The financially motivated cybercrime group FIN7—also known as Carbon Spider, Sangria Tempest, ELBRUS, Gold Niagara, and Savage Ladybug, has been linked to a sophisticated Python-based backdoor called Anubis. This malware is designed to provide remote access and control over compromised Windows systems.

Beginning in late 2024, Unit 42 researchers have noticed a shift in QR code phishing tactics. Attackers are employing strategies such as hiding the final malicious website destination by leveraging the redirection mechanisms of legitimate sites and other phishing tactics.

In late January 2025, a Managed Service Provider (MSP) administrator fell victim to a sophisticated phishing attack targeting their ScreenConnect Remote Monitoring and Management (RMM) tool. The attack, attributed with high confidence by Sophos to the ransomware affiliate tracked as STAC4365, began with a well-crafted phishing email purporting to be a ScreenConnect authentication alert.

North Korean IT workers, often referred to as “IT warriors,” have expanded their operations beyond the United States and are now increasingly targeting organizations across Europe.

Ontinue's Cyber Defence Centre (CDC) analyzed a sophisticated, multi-stage attack that effectively combined vishing, remote access tools, and living-off-the-land techniques to infiltrate the victim's system.

Ontinue's Cyber Defence Centre investigated a complex, multi-stage attack involving social engineering, remote support abuse, and stealthy post-exploitation techniques. The intrusion began with a vishing campaign where the threat actor impersonated IT support and delivered a malicious PowerShell payload via Microsoft Teams chat.

Attackers are actively exploiting a critical authentication bypass vulnerability in CrushFTP file transfer software, tracked as CVE-2025-2825.

Yesterday, Apple released security updates to address several vulnerabilities impacting a range of products including macOS, ipadOS, iOS, and much more. Notably, three of the flaws, tracked as CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, were exploited as zero-days in attacks in the wild:

GreyNoise has reported a significant increase in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals, with nearly 24,000 unique IP addresses attempting access in the past 30 days. This surge, which peaked at nearly 20,000 IPs per day from March 17 to March 26, suggests a coordinated effort to probe for vulnerable systems, potentially indicating preparations for future exploitation.

Ukrainian entities have been targeted in a phishing campaign aimed at delivering Remcos RAT, a remote access trojan used for surveillance and data theft.

North Korea's Lazarus Group has adopted a new tactic known as "ClickFix" in its ongoing efforts to compromise job seekers in the cryptocurrency industry, particularly within the centralized finance space.

CISA has identified a new malware strain named RESURGE targeting the patched vulnerability CVE-2025-0282 in Ivanti Connect Secure (ICS) appliances. RESURGE is an improved version of the SPAWNCHIMERA malware, retaining its reboot persistence mechanisms but introducing 3 distinct commands for malware behavior modification.

DarkCloud is a sophisticated infostealer malware that first gained prominence in 2022 and has continued to evolve and expand its presence since then. It is primarily distributed through phishing campaigns, where attackers impersonate legitimate entities or use social engineering tactics to compromise targets, especially HR departments.

DFIR Report researchers shared details of an intrusion that occurred in May 2024, where actors leveraged a fake zoom installer to infect the targeted system with BlackSuit ransomware. The attack initiated when an unsuspecting victim visited a malicious site masquerading Zoom's official download page (zoommanager[.]com).

Lucid is identified as a significantly impactful and sophisticated Phishing-as-a-Service (PhAAS) platform operated by Chinese-speaking threat actors. This platform targets a vast global landscape, impacting 169 entities across 88 countries.

CoffeeLoader is a sophisticated malware loader identified by security firm Zscaler in September 2024, designed to download and execute second-stage payloads while evading detection by security solutions.

Cybercriminals are now exploiting sponsored Google ads to target users searching for the popular AI chatbot, DeepSeek. According to security firm Malwarebytes, the attackers are using Google Ads to promote domains that mimic DeepSeek's official site, such as deepseek-ai-soft[.]com and deepseakr[.]com.

ESET researchers have uncovered that a custom security evasion tool developed by the RansomHub ransomware group has been used in attacks linked to three additional cybercrime gangs: Play, Medusa, and BianLian.

