20.7.25 | AUTHENTIC ANTI | Highly targeted credential and OAuth 2.0 tokenstealing malware targeting Outlook. | MALWARE | STEALING |
| 20.7.25 | CVE-2025-54309 | CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | PHOBOS ANTI-RANSOM TOOL | Phobos Decryptor is designed to decrypt files encrypted by Phobos Ransom. | Anti-Ransom Tool | Anti-Ransom Tool |
| 20.7.25 | CVE-2025-48927 | The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-41236 | VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. Nguyen Hoang Thach of STARLabs SG used this flaw at Pwn2Own. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-41237 | VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. This flaw was used by Corentin BAYET of REverse Tactics at Pwn2Own. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-41238 | VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | Matanbuchus 3.0 | From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up | PAPERS | PAPERS |
| 20.7.25 | Matanbuchus | Matanbuchus: Malware-as-a-Service with Demonic Intentions | MALWARE | MaaS |
| 20.7.25 | CVE-2023-20273 | A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2023-20198 | Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2018-0171 | A critical flaw in Cisco IOS and IOS XE Smart Install that allows remote code execution via specially crafted TCP packets. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2023-20198 | A zero-day affecting Cisco IOS XE web UI that permits unauthenticated remote access to devices. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2023-20273 | A privilege escalation flaw also targeting IOS XE that allows hackers to execute commands as root. This flaw has been seen chained with CVE-2023-20198 to maintain persistence. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2024-3400 | A command injection vulnerability in Palo Alto Networks' PAN-OS GlobalProtect, which allows unauthenticated attackers to execute commands on devices. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2021-20038 | A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2024-38475 | Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2021-20035 | Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2021-20039 | Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances. | VULNEREBILITY | VULNEREBILITY |
| 20.7.25 | CVE-2025-32819 | A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. | VULNEREBILITY | VULNEREBILITY |
| 19.7.25 | Lumma Stealer infection with SecTop RAT | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 19.7.25 | Koi Loader/Koi Stealer infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 19.7.25 | Lumma Stealer infection with follow-up Rsockstun malware | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 19.7.25 | APT PROFILE – FANCY BEAR | Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value | APT | APT |
| 19.7.25 | CVE‑2025‑5777 | Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | VULNEREBILITY | VULNEREBILITY |
| 19.7.25 | MFSocket | Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico | MALWARE | TOOL |
| 19.7.25 | UNG0002 | UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions | GROUP | APT |
| 19.7.25 | DslogdRAT | DslogdRAT Malware Installed in Ivanti Connect Secure | MALWARE | RAT |
| 19.7.25 | SPAWNCHIMERA | SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability | MALWARE | |
| 19.7.25 | CVE-2025-0282 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 19.7.25 | CVE-2025-22457 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 19.7.25 | MDifyLoader | Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities | MALWARE | LOADER |
|
18.7.25 |
CVE-2025-7029 | bug in an SMI handler (OverClockSmiHandler) that can lead to SMM privilege escalation | VULNEREBILITY | VULNEREBILITY |
|
18.7.25 |
CVE-2025-7028 | bug in an SMI handler (SmiFlash) gives read/write access to the System Management RAM (SMRAM), which can lead to malware installation | VULNEREBILITY | VULNEREBILITY |
|
18.7.25 |
CVE-2025-7027 | can lead to SMM privilege escalation and modifying the firmware by writing arbitrary content to SMRAM | VULNEREBILITY | VULNEREBILITY |
|
18.7.25 |
CVE-2025-7026 | allows arbitrary writes to SMRAM and can lead to privilege escalation to SMM and persistent firmware compromise | VULNEREBILITY | VULNEREBILITY |
|
18.7.25 |
ZDI-25-620 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-619 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-618 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-617 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-616 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-615 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-614 |
Hewlett Packard Enterprise AutoPass License Server Authentication Bypass Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-613 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-612 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-611 |
VMware ESXi VMCI Uninitialized Memory Information Disclosure Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-610 |
Linux Kernel ksmbd destroy_previous_session Null Pointer Dereference Denial-of-Service Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-609 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-608 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-607 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-606 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-605 |
Cisco Identity Services Engine IpAccessFilter Direct Request Authentication Bypass Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-604 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-603 |
Autodesk Revit RTE File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-602 |
ZERO-DAY |
||
|
18.7.25 |
ZDI-25-601 |
(Pwn2Own) Oracle VirtualBox VMSVGA Integer Overflow Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-600 |
(Pwn2Own) Oracle VirtualBox VMSVGA Out-Of-Bounds Write Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-599 |
Oracle VirtualBox LSILogic Uninitialized Memory Information Disclosure Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-598 |
Oracle VirtualBox BusLogic Uninitialized Memory Information Disclosure Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-597 |
Autodesk Revit RFA File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-596 |
Autodesk Revit RTE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-595 |
Autodesk Revit RFA File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-594 |
Autodesk Revit RFA File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
|
18.7.25 |
ZDI-25-593 |
Autodesk Revit RVT File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 18.7.25 | SMM callout vulnerabilities identified in Gigabyte UEFI firmware modules | System Management Mode (SMM) callout vulnerabilities have been identified in UEFI modules present in Gigabyte firmware. An attacker could exploit one or more of these vulnerabilities to elevate privileges and execute arbitrary code in the SMM environment of a UEFI-supported processor. | ALERT | ALERT |
| 18.7.25 | Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities | Multiple vulnerabilities have been identified in Ruckus Wireless management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. | ALERT | ALERT |
| 18.7.25 | CVE-2025-23266 | NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. | VULNEREBILITY | VULNEREBILITY |
| 18.7.25 | Кібератаки UAC-0001 на сектор безпеки та оборони із застосуванням програмного засобу LAMEHUG, що використовує LLM (велику мовну модель) (CERT-UA#16039) | Національною командою реагування на кіберінциденти, кібератаки, кіберзагрози CERT-UA 10.07.2025 отримано інформацію щодо розповсюдження серед органів виконавчої влади, начебто від імені представника профільного міністерства, електронних листів із вкладенням у вигляді файлу "Додаток.pdf.zip". | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 18.7.25 | BadBox 2.0 | Recently, our researchers partnered with HUMAN Security and Trend Micro to uncover BadBox 2.0, the largest known botnet of internet-connected TVs. Building on our previous actions to stop these cybercriminals, we filed a lawsuit in New York federal court against the botnet’s perpetrators. | BOTNET | BOTNET |
| 18.7.25 | H2miner | The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a Crypto mining botnet that has been active since late 2019. | MALWARE | CRYPTOCURRENCY |
| 18.7.25 | SquidLoader | Threat Analysis: SquidLoader - Still Swimming Under the Radar | MALWARE | Loader |
| 18.7.25 | CVE-2021-41773 | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. | VULNEREBILITY | VULNEREBILITY |
| 18.7.25 | Emmenhtal | MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities | MALWARE | Loader |
| 18.7.25 | Linuxsys | VulnCheck observed exploitation of CVE-2021-41773 in the wild. This, in itself, is hardly noteworthy. The vulnerability was an inaugural member of both the CISA KEV and VulnCheck KEV. | MALWARE | CRYPTOCURRENCY |
| 17.7.25 | Emmenhtal leveraged by MaaS operators in recent campaigns | In a recent report published by Cisco Talos, researchers highlighted recent campaigns that used Emmenhtal to deliver various payloads. One campaign included the Emmenhtal loader contained within a phishing mail archive attachment, while another hosted Emmenhtal on various GitHub repositories to deliver the Amadey payload. | CAMPAIGN | |
| 17.7.25 | New wave of Tech Support Scams exploits legitimate chat platforms and uses brand impersonation | Tech/Fund Support scam techniques are continuously evolving to appear more legitimate. Previously, scammers included phone numbers in phishing emails, relying on victims to initiate contact. | SPAM | |
| 17.7.25 | DeadLock Ransomware | Another ransomware actor known as "DeadLock" has been observed making the rounds. Upon successful compromise, encrypted files are appended with a .dlock extension. At this time, it is unconfirmed whether the actor engages in double-extortion tactics (i.e., threatening to sell data if the ransom is not paid). | RANSOM | |
| 17.7.25 | XWorm disguised as Epstein Files | Amid renewed public interest in the Epstein case and debates around the release of related files, cybercriminals are leveraging this topical news for social engineering lures. One actor has been observed spreading XWorm, a known commodity malware often sold on Telegram channels and underground forums, disguised as fake Epstein files (Epstein files2.exe). | ALERTS | VIRUS |
| 17.7.25 | Many branches in the AsyncRAT tree | A recently published report highlights the extensive branching of derivative RATs traceable to AsyncRAT. AsyncRAT is a highly modular Remote Access Trojan that fundamentally allows an attacker to control a compromised system. | VIRUS | |
| 17.7.25 | Octalyn Stealer Targets Crypto, VPNs, and Browser Data via Deceptive Forensic Toolkit | Octalyn Stealer is a sophisticated new malware masquerading as a legitimate forensic toolkit on GitHub. Designed for large-scale data theft and exfiltration, it illicitly targets sensitive user data, including VPN configurations, browser credentials (passwords, cookies, auto-fill, browsing history), and critical cryptocurrency wallet information for Bitcoin, Ethereum, Litecoin, and Monero. | VIRUS | |
| 17.7.25 | Konfety mobile malware | Konfety is a mobile malware variant identified in a recent distribution campaign. The malware employs an unique technique of malforming the file ZIP structure in an effort to avoid detection and forensic analysis. | ALERTS | VIRUS |
| 17.7.25 | CVE-2025-52488 - DNN platform vulnerability | CVE-2025-52488 is a recently disclosed vulnerability affecting DNN Platform, which is an open-source web content management system (CMS) based on the .NET Framework. | VULNEREBILITY | |
| 17.7.25 | New mobile crypto-stealing malware SparkKitty | A new mobile crypto-stealing malware, SparkKitty, has infiltrated Android and iOS devices via Google Play and the Apple App Store. | VIRUS | |
| 17.7.25 | WeevilProxy malware targets cryptocurrency users | WeevilProxy is a new malware variant observed to be targeting prevalently cryptocurrency users. The campaigns' main propagation relies on arbitrary advertising campaigns via Google ads or miscellaneous social networks. | CRYPTOCURRENCY | |
| 17.7.25 | Global - a new BlackLock ransomware variant | Global is a new ransomware variant believed to be a rebrand of the BlackLock ransomware strain. According to the report published by the EclecticIQ researchers, the malware is sold as part of a Ransomware-as-a-Service (RaaS) offering by the threat actors previously associated with an older ransomware family known as Mamona. | ALERTS | RANSOM |
| 17.7.25 | Interlock RAT via FileFix scheme | A newly observed Interlock RAT variant is being delivered through PHP scripts, marking a shift from previous JavaScript-based methods. | VIRUS | |
| 17.7.25 | New variant of macOS malware ZuRu observed in the wild | Researchers have observed a new macOS-based ZuRu malware variant being spread in the wild. The malware is distributed via trojanized macOS application bundles and it is leveraging the open-source Khepri framework for performing post-infection activities. | VIRUS | |
| 17.7.25 | Web Injection Campaign: JSFireTruck | Palo Alto Networks Unit 42 has uncovered a large-scale campaign, dubbed JSFireTruck, that injects heavily obfuscated JavaScript into legitimate websites. | HACKING | |
| 17.7.25 | Amos Stealer Adds Backdoor | In a significant shift, researchers have observed that Atomic macOS Stealer (AMOS) has added a persistent backdoor to its payload, enabling long-term remote access to infected Macs. | VIRUS | |
| 17.7.25 | Sainbox RAT delivered via fake software installers | A new campaign delivering a variant of Gh0stRAT dubbed Sainbox RAT via fake software installers have been reported in the wild. The attackers masquerade the malware binaries as apps well known in China such as DeepSeek, Sogou or WPS Office. | CAMPAIGN | |
| 17.7.25 | Cloudflare temporary tunnels used to serve up payloads | A recently observed campaign leverages legitimate cloud services like TryCloudflare to host and deliver highly evasive RATs such as AsyncRAT, XWorm, VenomRAT, and Remcos. | CAMPAIGN | |
| 17.7.25 | SafePay ransomware | SafePay is a ransomware variant initially discovered back last year. Over the time the attackers behind this strain have been reported to compromise over 200 victims across various sectors. | RANSOM | |
| 17.7.25 | Mobile Threat: Qwizzserial | In mid-2025, researchers observed a sharp rise in Qwizzserial, a newly discovered Android malware designed to steal banking credentials and intercept SMS-based two-factor authentication codes. | VIRUS | |
| 17.7.25 | CVE-2025-20337 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. | VULNEREBILITY | VULNEREBILITY |
| 17.7.25 | CVE-2025-20281 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root | VULNEREBILITY | VULNEREBILITY |
| 17.7.25 | CVE-2025-6558 | Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | VULNEREBILITY | VULNEREBILITY |
| 17.7.25 | CVE-2025-6965 | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. | VULNEREBILITY | VULNEREBILITY |
| 16.7.25 | GLOBAL GROUP | GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates | GROUP | RANSOMWARE |
| 16.7.25 | Hyper-Volumetric DDoS Attacks | Hyper-volumetric DDoS attacks skyrocket: Cloudflare’s 2025 Q2 DDoS threat report | ATTACK | ATTACK |
| 16.7.25 | HazyBeacon | Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication | MALWARE | BACKDOOR |
| 16.7.25 | KongTuke | Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). | MALWARE | RAT |
| 13.7.25 | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability | VULNEREBILITY | VULNEREBILITY | |
| 12.7.25 | CVE-2025-5959 | (high-severity, 8.8 score) – type confusion bug in the V8 JavaScript and WebAssembly engine allows remote code execution inside a sandbox via a crafted HTML page | VULNEREBILITY | VULNEREBILITY |
| 12.7.25 | CVE-2025-6554 | (high-severity, 8.1 score) – type confusion in V8 enables attackers to perform arbitrary memory read/write through a malicious HTML page | VULNEREBILITY | VULNEREBILITY |
| 12.7.25 | CVE-2025-6191 | (high-severity, 8.8 score) – integer overflow in V8 allows out-of-bounds memory access, potentially leading to code execution | VULNEREBILITY | VULNEREBILITY |
| 12.7.25 | CVE-2025-6192 | (high-severity, 8.8 score) – use-after-free vulnerability in Chrome's Metrics component could cause heap corruption exploitable via crafted HTML | VULNEREBILITY | VULNEREBILITY |
| 12.7.25 | GPUHammer: Rowhammer Attacks on GPU Memories are Practic | Rowhammer is a read disturbance vulnerability in modernDRAM that causes bit-flips, compromising security and reliability. While extensively studied on Intel and AMD CPUs with DDR and LPDDR memories, its impact on GPUs using GDDR memories, critical for emerging machine learning applications, remains unexplored | PAPERS | PAPERS |
| 12.7.25 | GPUHammer | GPUHammer: Rowhammer Attacks on GPU Memories are Practical# | ATTACK | GPU |
| 12.7.25 | CVE-2025-47812 – Wing FTP Server vulnerability exploited in the wild | CVE-2025-47812 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Wing FTP Server, which is a cross-platform file transfer software. | ALERTS | VULNEREBILITY |
| 12.7.25 | New Pay2Key ransomware campaign leverages I2P network | A ransomware-as-a-service (RaaS) operation distributing a new variant of the Pay2Key malware has been reported in the wild. Dubbed as Pay2Key.I2P the campaign has been linked to the activities of the Fox Kitten APT group. | RANSOM | |
| 12.7.25 | Malicious scripts lead to XWorm RAT | Campaigns distributing the XWorm remote access trojan often leverage various scripting languages. The most frequently observed malicious scripts include batch files, and those written in Visual Basic, JavaScript, and PowerShell. | VIRUS | |
| 12.7.25 | Phishing Campaign Masquerades as "Ordre des Experts-Comptables" Document | Symantec has observed a phishing campaign leveraging a deceptive HTML attachment disguised as an official document from l’Ordre des Experts-Comptables, the French national order of chartered accountants. | CAMPAIGN | |
| 12.7.25 | ZDI-25-592 | Delta Electronics DTM Soft BIN File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 12.7.25 | ZDI-25-591 | G DATA Total Security GDTunerSvc Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 12.7.25 | ZDI-25-590 | Trend Micro Worry-Free Business Security Missing Authentication Vulnerability |
ZERO-DAY |
|
| 12.7.25 | ZDI-25-589 | Trend Micro Cleaner One Pro Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 12.7.25 | ZDI-25-588 | Luxion KeyShot 3DM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 12.7.25 | TapTrap: Animation-Driven Tapjacking on Android | Users interact with mobile devices under the assumption that the graphical user interface (GUI) accurately reflects their actions, a trust fundamental to the user experience. | PAPERS | PAPERS |
| 11.7.25 | CVE-2025-25257 | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2024-45434 | Use-After-Free in AVRCP service | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2024-45431 | Improper validation of an L2CAP channel's remote CID | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2024-45433 | Incorrect function termination in RFCOMM | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2024-45432 | Function call with incorrect parameter in RFCOMM | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2025-47812 | In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2025-5777 | Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | CVE-2025-6514 | Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients | VULNEREBILITY | VULNEREBILITY |
| 11.7.25 | PerfektBlue | PerfektBlue is the industry-wide critical over-the-air attack chain affecting millions of devices in automotive and other industries. | ATTACK | bluetooth |
| 10.7.25 | macOS.ZuRu | macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App | MALWARE | MacOS |
| 10.7.25 | CVE-2024-36349 | (CVSS score: 3.8) - A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage | VULNEREBILITY | VULNEREBILITY |
| 10.7.25 | CVE-2024-36348 | (CVSS score: 3.8) - A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP[3] feature is enabled, potentially resulting in information leakage | VULNEREBILITY | VULNEREBILITY |
| 10.7.25 | CVE-2024-36357 | (CVSS score: 5.6) - A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries | VULNEREBILITY | VULNEREBILITY |
| 10.7.25 | CVE-2024-36350 | (CVSS score: 5.6) - A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information | VULNEREBILITY | VULNEREBILITY |
| 10.7.25 | AMD Transient Scheduler Attacks | AMD discovered several transient scheduler attacks related to the execution timing of instructions under specific microarchitectural conditions while investigating a Microsoft® report titled “Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks”. | ATTACK | CPU |
| 10.7.25 | CVE-2025-3648 | CVE-2025-3648 - Data Inference in Now Platform via Conditional ACLs | VULNEREBILITY | VULNEREBILITY |
| 9.7.25 | ZDI-25-587 | Trend Micro Password Manager Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-586 | Trend Micro Maximum Security Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-585 | Microsoft Windows win32kfull Out-Of-Bounds Write Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-584 | Microsoft Windows win32kfull Out-Of-Bounds Write Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-583 | Microsoft Windows Startup Folder SmartScreen Bypass Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-582 | (Pwn2Own) Microsoft SharePoint DataSetSurrogateSelector Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-581 | (Pwn2Own) Microsoft SharePoint ToolPane Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-580 | Microsoft PC Manager Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-579 | Microsoft Windows win32kfull Integer Overflow Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-578 | Microsoft Windows AppX Deployment Service Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-577 | Siemens SINEC NMS uploadFWBinary Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-576 | Siemens SINEC NMS unZipJarFilestoLocation Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-575 | Siemens SINEC NMS reqToChangePassword Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-574 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-573 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-572 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-571 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-570 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-569 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-568 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-567 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-566 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-565 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-564 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-563 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-562 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-561 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-560 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-559 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-558 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-557 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-556 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-555 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-554 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-553 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-552 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-551 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-550 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-549 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-548 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-547 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-546 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-545 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-543 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-542 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-541 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-540 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-539 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-538 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-537 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-536 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-535 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-534 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-533 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-532 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-531 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-530 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-529 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-528 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-527 | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-526 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-525 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-524 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-523 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-522 | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-521 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-520 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-519 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-518 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-517 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-516 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-515 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-514 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-513 | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-512 | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-511 | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-510 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-509 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-508 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-507 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-506 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-505 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-504 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-503 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-502 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-501 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-500 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-499 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-498 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-497 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-496 | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-495 | IrfanView CADImage Plugin CGM File Parsing Out-of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-494 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-493 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-492 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-491 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-490 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-489 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-488 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-487 | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-486 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-485 | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-484 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-483 | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-482 | (0Day) INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-481 | (0Day) INVT VT-Designer PM3 File Parsing Type Confusion Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-480 | (0Day) INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-479 | (0Day) INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-478 | (0Day) INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-477 | (0Day) INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-476 | (0Day) INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-475 | (0Day) INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-474 | (0Day) INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 9.7.25 | ZDI-25-473 | Parallels Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 9.7.25 | NordDragonScan infostealer | NordDragonScan is a new Windows-based infostealing malware variant identified by the researchers from Fortinet. Recently observed campaigns leverage malicious .HTA files in order to deliver infostealing payload to the intended victims. | ALERTS | VIRUS |
| 9.7.25 | RondoDox botnet | RondoDox is new botnet identified recently by the researchers from Fortinet. RondoDox has been reported to leverage two high severity vulnerabilities for spreading: CVE-2024-3721 and CVE-2024-12856. | BOTNET | |
| 9.7.25 | Datebug APT attacks against BOSS Linux systems | Datebug threat group (also known as APT36 or Transparent Tribe) has been reported to conduct a new campaign targeting the BOSS Linux systems. | APT | |
| 9.7.25 | NimDoor - a Nim-based malware for macOS | NimDoor is a newly identified macOS malware variant for the macOS platform. Compiled in the Nim programming language, the malware targets Web3 and Cryptocurrency-related platforms. The attackers leverage social engineering tactics to approach their victims. | VIRUS | |
| 9.7.25 | SHELLTER | Taking SHELLTER: a commercial evasion framework abused in- the- wild | MALWARE | INFOSTEALER |
| 9.7.25 | Anatsa | Anatsa Targets North America; Uses Proven Mobile Campaign Process | MALWARE | Mobil |
| 8.7.25 | NordDragonScan | NordDragonScan: Quiet Data-Harvester on Windows | MALWARE | INFOSTEALER |
| 8.7.25 | CVE-2024-12856 | The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. | VULNEREBILITY | VULNEREBILITY |
| 8.7.25 | CVE-2024-3721 | A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. | VULNEREBILITY | VULNEREBILITY |
| 8.7.25 | RondoDox | RondoDox Unveiled: Breaking Down a New Botnet Threat | BOTNET | BOTNET |
| 8.7.25 | Batavia | Batavia spyware steals data from Russian organizations | MALWARE | SPYWARE |
| 8.7.25 | CVE-2019-9621 | (CVSS score: 7.5) - A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could result in unauthorized access to internal resources and remote code execution | VULNEREBILITY | VULNEREBILITY |
| 8.7.25 | CVE-2019-5418 | (CVSS score: 7.5) - A path traversal vulnerability in Ruby on Rails' Action View that could cause contents of arbitrary files on the target system's file system to be exposed | VULNEREBILITY | VULNEREBILITY |
| 8.7.25 | CVE-2016-10033 | (CVSS score: 9.8) - A command injection vulnerability in PHPMailer that could allow an attacker to execute arbitrary code within the context of the application or result in a denial-of-service (DoS) condition | VULNEREBILITY | VULNEREBILITY |
| 8.7.25 | CVE-2014-3931 | (CVSS score: 9.8) - A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an arbitrary memory write and memory corruption | VULNEREBILITY | VULNEREBILITY |
| 8.7.25 | DRAT V2 | DRAT V2: Updated DRAT Emerges in TAG-140’s Arsenal | MALWARE | RAT |
| 6.7.25 | Malicious Abuse of ConnectWise (ScreenConnect) | Over the past several months, we have observed a sharp increase in the malicious use of the popular Remote Monitoring and Management (RMM) tool ConnectWise by ransomware operators, Initial Access Brokers, APTs, and other eCrime actors. | ALERTS | APT |
| 6.7.25 | Remcos malspam campaign starts with a tar archive | A recently observed Remcos campaign began with a malicious email containing a .tar archive attachment. The archive contains a .lnk file which launches PowerShell to download the Remcos payload. | CAMPAIGN | |
| 6.7.25 | Janela RAT delivered in a recent campaign | Janela RAT (Remote Access Trojan) is a modified variant of a malware known as BX RAT. Janela RAT has been previously seen spread in campaigns targeting banking users from the LATAM region. | VIRUS | |
| 6.7.25 | Blackmoon’s expanding arsenal | The Blackmoon banking trojan, known for targeting users of online financial services, particularly in South Korea, has evolved into a more deceptive and multi-functional threat. | VIRUS | |
| 6.7.25 | DEVMAN - a new DragonForce ransomware variant | DEVMAN is a new customized ransomware variant from the DragonForce malware family. The malware encrypts data and appends .DEVMAN extension to locked files. | RANSOM | |
| 6.7.25 | GIFTEDCROOK malware upgraded for document theft via Telegram | An enhanced version of the GIFTEDCROOK malware, operated by the UAC-0226 threat group has been reported, marking a significant upgrade from its earlier capabilities first observed in February 2025. | VIRUS | |
| 5.7.25 | ZDI-25-472 | Delta Electronics CNCSoft Screen Editor DPB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.7.25 | ZDI-25-471 | Delta Electronics CNCSoft Screen Editor DPB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.7.25 | ZDI-25-470 | Delta Electronics CNCSoft Screen Editor DPB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.7.25 | ZDI-25-469 | Delta Electronics CNCSoft Screen Editor DPB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.7.25 | ZDI-25-468 | GFI Archiver Telerik Web UI Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.7.25 | ZDI-25-467 | GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.7.25 | CVE-2025-20309 | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, | VULNEREBILITY | VULNEREBILITY |
| 5.7.25 | CVE-2025-6463 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. | VULNEREBILITY | VULNEREBILITY |
| 5.7.25 | FileFix (Part 2) | Last week I released the FileFix attack blog post which is an alternative to the traditional ClickFix attack. This blog post explores another variation to the original FileFix attack. | ATTACK | ATTACK |
| 5.7.25 | Chisel | Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as backdoor. | MALWARE | Backdoor |
| 5.7.25 | CVE-2025-32462 | (CVSS score: 2.8) - Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines | VULNEREBILITY | VULNEREBILITY |
| 5.7.25 | CVE-2025-32463 | (CVSS score: 9.3) - Sudo before 1.9.17p1 allows local users to obtain root access because "/etc/nsswitch.conf" from a user-controlled directory is used with the --chroot option | VULNEREBILITY | VULNEREBILITY |
| 4.7.25 | The Continuous Evolution of Ad Fraud Exploiting App Stores as a Front | The IAS Threat Lab has uncovered "Kaleidoscope," an insidiously adaptive Android ad fraud operation that employs legitimate-looking apps hosted on Google Play as a deceptive façade, while its malicious duplicate counterparts, distributed predominantly through third-party app stores, drive fraudulent ad supply. | REPORT | REPORT |
| 3.7.25 | HOUKEN | SEEKING A PATH BY LIVING ON THE EDGE WITH ZERO-DAYS | REPORT | REPORT |
| 3.7.25 | CVE-2025-20309 | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. | VULNEREBILITY | VULNEREBILITY |
| 3.7.25 | NimDoor | macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware | MALWARE | macOS |
| 2.7.25 | Braodo infostealer hosts downloaded components on GitHub | A recently observed campaign involving Braodo stealer malware leveraged GitHub to house multiple components downloaded in the attack chain. | ALERTS | VIRUS |
| 2.7.25 | CVE-2025-4322: WordPress Motors theme privilege escalation vulnerability | CVE-2025-4322 is a critical unauthenticated privilege escalation vulnerability (CVSS 9.8) affecting the WordPress Motors theme in versions up to 5.6.67. | VULNEREBILITY | |
| 2.7.25 | EmailJS and HubSpot Abused in CCMA Phishing Scheme | A new phishing campaign is circulating under the guise of a legal summons from South Africa’s Commission for Conciliation, Mediation and Arbitration (CCMA), leveraging urgency and fear to pressure recipients into action. | PHISHING | |
| 2.7.25 | Nebulous Mantis | (a.k.a. Cuba, STORM-0978, Tropical Scorpius, UNC2596) is a Russian-speaking cyber espionage group that has actively deployed the RomCom remote access trojan (RAT) and Hancitor loader in targeted campaigns since mid-2019. | CAMPAIGN | CAMPAIGN |
| 2.7.25 | TransferLoader | Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. | MALWARE | LOADER |
| 2.7.25 | DAMASCENED PEACOCK | A lightweight, staged downloader targeting Windows, delivered via spear-phishing. | MALWARE | DOWNLOADER |
| 2.7.25 | CVE-2025-49596 | The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio | VULNEREBILITY | VULNEREBILITY |
| 1.7.25 | CVE-2025-6554 | Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | VULNEREBILITY | VULNEREBILITY |
| 1.7.25 |
Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest |
The Cybersecurity and
Infrastructure Security Agency (CISA), Federal Bureau of Investigation
(FBI), the Department of Defense Cyber Crime Center (DC3), and the
National Security Agency (NSA) (hereafter referred to as the authoring agencies) strongly urge organizations to remain vigilant for potential targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors. |
REPORT | REPORT |
| 30.6.25 | CVE-2025-20702 | CVE-2025-20702 is a critical vulnerability with a CVSS score of 9.6/10, though its risk level is disputed between Airoha and the discoverer. | VULNEREBILITY | VULNEREBILITY |
| 30.6.25 | CVE-2025-20701 | CVE-2025-20701 is a high-risk vulnerability with a CVSS score of 8.8/10, characterized by missing authentication, which could allow unauthorized access. | VULNEREBILITY | VULNEREBILITY |
| 30.6.25 | CVE-2025-20700 | CVE-2025-20700 is a high-risk vulnerability with a CVSS score of 8.8/10, characterized by missing authentication, which could allow unauthorized access. | VULNEREBILITY | VULNEREBILITY |
| 29.6.25 | PrintScan Hacks: Identifying multiple vulnerabilities across multiple Brother devices | Identifying multiple vulnerabilities across multiple Brother devices | REPORT | REPORT |
| 29.6.25 | CVE-2024-51978 | An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request. | VULNEREBILITY | VULNEREBILITY |
| 29.6.25 | CVE-2024-51977 | An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. | VULNEREBILITY | VULNEREBILITY |
| 29.6.25 | CVE-2024-51979 | An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631). | VULNEREBILITY | VULNEREBILITY |
| 29.6.25 | CVE-2024-51984 | An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. | VULNEREBILITY | VULNEREBILITY |
| 28.6.25 | UAC-0226 | UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. | GROUP | GROUP |
| 28.6.25 | GIFTEDCROOK | GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations | MALWARE | STEALER |
| 28.6.25 | Lumma Stealer infection with follow-up malware | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 28.6.25 | CVE-2025-5349 | Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway | VULNEREBILITY | VULNEREBILITY |
| 28.6.25 | CVE-2025-5777 | Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | VULNEREBILITY | VULNEREBILITY |
| 28.6.25 | CVE-2025-6543 | A vulnerability has been discoSPRÁVNĚ TAKÉ TO MŮŽOU BÝT OVLÁDAČEvered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details. | VULNEREBILITY | VULNEREBILITY |
| 28.6.25 | CVE-2025-6218 | RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. | VULNEREBILITY | VULNEREBILITY |
| 28.6.25 | FileFix - A ClickFixAlternative | The update contains some modules related to ClickFix attack, which prompted me to dive deeper into the social engineering technique. | HACKING | HACKING |
| 28.6.25 | ZDI-25-466 | (0Day) Marvell QConvergeConsole readNICParametersFromFile Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-465 | (0Day) Marvell QConvergeConsole readObjectFromConfigFile Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-464 | (0Day) Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-463 | (0Day) Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-462 | (0Day) Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-461 | (0Day) Marvell QConvergeConsole deleteEventLogFile Directory Traversal Arbitrary File Deletion Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-460 | (0Day) Marvell QConvergeConsole saveNICParamsToFile Directory Traversal Arbitrary File Write Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-459 | (0Day) Marvell QConvergeConsole restoreESwitchConfig Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-458 | (0Day) Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-457 | (0Day) Marvell QConvergeConsole deleteAppFile Directory Traversal Arbitrary File Deletion Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-456 | (0Day) Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-455 | (0Day) Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-454 | (0Day) Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-453 | (0Day) Marvell QConvergeConsole compressFirmwareDumpFiles Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-452 | (0Day) Marvell QConvergeConsole compressDriverFiles Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-451 | (0Day) Marvell QConvergeConsole getAppFileBytes Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-450 | (0Day) Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-449 | (0Day) Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 28.6.25 | ZDI-25-448 | (0Day) Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 28.6.25 | LapDogs, The New ORB in Town | SecurityScorecard’s STRIKE research team has identified a new suspected China-Nexus network of Operational Relay Boxes (ORB) called “LapDogs” targeting primarily Linux-based Small Office/Home Office (SOHO) devices around the globe. | REPORT | REPORT |
| 27.6.25 | ODYSSEY STEALER | The CYFIRMA research team has uncovered multiple websites employing Clickfix tactics to deliver malicious AppleScripts (osascripts). | MALWARE | STEALER |
| 27.6.25 | ToneShell | ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit | MALWARE | BACKDOOR |
| 27.6.25 | Hive0154 | Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor | GROUP | GROUP |
| 27.6.25 | Harnessing Language Models for Detection of Evasive Malicious Email Attachments | Harnessing Language Models for Detection of Evasive Malicious Email Attachments | KONFERENCE | CanSecWest_newtype |
| 27.6.25 | Threat Modeling AI Systems – Understanding the Risks | Threat Modeling AI Systems – Understanding the Risks | CanSecWest_newtype | |
| 27.6.25 | SOAR Implementation Pain Points and How to Avoid Them | SOAR Implementation Pain Points and How to Avoid Them | KONFERENCE | CanSecWest_newtype |
| 27.6.25 | Deepfake Deception: Weaponizing AI-Generated Voice Clones in Social Engineering Attacks | Deepfake Deception: Weaponizing AI-Generated Voice Clones in Social Engineering Attacks | CanSecWest_newtype | |
| 27.6.25 | AI Security Landscape: Tales and Techniques from the Frontlines | AI Security Landscape: Tales and Techniques from the Frontlines | KONFERENCE | CanSecWest_newtype |
| 27.6.25 | Keys to Freedom: Analysis and Resolution of Arab Ransom Locker Infections | Keys to Freedom: Analysis and Resolution of Arab Ransom Locker Infections | CanSecWest_newtype | |
| 27.6.25 | Role Reversal: Exploiting AI Moderation Rules as Attack Vectors. | Role Reversal: Exploiting AI Moderation Rules as Attack Vectors. | KONFERENCE | CanSecWest_newtype |
| 27.6.25 | Blockchain's Biggest Heists - Bridging Gone Wrong | Blockchain's Biggest Heists - Bridging Gone Wrong | CanSecWest_newtype | |
| 27.6.25 | Cross-Medium Injection: Exploiting Laser Signals to Manipulate Voice-Controlled IoT Devices | Cross-Medium Injection: Exploiting Laser Signals to Manipulate Voice-Controlled IoT Devices | KONFERENCE | CanSecWest_newtype |
| 27.6.25 | Fresh Secrets From The Docks - Lessons Learnt From Analysing 15 Million Public DockerHub Images (With a twist of AI) | Fresh Secrets From The Docks - Lessons Learnt From Analysing 15 Million Public DockerHub Images (With a twist of AI) | CanSecWest_newtype | |
| 27.6.25 | Sainbox RAT | Netskope Threat Labs has discovered a campaign using fake installers to deliver the Sainbox RAT and Hidden rootkit. | MALWARE | RAT |
| 27.6.25 | CVE-2023-36934 | In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database | VULNEREBILITY | VULNEREBILITY |
| 27.6.25 | CVE-2023-34362 | In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | VULNEREBILITY | VULNEREBILITY |
| 27.6.25 | Dire Wolf Ransomware | Dire Wolf is a new ransomware threat group discovered in the wild. The attackers have been focusing their efforts mostly on manufacturing and technology sectors. | RANSOM | |
| 27.6.25 | Open-source tools leveraged in attacks targeting the financial sector in Africa | Researchers from Palo Alto have recently reported on an ongoing campaign targeting financial institutions across Africa. | CAMPAIGN | |
| 27.6.25 | Prometei Botnet evolves with Self-Updating Linux variants | As per the latest report by Palo Alto Networks’ Unit 42, the Prometei botnet has resurfaced with enhanced capabilities, particularly in its Linux variants (v3 and v4). | BOTNET | |
| 27.6.25 | NightSpire Ransomware | Between March and June 2025, NightSpire ransomware actors claimed responsibility for attacks affecting 64 entities across 33 countries, with a globally dispersed victim base. | RANSOM | |
