DATE | NAME | CATEGORY | SUBCATE | INFO
24.4.25 | PE32 Ransomware | RANSOM | PE32 ransomware is a newly discovered malware strain that leverages Telegram for C2 operations. It employs a dual-extortion model, charging separate fees for file decryption and data non-disclosure. Despite its messy and simplistic code, which uses basic Windows libraries, it poses a significant threat to systems with weak security hygiene. | |
24.4.25 | Proton66 Infrastructure tied to expanding malware campaigns and C2 operations | VIRUS | Proton66 has emerged as a central hub for malicious cyber activity, hosting infrastructure used in C2 operations and phishing campaigns involving malware like GootLoader, SpyNote and XWorm. | |
24.4.25 | ToyMaker IAB paves way for Cactus ransomware | RANSOM | Initial Access Brokers are oftentimes the first step in a successful campaign for a threat actor. The access brokers work their way into an environment, collect relevant data, and then sell that information to a threat actor for further compromise. | |
24.4.25 | Weaponized Alpine Quest App used to spy on Russian military via Telegram Bot | BOTNET | A modified version of the popular Android navigation app Alpine Quest has been found carrying spyware targeting Russian military personnel. The spyware, bundled within the app, collects sensitive information such as phone numbers, account details, contacts and geolocation. | |
24.4.25 | A recent FormBook distribution campaign observed in the wild | CAMPAIGN | A new FormBook distribution campaign has been reported by the researchers from Fortinet. The attackers leverage malicious Word documents containing an exploit for CVE-2017-11882, which is an older vulnerability affecting the Equation Editor component in Microsoft Office. | |
24.4.25 | Billbug APT continues campaigns in Southeast Asia | APT | The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. | |
24.4.25 | RustoBot botnet activity | BOTNET | RustoBot is a new Rust-based botnet variant distributed via exploitation of vulnerabilities in unpatched TOTOLINK devices. | |
22.4.25 | Ransomware group Interlock enhances tactics with ClickFix and Infostealers | RANSOM | Reports indicate that the ransomware group Interlock has advanced its attack methods by incorporating ClickFix social engineering techniques alongside infostealers. | |
22.4.25 | Gunra Ransomware | RANSOM | Another ransomware actor operating under the name Gunra has recently surfaced, allegedly claiming several victims in the healthcare, electronics, and beverage manufacturing sectors, as listed on their onion website. In recent activity, the ransomware they deploy appends a .encrt extension to encrypted files and drops a ransom note named r3adm3.txt in multiple directories. | |
22.4.25 | SuperCard X Android malware | VIRUS | A new Android malware campaign, identified as a malware-as-a-service called SuperCard X, has been observed targeting users in Italy. Delivered via socially engineered smishing and phone calls, the intent of the campaign is financial theft. | |
22.4.25 | PasivRobber - Spyware targeting macOS platform | PasivRobber is a new malware variant targeting the macOS platform that has been recently identified in the wild. Its main function is to exfiltrate miscellaneous data from macOS systems, including information from 3rd party apps, web browsers, emails, cookies, chat messages (WeChat and QQ), screenshots, etc. | ||
18.4.25 | PteroLNK malware | VIRUS | PteroLNK is a new Pterodo malware variant recently distributed in the wild and attributed to the Shuckworm APT (aka Gamaredon). The malware comes in form of an obfuscated VBScript with a downloader and a LNK dropper components. | |
18.4.25 | A recent campaign attributed to the Fritillary APT group | APT | A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to recent research by Check Point, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor. | |
18.4.25 | New fileless malware campaign drops XWorm & Rhadamanthys | VIRUS | A new malware campaign has been observed using JScript and obfuscated PowerShell commands to deploy highly evasive malware variants such as XWorm and Rhadamanthys. The campaign targets Windows systems employing scheduled tasks or deceptive ClickFix CAPTCHA screens to trick users into executing malicious payloads. | |
18.4.25 | DragonForce Ransomware's Campaign Intensifies in 2025 | RANSOM | In 2024, DragonForce ransomware actors were highly active, claiming around 93 victims on their leak website, with likely more that were not disclosed. We're still in early 2025, and the group has already "allegedly" claimed over 40 organizations as potential victims across multiple countries and sectors. | |
18.4.25 | Multi-stage attacks delivering Agent Tesla variants | VIRUS | Malspam email campaigns are the rule rather than the exception these days. Delivering multi-stage attacks through malicious attachments is the norm. Researchers at Palo Alto Networks have published a report sharing details about such campaigns using variants of Agent Tesla as the final payload. | |
18.4.25 | Malicious VSCode extensions infecting users with cryptominer | CRYPTOCURRENCY | A set of VSCode extensions posing as legitimate development tools has been observed infecting users with the XMRig cryptominer for Monero in a new cryptojacking campaign. | |
18.4.25 | DOGE BIG BALLS Ransomware | RANSOM | A new ransomware campaign has been reported exploiting the name of a prominent figure within the Department of Government Efficiency (DOGE) to trick victims. The attack delivers a modified variant of Fog ransomware dubbed "DOGE BIG BALLS Ransomware." | |