A sophisticated Phishing-as-a-Service platform, identified by Infoblox Threat Intelligence and dubbed Morphing Meerkat, has been observed spoofing over 100 well-known brands in order to steal user credentials through dynamic and highly evasive phishing attacks.

Security researchers from Forescout's Vedere Labs have disclosed 46 serious vulnerabilities in solar inverters produced by the world's top three manufacturers. These flaws, which affect both the devices and their associated cloud platforms, could allow attackers to remotely take control of the inverters, execute malicious code, access sensitive user data, or even physically damage components.

A widespread and persistent cyber campaign compromised around 150,000 legitimate websites by injecting malicious JavaScript to redirect users to Chinese-language gambling platforms. According to c/side security analyst Himanshu Anand, the threat actor continues to rely on iframe injections to deliver fullscreen overlays in victims' browsers.

RedCurl, aka Earth Kapre and Red World, is a Russian-speaking hacking group, that has been active since November 2018. The group is known for launching spear-phishing attacks (e.g. phishing emails containing IMG files disguised as CV documents) against organizations in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States.

Credential stuffing is a type of cyberattack in which malicious actors exploit of a list of stolen or leaked usernames and passwords to gain unauthorized access to accounts that use the same credentials.

The Chinese threat actor FamousSparrow has been observed deploying new variants of its custom SparrowDoor backdoor and, for the first time, the widely shared Chinese state-sponsored malware ShadowPad RAT in attacks targeting a trade group in the United States and a research institute in Mexico during July 2024.

Cybersecurity researchers have uncovered two malicious packages on the npm registry ethers-provider2 and ethers-providerz that exemplify a new wave of software supply chain attacks targeting open-source ecosystems. Published on March 15, 2025, ethers-provider2 was downloaded 73 times before detection, while ethers-providerz received no downloads and was likely removed by its author.

The threat actor known as EncryptHub has been exploiting a recently patched zero-day vulnerability in Microsoft Windows, CVE-2025-26633 (CVSS score: 7.0), to deliver various malware families, including Rhadamanthys and StealC, which are commonly used for backdoor access and information stealing.

A recent analysis by K7 Labs has uncovered a new campaign attributed to the North Korean APT group Kimsuky, also known as "Black Banshee." The analysis details the group's latest infection chain, which involves the use of malicious VBScript and PowerShell scripts along with encoded text files to deliver and execute payloads.

On Tuesday, Google addressed a zero-day vulnerability in its Chrome browser that had been actively exploited in attacks. Tracked as CVE-2025-2783, the vulnerability stems from an “incorrect handle provided in unspecified circumstances in Mojo on Windows.”

IOCONTROL is a newly emerging malware strain attributed to the anti-Israeli and pro-Iranian hacktivist group, Cyber Av3ngers. First observed in December 2024, IOCONTROL targets IoT devices and Linux-based systems and supports various functions enabling operators to gain remote access to systems and conduct surveillance, manipulate systems, exfiltrate data, and facilitate lateral movement.

Sygnia investigated a prolonged cyber espionage campaign targeting a major telecommunications company in Asia. The threat actor, tracked as Weaver Ant, is assessed to have China-nexus ties based on their operational behavior, infrastructure, and targeting.

A new in-depth investigation by Silent Push, in collaboration with Team Cymru, has identified nearly 200 unique command-and-control domains linked to the Raspberry Robin malware, highlighting the growing scale and complexity of this threat.

Launched on March 7, 2025, VanHelsingRaaS is a rapidly growing ransomware-as-a-service platform that has already infected at least three known victims within its first two weeks of operation.

Threat actors are exploiting free online document converter tools to infect victims' computers with malware, including ransomware. The FBI's Denver Field Office has issued a warning, noting an increase in scams involving these tools, which claim to convert or merge files (such as turning a .doc file into a .pdf or combining multiple .jpg files into one .pdf) or, in some cases, masquerade as MP3 or MP4 downloaders.

Cyble has uncovered a new social engineering campaign targeting developers, particularly Polish-speaking job-seekers, by disguising malware as a technical coding challenge on GitHub.

Security researchers have issued a warning about a new malvertising campaign that exploits fake Google ads for Semrush, a SEO and marketing platform widely used by businesses, to harvest victims' Google account credentials and sensitive data.