| 26.6.25 | Phishing Campaigns Galore | The surge in ClickFix campaigns also coincides with the discovery of various phishing campaigns that | CAMPAIGN | CAMPAIGN |
| 26.6.25 | ESET Threat Report H1 2025 | A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts | REPORT | REPORT |
| 26.6.25 | CVE-2025-20282 | An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC release 3.4 that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and execute those files on the underlying operating system as root | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2025-20281 | An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | Dire Wolf | Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors | GROUP | GROUP |
| 26.6.25 | ZDI-25-447 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-446 | PDF-XChange Editor App Object Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-445 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-444 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-443 | PDF-XChange Editor GIF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-442 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-441 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-440 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-439 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-438 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-437 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-436 | PDF-XChange Editor JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-435 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-434 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-433 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-432 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-431 | PDF-XChange Editor U3D File Parsing Use-After-Free Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-430 | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-429 | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-428 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-427 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-426 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-425 | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-424 | Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-423 | Microsoft WinJS winjsdevelop Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-422 | Microsoft Azure Machine Learning Environments Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-421 | Microsoft Azure App Services Information Disclosure Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-420 | PaperCut NG web-print-hot-folder Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.6.25 | ZDI-25-419 | TeamViewer Incorrect Permission Assignment Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 26.6.25 | Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. T | REPORT | REPORT |
| 26.6.25 |
PRC cyber
actors target telecommunications companies as part of a global cyberespionage campaign |
People’s Republic of China cyber threat activity | REPORT | REPORT |
| 26.6.25 | SparkCat | SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play | MALWARE | MOBIL |
| 26.6.25 | CVE-2024-54085 | (CVSS score: 10.0) - An authentication bypass by spoofing vulnerability in the Redfish Host Interface of AMI MegaRAC SPx that could allow a remote attacker to take control | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2024-0769 | (CVSS score: 5.3) - A path traversal vulnerability in D-Link DIR-859 routers that allows for privilege escalation and unauthorized control (Unpatched) | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2019-6693 | (CVSS score: 4.2) - A hard-coded cryptographic key vulnerability in FortiOS, FortiManager and FortiAnalyzer that's used to encrypt password data in CLI configuration, potentially allowing an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2025-6543 | A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details. | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2025-5777 | Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2025-0056 | SAP GUI for Java saves user input on the client PC to improve usability. An attacker with administrative privileges or access to the victims user directory on the Operating System level would be able to read this data. | VULNEREBILITY | VULNEREBILITY |
| 26.6.25 | CVE-2025-0055 | SAP GUI for Windows stores user input on the client PC to improve usability. Under very specific circumstances an attacker with administrative privileges or access to the victims user directory on the Operating System level would be able to read this data. | VULNEREBILITY | VULNEREBILITY |
| 25.6.25 | Wedding Invite scam deploys SpyMax RAT on Indian Android devices | An Android phishing campaign dubbed “Wedding Invitation” has been observed targeting mobile users across India by distributing spyware-laced APK files via WhatsApp and Telegram. | VIRUS | |
| 25.6.25 | Python-based ransomware variant spread in a recent campaign | As reported by researchers from Tinexta, a new campaign spreading a Python ransomware variant has been observed in the wild. The attackers make use of publicly accessible GitHub repositories to host the malicious .ISO binaries . | RANSOM | |
| 25.6.25 | PylangGhost - a new Python-based Remote Access Trojan | PylangGhost is a new RAT (Remote Access Trojan) variant discovered recently by the researchers from Cisco Talos. As the name suggests the malware is written in Python and shares some code similarities and functionalities with an older RAT strain known as GolangGhost. | VIRUS | |
| 25.6.25 | Shadow Vector: SVG Smuggling campaign targets Colombian users | A phishing malware campaign dubbed Shadow Vector has been reported, targeting users in Colombia through malicious SVG files disguised as urgent court notifications. | CAMPAIGN | |
| 25.6.25 | Drops 35 | Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages | CAMPAIGN | CAMPAIGN |
| 25.6.25 | Кібератаки UAC-0001 (APT28) у відношенні державних органів із застосуванням BEARDSHELL та COVENANT | У березні-квітні 2024 року під час проведення заходів з реагування на кіберінцидент в інформаційно-комунікаційній системі (ІКС) центрального органу виконавчої влади, національною командою реагування на кіберінциденти, кібератаки, кіберзагрози CERT-UA ідентифіковано технічний засіб під управлінням операційної системи Windows, що виконував роль серверу, на якому, серед іншого, було виявлено два програмні засоби реалізації кіберзагрози, а саме: BEARDSHELL та SLIMAGENT. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 25.6.25 | ZDI-25-418 | Apple macOS CoreGraphics PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 24.6.25 | ZDI-25-417 | Clam AntiVirus UDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 24.6.25 | ZDI-25-416 | ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 24.6.25 | ZDI-25-415 | ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability |
ZERO-DAY |
|
| 24.6.25 | ZDI-25-414 | Ruby WEBrick read_header HTTP Request Smuggling Vulnerability |
ZERO-DAY |
|
| 24.6.25 | Koi Loader/Koi Stealer infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 24.6.25 | Malware disgused as cracked version of popular software | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 24.6.25 | LLMs unlock new paths to monetizing exploit | We argue that Large language models (LLMs) will soon alter the economics of cyberattacks. Instead of attacking the most commonly used software and monetizing exploits by targeting the lowest common denominator among victims, LLMs enable adversaries to launch tailored attacks on a user-by-user basis. | PAPERS | AI |
| 24.6.25 | Bypassing Prompt Injection and Jailbreak Detection in LLM Guardrai | Large Language Models (LLMs) guardrail systems are designed to protect against prompt injection and jailbreak attacks. | PAPERS | AI |
| 24.6.25 | CVE-2023-20198 | Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. | VULNEREBILITY | VULNEREBILITY |
| 24.6.25 | UMBRELLA STAND | Malware targeting Fortinet devices | MALWARE | RAT |
| 24.6.25 | SHOE RACK | A post-exploitation tool for remote shell access & TCP tunnelling through a victim device. | MALWARE | RAT |
| 24.6.25 | Context Poisoning Jailbreak | Echo Chamber: A Context-Poisoning Jailbreak That Bypasses LLM Guardrails | ATTACK | AI |
| 24.6.25 | XDigo | SadFuture: Mapping XDSpy latest evolution | MALWARE | GO |
| 23.6.25 | ZDI-25-413 | Fuji Electric Smart Editor TL5 File Parsing Stack-Based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-412 | Fuji Electric Smart Editor X1 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-411 | Delta Electronics CNCSoft-G2 DPAX File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-410 | Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-409 | RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-408 | PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-407 | SolarWinds Web Help Desk AjaxProxy Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-406 | SolarWinds Serv-U FTP Service Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-405 | Fuji Electric Smart Editor X1 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-404 | Fuji Electric Smart Editor X1 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-403 | Fuji Electric Smart Editor V8 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-402 | Fuji Electric Smart Editor TL5 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-401 | Fuji Electric Smart Editor V10 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-400 | Fuji Electric Smart Editor TL5 File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-399 | Fuji Electric Smart Editor V8 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-398 | Trend Micro Internet Security Platinum Host Service Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-397 | Delta Electronics COMMGR Insufficient Randomization Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-396 | Siemens TeleControl Server Basic UpdateOpcSettings SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-395 | Siemens TeleControl Server Basic UpdateGateways SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-394 | Siemens TeleControl Server Basic CreateProject SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-393 | Siemens TeleControl Server Basic UpdateBufferingSettings SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-392 | Siemens TeleControl Server Basic UpdateSmtpSettings SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-391 | Siemens TeleControl Server Basic UpdateTcmSettings SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-390 | Siemens TeleControl Server Basic UpdateDatabaseSettings SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-389 | Siemens TeleControl Server Basic UpdateUsers SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-388 | Siemens TeleControl Server Basic ImportDatabase SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-387 | Siemens TeleControl Server Basic UpdateProjectConnections SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-386 | Siemens TeleControl Server Basic UpdateConnectionVariables SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-385 | Siemens TeleControl Server Basic RestoreFromBackup SQL Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-384 | Siemens TeleControl Server Basic Authenticate SQL Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-383 | Siemens TeleControl Server Basic VerifyUser SQL Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-382 | Siemens TeleControl Server Basic UpdateProject SQL Injection Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.6.25 | ZDI-25-381 | Siemens TeleControl Server Basic CreateTrace SQL Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.6.25 | GodFather | GodFather Malware Returns Targeting Banking Users | MALWARE | BANKING |
| 23.6.25 | FjordPhantom | Promon discovers new Android banking malware, “FjordPhantom” | MALWARE | BANKING |
| 23.6.25 | CVE-2025-4322 | The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. | VULNEREBILITY | VULNEREBILITY |
| 23.6.25 | Anubis | Anubis: A New Ransomware Threat | RANSOMWARE | RANSOMWARE |
| 22.6.25 | CVE-2023-0386 | Linux Kernel Improper Ownership Management Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 22.6.25 | CVE-2025-5309 | The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 21.6.25 | CVE-2025-3464 | A race condition vulnerability exists in Armoury Crate. This vulnerability arises from a Time-of-check Time-of-use issue, potentially leading to authentication bypass. Refer to the 'Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | VULNEREBILITY | VULNEREBILITY |
| 21.6.25 | Amatera Stealer | Amatera is a recently identified infostealer variant believed to be an evolution of the older ACR Stealer malware. It has been reported as being offered for sale via the malware-as-a-service (MaaS) model. | VIRUS | |
| 21.6.25 | CVE‑2025‑49113 – Post‑Auth Remote Code Execution vulnerability in Roundcube | CVE-2025-4123 is a recently disclosed critical (CVSS score 9.9) Post‑Auth Remote Code Execution (RCE) vulnerability affecting Roundcube, which is a free and open-source webmail application. | VULNEREBILITY | |
| 21.6.25 | Discord Vanity Link Flaw Exploited in New Malware Campaign Dropping AsyncRAT and Skuld Stealer | A new sophisticated malware campaign aimed at financial gain from cryptocurrency users is exploiting a subtle weakness in Discord's invitation system to distribute an information stealer called Skuld and the AsyncRAT. | EXPLOIT | |
| 21.6.25 | Stargazers malware campaign targets Minecraft players via fake mods | A large-scale malware campaign operated by the Stargazers Ghost Network is actively targeting Minecraft players, according to a recent report from Checkpoint. | CAMPAIGN | |
| 21.6.25 | Modified XWorm RAT distributed through trojanized MSI | A China-linked threat actor distributing a trojanized MSI installer posing as a WhatsApp setup to deliver a customized XWorm Remote Access Trojan (RAT) has been reported targeting users in East and Southeast Asia. | VIRUS | |
| 21.6.25 | New variant of the Godfather mobile malware employs virtualization techniques | A new variant of the Godfather Android banking malware has been discovered in the wild. | ||
| 21.6.25 | CVE-2023-0386 - Linux Kernel Improper Ownership Management vulnerability exploited in the wild | CVE-2023-0386 is a high severity (CVSS score 7.8) Improper Ownership Management vulnerability affecting the Linux Kernel. | VULNEREBILITY | |
| 21.6.25 | FIN7-linked GrayAlpha uses PowerShell loaders and TDS to spread NetSupport RAT | GrayAlpha, a cybercriminal group associated with FIN7, has been reported conducting a sophisticated malware campaign using multiple infection vectors to distribute NetSupport RAT via custom PowerShell loaders, PowerNet and MaskBat. | APT | |
| 21.6.25 | New Librarian Ghouls Campaign | A new cyber espionage campaign by APT group "Librarian Ghouls" (also known as Rare Werewolf and Rezet) was observed targeting organizations primarily in Russia, Belarus and Kazakhstan focusing on industrial organizations and engineering schools, along with sectors like rocket, aviation, space, defense, and petrochemical industries. | CAMPAIGN | |
| 21.6.25 | HijackLoader campaign delivers DeerStealer payload | A recent campaign leveraging the HijackLoader malware has been observed to distribute the DeerStealer malicious payload. | CAMPAIGN | |
| 21.6.25 | Threat Actors Abuse Paste.ee and use Unicode Deception to Deploy XWorm RAT | A sophisticated malware campaign initiated by a deceptively named JavaScript file designed to download a malicious payload was observed. | VIRUS | |
| 21.6.25 | XDSpy campaign employs whitespace-obfuscated LNK files | A new XDSpy malware campaign, attributed to the SadFuture threat actor, has been observed targeting Eastern European and Russian government entities. | VIRUS | |
| 21.6.25 | Financial communications lead to malware downloads for Taiwanese users | A threat actor has been targeting users in Taiwan through campaigns masquerading as communications from official financial entities. | VIRUS | |
| 21.6.25 | CVE-2025-48828 - a new vBulletin RCE vulnerability | CVE-2025-48828 is a recently disclosed critical (CVSS score 9.0) template engine vulnerability affecting vBulletin, which is a commercial forum software platform. | VULNEREBILITY | |
| 21.6.25 | MintsLoader Malware Campaign Hits Italian PEC Users | A new MintsLoader malware campaign has targeted Italy, showcasing the attacker's strategy of adapting to the local Italian work calendar. | VIRUS | |
| 21.6.25 | Pickai Backdoor | A new backdoor malware dubbed Pickai (AI Pickpocket) has been observed spreading through vulnerabilities in the popular ComfyUI framework. Written in C++, Pickai spreads through innocuous-looking configuration files like JSON and TMUX settings. | VIRUS | |
| 21.6.25 | Hackers Weaponize Legitimate 'Netbird' Tool in Phishing Campaign Targeting CFOs | A new fake recruiter spear-phishing campaign has been observed targeting high-level financial executives at banks, energy companies, insurers, and investment firms across Africa, Canada, Europe, the Middle East, and South Asia. | PHISHING | |
| 21.6.25 | CVE-2025-4123 - Grafana XSS and Full-Read SSRF vulnerability | CVE-2025-4123 is a recently discovered high severity (CVSS score 7.6) open redirect vulnerability affecting Grafana, which is an open-source data visualization platform. | VULNEREBILITY | |
| 21.6.25 | Masslogger | During our recent investigation at Seqrite Labs, we identified a sophisticated variant of Masslogger credential stealer malware spreading through .VBE (VBScript Encoded) files | MALWARE | VBE |
| 21.6.25 | Amatera Stealer | Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint analysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities with ACR Stealer. | MALWARE | STEALER |
| 21.6.25 | VMDetector | VMDetector-Based Loader Abuses Steganography to Deliver Infostealers | MALWARE | STEALER |
| 21.6.25 | Prometei | Resurgence of the Prometei Botnet | BOTNET | BOTNET |
| 21.6.25 | PylangGhost | Famous Chollima deploying Python version of GolangGhost RAT | MALWARE | RAT |
| 20.6.25 | Shadow Vector | Shadow Vector targets Colombian users via privilege escalation and court-themed SVG decoys | CAMPAIGN | CAMPAIGN |
| 20.6.25 | Stargazers Ghost Network Campaigns | Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader. | CAMPAIGN | CAMPAIGN |
| 20.6.25 | AntiDot | is an Android botnet malware that lets cybercriminals control their victim devices with high capability. LARVA-398 operates and sells this botnet as a Malware as a Service (MaaS) on underground forums. | BOTNET | BOTNET |
| 20.6.25 | Blue(Noroff) | Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion | GROUP | GROUP |
| 20.6.25 | APT29 | What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | APT | APT |
| 20.6.25 | CVE-2025-6018 | A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). | VULNEREBILITY | VULNEREBILITY |
| 20.6.25 | CVE-2025-6019 | A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. | VULNEREBILITY | VULNEREBILITY |
| 20.6.25 | SERPENTINE#CLOUD | Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware | CAMPAIGN | CAMPAIGN |
| 20.6.25 | KimJongRAT | Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation | MALWARE | STEALER |
| 18.6.25 | CVE-2023-0386 | A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. | VULNEREBILITY | VULNEREBILITY |
| 18.6.25 | CVE-2025-23121 | A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
| 18.6.25 | CVE-2025-2783 | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) | VULNEREBILITY | VULNEREBILITY |
| 18.6.25 | CVE-2025-3248 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
| 18.6.25 | CVE-2023-33538 | TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm . | VULNEREBILITY | VULNEREBILITY |
| 15.6.25 | ZDI-25-380 | Trend Micro Maximum Security Platinum Host Service Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-379 | (Pwn2Own) Ubiquiti Networks AI Bullet Insufficient Firmware Update Validation Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-378 | (Pwn2Own) Ubiquiti Networks UniFi Console Missing Authentication for Critical Function Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-377 | (Pwn2Own) Ubiquiti Networks AI Bullet Improper Neutralization of Escape Sequences Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-376 | (Pwn2Own) Ubiquiti Networks AI Bullet Improper Certificate Validation Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-375 | Trend Micro Endpoint Encryption ProcessWhereClause SQL Injection Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-374 | Trend Micro Endpoint Encryption ValidateToken Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-373 | Trend Micro Endpoint Encryption DbAppDomain Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-372 | Trend Micro Endpoint Encryption GetGroupFilteredUsers SQL Injection Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-371 | Trend Micro Endpoint Encryption DeserializeFromBase64String Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-370 | Trend Micro Endpoint Encryption PolicyServerWindowsService Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-369 | Trend Micro Endpoint Encryption PolicyValueTableSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-368 | Trend Micro Endpoint Encryption BuildEnterpriseSearchString SQL Injection Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-367 | Trend Micro Apex Central ConvertFromJson Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-366 | Trend Micro Apex Central GetReportDetailView Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-365 | Trend Micro Apex One Security Agent ntrmv Uncontrolled Search Path Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-364 | Trend Micro Apex One Damage Cleanup Engine Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-363 | Trend Micro Apex One Virus Scan Engine Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-362 | Trend Micro Apex One Data Loss Prevention Uncontrolled Search Path Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-361 | Trend Micro Password Manager Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-360 | Trend Micro Worry-Free Business Security Uncontrolled Search Path Element Arbitrary Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-359 | Microsoft Visual Studio initializeCommand Insufficient UI Warning Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-358 | (Pwn2Own) Sony XAV-AX8500 Bluetooth ERTM Channel Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-357 | (Pwn2Own) Sony XAV-AX8500 Bluetooth Improper Isolation Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-356 | (Pwn2Own) Sony XAV-AX8500 Bluetooth AVCTP Protocol Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-355 | (Pwn2Own) Sony XAV-AX8500 Bluetooth SDP Protocol Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-354 | (Pwn2Own) Sony XAV-AX8500 Bluetooth L2CAP Protocol Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-353 | (Pwn2Own) Sony XAV-AX8500 Bluetooth Packet Handling Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-352 | Pioneer DMH-WT7600NEX Software Update Signing Insufficient Verification of Data Authenticity Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-351 | Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-350 | Pioneer DMH-WT7600NEX Root Filesystem Insufficient Verification of Data Authenticity Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-349 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial DLB_SlaveRegister Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-348 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial autocharge Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-347 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial wLength Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-346 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-345 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-344 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial Firmware Downgrade Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-343 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial Origin Validation Error Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-342 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-341 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-340 | (Pwn2Own) Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-339 | JupyterLab Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-338 | Adobe Acrobat Reader DC Collab Object Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-337 | Adobe Acrobat Reader DC Font Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-336 | Adobe Acrobat Reader DC Collab Object Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-335 | Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-334 | Microsoft Windows Remote Desktop Gateway Service Null Pointer Dereference Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-333 | Microsoft Windows Installer Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | ZDI-25-332 | Microsoft Windows Installer Service Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.6.25 | SmartAttack: Air-Gap Attack via Smartwatches | Air-gapped systems are considered highly secure against data leaks due to their physical isolation from external networks. | PAPERS | PAPERS |
| 15.6.25 | CVE-2025-49220 | A pre-auth RCE in Apex Central in the ConvertFromJson method. Improper input validation during deserialization lets attackers execute arbitrary code remotely without authentication. (CVSS 9.8) | VULNEREBILITY | VULNEREBILITY |
| 15.6.25 | CVE-2025-49219 | A pre-authentication RCE flaw in the GetReportDetailView method of Apex Central caused by insecure deserialization. Exploiting this allows unauthenticated attackers to execute code in the context of NETWORK SERVICE. (CVSS 9.8) | VULNEREBILITY | VULNEREBILITY |
| 15.6.25 | CVE-2025-49217 | A pre-authentication RCE vulnerability in the ValidateToken method, triggered by unsafe deserialization. While slightly harder to exploit, it still allows unauthenticated attackers to run code as SYSTEM | VULNEREBILITY | VULNEREBILITY |
| 15.6.25 | CVE-2025-49216 | An authentication bypass flaw in the DbAppDomain service due to a broken auth implementation. Remote attackers can fully bypass login and perform admin-level actions without credentials | VULNEREBILITY | VULNEREBILITY |
| 15.6.25 | CVE-2025-49213 | A pre-authentication remote code execution vulnerability in the PolicyServerWindowsService class, stemming from deserialization of untrusted data. Attackers can run arbitrary code as SYSTEM with no authentication required | VULNEREBILITY | VULNEREBILITY |
| 15.6.25 | CVE-2025-49212 | A pre-authentication remote code execution flaw caused by insecure deserialization in the PolicyValueTableSerializationBinder class. Remote attackers can exploit it to execute arbitrary code as SYSTEM without requiring login | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | CVE-2025-33053 | External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network. | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | DanaBleed | DanaBleed: DanaBot C2 Server Memory Leak Bug | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | CVE-2025-3052 | CVE-2025-3052 InsydeH2O Secure Boot Bypass | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | A Vulnerability in UEFI Applications allows for secure boot bypass via misused NVRAM variable | UEFI firmware applications DTBios and BiosFlashShell from DTResearch contain a vulnerability that allows Secure Boot to be bypassed using a specially crafted NVRAM variable. | ALERT | ALERT |
| 14.6.25 | Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation | An out-of-bounds (OOB) read vulnerability has been identified in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level 00, Revision 01.83 (March 2024). | ALERT | ALERT |
| 14.6.25 | A vulnerability in Insyde H2O UEFI application allows for digital certificate injection via NVRAM variable | A vulnerability in an Insyde H2O UEFI firmware application allows digital certificate injection through an unprotected NVRAM variable. | ALERT | ALERT |
| 14.6.25 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | CVE-2025-22455 | A hardcoded key in Ivanti Workspace Control before version 10.19.0.0 allows a local authenticated attacker to decrypt stored SQL credentials. | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | CVE-2025-5353 | A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt stored SQL credentials. | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | 2024 INTERNET CRIME REPORT | 2024 INTERNET CRIME REPORT | REPORT | REPORT |
| 14.6.25 | 2023 INTERNET CRIME REPORT | 2023 INTERNET CRIME REPORT | REPORT | REPORT |
| 14.6.25 | CVE-2025-49113 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | CVE-2024-3721 | A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. | VULNEREBILITY | VULNEREBILITY |
| 14.6.25 | JSFireTruck | JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique | CAMPAIGN | CyberCrime |
| 14.6.25 | Skuld | The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets. | MALWARE | STEALER |
| 14.6.25 | APT PROFILE – MISSION2025 | MISSION2025 is a Chinese state-sponsored advanced persistent threat (APT) group linked to APT41. Active since at least 2012, the group has conducted cyberespionage and | APT | APT |
| 13.6.25 | CyberEye RAT | CyberEye is a modular Remote Access Trojan that relies on Telegram for its C2 communications. Using a publicly available builder, its implants can be customized to include features like anti-analysis, cryptocurrency hijacking, and persistence. | VIRUS | |
| 13.6.25 | Spectra Ransomware | Spectra is a new ransomware variant found in the wild just this year. The malware belongs to the well known Chaos ransomware family. | RANSOM | |
| 13.6.25 | Stealth Falcon exploits Zero-Day Vulnerability CVE-2025-33053 | As reported by Check Point, the APT group Stealth Falcon has been observed exploiting a zero-day vulnerability (CVE-2025-33053) in a new malware campaign. | VULNEREBILITY | |
| 13.6.25 | Unusual Fog ransomware activity | In a recent report, the Symantec and Carbon Black Threat Hunter Team analyzed a Fog ransomware attack that targeted a financial institution in Asia. | RANSOM | |
| 13.6.25 | FIN6 abuses Job Portals and Cloud Infrastructure to evade detection | A malware campaign attributed to the threat actor FIN6, posing as job applicants on platforms like LinkedIn and Indeed, has been observed in the wild. Once a target is lured, the threat actor sends phishing emails containing non-clickable URLs that lead to cloud-hosted “resume” sites on AWS. | GROUP | |
| 13.6.25 | Chinese threat actor groups target cybersecurity vendor |
According to a recent report from SentinelLabs, China-backed
threat actors have deployed ShadowPad and PurpleHaze malware in global
campaigns.
|
GROUP | |
| 13.6.25 | Myth Stealer malware | Myth is a new Rust-based infostealing malware discovered recently in the wild. The malware has been previously advertised on various Telegram groups and lately reported as being distributed via fraudulent gaming websites and online portals offering software cracks, among others. | VIRUS | |
| 13.6.25 | CVE-2024-57727 | SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 13.6.25 | CVE-2025-43200 | iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. | VULNEREBILITY | VULNEREBILITY |
| 13.6.25 | TokenBreak Attack | Manipulating tokens to get past the security guard | ATTACK | ATTACK |
| 13.6.25 | CVE-2025-32711 | M365 Copilot Information Disclosure Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 11.6.25 | Exploitaiton of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution | New campaigns distributing variants of the popular Mirai botnet have been reported in the wild. The attackers have been exploiting critical (CVSS score 9.9) CVE-2025-24016 deserialization vulnerability affecting Wazuh Server which might allow for a remote code execution on the vulnerable devices. | BOTNET | |
| 11.6.25 | Datarip - a new MedusaLocker ransomware variant | Datarip ransomware is a new malware strain from the MedusaLocker ransomware family recently seen in the wild. The malware encrypts sensitive data while appending ".datarip" extension to the locked files. | RANSOM | |
| 11.6.25 | DuplexSpy RAT | DuplexSpy is a new Remote Access Trojan (RAT) variant identified in the wild. The malware is written in C#, has modular architecture and uses DLL injection technique for in-memory payload execution. | VIRUS | |
| 11.6.25 | DragonClone malicious operation | DragonClone is a new malicious campaign identified in the wild. The attackers have been targeting the Chinese Telecom Industry and distributing Veletrix and VShell malware implants as payloads. | OPERATION | |
| 11.6.25 | Golden Piranha - a new banking threat | Golden Piranha is the name of an emerging banking trojan identified by the researchers from SCILabs. The malware is leveraging Google Chrome browser extensions in order to steal banking related inputs from miscellaneous banking website forms. | ||
| 11.6.25 | SinoTrack GPS Receiver | Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface. | VULNEREBILITY | VULNEREBILITY |
| 11.6.25 | Microsft June 2025 Security Updates | This release consists of the following 68 Microsoft CVEs: | VULNEREBILITY | VULNEREBILITY |
| 11.6.25 | Adobe Security Bulletin June | Security updates available for Adobe Experience Manager | VULNEREBILITY | VULNEREBILITY |
| 11.6.25 | Salesforce Industry Clouds: Low-Code, High Stakes |
Salesforce industry clouds are a suite of Salesforce
solutions, each of which enables organizations to build industry-specific applications and workflows in a simplified low-code manner. |
REPORT | REPORT |
| 11.6.25 | FIN6 | Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery | GROUP | GROUP |
| 11.6.25 | Rust Based InfoStealer | Demystifying Myth Stealer: A Rust Based InfoStealer | MALWARE | STEALER |
| 10.6.25 | Rare Werewolf | Sleep with one eye open: how Librarian Ghouls steal data by night | APT | APT |
| 10.6.25 | CVE-2025-32433 | (CVSS score: 10.0) - A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server that could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution. |
VULNEREBILITY |
|
| 10.6.25 | CVE-2024-42009 | (CVSS score: 9.3) - A cross-site scripting (XSS) vulnerability in RoundCube Webmail that could allow a remote attacker to steal and send emails of a victim via a crafted email message by taking advantage of a desanitization issue in program/actions/mail/show.php. |
VULNEREBILITY |
|
| 10.6.25 | CVE-2025-24016 | Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). |
VULNEREBILITY |
|
| 10.6.25 | Disrupting malicious uses of AI: June 2025 | Our mission is to ensure that artificial general intelligence benefits all of humanity. We advance this mission by deploying our innovations to build AI tools that help people solve really hard problems. | REPORT | REPORT |
| 8.6.25 | Sakura RAT | A simple customer query leads to a rabbit hole of backdoored malware and game cheats | MALWARE | RAT |
| 8.6.25 | AS-REP Roasting Attack Explained | In the MITRE ATT&CK Framework, the AS-REP Roasting attack is categorized as T1558.004 under the 'Steal or Forge Kerberos Tickets' attack technique. | ATTACK | ATTACK |
| 8.6.25 | StopRansomware: Play Ransomware update | The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting | RANSOMWARE | RANSOMWARE |
| 8.6.25 | ZDI-25-331 | Autodesk Revit RFA File Parsing Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.6.25 | ZDI-25-330 | (0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 8.6.25 | ZDI-25-329 | (0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger tuya_svc_devos_activate_result_parse Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.6.25 | ZDI-25-328 | (0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger BLE Encryption Keys Uninitialized Variable Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 8.6.25 | ZDI-25-327 | (0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger LAN OTA Exposed Dangerous Method Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.6.25 | ZDI-25-326 | (0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.6.25 | ZDI-25-325 | Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.6.25 | REVIEW OF THE ATTACKS ASSOCIATED WITH LAPSUS$ AND RELATED THREAT GROUPS | Beginning in late 2021 and continuing late into 2022, a globally active, extortion-focused cyber threat actor group attacked dozens of well-known companies and government agencies around the world. | REPORT | REPORT |
| 8.6.25 | Infostealer Pipeline | The Infostealer Pipeline: How Russian Market Fuels Credential-Based Attacks | REPORT | REPORT |
| 8.6.25 | CVE-2025-48828 | Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. |
VULNEREBILITY |
|
| 8.6.25 | CVE-2025-48827 | vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025. |
VULNEREBILITY |
|
| 8.6.25 | Operation Phantom Enigma | A malicious campaign discovered by Positive Technologies specialists is primarily targeting residents of Brazil. Attacks have been detected since the beginning of 2025. | OPERATION | OPERATION |
| 7.6.25 | Interlock ransomware group deploys a new RAT named "NodeSnake" | Interlock ransomware group has been observed deploying a new RAT named "NodeSnake" and targeting educational institutions. | RANSOM | |
| 7.6.25 | APT41 using custom malware "TOUGHPROGRESS" to exploit Google Calendar | Threat Actor group APT41 has been observed using custom malware named TOUGHPROGRESS, which leverages Google Calendar events as its C2 channel, allowing it to hide malicious commands in seemingly benign public calendar entries. | APT | |
| 7.6.25 | Cheating in games might get you Blitz'ed | Blitz is a multi-stage malware composed of downloader and botnet components. A recent report by researchers at Palo Alto Networks provides details of campaigns attempting to proliferate this malware | VIRUS | |
| 7.6.25 | Android malware targets users in India by pretending to be a government app | In some recently observed malicious activity, a fake government application was found to be targeting Android users in India. | VIRUS | |
| 7.6.25 | Chaos RAT malware | A new Golang-based 5.0.3 variant of the Chaos RAT (Remote Access Trojan) has been recently discovered in the wild. | VIRUS | |
| 7.6.25 | Increased activity of DCRAT malware in Latin America | DCRAT (aka Dark Crystal RAT) is a modular RAT (Remote Access Trojan) offered for sale in form of Malware-as-a-Service (MaaS) model for last several years. | VIRUS | |
| 7.6.25 | AMOS malware for macOS spread via Clickfix social engineering techniques | A new campaign delivering the AMOS malware for macOS has been reported to leverage Clickfix social engineering techniques. | VIRUS | |
| 7.6.25 | Fake CAPTCHAs deliver multi-stage PowerShell downloaders | CAPTCHAs are used to determine whether a website visitor is human versus a bot. Malware campaigns have introduced fake CAPTCHAs into the attack chain to encourage interaction by the proposed victim. ClickFix is a name often given to such behavior. | VIRUS | |
| 7.6.25 | ViperSoftX activities continues via fake software | According to recent reports ViperSoftX continues to circulate widely across the globe, with a noticeable uptick in South Korea. | VIRUS | |
| 7.6.25 | CVE-2025-27920 - Srimax Output Messenger Directory Traversal vulnerability | CVE-2025-27920 is a recently discovered directory traversal vulnerability affecting Srimax Output Messenger software. | VULNEREBILITY | |
| 7.6.25 | AMOS update | AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers | MALWARE | Stealer |
| 6.6.25 | DuplexSpy | DuplexSpy RAT: Stealthy Windows Malware Enabling Full Remote Control and Surveillance | MALWARE | RAT |
| 6.6.25 | PathWiper | Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine | MALWARE | Wipper |
| 5.6.25 | ZDI-25-324 | Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-323 | Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-322 | 2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-321 | GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-320 | SolarWinds DameWare Mini Remote Control Service Incorrect Permissions Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-319 | Hewlett Packard Enterprise StoreOnce VSA getServerCertificate Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-318 | Hewlett Packard Enterprise StoreOnce VSA getServerPayload Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-317 | Hewlett Packard Enterprise StoreOnce VSA deletePackages Directory Traversal Arbitrary File Deletion Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-316 | Hewlett Packard Enterprise StoreOnce VSA Authentication Bypass Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-315 | Hewlett Packard Enterprise StoreOnce VSA doExecute Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-314 | Hewlett Packard Enterprise StoreOnce VSA doExecute Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-313 | Hewlett Packard Enterprise StoreOnce VSA determineInclusionAndExtract Server-Side Request Forgery Vulnerability |
ZERO-DAY |
|
| 5.6.25 | ZDI-25-312 | Hewlett Packard Enterprise StoreOnce VSA setLocateBeaconOnHardware Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 5.6.25 |
BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool |
In 2016, a sophisticated malware campaign targeting Pakistani nationals made headlines. Dubbed Bitter[4], the Advanced Persistent Threat group (also known as APT-C-08 [5]) has been active both in desktop and mobile malware campaigns for quite a long time, as their activity seems to date back to 2014. | REPORT | REPORT |
| 5.6.25 | Bitter Group | Bitter Group Distributes CHM Malware to Chinese Organizations | GROUP | GROUP |
| 5.6.25 | BladedFeline | ESET researchers analyzed a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig | APT | APT |
| 5.6.25 | Vishing Threats | Hello, Operator? A Technical Analysis of Vishing Threats | PHISHING | Vishing |
| 5.6.25 | UNC6040 | The Cost of a Call: From Voice Phishing to Data Extortion | GROUP | GROUP |
| 5.6.25 | CVE-2025-20286 | A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. |
VULNEREBILITY |
|
| 4.6.25 | New campaigns delivering Crocodilus mobile malware | A new variant of the Crocodilus mobile malware has been spread in recent campaigns targeting users in Europe and South America. | CAMPAIGN | |
| 4.6.25 | CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability | CVE-2023-38950 is a path traversal vulnerability affecting ZKTeco BioTime which is a web-based time and attendance management software. | VULNEREBILITY | |
| 4.6.25 | Exploiting the hype around popular AI tools to distribute various malware via fraudulent installers | Threat Actors are exploiting the hype around AI to distribute various malware strains. By capitalizing on the public's eagerness to access popular AI tools (such as ChatGPT, Copilot, DALL-E, Gemini, Midjourney, and Sora) Threat Actors are creating convincing but fraudulent installers. | AI | |
| 4.6.25 | Telegram-Based Email Credential Theft – Fake FedEx Invoice Campaign | Shipping companies are frequently exploited in social engineering attacks due to their global recognition, trusted brand image, and association with package notifications, invoices, and delivery updates—topics that easily trigger urgency, curiosity, and user interaction. These characteristics make them prime targets for phishing and credential theft campaigns. | CAMPAIGN | |
| 4.6.25 | EddieStealer delivered through ClickFix | EddieStealer is a Rust-based information stealer malware which has recently been observed as the payload of ClickFix campaigns. | VIRUS | |
| 4.6.25 | Latest PureHVNC RAT deployment campaigns | New campaigns delivering the PureHVNC RAT have been reported in the wild. The threat actors conduct multi stage operations and make use of miscellaneous components in their attacks including malicious .lnk files, PowerShell code, JavaScript, AutoIt, etc. | CAMPAIGN | |
| 4.6.25 | Python-based Lyrix Ransomware | Lyrix ransomware is a new Python based ransomware discovered in underground forums. It behaves in a manner similar to most current ransomware families | RANSOM | |
| 4.6.25 | New Katz Stealer malware-as-a-service compromises Web browsers | Katz Stealer operates as a multi-feature credential-stealing Malware-as-a-Service, designed for extensive system reconnaissance and data theft. It targets a vast array of sensitive information, including saved passwords, cookies, and session tokens from popular web browsers (Chrome, Edge, Brave, Firefox), cryptocurrency wallet files, and private keys via keyword matching. | VIRUS | |
| 4.6.25 | Earth Lamia exploits various SQL injection vulnerabilities | APT threat actor Earth Lamia exploits vulnerabilities in web applications to gain access to organizations, using various SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations for data exfiltration. | APT | |
| 4.6.25 | Recent VenomRAT activity |
A recent activity attributed to the VenomRAT malware has
been spotted in the wild. Malware is spread from a phishing website
disguised as AV software download page.