18.4.25 | Linux based BPFDoor observed in Asia and Middle East | VIRUS | BPFDoor is a Linux based backdoor that has been observed in attacks against various industries in Asia and the Middle East. Named for its use of Berkeley Packet Filtering, the malware implements a filter that activates functionality based on specific sequences found during network packet inspection. | |
18.4.25 | CVE-2025-30208 - Vite Arbitrary File Read vulnerability | VULNEREBILITY | CVE-2025-30208 is a recently disclosed Arbitrary File Read vulnerability affecting Vite, which is a frontend build and development tool for web applications. | |
15.4.25 | SpyNote Campaign Masquerades as a MissAV mobile app | CAMPAIGN | Porn remains one of the most effective social engineering vectors due to high curiosity-driven engagement, the stigma that discourages victims from reporting, and the ease with which it can be weaponized through mobile-based attacks such as fake APKs. | |
15.4.25 | Turkish Employment Agency Impersonated in a Snake Keylogger campaign | CAMPAIGN | Symantec has recently observed a Snake Keylogger campaign targeting organizations in Turkey, including those in the Aerospace & Defense and Financial Services sectors. | |
15.4.25 | ZeroTrace Stealer | VIRUS | ZeroTrace Stealer is a new infostealing malware that recently emerged on the threat landscape. The malware builder has been distributed via various underground forums and file-sharing platforms while advertised as being created for educational and research purposes only. | |
15.4.25 | Pulsar RAT malware | VIRUS | Pulsar is a new remote access trojan (RAT) variant recently identified in the wild. This C#-based malware is based on the Quasar RAT strain and has miscellaneous functionality including keylogging, cryptocurrency wallet clipping, infostealing, file management, remote shell and command execution, among others. | |
15.4.25 | PelDox Ransomware | RANSOM | Unlike typical ransomware, PelDox does not inform victims about the encryption of their files or demand payment for decryption. After encrypting the files and appending the ".lczx" extension, the ransomware displays a full-screen message. | |
15.4.25 | HijackLoader new modular enhancements for stealth and evasion | HijackLoader (also known as GHOSTPULSE or IDAT Loader) is a malware loader capable of delivering second-stage payloads and offers a variety of modules mainly used for configuration information, evasion of security software, and injection/execution of code. | ||
12.4.25 | NanoCrypt Ransomware | RANSOM | NanoCrypt is another "run-of-the-mill" ransomware variant discovered in the wild. The malware encrypts user data and appends .ncrypt to the name of locked files. The ransom note dropped in the form of a text file called README.txt indicates that this malware has been created "for fun" and not intended for any harmful activity. | |
12.4.25 | Chaos Ransomware Variant Targets IT Staff via Fake Security Tool | RANSOM | Chaos ransomware variants continue to emerge, mostly used by actors targeting individual machines through drive-by-download social engineering. These attacks typically demand a smaller ransom compared to double-extortion ransomware actors who target larger organizations through more complex attack chains. | |
12.4.25 | New Amethyst Stealer variant distributed by Sapphire Werewolf group | VIRUS | Distribution of a new and updated Amethyst Stealer variant has been observed in the wild. The campaign is attributed to the threat actor known as Sapphire Werewolf. | |
12.4.25 | CVE-2025-31161 - CrushFTP authentication bypass vulnerability exploited in the wild | VULNEREBILITY | CVE-2025-31161 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting CrushFTP file transfer solution. If successfully exploited, the flaw could grant unauthenticated attackers admin level access to the underlying server via crafted HTTP requests. | |
12.4.25 | Neptune RAT | VIRUS | Neptune RAT is a highly modular, multi-functional remote access Trojan. The malware contains numerous DLL plugins which provide functionality. Available features include, but are not limited to, the following: | |
12.4.25 | Salary Adjustment PDF Lure Redirects to AWS-Hosted Outlook Credential Phish | PHISHING | Symantec has observed a new phishing campaign in which threat actors are leveraging PDFs to redirect users to a phishing page hosted on AWS S3. | |
12.4.25 | CVE-2025-1094 - PostgreSQL SQL injection vulnerability | ALERTS | VULNEREBILITY | CVE-2025-1094 is a recently disclosed high severity (CVSS score 8.1) SQL injection vulnerability affecting PostgreSQL, which is an open-source relational database management system (RDBMS). If successfully exploited, the flaw might lead up to a remote code execution due to improperly sanitized SQL inputs. |
9.4.25 | GiftedCrook infostealer deployed in UAC-0226 campaign | VIRUS | According to a recent security alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of targeted attacks against various military and governmental entities in Ukraine has been detected. The campaign, dubbed UAC-0226, distributes phishing emails containing .xlsm attachments with malicious macros. | |
9.4.25 | CVE-2025-29927 - Next.js middleware authorization bypass vulnerability | VULNEREBILITY | CVE-2025-29927 is a recently disclosed vulnerability (CVSS score 9.1) affecting Next.js, which is an open-source JavaScript web development framework. If successfully exploited, the flaw might allow attackers to bypass authorization via specially crafted HTTP requests, potentially exposing protected content. | |