A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.

New variants of the Albabat ransomware were recently discovered by researchers at Trend Micro, which now target not only Microsoft Windows systems but also gather hardware and system information from Linux and macOS environments.

Researchers at SEQRITE have uncovered a new C++ based information stealer, dubbed SvcStealer, which is being distributed through spear-phishing emails. First observed in late January 2025, SvcStealer is designed to harvest a wide range of sensitive information from the targeted system.

Cisco Talos researchers have identified a previously unknown threat actor, UAT-5918, which has been actively targeting critical infrastructure in Taiwan since at least 2023. The group is believed to be an advanced persistent threat actor focused on establishing long-term access to victim environments for the purpose of espionage and data theft.

Cybersecurity researchers at Sygnia have discovered a concerning attack method that exploits recent VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226). This observed technique allows attackers to escape virtual machines, circumvent security controls, and deploy ransomware at scale.

Cybercriminals are increasingly using malicious kernel drivers—either exploiting vulnerable legitimate ones or deploying custom-built drivers—to disable endpoint detection and response tools and evade detection.

Summary: Swiss Telecommunications provider, Ascom recently issued an advisory, stating that it is investigating a cyberattack that compromised it's technical ticketing system. The company reassured that other IT and customer systems remain unaffected, and there has been no disruption to business operations.

In November, 2024, NAKIVO patched a path traversal flaw in its backup & replication software, which could allow unauthenticated actors to read arbitrary files on vulnerable devices.

On March 5, 2025, the U.S. Department of Justice unsealed an indictment against employees of the Chinese contractor I‑SOON, revealing their involvement in global cyber espionage campaigns. The indictment detailed a series of attacks attributed to I‑SOON's operational arm, the FishMonger APT group, including a 2022 cyber campaign known as Operation FishMedley, which targeted governments, NGOs, and think tanks across Asia, Europe, and the United States.

Symantec researchers have uncovered a RansomHub affiliate deploying Betruger, a sophisticated multi-function backdoor designed to enhance cyberattacks. This malware provides extensive capabilities, including capturing screenshots, logging keystrokes, scanning networks, dumping credentials, escalating privileges, and uploading files to a command-and-control server.

As the April tax deadline draws near, scammers are taking advantage of the heightened stress and urgency of individuals rushing to file their returns. According to a press release by F-Secure, fraudsters are impersonating the Internal Revenue Service (IRS) to deceive victims through text messages and emails.

CERT-UA has issued a warning regarding a new campaign targeting Ukraine's defense sector, utilizing the Dark Crystal RAT (DCRat). They have recorded numerous cases of these cyberattacks. This activity cluster, identified in June 2024, targets both defense-industrial complex enterprises and military personnel.

Security firm Intel471 notes an increasing trend in threat actors leveraging remote monitoring and management (RMM) applications to gain initial access and move laterally across organizational networks.

A critical, unpatched security flaw in Microsoft Windows, identified as ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from China, Iran, North Korea, and Russia since 2017. T

Threat actors are actively exploiting CVE-2024-4577, a severe argument injection vulnerability in PHP running on Windows in CGI mode, to deploy cryptocurrency miners and remote access trojans like Quasar RAT.

Pillar researchers have uncovered an undocumented supply chain attack vector, "Rules File Backdoor," that exploits AI-powered code editors like GitHub Copilot and Cursor. Attackers embed malicious prompts within seemingly benign configuration files, specifically, rules files that guide AI behavior.

The ongoing exploitation of VPN-related vulnerabilities such as CVE-2018-13379 and CVE-2022-40684, continues to be a major threat to organizations worldwide. These vulnerabilities, despite being disclosed years ago, are still widely used by attackers in large-scale campaigns targeting VPN infrastructure.

Researchers at BI.Zone have uncovered a campaign where a North Korean threat group dubbed Squid Werewolf (aka APT37, Ricochet Chollima, ScarCruft, Reaper Group) was observed masquerading as recruiters to target job seekers and employees at specific organizations.

Guardz researchers have identified a sophisticated phishing campaign that bypasses traditional email security controls by abusing the inherent trust of Microsoft 365 infrastructure.