|
VIRUS | |
| 4.6.25 | PumaBot - a new botnet on the rise | PumaBot is a new Go-based botnet strain identified recently in the wild. Unlike some more common botnet variants, PumaBot does not rely on scanning the Internet for vulnerable devices but instead targets very specific ones via a list of IP addresses retrieved from the attacker C2 servers. | BOTNET | |
| 4.6.25 | Zanubis mobile malware latest activity | Zanubis is an Android banking malware active in the threat landscape since at least 2022. The malware has been known to mostly target banks and financial entities in South America but also expanding over time and adding theft of virtual cards and cryptocurrency to its portfolio. | ||
| 4.6.25 | AsyncRAT malspam campaigns observed | We've recently observed some malspam campaigns leveraging multiple downloads, starting with box.com, to deliver an AsyncRAT payload. | VIRUS | |
| 4.6.25 | Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress | Fancy Bear (aka APT28, Sofacy, Pawn Storm, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127) is a Russian Threat Actor group that uses spearphishing to deliver SpyPress, a malicious JavaScript payload, by exploiting cross-site scripting (XSS) vulnerabilities in webmail interfaces to exfiltrate sensitive email data from high-value webmail servers. | ALERTS | PHISHING |
| 4.6.25 | Bofamet Stealer malware | Bofamet is a new Python-based infostealer found in the wild. The malware collects miscellaneous information from the compromised endpoints including: credentials, system information, browser cookies, Telegram session data, Discord tokens, screenshots, Steam configuration files, etc. | VIRUS | |
| 4.6.25 | Chaos RAT | From open-source to open threat: Tracking Chaos RAT’s evolution | MALWARE | RAT |
| 4.6.25 | CVE-2025-37093 | An authentication bypass vulnerability exists in HPE StoreOnce Software. |
VULNEREBILITY |
|
| 3.6.25 | JINX-0132 | The Wiz Threat Research team has identified a widespread cryptojacking campaign targeting commonly used DevOps applications including Nomad and Consul. | GROUP | GROUP |
| 3.6.25 | CVE-2025-49113 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. |
VULNEREBILITY |
|
| 3.6.25 | Crocodilus | Crocodilus Mobile Malware: Evolving Fast, Going Global | MALWARE | Android |
| 3.6.25 | CVE-2025-5419 | Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
VULNEREBILITY |
|
| 3.6.25 | CVE-2024-13917 | (CVSS score: 8.3) - A pre-installed "com.pri.applock" application on Kruger&Matz smartphones exposed an "com.pri.applock.LockUI" activity that allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. |
VULNEREBILITY |
|
| 3.6.25 | CVE-2024-13916 | (CVSS score: 6.9) - A pre-installed "com.pri.applock" application on Kruger&Matz smartphones allows a user to encrypt any application using user-provided PIN code or by using biometric data. |
VULNEREBILITY |
|
| 3.6.25 | CVE-2024-13915 | (CVSS score: 6.9) - A pre-installed "com.pri.factorytest" application on Ulefone and Krüger&Matz smartphones exposes a "com.pri.factorytest.emmc.FactoryResetService" service that allows any installed application to perform a factory reset of the device. |
VULNEREBILITY |
|
| 3.6.25 | CVE-2025-27038 | Memory corruption while rendering graphics using Adreno GPU drivers in Chrome. |
VULNEREBILITY |
|
| 3.6.25 | CVE-2025-21480 | Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. |
VULNEREBILITY |
|
| 3.6.25 | CVE-2025-21479 | Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. |
VULNEREBILITY |
|
| 1.6.25 | Browser in the Middle (BiTM) | An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access. | HACKING | HACKING |
| 1.6.25 | Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. | HACKING | HACKING |
| 1.6.25 | Infrastructure Used to Manage Domains Related to Cryptocurrency Investment Fraud Scams between October 2023 and April 2025 | The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with malicious cyber activities linked to Funnull Technology Inc. (Funnull). | REPORT | REPORT |
| 1.6.25 | NodeSnake Malware Campaign | Threat Intelligence NodeSnake Malware Campaign | REPORT | REPORT |
| 1.6.25 | ASUS Routers campaign | GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers | CAMPAIGN | CAMPAIGN |
| 1.6.25 | Poseidon Stealer and Payday Loader | Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader | MALWARE | MALWARE |
| 1.6.25 | PumaBot | PumaBot: Novel Botnet Targeting IoT Surveillance Devices | BOTNET | BOTNET |
| 1.6.25 | CVE-2023-39780 | On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. |
VULNEREBILITY |
|
| 1.6.25 | CVE-2025-5054 | (CVSS score: 4.7) - A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces |
VULNEREBILITY |
|
| 1.6.25 | CVE-2025-4598 | (CVSS score: 4.7) - A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process |
VULNEREBILITY |
|
| 30.5.25 | ZDI-25-311 | (Pwn2Own) Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 30.5.25 | ZDI-25-310 | Linux Kernel ksmbd Session Setup Null Pointer Dereference Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 30.5.25 | ZDI-25-309 | (Pwn2Own) Canon imageCLASS MF656Cdw sfpcmAuthenticateSecAdmin Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 30.5.25 | XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | MALWARE | RAT |
| 30.5.25 | EDDIESTEALER | Chasing Eddies: New Rust- based InfoStealer used in CAPTCHA campaigns | MALWARE | STEALER |
| 30.5.25 | CVE-2025-3935 | ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. |
VULNEREBILITY |
|
| 29.5.25 | PE File DOS Header | The MS-DOS Header is a 64-byte structure at the beginning of a PE file. Along with the DOS stub, the DOS header is responsible for MS-DOS backward compatibility. | MALWARE | RAT |
| 29.5.25 | DragonForce | DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers | RANSOMWARE | RANSOMWARE |
| 29.5.25 | APT41 Innovative Tactics | Mark Your Calendar: APT41 Innovative Tactics | APT | APT |
| 29.5.25 | CVE-2025-47577 | Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2. |
VULNEREBILITY |
|
| 28.5.25 | CVE-2024-58136 | (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources (A regression of CVE-2024-4990) |
VULNEREBILITY |
|
| 28.5.25 | CVE-2025-32432 | (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17) |
VULNEREBILITY |
|
| 28.5.25 | AppleProcessHub infostealer for macOS | AppleProcessHub is the name of a new infostealer variant targeting the macOS platform and masquerading as a system process. | VIRUS | |
| 28.5.25 | Swan Vector APT campaign | A newly APT campaign, dubbed “Swan Vector” has been targeting East Asian nations, particularly Japan and Taiwan. | APT | |
| 28.5.25 | StarFire Ransomware Demands $3,000 in Bitcoin | A group or individual calling themselves "StarFire" has recently emerged in the threat landscape, targeting individual machines with ransomware. | RANSOM | |
| 28.5.25 | DoubleLoader malware | DoubleLoader is a new malware family recently identified in the wild. Its' main functionality, similarly to other loader variants, is to retrieve malicious payloads from attacker-controlled servers and to execute them on the compromised endpoints | VIRUS | |
| 28.5.25 | Another Fake CAPTCHA campaign leads a range of stealers and RATs | There have been reports of another campaign involving fake CAPTCHA pages to deceive users into executing malicious commands via the Windows Run dialog. | ALERTS | VIRUS |
| 28.5.25 | PumaBot | PumaBot: Novel Botnet Targeting IoT Surveillance Devices | BOTNET | BOTNET |
| 28.5.25 | CVE-2025-32432 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. |
VULNEREBILITY |
|
| 28.5.25 | Dero miner | Dero miner zombies biting through Docker APIs to build a cryptojacking horde | MALWARE | CRYPTOCURRENCY |
| 28.5.25 | VenomRAT | Inside a VenomRAT Malware Campaign | MALWARE | RAT |
| 27.5.25 | Void Blizzard | New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | GROUP | GROUP |
| 27.5.25 | TAG-110 | Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents | GROUP | GROUP |
| 27.5.25 | Winos 4.0 | NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign | MALWARE | Loader |
| 25.5.25 | Silent Ransom Group Targeting Law Firm | The cyber threat actor Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims | REPORT | REPORT |
| 25.5.25 | Russian GRU Targeting Western Logistics Entities and Technology Companies |
This joint cybersecurity advisory (CSA) highlights a Russian
state-sponsored cyber campaign targeting Western logistics entities and technology companies |
REPORT | REPORT |
| 25.5.25 | CVE-2020-12641 | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2020-35730 | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2021-44026 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2023-38831 | Exploiting WinRAR vulnerability |
VULNEREBILITY |
|
| 25.5.25 | CVE-2023-23397 | Exploiting the Outlook NTLM vulnerability |
VULNEREBILITY |
|
| 25.5.25 | CVE-2025-47949 | samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2025-4322 | The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. |
VULNEREBILITY |
|
| 24.5.25 | Lactrodectus | Following the spiders: Investigating Lactrodectus malware | MALWARE | RAT |
| 23.5.25 | Operation Sindoor – Anatomy of a Digital Siege | Overview Seqrite Labs, India’s largest Malware Analysis lab, has identified multiple cyber events linked to Operation Sindoor, involving state-sponsored APT activity and coordinated hacktivist operations. Observed tactics included spear phishing, deployment of malicious scripts, website defacements, and unauthorized data.. | OPERATION | OPERATION |
| 23.5.25 | ZDI-25-308 | Adobe Dreamweaver V8 Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-307 | Linux Kernel OpenvSwitch Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-306 | Docker Desktop Helper Service Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-305 | Apple XNU kernel vm_map Race Condition Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-304 | Apple macOS JPEG Image Decoding Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-303 | Apple Safari SandboxBroker ZIP File Processing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-302 | Apple macOS CoreMedia Framework Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-301 | Apple Safari Scrollbar Animation Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-300 | Apple macOS PDF Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-299 | Apple macOS acv2 Codec Converter Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-298 | Apple macOS MP4 File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-297 | Trend Micro Apex Central widget getBlock Local File Inclusion Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-296 | Trend Micro Apex Central modTMCM Unrestricted File Upload Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-295 | Trend Micro Apex Central widget getObjWGFServiceApiByApiName Local File Inclusion Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-294 | Microsoft PC Manager MSPCManagerService Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-293 | Microsoft Windows Installer Service Link Following Information Disclosure Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-292 | (Pwn2Own) Mozilla Firefox SpiderMonkey Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | ZDI-25-291 | (Pwn2Own) Mozilla Firefox IonMonkey JIT Compiler Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 23.5.25 | Vidar and StealC infostealers delivered via social engineering | A new campaign distributing Vidar and StealC infostealers variants has been reported by the researchers from Trend Micro. The attackers are leveraging social engineering techniques with the use of TikTok videos in an attempt to entice users into running arbitrary PowerShell commands. | VIRUS | |
| 23.5.25 | Dero cryptominer delivered to vulnerable Docker containers | A new campaign delivering a Dero cryptocurrency miner to vulnerable Docker containers has been reported in the wild. While abusing exposed Docker APIs the attackers inject two malware components called “nginx” and “cloud”. The deployed cryptominer is written in Golang and based off an open-source DeroHE CLI miner project. | CRYPTOCURRENCY | |
| 23.5.25 | TetraLoader distributed in the UAT-6382 campaign | According to recent report from Cisco Talos, a new malicious activity dubbed UAT-6382 has been delivering a new malware called TetraLoader to its victims. The attackers have been leveraging a Cityworks RCE vulnerability (CVE-2025-0994) to get access to the targeted environments and perform the initial reconnaissance. | VIRUS | |
| 23.5.25 | Rhadamanthys delivered via phishing campaign | In a recently observed phishing campaign, we saw attackers attempting to deliver a Rhadamanthys stealer payload by way of a legal lure. Under the guise of a copyright infringement notification, the victim is encouraged to access a PDF for further details. | CAMPAIGN | |
| 22.5.25 | SideWinder APT using old Office Vulnerabilities | A new cyber-espionage campaign by APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers leverage spear-phishing lures paired with geofenced payloads to ensure that only victims in specific countries receives the malicious content. To activate the infection process and deploy the StealerBot malware a combined exploitation of old vulnerabilities (CVE-2017-0199 and CVE-2017-11882) takes place. | ALERTS | APT |
| 23.5.25 | GhostSpy Android malware | GhostSpy is a mobile malware variant recently seen being actively distributed in the wild. Similarly to other prevalent mobile malware strains, GhostSpy leverages Android Accessibility Services in order to sideload malicious .apk packages on the targeted devices. | VIRUS | |
| 23.5.25 | Fake KeePass installers distributed in attacks targeting ESXi environments |
KeePass is a popular open source password manager
application. Recently there have been reports about an ongoing campaign
distributing fake KeePass installers targeted at ESXi environments.
|
HACKING | |
| 23.5.25 | CVE-2024-7399 & CVE-2025-4632 - Samsung MagicINFO vulnerabilities | CVE-2024-7399 is an unauthenticated remote code execution (RCE) vulnerability affecting the Samsung MagicINFO 9 Server. The flaw enables attackers to upload malicious .jsp files via unauthenticated POST requests effectively allowing them to execute arbitrary OS commands as a result. | VULNEREBILITY | |
| 23.5.25 | Spoofed Japan's e-Tax email notifications appear in phish runs | E-Tax is the National Tax Agency's online tax website that helps to file tax returns and pay national corporation taxes. Recently, Symantec has observed phishing attempts mimicking e-Tax, enticing users to open fake notification emails. | PHISHING | |
| 23.5.25 | Malvertising lures victims to fake Kling AI website | Threat Actors use social media malvertising to lure victims to fake pages impersonating Kling AI platform. The campaign directs visitors to use the platform to create AI-generated images and videos. | AI | |
| 23.5.25 | Trojanized installer delivers Bumblebee loader | It was recently observed that the installer package for the RVTools application was trojanized with a Bumblebee loader dll. RVTools is free utility that collects and displays a multitude of information related to Virtual Machines in VMware environments. | VIRUS | |
| 23.5.25 | Russia-Ukraine conflict comes in picture in a new Binance phishing wave | Binance is one of the world's major cryptocurrency exchanges that allows users to buy, sell and trade various digital assets, including Bitcoin, Ethereum, and altcoins. Lately, Symantec has observed phish runs that impersonate Binance services and entices users to open fake notification emails. | PHISHING | |
| 23.5.25 | CVE-2023-20118 | A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. |
VULNEREBILITY |
|
| 23.5.25 | CVE-2025-3928 | Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells. |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-0994 | Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server. |
VULNEREBILITY |
|
| 22.5.25 | UAT-6382 | UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware | GROUP | GROUP |
| 22.5.25 | Russian GRU Targeting Western Logistics Entities and Technology Compani | This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. | REPORT | REPORT |
| 22.5.25 | CVE-2025-4428 | Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. |
VULNEREBILITY |
|
| 22.5.25 | Kerberoasting | Kerberoasting is a cyberattack that targets the Kerberos authentication protocol with the intent to steal AD credentials. | ATTACK | Windows |
| 22.5.25 | BadSuccessor | BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-34027 | (CVSS score: 10.0) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to achieve remote code execution by exploiting an endpoint related to package uploads ("/portalapi/v1/package/spack/upload") via arbitrary file writes |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-34026 | (CVSS score: 9.2) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to access heap dumps and trace logs by exploiting an internal Spring Boot Actuator endpoint via |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-34025 | (CVSS score: 8.6) - A privilege escalation and Docker container escape vulnerability that's caused by unsafe default mounting of host binary paths and could be exploited to gain code execution on the underlying host machine |
VULNEREBILITY |
|
| 21.5.25 | Chinese Adult Content Scam Targets Mobile Users Through PWA Injection | We’ve identified a fresh injection campaign abusing third-party JavaScript to redirect mobile users to a Chinese adult-content PWA scam. | SPAM | SPAM |
| 21.5.25 | Pure Harm | Pure Harm: PureRAT Attacks Russian Organizations | MALWARE | RAT |
| 20.5.25 | Shadow Roles | Shadow Roles: AWS Defaults Can Open the Door to Service Takeover | HACKING | CLOUD |
| 20.5.25 | Hazy Hawk | From banks to battalions: SideWinder’s attacks on South Asia’s public sector | GROUP | APT |
| 20.5.25 | ESET APT Activity Report Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | REPORT | REPORT |
| 20.5.25 | RedisRaider | RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale | MALWARE | CRYPTOCURRENCY |
| 20.5.25 | CVE-2025-4918 | An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object |
VULNEREBILITY |
|
| 20.5.25 | CVE-2025-4919 | An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes |
VULNEREBILITY |
|
| 18.5.25 | SnipVex | SnipVex—more than a Clipbanker | MALWARE | Stealer |
| 18.5.25 | XRed | XRed Backdoor: The Hidden Threat in Trojanized Programs | MALWARE | Backdoor |
| 18.5.25 | defendnot | New 'Defendnot' tool tricks Windows into disabling Microsoft Defender | TOOL | TOOL |
| 18.5.25 | Skitnet | Skitnet is a multi-stage malware that uses Rust and Nim to execute a stealthy reverse shell over DNS, leveraging encryption, manual mapping, and dynamic API resolution to evade detection | MALWARE | Loader |
| 18.5.25 | CVE-2025-4664 | Google Chromium Loader Insufficient Policy Enforcement Vulnerability |
VULNEREBILITY |
|
| 18.5.25 | CVE-2024-12987 | DrayTek Vigor Routers OS Command Injection Vulnerability |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-42999 | Insecure Deserialization in SAP NetWeaver (Visual Composer development server) |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-32756 | Stack-based buffer overflow vulnerability in API |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-22462 | An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system. |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-3462 | "This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints." An insufficient validation in ASUS DriverHub may allow unauthorized sources to interact with the software's features via crafted HTTP requests. |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-3463 | vulnerability in ASUS DriverHub may allow untrusted sources to affect system behavior via crafted HTTP requests |
VULNEREBILITY |
|
| 16.5.25 | Stealthy Shellcode loader executes Remcos RAT in Fileless Attack Chain | A sophisticated fileless malware campaign has been observed leveraging PowerShell to deploy the Remcos RAT. The attack begins with malicious LNK files embedded in ZIP archives, often masquerading as Office documents. These trigger obfuscated VBScript via mshta.exe leading to the in-memory execution of a PowerShell script. | ALERTS | VIRUS |
| 16.5.25 | Earth Ammit cyber espionage campaigns | The Threat Actor known as Earth Ammit launched two distinct cyber espionage campaigns (dubbed VENOM and TIDRONE) across Central Asia, Southeast Asia, and Eastern Europe. These campaigns strategically target government entities and critical infrastructure - such as software service providers and upstream vendors across several critical sectors, including heavy industry, media, technology, healthcare, and military. | CAMPAIGN | |
| 16.5.25 | TransferLoader malware | TransferLoader is a newly identified malware loader active since February 2025, consisting of three components: a downloader, a backdoor and a backdoor loader. It uses advanced evasion techniques such as anti-debugging, runtime string decryption and junk code insertion to avoid detection and complicate reverse engineering. | VIRUS | |
| 16.5.25 | New DarkCloud malware uses AutoIt obfuscation in targeted attacks | According to a report published by Palo Alto Networks Unit 42, a new variant of the DarkCloud Stealer malware has been observed primarily targeting government organizations worldwide. The attack typically begins with phishing emails containing either a RAR archive or a PDF which prompts victims to download a malicious archive disguised as a software update. | VIRUS | |
| 16.5.25 | Chihuahua Stealer malware | Chihuahua Stealer is a new .NET-based infostealer distributed via a multi-staged campaign. The attackers leverage malicious documents hosted on the Google Drive repository and malicious PowerShell scripts to initiate the infection chain. The final payload - Chihuahua Stealer is delivered from a OneDrive repository path and has the functionality to collect and exfiltrate various sensitive data from the compromised endpoints including system information, data stored in the system web browsers, cryptocurrency wallet information, etc. | VIRUS | |
| 16.5.25 | PupkinStealer: A .NET-based Malware | PupkinStealer, a .NET-based malware has been observed being distributed via phishing emails containing malicious attachments or links. Targeting Windows users, the malware is capable of stealing sensitive data from Chromium-based browsers, Telegram, Discord, email clients, clipboard contents and more. The stolen data is compressed into a ZIP archive and exfiltrated using the Telegram Bot API. | VIRUS | |
| 16.5.25 | Transparent Tribe aka APT36 | APT36, also known as Transparent Tribe, is a Pakistan-based advanced persistent threat (APT) group active since at least 2013 | GROUP | APT |
| 16.5.25 | APT GROUP123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. | GROUP | APT |
| 16.5.25 | Spectre-v2 Attacks UPDATE | On the Limitations of Domain Isolation Against Spectre-v2 Attacks | ATTACK | CPU |
| 16.5.25 | HTTPBot | High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding | BOTNET | BOTNET |
| 16.5.25 | Remcos RAT | Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT | MALWARE | RAT |
| 16.5.25 | CVE-2024-43420 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom® processors may allow an authenticated user to potentially enable information disclosure via local access. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2025-20623 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel® Core™ processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2024-45332 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2024-28956 | (CVSS v4 score: 5.7) - Indirect Target Selection (ITS), which affects Intel Core 9th-11th, and Intel Xeon 2nd-3rd, among others. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2025-24495 | (CVSS v4 score: 6.8) - Lion Cove BPU issue, which affects Intel CPUs with Lion Cove core |
VULNEREBILITY |
|
| 15.5.25 | ZDI-25-290 | Rockwell Automation ThinManager ThinServer Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 15.5.25 | ZDI-25-289 | Rockwell Automation ThinManager ThinServer Null Pointer Dereference Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 15.5.25 | ZDI-25-288 | Fortinet FortiWeb cgi_httpcontentrouting_post Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.5.25 | ZDI-25-287 | JetBrains TeamCity Diagnostics Data Directory Cross-Site Scripting Vulnerability |
ZERO-DAY |
|
| 15.5.25 | ZDI-25-286 | Dassault Systèmes eDrawings Viewer OBJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.5.25 | ZDI-25-285 | Dassault Systèmes eDrawings Viewer SLDPRT File Parsing Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.5.25 | ZDI-25-254 | MATE Desktop Atril Document Viewer EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 15.5.25 | Xinbi | Xinbi: The $8 Billion Colorado-Incorporated Marketplace for Pig-Butchering Scammers and North Korean Hackers | CRYPTOCURRENCY | CRYPTOCURRENCY |
| 15.5.25 | CVE-2025-4664 | Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) |
VULNEREBILITY |
|
| 15.5.25 | RoundPress | ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities | OPERATION | OPERATION |
| 15.5.25 | CVE-2025-4632 | Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority. |
VULNEREBILITY |
|
| 15.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-30397 | (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-30400 | (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32701 | (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32706 | (CVSS score: 7.8) - Windows Common Log File System Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32709 | (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | Swan Vector | Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants | APT | Group |
| 14.5.25 | Horabot | Horabot Unleashed: A Stealthy Phishing Threat | PHISHING | PHISHING |
| 14.5.25 | CVE-2025-32756 | A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10, FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5, FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-4428 | (CVSS score: 7.2) - A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-4427 | (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 13.5.25 | BTMOB RAT | According to recent reports, BTMOB RAT has resurfaced and now aims to steal Alipay PINs by mimicking the app’s interface. It spreads via phishing sites disguised as popular services and uses fake apps to lure victims. | VIRUS | |
| 13.5.25 | Noodlophile Stealer spread under the disguise of fake AI tools | An infostealing variant dubbed Noodlophile Stealer has been recently distributed in campaigns leveraging lures of AI video generators. The attackers have been advertising their fake AI platforms via social media platforms. The users are first asked to upload either photos or video for the AI to enhance and then are served with a download link for the supposedly edited content. | VIRUS | |
| 13.5.25 | Astryrean Stealer malware | Astryrean Stealer is a new Python-based infostealer recently identified in the wild. The malware targets collection and exfiltration of a wide variety of confidential or sensitive information including: compromised system information, data stored in system web browsers, Discord tokens or screenshots, among others. | VIRUS | |
| 13.5.25 | More_eggs served by Venom Spider | In a recent campaign threat actor known as "Venom Spider" has been targeting corporate hiring managers and recruiters with a complex spear-phishing scheme that capitalizes on the need for such users to open email attachments or click on links to review an applicants resume . | CAMPAIGN | |
| 13.5.25 | TA406 | TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. | GROUP | CAMPAIGN |
| 13.5.25 | CVE-2025-27920 | Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access. |
VULNEREBILITY |
|
| 13.5.25 | CVE-2025-3462 | (CVSS score: 8.4) - An origin validation error vulnerability that may allow unauthorized sources to interact with the software's features via crafted HTTP requests |
VULNEREBILITY |
|
| 13.5.25 | CVE-2025-3463 | (CVSS score: 9.4) - An improper certificate validation vulnerability that may allow untrusted sources to affect system behavior via crafted HTTP requests |
VULNEREBILITY |
|
| 13.5.25 | Noodlophile | New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms | MALWARE | STEALER |
| 12.5.25 | CoGUI Phish Kit | CoGUI Phish Kit Targets Japan with Millions of Messages | PHISHING | Kit |
| 12.5.25 | CVE-2025-27007 | Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 12.5.25 | CVE-2019-3568 | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-26647 | Windows Kerberos Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2024-7399 | Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-3248 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
VULNEREBILITY |
|
| 10.5.25 | OtterCookie v4 | Additional Features of OtterCookie Malware Used by WaterPlum | MALWARE | STEALER |
| 9.5.25 | PupkinStealer | PupkinStealer : A .NET-Based Info-Stealer | MALWARE | STEALER |
| 9.5.25 | Gunra Ransomware | At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. | GROUP | RANSOMWARE |
| 9.5.25 | HANNIBAL Stealer | HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage | MALWARE | STEALER |
| 9.5.25 | Earth Kasha threat actor targets Taiwan and Japan in a recent campaign | As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file. | APT | |
| 9.5.25 | Deployment of RMM tools in malicious campaigns targeting Brazil | A new malicious campaign targeting users from Brazil has been reported by researchers from Cisco Talos. The attackers leverage a variety of commercial Remote Monitoring and Management (RMM) tools such as PDQ Connect and N-able remote access software. | VIRUS | |
| 9.5.25 | Mamona Ransomware |
Mamona Ransomware is a newly discovered threat in the
commodity ransomware landscape that operates entirely offline, with no
external communication or data exfiltration. The malware uses custom
encryption routines to encrypt user files, renaming them with the .HAes
extension.