9.4.25 | This Vidar stealer is not your Sysinternals tool | VIRUS | Vidar is an information stealing malware that has been active since 2018. It is a Malware-as-a-Service offering which has been used by attackers to steal sensitive data, such as credentials stored in browsers, applications, and cloud storage services. | |
9.4.25 | EncryptHub attackers leverage MSC files for payload delivery | VIRUS | A recent campaign attributed to the EncryptHub (Water Gamayun) group has seen the threat actors leverage a Microsoft Management Console vulnerability (tracked as CVE-2025-26633) and .msc files for malicious payload execution. | |
9.4.25 | HollowQuill campaign luring users with disguised malicious PDFs | CAMPAIGN | HollowQuill campaign has been targeting academic institutions and government agencies worldwide through weaponized PDF documents. The attack employs social engineering tactics, disguising malicious PDFs as research papers, grant applications, decoy research invitations, or government communiques to entice unsuspecting users. | |
9.4.25 | Springtail APT group targets South Korean government entities | APT | The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments. | |
9.4.25 | From Phishing to LINE Scams: Rakuten Securities users at risk | PHISHING | Over the past few weeks, a phishing actor has been launching campaign after campaign targeting Rakuten Securities users in an attempt to steal their credentials. | |
9.4.25 | ModiLoader deployed via .SCR in Taiwanese Freight Impersonation | VIRUS | Malware actors have been abusing the Windows screensaver file format (.scr) for some time now. While such files might appear harmless, they are essentially executable programs with a different file extension. | |
4.4.25 | CVE-2024-54085 - AMI MegaRAC BMC authentication bypass vulnerability | ALERTS | VULNEREBILITY | CVE-2024-54085 is a critical (CVSS score 10.0) authentication bypass vulnerability affecting AMI MegaRAC Baseboard Management Controller (BMC) which is a remote server management platform. If successfully exploited, the flaw might allow remote unauthenticated attackers to access the remote management interface (Redfish) and further lead up to more severe compromise of the vulnerable server. |
4.4.25 | Lockbit 4.0 ransomware | RANSOM | Lockbit 4.0 is the most recent iteration of the infamous ransomware attributed to the threat actor called Syrphid. The ransomware is operated based on a Ransomware-as-a-Service (RaaS) model with various affiliates carrying out the attacks and often employing different tactics, techniques, and procedures (TTPs). | |
4.4.25 | RolandSkimmer campaign | CAMPAIGN | A new credit card skimming campaign dubbed RolandSkimmer has been reported by the researchers from Fortinet. The attack starts with .zip archives containing malicious .lnk files being delivered to the intended victims. | |
4.4.25 | CVE-2024-4577 makes a return in recent malware campaigns | A high severity CVE (CVSS: 9.8), CVE-2024-4577, has recently been disclosed to be in use in an active malware campaign targeting companies within the APJ region. | ||
4.4.25 | Latest Gootloader variant spread via malvertisements | VIRUS | The latest Gootloader variant has been observed abusing the Google Ads platform for distribution. The malware has been leveraging malvertisements directed at users searching for various legal templates such as NDA agreements, etc. | |
4.4.25 | CrazyHunter - a new Prince ransomware variant | RANSOM | CrazyHunter is a new Go-based ransomware variant based on the open-source Prince encryptor malware family. The malware encrypts user data and drops a ransom note in the form of a text file called "Decryption Instructions.txt". This note is written in an identical format to the one observed in older Prince ransomware variant deployments. | |
3.4.25 | New phishing campaign targets Monex Securities users | PHISHING | Lately, Symantec has observed phish runs targeting users of Monex Securities (マネックス証券), one of Japan's leading online securities companies, formed through the merger of Monex, Inc. and Nikko Beans, Inc. The company offers individual investors a range of financial services. | |
3.4.25 | DarkCloud Stealer via TAR archives in Multi-Sector Spanish Campaign | VIRUS | A company in Spain that specializes in mountain and skiing equipment is being spoofed in an email campaign. The actors behind this attack are targeting Spanish companies and local offices of international organizations. | |
3.4.25 | CVE-2024-20439 - Cisco Smart Licensing Utility static credential vulnerability | VULNEREBILITY | CVE-2024-20439 is a static credential vulnerability (CVSS score 9.8) affecting Cisco Smart Licensing Utility. If successfully exploited, the flaw could allow attackers to gain administrative privileges for the application's API. | |
3.4.25 | CPU_HU cryptomining malware | VIRUS | A new campaign distributing cryptomining malware dubbed CPU_HU has been reported in the wild. The attackers target vulnerable or misconfigured PostgreSQL instances in efforts to deploy XMRig-C3 cryptominer binaries. A similar malware variant (also known as PG_MEM) was distributed last year in campaigns attributed to the same threat actors. The most recent campaign implements additional detection evasion techniques including fileless payload execution. | |