Researchers have confirmed that BlackLock is a rebranded version of the notorious Eldorado ransomware group, revealing a direct link between the two. After facing increased pressure from law enforcement and security experts, Eldorado resurfaced under the BlackLock banner, refining its operational model while maintaining its ransomware-as-a-service structure.

Threat hunters have uncovered new details about a cyber espionage campaign by the China-aligned MirrorFace group, which targeted a European Union diplomatic organization using the ANEL backdoor. The attack, detected by ESET in late August 2024, specifically focused on a Central European diplomatic institute, using lures themed around the upcoming World Expo in Osaka, Japan.

According to security researchers at Akamai, a critical command injection flaw impacting the Edimax IC-7100 network camera has been exploited in attacks in the wild since at lest May 2024 to deliver Mirai botnet malware variants.

Microsoft has uncovered details of a novel remote access trojan (RAT), dubbed StilachiRAT, which it uncovered in November, 2024. For its part, StilachiRAT employs sophisticated techniques to evade detection, maintain persistence on targeted environments, and exfiltrate sensitive information.

Cybersecurity researchers have recently uncovered a significant supply chain compromise targeting the widely adopted GitHub Action, "tj-actions/changed-files," which is integrated into the CI/CD workflows of over 23,000 software repositories.

Malicious actors are exploiting Cascading Style Sheets to evade spam filters and track user activity in phishing campaigns, posing significant security and privacy risks. According to Cisco Talos, attackers leverage CSS features to bypass detection in email clients, which impose strict restrictions on JavaScript and other dynamic content.

Cybercriminals are leveraging malicious Microsoft OAuth apps disguised as Adobe and DocuSign applications to steal Microsoft 365 credentials and deliver malware. Proofpoint researchers identified these highly targeted campaigns, which impersonate Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign to appear legitimate.

A widespread phishing campaign is underway, where fake security alerts on are being posted on GitHub repositories to trick unsuspecting developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and source code.

EclecticIQ security researcher Arda Byukkaya has uncovered details of a novel framework, dubbed ‘BRUTED,' which the Black Basta ransomware gang has used since 2023 to conduct large-scaled credential-stuffing and brute force attacks against edge network devices.

A new malware campaign, OBSCURE#BAT, has been identified using social engineering tactics to deploy the r77 rootkit, an open-source tool that enables persistence and evasion on compromised systems.

Microsoft Threat Intelligence has detected an active and evolving phishing campaign, designated as Storm-1865, which commenced in December 2024 and persists as of February 2025. This campaign specifically targets organizations within the hospitality sector, with a focus on individuals most likely to interact with Booking.com.

Barracuda's March Email Threat Radar report highlights a new campaign, where fraudsters are impersonating Clop ransomware to extort payments from victims. In this case, the attackers send emails falsely claiming to be Clop and state that they have successfully exploited a vulnerability in Cleo, a company known for developing managed file transfer platforms such as Cleo Harmony, VLTrader, and LexiCom.

A new ransomware group, dubbed SuperBlack (also referred to as "Mora_001"), was recently discovered by researchers at Forescout. This group has been exploiting two authentication bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) affecting Fortigate firewall appliances.

A dual Russian-Israeli national, Rostislav Panev, has been extradited to the United States, where he faces charges for his alleged role as a key developer in the LockBit ransomware operation.

Facebook has issued a warning about a critical vulnerability in FreeType, an open-source font rendering library widely used across multiple platforms, including Linux, Android, game engines, GUI frameworks, and online services.

XWorm Remote Access Trojan (RAT) is a sophisticated malware tool that has gained popularity among cybercriminals due to its advanced capabilities and widespread availability.

This report details a sophisticated phishing campaign targeting users of Microsoft Copilot, a relatively new Generative AI service. Attackers are leveraging the novelty of Copilot and the widespread usage of the Microsoft ecosystem in organizations to deceive employees.

Mimecast recently conducted a study surveying 1,100 IT security professionals and decision-makers from the United States, United Kingdom, France, Germany, South Africa, and Australia to gain insights into their current cybersecurity challenges and priorities for the upcoming year.

Lookout has uncovered details of a new Android spyware, dubbed ‘KoSpy,' that is masquerading as utility apps to target Korean and English speaking users. KoSpy has been active since March 2022 and uses the Google Play store and Firebase Firestore for propagation.