|
RANSOM | |
| 9.5.25 | Mail campaign delivers Java-based RAT | A malicious email campaign was recently observed targeting organizations in Italy, Portugal, and Spain. The campaign leveraged a Spanish email service provider in an effort to legitimize the emails which contained a PDF attachment. | ||
| 9.5.25 | LZRD - the latest Mirai variant distributed in the wild | New campaigns distributing Mirai botnet have been reported in the wild. The malware exploits two command injection vulnerabilities affecting GeoVision IoT devices that have been disclosed last year - CVE-2024-6047 and CVE-2024-11120. | BOTNET | |
| 9.5.25 | CVE-2025-31324 - a critical SAP NetWeaver vulnerability | CVE-2025-31324 is a recently disclosed critical (CVSS score 10) unrestricted file upload vulnerability affecting the SAP NetWeaver Visual Composer. | VULNEREBILITY | |
| 9.5.25 | CVE-2025-32433 - Erlang/OTP SSH RCE vulnerability | CVE-2025-32433 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Erlang/OTP which is a set of libraries for the Erlang programming language. If successfully exploited, the flaw might allow unauthenticated attackers to gain access to affected Erlang/OTP SSH servers and execute arbitrary commands. | VULNEREBILITY | |
| 9.5.25 | Bert Ransomware | In April, a new ransomware actor known as "Bert" was observed operating in the wild and allegedly claimed several organizations as victims, including those in the Healthcare, Technology, and Event Services sectors across the US and Turkey. | RANSOM | |
| 9.5.25 | NETXLOADER - a new loader used by the Agenda ransomware group | In a recent report, details about a new malware loader named NETXLOADER have been shared. This loader, along with SmokeLoader, has been used in attacks perpetrated by the Agenda ransomware group. | VIRUS | |
| 9.5.25 | Threat Actors use Pahalgam attack in malicious campaign | In a strategic approach to exploiting current events threat actors target Indian government personnel using decoy documents referencing the recent Pahalgam attack in a malicious campaign. | VIRUS | |
| 9.5.25 | FormBook malware distributed via weaponized Word Docs | A recent attack beginning with phishing emails containing malicious MS Word documents as attachments has been observed. Social engineering plays a part in luring users to click on the weaponized attached document. | VIRUS | |
| 9.5.25 | Balloonfly ransomware group leveraged 0-day in attack | The Symantec Threat Hunter team recently observed activity which can be attributed to the Balloonfly attack group. This group is typically responsible for distributing Play ransomware. | VULNEREBILITY | |
| 9.5.25 | CVE-2025–34028: Commvault Command Center Path Traversal Vulnerability | CVE-2025-34028 is a critical vulnerability found in the Command Center installation, enabling remote attackers to execute arbitrary code without authentication. | VULNEREBILITY | |
| 9.5.25 | Notaires de France Impersonated in Telegram-based Phishing Campaign | Symantec has identified a credential phishing campaign leveraging malicious HTML that mimic official French notarial services – a professional body of state-appointed legal officers, known as notaires. It serves as a central information hub for legal matters in France involving notarized acts. | PHISHING | |
| 9.5.25 | StealC V2: Enhanced capabilities | An enhanced version of the popular information stealer, StealC, has been observed. It features an upgraded control panel, a streamlined JSON-based C2 communication protocol and expanded payload delivery options including MSI packages and PowerShell scripts. | VIRUS | |
| 9.5.25 | TerraStealerV2 and TerraLogger malware families | Two new malware families, TerraStealerV2 and TerraLogger, have been reported in the wild and are associated with the financially motivated threat group Golden Chickens. | VIRUS | |
| 9.5.25 | Tax season targeted by modified Stealerium Infostealer | As U.S. tax day approaches, threat actors have been observed exploiting the season by distributing a modified version of the Stealerium infostealer through phishing emails. Malicious LNK files, disguised as tax-related documents like tax forms lure users into executing a Base64-encoded PowerShell script. | ALERTS | VIRUS |
| 9.5.25 | Darcula PhaaS | Exposing Darcula: a rare look behind the scenes of a global Phishing-as-a-Service operation | PHISHING | PhaaS |
| 9.5.25 | libexpat library is vulnerable to DoS attacks through stack overflow | A stack overflow vulnerability has been discovered within the libexpat open source library. When parsing XML documents with deeply nested entity references, libexpat can recurse indefinitely. | ALERT | ALERT |
| 9.5.25 | Radware Cloud Web Application Firewall Vulnerable to Filter Bypass | The Radware Cloud Web Application Firewall is vulnerable to filter bypass by multiple means. The first is via specially crafted HTTP request and the second being insufficient validation of user-supplied input when processing a special character | ALERT | ALERT |
| 9.5.25 | (RMM) tools | Spam campaign targeting Brazil abuses Remote Monitoring and Management tools | CAMPAIGN | PHISHING |
| 9.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. |
VULNEREBILITY |
|
| 9.5.25 | FreeDrain | FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network | CAMPAIGN | PHISHING |
| 8.5.25 | CVE-2025-27363 | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
VULNEREBILITY |
|
| 8.5.25 | StealC | I StealC You: Tracking the Rapid Changes To StealC | MALWARE | Steal |
| 8.5.25 | CVE-2025-32819 | (CVSS score: 8.8) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. |
VULNEREBILITY |
|
| 8.5.25 | CVE-2025-32820 | (CVSS score: 8.3) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable |
VULNEREBILITY |
|
| 8.5.25 | CVE-2025-32821 | (CVSS score: 6.7) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN admin privileges can with admin privileges can inject shell command arguments to upload a file on the appliance |
VULNEREBILITY |
|
| 8.5.25 | ZDI-25-284 | MATE Desktop Atril Document Viewer EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.5.25 | ZDI-25-283 | MATE Desktop Atril Document Viewer CBT File Parsing Argument Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.5.25 | COLDRIVER | COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs | MALWARE | Steal |
| 8.5.25 | CVE-2025-20188 | Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-29824 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-3102 | The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-27007 | Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-2777 | SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-2776 | SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-2775 | SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2019-3568 | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2024-11120 | Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2024-6047 | Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-27363 | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-3248 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-34028 | Commvault Command Center Path Traversal Vulnerability |
VULNEREBILITY |
|
| 6.5.25 | CVE-2024-58136 | Yiiframework Yii Improper Protection of Alternate Path Vulnerability |
VULNEREBILITY |
|
| 6.5.25 | TerraStealerV2 and TerraLogger | TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered | MALWARE | Loader |
| 6.5.25 | CVE-2025-23242 | NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, or information disclosure. |
VULNEREBILITY |
|
| 4.5.25 | CVE-2025-23243 | NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to data tampering or denial of service. |
VULNEREBILITY |
|
| 4.5.25 | CVE-2025-31191 | Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape |
VULNEREBILITY |
|
|
4.5.25 |
Hello 0-Days My Old Frien : A 2024 Zero-Day |
This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. |
REPORT |
|
|
4.5.25 |
Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government |
APT |
||
|
4.5.25 |
TARGETING AND COMPROMISE OF FRENCH ENTITIES USING THE APT28 INTRUSION S |
ACTIVITIES ASSOCIATED WITH APT28 SINCE 2021 |
REPORT |
|
|
4.5.25 |
Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition. |
VULNEREBILITY |
||
|
4.5.25 |
Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. |
VULNEREBILITY |
||
| 4.5.25 | AirBorne | Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk | HACKING | Apple |
| 4.5.25 | CVE-2025-3928 | Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells. |
VULNEREBILITY |
|
| 3.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. |
VULNEREBILITY |
|
| 3.5.25 | FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure | The FortiGuard Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group. The attack involved extensive espionage operations and suspected network prepositioning—a tactic often used to maintain persistent access for future strategic advantage. | REPORT | REPORT |
| 2.5.25 | Digigram PYKO-OUT audio-over-IP (AoIP) does not require a password by default | Digigrams PYKO-OUT audio-over-IP (AoIP) product is used for audio decoding and intended for various uses such as paging, background music, live announcements and others. It has hardware compatibility with two analog mono outputs and a USB port for storing local playlists. | ALERT | ALERT |
| 2.5.25 | MintsLoader: The loader powering TAG-124’s targeted campaigns | MintsLoader, a sophisticated loader first observed in 2024, is extensively used by TAG-124, more than by any other threat actor to deploy malicious payloads such as GhostWeaver, StealC and a modified BOINC client. These attacks primarily target sectors including industrial, legal and energy. | VIRUS | |
| 2.5.25 | Discovery Bank Impersonated in FICA-Themed Smishing Scam | Discovery Bank, a well-known digital bank in South Africa, has had its brand abused by a group or individual in a recent smishing campaign aimed at harvesting mobile users' banking credentials. The attack begins with a malicious SMS that leverages FICA (Financial Intelligence Centre Act in South Africa) compliance as a lure. | PHISHING | |
| 2.5.25 | ClickFix social engineering tactic being used by various APT groups | ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms. | APT | |
| 2.5.25 | Iranian threat actor targeted critical Middle Eastern infrastructure | Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East. | APT | |
| 2.5.25 | Spear phishing campaign targets WUC with trojanized Uyghur Text Editor | A spear phishing campaign delivering surveillance malware targeting high profile members of the World Uyghur Congress (WUC) has been reported. As part of the attack a trojanized version of a legitimate Uyghur language text editor to gain remote access, collect system information, and manipulate files. | PHISHING | |
| 2.5.25 | Pentagon Stealer | Pentagon Stealer is a recently identified malware strain built using both Python and Golang, engineered to exfiltrate a broad array of sensitive information. It primarily targets browser credentials, cookies, cryptocurrency wallet data and authentication tokens from apps like Discord and Telegram. | VIRUS | |
| 2.5.25 | Hannibal Infostealer | Hannibal Infostealer is a sophisticated malware observed in the wild, rebranded from the Sharp and TX stealer families. Developed in C#, it targets both Chromium and Gecko-based browsers, extracting sensitive data while bypassing browser protection. | VIRUS | |
| 2.5.25 | TypeLib hijacking via Teams | A Microsoft Teams phishing campaign was found to spread a unique PowerShell backdoor in recent attacks. The Threat Actor known as Storm-1811 initiates the attack by employing social engineering tricks on a targeted employee via Microsoft Teams chat, posing as internal IT support staff. | PHISHING | |
| 2.5.25 | Gremlin Stealer | Gremlin Stealer is a new C#-based malware variant recently discovered by the researchers from Palo Alto. Gremlin Stealer is currently advertised for sale via Telegram channels. | VIRUS | |
| 2.5.25 | CVE-2025-24054 - NTLM vulnerability exploited in the wild | CVE-2025-24054 is a recently disclosed vulnerability related to NTLM (New Technology LAN Manager) hash disclosure via spoofing. With help of crafted .library-ms files, an unauthorized attacker might be able to perform spoofing over the network. | ALERTS | VULNEREBILITY |
| 2.5.25 | ZDI-25-282 | Webmin CRLF Injection Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-281 | Cisco IOS XE SNMP SET cewProxyClass Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-280 | Cisco IOS XE SNMP GET-NEXT ciscoFlashChipCode Unexpected Sign Extension Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-279 | Cisco IOS XE SNMP GET-NEXT cContextMappingBridgeDomainIdentifier Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-278 | Cisco IOS XE SNMP GET-NEXT ctspIpSgtValue Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-277 | Cisco IOS XE SNMP SET cewEventTime Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-276 | Cisco IOS XE SNMP GET-NEXT cilmCurrentImageLevel Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-275 | Cisco IOS XE SNMP GET-NEXT callHomeUserDefCmdName Unexpected Sign Extension Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-274 | Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-273 | Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-272 | Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-271 | Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-270 | Cisco IOS XE SNMP GET-NEXT ciscoFlashFileSize Unexpected Sign Extension Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 2.5.25 | ZDI-25-269 | (Pwn2Own) Synology BeeStation BST150-4T Unnecessary Privileges Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 2.5.25 | MintsLoader | Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting | MALWARE | Loader |
| 1.5.25 | ZDI-25-268 | GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-267 | GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-266 | Apache ActiveMQ NMS Body Deserialization of Untrusted Data Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-265 | (Pwn2Own) Tesla Model 3 VCSEC Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-264 | (Pwn2Own) Tesla Model S Iris Modem ql_atfwd Command Injection Code Execution Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-263 | (Pwn2Own) Tesla Model S oFono Unnecessary Privileges Sandbox Escape Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-262 | (Pwn2Own) Tesla Model S Iris Modem QCMAP_ConnectionManager Improper Input Validation Sandbox Escape Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-261 | (Pwn2Own) Tesla Model S oFono AT Command Heap-based Buffer Overflow Code Execution Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-260 | (Pwn2Own) Tesla Model S Iris Modem Race Condition Firewall Bypass Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-259 | (Pwn2Own) Adobe Acrobat Reader DC Collab Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-258 | (Pwn2Own) Adobe Acrobat Reader DC distributionURL JavaScript API Restrictions Bypass Vulnerability |
ZERO-DAY |
|
| 1.5.25 | ZDI-25-257 | (Pwn2Own) Oracle VirtualBox OHCI USB Controller Race Condition Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 1.5.25 | MCP Prompt Injection | MCP Prompt Injection: Not Just For Evil | ATTACK | AI |
| 1.5.25 | Hive0117 | New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware | CAMPAIGN | PHISHING |
| 1.5.25 | Sheriff | IBM X-Force discovers new Sheriff Backdoor used to target Ukraine | MALWARE | Backdoor |
| 1.5.25 | CVE-2025-3928 | Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells. |
VULNEREBILITY |
|
| 1.5.25 | CVE-2023-44221 | (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability |
VULNEREBILITY |
|
| 1.5.25 | CVE-2024-38475 | (CVSS score: 9.8) - Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server |
VULNEREBILITY |
|
| 30.4.25 | SLAAC Snooping | NDP messages are unsecured, which makes SLAAC susceptible to attacks that involve the spoofing (or forging) of link-layer addresses. You must configure SLAAC snooping to validate IPv6 clients using SLAAC before allowing them to access the network. | ATTACK | IPv6 |
| 30.4.25 | Context Compliance Attack | (CCA), a jailbreak technique that involves the adversary injecting a "simple assistant response into the conversation history" about a potentially sensitive topic that expresses readiness to provide additional information | ATTACK | AI |
| 30.4.25 | Policy Puppetry Attack | a prompt injection technique that crafts malicious instructions to look like a policy file, such as XML, INI, or JSON, and then passes it as input to the large language model (LLMs) to bypass safety alignments and extract the system prompt | ATTACK | AI |
| 30.4.25 | Memory INJection Attack | (MINJA), which involves injecting malicious records into a memory bank by interacting with an LLM agent via queries and output observations and leads the agent to perform an undesirable action | ATTACK | AI |
| 29.4.25 | CVE-2025-3928 - Commvault Web Server vulnerability | CVE-2025-3928 is a recently disclosed unspecified vulnerability affecting Commvault Web Server. If successfully exploited, the flaw could enable remote, authenticated attackers to gain unauthorized access to the vulnerable systems and allow them for deployment and execution of arbitrary webshells. | VULNEREBILITY | |
| 29.4.25 | ELENOR-corp - a new Mimic ransomware variant | ELENOR-corp is a new ransomware variant from the Mimic malware family just recently identified in the wild and reported to be targeting the healthcare sector. The attackers have been also leveraging a persistent Clipper malware as well as a Python-based infostealer during the activities preceding the ransomware payload deployment. | RANSOM | |
| 29.4.25 | Multi-Stage malware campaign targeting South Korean entities linked to Konni APT | A sophisticated multi-stage malware campaign potentially linked to the North Korean Konni APT group has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut which executes an obfuscated PowerShell script designed to download and run additional malicious payloads. | APT | |
| 29.4.25 | RevolverRAT targeting users with malicious emails | RevolverRAT, a newly disclosed Remote Access Trojan is initially spread via targeted emails in the recipient's native language claiming to be a copyright claim that needs to be addressed. The emails request that users click a link which results in an installation of software vulnerable to DLL side-loading attacks. | VIRUS | |
| 29.4.25 | DslogdRAT malware distribution | A recent campaign spreading DslogdRAT malware has been targeting organizations in Japan as reported by JPCERT. The attackers have been exploiting a vulnerability in Ivanti Connect Secure (CVE-2025-0282) to deliver the malicious payloads. DslogdRAT has the functionality to execute arbitrary commands received from the C2 servers (according to the hardcoded configuration data). | VIRUS | |
| 29.4.25 | Spoofed Driver and Vehicle Licensing Agency (DVLA) email notifications appear in phish runs | The Driver and Vehicle Licensing Agency (DVLA) is British government's organization responsible for maintaining records of drivers in Great Britain and vehicles for entire United Kingdom. Recently, Symantec has observed phishing attempts mimicking DVLA, enticing users to open fake notification emails. | PHISHING | |
| 29.4.25 | China-linked threat actors exploit NFC Tech | China-linked threat actors are exploiting NFC technologies for fraudulent activities targeting financial institutions worldwide, causing significant losses. Sophisticated tools like Z-NFC and King NFC are used to facilitate illegal transactions. These tools leverage Near Field Communication (NFC) technology, which is essential for contactless payments and applications relying on Host Card Emulation (HCE). | EXPLOIT | |
| 29.4.25 | AsyncRAT malware campaign using Cloudflare Tunnels | A malware campaign using Cloudflare tunnels to deploy AsyncRAT has been reported. The attack vector starts with a phishing email containing a malicious .ms-library file which when opened downloads a PDF shortcut (LNK file) that triggers a series of scripts. | VIRUS | |
| 29.4.25 | Ammyy Admin and PetitPotato deployed in targeted MS-SQL Server attacks | An emerging threat campaign targeting poorly managed MS-SQL servers has been observed, aiming to deploy Ammyy Admin and PetitPotato malware for remote access and privilege escalation. The attackers exploit vulnerable servers, execute commands to gather system information and use WGet to install the malware. They also enable RDP services and add new user accounts to maintain persistent access. | VIRUS | |
| 29.4.25 | Phishing campaign targets Norinchukin Bank users with fake login pages | Norinchukin (Nochu) Bank, founded in 1923, is a Japanese cooperative bank that supports the agricultural sector. It serves as the national institution for JA Bank, a group of agricultural cooperatives. Recently, Symantec detected a phishing campaign targeting the bank’s online banking services. | CAMPAIGN | |
| 29.4.25 | UyghurEdit++ Tool | Uyghur Language Software Hijacked to Deliver Malware | HACKING | SOFTWARE |
| 29.4.25 | CVE-2025-3928 | (CVSS score: 8.7) - An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells |
VULNEREBILITY |
|
| 29.4.25 | CVE-2025-1976 | (CVSS score: 8.6) - A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges |
VULNEREBILITY |
|
| 29.4.25 | CVE-2025-32432 | (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17) |
VULNEREBILITY |
|
| 29.4.25 | CVE-2024-58136 | (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources |
VULNEREBILITY |
|
| 27.4.25 | DragonForce | Ransomware Groups Evolve Affiliate Models | RANSOMWARE | RANSOMWARE |
| 27.4.25 | KB5055627 | April 25, 2025—KB5055627(OS Build 26100.3915) Preview | KB DATABAZE | KB DATABAZE |
| 27.4.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 27.4.25 | CVE-2025-32432 | A remote code execution (RCE) vulnerability in Craft CMS. |
VULNEREBILITY |
|
| 27.4.25 | CVE-2024-58136 | An input validation flaw in the Yii framework used by Craft CMS. |
VULNEREBILITY |
|
| 27.4.25 | Password Spraying | The basics of a password spraying attack involve a threat actor using a single common password against multiple accounts on the same application. This avoids the account lockouts that typically occur when an attacker uses a brute force attack on a single account by trying many passwords. | ATTACK | Password |
| 26.4.25 | ToyMaker | Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs | GROUP | IAB |
| 26.4.25 | FBI INTERNET CRIME REPORT | This year marks the 25th anniversary of the FBI’s Internet Crime Complaint Center, or IC3. Originally intended to serve the law enforcement community, IC3 has evolved to become the primary destination for the public to report cyber-enabled crime and fraud as well as a key source for information on scams and cyber threats | REPORT | REPORT |
| 26.4.25 | CVE-2024-54084 | APTIOV contains a vulnerability in BIOS where an attacker may cause a Time-of-check Time-of-use (TOCTOU) Race Condition by local means. Successful exploitation of this vulnerability may lead to arbitrary code execution. |
VULNEREBILITY |
|
| 26.4.25 | CVE-2024-54085 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. |
VULNEREBILITY |
|
| 25.4.25 | KB5055523 | 8. dubna 2025 – KB5055523 (build operačního systému 26100.3775) | KB DATABAZE | KB DATABAZE |
| 25.4.25 | KB5052093 | February 25, 2025—KB5052093 (OS Build 26100.3323) Preview | KB DATABAZE | KB DATABAZE |
| 25.4.25 | KB5046617 | 12. listopadu 2024 – KB5046617 (build operačního systému 26100.2314) | KB DATABAZE | KB DATABAZE |
| 25.4.25 | CVE-2025-42599 | Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition. |
VULNEREBILITY |
|
| 25.4.25 | ELUSIVE COMET | Mitigating ELUSIVE COMET Zoom remote control attacks | OPERATION | CRYPTOCURRENCY |
| 25.4.25 | KB5055612 | April 22, 2025—KB5055612 (OS Build 19045.5796) Preview | KB DATABAZE | KB DATABAZE |
| 25.4.25 | Cookie-Bite attack | Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA and Maintain Access to Cloud Environments | ATTACK | COOKIES |
| 25.4.25 | Scallywag | Scallywag Extensions Monetize Piracy | OPERATION | CRYPTOCURRENCY |
| 25.4.25 | Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails | Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. | ALERT | ALERT |
| 25.4.25 | ZDI-25-256 | Avast Free Antivirus Integer Overflow Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 25.4.25 | ZDI-25-255 | Allegra isZipEntryValide Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 25.4.25 | ZDI-25-254 | Allegra extractFileFromZip Directory Traversal Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 25.4.25 | ZDI-25-253 | SonicWALL Connect Tunnel Link Following Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 25.4.25 | CVE-2017-9844 | SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-27610 | (CVSS score: 7.5) - A path traversal vulnerability that could be used to gain access to all files under the specified root: directory, assuming an attacker can determine the paths to those files |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-27111 | (CVSS score: 6.9) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and distort log files |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-25184 | (CVSS score: 5.7) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and inject malicious data |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-0282 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
VULNEREBILITY |
|
| 25.4.25 | DslogdRAT | DslogdRAT Malware Installed in Ivanti Connect Secure | MALWARE | RAT |
| 24.4.25 | ZDI-25-252 | (0Day) Cato Networks Cato Client for macOS Helper Service Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 24.4.25 | ZDI-25-251 | (0Day) Harman Becker MGU21 Bluetooth Improper Input Validation Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 24.4.25 | ZDI-25-250 | (0Day) Cloudera Hue Ace Editor Directory Traversal Information Disclosure Vulnerability |
ZERO-DAY |
|
| 24.4.25 | ZDI-25-249 | (0Day) eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 24.4.25 | ZDI-25-248 | (0Day) eCharge Hardy Barth cPH2 nwcheckexec.php dest Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 24.4.25 | ZDI-25-247 | (0Day) eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 24.4.25 | PE32 Ransomware | PE32 ransomware is a newly discovered malware strain that leverages Telegram for C2 operations. It employs a dual-extortion model, charging separate fees for file decryption and data non-disclosure. Despite its messy and simplistic code, which uses basic Windows libraries, it poses a significant threat to systems with weak security hygiene. | RANSOM | |
| 24.4.25 | Proton66 Infrastructure tied to expanding malware campaigns and C2 operations | Proton66 has emerged as a central hub for malicious cyber activity, hosting infrastructure used in C2 operations and phishing campaigns involving malware like GootLoader, SpyNote and XWorm. | VIRUS | |
| 24.4.25 | ToyMaker IAB paves way for Cactus ransomware | Initial Access Brokers are oftentimes the first step in a successful campaign for a threat actor. The access brokers work their way into an environment, collect relevant data, and then sell that information to a threat actor for further compromise. | RANSOM | |
| 24.4.25 | Weaponized Alpine Quest App used to spy on Russian military via Telegram Bot | A modified version of the popular Android navigation app Alpine Quest, has been found carrying spyware targeting Russian military personnel. The spyware, bundled within the app collects sensitive information like phone numbers, account details, contacts and geolocation. | BOTNET | |
| 24.4.25 | A recent FormBook distribution campaign observed in the wild | A new FormBook distribution campaign has been reported by the researchers from Fortinet. The attackers leverage malicious Word documents containing an exploit for CVE-2017-11882, which is an older vulnerability affecting the Equation Editor component in Microsoft Office. | CAMPAIGN | |
| 24.4.25 | Billbug APT continues campaigns in Southeast Asia | The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. | APT | |
| 24.4.25 | RustoBot botnet activity | RustoBot is a new Rust-based botnet variant distributed via exploitation of vulnerabilities in unpatched TOTOLINK devices. | BOTNET | |
| 24.4.25 | UNC4736 | UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. | GROUP | GROUP |
| 24.4.25 | UNC1069 | (Active since at least April 2018), which targets diverse industries for financial gain using social engineering ploys by sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency | GROUP | GROUP |
| 24.4.25 | UNC4899 | (Active since 2022), which is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment and has previously staged supply chain compromises for financial gain (Overlaps with Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor) | GROUP | GROUP |
| 24.4.25 | UNC5342 | (Active since at least December 2022), which is also known for employing job-related lures to trick developers into running malware-laced projects (Overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima) | GROUP | GROUP |
| 24.4.25 | Operation SyncHole | Operation SyncHole: Lazarus APT goes back to the well | OPERATION | APT |
| 24.4.25 | io_uring | io_uring Is Back, This Time as a Rootkit | MALWARE | ROOTKIT |
| 24.4.25 | Darcula phishing-as-a-service | AI-Enabled Darcula-Suite Makes Phishing Kits More Accessible, Easier to Deploy | PHISHING | PHaaS |
| 24.4.25 | CVE-2025-34028 | A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication. |
VULNEREBILITY |
|
| 23.4.25 | M-Trends 2025 | A key takeaway from M-Trends 2025 is that attackers are seizing every opportunity to further their objectives. | REPORT | REPORT |
| 23.4.25 | Phishing for Codes | Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows | PHISHING | PHISHING |
| 23.4.25 | XRP supply chain attack | XRP supply chain attack: Official NPM package infected with crypto stealing backdoor | ATTACK | Crypto |
| 23.4.25 | RustoBot | New Rust Botnet "RustoBot" is Routed via Routers | BOTNET | Bot |
| 22.4.25 | Ransomware group Interlock enhances tactics with ClickFix and Infostealers | Reports indicate that the ransomware group Interlock has advanced its attack methods by incorporating ClickFix social engineering techniques alongside infostealers. | RANSOM | |
| 22.4.25 | Gunra Ransomware | Another ransomware actor operating under the name Gunra has recently surfaced, allegedly claiming several victims in the healthcare, electronics, and beverage manufacturing sectors, as listed on their onion website. | RANSOM | |
| 22.4.25 | SuperCard X Android malware | A new Android malware campaign, identified as a malware-as-a-service called SuperCard X, has been observed targeting users in Italy. Delivered via socially engineered smishing and phone calls, the intent of the campaign is financial theft. | VIRUS | |
| 22.4.25 | PasivRobber - Spyware targeting macOS platform | PasivRobber is a new malware variant targeting the macOS platform that has been recently identified in the wild. Its main function is to ex-filtrate miscellaneous data from the macOS systems including information from 3rd party apps, web browsers, emails, cookies, chat messages (WeChat and QQ), screenshots, etc. | ||
| 22.4.25 | DKIM Replay Phishing Attack | Google Spoofed Via DKIM Replay Attack: A Technical Breakdown | ATTACK | PHISHING |
| 22.4.25 | Billbug | Billbug: Intrusion Campaign Against Southeast Asia Continues | GROUP | Espionage group |
| 22.4.25 | Larva-24005 | During the breach investigation process, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005.1 | GROUP | APT Group Profiles |
| 22.4.25 | SuperCard X Malware | A novel Android malware offered through a Malware-as-a-Service (MaaS) model, enabling NFC relay attacks for fraudulent cash-outs. | MALWARE | ANDROID |
| 22.4.25 | SuperCard X | SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation | OPERATION | Fraund |
| 22.4.25 | Proton66 | Proton66 Part 1: Mass Scanning and Exploit Campaigns | GROUP | GROUP |
| 21.4.25 | Interlock ransomware | Interlock is a ransomware intrusion set first observed in September 2024 that conducts Big Game Hunting and double extortion campaigns. | RANSOMWARE | RANSOMWARE |
|
21.4.25 |
CVE-2021-20035 | Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS. |
VULNEREBILITY |
|
| 21.4.25 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability |
VULNEREBILITY |
|
|
21.4.25 |
CVE-2025-20150 | Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability |
VULNEREBILITY |
|
| 21.4.25 | CVE-2025-20178 | Cisco Secure Network Analytics Privilege Escalation Vulnerability |
VULNEREBILITY |
|
|
21.4.25 |
In-car dash cameras (dashcams) have become quintessential to our daily lives, supported by guidelines and regulations from insurance companies as part of insurance reduction or substantiating claims during an accident. However, this can be a double-edged sword without proper security measures, potentially compromising privacy and increasing susceptibility to identity theft. |
BLACK HAT 2025 ASIE |
||
| 21.4.25 |
QuickShell: Sharing is Caring About an RCE Attack Chain on Quick Share |
Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks |
Windows Sandbox is a lightweight virtualization mechanism introduced in 2018, designed to provide an isolated desktop environment for quickly testing suspicious applications. However, this feature can also serve as a "magic cloak" for adversaries. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi |
As one of the most widely-used commercial virtualization platforms, the security of VMware virtualization suite has long been a focal point of scrutiny. Over the past few years, we have focused extensively on identifying vulnerabilities within VMware products, particularly those in ESXi and Workstation virtualization implementations. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Java serialization and deserialization facilitate cooperation between different Java systems, enabling convenient data and code exchange. However, a significant vulnerability known as Java Object Injection (JOI) allows remote attackers to inject crafted serialized objects, triggering internal Java methods (gadgets) and resulting in severe consequences such as remote code execution (RCE). |
BLACK HAT 2025 ASIE |
||
|
21.4.25 |
With the new AI moving to the cloud, a sequence of ML/AI tooling suites has been integrated into the core Azure DevOps functionalities, yielding a new concept of MLOps to enable the LLM capabilities for Azure. |
BLACK HAT 2025 ASIE |
||
| 21.4.25 | As WebAssembly becomes more integrated into modern web browsers, its interaction with JavaScript creates new opportunities for performance optimization, but also introduces significant security risks. This presentation dives deep into the vulnerabilities emerging from the boundaries between WebAssembly and JavaScript, with a focus on type confusion issues and improper handling of object boundaries within the V8 engine. |
BLACK HAT 2025 ASIE |
||
|
21.4.25 |
Double Tap at the Blackbox: Hacking a Car Remotely Twice with MiTM |
Obtaining the hardware, extracting firmware, and then reverse engineering to uncover vulnerabilities in automotive systems is a common practice within the vehicle security community. However, access to vehicle components can often be limited—especially for newer models—making it challenging for researchers who do not own the vehicle. Dissecting a car can also be risky and expensive for many security researchers. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 |
The Illusion of Isolation: How Isolation Failures in CI/CD Servers Lead to RCE and Privacy Risks |
For many years, security research on CI/CD platforms has been a popular topic, but researchers often tend to look for flaws that are visibly present across various functionalities within the workflow rather than auditing CI/CD platform implementations to analyze application mechanisms and identify potential vulnerabilities. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
This talk invites you on an exploration of advanced reverse engineering techniques applied to sophisticated proprietary hardware. Rather than focusing on well-known hands-on methods such as hardware decapsulation and schematic analysis, I will demonstrate how a unique combination of patent analysis, firmware reverse engineering, and theoretical modeling can unlock the intricacies of undocumented hardware technologies and their application semantics. |
BLACK HAT 2025 ASIE |
||
| 21.4.25 |
Determining Exploitability of Vulnerabilities with SBOM and VEX |
Software Composition Analysis tools are known to generate a flood of vulnerability data in third party code. The key challenge today is determining the number of vulnerabilities that are actually exploitable in the products that are shipped. A lot of tools have started exploring this problem. However, it cannot be completely solved without internal developer context on how a third party package is being used. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Currently, the application of LLMs within the security landscape has achieved widespread adoption, becoming a standard practice across the industry. In the realm of threat intelligence, LLMs have distinguished themselves through their exceptional capabilities in extracting IOCs and summarizing cyberattack reports, significantly enhancing the efficiency and precision of threat intelligence processing. |
BLACK HAT 2025 ASIE |
||
| 21.4.25 | One Bug to Rule Them All: Stably Exploiting a Preauth RCE Vulnerability on Windows Server 2025 | As the security protection mechanisms of the Windows operating system are constantly being proposed and applied, it is becoming increasingly difficult to find exploitable vulnerabilities on current Windows, especially vulnerabilities that can cause preauth 0-click RCE. But, is there really no such vulnerabilities? |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Foreign Information Manipulation and Interference (Disinformation 2.0) - How Patterns of Behavior in the Information Domain Threaten or Attack Organizations' Values, Procedures and Political Processes | Over the past decade, foreign information manipulation and interference (FIMI) operations have grown in complexity and scope. More specifically, Russia and China have continuously invested resources into developing their hybrid warfare strategy. Hybrid warfare goes beyond physical confrontation. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities | Linux kernel vulnerability reproduction is a critical task in system security. To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed. Most existing research focuses on the generation of PoC, while the construction of the environment is overlooked. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Mini-App But Great Impact: New Ways to Compromise Mobile Apps | In the mobile app ecosystem, super-apps serve as platforms hosting mini-apps, facilitating cross-platform operation across Android and iOS. Traditionally, attacks on mobile apps have targeted native applications, web pages, and networks. Our research pioneers a novel exploitation vector targeting mobile apps via mini-apps. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Should We Chat, Too? Security Analysis of WeChat's MMTLS Encryption Protocol | WeChat, with over 1.2 billion monthly active users, stands as the most popular messaging and social media platform in China and third globally. Instead of TLS, WeChat mainly uses a proprietary network encryption protocol called "MMTLS". We performed the first public analysis of the security and privacy properties of MMTLS and found it to be a modified version of TLS 1.3, with many of the modifications that WeChat developers made to the cryptography introducing weaknesses. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Invisible Ink: Privacy Risks of CSS in Browsers and Emails | Recently, Google Chrome and other browsers have started restricting traditional tracking methods, such as third-party cookies, to improve user privacy. Still, websites can leverage browser fingerprinting to track users across websites, even when they try to protect their privacy. Interestingly, the same principles can be leveraged to enhance the security of web applications, such as in risk-based authentication, where users are identified based on their browser fingerprint. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Operation BlackEcho: Voice Phishing Using Fake Financial and Vaccine Apps | Voice phishing (a.k.a. vishing) is a crime in which scammers deceive victims through phone calls in order to fraudulently obtain funds or steal personal information. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Watch Your Phone: Novel USB-Based File Access Attacks Against Mobile Devices | Modern mobile OSs employ lock screens and user confirmation prompts to shield sensitive data from attackers with access to the device's USB port. In this talk, we present novel attacks and attack techniques that bypass both of these critical security mechanisms to gain USB-based file access on state-of-the-art mobile devices. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | (Mis)adventures with Copilot+: Attacking and Exploiting Windows NPU Drivers | In May 2024, Microsoft introduced a new category of PCs designed for AI, called Copilot+ PCs. According to Microsoft, those PCs are starting a new chapter of AI integration on Windows and, thus, personal computing. Each device will have an NPU enabling the device to run Large-Language Models (LLMs) locally. But how exactly were those NPUs integrated into Windows? |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Behind Closed Doors - Bypassing RFID Readers | Cloning RFID tags - you probably tried it, or at least heard about it. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Impostor Syndrome - Hacking Apple MDMs Using Rogue Device Enrolments | Apple's solution for mobile device management seems like an airtight process. Enterprise customers buy devices from registered retailers, these are automatically registered in Apple Business Manager which in turn integrates seamlessly with the customer's choice of MDM platform. A company can have devices set up and shipped to remote employees without ever touching them. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Standing on the Shoulders of Giants: De-Obfuscating WebAssembly Using LLVM | WebAssembly (Wasm) is an increasingly popular compilation target, offering compact representation, efficient validation and compilation, and safe low to no-overhead execution. Wasm is popular not only on the browsers but finding adoption across various platforms. As its popularity grows for various applications, so does the need to obfuscate it, subsequently raising the necessity to de-obfuscate. In this talk we will discuss how to de-obfuscate Wasm code using LLVM compiler infrastructure. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | A Closer Look at the Gaps in the Grid: New Vulnerabilities and Exploits Affecting Solar Power Systems | Distributed energy resources (DER), such as solar power systems, are rapidly becoming essential elements of power grids worldwide. However, cybersecurity for these systems is often an afterthought, creating a growing risk to grid reliability. While each residential solar system produces limited power, their combined output reaches dozens of gigawatts — making their collective impact on grid stability too significant to ignore. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