3.4.25 | Salvador Stealer - a new mobile malware | VIRUS | Salvador Stealer is a newly discovered Android malware variant. The infostealer is spread under the disguise of legitimate mobile banking apps. The malware delivery is a multistage process that uses a separate malicious dropper .apk binary responsible for final payload execution. Salvador Stealer aims at collection and exfiltration of user confidential data including banking details and credentials. | |
3.4.25 | Recent activities deploying Konni RAT malware | VIRUS | Konni RAT is a well known remote access trojan (RAT) variant active on the threat landscape for several years. The malware has the functionality to exfiltrate sensitive data from compromised machines, achieve persistence on the infected endpoints and execute remote commands received from attackers. | |
3.4.25 | CVE-2024-48248 - NAKIVO Backup and Replication absolute path traversal vulnerability | VULNEREBILITY | CVE-2024-48248 is a recently identified absolute path traversal vulnerability (CVSS score 8.6) affecting NAKIVO Backup and Replication solution. If successfully exploited, the flaw might enable unauthenticated attackers to read arbitrary files on the target hosts leading to sensitive information exposure. | |
2.4.25 | Masslogger Bank-Themed Phishing Primarily Targets Romania, With Broader European Reach | VIRUS | Symantec has observed a Masslogger campaign primarily targeting organizations in Romania, where attackers are impersonating a Romanian bank. In addition to Romanian entities, the campaign has also impacted organizations in several other countries across Europe and beyond. | |
2.4.25 | TsarBot Android malware | VIRUS | TsarBot is a new Android banking trojan reported to be targeting over 750 different banking, financial and cryptocurrency-related applications. | |
1.4.25 | New SnakeKeylogger multistage Info-stealer campaign | ALERTS | VIRUS | SnakeKeylogger is an info-stealer malware that harvests credentials and other sensitive data. It targets a wide range of applications such as web browsers like Google Chrome, Mozilla Firefox, and email clients such as Microsoft Outlook and Thunderbird. |
1.4.25 | Crocodilus Android malware | ALERTS | VIRUS | Crocodilus is a new mobile banking trojan variant identified recently on the threat landscape. The malware has extensive remote control and infostealing functionalities, enabling application overlay attacks, remote access to the compromised devices, theft of credentials/data stored on the mobile device, keylogging and execution of commands received from C2 servers, among others. |
1.4.25 | New CoffeeLoader malware | VIRUS | CoffeeLoader is a new sophisticated malware loader designed to deploy secondary payloads while evading detection. This loader leverages a packer that executes code on a system's GPU. CoffeeLoader establishes persistence via the Windows Task Scheduler, using a scheduled task with a hard-coded name. | |
1.4.25 | MassLogger Targets Businesses Worldwide via Procurement-themed Phishing | ALERTS | PHISHING | MassLogger, an information-stealing malware designed to capture credentials, keystrokes, and clipboard data from victims, has been gaining prevalence in the threat landscape, with campaigns of various sizes and victimology observed worldwide. |
28.3.25 | Remcos backdoor distributed in the latest campaign attributed to Shuckworm APT | ALERTS | CAMPAIGN | A new campaign attributed to the Shuckworm APT (aka Gamaredon) has been reported by researchers from Cisco Talos. According to the released report, the attackers are targeting users from Ukraine with malicious .LNK files and PowerShell downloaders before infecting them with the Remcos RAT payload. |
28.3.25 | Argenta Bank users targeted with new phishing emails | ALERTS | PHISHING | Argenta is a bank based in Belgium and also operates in the Netherlands and Luxembourg. Recently, Symantec has detected a new wave of phish runs spoofing Argenta's bank services with fake account notifications. |
28.3.25 | RALord Ransomware | RANSOM | RALord is a new Rust-based ransomware variant identified in the wild. The malware encrypts user data and appends the ".RALord" extension to the names of the locked files. | |
28.3.25 | VIPKeyLogger Targets Japan's Corporate Sector | ALERTS | VIRUS | VIPKeyLogger, a stealthy keylogging malware, has been observed in two phishing campaigns targeting Japanese organizations and international companies with local offices in Japan. |
28.3.25 | PJobRAT Android malware | ALERTS | VIRUS | A new campaign distributing PJobRAT malware for Android has been discovered by the researchers from Sophos. The campaign mostly targets mobile users in Taiwan and aims at collection and exfiltration of sensitive data including SMS messages, contact lists as well as documents and media files stored on the compromised devices. |
28.3.25 | CVE-2025-24799 - SQL injection vulnerability in GLPI | VULNEREBILITY | CVE-2025-24799 is a recently identified SQL injection vulnerability affecting GLPI, which is a popular and open-source IT Service Management (ITSM) software. | |
27.3.25 | CVE-2025-29891 - Bypass/Injection vulnerability in Apache Camel | ALERTS | VULNEREBILITY | CVE-2025-29891 is a second recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. If successfully exploited, the flaw might enable remote attackers to inject arbitrary parameters in the HTTP requests that are sent to the Camel application. |
27.3.25 | New Go-based ReaderUpdate macOS malware variant | ALERTS | VIRUS | A new Go-based strain of the macOS malware dubbed ReaderUpdate has been discovered in the wild. Previous variants of this malware were based on the Crystal, Nim and Rust programming languages. |