A recent campaign, tracked by Trend Micro, leverages fake GitHub repositories to distribute malware, primarily SmartLoader, which then deploys Lumma Stealer. These repositories, designed to appear legitimate, offer gaming cheats, cracked software, and system tools, utilizing AI-generated content and social engineering to deceive users.

On March 9, GreyNoise detected a sharp and coordinated spike in Server-Side Request Forgery exploitation, affecting multiple widely used platforms. At least 400 unique IPs were observed actively exploiting 10 different SSRF-related CVEs simultaneously, with notable overlap in attack attempts.

Security firm Cyfirma has uncovered details of a new ransomware strain dubbed, “Ebyte” which has been made publicly available on GitHub by its developer, EvilByteCode. Written in the Go programming language, Ebyte utilizes a combination of ChaCha20 and ECIES encryption to lock victim files.

As part of the March Microsoft Patch Tuesday, Microsoft addressed 57 flaws, including 7 zero-days, 6 of which are being actively exploited in attacks in the wild. Of the 57 flaws, there were 23 elevation of privilege vulnerabilities, 3 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 4 information disclosure vulnerabilities, 1 denial of service vulnerabilities, and 3 spoofing vulnerabilities.

A hacktivist group calling themselves "Dark Storm," claiming pro-Palestinian motivations, has asserted they are responsible for a series of Distributed Denial-of-Service (DDoS) attacks that caused widespread outages on the X platform. X owner Elon Musk confirmed a "massive cyberattack" but initially didn't attribute it to Dark Storm.

SideWinder, an India-based cyber-espionage group active since at least 2012, has recently escalated its cyberattacks on maritime and logistics organizations across Africa and Asia. Security researchers from Kaspersky have tracked the group's activities since early 2024, identifying targeted organizations in Egypt, Djibouti, the United Arab Emirates, Bangladesh, Cambodia, and Vietnam.

The Ballista botnet is actively targeting unpatched TP-Link Archer routers by exploiting a remote code execution vulnerability (CVE-2023-1389). This high-severity flaw, affecting TP-Link Archer AX-21 routers, enables attackers to execute arbitrary commands and spread malware.

The misuse of Cobalt Strike, a legitimate adversary simulation tool, has significantly decreased over the past two years, according to its developer, Fortra. While initially designed for security penetration testing, cybercriminals and state-sponsored threat actors have exploited cracked versions of the tool to target critical sectors like healthcare with ransomware and other malware.

A new blog post by Group-IB highlights a surge in SIM swap fraud, despite security measures implemented by telecom providers to prevent such attacks. SIM swap fraud occurs when an actor obtains sensitive information, such as a victim's national ID, phone number, and card details, typically through phishing websites or social engineering tactics.

Researchers have detected a sharp rise in malicious software packages designed to exploit system vulnerabilities through obfuscation and stealth tactics. A newly published report from Fortinet, covering threats observed since November 2024, details how attackers are leveraging lightweight, concealed software packages to infiltrate systems while evading traditional security measures.

Travelers' latest Cyber Threat Report published on March 6, 2025 reveals a significant shift in ransomware tactics during 2024.

Former software developer Davis Lu, 55, of Houston, was convicted of sabotaging Eaton Corporation's computer systems after losing responsibilities following a corporate restructuring in 2018. Lu, who worked at the Ohio-based power management company from November 2007 to October 2019, retaliated by deploying malicious code that severely disrupted the company's operations.

The Medusa ransomware has become a primary weapon for the threat group Spearwing, which has claimed nearly 400 victims since 2023, as evidenced by its leak site. According to Symantec researchers, Spearwing has rapidly expanded its operations, likely filling the void left by the decline of major ransomware groups such as Noberus and LockBit.

Researchers at SquareX have uncovered a new campaign leveraging polymorphic browser extensions to steal credentials and other sensitive data. These malicious extensions can silently impersonate any extension installed on a victim's browser, creating the illusion that trusted tools like password managers, crypto wallets, or banking apps are requesting sensitive information.

Several U.S. cities are issuing warnings about a surge in phishing text messages that impersonate municipal parking violation departments in an attempt to steal sensitive data from unsuspecting recipients.