CDN Cannon: Exploiting CDN Back-to-Origin Strategies for Amplification Attacks | Content Delivery Networks (CDNs) are widely adopted to enhance web performance and offer protection against DDoS attacks. However, our research unveils a critical vulnerability within CDN back-to-origin strategies, allowing attackers to exploit these mechanisms for massive amplification attacks, termed as Back-to-Origin Amplification (BtOAmp) attacks. These attacks leverage CDN configurations that prioritize performance over security, leading to the exhaustion of origin server resources. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | I Have Got to Warn You, It Is a Learning Robot: Using Deep Learning Attribution Methods for Fault Injection Attacks | Deep Learning (DL) has recently received significant attention in breaking cryptographic implementations on embedded systems. However, research on the subject mostly focused on side-channel attacks (SCAs). |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
The Drone Supply Chain's Grand Siege: From Initial Breaches to Long-Term Espionage on High-Value Targets | In mid-2024, we disclosed a cyber campaign named TIDRONE, attributed to an unidentified threat actor likely linked to Chinese-speaking groups. This campaign revealed a strong focus on the military industry, specifically targeting drone manufacturers in Taiwan. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Dismantling the SEOS Protocol | In this talk, we present the first open source implementation of HID SEOS communication protocol over RFID. HID SEOS is a credential technology designed to provide enhanced security, flexibility, and convenience for access control and identity management applications. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
KernelSnitch: Leaking Kernel Heap Pointers by Exploiting Software-Induced Side-Channel Leakage of Kernel Hash Tables | In this talk, we present a generic software-induced side-channel attack, KernelSnitch, on the operating system. With this new side-channel attack we opened up a novel attack surface in operating systems that are both, potent and difficult to patch. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | The ByzRP Solution: A Global Operational Shield for RPKI Validators | The Border Gateway Protocol (BGP) is the core routing protocol on the Internet, but it lacks security mechanisms. At the same time, the democratization of access has transformed the Internet into the default platform, where global services and communications happen. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
The Problems of Embedded Python in Excel, or How to Excel in Pwning Pandas | In Windows build 2407, Microsoft released Python support inside Excel as embedded =PY() functions. According to the Microsoft website: "Python in Excel brings the power of Python analytics into Excel. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | AI-Powered Image-Based Command and Control (C2) Framework: Utilizing AI Models to Conceal and Extract Commands in C2 Images | Generative AI concentrates on generating novel and unique content in various forms, including text, image, and video. Many researchers focus on utilizing GenAI models to improve our lives or identifying vulnerabilities in GenAI models. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors | Email attachments have become a favored delivery vector for malware campaigns. In response, email attachment detectors are widely deployed to safeguard email security. However, an emerging threat arises when adversaries exploit parsing discrepancies between email detectors and clients to evade detection. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | State Manipulation: Unveiling New Attack Vectors in Bluetooth Vulnerability Discovery through Protocol State Machine Reconfiguration | The Bluetooth protocol has become ubiquitous, supporting a wide range of devices from personal gadgets like headphones and smartphones to complex systems in automotive and IoT environments. While Bluetooth's flexibility and performance have been thoroughly validated, an overlooked attack surface exists within the protocol's underlying state machines. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Sweeping the Blockchain: Unmasking Illicit Accounts in Web3 Scams | The web3 applications have recently been growing, especially on the Ethereum platform, starting to become the target of scammers. The web3 scams, imitating the services provided by legitimate platforms, mimic regular activity to deceive users. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet | Today's vehicles are evolving rapidly, with a rising number of electric models and an expanding array of digital technologies, such as onboard Wi-Fi, Bluetooth, and USB connectivity. These advancements are making cars increasingly connected and technologically complex. However, most vehicles still have largely proprietary internal systems, which, coupled with the critical importance of automotive safety, makes them a significant area of focus for security research. |
BLACK HAT 2025 ASIE |
|
|
21.4.25 |
Weaponized Deception: Lessons from Indonesia's Muslim Cyber Army | A defunct Indonesian cyber deception collective of attackers known as Muslim Cyber Army (MCA) modeled one of the first known examples of weaponizing deception and disinformation to disrupt Indonesian politics more than a decade ago, well before the notorious Russian attempts to undermine American electoral politics in 2016. |
BLACK HAT 2025 ASIE |
|
| 21.4.25 | Operation BlackEcho | Voice Phishing using Fake Financial and Vaccine Apps | OPERATION | OPERATION |
|
21.4.25 |
WINELOADER | European diplomats targeted by APT29 (Cozy Bear) with WINELOADER | MALWARE | Loader |
|
20.4.25 |
KB5059091 | 16. dubna 2025 – KB5059091 (build operačního systému 17763.7249) mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5059092 | 16. dubna 2025 – KB5059092 (build operačního systému 20348.3566) mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5059087 | 16. dubna 2025 – KB5059087 (build operačního systému 26100.3781) Mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5058922 | 11. dubna 2025 – KB5058920 (build operačního systému 20348.3561) Mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5058921 | 11. dubna 2025 – KB5058921 (build operačního systému 14393.7973) Mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5058920 | 11. dubna 2025 – KB5058922 (build operačního systému 17763.7240) Mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5058920 | 11. dubna 2025 – KB5058920 (build operačního systému 20348.3561) Mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5058919 | 11. dubna 2025 – KB5058919 (buildy operačního systému 22621.5192 a 22631.5192) Mimo pásmo | KB DATABAZE | KB DATABAZE |
|
20.4.25 |
KB5057589: Aktualizace prostředí Windows Recovery Environment pro Windows 10 verze 21H2 a 22H2: 8. dubna 2025 |
KB DATABAZE | KB DATABAZE | |
|
20.4.25 |
KB5057588: Aktualizace prostředí Windows Recovery Environment pro Windows Server 2022: 8. dubna 2025 |
KB DATABAZE | KB DATABAZE | |
| 19.4.25 | Earth Estries | Earth Estries is a Chinese Advanced Persistent Threat (APT) group that has gained prominence for its sophisticated cyber espionage activities targeting critical infrastructure and government entities globally. | APT | PROFILE |
| 19.4.25 | Smishing Triad | Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit | CAMPAIGN | SPAM |
| 19.4.25 | CVE-2025-2492 | An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. |
VULNEREBILITY |
|
| 18.4.25 | MysterySnail RAT | IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia | MALWARE | RAT |
| 18.4.25 | PteroLNK malware | PteroLNK is a new Pterodo malware variant recently distributed in the wild and attributed to the Shuckworm APT (aka Gamaredon). The malware comes in form of an obfuscated VBScript with a downloader and a LNK dropper components. | VIRUS | |
| 18.4.25 | A recent campaign attributed to the Fritillary APT group | A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to a recent research by Checkpoint, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor. | APT | |
| 18.4.25 | New fileless malware campaign drops XWorm & Rhadamanthys | A new malware campaign has been observed using JScript and obfuscated PowerShell commands to deploy highly evasive malware variants such as XWorm and Rhadamanthys. The campaign targets Windows systems employing scheduled tasks or deceptive ClickFix CAPTCHA screens to trick users into executing malicious payloads. | VIRUS | |
| 18.4.25 | DragonForce Ransomware's Campaign Intensifies in 2025 | In 2024, DragonForce ransomware actors were highly active, claiming around 93 victims on their leak website, with likely more that were not disclosed. We're still in early 2025, and the group has already "allegedly" claimed over 40 organizations as potential victims across multiple countries and sectors. | RANSOM | |
| 18.4.25 | Multi-stage attacks delivering Agent Tesla variants | Malspam email campaigns are the rule rather than the exception these days. Delivering multi-stage attacks through malicious attachments is the norm. Researchers at Palo Alto Networks have published a report sharing details about such campaigns using variants of Agent Tesla as the final payload. | VIRUS | |
| 18.4.25 | Malicious VSCode extensions infecing users with cryptominer | A set of VSCode extensions posing as legitimate development tools has been observed infecting users with the XMRig cryptominer for Monero in a new cryptojacking campaign. | CRYPTOCURRENCY | |
| 18.4.25 | DOGE BIG BALLS Ransomware | A new ransomware campaign has been reported exploiting the name of a prominent figure within the Department of Government Efficiency (DOGE) to trick victims. The attack delivers a modified variant of Fog ransomware dubbed "DOGE BIG BALLS Ransomware." | RANSOM | |
| 18.4.25 | Linux based BPFDoor observed in Asia and Middle East | BPFDoor is a Linux based backdoor that has been observed in attacks against various industries in Asia and the Middle East. Named for its use of Berkeley Packet Filtering, the malware implements a filter that activates functionality based on specific sequences found during network packet inspection. | VIRUS | |
| 18.4.25 | CVE-2025-30208 - Vite Arbitrary File Read vulnerability | CVE-2025-30208 is a recently disclosed Arbitrary File Read vulnerability affecting Vite, which is a frontend build and development tool for web applications. | VULNEREBILITY | |
| 18.4.25 | PAKLOG, CorKLOG, and SplatCloak | P2 | Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 | MALWARE | APT |
| 18.4.25 | ToneShell and StarProxy | P1 | Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1 | MALWARE | APT |
| 18.4.25 | XorDDoS controller | Unmasking the new XorDDoS controller and infrastructure | MALWARE | DDoS |
| 18.4.25 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability |
VULNEREBILITY |
|
| 17.4.25 | Sponsored Actors Try ClickFix | Around the World in 90 Days: State-Sponsored Actors Try ClickFix | CAMPAIGN | CAMPAIGN |
| 17.4.25 | CVE-2025-32433 | Unauthenticated Remote Code Execution in Erlang/OTP SSH |
VULNEREBILITY |
|
| 17.4.25 | CVE-2021-20035 | SonicWall SMA100 Appliances OS Command Injection Vulnerability |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-24201 | (CVSS score: 7.1) - An out-of-bounds write issue in the WebKit component that could be exploited to break out of the Web Content sandbox using maliciously crafted web content |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-24200 | (CVSS score: 4.6) - An authorization issue in the Accessibility component that could enable an attacker to disable USB Restricted Mode on a locked device as part of a cyber-physical attack |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-24085 | (CVSS score: 7.8) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-31201 | (CVSS score: 6.8) - A vulnerability in the RPAC component that could be used by an attacker with arbitrary read and write capability to bypass Pointer Authentication |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-31200 | (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file |
VULNEREBILITY |
|
| 17.4.25 | New Vulnerabilities for schtasks.exe | Task Scheduler– New Vulnerabilities for schtasks.exe |
VULNEREBILITY |
|
| 16.4.25 | Android.Clipper | Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft? | MALWARE | Android |
| 16.4.25 | Multi-Stage Phishing Attack Exploits Gamma | Attackers exploit Gamma in a multi-stage phishing attack using Cloudflare Turnstile and AiTM tactics to evade detection and steal Microsoft credentials. | ATTACK | AI |
| 16.4.25 | BPFDoor | BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets | MALWARE | Backdoor |
| 16.4.25 | SNOWLIGHT | According to sysdig, SNOWLIGHT is used as a dropper for its fileless payload (vshell). | MALWARE | Linux |
| 16.4.25 | UNC5174 | UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell | GROUP | GROUP |
| 16.4.25 | CVE-2025-24859 | A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. |
VULNEREBILITY |
|
| 15.4.25 | SpyNote Campaign Masquerades as a MissAV mobile app | Porn remains one of the most effective social engineering vectors due to high curiosity-driven engagement, the stigma that discourages victims from reporting, and the ease with which it can be weaponized through mobile-based attacks such as fake APKs. | CAMPAIGN | |
| 15.4.25 | Turkish Employment Agency Impersonated in a Snake Keylogger campaign | Symantec has recently observed a Snake Keylogger campaign targeting organizations in Turkey, including those in the Aerospace & Defense and Financial Services sectors. | CAMPAIGN | |
| 15.4.25 | ZeroTrace Stealer | ZeroTrace Stealer is a new infostealing malware that recently emerged on the threat landscape. The malware builder has been distributed via various underground forums and file-sharing platforms while advertised as being created for educational and research purposes ony. | VIRUS | |
| 15.4.25 | Pulsar RAT malware | Pulsar is a new remote access trojan (RAT) variant recently identified in the wild. This C#-based malware is based on the Quasar RAT strain and has miscellaneous functionality including keylogging, cryptocurrency wallet clipping, infostealing, file management, remote shell and command execution, among others. | VIRUS | |
| 15.4.25 | PelDox Ransomware | Unlike typical ransomware, PelDox does not inform victims about the encryption of their files or demand payment for decryption. After encrypting the files and appending the ".lczx" extension, the ransomware displays a full-screen message. | RANSOM | |
| 15.4.25 | HijackLoader new modular enhancements for stealth and evasion | HijackLoader (also known as GHOSTPULSE or IDAT Loader) is a malware loader capable of delivering second-stage payloads and offers a variety of modules mainly used for configuration information, evasion of security software, and injection/execution of code. | ||
| 15.4.25 | Slow Pisces | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | GROUP | GROUP |
| 15.4.25 | Precision-Validated Phishing | The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders | PHISHING | PHISHING |
| 15.4.25 | Double-Edged Email Attack | Pick your Poison - A Double-Edged Email Attack | HACKING | SPAM |
| 15.4.25 | CVE-2025-30406 | Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. |
VULNEREBILITY |
|
| 15.4.25 | ResolverRAT | New Malware Variant Identified: ResolverRAT Enters the Maze | MALWARE | RAT |
| 15.4.25 | CurlBack RAT | Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks | MALWARE | RAT |
| 13.4.25 | Tycoon2FA | Tycoon2FA New Evasion Technique for 2025 | PHISHING | Kit |
| 13.4.25 |
We Have a Package for You! A Comprehensive Analysis of
Package Hallucinations by Code Generating LL |
The reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open-source software, combined with the emergence of code-generating Large Language Models (LLMs), has created a new type of threat to the software supply chain: package hallucinations. T | PAPERS | AI |
| 12.4.25 | NanoCrypt Ransomware | NanoCrypt is another "run-of-the-mill" ransomware variant discovered in the wild. The malware encrypts user data and appends .ncrypt to the name of locked files. The ransom note dropped in the form of a text file called README.txt indicates that this malware has been created "for fun" and not intended for any harmful activity. | RANSOM | |
| 12.4.25 | Chaos Ransomware Variant Targets IT Staff via Fake Security Tool | Chaos ransomware variants continue to emerge, mostly used by actors targeting individual machines through drive-by-download social engineering. These attacks typically demand a smaller ransom compared to double-extortion ransomware actors who target larger organizations through more complex attack chains. | RANSOM | |
| 12.4.25 | New Amethyst Stealer variant distributed by Sapphire Werewolf group | Distribution of a new and updated Amethyst Stealer variant has been observed in the wild. The campaign is attributed to the threat actor known as Sapphire Werewolf. | VIRUS | |
| 12.4.25 | CVE-2025-31161 - CrushFTP authentication bypass vulnerability exploited in the wild | CVE-2025-31161 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting CrushFTP file transfer solution. If successfully exploited, the flaw could grant unauthenticated attackers admin level access to the underlying server via crafted HTTP requests. | VULNEREBILITY | |
| 12.4.25 | Neptune RAT | Neptune RAT is a highly modular, multi-functional remote access Trojan. The malware contains numerous DLL plugins which provide functionality. Available features include, but are not limited to, the following: | VIRUS | |
| 12.4.25 | Salary Adjustment PDF Lure Redirects to AWS-Hosted Outlook Credential Phish | Symantec has observed a new phishing campaign in which threat actors are leveraging PDFs to redirect users to a phishing page hosted on AWS S3. | PHISHING | |
| 12.4.25 | CVE-2025-1094 - PostgreSQL SQL injection vulnerability | CVE-2025-1094 is a recently disclosed high severity (CVSS score 8.1) SQL injection vulnerability affecting PostgreSQL, which is an open-source relational database management system (RDBMS). If successfully exploited, the flaw might lead up to a remote code execution due to improperly sanitized SQL inputs. | ALERTS | VULNEREBILITY |
| 12.4.25 | CVE-2025-30401 | A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. |
VULNEREBILITY |
|
| 12.4.25 | TsarBot | TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications | MALWARE | Bot |
| 12.4.25 | CVE-2024-21762 | A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests |
VULNEREBILITY |
|
| 12.4.25 | CVE-2023-27997 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. |
VULNEREBILITY |
|
| 12.4.25 | CVE-2022-42475 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. |
VULNEREBILITY |
|
| 11.4.25 | Core Werewolf | Core Werewolf hones its arsenal against Russia’s government organizations | GROUP | GROUP |
| 11.4.25 | Venture Wolf | Venture Wolf attempts to disrupt Russian businesses with MetaStealer | GROUP | GROUP |
| 11.4.25 | NOVA | Attackers use a fork of a popular stealer to target Russian companies | GROUP | GROUP |
| 11.4.25 | Bloody Wolf | Bloody Wolf evolution: new targets, new tools | GROUP | GROUP |
| 11.4.25 | Sapphire Werewolf | Sapphire Werewolf refines Amethyst stealer to attack energy companies | GROUP | GROUP |
| 11.4.25 | ZDI-25-246 | MedDream WEB DICOM Viewer Cleartext Transmission of Credentials Information Disclosure Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-245 | MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-244 | MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-243 | MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-242 | MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-241 | Trend Micro Deep Security Agent Link Following Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-240 | Trend Micro Deep Security Anti-Malware Solution Platform Link Following Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-239 | Trend Micro Deep Security Link Following Local Privilege Escalation Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-238 | Trend Micro Apex Central Query Server-Side Request Forgery Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-237 | Trend Micro Apex Central modOSCE Server-Side Request Forgery Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-236 | Trend Micro Apex Central modTMSM Server-Side Request Forgery Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-235 | Ivanti Endpoint Manager OpenRecordSet SQL Injection Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-234 | Microsoft Windows dxkrnl Untrusted Pointer Dereference Local Privilege Escalation Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-233 | Luxion KeyShot Viewer KSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-232 | Luxion KeyShot PVS File Parsing Access of Uninitialized Pointer Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-231 | Luxion KeyShot SKP File Parsing Use-After-Free Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-230 | (Pwn2Own) Samsung Galaxy S24 Smart Switch Agent Improper Verification of Cryptographic Signature Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
| 11.4.25 | ZDI-25-229 | (Pwn2Own) Samsung Galaxy S24 Quick Share Directory Traversal Arbitrary File Write Vulnerability | ZERO-DAY | ZERO-DAY |
| 11.4.25 | ZDI-25-228 | (Pwn2Own) Samsung Galaxy S24 Quick Share Insufficient UI Warning Arbitrary File Write Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-227 | (Pwn2Own) Samsung Galaxy S24 Gaming Hub Exposed Dangerous Method Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-226 | (Pwn2Own) Samsung Galaxy S24 Gaming Hub Improper Input Validation Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-225 | (Pwn2Own) Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-224 | (Pwn2Own) Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-223 | (Pwn2Own) Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 11.4.25 | ZDI-25-222 | (Pwn2Own) Lexmark CX331adwe concatstrings Type Confusion Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-221 | (Pwn2Own) Lexmark CX331adwe httpd extract-trace Link Following Local Privilege Escalation Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-220 | (Pwn2Own) Lexmark CX331adwe basic_auth.cgi PATH_TRANSLATED Directory Traversal Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-219 | (Pwn2Own) Lexmark CX331adwe JBIG2 File Parsing new_image Integer Overflow Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-218 | (Pwn2Own) Lexmark CX331adwe JPEG2000 Memory Corruption Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-217 | (Pwn2Own) Lexmark CX331adwe loadCFFdata Type Confusion Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-216 | (Pwn2Own) Synology TC500 ONVIF Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-215 | (Pwn2Own) Synology DiskStation DS1823xs+ LDAP Client Improper Certificate Validation Authentication Bypass Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-214 | (Pwn2Own) Synology DiskStation DS1823xs+ Vue.JS Improper Neutralization of Argument Delimiters Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-213 | (Pwn2Own) Synology BeeStation BST150-4T Improper Authentication Vulnerability | ZERO-DAY | ZERO-DAY |
| 11.4.25 | ZDI-25-212 | (Pwn2Own) Synology BeeStation BST150-4T Improper Authentication Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-211 | (Pwn2Own) Synology BeeStation BST150-4T Improper Input Validation Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-210 | (Pwn2Own) Synology BeeStation BST150-4T Improper Input Validation Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-209 | (Pwn2Own) Synology BeeStation BST150-4T Cleartext Transmission of Sensitive Information Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-208 | (Pwn2Own) Synology DiskStation DS1823xs+ Replication Service Out-Of-Bounds Write Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 11.4.25 | ZDI-25-207 | (Pwn2Own) Synology BeeStation BST150-4T Command Injection Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
| 11.4.25 | GOFFEE | GOFFEE continues to attack organizations in Russia | GROUP | GROUP |
| 11.4.25 | SpyNote | Newly Registered Domains Distributing SpyNote Malware | MALWARE | Android RAT |
| 11.4.25 | CVE-2025-3102 | The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. |
VULNEREBILITY |
|
| 10.4.25 | Everest Ransomware Group | Threat Actor Profile | GROUP | Ransomware |
| 10.4.25 | GammaSteel | Shuckworm Targets Foreign Military Mission Based in Ukraine | MALWARE | PowerShell |
| 10.4.25 | CVE-2024-0132 | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. |
VULNEREBILITY |
|
| 10.4.25 | AkiraBot | AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale | BOTNET | AI |
| 9.4.25 | GiftedCrook infostealer deployed in UAC-0226 campaign | According to a recent security alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of targeted attacks against various military and governmental entities in Ukraine has been detected. The campaign dubbed as UAC-0226 distributes phishing emails containing .xlsm attachments with malicious macros. | VIRUS | |
| 9.4.25 | CVE-2025-29927 - Next.js middleware authorization bypass vulnerability | CVE-2025-29927 is a recently disclosed vulnerability (CVSS score 9.1) affecting Next.js, which is an open-source web development javascript framework. If successfully exploited, the flaw might allow the attackers for an authorization bypass attack via specially crafted HTTP requests potentially leading to protected content exposure. | VULNEREBILITY | |
| 9.4.25 | This Vidar stealer is not your Sysinternals tool | Vidar is an information stealing malware that has been active since 2018. It is a Malware-as-a-Service offering which has been used by attackers to steal sensitive data, such as credentials stored in browsers, applications, and cloud storage services. | VIRUS | |
| 9.4.25 | EncryptHub attackers leverage MSC files for payload delivery | A recent campaign attributed to EncryptHub (Water Gamayun) group has seen the threat actors to leverage Microsoft Management Console vulnerability (tracked as CVE-2025-26633) files for malicious payload execution. | VIRUS | |
| 9.4.25 | HollowQuill campaign luring users with disguised malicious PDFs | HollowQuill campaign has been targeting academic institutions and government agencies worldwide through weaponized PDF documents. The attack employs social engineering tactics, disguising malicious PDFs as research papers, grant applications, decoy research invitations, or government communiques to entice unsuspecting users. | CAMPAIGN | |
| 9.4.25 | Springtail APT group targets South Korean government entities | The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments. | APT | |
| 9.4.25 | From Phishing to LINE Scams: Rakuten Securities users at risk | Over the past few weeks, a phishing actor has been launching campaign after campaign targeting Rakuten Securities users in an attempt to steal their credentials | PHISHING | |
| 9.4.25 | ModiLoader deployed via .SCR in Taiwanese Freight Impersonation | Malware actors have been abusing Windows screensavers file format (.scr) for some time now. While they might appear harmless, they are essentially executable programs with a different file extension. | VIRUS | |
| 9.4.25 | CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27752 | Microsoft Excel Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29791 | Microsoft Excel Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29809 | Windows Kerberos Security Feature Bypass Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-30406 | Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29824 | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29824 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
VULNEREBILITY |
|
| 9.4.25 | VibeScamming | VibeScamming — From Prompt to Phish: Benchmarking Popular AI Agents’ Resistance to the Dark Side | PHISHING | AI |
| 9.4.25 | TCESB | How ToddyCat tried to hide behind AV software | MALWARE | Rootkit |
| 9.4.25 | CVE-2024-48887 | Unverified password change via set_password endpoint |
VULNEREBILITY |
|
| 9.4.25 | AWS SSM Agent's Plugin ID Validation | Path Traversal Vulnerability in AWS SSM Agent's Plugin ID Validation |
VULNEREBILITY |
|
| 9.4.25 | ClipBanker | Attackers distributing a miner and the ClipBanker Trojan via SourceForge | MALWARE | Trojan |
| 8.4.25 | ZDI-25-206 | Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.4.25 | ZDI-25-205 | Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.4.25 | ZDI-25-204 | GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.4.25 | ZDI-25-203 | GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability |
ZERO-DAY |
|
| 8.4.25 | ZDI-25-202 | Fortinet FortiWeb cgi_xmlprotection_xmlschemafile_post Directory Traversal Arbitrary File Write Vulnerability |
ZERO-DAY |
|
| 8.4.25 | ZDI-25-201 | Trend Micro Cleaner One Pro Link Following Denial-of-Service Vulnerability |
ZERO-DAY |
|
| 8.4.25 | ZDI-25-200 | Exim Use-After-Free Local Privilege Escalation Vulnerability |
ZERO-DAY |
|
| 8.4.25 | Цільова шпигунська активність UAC-0226 у відношенні осередків інновацій, державних і правоохоронних органів з використанням стілеру GIFTEDCROOK (CERT-UA#14303) | Урядовою командою реагування на комп'ютерні надзвичайні події України CERT-UA, починаючи з лютого 2025 року, відстежується цільова активність, яка здійснюється з метою шпигунства у відношенні осередків розвитку інновацій у військовій сфері, військових формувань, правоохоронних органів України та органів місцевого самоврядування, особливо тих, що розташовані вздовж східного кордону країни. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 8.4.25 | CVE-2025-31161 | CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." |
VULNEREBILITY |
|
| 8.4.25 | CVE-2024-53150 | (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure |
VULNEREBILITY |
|
| 8.4.25 | CVE-2024-53197 | (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel |
VULNEREBILITY |
|
|
6.4.25 |
PoisonSeed Campaign | PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation | CAMPAIGN | SPAM |
|
6.4.25 |
Issue that bypasses the "Mark of the Web" security warning function for files when opening a symbolic link that points to an executable file exists in WinRAR versions prior to 7.11. If a symbolic link specially crafted by an attacker is opened on the affected product, arbitrary code may be executed. |
VULNEREBILITY |
||
|
6.4.25 |
Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” |
PAPERS |
MALWARE |
|
|
6.4.25 |
(CVSS score: 7.8) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability |
VULNEREBILITY |
||
|
6.4.25 |
(CVSS score: 6.5) - Microsoft Windows File Explorer Spoofing Vulnerability |
VULNEREBILITY |
||
| 5.4.25 | GRUB2 vulnerabilities | [SECURITY PATCH 00/73] GRUB2 vulnerabilities - 2025/02/18 |
VULNEREBILITY |
|
| 5.4.25 | Multiple deserialization vulnerabilities in PyTorch Lightning 2.4.0 and earlier versions | PyTorch Lightning versions 2.4.0 and earlier do not use any verification mechanisms to ensure that model files are safe to load before loading them. | ALERT | ALERT |
| 4.4.25 | CVE-2024-54085 - AMI MegaRAC BMC authentication bypass vulnerability | CVE-2024-54085 is a critical (CVSS score 10.0) authentication bypass vulnerability affecting AMI MegaRAC Baseboard Management Controller (BMC) which is a remote server management platform. | ALERTS | VULNEREBILITY |
| 4.4.25 | Lockbit 4.0 ransomware | Lockbit 4.0 is the most recent iteration of the infamous ransomware attributed to the threat actor called Syrphid. The ransomware is operated based on a Ransomware-as-a-Service (RaaS) model with various affiliates carrying out the attacks and often employing different tactics, techniques, and procedures (TTPs). | RANSOM | |
| 4.4.25 | RolandSkimmer campaign | A new credit card skimming campaign dubbed RolandSkimmer has been reported by the researchers from Fortinet. The attack starts with .zip archives containing malicious .lnk files being delivered to the intended victims. | CAMPAIGN | |
| 4.4.25 | CVE-2024-4577 makes a return in recent malware campaigns | A high severity CVE (CVSS: 9.8), CVE-2024-4577, has recently been disclosed to be in use in an active malware campaign targeting companies within the APJ region. | ||
| 4.4.25 | Latest Gootloader variant spread via malvertisements | Latest Gootloader variant has been observed to abuse Google Ads platform for distribution. The malware has been leveraging malvertisements directed at users searching for various legal templates such as NDA agreements, etc. | VIRUS | |
| 4.4.25 | CrazyHunter - a new Prince ransomware variant | CrazyHunter is a new Go-based ransomware variant based on the open-source Prince encryptor malware family. The malware encrypts user data and drops ransom note in form of a text file called "Decryption Instructions.txt". This note is written in identical format as the one observed from older Prince ransomware variant deployments. | RANSOM | |
| 4.4.25 | ZDI-25-199 | Autodesk Navisworks Freedom DWFX File Parsing Memory Corruption Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 4.4.25 | ZDI-25-198 |
Autodesk Navisworks Freedom DWFX File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
ZERO-DAY |
ZERO-DAY |
| 4.4.25 | ZDI-25-197 | Autodesk Navisworks Freedom DWFX File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 4.4.25 | Proton66 | Bulletproof Hosting Networks and Proton66 | GROUP | GROUP |
| 4.4.25 | UAC-0219: кібершпигунство з використанням PowerShell-стілеру WRECKSTEEL (CERT-UA#14283) | Урядовою командою реагування на комп'ютерні надзвичайні події України CERT-UA вживаються системні заходи щодо накопичення та проведення аналізу даних про кіберінциденти з метою надання актуальної інформації про кіберзагрози. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 4.4.25 | ClickFix tactic | From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic | HACKING | CRYPTOCURRENCY |
| 4.4.25 | CVE-2025-22457 | April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457) |
VULNEREBILITY |
|
| 4.4.25 | CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue. |
VULNEREBILITY |
|
| 4.4.25 | RaccoonO365 Script Analysis | During our investigation into the RaccoonO365 Phishing-as-a-Service operation, we uncovered a sandbox report revealing a script embedded in an HTML page associated with a RaccoonO365 phishing link. | PHISHING | PHaaS |
| 3.4.25 | New phishing campaign targets Monex Securities users | Lately, Symantec has observed phish runs targeting users of Monex Securities (マネックス証券), one of the Japan's leading online securities company through the merger of Monex, Inc. and Nikko Beans, Inc. The company offers individual investors with different financial services. | PHISHING | |
| 3.4.25 | DarkCloud Stealer via TAR archives in Multi-Sector Spanish Campaign | A company in Spain that specializes in mountain and skiing equipment is being spoofed in an email campaign. The actors behind this attack are targeting Spanish companies and local offices of international organizations. | VIRUS | |
| 3.4.25 | CVE-2024-20439 - Cisco Smart Licensing Utility static credential vulnerability | CVE-2024-20439 is a static credential vulnerability (CVSS score 9.8) affecting Cisco Smart Licensing Utility. If successfully exploited, the flaw could allow attackers to gain administrative privileges for the application's API. | VULNEREBILITY | |
| 3.4.25 | CPU_HU cryptomining malware | A new campaign distributing cryptomining malware dubbed CPU_HU has been reported in the wild. The attackers target vulnerable or misconfigured PostgreSQL instances in efforts to deploy XMRig-C3 cryptominer binaries. Similar malware variant (also known as PG_MEM) has been distributed last year in campaigns attributed to the same threat actors. The most recent campaign implements additional detection evasion techniques including fileless payload execution. | VIRUS | |
| 3.4.25 | Salvador Stealer - a new mobile malware | Salvador Stealer is a newly discovered Android malware variant. The infostealer is spread under the disguise of legitimate mobile banking apps. The malware delivery is a multistage process that uses a separate malicious dropper .apk binary responsible for final payload execution. Salvador Stealer aims at collection and exfiltration of user confidential data including banking details and credentials. | VIRUS | |
| 3.4.25 | Recent activities deploying Konni RAT malware | Konni RAT is a well known remote access trojan (RAT) variant active on the threat landscape for several years. The malware has the functionality to exfiltrate sensitive data from compromised machines, achieve persistence on the infected endpoints and execute remote commands received from attackers. | VIRUS | |
| 3.4.25 | CVE-2024-48248 - NAKIVO Backup and Replication absolute path traversal vulnerability | CVE-2024-48248 is a recently identified absolute path traversal vulnerability (CVSS score 8.6) affecting NAKIVO Backup and Replication solution. If successfully exploited, the flaw might enable unauthenticated attackers to read arbitrary files on the target hosts leading to sensitive information exposure. | VULNEREBILITY | |
| 3.4.25 | CVE-2024-10668 | There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. The root cause of the vulnerability lies in the fact that when a Payload Transfer frame of type FILE is sent to Quick Share, the file that is contained in this frame is written to disk in the Downloads folder. |
VULNEREBILITY |
|
| 3.4.25 | Stripe API Skimming Campaign | Stripe API Skimming Campaign: Additional Victims and Insights | CAMPAIGN | Skimming |
| 3.4.25 | ImageRunner | ImageRunner: A Privilege Escalation Vulnerability Impacting GCP Cloud Run |
VULNEREBILITY |
|
| 2.4.25 | Masslogger Bank-Themed Phishing Primarily Targets Romania, With Broader European Reach | Symantec has observed a Masslogger campaign primarily targeting organizations in Romania, where attackers are impersonating a Romanian bank. In addition to Romanian entities, the campaign has also impacted organizations in several other countries across Europe and beyond. | VIRUS | |
| 2.4.25 | TsarBot Android malware | TsarBot is a new Android banking trojan reported to be targeting over 750 different banking, financial and cryptocurrency-related applications. | VIRUS | |