27.3.25 | Phishing Surge Targets Rakuten Securities Users | ALERTS | PHISHING | In recent weeks, there has been an increase in phishing campaigns targeting users of Rakuten Securities (楽天証券), one of Japan's largest and most well-established online brokerage firms. The company offers a wide range of investment services, including stocks, ETFs, mutual funds, futures, options, forex trading, and NISA (Japan's tax-advantaged investment accounts). |
27.3.25 | New Android malware leverages .NET MAUI framework for detection evasion | VIRUS | A new Android malware variant leveraging the .NET MAUI framework has been identified in the wild. .NET MAUI is a cross-platform framework used to build native desktop and mobile apps with C# and XAML. | |
27.3.25 | PlayBoy Locker Ransomware | RANSOM | PlayBoy Locker is a ransomware variant discovered last September and initially distributed in the form of a Ransomware-as-a-Service (RaaS) offering. The ransomware platform offered multi-OS support including Windows, NAS and ESXi operating systems. | |
26.3.25 | CVE-2025-24813 - Critical path equivalence RCE vulnerability in Apache Tomcat | ALERTS | VULNEREBILITY | Security researchers have observed active exploitation attempts of CVE-2025-24813, a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat, an open-source servlet container and web server for Java applications. The flaw, caused by a path equivalence issue, allows attackers to bypass security constraints and execute arbitrary code remotely. |
26.3.25 | Dragon RaaS Group: Ransomware targeting the US and European countries | ALERTS | RANSOM | Dragon RaaS, a ransomware group that emerged in July 2024, primarily targets organizations in the US, Israel, UK, France and Germany. The group leverages web application vulnerabilities, brute-force attacks and stolen credentials as its main attack vectors, using two ransomware variants: a Windows-focused encryptor, likely a modified version of StormCry, and a PHP webshell which provides both backdoor functionality and persistent ransomware capabilities. |
26.3.25 | New JS downloader observed in recent malspam campaign | ALERTS | VIRUS | Symantec has observed a new email campaign delivering a JavaScript downloader as an attachment. The JS arrives under various filenames in an email with variable subjects. |
26.3.25 | Funnelweb attack group targets victims in Operation FishMedley | OPERATION | The China-backed advanced persistent threat group known as Funnelweb (aka Aquatic Panda, Earth Lusca, FishMonger) was responsible for an extensive campaign identified as Operation FishMedley. The campaign targeted entities including governments, NGOs, and think tanks across numerous countries. | |
26.3.25 | CVE-2025-26319 - Flowise Pre-Auth arbitrary file upload vulnerability | VULNEREBILITY | CVE-2025-26319 is a recently disclosed pre-auth arbitrary file upload vulnerability affecting Flowise, which is a popular open source tool for developers to build customized LLM (Large Language Model) orchestration flows and AI agents. | |
26.3.25 | FogDoor backdoor delivery campaign | ALERTS | VIRUS | A new campaign targeting Polish-speaking job-seeking developers has been reported to deliver a new backdoor variant dubbed FogDoor. The attackers lure the victims with a fake recruitment test that leads to a download of a .iso archive containing a malicious .lnk file. The executed .lnk file runs a PowerShell script responsible for installing the malware payload. |
25.3.25 | CVE-2024-56346 & CVE-2024-56347 - recent IBM AIX OS vulnerabilities | VULNEREBILITY | CVE-2024-56346 and CVE-2024-56347 are two recently disclosed critical (CVSS score 10.0 and 9.6 respectively) vulnerabilities affecting the IBM AIX operating system. | |
25.3.25 | SVCStealer malware | VIRUS | SVCStealer is a new C++-based infostealing malware identified in the wild. The infostealer collects various sensitive information from the infected endpoints such as system information, credentials, cryptocurrency wallets, data stored in browsers, screenshots, data from messaging applications (Discord, Tox, Telegram) or VPN apps, and others. | |
22.3.25 | New variants of the Albabat ransomware implement multi-OS capabilities | RANSOM | A new strain of the Albabat ransomware has been reported to offer multi-OS support, according to the latest report from Trend Micro. The new Albabat variant is still under active development and adds Linux and macOS to the list of targeted platforms. | |
22.3.25 | New phishing campaign targets Pocket Card users | PHISHING | Symantec has detected a phishing campaign targeting Japanese users with fake Pocket Card notification emails. The emails use the subject line: | |
22.3.25 | VanHelsing Ransomware | RANSOM | VanHelsing is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends the .vanhelsing or .vanlocker extension to the locked files. VanHelsing drops the ransom note in the form of a text file called "README.txt" and is also able to modify the desktop wallpaper. | |
22.3.25 | Campaign impersonating travel bookings site using "ClickFix" technique | ALERTS | CAMPAIGN | A phishing campaign impersonating Booking.com to deliver credential stealing malware has been observed targeting hospitality organizations in Asia, North America, Oceania, and Europe. The attackers send fake emails impersonating the online travel agency. |
22.3.25 | Recent UAT-5918 APT malicious activities targeting entities in Taiwan | APT | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. | |