Microsoft has reported on X (formerly Twitter) that the North Korean hacking group Moonstone Sleet has recently deployed Qilin ransomware in a limited number of attacks, marking a shift in their operational tactics.

Medusa ransomware, a Ransomware-as-a-Service (RaaS) operation tracked as Spearwing by Symantec, has demonstrated a significant surge in activity since its emergence in early 2023. Claiming nearly 400 victims, the group has seen a 42% increase in attacks between 2023 and 2024, with over 40 attacks reported in the first two months of 2025 alone.

Threat hunters have uncovered Ragnar Loader, a sophisticated and adaptable malware toolkit leveraged by multiple ransomware and cybercrime groups, including Ragnar Locker, FIN7, FIN8, and Ruthless Mantis (formerly REvil). While it is closely associated with Ragnar Locker, it remains unclear whether the group owns it outright or if they rent it to other threat actors.

A new blog post by Microsoft highlights a large-scale malvertising campaign that has been active since early December, 2024, and that has impacted nearly one million devices to date.

Security firm S-RM recently uncovered details of an Akira ransomware intrusion where the group was able to identify and compromise an unsecured webcam on the targeted network and further deploy ransomware (T1486 - Data Encrypted for Impact) from it without triggering detection from existing Endpoint Detection and Response (EDR) solutions in place.

Phantom Goblin is a recently discovered malware campaign distributed through RAR attachments and social engineered malicious LNK files to infect systems. The malware employs a LNK file disguised as a legitimate document to execute a PowerShell script, which retrieves additional payloads from a GitHub repository to avoid detection.

EncryptHub, a financially motivated threat actor, has been conducting sophisticated phishing campaigns to distribute information stealers and ransomware while also developing a new tool called EncryptRAT.

The U.S. Department of Justice has charged 12 Chinese nationals for their involvement in a far-reaching cyberespionage campaign aimed at stealing sensitive data and suppressing free speech worldwide.

Software company Elastic has addressed a critical vulnerability in Kibana, a widely used data visualization platform for Elasticsearch, that could allow attackers to execute arbitrary code on affected systems by uploading a specially crafted file and sending malicious HTTP requests.

According to a post on the social media platform X by cybersecurity firm PRODAFT, a new ransomware group, dubbed SecP0, has emerged with a novel approach to extorting payments from organizations. Unlike traditional ransomware groups that typically encrypt victims' data and demand payment for decryption keys, SecP0 is reportedly identifying critical vulnerabilities in widely used applications and systems, threatening to publicly disclose these flaws unless a ransom is paid.

VMware has released a critical security advisory addressing three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that are being actively exploited in the wild. These vulnerabilities affect VMware ESXi, Workstation, and Fusion products, with severity levels ranging from high to critical.

Lotus Panda, a suspected China-nexus APT group active since at least 2012, has intensified its targeting of government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. Cisco Talos observed Lotus Panda deploying updated versions of its Sagerunex backdoor, including new "beta" variants, demonstrating a focus on long-term persistence and evasion.

The China-linked threat actor Silk Typhoon (formerly Hafnium), known for exploiting zero-day vulnerabilities in Microsoft Exchange servers in January 2021, has evolved its tactics to focus on the IT supply chain as a means of gaining initial access to corporate networks.

A newly identified polyglot malware is being leveraged in targeted attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates. The malware delivers a backdoor named Sosano, enabling attackers to establish persistence on infected systems.

A new botnet malware, dubbed 'Eleven11bot,' has infected over 86,000 IoT devices, primarily security cameras and network video recorders, to launch DDoS attacks against telecommunication providers and online gaming servers. Discovered by Nokia researchers, Eleven11bot is one of the largest DDoS botnets in recent years.

GuidePoint has uncovered a new campaign in which threat actors are sending physical ransom notes to senior executives at US organizations via the United States Postal Service.

The Splunk Threat Research Team has identified a mass exploitation campaign targeting ISP infrastructure providers on the West Coast of the United States and China.

Nisos has uncovered a network of likely North Korean DPRK-affiliated IT workers posing as Vietnamese, Japanese, and Singaporean nationals to obtain remote engineering and blockchain developer positions in Japan and the United States.