| 2.4.25 | ZDI-25-196 | Apple macOS ICC Profile Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-195 | Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-194 | Apple macOS AppleIntelKBLGraphics Time-Of-Check Time-Of-Use Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-193 | Apple macOS CoreText Font Glyphs Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-192 | Apple macOS MP4 File Parsing Memory Corruption Remote Code Execution Vulnerability | ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-191 | Apple macOS MP4 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-190 |
Apple macOS MP4 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-189 |
Apple macOS AudioToolbox AMR File Parsing Memory Corruption Remote Code Execution Vulnerability |
ZERO-DAY |
ZERO-DAY |
| 2.4.25 | ZDI-25-188 |
Apple macOS AudioToolboxCore WAV File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability |
ZERO-DAY |
ZERO-DAY |
| 2.4.25 | CPU_HU: Fileless cryptominer | CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims | HACKING | CRYPTOCURRENCY |
| 2.4.25 | Outlaw | Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective | MALWARE | Linux |
| 2.4.25 | HijackLoader | Analyzing New HijackLoader Evasion Tactics |
Loader |
|
| 2.4.25 | Anubis Backdoor | The Savage Ladybug , also known as FIN7, has developed a new, mildly obfuscated Python-based backdoor called Anubis Backdoor . This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine. |
Backdoor |
|
| 2.4.25 | Lucid Phishing-as-a-Service | Lucid is a sophisticated Phishing-as-a-Service (PhAAS) platform operated by Chinese-speaking threat actors, targeting 169 entities across 88 countries globally. With 129 active instances and 1000+ registered domains, Lucid ranks among prominent PhAAS platforms, alongside Darcula and Lighthouse | PHISHING | Platform |
|
1.4.25 |
To achieve persistence on infected systems, Water Gamayun employs two distinct backdoors in their campaigns. In earlier campaigns with encrypthub[.]net/org, they utilized the SilentPrism backdoor, a tool designed for stealthy access and control. In their latest campaign, we identified a new backdoor, which we have named DarkWisp. |
Backdoor |
||
|
1.4.25 |
The MSC EvilTwin loader represents a novel approach (CVE-2025-26633) to malware deployment by leveraging specially crafted Microsoft Saved Console (.msc) files. The MSC EvilTwin loader creates two directories: C:\Windows \System32<space>\ and C:\Windows<space>\System32\en-US. |
Loader |
||
|
1.4.25 |
SilentPrism is a backdoor malware designed to achieve persistence, dynamically execute shell commands, and maintain unauthorized remote control of compromised systems. |
Backdoor |
||
|
1.4.25 |
On July 26, 2024, security researcher Germán Fernández tweeted about a fake WinRAR website distributing various types of malwares, including stealers, miners, hidden virtual network computing (hVNC), and ransomware, as shown. These malicious tools were hosted on a GitHub repository named "encrypthub," managed by a user called "sap3r-encrypthub" |
Stealer |
||
|
1.4.25 |
SnakeKeylogger is an info-stealer malware that harvests credentials and other sensitive data. It targets a wide range of applications such as web browsers like Google Chrome, Mozilla Firefox, and email clients such as Microsoft Outlook and Thunderbird. |
|||
|
1.4.25 |
Crocodilus is a new mobile banking trojan variant identified recently on the threat landscape. The malware has extensive remote control and infostealing functionalities, allowing the attackers for application overlay attacks, remote access to the compromised devices, theft of credentials/data stored on the mobile device, keylogging and execution of commands received from C2 servers, among others. |
|||
|
1.4.25 |
CoffeeLoader is a new sophisticated malware loader designed to implement secondary payloads while evading detection. This loader leverages a packer that executes code on a system’s GPU. CoffeeLoader can establish persistence via the Windows Task Schedule and can maintain persistence via a scheduled task with a hard-coded name. |
|||
|
1.4.25 |
MassLogger Targets Businesses Worldwide via Procurement-themed Phishing |
MassLogger, an information-stealing malware designed to capture credentials, keystrokes, and clipboard data from victims, has been gaining prevalence in the threat landscape, with campaigns of various sizes and victimology observed worldwide. |
||
|
1.4.25 |
The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques |
CyberSpionage |
||
|
1.4.25 |
(CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges |
VULNEREBILITY |
||
|
1.4.25 |
(CVSS score: 4.6) - An authorization issue in the Accessibility component that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack |
VULNEREBILITY |
||
|
1.4.25 |
(CVSS score: 8.8) - An out-of-bounds write issue in the WebKit component that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandbox |
VULNEREBILITY |
||
|
31.3.25 |
CISA analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. One file—that CISA is calling RESURGE—has functionality similar to SPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). |
ICS |
||
|
31.3.25 |
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
VULNEREBILITY |
||
|
29.3.25 |
Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices |
ANDROID |
||
|
29.3.25 |
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. |
VULNEREBILITY |
||
|
29.3.25 |
Multiple Cloudflare services, including R2 object storage, experienced an elevated rate of errors for 1 hour and 7 minutes on March 21, 2025 (starting at 21:38 UTC and ending 22:45 UTC). |
INCIDENT |
||
|
29.3.25 |
A browser-in-the-browser (BitB) attack is a new phishing technique that simulates a login window with a spoofed domain within a parent browser window to steal credentials. |
PHISHING |
||
|
29.3.25 |
NTLM Hash Disclosure Spoofing Vulnerability |
VULNEREBILITY |
||
|
29.3.25 |
Windows Themes Spoofing Vulnerability |
VULNEREBILITY |
||
|
29.3.25 |
Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor's Infrastructure |
RANSOMWARE |
||
|
28.3.25 |
ANALYSIS OF A DISCORD-BASED REMOTE ACCESS TROJAN (RAT) |
RAT |
||
|
28.3.25 |
Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques |
RAT |
||
|
28.3.25 |
Juniper Routers, Network Devices Targeted with Custom Backdoors |
MALWARE |
||
|
28.3.25 |
Gamaredon campaign abuses LNK files to distribute Remcos backdoor |
MALWARE |
||
|
28.3.25 |
Remcos backdoor distributed in the latest campaign attributed to Shuckworm APT |
A new campaign attributed to the Shuckworm APT (aka Gamaredon) has been reported by researchers from Cisco Talos. According to the released report, the attackers are targeting users from Ukraine with malicious .LNK files and PowerShell downloaders before infecting them with Remcos RAT payload. |
||
|
28.3.25 |
Argenta is a bank based in Belgium and also operates in the Netherlands and Luxembourg. Recently, Symantec has detected a new wave of phish runs spoofing Argenta's bank services with fake account notifications. |
|||
|
28.3.25 |
RALord is a new Rust-based ransomware variant identified in the wild. The malware encrypts user data and appends ".RALord" extension to the names of the locked files. |
|||
|
28.3.25 |
SnakeKeylogger | SnakeKeylogger – A Multistage Info Stealer Malware Campaign | MALWARE | Keylogger |
|
28.3.25 |
CoffeeLoader | CoffeeLoader: A Brew of Stealthy Techniques | MALWARE | Loader |
|
28.3.25 |
2025-03-26 -- SmartApeSG traffic for fake browser update leads to NetSupport RAT and StealC |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
|
28.3.25 |
VIPKeyLogger Targets Japan’s Corporate Sector | VIPKeyLogger, a stealthy keylogging malware, has been observed in two phishing campaigns targeting Japanese organizations and international companies with local offices in Japan. | ALERTS | VIRUS |
|
28.3.25 |
PJobRAT Android malware | A new campaign distributing PJobRAT malware for Android has been discovered by the researchers from Sophos. The campaign targets mostly the mobile users from Taiwan and aims at collection and exfiltration of sensitive data including SMS messages, contact lists as well as documents and media file stored on the compromised devices. | ALERTS | VIRUS |
|
28.3.25 |
CVE-2025-24799 - SQL injection vulnerability in GLPI | CVE-2025-24799 is a recently identified SQL injection vulnerability affecting GLPI, which is a popular and open-source IT Service Management (ITSM) software. | VULNEREBILITY | |
|
28.3.25 |
PJobRAT | PJobRAT makes a comeback, takes another crack at chat apps | MALWARE | ANDROID RAT |
|
28.3.25 |
CVE-2025-2783 | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) |
VULNEREBILITY |
|
|
28.3.25 |
CVE-2025-2857 | Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. |
VULNEREBILITY |
|
|
28.3.25 |
Morphing Meerkat | A Phishing Tale of DoH and DNS MX Abuse | PHISHING | PHaaS |
|
28.3.25 |
EDRKillShifter | Shifting the sands of RansomHub’s EDRKillShifter | MALWARE | Tool |
|
27.3.25 |
CVE-2025-29891 - Bypass/Injection vulnerability in Apache Camel | CVE-2025-29891 is a second recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. If successfully exploited, the flaw might enable the remote attackers to inject arbitrary parameters in the HTTP requests that are sent to the Camel application. | ALERTS | VULNEREBILITY |
|
27.3.25 |
New Go-based ReaderUpdate macOS malware variant | A new Go-based strain of the macOS malware dubbed ReaderUpdate has been discovered in the wild. Previous variants of this malware were based on Crystal, Nim and Rust programming languages. | ALERTS | VIRUS |
|
27.3.25 |
Phishing Surge Targets Rakuten Securities Users | In recent weeks, there has been an increase in phishing campaigns targeting users of Rakuten Securities (楽天証券), one of Japan’s largest and most well-established online brokerage firms. The company offers a wide range of investment services, including stocks, ETFs, mutual funds, futures, options, forex trading, and NISA (Japan’s tax-advantaged investment accounts). | ALERTS | PHISHING |
|
27.3.25 |
New Android malware leverages .NET MAUI framework for detection evasion | A new Android malware variant leveraging .NET MAUI framework has been identified in the wild. .NET MAUI is a cross-platform framework used to build native, desktop and mobile apps with C# and XAML. | VIRUS | |
|
27.3.25 |
PlayBoy Locker Ransomware | PlayBoy Locker is a ransomware variant discovered last September and initially distributed in form of a Ransomware-as-a-Service (RaaS) offering. The ransomware platform offered multi-OS support including Windows, NAS and ESXi operating systems. | RANSOM | |
|
27.3.25 |
APT36 TURNING AID INTO ATTACK | TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA | APT | BLOG |
|
27.3.25 |
UI/UX changes | Over 150K websites hit by full-page hijack linking to Chinese gambling sites | HACKING | INJECT |
|
27.3.25 |
CVE-2020-8515 | (CVSS score: 9.8) — An operating system command injection vulnerability in multiple DrayTek router models that could allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2021-20123 | (CVSS score: 7.5) — A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2021-20124 | (CVSS score: 7.5) — A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2019-9874 | (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2019-9875 | (CVSS score: 8.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2025-26512 | CVE-2025-26512 Privilege Escalation Vulnerability in SnapCenter |
VULNEREBILITY |
|
|
27.3.25 |
FamousSparrow | You will always remember this as the day you finally caught FamousSparrow | GROUP | APT |
|
26.3.25 |
ZDI-25-187 | (0Day) BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-186 | (0Day) BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-185 | (0Day) BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-184 | (0Day) BEC Technologies Multiple Routers Authentication Bypass Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-183 | (0Day) Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-182 | (0Day) Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-181 | (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-180 | (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-179 | (0Day) CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-178 | (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-177 | (0Day) CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
ZDI-25-176 | (0Day) CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability | ZERO-DAY | ZERO-DAY |
|
26.3.25 |
CVE-2025-24813 - Critical path equivalence RCE vulnerability in Apache Tomcat | Security researchers have observed active exploitation attempts of CVE-2025-24813, a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat, an open-source servlet container and web server for Java applications. The flaw, caused by a path equivalence issue, allows attackers to bypass security constraints and execute arbitrary code remotely. | ALERTS | VULNEREBILITY |
|
26.3.25 |
Dragon RaaS Group: Ransomware targeting the US and European countries | Dragon RaaS, a ransomware group that emerged in July 2024, primarily targets organizations in the US, Israel, UK, France and Germany. The group leverages web application vulnerabilities, brute-force attacks and stolen credentials as its main attack vectors using two ransomware variants: a Windows-focused encryptor, likely a modified version of StormCry and a PHP webshell which provides both backdoor functionality and persistent ransomware capabilities. | ALERTS | RANSOM |
|
26.3.25 |
New JS downloader observed in recent malspam campaign | Symantec has observed a new email campaign delivering a JavaScript downloader as an attachment. The JS arrives under various filenames in an email with variable subjects. | ALERTS | VIRUS |
|
26.3.25 |
Funnelweb attack group targets victims in Operation FishMedley | The China-backed advanced persistent threat group known as Funnelweb (aka Aquatic Panda, Earth Lusca, FishMonger) was responsible for an extensive campaign identified as Operation FishMedley. The campaign targeted entities including governments, NGOs, and think tanks across numerous countries. | OPERATION | |
|
26.3.25 |
CVE-2025–26319 - Flowise Pre-Auth arbitrary file upload vulnerability | CVE-2025–26319 is a recently disclosed pre-auth arbitrary file upload vulnerability affecting Flowise, which is a popular open source tool for developers to build customized LLM (Large Language Model) orchestration flows and AI agents. | VULNEREBILITY | |
|
26.3.25 |
FogDoor backdoor delivery campaign | A new campaign targeting Polish-speaking job-seeking developers has been reported to deliver a new backdoor variant dubbed FogDoor. The attackers lure the victims with a fake recruitment test that leads to a download of a .iso archive containing a malicious .lnk file. The executed .lnk file runs a PowerShell script responsible for installing the malware payload. | ALERTS | VIRUS |
|
26.3.25 |
CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin | Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data. |
VULNEREBILITY |
|
|
26.3.25 |
CVE-2025-26633 | Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally. |
VULNEREBILITY |
|
|
26.3.25 |
RedCurl | In mid to late 2024, Huntress uncovered activity across several organizations in Canada, with similar infrastructure and TTPs used that can be associated with the APT group known as RedCurl (aka Earth Kapre and Red Wolf). This activity goes back as far as November 2023 in the hosts observed by Huntress. | GROUP | APT |
|
26.3.25 |
CVE-2025-2783 | The Stable channel has been updated to 134.0.6998.177/.178 for Windows which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. |
VULNEREBILITY |
|
|
26.3.25 |
Inside Atlantis AIO | Inside Atlantis AIO: Credential Stuffing Across 140+ Platforms | CRIME | CRIME |
|
26.3.25 |
CVE-2025-22230 | VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM. |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2024-56346 & CVE-2024-56347 - recent IBM AIX OS vulnerabilities | CVE-2024-56346 and CVE-2024-56347 are two recently disclosed critical (CVSS score 10.0 and 9.6 respectively) vulnerabilities affecting IBM AIX operating system. | ALERTS | VULNEREBILITY |
|
25.3.25 |
SVCStealer malware | SVCStealer is a new C++based infostealing malware identified in the wild. The infostealer collects various sensitive information from the infected endpoints such as system information, credentials, cryptocurrency wallets, data stored in browsers, screenshots, data from messaging applications (Discord, Tox, Telegram) or VPN apps, and others. | ALERTS | VIRUS |
|
25.3.25 |
Raspberry Robin | Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks | MALWARE | Worm |
|
25.3.25 |
Elephant Beetle | Elephant Beetle: Uncovering an Organized Financial-Theft Operation | GROUP | GROUP |
|
25.3.25 |
Operational Relay Box (ORB) | An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured | OPERATION | OPERATION |
|
25.3.25 |
Weaver Ant | Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation | GROUP | GROUP |
|
25.3.25 |
.NET MAUI | New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI | CAMPAIGN | Malware |
|
25.3.25 |
CVE-2025-24513 | (CVSS score: 4.8) – An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-24514 | (CVSS score: 8.8) – The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-1097 | (CVSS score: 8.8) – The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-1098 | (CVSS score: 8.8) – The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-1974 | (CVSS score: 9.8) – An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions |
VULNEREBILITY |
|
|
24.3.25 |
VanHelsing RaaS Launch | VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program launched on March 7, 2025. The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. | RANSOMWARE | RaaS |
|
24.3.25 |
CVE-2025-29927 | Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2024-48248 | NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2024-20439 | Cisco Smart Licensing Utility Static Credential Vulnerability |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2024-20440 | Cisco Smart Licensing Utility Information Disclosure Vulnerability |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2025-30154 | reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2025-30066 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
VULNEREBILITY |
|
|
22.3.25 |
New variants of the Albabat ransomware implement multi-OS capabilities | A new strain of the Albabat ransomware has been reported to offer multi-OS support, according to latest report from Trend Micro. New Albabat variant is still under active development and it adds Linux and macOS to the list of the targeted platforms. | ALERTS | RANSOM |
|
22.3.25 |
New phishing campaign targets Pocket Card users | Symantec has detected a phishing campaign targeting Japanese users with fake Pocket Card notification emails. The emails use the subject line: | PHISHING | |
|
22.3.25 |
VanHelsing Ransomware | VanHelsing is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends .vanhelsing or .vanlocker extension to the locked files. VanHelsing drops the ransom note in form of a text file called “README.txt” and it is also able to modify the desktop wallpaper. | RANSOM | |
|
22.3.25 |
Campaign impersonating travel bookings site using “ClickFix" technique | A phishing campaign impersonating Booking.com to deliver credential stealing malware has been observed targeting hospitality organizations in Asia, North America, Oceania, and Europe. The attackers send fake emails impersonating the online travel agency. | ALERTS | CAMPAIGN |
|
22.3.25 |
Recent UAT-5918 APT malicious activities targeting entities in Taiwan | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. | APT | |
|
22.3.25 |
DarkCrystal RAT distributed in malicious campaign UAC-0200 | According to a recent alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of attacks against the defense sector in Ukraine has been detected. The campaign dubbed as UAC-0200 distributes malicious messages via the Signal messenger leading the victims to execution of DarkTortilla loader, which in turn decrypts and runs the DarkCrystal RAT (aka DCRat) payload. | VIRUS | |
|
22.3.25 |
Custom Betruger backdoor deployed by RansomHub affiliate | The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate. RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. | ||
|
21.3.25 |
Bloody Wolf | The notorious cluster changes its toolkit by switching from malware to a legitimate remote administration tool | MALWARE | Toolkit |
|
21.3.25 |
ABYSSWORKER | Shedding light on the ABYSSWORKER driver | MALWARE | Driver |
|
21.3.25 |
Operation FishMedley | ESET researchers detail a global espionage operation by FishMonger, the APT group run by I‑SOON | OPERATION | OPERATION |
|
21.3.25 |
UAT-5918 | UAT-5918 targets critical infrastructure entities in Taiwan | GROUP | GROUP |
|
21.3.25 |
Trusted relationship attacks | Trusted relationship attacks: trust, but verify | ATTACK | ATTACK |
|
21.3.25 |
-=TWELVE= | -=TWELVE=- is back | GROUP | GROUP |
|
21.3.25 |
Head Mare | Head Mare: adventures of a unicorn in Russia and Belarus | GROUP | GROUP |
|
21.3.25 |
Arcane stealer | What’s intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla and DynDNS. The stealer was named Arcane, not to be confused with the well-known Arcane Stealer V. | MALWARE | Stealer |
|
21.3.25 |
CVE-2024-20439 | (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-20440 | (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-56347 | (CVSS score: 9.6) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-56346 | (CVSS score: 10.0) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2025-23120 | A vulnerability allowing remote code execution (RCE) by authenticated domain users. |
VULNEREBILITY |
|
|
20.3.25 |
ZDI-25-175 | (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
20.3.25 |
ZDI-25-174 | (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
20.3.25 |
ZDI-25-173 | (0Day) Luxion KeyShot DAE File Parsing Access of Uninitialized Pointer Remote Code Execution Vulnerability | ZERO-DAY | ZERO-DAY |
|
20.3.25 |
Paragon's Adroid Spyware | Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations | MALWARE | Android |
|
20.3.25 |
CVE-2025-1316 | (CVSS score: 9.3) - Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (Unpatched due to the device reaching end-of-life) |
VULNEREBILITY |
|
|
20.3.25 |
CVE-2017-12637 | (CVSS score: 7.5) - SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string |
VULNEREBILITY |
|
|
20.3.25 |
New Steganographic malware campaign exploits JPEG files to distribute Infostealers | A new steganographic malware campaign has been identified, using JPEG image files to distribute various infostealer malwares. The attack starts by luring users into downloading an obfuscated JPEG file, which contains hidden malicious scripts and executables. | ALERTS | VIRUS |
|
20.3.25 |
Fake captchas entice users to run malicious commands for rootkit deployment | Another fake captcha campaign is resulting in rootkits being deployed to unsuspecting victims. The attack is spread via fake captchas that impersonate popular software tools and websites, the captcha copies a malicious powershell command using curl to the users clipboard and provides instructions on how to run it to prove they are human. | VIRUS | |
|
20.3.25 |
CVE-2024-27564 - ChatGPT commit f9f4bbc SSRF vulnerability exploited in the wild | New reports emerged about threat actors actively exploiting an older Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-27564) affecting OpenAI’s ChatGPT. | VULNEREBILITY | |
|
20.3.25 |
NailaoLocker Ransomware | NailaoLocker is a ransomware variant distributed last year in campaigns targeting various European healthcare organizations. The attackers responsible for the attacks have been leveraging previously disclosed Check Point Security Gateway vulnerability CVE-2024-24919 in the initial attack stages. | RANSOM | |
|
20.3.25 |
AnubisBackdoor: New Python-based malware linked to Coreid APT group | A relatively new backdoor malware dubbed AnubisBackdoor has been spotted in the wild. This Python-based backdoor is attributed to the Savage Ladybug group, which is reportedly connected to the notorious Coreid (aka Fin7) APT group. | ALERTS | VIRUS |
|
20.3.25 |
CVE-2025-27636 - Apache Camel Message Header Injection vulnerability | CVE-2025-27636 is a recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. | VULNEREBILITY | |
|
20.3.25 |
StilachiRAT malware | StilachiRAT is a new remote access trojan variant discovered recently by researchers from Microsoft. The malware possesses extensive remote control as well as infostealing capabilities. | ALERTS | VIRUS |
|
20.3.25 |
Black Basta Ransomware | Analysis of Black Basta Ransomware Chat Leaks | RANSOMWARE | ANALYSIS |
|
20.3.25 |
UAC-0200: Шпигунство за оборонно-промисловим комплексом за допомогою DarkCrystal RAT (CERT-UA#14045) | Урядовою командою реагування на компʼютерні надзвичайні події CERT-UA фіксуються непоодинокі випадки здійснення цільових кібератак як у відношенні співробітників підприємств оборонно-промислового комплексу, так й окремих представників Сил оборони України. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
|
20.3.25 |
CVE-2024-4577 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. |
VULNEREBILITY |
|
|
20.3.25 |
PEAKLIGHT | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware | MALWARE | DROPPER |
|
20.3.25 |
Auto Dealership Supply Chain Attack | Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. | HACKING | MALWARE |
|
20.3.25 |
ClearFake | ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery | MALWARE | JAVASCRIPT |
|
20.3.25 |
ClearFake | ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery | CAMPAIGN | MALWARE |
|
19.3.25 |
Protection Highlight: Thwarting Ransomware with Carbon Black Endpoint Standard | Today's ransomware is innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and fileless techniques. | ALERTS | RANSOM |
|
19.3.25 |
JPHP downloader uncovered | A new downloader compiled with JPHP was recently observed. JPHP is an interpreter that allows PHP scripts to execute in a Java Virtual Machine. This particular malware was originally delivered in a ZIP file and leveraged Telegram for its C2 communications. Potential downloaded payloads include infostealers such as Danabot. | VIRUS | |
|
19.3.25 |
VenomRat malware campaign uses VHD files for data exfiltration | A VenomRat malware campaign using VHD files has been observed in the wild. The attack begins with a phishing email containing an archive attachment disguised as a purchase order to lure users. Inside the archive there is a .vhd file which mounts itself as a hard disk when opened. | CAMPAIGN | |
|
19.3.25 |
New XCSSET macOS malware variant discovered | According to recent reports, a new variant of XCSSET, the macOS modular malware, has been observed by researchers at Microsoft. First discovered in 2020, XCSSET is a sophisticated modular malware known to target users by infecting Apple Xcode projects. | ||
|
19.3.25 |
A new Sobolan malware campaign | Threat Actors use compromised interactive computing environments like Jupyter Notebooks to spread Sobolan malware in a multi stage attack. | ALERTS | CAMPAIGN |
|
19.3.25 |
Rules File Backdoor | New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents | ATTACK | AI |
|
19.3.25 |
CVE-2025-20061 | An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing an email parameter |
VULNEREBILITY |
|
|
19.3.25 |
CVE-2025-20014 | An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing a version parameter |
VULNEREBILITY |
|
|
19.3.25 |
CVE-2025-30066 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
VULNEREBILITY |
|
|
19.3.25 |
ZDI-CAN-25373 | (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability | Zero-Day | Zero-Day |
|
19.3.25 |
CVE-2024-54085 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. |
VULNEREBILITY |
|
|
19.3.25 |
Operation AkaiRyū | Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor | OPERATION | OPERATION |
|
19.3.25 |
BADBOX 2.0 | Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes | BOTNET | BOTNET |
|
18.3.25 |
StilachiRAT | StilachiRAT analysis: From system reconnaissance to cryptocurrency theft | MALWARE | RAT |
|
18.3.25 |
CVE-2025-24813 | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. |
VULNEREBILITY |
|
|
17.3.25 |
CVE-2025-1316 | Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device |
VULNEREBILITY |
|
|
17.3.25 |
CVE-2025-30066 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
VULNEREBILITY |
|
|
16.3.25 |
Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs |
ENCRYPTED |
||
|
16.3.25 |
Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices |
VPN |
||
|
16.3.25 |
A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. |
VULNEREBILITY |
||
|
16.3.25 |
THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool |
TOOL |
||
|
16.3.25 |
New Ransomware Operator Exploits Fortinet Vulnerability Duo |
RANSOMWARE |
||
|
16.3.25 |
An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device. |
VULNEREBILITY |
||
|
16.3.25 |
A new variant of the OctoV2 Android banking malware has been spread recently under the disguise of a DeepSeek AI mobile app. DeepSeek is a recently released AI-powered chatbot, much similar to the well known ChatGPT. |
AI |
||
|
14.3.25 |
SuperBlack is a new ransomware variant based on the leaked Lockbit builder. According to recent reports, a newly observed distribution of this malware has been attributed to the threat actor dubbed as Mora_001 (a possible Lockbit affiliate). |
|||
|
14.3.25 |
LithiumWare is a new ransomware strain observed in the wild. The malware encrypts user data and appends random four-character extensions to the locked files. |
|||
|
14.3.25 |
Vedalia threat group tied to new Android spyware called KoSpy |
KoSpy is a recently discovered Android spyware that has been associated with the North Korean APT Vedalia (also known as APT37 ScarCruft). The spyware was observed masquerading as numerous utility applications to entice/trick its victims. |
||
|
14.3.25 |
Since its identification in late 2024, the Hellcat Ransomware Group has emerged as a prominent Ransomware-as-a-Service (RaaS) threat claiming attacks on critical national infrastructure and government organizations. |
|||
|
14.3.25 |
An email campaign targeting organizations in the UAE associated with aviation and satellite communications has been reported. The attack leveraged a compromised email account from an Indian electronics firm to send malicious emails aimed at luring victims. |
|||
|
14.3.25 |
Captain MassJacker Sparrow: Uncovering the Malware’s Buried Treasure |
Cryptojacking |
||
|
14.3.25 |
Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits |
Rootkit |
||
|
13.3.25 |
DocSwap is a new mobile malware variant distributed under the disguise of a "document viewing authentication" mobile app. |
|||
|
13.3.25 |
A new campaign distributing scam crypto investment platforms |
A new campaign spreading fraudulent cryptocurrency investment platforms has been reported by researchers from Palo Alto. The attackers leverage websites and Android mobile apps masqueraded as known brands of retail stores, financial institutions or technology companies to lure their victims. |
||
|
13.3.25 |
CVE-2025-25181 - Advantive VeraCore SQL Injection vulnerability |
CVE-2025-25181 is a SQL Injection vulnerability affecting Advantive VeraCore, which is an order fulfillment and warehouse management software. If successfully exploited, the flaw might allow the remote attackers to execute arbitrary SQL commands via the PmSess1 parameter and gain unauthorized access to sensitive data. |
||
|
13.3.25 |
Ballista botnet targets TP-Link Archer routers via vulnerability exploitation |
A new botnet dubbed Ballista has targeted organizations in Australia, China, Mexico, and the US focusing on healthcare, manufacturing, services, and technology sectors. |
||
|
13.3.25 |
Credential Theft Campaign Disguised as Construction Quote Requests |
An actor has been running a large phishing campaign, targeting businesses with emails disguised as requests for quotations. The emails, sent from multiple Outlook, Live, Hotmail, and MSN addresses, urge recipients to review an attached document, claiming it contains the scope of work for an urgent project. |
||
|
13.3.25 |
PlayPraetor is a mobile malware recently distributed via fake Play Store websites. Many of the observed fraudulent domains leverage typo-squatting techniques to lure the unsuspecting victims into downloading the malicious binaries. |
|||
|
13.3.25 |
CVE-2024-32444 and CVE-2024-32555 - WordPress RealHome and Easy Real Estate Plugin vulnerabilities |
CVE-2024-32444 and CVE-2024-32555 are two recently disclosed vulnerabilities affecting WordPress RealHome and WordPress Easy Real Estate Plugin respectively. |
||
|
13.3.25 |
Blind Eagle (aka APT-C-36), is a threat actor group that engages in both espionage and cyber-crime. It primarily targets organizations in Colombia and other Latin American countries focusing on government institutions, financial organizations, and critical infrastructure. |
|||
|
13.3.25 |
Malvertising campaign found in pirate streaming sites leading to infostealers |
A malvertising campaign has been recently disclosed by Microsoft. The malicious actors start by injecting malvertising redirectors into videos hosted on pirate streaming sites. |
||
|
13.3.25 |
A new wave phishing is making rounds in South Korea, disguising itself as an official email from the Korean National Tax Service (NTS). The email claims to contain an electronic tax invoice and includes an HTML attachment named NTS_eTaxInvoice.html. |
|||
|
13.3.25 |
Malicious operations attributed to the EncryptHub threat actor |
EncryptHub is a new threat actor engaging in malicious operations distributing ransomware and infostealers (StealC, Rhadamanthys) to the unsuspecting victims. |
||
|
13.3.25 |
A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. |
|||
|
13.3.25 |
Lookout Discovers New Spyware by North Korean APT37 |
Spyware |
||
|
13.3.25 |
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) |
VULNEREBILITY |
||
|
13.3.25 |
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential) |
VULNEREBILITY |
||
|
13.3.25 |
n out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
VULNEREBILITY |
||
|
13.3.25 |
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers |
GROUP |
||
|
12.3.25 |
(CVSS score: 7.5) - DotNetNuke |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 9.8) - Zimbra Collaboration Suite |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 5.3) - VMware vCenter |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.5) - VMware Workspace ONE UEM |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 9.8) - GitLab CE/EE |
VULNEREBILITY |
||
|
12.3.25 |
CVSS score: 8.6) - GitLab CE/EE |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.5) - GitLab CE/EE |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 9.8) - ColumbiaSoft DocumentLocator |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.5) - BerriAI LiteLLM |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 8.2) - Ivanti Connect Secure |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.0) - A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 4.6) - A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.8) - An integer overflow vulnerability in Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 5.5) - An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.8) - A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
||
|
12.3.25 |
(CVSS score: 7.0) - An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally |
VULNEREBILITY |
||
|
12.3.25 |
This document lists security updates and Rapid Security Responses for Apple software. |
Update |
||
|
12.3.25 |
Blind Eagle: …And Justice for All |
APT |
||
|
11.3.25 |
A new campaign distributing Poco RAT to Spanish-speaking users in Latin America has been reported in the wild. The campaign has been attributed to the Darkling APT (aka Dark Caracal). The group is known to leverage Bandook-based backdoors in their attacks. |
|||
|
11.3.25 |
CVE-2024-13159 - Ivanti Endpoint Manager (EPM) Absolute Path Traversal vulnerability |
CVE-2024-13159 is a critical (CVSS score 9.8) absolute path traversal vulnerability affecting the Ivanti Endpoint Manager (EPM) software. If successfully exploited, the flaw might allow a remote unauthenticated attacker to leak sensitive information. |
||
|
11.3.25 |
Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers |
BOTNET |
||
|
11.3.25 |
SideWinder targets the maritime and nuclear sectors with an updated toolset |
APT |
||
|
11.3.25 |
An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx |
VULNEREBILITY |
||
|
11.3.25 |
An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands |
VULNEREBILITY |
||
|
11.3.25 |
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
VULNEREBILITY |
||
|
11.3.25 |
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
VULNEREBILITY |
||
|
11.3.25 |
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
VULNEREBILITY |
||
|
11.3.25 |
Moxa’s Ethernet switch is vulnerable to an authentication bypass because of flaws in its authorization mechanism. Although both client-side and back-end server verification are involved in the process, attackers can exploit weaknesses in its implementation. |
VULNEREBILITY |
||
|
10.3.25 |
Strela Stealer is a malware infostealer typically distributed through phishing campaigns affecting users in Italy, Germany, Spain, and Ukraine. It is designed to target specific email clients (notably Microsoft Outlook and Mozilla Thunderbird) and exfiltrate email login credentials. |
|||
|
10.3.25 |
Boramae is a new ransomware discovered just recently in the threat landscape and a suspected variant of the Beast aka BlackLockbit malware family. The malware encrypts user files and appends ".boramae" to them. |
|||
|
10.3.25 |
Phantom-Goblin is the name of a malicious infostealing campaign recently identified in the wild. The attackers responsible are leveraging social engineering techniques luring victims into execution of malicious .LNK files. |
|||
|
10.3.25 |
Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. |
|||
|
10.3.25 |
Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension |
HACKING |
||
|
10.3.25 |
Desert Dexter. Attacks on Middle Eastern countries |
Malware |
||
|
10.3.25 |
Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool |
CRYPTOCURRENCY |
||
|
9.3.25 |
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory). |
VULNEREBILITY |
||
|
9.3.25 |
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device |
VULNEREBILITY |
||
|
8.3.25 |
Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes |
Android |
||
|
8.3.25 |
We’re aware that phishers have been sharing private videos to send false videos, including an AI generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. |
PHISHING |
||
|
8.3.25 |
Snail Mail Fail: Fake Ransom Note Campaign Preys on Fear |
Ransom |
||
|
8.3.25 |
Inside Zloader’s Latest Trick: DNS Tunneling |
Loader |
||
|
8.3.25 |
TMPN (Skuld) Stealer: The dark side of open source |
Stealer |
||
|
8.3.25 |
Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity |
AI |
||
|
8.3.25 |
(EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. In the attacks it has carried out, it exhibits a different operational strategy by carrying out all the processes necessary to obtain initial access through personalized SMS (smishing) or by calling the person directly (vishing) and tricking the victim into installing remote monitoring and management (RMM) software. |
GROUP |
||
|
8.3.25 |
(a.k.a Sardonic Backdoor) is a sophisticated toolkit of the Monstrous Mantis |
Loader |
||
|
7.3.25 |
Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. |
|||
|
7.3.25 |
Latest Njrat variant uses Microsoft Dev Tunnels for C2 communications |
A new variant of the NjRAT malware has been reported in the wild. NjRAT (also known as Bladabindi or Ratenjay) is an older but still widely used Remote Access Trojan (RAT). This malware is often used to extract data from the compromised endpoints, send commands via remote shell, manipulate the registry as well as download additional payloads. |
||
|
7.3.25 |
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. |
|||
|
7.3.25 |
A new campaign targeting ISP infrastructure with infostealers |
A new campaign targeting ISP (Internet service providers) infrastructure with infostealers and cryptocurrency miners has been reported in the wild. In the initial attack stages the threat actors are leveraging brute force attacks to access the vulnerable environments. |
||
|
7.3.25 |
Unmasking the new persistent attacks on Japan |
Kit |
||
|
7.3.25 |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions |
VULNEREBILITY |
||
|
7.3.25 |
The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. |
RANSOMWARE |
||
|
7.3.25 |
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role |
VULNEREBILITY |
||
|
7.3.25 |
Unveiling EncryptHub: Analysis of a multi-stage malware campaign |
RAT |
||
|
7.3.25 |