22.3.25 | DarkCrystal RAT distributed in malicious campaign UAC-0200 | VIRUS | According to a recent alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of attacks against the defense sector in Ukraine has been detected. The campaign, dubbed UAC-0200, distributes malicious messages via the Signal messenger, leading the victims to execute the DarkTortilla loader, which in turn decrypts and runs the DarkCrystal RAT (aka DCRat) payload. | |
22.3.25 | Custom Betruger backdoor deployed by RansomHub affiliate | The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate. RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. | ||
20.3.25 | New Steganographic malware campaign exploits JPEG files to distribute Infostealers | ALERTS | VIRUS | A new steganographic malware campaign has been identified, using JPEG image files to distribute various infostealer malware. The attack starts by luring users into downloading an obfuscated JPEG file, which contains hidden malicious scripts and executables. |
20.3.25 | Fake captchas entice users to run malicious commands for rootkit deployment | VIRUS | Another fake captcha campaign is resulting in rootkits being deployed to unsuspecting victims. The attack is spread via fake captchas that impersonate popular software tools and websites; the captcha copies a malicious PowerShell command that uses curl to the user's clipboard and provides instructions on how to run it to prove they are human. | |
20.3.25 | CVE-2024-27564 - ChatGPT commit f9f4bbc SSRF vulnerability exploited in the wild | VULNEREBILITY | New reports emerged about threat actors actively exploiting an older Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-27564) affecting OpenAI's ChatGPT. | |
20.3.25 | NailaoLocker Ransomware | RANSOM | NailaoLocker is a ransomware variant distributed last year in campaigns targeting various European healthcare organizations. The attackers responsible for the attacks have been leveraging the previously disclosed Check Point Security Gateway vulnerability CVE-2024-24919 in the initial attack stages. | |
20.3.25 | AnubisBackdoor: New Python-based malware linked to Coreid APT group | ALERTS | VIRUS | A relatively new backdoor malware dubbed AnubisBackdoor has been spotted in the wild. This Python-based backdoor is attributed to the Savage Ladybug group, which is reportedly connected to the notorious Coreid (aka Fin7) APT group. |
20.3.25 | CVE-2025-27636 - Apache Camel Message Header Injection vulnerability | VULNEREBILITY | CVE-2025-27636 is a recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. | |
20.3.25 | StilachiRAT malware | ALERTS | VIRUS | StilachiRAT is a new remote access trojan variant discovered recently by researchers from Microsoft. The malware possesses extensive remote control as well as infostealing capabilities. |
19.3.25 | Protection Highlight: Thwarting Ransomware with Carbon Black Endpoint Standard | ALERTS | RANSOM | Today's ransomware is innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and fileless techniques. |
19.3.25 | JPHP downloader uncovered | VIRUS | A new downloader compiled with JPHP was recently observed. JPHP is an interpreter that allows PHP scripts to execute in a Java Virtual Machine. This particular malware was originally delivered in a ZIP file and leveraged Telegram for its C2 communications. Potential downloaded payloads include infostealers such as Danabot. | |
19.3.25 | VenomRat malware campaign uses VHD files for data exfiltration | CAMPAIGN | A VenomRat malware campaign using VHD files has been observed in the wild. The attack begins with a phishing email containing an archive attachment disguised as a purchase order to lure users. Inside the archive there is a .vhd file which mounts itself as a hard disk when opened. | |
19.3.25 | New XCSSET macOS malware variant discovered | According to recent reports, a new variant of XCSSET, the macOS modular malware, has been observed by researchers at Microsoft. First discovered in 2020, XCSSET is a sophisticated modular malware known to target users by infecting Apple Xcode projects. | ||
19.3.25 | A new Sobolan malware campaign | ALERTS | CAMPAIGN | Threat actors use compromised interactive computing environments like Jupyter Notebooks to spread Sobolan malware in a multi-stage attack. |
16.3.25 | OctoV2 mobile malware distributed as fake DeepSeek AI app | ALERTS | AI | A new variant of the OctoV2 Android banking malware has been spread recently under the disguise of a DeepSeek AI mobile app. DeepSeek is a recently released AI-powered chatbot, similar to the well-known ChatGPT. |
14.3.25 | SuperBlack - a new Lockbit ransomware variant | RANSOM | SuperBlack is a new ransomware variant based on the leaked Lockbit builder. According to recent reports, a newly observed distribution of this malware has been attributed to the threat actor dubbed Mora_001 (a possible Lockbit affiliate). | |
14.3.25 | LithiumWare Ransomware | RANSOM | LithiumWare is a new ransomware strain observed in the wild. The malware encrypts user data and appends random four-character extensions to the locked files. | |
14.3.25 | Vedalia threat group tied to new Android spyware called KoSpy | VIRUS | KoSpy is a recently discovered Android spyware that has been associated with the North Korean APT Vedalia (also known as APT37 ScarCruft). The spyware was observed masquerading as numerous utility applications to entice/trick its victims. | |
14.3.25 | Hellcat: Ransomware-as-a-Service group | RANSOM | Since its identification in late 2024, the Hellcat Ransomware Group has emerged as a prominent Ransomware-as-a-Service (RaaS) threat claiming attacks on critical national infrastructure and government organizations. | |