Thousands of websites hit by four backdoors in 3rd party JavaScript attack |
JavaScript |
||
|
6.3.25 |
Silk Typhoon targeting IT supply chain |
APT |
||
|
6.3.25 |
The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT |
RAT |
||
|
6.3.25 |
The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT |
APT |
||
|
6.3.25 |
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools |
APT |
||
|
5.3.25 |
In a new report, researchers at Fortinet have detailed a phishing campaign that was used to deliver Havoc malware. Havoc is a malicious framework, akin to Cobalt Strike, that is actively leveraged to compromise victims. |
|||
|
5.3.25 |
Danger & Loches - recent Globeimposter ransomware variants seen in the wild |
Dange and Loches are the two most recently identified variants of the Globeimposter ransomware family. The malware will encrypt user data and append .danger or .loches extension to the locked files respectively. |
||
|
5.3.25 |
GrassCall malware campaign spreads infostealers to job seekers |
GrassCall is a recently identified campaign attributed to the threat group known as Crazy Evil. The attack has been targeting job seekers with fake job interviews in efforts to distribute malicious executables used for infostealing. |
||
|
5.3.25 |
CVE-2024-12356 is a critical (CVSS score 9.8) command injection vulnerability affecting the BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS) software. If successfully exploited, the flaw might allow an unauthenticated attacker to inject commands that are run as a site user. |
|||
|
5.3.25 |
Leveraging malicious LNK files and Null-AMSI tool to deliver AsyncRAT |
A malware campaign using malicious LNK files disguised as wallpapers to lure users has been observed. As part of the attack vector, the open-source Null-AMSI tool is employed to bypass malware scanning interfaces (AMSI) and Event Tracing for Windows (ETW). |
||
|
5.3.25 |
The Winos4.0 malware framework has been used by threat groups to perpetrate attacks against intended victims. In a recent report from Fortinet, they have outlined an attack observed against users in Taiwan, using a tax related lure to distribute Winos4.0 malware. |
|||
|
5.3.25 |
Fake browser updates being distributed through malicious redirects |
Security researchers have observed recent malware campaigns utilizing web-based malware distribution via compromised sites rather than relying solely on email-based attacks to spread malicious links. |
||
|
5.3.25 |
Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems |
Go |
||
|
5.3.25 |
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal |
RANSOMWARE |
||
|
5.3.25 |
Qbot is Back.Connect |
Stealer |
||
|
5.3.25 |
(CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host |
VULNEREBILITY |
||
|
5.3.25 |
(CVSS score: 8.2) - An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape |
VULNEREBILITY |
||
|
5.3.25 |
(CVSS score: 7.1) - An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process |
VULNEREBILITY |
||
|
5.3.25 |
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware |
Go |
||
|
5.3.25 |
Infostealer Campaign against ISPs |
Infostealer |
||
|
4.3.25 |
(CVSS score: 6.5) - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) |
VULNEREBILITY |
||
|
4.3.25 |
(CVSS score: 8.6) - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1) |
VULNEREBILITY |
||
|
4.3.25 |
(CVSS score: 7.8) - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) |
VULNEREBILITY |
||
|
4.3.25 |
(CVSS score: 7.8) - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) |
VULNEREBILITY |
||
|
4.3.25 |
(CVSS score: 9.8) - A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker to achieve remote code execution (Fixed in version 2023.1.3 in June 2024) |
VULNEREBILITY |
||
|
4.3.25 |
A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. |
VULNEREBILITY |
||
|
4.3.25 |
A privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports. |
VULNEREBILITY |
||
|
4.3.25 |
JavaGhost’s Persistent Phishing Attacks From the Cloud |
GROUP |
||
|
4.3.25 |
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 |
Loader |
||
|
4.3.25 |
An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges. |
VULNEREBILITY |
||
|
4.3.25 |
An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. |
VULNEREBILITY |
||
|
4.3.25 |
A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. |
VULNEREBILITY |
||
|
4.3.25 |
An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. |
VULNEREBILITY |
||
|
4.3.25 |
An insecure kernel resource access vulnerability in version 17 caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. |
VULNEREBILITY |
||
|
4.3.25 |
Paragon Partition Manager's BioNTdrv.sys driver, versions prior to 2.0.0, contains five vulnerabilities. |
ALERT |
||
|
3.3.25 |
Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally |
BOTNET |
||
|
1.3.25 |
LCRYX is a VBScript-based ransomware discovered in the wild last year. The malware encrypts user data, appends ‘.lcryx’ to the locked files and demands ransom payment in the Bitcoin cryptocurrency. |
|||
|
1.3.25 |
New Squidoor backdoor variant distributed in latest campaigns |
Squidoor is a modular multi-platform backdoor variant supporting both Windows and Linux platforms. According to the researchers from Palo Alto, the newest strain of this malware is distributed in attacks associated with suspected Chinese threat actors. |
||
|
1.3.25 |
In Japan, the Bank of Yokohama is the largest regional bank headquartered in Yokohama. |
|||
|
1.3.25 |
Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims |
The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. |
||
|
1.3.25 |
(CVSS score: N/A) - An out-of-bounds access vulnerability for Extigy and Mbox devices |
VULNEREBILITY |
||
|
1.3.25 |
(CVSS score: 5.5) - A use of an uninitialized resource vulnerability that could be used to leak kernel memory |
VULNEREBILITY |
||
| 28.2.25 | Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data | tl;dr We scanned Common Crawl - a massive dataset used to train LLMs like DeepSeek - and found ~12,000 hardcoded live API keys and passwords. This highlights a growing issue: LLMs trained on insecure code may inadvertently generate unsafe outputs. | AI | BIGBROTHER |
| 28.2.25 | Disrupting a global cybercrime network abusing generative AI | In an amended complaint to recent civil litigation, Microsoft is naming the primary developers of malicious tools designed to bypass the guardrails of generative AI services, including Microsoft’s Azure OpenAI Service. | AI | CRIME |
| 28.2.25 | Angry Likho | Angry Likho: Old beasts in a new forest | APT | APT |
| 27.2.25 | CleverSoar | New “CleverSoar” Installer Targets Chinese and Vietnamese Users | MALWARE | Rootkit |
| 27.2.25 | ValleyRAT | ValleyRAT Insights: Tactics, Techniques, and Detection Methods | MALWARE | RAT |
| 27.2.25 | Yodobashi Camera users targeted with a new phish wave | In Japan, Yodobashi Camera Co., Ltd is a major retail chain that sells electronics, PCs, cameras and photographic equipment. Recently, Symantec has observed a new wave of phish runs spoofing Yodobashi Camera services. The email content mentions that the customer information has been changed and entices the users to click on the phishing URL to confirm the change. | PHISHING | |
| 27.2.25 | Vedalia APT group phishing campaign delivers RokRat malware across Asia | phishing campaign by the North Korean-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia. | APT | |
| 27.2.25 | LightSpy: A new multi-platform Spyware variant targeting social media | A multi-platform variant of the LightSpy spyware with an expanded list of command functionalities has been reported. It has shifted its focus from messaging apps to extracting data from social media platforms such as Facebook and Instagram including messages, contacts and account metadata. | VIRUS | |
| 27.2.25 | Updated TgToxic Android malware | TgToxic is an infostealing malware that was first spread via phishing sites and compromised social media accounts. This new version of the TgToxic malware can be delivered though a single malicious SMS text. | VIRUS | |
| 27.2.25 | New Snake Keylogger variant | A new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users has been observed. Snake Keylogger typically spreads via phishing emails containing a malicious attachment or URL. It targets popular web browsers (such as Chrome, Edge, Firefox etc.) monitoring/logging keystrokes. | VIRUS | |
| 27.2.25 | Threat actors spoof Sagawa Express services to steal credentials | Symantec has identified a new wave of phishing attacks that impersonate Sagawa Express services to steal credentials. In this campaign, phishing emails are disguised as delivery notifications requesting an immediate update of the delivery address. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting. | OPERATION | |
| 27.2.25 | FatalRAT malware distributed via Operation SalmonSlalom | Operation SalmonSlalom is a new malicious campaign targeted at industrial organizations in the Asia-Pacific (APAC) region. The attackers have been leveraging various first and second stage loaders leading up to the infection with FatalRAT final payload. | VIRUS | |
| 27.2.25 | TraderTraitor |
TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies |
GROUP | GROUP |
| 27.2.25 | Winos 4.0 | Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan | MALWARE | MALWARE |
| 27.2.25 | TgToxic | Android trojan TgToxic updates its capabilities | MALWARE | Android |
| 27.2.25 | PolarEdge | PolarEdge: Unveiling an uncovered ORB network | BOTNET | BOTNET |
| 27.2.25 | 360XSS | 360XSS: Mass Website Exploitation via Virtual Tour Framework for SEO Poisoning | HACKING | EXPLOIT |
| 26.2.25 | Fake DeepSeek websites lead to malware infections | A number of DeepSeek-themed malware campaigns has been reported in the wild lately. DeepSeek is a recently released AI-powered chatbot, much similar to the well known ChatGPT. The attackers have been leveraging the growing popularity of the DeepSeek brand by creating a large number of fake DeepSeek websites and look-alike domains used to serve malicious payloads. | VIRUS | |
| 26.2.25 | New Phishing Campaign Targets ANA Mileage Club Users |
Symantec has detected a phishing campaign targeting Japanese
users with fake All Nippon Airways (ANA) emails. The emails use the subject
line:「ANAマイレージクラブ 重要なお知らせ - 事後登録手続きのお願い」 (Translated: "ANA Mileage Club Important Notice - Request for Retroactive Registration Procedure") |
CAMPAIGN | |
| 26.2.25 | Ghostwriter malicious campaign | Ghostwriter is a malicious campaign attributed to UNC1151 (UAC-0057) threat group. The campaign is believed to be actively running since at least 2016 with the latest iterations observed around November-December 2024. The campaign has been reported to target military and government organizations in Ukraine as well as activists in Belarus. The attackers are known to leverage Excel documents containing malicious VBA macros to initialize the attack. Later infection stages lead to execution of a downloader malware called PicassoDownloader, which has been already used in older campaigns linked to the same threat actors. | CAMPAIGN | |
| 26.2.25 | Black Basta Ransomware Playbook | Defense Lessons From the Black Basta Ransomware Playbook | RANSOMWARE | RANSOMWARE |
| 26.2.25 | Auto-Color | Auto-Color: An Emerging and Evasive Linux Backdoor | MALWARE | Linux |
| 26.2.25 | CVE-2023-34192 | (CVSS score: 9.0) - A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40) |
VULNEREBILITY |
|
| 26.2.25 | CVE-2024-49035 | (CVSS score: 8.7) - An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024) |
VULNEREBILITY |
|
| 26.2.25 | LightSpy | LightSpy Expands Command List to Include Social Media Platforms | MALWARE | Spyware |
| 26.2.25 | UNC1151 | UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence | GROUP | GROUP |
|
25.2.25 | UAC-0173 проти Нотаріату України (CERT-UA#13738) | Починаючи з другої половини січня 2025 року Урядовою командою реагування на комп'ютерні надзвичайні події України CERT-UA фіксується поновлення активності організованого злочинного угрупування UAC-0173, які на замовлення та за грошову винагороду проводять кібератаки для отримання прихованого віддаленого доступу до комп'ютерів нотаріусів з метою подальшого внесення несанкціонованих змін в державні реєстри. | ||
|
25.2.25 |
Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign |
RAT |
||
|
25.2.25 |
The GitVenom campaign: cryptocurrency theft using GitHub |
CRYPTOCURRENCY |
||
| 25.2.25 | FatalRAT | Backdoor delivered via an overly long infection chain to Chinese-speaking targets | MALWARE | RAT |
| 25.2.25 | CVE-2017-3066 | (CVSS score: 9.8) - A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017) | VULNEREBILITY | VULNEREBILITY |
| 25.2.25 | CVE-2024-20953 | (CVSS score: 8.8) - A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024) | VULNEREBILITY | VULNEREBILITY |
| 24.2.25 | SectopRAT variant distributed under the disguise of Chrome installer | SectopRAT (aka ArechClient2) is a .NET based malware leveraged to steal sensitive information from the victim's machine. A new campaign delivering this malware has been observed in the wild. The attackers have been recently spreading this infostealing variant under the disguise of Google Chrome browser installer via abuse of the Google Ads platform. | ALERTS | VIRUS |
| 24.2.25 | Lumma Stealer malware campaign targets educational institutions using malicious LNK files | A malware campaign exploiting educational institutions' infrastructure to distribute Lumma Stealer has been reported. The attack begins with malicious LNK files disguised as PDF documents to lure victims. Once executed, these files trigger a multi-stage infection process ultimately deploying Lumma Stealer on compromised systems. The malware targets sensitive data including passwords, browser information and cryptocurrency wallet details. Advanced evasion techniques are used such as leveraging Steam profiles for C2 operations. | ALERTS | VIRUS |
| 24.2.25 | ACRStealer | ACRStealer Infostealer Exploiting Google Docs as C2 | MALWARE | Stealer |
| 24.2.25 |
SysBumps: Exploiting Speculative Execution in System Calls
for Breaking KASLR in macOS for Apple Silicon |
Apple silicon is the proprietary ARM-based processor that powers the mainstream of Apple devices. The move to this proprietary architecture presents unique challenges in addressing security issues, requiring huge research efforts into the security of Apple silicon-based systems. In this paper, we study the security of KASLR, the randomization-based kernel hardening technique, on the stateof-the-art macOS system equipped with Apple silicon processors. | PAPERS | PAPERS |
| 24.2.25 | Цільова активність UAC-0212 у відношенні розробників та постачальників рішень АСУТП з метою здійснення кібератак на об'єкти критичної інфраструктури України (CERT-UA#13702) | Як зазначено у минулорічній статті, Урядовою командою реагування на комп'ютерні надзвичайні події України CERT-UA у першому кварталі 2024 року розкрито зловмисний задум щодо проведення деструктивних кібератак у відношенні інформаційно-комунікаційних систем (ІКС) близько двадцяти підприємств галузі енергетики, водо- та теплопостачання (ОКІ) у десяти регіонах України. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 23.2.25 | Cyber Threat Intelligence Annual Report 2024 | Reflecting on the cyber security landscape of 2024, it is evident that the challenges organisations faced were unprecedented in scale and complexity | REPORT | REPORT |
| 22.2.25 | ThreatLabz 2024_Encrypted Attacks Report | Encryption is a cornerstone of cybersecurity, safeguarding sensitive data and ensuring privacy in our increasingly interconnected world. | REPORT | REPORT |
| 22.2.25 | Earth Preta | Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection | APT | APT |
| 22.2.25 | CVE-2025-26465 | (CVSS score: 6.8) - The OpenSSH client contains a logic error between versions 6.8p1 to 9.9p1 (inclusive) that makes it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled, allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it (Introduced in December 2014) | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2025-26465 | (CVSS score: 5.9) - The OpenSSH client and server are vulnerable to a pre-authentication DoS attack between versions 9.5p1 to 9.9p1 (inclusive) that causes memory and CPU consumption (Introduced in August 2023) | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2025-0108 | (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2024-53704 | (CVSS score: 8.2) - An improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | Signals of Trouble | Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | BIGBROTHER | BIGBROTHER |
| 22.2.25 | Censorship as a Service | Censorship as a Service | Leak Reveals Public-Private Collaboration to Monitor Chinese Cyberspace | BIGBROTHER | Service |
| 22.2.25 | DeceptiveDevelopment | Cybercriminals have been known to approach their targets under the guise of company recruiters, enticing them with fake employment offers. | CAMPAIGN | Malware |
| 22.2.25 | CVE-2018-0171 | A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | Darcula phishing-as-a-service | The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand | PHISHING | PAAS |
| 22.2.25 | Deceptive Employment Scheme | A network from North Korea linked to the fraudulent IT worker scheme that was involved in the creation of personal documentation for fictitious job applicants, such as resumés, online job profiles and cover letters, as well as come up convincing responses to explain unusual behaviors like avoiding video calls, accessing corporate systems from unauthorized countries or working irregular hours. Some of the bogus job applications were then shared on LinkedIn. | HACKING | AI |
| 22.2.25 | Sponsored Discontent | A network likely of Chinese origin that was involved in the creation of social media content in English and long-form articles in Spanish that were critical of the United States, and subsequently published by Latin American news websites in Peru, Mexico, and Ecuador. | HACKING | AI |
| 22.2.25 | Romance-baiting Scam | A network of accounts that was involved in the translation and generation of comments in Japanese, Chinese, and English for posting on social media platforms including Facebook, X and Instagram in connection with suspected Cambodia-origin romance and investment scams. | HACKING | AI |
| 22.2.25 | Iranian Influence Nexus | A network of five accounts that was involved in the generation of X posts and articles that were pro-Palestinian, pro-Hamas, and pro-Iran, and anti-Israel and anti-U.S., and shared on websites associated with an Iranian influence operations tracked as the International Union of Virtual Media (IUVM) and Storm-2035. | HACKING | AI |
| 22.2.25 | Kimsuky and BlueNoroff | A network of accounts operated by North Korean threat actors that was involved in gathering information related to cyber intrusion tools and cryptocurrency-related topics, and debugging code for Remote Desktop Protocol (RDP) brute-force attacks | HACKING | AI |
| 22.2.25 | Youth Initiative Covert Influence Operation | A network of accounts that was involved in the creation of English-language articles for a website named "Empowering Ghana" and social media comments targeting the Ghana presidential election | HACKING | AI |
| 22.2.25 | Task Scam | A network of accounts likely originating from Cambodia that was involved in the translation of comments between Urdu and English as part of a scam that lures unsuspecting people into jobs performing simple tasks (e.g., liking videos or writing reviews) in exchange for earning a non-existent commission, accessing which requires victims to part with their own money. | HACKING | AI |
| 22.2.25 | NailaoLocker | Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors | MALWARE | Backdoor |
| 22.2.25 | CVE-2024-24919 | Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | Harvest | Operation ‘Harvest’: A Deep Dive into a Long-term Campaign | OPERATION | Hacking |
| 22.2.25 | Shadowpad | Updated Shadowpad Malware Leads to Ransomware Deployment | MALWARE | Backdoor |
| 22.2.25 | CVE-2025-23209 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | Salt Typhoon | Weathering the storm: In the midst of a Typhoon | GROUP | APT |
| 20.2.2025 | Phishing campaign disguises as ChatGPT Subscription | In a recent phishing campaign observed by Symantec, emails disguised as "monthly subscription" notifications are being sent to targeted recipients. The subject lines are often including keywords like "action required" or "Reminder" a common tactic to lure the recipient to open the email. The body of the email is claiming a $24 monthly subscription fee is required to access ChatGPT's premium features. To complete the payment, recipients are being prompted to click on a phishing URL designed to steal their credentials. | ALERTS | PHISHING |
| 20.2.2025 | Core Ransomware - a new Makop variant | Core ransomware is a new Makop malware variant recently found in the wild. The ransomware encrypts user files and appends .core extension to them. Victim's unique ID and developers' email address is also appended to the extension. The malware drops ransom note in form of a text file called "README-WARNING.txt". Core has also capability to delete volume shadow copies and backup data on the infected endpoints as well as functionality to modify registry entries to ensure its persistence on the machine. | ALERTS | RANSOM |
| 20.2.2025 | Ghost (aka Cring) Ransomware | Symantec Security Response is aware of the recent joint alert from CISA, FBI and MS-ISAC concerning a number of recent campaigns distributing the Ghost (aka Cring) ransomware. The attackers behind this ransomware family are known to leverage exploitation of publicly disclosed vulnerabilities in an effort to access internet facing vulnerable servers. Some of the exploited vulnerabilities include but are not limited to: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. | ALERTS | RANSOM |
| 20.2.2025 | XingCode disguised malware exhibits XWorm characteristics | Recently, malware samples were discovered disguised as XingCode software executables. XingCode is an anti-cheat software commonly used in online games to prevent cheating, hacking and unauthorized third-party tools. These malicious files contain embedded PowerShell scripts used to deobfuscate data. The files exhibit characteristics of XWorm malware with capabilities such as system manipulation, data exfiltration and keylogging designed to create persistence and evade detection. | ALERTS | VIRUS |
| 20.2.2025 | Rhadamanthys Infostealer campaign exploits MSC files and Console Taskpad | Since mid-2024, there has been an increase in the distribution of MSC malware with campaigns observed exploiting the CVE-2024-43572 Microsoft Windows Management Console remote code execution (RCE) vulnerability. A campaign distributing the Rhadamanthys Infostealer has been observed with the malware disguised as MSC files. The newly identified MSC file belongs to the variant that executes the "command" command via Console Taskpad. | ALERTS | VIRUS |
| 20.2.2025 | Nigerian threat actor distributes XLogger malware | A malware campaign by a Nigerian threat actor has been observed distributing XLogger malware. The campaign begins with harvesting email addresses using Google dorking techniques and setting up spoofed domains with bulletproof hosting. Users are lured through phishing emails crafted with ChatGPT containing RAR attachments with executable files. Upon execution, a PowerShell script decrypts the malware payload which then exfiltrates stolen data to a Telegram channel. | ALERTS | VIRUS |
| 20.2.25 | XLoader | XLoader Executed Through JAR Signing Tool (jarsigner.exe) | MALWARE | Loader |
| 20.2.25 | CVE-2024-12284 | Authenticated privilege escalation in NetScaler Console and NetScaler Agent allows. | VULNEREBILITY | VULNEREBILITY |
| 20.2.25 | CVE-2025-21355 | (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 20.2.25 | CVE-2025-24989 | (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 20.2.25 | StaryDobry | StaryDobry ruins New Year’s Eve, delivering miner instead of presents | MALWARE | Cryptominer |
| 20.2.25 | Snake Keylogger | FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant | MALWARE | Keylogger |
| 20.2.25 | JS to C2 | javascript-to-command-and-control-c2-server-malware | MALWARE | JavaScript |
| 20.2.25 | Викрадення акаунту WhatsApp під виглядом голосування за електронні петиції (CERT-UA#9565) | Урядова команда реагування на комп'ютерні надзвичайні події України CERT-UA інформує щодо зловмисної активності, спрямованої на отримання доступу до WhatsApp. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 20.2.25 | Цільові кібератаки UAC-0185 у відношенні Сил оборони та підприємств ОПК України (CERT-UA#12414) | Урядовою командою реагування на комп'ютерні надзвичайні події України CERT-UA 04.12.2024 від фахівців MIL.CERT-UA отримано інформацію щодо розповсюдження електронних листів з темою "до уваги_змiни_02-1-437 вiд 04.12.2024р.", | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 19.2.2025 | In a recent report published by Palo Alto Networks, links to a variant of Bookworm malware were uncovered based on activity of the Fireant (aka Stately Taurus) group impacting Southeast Asian countries. Per the report, Bookworm is a modular Trojan first observed in 2015, with no previous group attribution. Original Bookworm malware leveraged DLL sideloading to decrypt and launch attacker shellcode. In more recent variants, the shellcode is formatted as UUID strings, which is then decoded into binary data and launched via legitimate API functions, discarding the use of sideloading altogether. | ALERTS | VIRUS | |
| 19.2.2025 | ACR Stealer malware leverages Dead Drop Resolver (DDR) technique | ACR Stealer is a C++based infostealing malware variant discovered initially in early 2024. The malware is known to be advertised for sale in the form of a Malware-as-a-Service (MaaS) offering. ACR Stealer is believed to be an updated variant of on older infostealer called GrMsk Stealer. Functionality-wise the malware targets collection and exfiltration of miscellaneous sensitive data including system information, credentials, browser cookies, configuration files of 3rd party apps, cryptocurrency wallets, etc. | ALERTS | VIRUS |
| 18.2.2025 | Recent RedCurl (aka EarthKapre) APT activity | RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain has been initiated via crafted PDF malspam leading to ZIP compressed .img binaries. Upon execution/mounting of the .img file, a malicious .dll binary is sideloaded onto the compromised endpoint. After successful infection, the threat actors have been observed to execute SysInternals Active Directory Explorer (AD Explorer) tool for data collection and later to utilize Cloudflare Workers infrastructure for C2 purposes. | ALERTS | APT |
| 18.2.25 | FrigidStealer | An Update on Fake Updates: Two New Actors, and New Mac Malware | MALWARE | MacOS |
| 18.2.25 | CVE-2025-21589 | CVE-2025-21589 | VULNEREBILITY | VULNEREBILITY |
| 18.2.25 | RevivalStone | The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. | CAMPAIGN | APT |
| 18.2.25 | ELF/Sshdinjector.A!tr | Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst | MALWARE | Linux |
| 18.2.25 | Earth Freybug’s | Stealth in the Shadows: Dissecting Earth Freybug’s Recent Campaign and Operational Techniques | CAMPAIGN | Malware |
| 18.2.25 | DEATHLOTUS | A passive CGI backdoor that supports file creation and command execution | MALWARE | Backdoor |
| 18.2.25 | UNAPIMON | A defense evasion utility written in C++ | MALWARE | Utility |
| 18.2.25 | PRIVATELOG | A loader that's used to drop Winnti RAT (aka DEPLOYLOG) which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer | MALWARE | Rootkit |
| 18.2.25 | CUNNINGPIGEON | A backdoor that uses Microsoft Graph API to fetch commands – file and process management, and custom proxy – from mail messages | MALWARE | Backdoor |
| 18.2.25 | WINDJAMMER | A rootkit with capabilities to intercept TCPIP Network Interface, as well as create covert channels with infected endpoints within intranet | MALWARE | Rootkit |
| 18.2.25 | SHADOWGAZE | A passive backdoor reusing listening port from IIS web server | MALWARE | Backdoor |
| 18.2.25 | CVE-2024-12510 | (CVSS score: 6.7) - Pass-back attack via LDAP | VULNEREBILITY | VULNEREBILITY |
| 18.2.25 | CVE-2024-12511 | (CVSS score: 7.6) - Pass-back attack via user's address book | VULNEREBILITY | VULNEREBILITY |
| 18.2.25 | Magento Credit Card Stealer Disguised in an <img> Tag | In order to find this malicious code, we must first go to the infected website, add an item to the cart, and observe the page source at the end of the checkout process, once it is time to submit credit card details. | CRIME | CRIME |
| 18.2.25 | XCSSET | Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. | MALWARE | MacOS |
| 18.2.25 | Golang Backdoor | Telegram Abused as C2 Channel for New Golang Backdoor | MALWARE | Backdoor |
| 17.2.2025 | CipherLocker Ransomware | CipherLocker is a new ransomware variant identified in the wild. The malware encrypts user data and appends .clocker extension to the locked files. The ransom note is dropped in form of a text files called "README.txt" and contains instructions for the victims including attackers' email contact details. CipherLocker has the capability to delete both Volume Shadow copies and the backup files on the infected endpoints. | ALERTS | RANSOM |
| 15.2.25 | Storm-2372 | Storm-2372 conducts device code phishing campaign | GROUP | Phishing |
| 15.2.25 | whoAMI Attack | whoAMI: A cloud image name confusion attack | ATTACK | Cloud |
| 15.2.25 | Operation Marstech Mayhen | Lazarus Group’s Open-Source Trap: North Korea’s New Malware Tactic Targeting Developers and Crypto Wallets | OPERATION | APT |
| 15.2.25 | RansomHub | RansomHub Never Sleeps Episode 1: The evolution of modern ransomware | RANSOMWARE | RANSOMWARE |
| 15.2.25 | CVE-2025-1094 | Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. | VULNEREBILITY | VULNEREBILITY |
| 15.2.25 | DEEP#DRIVE | Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks | CAMPAIGN | APT |
| 15.2.25 | RedMike | RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers | EXPLOIT | Vulnerebility |
| 15.2.25 | CVE-2025-0108 | CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface | VULNEREBILITY | VULNEREBILITY |
| 15.2.25 | BadPilot | The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation | CAMPAIGN | Operation |
| 14.2.2025 | Zhong Stealer malware spread via social engineering | Zhong Stealer is a malware variant recently spread in a distribution campaign targeting fintech and cryptocurrency sectors. The attackers have been leveraging chat platforms to open tickets with various support teams and supplying .zip archives with malicious binaries to unsuspecting support staff. One of the payloads distributed this way was Zhong Stealer which is used by the threat actors to collect and exfiltrate confidential data such as credentials from the infected endpoints. | ALERTS | VIRUS |
| 14.2.2025 | Vgod Ransomware | Vgod is a new ransomware variant recently identified in the wild. Upon file encryption the malware appends .vgod extension to the encrypted files. The ransom note is dropped in form of a text file called “Decryption Instructions.txt” with the attackers asking the victims to contact them for decryption instructions. Vgod ransomware also changes the desktop wallpaper on the infected machine to indicate to the victim that the files have been encrypted. | ALERTS | RANSOM |
| 14.2.2025 | Lynx Ransomware, established in 2024 | Lynx ransomware was first observed in mid-2024 and is believed to be a successor of INC ransomware, according to a recent report by Fortinet. Lynx has been observed targeting Windows systems across multiple industries around the world. Per the report, The United States has seen the majority of victims while Canada and the United Kingdom are a distant second. Manufacturing and construction industries make up almost half of the victims. | ALERTS | RANSOM |
| 14.2.2025 | Xelera Ransomware | Xelera is a Python-based ransomware variant recently distributed in campaigns targeting potential job applicants to Food Corporations of India (FCI), which is a public sector company. The attackers leverage fake job description/notification documents to lure the potential victims. The campaign spreads PyInstaller executables containing both a Discord bot and ransomware components. The dropped Discord bot is used among others for privilege escalation, system information exfiltration, locking down the system as well as theft of credentials stored in web browsers. Alongside the Xelera ransomware components deployment, the attackers also utilize a MEMZ tool which is a MBR corruption utility. | ALERTS | RANSOM |
| 13.2.2025 | DEEP#DRIVE attack campaign | DEEP#DRIVE is a recently discovered malicious campaign targeting enterprises, government entities and cryptocurrency users from South Korea. The attackers leverage phishing emails containing zip archives with shortcut .lnk files disguised as legitimate documents (in PDF, HWP or MS Office formats). Further attacks stages rely on PowerShell scripts execution, establishing persistence on the targeted endpoints as well as download of Dropbox-hosted payloads. | ALERTS | CAMPAIGN |
| 13.2.2025 | RevivalStone malware campaign deploys new Winnti variant | A malware campaign dubbed RevivalStone has been identified targeting Japanese organizations in the manufacturing and energy sectors. The campaign is attributed to the China-linked APT group APT41 which is deploying a new variant of the infamous Winnti malware. The attack vector begins with the exploitation of SQL injection vulnerabilities in web-facing ERP systems allowing attackers to deploy web shells and gain initial access. Once inside the network, the threat actors deploy an updated version of Winnti malware which includes a rootkit for maintaining persistence and encrypted communication channels to avoid detection. | ALERTS | VIRUS |
| 13.2.2025 | Destiny Stealer | There is no shortage of stealers in the threat landscape, and Destiny Stealer is a new one being advertised with Symantec observing testing activities. This malware is a run-of-the-mill infostealer designed to harvest login credentials from web browsers and applications, exfiltrate specific file types like documents and images, and steal FTP credentials. Like many other stealers, it also targets cryptocurrency wallets such as Exodus, Blockchain.com, Binance, and MetaMask. Additionally, it gathers system information, monitors clipboard activity for sensitive data. Destiny Stealer follows the typical playbook of modern infostealers, incorporating generic anti-detection mechanisms. | ALERTS | VIRUS |
| 13.2.2025 | Phishing campaigns target Ukraine's banking sector with SmokeLoader malware | Phishing campaigns specifically targeting Ukraine's automotive and banking sectors using SmokeLoader malware have been observed in the wild. One such campaign targets customers of PrivatBank, Ukraine’s largest state-owned bank. Users are lured with financial-themed documents such as fabricated invoices and account statements to increase interaction and compromise systems. The campaign leverages password-protected archives containing malicious JavaScript, VBScript and LNK files to evade detection. SmokeLoader malware is deployed via process injection and PowerShell execution with the goal of stealing credentials and financial data while maintaining persistent access to compromised systems. | ALERTS | PHISHING |
| 13.2.2025 | Library-ms files seen abused in recent malspam campaign | Symantec has recently observed a malspam campaign utilizing library-ms attached files. Library-ms files allow users to view contents of multiple directories within a single file explorer view. Through the creation of legitimate local file explorer windows that utilize remote WebDAV servers threat actors serve malicious LNK files to unsuspecting victims. Once executed it allows further infection with additional malware of the attackers choice. | ALERTS | SPAM |
| 12.2.2025 | CVE-2024-20767 - Path Traversal Vulnerability in Adobe ColdFusion | In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Adobe ColdFusion vulnerability CVE-2024-20767 to its Known Exploited Vulnerabilities (KEV) catalog. This "Path Traversal" flaw allows an attacker to bypass pathname restrictions, potentially leading to arbitrary file system reads. The vulnerability, with a CVSS score of 7.4, affects ColdFusion versions 2023.6, 2021.12 and earlier and requires an exposed admin panel for exploitation. Experts have noted the availability of a proof-of-concept (PoC) exploit code. Adobe has since released out-of-band security updates to mitigate this critical issue. | ALERTS | VULNEREBILITY |
| 12.2.2025 | FINALDRAFT malware discovered in REF7707 campaign | A new malware variant named FINALDRAFT has been discovered as part of the REF7707 campaign targeting the Foreign Ministry of a South American nation. The malware exists in both Windows and Linux variants and leverages Microsoft’s Graph API service for command and control operations. Additionally, the campaign utilizes PATHLOADER and GUIDLOADER malware to download and execute encrypted shellcodes directly in memory. | ALERTS | VIRUS |
| 11.2.2025 | China-linked espionage tools used in ransomware attacks | Tools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company. During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks. While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity. | ALERTS | RANSOM |
| 11.2.2025 | Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns | According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has been recently engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in efforts aimed at distribution of a new BackOrder loader variant. This new variant utilizes various LOLbin binaries as one of the defence evasion measures. The final payload spread in this campaign belongs to the Dark Crystal RAT (DcRAT) malware family and can be used by the threat actors for cyber espionage and sensitive data exfiltration. | ALERTS | APT |
| 11.2.2025 | Cryptocurrency mining malware distributed via USB | Cryptocurrency mining malware has spread to victims through USB propagation in South Korea. In addition to infection persistence through USB, further characteristics that maximize infection via system settings modifications, and security bypass techniques have been observed. In particular the CoinMiner malware employs techniques such as C2 server communications, DLL sideloading for execution bypass, detection evasion via Windows Defender exception settings, and disabling of hibernation status for optimum mining performance. | ALERTS | CRYPTOCURRENCY |
| 10.2.25 | Webflow CDN | New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs | CAMPAIGN | Phishing |
| 10.2.25 | FINALDRAFT | From South America to Southeast Asia: The Fragile Web of REF7707 | MALWARE | Malware |
| 10.2.25 | NAPLISTENER | NAPLISTENER: more bad dreams from developers of SIESTAGRAPH | MALWARE | Malware |
| 10.2.25 | CVE-2025-23359 | NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-21391 | (CVSS score: 7.1) - Windows Storage Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-21418 | (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-38657 | (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-22467 | (CVSS score: 9.9) - A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-10644 | (CVSS score: 9.1) - Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-47908 | (CVSS score: 9.1) - Operating system command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56131 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56132 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56133 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56135 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56134 | (CVSS score: 8.4) - An improper input validation vulnerability that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to download the content of any file on the system via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-24200 | An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1. A physical attack may disable USB Restricted Mode on a locked device. | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | BadIIS | This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. | MALWARE | Malware |
| 10.2.25 | DragonRank | Trend Micro researchers observed an SEO manipulation campaign that highlights the need for organizations using Internet Information Services (IIS) to proactively update and patch systems to prevent exploitation by threat actors that use malware like BadIIS in their campaigns. | GROUP | Campaigns |
| 10.2.25 | CVE-2025-25064 | SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-57968 | (CVSS score: 9.9) - An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (Fixed in VeraCore version 2024.4.2.1) | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-25181 | (CVSS score: 5.8) - An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available) | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | ASPXSpy | ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. | MALWARE | Malware |
| 10.2.25 | Malicious ML models | Malicious ML models discovered on Hugging Face platform | MALWARE | AI |
| 10.2.25 | ValleyRAT | Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques | MALWARE | RAT |
| 10.2.25 | Sliver | Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor | MALWARE | Backdoor |
| 10.2.25 | SparkCat | Take my money: OCR crypto stealers in Google Play and App Store | MALWARE | Android |
| 10.2.2025 | China-Linked threat actors target IIS servers with BadIIS malware | According to reports from Trend Micro, threat actors have been observed targeting Internet Information Services (IIS) servers as part of an SEO manipulation campaign designed to deploy BadIIS malware. The campaign believed to be linked to China-based threat actors specifically targets servers in Asia. As part of the attack users are redirected to illegal gambling websites or rogue servers hosting malware or credential-harvesting pages with the ultimate goal of financial gain. | ALERTS | VIRUS |
| 10.2.2025 | Astral Stealer malware | Astral Stealer is an infostealing malware advertised as a fork of older malware strains dubbed Hazard Grabber and Wasp Stealer. Astral Stealer is used to collect and exfiltrate a wide variety of sensitive information including system information, credentials, banking related data, web browser data, cookies, clipboard content, cryptocurrency wallets, 3rd party app data, files, tokens and others. The malware has the capabilities for antivirus evasion, VM/sandbox environment detection as well as some persistence mechanisms. The exfiltration of the collected data might happen over the attacker-controlled command and control channels or via webhooks. | ALERTS | VIRUS |
| 10.2.2025 | SapphireRAT malware | A new phishing campaign has been observed targeting Latin American organizations using fake judicial late fee receipts to distribute SapphireRAT malware. The threat actor provides detailed instructions on how to review and sign the relevant document attempting to add legitimacy to the email. However, these instructions include a URL that redirects the recipient to a malicious domain. This domain is specifically designed to host and deliver the SapphireRAT malware, furthering the attacker's objective of compromising the recipient's system. | ALERTS | VIRUS |
| 10.2.2025 | FinStealer mobile banking malware | A new mobile malware variant dubbed FinStealer has been identified in the wild. Spread via phishing campaigns or unofficial mobile app repositories, the malware binaries are disguised as mobile apps impersonating legitimate banking institutions. FinStealer will extract various banking information, credentials, credit card numbers and other PII (Personally Identifiable Information) from the victims. The malware is coded in Kotlin which is a cross-platform high-level programming language compatible with Java. The attackers extract the collected data via Telegram bots as well as via controlled C&C infrastructure. | ALERTS | VIRUS |
| 10.2.2025 | SparkCat: Cross-Platform malware targets Crypto Wallets via OCR on Android and iOS. | A new malware campaign dubbed SparkCat has been discovered targeting both Android and iOS users through official and unofficial app stores, affecting users across Europe and Asia. The malware employs OCR technology to scan users' image galleries for cryptocurrency wallet recovery phrases. It leverages Google’s ML Kit for OCR and communicates with command-and-control (C2) servers using a custom Rust-based protocol. | ALERTS | VIRUS |
| 07.2.2025 | Old Telerik UI RCE vulnerability leveraged for JuicyPotatoNG distribution | The exploitation of an almost six-year-old Telerik UI RCE vulnerability (CVE-2019-18935) has been observed recently in the wild. The flaw is a .NET JSON deserialization vulnerability affecting Telerik UI for ASP.NET AJAX, that if successfully exploited could allow for a remote code execution. The attackers have been targeting vulnerable web servers in an effort to deliver malicious reverse shells alongside of the JuicyPotatoNG privilege escalation tool. The attacker efforts aim at reconnaissance of potential victims and information collection about the targeted environments. | ALERTS | VULNEREBILITY |
| 07.2.2025 | FleshStealer malware | FleshStealer is a new infostealer variant recently identified in the wild. The malware targets Chromium-based web browsers for information extraction (including passwords, cookies, etc.). Other infostealing functionalities allow this malware to perform cryptowallet theft as well as exfiltration of two-factor authentication (2FA) passwords or Wifi network credentials. FleshStealer features advanced encryption mechanisms as well as detection capabilities for the presence of debugging tools or VM environments. Sale of this malware has been promoted by threat actors via Telegram and Discord platforms. | ALERTS | VIRUS |
| 07.2.2025 | Infostealers targeting macOS on the rise | A recent report from Unit42 by Palo Alto Networks highlights a surge in activity related to infostealers on macOS. The report identifies three particular malware families, Atomic Stealer, Cthulhu Stealer, and Poseidon Stealer, as some of the most prevalent examples. These three families are sold as malware as a service. | ALERTS | VIRUS |
| 07.2.2025 | CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine | According to recent report from Trend Micro, a zero-day vulnerability in 7-Zip identified as CVE-2025-0411 has been exploited in a cyberespionage campaign targeting Ukrainian organizations. This vulnerability allows attackers to bypass Windows Mark-of-the-Web protections by double-archiving files thereby evading essential security checks and enabling the execution of malicious content. Russian-linked threat actor groups have actively leveraged this flaw through spear-phishing campaigns using homoglyph attacks to spoof document extensions and trick users into executing the malicious files. | ALERTS | VULNEREBILITY |
| 06.2.2025 | North Korean hackers deploy FlexibleFerret malware to target macOS developers | A newly discovered malware strain dubbed FlexibleFerret has been identified as part of an ongoing North Korean Contagious Interview campaign. In this attack Threat Actors trick victims into installing malware disguised as meeting software updates like VCam or Chrome through the job interview process. Unlike other variants of the macOS malware family, FlexibleFerret was signed with a valid Apple Developer signature and Team ID, and contains other elements that make it appear to be legitimate software. This appearance of legitimacy lends to establish persistence, enabling remote access and leading to cryptocurrency theft. | ALERTS | VIRUS |
| 5.2.25 | Trimble Cityworks | Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server. | VULNEREBILITY | ICS |
| 5.2.25 | Privacy Flaws in DeepSeek iOS Mobile App | NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App | BIGBROTHER | AI |
| 5.2.25 | RDP Wrapper | Persistent Threats from the Kimsuky Group Using RDP Wrapper | MALWARE | Wrapper |
| 5.2.25 | CVE-2025-20124 | (CVSS score: 9.9) - An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-20125 | (CVSS score: 9.1) - An authorization bypass vulnerability in an API of Cisco ISE could could permit an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | LinkedIn Recruiting Scam | Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam | SPAM | APT |
| 5.2.25 | Silent Lynx | Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations | APT | APT |
| 5.2.25 | CVE-2025-23114 | A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | AsyncRAT | AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again | MALWARE | RAT |
| 5.2.25 | CVE-2025-0411 | 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0411 | CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks | HACKING | VULNEREBILITY |
| 5.2.25 | HTTP Client Tools Exploitation | HTTP Client Tools Exploitation for Account Takeover Attacks | EXPLOIT | HTTP |
| 5.2.25 | CVE-2024-45195 | (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-29059 | (CVSS score: 7.5) - An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2018-9276 | (CVSS score: 7.2) - An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2018-19410 | (CVSS score: 9.8) - A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | FERRET | macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed | MALWARE | macOS |
| 5.2.25 | CVE-2024-56161 | Loss of the SEV-based protection of a confidential guest. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-21396 | (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-21415 | (CVSS score: 9.9) - Azure AI Face Service Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-53104 | (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | boltdb-go | Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence | MALWARE | GO Backdoor |
| 5.2.25 | Coyote Banking Trojan | Coyote Banking Trojan: A Stealthy Attack via LNK Files | MALWARE | Banking |
| 5.2.25 | Crazy Evil | "Crazy Evil" Cryptoscam Gang: Unmasking a Global Threat in 2024 | CRYPTOCURRENCY | SPAM |
| 5.2.25 | Memcached DDoS attack | Memcached can speed up websites, but a memcached server can also be exploited to perform a DDoS attack. | ATTACK | DDoS |
| 5.2.25 | CVE-2025-0626 | Contec Health CMS8000 Patient Monitor sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-12248 | (CVSS v4 score: 9.3) - An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0683 | (CVSS v4 score: 8.2) - A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor | VULNEREBILITY | VULNEREBILITY |
| 05.2.2025 | MMS phishing campaign targeting users with fake shipping PDFs | A phishing campaign has been recently reporting targeting users with MMS messages with attached PDFs. The messages attempt spoof popular delivery services in order to convince victims to open the attached PDF. When opened the victim is prompted with a screen requesting they 'unlock' the file visiting by visiting a malicious page controlled by the attackers and entering their credentials. | ALERTS | PHISHING |
| 05.2.2025 | CVE-2024-52875 - KerioControl CRLF injection vulnerability | CVE-2024-52875 is a recently discovered critical CRLF injection vulnerability affecting GFI KerioControl network security solution in versions 9.2.5 through 9.4.5. Successful exploitation of this flaw might allow attackers to inject malicious JavaScript code and lead to CSRF token theft and arbitrary code execution within the context of the vulnerable application. According to recently published reports, the vulnerability has been actively exploited in the wild. The product vendor already released a patch version "9.4.5 Patch 1" to address this vulnerability. | ALERTS | VULNEREBILITY |
| 05.2.2025 | CVE-2023-48365 - Qlik Sense HTTP Tunneling vulnerability reported as exploited in the wild | CVE-2023-48365 is a bypass vulnerability to the original fix for an older flaw CVE-2023-41265 in Qlik Sense Enterprise product. The vulnerability might allow unauthenticated attackers to perform remote code execution even after applying the patches for CVE-2023-41265 and CVE-2023-41266 flaws. The product vendor has already released a new patch addressing this bypass by an updated filtering mechanism which is less prone to HTTP request tunneling attacks. This vulnerability has been just recently added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. | ALERTS | VULNEREBILITY |
| 04.2.2025 | CVE-2024-57727 - SimpleHelp Directory Traversal vulnerability | CVE-2024-57727 is a high severity (CVSS score 7.5) directory traversal vulnerability affecting SimpleHelp remote support software in version 5.5.7 or older. If successfully exploited the flaw might allow unauthenticated attackers to download arbitrary files from the SimpleHelp servers, including configuration files containing hashed passwords for the SimpleHelpAdmin account or other accounts. | ALERTS | VULNEREBILITY |
| 03.2.2025 | Attack Campaign targets Brazilian financial sector with Coyote Banking Trojan | A multi-stage attack campaign leveraging LNK files to deploy the Coyote Banking Trojan has been reported, primarily targeting Brazilian financial applications. As part of the attack vector the malware uses PowerShell commands, shellcode injection and registry modifications to maintain persistence and evade detection. The malware has capabilities such as keylogging, screenshot capture and displaying phishing overlays. It monitors user activity, steals sensitive data from targeted websites and exfiltrates it to the attacker's C2 servers. | ALERTS | VIRUS |
|
31.1.25 |
SparkRAT is a Golang-based modular malware variant initially discovered back in 2022. With its cross-platform support it targets various architectures including Windows, macOS, and Linux. The malware was used in various targeted cyber espionage operations just last year. |
|||
|
31.1.25 |
A new variant of the Windows Locker ransomware has been identified in the wild. The malware encrypts user data and appends .winlocker extension to the locked files. A ransom request is dropped in form of a text file "Readme.txt" with information on how to contact the threat actors and on how to pay the ransom demands. Windows Locker ransomware has the functionality to maintain persistence, disable firewall and task manager as well as to delete backups and volume shadow copies on the compromised machine. |
|||
|
29.1.25 |
A new Mirai malware variant dubbed Aquabot v3 has been observed in the wild. The malware has been reported to exploit CVE-2024-41710 which is a command injection vulnerability affecting various Mitel devices. The malware is also able to exploit some older vulnerabilities affecting Hadoop YARN or various Linksys devices. Aquabot v3 supports a wide range of architectures including x86 and ARM. Functionality-wise the malware is predominately used for initiating DDoS attacks from the compromised devices. |
|||
|
29.1.25 |
A new malicious activity attributed to the GamaCopy threat group has been reported in the wild. The TTPs utilized by the group share certain degree of overlap with another APT called Core Werewolf and the discovered activity mimics some of the older attacks conducted by the Shuckworm (aka Gamaredon) APT. The attackers leverage self-extracting (SFX) archive files to deliver decoy .PDF documents alongside of UltraVNC remote desktop tool used for remote access to the compromised endpoints. |
|||
|
29.1.25 |
TorNet is a new backdoor variant spread within an ongoing malicious campaign targeting prevalently Germany and Poland. The threat actors responsible have also been distributing various other malware payloads including Agent Tesla and Snake Keylogger. According to the recent Cisco Talos report, the attack chain leverages phishing emails disguised as correspondence from financial institutions and manufacturing or logistics companies. |
|||
|
28.1.25 |
A new malware campaign that leverages fake CAPTCHA verification checks to deliver Lumma Stealer has been observed. This campaign has targeted victims from around the world (Argentina, Colombia, U.S., Philippines etc.) and across various industries (such as financial institutions, healthcare, marketing and telecom organizations). |
|||
|
28.1.25 |
Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket communication has been changed to use JSON instead. |
VULNEREBILITY |
||
|
28.1.25 |
(CVSS score: 8.5) - A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs |
VULNEREBILITY |
||
|
28.1.25 |
(CVSS score: 6.8) - A malicious actor with non-administrative privileges may be able to inject a malicious script that may lead to arbitrary operations as admin user via a stored cross-site scripting (XSS) attack |
VULNEREBILITY |
||
|
28.1.25 |
(CVSS score: 4.3) - A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user |
VULNEREBILITY |
||
|
28.1.25 |
(CVSS score: 5.2) - A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent Configuration |
VULNEREBILITY |
||
|
28.1.25 |
(CVSS score: 7.7) - A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known |
VULNEREBILITY |
||
|
28.1.25 |
Noma Research discovers RCE vulnerability in AI-development platform, Lightning AI |
AI |
||
|
28.1.25 |
An arbitrary file write vulnerability in the "/admin/media/upload" endpoint |
VULNEREBILITY |
||
|
28.1.25 |
A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint |
VULNEREBILITY |
||
|
28.1.25 |
An arbitrary file leak and deletion vulnerability |
VULNEREBILITY |
||
|
28.1.25 |
(CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone. |
VULNEREBILITY |
||
|
28.1.25 |
North Korea’s Global Data Exfiltration Campaign |
OPERATION |
||
|
28.1.25 |
Uncovering New Classes of Kernel Vulnerabiliti |
PAPERS |
||
|
27.1.25 |
GTA VI Hype Exploited: Malware Masquerades as Early Alpha Access |
The hype surrounding popular games often becomes a breeding ground for cybercrime, and Grand Theft Auto VI is no exception. A highly anticipated next installment in Rockstar Games' iconic open-world action-adventure series. Officially announced in December 2023, the game is set to release in late 2025 for PlayStation and Xbox. |
||
|
27.1.25 |
Phishing Campaign Targets Workplace Anxiety: Email Credentials at Risk |
A recent phishing campaign leverages workplace fears and urgency in an attempt to steal email credentials. The attack begins with an email titled "Employment Termination lists and new admin position 2025" and an attached malicious HTML file (Staff Employment Termination listsPDF.html) disguised as an important workplace document. When opened, the attachment displays a fake login page, crafted to resemble a legitimate email login portal. |
||
|
27.1.25 |
(CVSS score: 6.6) - Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop |
VULNEREBILITY |
||
|
27.1.25 |
(CVSS score: 7.4) - Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager |
VULNEREBILITY |
||
|
27.1.25 |
(CVSS score: 8.5) - Git LFS permits retrieval of credentials via crafted HTTP URLs |
VULNEREBILITY |
||
|
27.1.25 |
(CVSS score: 6.5) - Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts |
VULNEREBILITY |
||
|
27.1.25 |
Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military — related bait to launch attacks on Russia |
GROUP |
||
|
27.1.25 |
MintsLoader: StealC and BOINC Delivery |
Loader |
||
|
25.1.25 |
FLOP: Breaking the Apple M3 CPU via False Load Output Predictions |
To bridge the ever-increasing gap between the fast execution speed of modern processors and the long latency of memory accesses, CPU vendors continue to introduce newer and more advanced optimizations. While these optimizations improve performance, research has repeatedly demonstrated that they may also have an adverse impact on security. |
PAPERS |
|
|
25.1.25 |
SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon |
Since Spectre’s initial disclosure in 2018, the difficulty of mitigating speculative execution attacks completely in hardware has led to the proliferation of several new variants and attack surfaces in the past six years. Most of the progeny build on top of the original Spectre attack’s key insight, namely that CPUs can execute the wrong control flow transiently and disclose secrets through side-channel traces when attempting to alleviate control hazards, such as conditional or indirect branches and return statements. |
PAPERS |
|
|
25.1.25 |
Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. |
VULNEREBILITY |
||
|
25.1.25 |
Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891) |
VULNEREBILITY |
||
|
25.1.25 |
(CVSS score: 8.8) - A post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request |
VULNEREBILITY |
||
|
25.1.25 |
(CVSS score: 8.8) - A post-authentication command injection vulnerability in the management commands component that could allow an authenticated attacker to execute OS commands on an affected device via Telnet |
VULNEREBILITY |
||
|
25.1.25 |
(CVSS score: 9.8) - The use of insecure default credentials for the Telnet function that could allow an attacker to log in to the management interface |
VULNEREBILITY |
||
|
25.1.25 |
UAC-0063: Cyber Espionage Operation Expanding from Central Asia |
GROUP |
||
|
25.1.25 |
New TorNet backdoor seen in widespread campaign |
Backdoor |
||
|
25.1.25 |
ESXi Ransomware Attacks: Stealthy Persistence through SSH Tunneling |
RANSOMWARE |
||
|
25.1.25 |
A use after free issue was addressed with improved memory management. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2. |
VULNEREBILITY |
||
|
24.1.25 |
CVE-2024-50603 - Aviatrix Controller RCE vulnerability exploited in the wild |
CVE-2024-50603 is a critical (CVSS score 10.0) remote code execution vulnerability affecting Aviatrix Controller which has been recently reported as being exploited in the wild. The flaw results due to improper neutralization of user-supplied input and if exploited might allow remote unauthenticated attackers with arbitrary code execution. Product vendor has already addressed this vulnerability in patched versions 7.1.4191 and 7.2.4996. |
||
|
24.1.25 |
Phishing-as-a-service (PhaaS) kit dubbed Sneaky 2FA has been observed targeting Microsoft 365 accounts by sending payment type related emails luring recipients into opening fake receipt PDFs containing a QR code that upon scanning redirects to a Sneaky 2FA phishing page. The phishing pages are hosted on a compromised infrastructure, primarily involving WordPress websites and other domains controlled by the Threat Actor. The bogus authentication page(s) are designed to automatically populate the victim's email address to elevate their appearance of legitimacy. |
|||
|
24.1.25 |
A ransomware actor operating under the name LucKY Gh0$t has been observed in the threat landscape. The ransomware they employ is a Chaos variant that appends encrypted files with a .[4 random characters] extension. This threat is being spread via drive-by downloads, disguised as a fake ChatGPT desktop version ("ChatGPT 4.0 Full Version - Premium.zip"). |
|||
|
23.1.25 |
A new Mirai variant dubbed Murdoc botnet has been discovered in a recently observed campaign. The campaign leverages ELF binaries and shell scripts to target various *nix based systems, such as IoT devices and IP cameras, among others. The shell scripts are deployed to the devices to download and execute the Murdoc botnet payloads from the C2 servers. |
|||
|
22.1.25 |
Groups targeting users with Email bombing and vishing campaigns |
Researchers have discovered two groups behind malware campaigns involving email-bombing, Microsoft Teams communication, and remote-control tools. These attacks begin with targeted email-bombing campaigns and continue with the attackers contacting the victims via Teams, posing as IT staff. They then tell the victim they can resolve the recent spam issue by using the Teams screen-sharing option or "Quick Assist." |
||
|
22.1.25 |
Nnice is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends “.xdddd” extension to the encrypted files. Beside dropping the ransom note in form of a “Readme.txt" text file, the ransomware also changes the desktop wallpaper to indicate that the user files have been encrypted and ransom is demanded from the victim. |
|||
|
22.1.25 |
Silent Lynx: New cyber threat group targeting government and financial entities in Kyrgyzstan |
A new threat group dubbed Silent Lynx has been discovered targeting organizations in Kyrgyzstan and neighboring countries. The group employs a range of techniques such as malicious email attachments, decoy documents and persistence mechanisms to maintain access to compromised systems. |
||
|
21.1.25 |
MintsLoader campaign targets energy sector with StealC and BOINC malware |
MintsLoader is a sophisticated malware loader that employs advanced techniques to evade detection and enhance its operational effectiveness. Impacted sectors include Electricity, Gas and Oil industries as well as Law firms and Legal service industries all within the U.S. and Europe. The infection process begins when a victim clicks on a link in a phishing email, triggering the download of malicious JScript files, leading to the deployment of secondary payloads like StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client. The combination of these payloads allows for the consumption of sensitive data from browsers, applications, crypto-wallets, and then the exfiltration to C2 server. |
||
|
21.1.25 |
Threat actor APT group known as DoNot Team has been linked to a new Tanzeem Android malware. This malicious Android app primarily uses OneSignal which is a popular customer engagement platform used by organizations to send push notifications, emails, in-app messages, and SMS messages. Once installed the malicious app displays a fake chat screen prompting the victim to click a button named "Start Chat". Doing so triggers a message that instructs the victim to grant permissions to the accessibility services API, thus allowing it to perform various nefarious actions. |
|||
|
21.1.25 |
Redtail is an adaptable malware that stealthily installs itself on compromised systems utilizing advanced tactics to persist and exploit systems for unauthorized cryptocurrency mining. It is capable of running on various CPU architectures by utilizing two extra scripts: one script identifies the CPU architecture of the victim system ensuring compatibility for the malware, and a second script removes any other competing crypto-mining software that may already exist on the compromised system. This dual approach tactic maintains persistence and works towards evading detection. |
|||
|
20.1.25 |
A new ValleyRAT malware distribution campaign has been reported in the wild. The attackers leverage a new multi-stage loader dubbed PNGPlug within the observed attack chain. The deployed ValleyRAT payload has the functionality for deployed shellcode execution, download of additional arbitrary components, etc. This campaign has been attributed to the Silver Fox APT group and observed to be targeting various companies in several Chinese-speaking regions. |
|||
|
20.1.25 |
Airashi is a variant of the Aisiru botnet observed in the wild last year. The botnet is known to be spread via exposed vulnerabilities as well as through exploitation of weak Telnet credentials. Airashi can be used by attackers to conduct a wide variety of DDoS attacks. Several strains of the botnet binaries also support additional functionalities such as command execution or proxy services. |
|||
|
18.1.25 |
Threat actors reusing legitimate government documents to deliver malware |
A malware campaign has been linked to nation state actors targeting countries in Central Asia for information gathering. The attacks utilizes legitimate government documents to deliver the malware. |
||
|
18.1.25 |
CVE-2024-55591 - Fortinet FortiOS Authorization Bypass vulnerability |
CVE-2024-55591 is a recently discovered authorization bypass vulnerability affecting Fortinet FortiOS and FortiProxy products. Successful exploitation of the flaw could allow remote attackers to obtain super-admin privileges on the vulnerable devices via crafted requests to Node.js websocket module. |
||
|
18.1.25 |
CVE-2024-12686 - BeyondTrust vulnerability exploited in the wild |
CVE-2024-12686 is a recently disclosed OS command injection vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. |
||
|
18.1.25 |
Fireant (aka RedDelta, Mustang Panda) advanced persistent threat (APT) group has been targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia in recent campaign spreading an updated variant of the PlugX backdoor. |
|||
|
18.1.25 |
Ottercookie observed being used by nation states to steal crypto currency |
OtterCookie, an infostealer designed to steal crypto currency information, has recently been observed in use by nation state actors. |
||
|
18.1.25 |
CVE-2024-49113 is a vulnerability affecting Microsoft Windows Lightweight Directory Access Protocol (LDAP) which was patched in December. In a recent campaign, attackers have been observed distributing infostealer malware disguised as proof-of-concept (PoC) code for this vulnerability. The fake PoC leverages dropped/downloaded scripts to exfiltrate system information via FTP. |
|||
|
18.1.25 |
Спроби здійснення кібератак з використанням AnyDesk, нібито, від імені CERT-UA |
Урядовою командою реагування на комп'ютерні надзвичайні події України CERT-UA отримано інформацію про непоодинокі випадки спроб підключень до комп'ютерів з використанням програми AnyDesk, нібито, від імені CERT-UA. |
||
|
18.1.25 |
Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) |
Tunnelling protocols are an essential part of the Internet and form much of the backbone that modern network infrastructure relies on today. |
||
|
18.1.25 |
Rsync, a versatile file-synchronizing tool, contains six vulnerabilities present within versions 3.3.0 and below. |
|||
|
18.1.25 |
Howyar Reloader UEFI bootloader vulnerable to unsigned software execution |
The Howyar UEFI Application "Reloader" (32-bit and 64-bit), distributed as part of SysReturn prior to version 10.2.02320240919, is vulnerable to the execution of arbitrary software from a hard-coded path. |
||
|
18.1.25 |
Hack The Emulated Planet: Vulnerability Hunting Planet WGS-804HPT Industrial Switch |
Hardware |
||
|
18.1.25 |
GSocket Gambling Scavenger – How Hackers Use PHP Backdoors and GSocket to Facilitate Illegal Gambling in Indonesia |
CAMPAIGN |
||
|
18.1.25 |
Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service |
PHISHING |
||
|
18.1.25 |
New Star Blizzard spear-phishing campaign targets WhatsApp accounts |
PHISHING |
||
|
16.1.25 |
Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344 |
VULNEREBILITY |
||
|
16.1.25 |
If you think you blocked NTLMv1 in your org, think again |
VULNEREBILITY |
||
|
16.1.25 |
This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape. |
VULNEREBILITY |
||
|
16.1.25 |
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads |
CRIME |
||
|
16.1.25 |
Operation 99: North Korea’s Cyber Assault on Software Developers |
OPERATION |
||
|
16.1.25 |
NICKEL TAPESTRY Infrastructure Associated with Crowdfunding Scheme |
GROUP |
||
|
16.1.25 |
Rsync, a versatile file-synchronizing tool, contains six vulnerabilities present within versions 3.3.0 and below. |
VULNEREBILITY |
||
|
16.1.25 |
(CVSS score: 9.8) - Windows NTLM V1 Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
(CVSS score: 9.8) - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
(CVSS score: 9.8) - Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
(CVSS score: 8.1) - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
(CVSS score: 8.1) - Microsoft Digest Authentication Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
Windows Themes Spoofing Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
Windows App Package Installer Elevation of Privilege Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
Microsoft Access Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
Microsoft Access Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
Microsoft Access Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
16.1.25 |
A privilege escalation vulnerability that allows an attacker who gains access as a low-privilege technician to elevate their privileges to an admin by taking advantage of missing backend authorization checks |
VULNEREBILITY |
||
|
16.1.25 |
An arbitrary file upload vulnerability that allows an attacker with SimpleHelpAdmin privileges (or as a technician with admin privileges) to upload arbitrary files anywhere on the SimpleServer host, potentially leading to remote code execution |
VULNEREBILITY |
||
|
16.1.25 |
An unauthenticated path traversal vulnerability that allows an attacker to download arbitrary files from the SimpleHelp server, including the serverconfig.xml file that contains hashed passwords for the SimpleHelpAdmin account and other local technician accounts |
VULNEREBILITY |
||
|
14.1.25 |
Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable. |
VULNEREBILITY |
||
|
14.1.25 |
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. |
VULNEREBILITY |
||
|
14.1.25 |
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations |
GROUP |
||
|
14.1.25 |
A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.2. An app may be able to modify protected parts of the file system. |
VULNEREBILITY |
||
|
14.1.25 |
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user. |
VULNEREBILITY |
||
|
14.1.25 |
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. |
VULNEREBILITY |
||
|
14.1.25 |
Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection |
Recently, we released an article where a credit card skimmer was targeting checkout pages on a Magento site. Now we’ve come across sophisticated credit card skimmer malware while investigating a compromised WordPress website. |
HACKING |
|
|
10.1.25 |
CVE-2024-55550 - Mitel MiCollab Path Traversal vulnerability |
VE-2024-55550 is a newly disclosed path traversal vulnerability affecting Mitel MiCollab collaboration tool versions 9.8 SP1 FP2 and earlier. |
||
|
10.1.25 |
A new and updated variant of the macOS-based infostealer malware dubbed Banshee Stealer has been detected in the wild. |
|||
|
10.1.25 |
Funksec (aka Funklocker) is another double-extortion ransomware actor that surfaced in late 2024 and allegedly claimed multiple organizations as victims. |
|||
|
10.1.25 |
Latest HexaLocker ransomware attacks leverage Skuld Stealer for data extraction |
A new updated variant of the Go-based HexaLocker ransomware has been discovered in the wild. The new strain has the functionality to download infostealer malware called Skuld Stealer, in an effort focused on extraction of confidential data from the infected endpoint. |
||
|
10.1.25 |
CVE-2025-0282 - Ivanti Connect Secure vulnerability exploited in zero-day attacks |
CVE-2025-0282 is a newly disclosed critical (CVSS score 9.0) stack-based buffer overflow vulnerability affecting Ivanti Connect Secure. If successfully exploited, it could allow unauthenticated attackers to execute arbitrary code on the vulnerable instances. |
||
|
10.1.25 |
Old Oracle WebLogic Deserialization vulnerability (CVE-2020-2883) exploited in the wild |
CVE-2020-2883 is a 2020 deserialization vulnerability affecting unpatched Oracle WebLogic servers. If successfully exploited, it could allow remote code execution by unauthenticated attackers via specially crafted T3 port network requests. |
||
|
10.1.25 |
XWorm Middle East Campaign: Fake Mossad Intelligence Reports Used as Lures |
As tensions in the Middle East remain high, particularly following recent events in Syria, threat actors are exploiting the volatile situation to target organizations and individuals both within the region and globally, leveraging the allure of sensitive intelligence to entice victims. |
||
|
10.1.25 |
FireScam is a mobile malware variant recently discovered in the wild. The malware is distributed via a phishing website and under the disguise of Telegram Premium app. |
|||
|
10.1.25 |
KGB Keylogger Targets Companies with Fake Russian Ministry-Themed Emails |
During the second half of December 2024, an actor has been targeting companies with malicious emails enticing users with a Ministry of Industry and Trade of the Russian Federation (Минпромторг России) social engineering ploy along with the use of a malicious .scr file (Письмо в МНТЦ и ЦРП.scr). |
||
|
10.1.25 |
(CVSS score: 2.3) - An operating system (OS) command injection vulnerability that enables an authenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software |
VULNEREBILITY |
||
|
10.1.25 |
(CVSS score: 2.7) - A wildcard expansion vulnerability that allows an unauthenticated attacker to enumerate files on the host file system |
VULNEREBILITY |
||
|
10.1.25 |
(CVSS score: 2.7) - An arbitrary file deletion vulnerability that enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host file system |
VULNEREBILITY |
||
|
10.1.25 |
(CVSS score: 4.7) - A reflected cross-site scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript code in the context of an authenticated user's browser if that authenticated user clicks a malicious link that allows phishing attacks and could lead to browser-session theft |
VULNEREBILITY |
||
|
10.1.25 |
(CVSS score: 7.8) - An SQL injection vulnerability that enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys, as well as create and read arbitrary files |
VULNEREBILITY |
||
|
10.1.25 |
A newly discovered phishing campaign uses CrowdStrike recruitment branding to convince victims to download a fake application, which serves as a downloader for the XMRig cryptominer. |
SPAM |
||
|
10.1.25 |
FunkSec – Alleged Top Ransomware Group Powered by AI |
AI |
||
|
10.1.25 |
Out-of-bound write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code. |
VULNEREBILITY |
||
|
10.1.25 |
Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain |
GROUP |
||
|
10.1.25 |
Cracking the Code: How Banshee Stealer Targets macOS Users |
MacOS |
||
|
10.1.25 |
China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. |
GROUP |
||
|
10.1.25 |
refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then lead to a cross-site scripting (XSS) flaw. |
VULNEREBILITY |
||
|
10.1.25 |
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. |
VULNEREBILITY |
||
|
10.1.25 |
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
VULNEREBILITY |
||
|
10.1.25 |
Muddling Malspam: The Use of Spoofed Domains in Malicious Spam |
SPAM |
||
|
10.1.25 |
Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS |
VULNEREBILITY |
||
|
10.1.25 |
The NonEuclid Remote Access Trojan (RAT) is a type of malicious software that enables unauthorised remote access and control of a victim’s computer, often without their awareness. |
RAT |
||
|
10.1.25 |
Gayfemboy: A Botnet Deliver Through a Four-Faith Industrial Router 0-day Exploit. |
Botnet |
||
|
10.1.25 |
(CVSS score: 9.1) - A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access |
VULNEREBILITY |
||
|
10.1.25 |
(CVSS score: 4.4) - A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization |
VULNEREBILITY |
||
|
10.1.25 |
(CVSS score: 9.8) - A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3 |
VULNEREBILITY |
||
|
7.1.25 |
EAGERBEE, with updated and novel components, targets the Middle East |
Backdoor |
||
|
7.1.25 |
(CVSS 4.0 score: 9.3) - A vulnerability allows attackers to exploit special characters to bypass input restrictions, potentially leading to unauthorized command execution |
VULNEREBILITY |
||
|
7.1.25 |
(CVSS 4.0 score: 8.6) - A hard-coded credentials vulnerability that could allow an authenticated user to escalate privileges and gain root-level access to the system, leading to system compromise, unauthorized modifications, data exposure, or service disruption |
VULNEREBILITY |
||
|
5.1.25 |
Inside FireScam : An Information Stealer with Spyware Capabilities |
ANDROID |
||
|
5.1.25 |
Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. |
VULNEREBILITY |
||
|
4.1.25 |
SecTor has built a reputation of bringing together experts from around the world to share their latest research and techniques involving underground threats and corporate defences. |
|||
|
4.1.25 |
Black Hat Briefings (běžně označované jako Black Hat ) je konference o počítačové bezpečnosti , která poskytuje bezpečnostní konzultace, školení a instruktáže hackerům, korporacím a vládním agenturám po celém světě. |
|||
|
4.1.25 |
The annual Virus Bulletin International Conference has been running since 1991, recently celebrating its 25th anniversary. The venue typically alternates between Europe and North America. |
|||
|
4.1.25 |
HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. |
|||
|
4.1.25 |
Finding Malware: Unveiling PLAYFULGHOST with Google Security Operations |
RAT |
||
|
4.1.25 |
Treasury Sanctions Technology Company for Support to Malicious Cyber Group |
Treasury Sanctions Technology Company for Support to Malicious Cyber Group |
APT |
|
|
4.1.25 |
We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior and a low Virustotal score (7/61). |
RAT |
||
|
3.1.25 |
The double-extortion ransomware group known as Nitrogen has been very active over the past four months, targeting organizations across diverse sectors such as construction, financial services, manufacturing, and technology. |
|||
|
3.1.25 |
Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability |
AI |
||
|
3.1.25 |
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
VULNEREBILITY |
||
|
3.1.25 |
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability |
VULNEREBILITY |
||
|
3.1.25 |
We are currently making an unexpected change to the way that .NET installers and archives are distributed. |
VULNEREBILITY |
||
|
2.1.25 |
Discovery to Resolution: A Critical Microsoft 365 Vulnerability |
VULNEREBILITY |
||
|
2.1.25 |
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts |
RAT |
||
|
1.1.25 |
is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. |
Web |
||