14.3.25 | Sosano backdoor targets UAE Aviation and Satellite firms | VIRUS | An email campaign targeting organizations in the UAE associated with aviation and satellite communications has been reported. The attack leveraged a compromised email account from an Indian electronics firm to send malicious emails aimed at luring victims. | |
13.3.25 | DocSwap mobile malware | VIRUS | DocSwap is a new mobile malware variant distributed under the disguise of a "document viewing authentication" mobile app. | |
13.3.25 | A new campaign distributing scam crypto investment platforms | CRYPTOCURRENCY | A new campaign spreading fraudulent cryptocurrency investment platforms has been reported by researchers from Palo Alto. The attackers leverage websites and Android mobile apps masquerading as known brands of retail stores, financial institutions or technology companies to lure their victims. | |
13.3.25 | CVE-2025-25181 - Advantive VeraCore SQL Injection vulnerability | VULNEREBILITY | CVE-2025-25181 is a SQL Injection vulnerability affecting Advantive VeraCore, which is an order fulfillment and warehouse management software. If successfully exploited, the flaw might allow the remote attackers to execute arbitrary SQL commands via the PmSess1 parameter and gain unauthorized access to sensitive data. | |
13.3.25 | Ballista botnet targets TP-Link Archer routers via vulnerability exploitation | BOTNET | A new botnet dubbed Ballista has targeted organizations in Australia, China, Mexico, and the US focusing on healthcare, manufacturing, services, and technology sectors. | |
13.3.25 | Credential Theft Campaign Disguised as Construction Quote Requests | PHISHING | An actor has been running a large phishing campaign, targeting businesses with emails disguised as requests for quotations. The emails, sent from multiple Outlook, Live, Hotmail, and MSN addresses, urge recipients to review an attached document, claiming it contains the scope of work for an urgent project. | |
13.3.25 | PlayPraetor mobile malware | VIRUS | PlayPraetor is a mobile malware recently distributed via fake Play Store websites. Many of the observed fraudulent domains leverage typo-squatting techniques to lure the unsuspecting victims into downloading the malicious binaries. | |
13.3.25 | CVE-2024-32444 and CVE-2024-32555 - WordPress RealHome and Easy Real Estate Plugin vulnerabilities | VULNEREBILITY | CVE-2024-32444 and CVE-2024-32555 are two recently disclosed vulnerabilities affecting WordPress RealHome and WordPress Easy Real Estate Plugin respectively. | |
13.3.25 | Blind Eagle malicious .url files variant | APT | Blind Eagle (aka APT-C-36) is a threat actor group that engages in both espionage and cyber-crime. It primarily targets organizations in Colombia and other Latin American countries, focusing on government institutions, financial organizations, and critical infrastructure. | |
13.3.25 | Malvertising campaign found in pirate streaming sites leading to infostealers | VIRUS | A malvertising campaign has been recently disclosed by Microsoft. The malicious actors start by injecting malvertising redirectors into videos hosted on pirate streaming sites. | |
13.3.25 | Phishing Campaign Impersonates Korean Tax Service | PHISHING | A new wave of phishing is making the rounds in South Korea, disguising itself as an official email from the Korean National Tax Service (NTS). The email claims to contain an electronic tax invoice and includes an HTML attachment named NTS_eTaxInvoice.html. | |
13.3.25 | Malicious operations attributed to the EncryptHub threat actor | RANSOM | EncryptHub is a new threat actor engaging in malicious operations distributing ransomware and infostealers (StealC, Rhadamanthys) to unsuspecting victims. | |
13.3.25 | Leafperforator APT conducts attacks on maritime sector | APT | A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. | |
11.3.25 | New Poco RAT distribution campaign | VIRUS | A new campaign distributing Poco RAT to Spanish-speaking users in Latin America has been reported in the wild. The campaign has been attributed to the Darkling APT (aka Dark Caracal). The group is known to leverage Bandook-based backdoors in their attacks. | |
11.3.25 | CVE-2024-13159 - Ivanti Endpoint Manager (EPM) Absolute Path Traversal vulnerability | VULNEREBILITY | CVE-2024-13159 is a critical (CVSS score 9.8) absolute path traversal vulnerability affecting the Ivanti Endpoint Manager (EPM) software. If successfully exploited, the flaw might allow a remote unauthenticated attacker to leak sensitive information. | |
10.3.25 | Strela Stealer targets MS Outlook users' credentials | VIRUS | Strela Stealer is an infostealer typically distributed through phishing campaigns affecting users in Italy, Germany, Spain, and Ukraine. It is designed to target specific email clients (notably Microsoft Outlook and Mozilla Thunderbird) and exfiltrate email login credentials. | |
10.3.25 | Boramae Ransomware | RANSOM | Boramae is a new ransomware discovered just recently in the threat landscape and a suspected variant of the Beast aka BlackLockbit malware family. The malware encrypts user files and appends ".boramae" to them. | |
10.3.25 | Phantom-Goblin operation spreading infostealers to victims | OPERATION | Phantom-Goblin is the name of a malicious infostealing campaign recently identified in the wild. The attackers responsible are leveraging social engineering techniques to lure victims into executing malicious .LNK files. | |
10.3.25 | Ebyte Ransomware | | ||
7.3.25 | Desert Dexter malicious campaign | CAMPAIGN | Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. | |
7.3.25 | Latest Njrat variant uses Microsoft Dev Tunnels for C2 communications | VIRUS | A new variant of the NjRAT malware has been reported in the wild. NjRAT (also known as Bladabindi or Ratenjay) is an older but still widely used Remote Access Trojan (RAT). This malware is often used to extract data from the compromised endpoints, send commands via remote shell, manipulate the registry as well as download additional payloads. | |
7.3.25 | Medusa ransomware activity on the rise | RANSOM | Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. | |
7.3.25 | A new campaign targeting ISP infrastructure with infostealers | VIRUS | A new campaign targeting ISP (Internet service provider) infrastructure with infostealers and cryptocurrency miners has been reported in the wild. In the initial attack stages the threat actors are leveraging brute force attacks to access the vulnerable environments. | |
5.3.25 | Phishing campaign used to deliver Havoc malware | CAMPAIGN | In a new report, researchers at Fortinet have detailed a phishing campaign that was used to deliver Havoc malware. Havoc is a malicious framework, akin to Cobalt Strike, that is actively leveraged to compromise victims. In this campaign, the attackers leveraged multiple components, starting with an HTML file which lures the recipient into executing a malicious PowerShell command. | |
5.3.25 | Danger & Loches - recent Globeimposter ransomware variants seen in the wild | RANSOM | Danger and Loches are the two most recently identified variants of the Globeimposter ransomware family. The malware encrypts user data and appends the .danger or .loches extension to the locked files respectively. | |
5.3.25 | GrassCall malware campaign spreads infostealers to job seekers | VIRUS | GrassCall is a recently identified campaign attributed to the threat group known as Crazy Evil. The attack has been targeting job seekers with fake job interviews in an effort to distribute malicious executables used for infostealing. The attackers have been advertising fake job offers on various well-known websites such as LinkedIn or CryptoJobsList. The victims were asked to download fake video meeting software called GrassCall. | |
5.3.25 | CVE-2024-12356 - BeyondTrust PRA and RS vulnerability | VULNEREBILITY | CVE-2024-12356 is a critical (CVSS score 9.8) command injection vulnerability affecting the BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS) software. If successfully exploited, the flaw might allow an unauthenticated attacker to inject commands that are run as a site user. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog in December 2024 following reports of in-the-wild exploitation. | |
5.3.25 | Leveraging malicious LNK files and Null-AMSI tool to deliver AsyncRAT | VIRUS | A malware campaign using malicious LNK files disguised as wallpapers to lure users has been observed. As part of the attack vector, the open-source Null-AMSI tool is employed to bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). Obfuscated PowerShell scripts are used to connect to a remote server and download gzip-compressed payloads to evade detection. The final payload is loaded into memory via reflection, enabling the execution of AsyncRAT for remote control. | |
5.3.25 | Attackers spread Winos4.0 malware using taxation as a lure | The Winos4.0 malware framework has been used by threat groups to perpetrate attacks against intended victims. In a recent report, Fortinet outlined an attack observed against users in Taiwan, using a tax-related lure to distribute Winos4.0 malware. The campaign leveraged a PDF attachment with a zip archive that contained malicious DLL and shellcode components, along with further modules downloaded from a C2. | ||
5.3.25 | Fake browser updates being distributed through malicious redirects | Security researchers have observed recent malware campaigns utilizing web-based malware distribution via compromised sites rather than relying solely on email-based attacks to spread malicious links. | ||
1.3.25 | LCRYX Ransomware | ALERTS | LCRYX is a VBScript-based ransomware discovered in the wild last year. The malware encrypts user data, appends ‘.lcryx’ to the locked files and demands ransom payment in the Bitcoin cryptocurrency. | |
1.3.25 | New Squidoor backdoor variant distributed in latest campaigns | ALERTS | VIRUS | Squidoor is a modular multi-platform backdoor variant supporting both Windows and Linux platforms. According to the researchers from Palo Alto, the newest strain of this malware is distributed in attacks associated with suspected Chinese threat actors. |
1.3.25 | Bank of Yokohama users targeted with new phishing emails | ALERTS | PHISHING | In Japan, the Bank of Yokohama is the largest regional bank headquartered in Yokohama. Recently, Symantec has detected a new wave of phishing runs spoofing Bank of Yokohama services with fake account notifications. The emails use the subject line: 【横浜銀行】3月ご利用明細のご案内について (Translated: [Yokohama Bank] Information on March usage statements). |
1.3.25 | Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims | ALERTS | APT | The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. In a recent report by researchers at Cisco Talos, activity from this group was seen in attacks affecting organizations in sectors such as government, manufacturing, telecommunications and media in Asia. |