In 2024, a total of 33.5 million attacks involving malware and unwanted software targeting mobile devices were prevented. Notably, Adware was the most common type of mobile threat, accounting for 35% of detections observed by Kaspersky.

Paragon Partition Manager's BioNTdrv.sys driver, in versions prior to 2.0.0, contains five vulnerabilities that can be exploited by attackers with local access to escalate privileges on targeted devices or launch denial of service attacks.

Trend Micro researchers have uncovered a sophisticated cyber-attack leveraging social engineering and widely used remote access tools to deploy a stealthy infostealer malware. This campaign grants attackers persistent access to compromised machines, enabling them to steal sensitive data.

DragonForce, a Ransomware-as-a-Service (RaaS) group discovered in August 2023, executed a considerably major cyberattack, first announced on February 14, 2025, against a large enterprise in Saudi Arabia's real estate and construction sector, marking their first major attack against a KSA entity.

In late February 2025, major updates for two prominent info-stealers, Vidar and StealC, were simultaneously released, both transitioning to version 2.0. These updates introduce new builds which have been written from scratch, modernized user interfaces, and enhanced capabilities, including a new “morpher” module to improve runtime stability and speed up execution.

Malwarebytes has uncovered a new campaign that exploits Google ads, directing victims to specially crafted PayPal payment links. These links trick users into calling fraudsters posing as legitimate customer service representatives.

Unit 42 researchers have identified phishing activity linked to the cyber threat actor JavaGhost, which has been active for over five years. Initially known for website defacement, the group shifted in 2022 to targeting cloud environments, specifically AWS, to conduct phishing campaigns for financial gain.

Microsoft has updated its civil lawsuit to name four individuals responsible for developing and distributing tools that bypass security measures in generative AI services, including Microsoft's Azure OpenAI Service.

Netskope Threat Labs researchers expanded upon their report on threat actors leveraging fake CAPTCHAs for phishing on February 12th, 2025, with new research published in a blog post yesterday.

According to a new report from GreyNoise, 40% of exploited CVEs in 2024 were at least four years old, with some dating back to the 1990s. Furthermore, in 2024, ransomware groups leveraged 28% of vulnerabilities listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating that mass exploitation is a major driver of financially motivated attacks.

Security firm Darktrace has shined light on an emerging ransomware group dubbed Lynx which is known for targeting organizations in the finance, architecture, retail, energy, and manufacturing sectors. Operating under a ransomware-as-a-service model, Lynx provides affiliates a portion of the ransom after gaining initial access and deploying Lynx's encryptor.

A newly uncovered malware campaign leveraging Winos 4.0 is actively targeting organizations in Taiwan through phishing emails that impersonate Taiwan's National Taxation Bureau. First observed by FortiGuard Labs in January 2025, this attack marks a shift in cybercriminal tactics, using government-themed social engineering to increase credibility and deceive victims.

Researchers at KELA have uncovered activity belonging to a group named Anubis Ransomware. Anubis has an official X account which suggests they have been active since at least November 2024.

On February 21, 2025, cryptocurrency exchange Bybit revealed that a cyberattack resulted in the theft of over $1.5 billion worth of cryptocurrency from one of its Ethereum cold wallets, marking the largest single crypto heist in history.

Sekoia has uncovered details of a new campaign targeting edge devices, integrating them into a sophisticated botnet dubbed “PolarEdge.” Based on network traces observed through honeypots set up by Sekoia, actors were found exploiting a remote code execution vulnerability (CVE-2023-20118) in the web-based management interface of Cisco Small Business routers on two separate occasions.

This report from Palo Alto Networks' Unit 42 details a sophisticated macOS malware campaign, attributed with moderate confidence to North Korean state-sponsored threat actors, targeting job-seeking software developers within the cryptocurrency sector.

Between November and December 2024, Palo Alto Networks researchers discovered a new Linux malware variant named Auto-color, which derives its name from the filename it renames itself to upon installation.

LCRYX ransomware, a VBScript-based malware, has resurfaced in February 2025 after its initial emergence in November 2024. The ransomware encrypts files using the ‘.lcryx' extension and demands a $500 bitcoin ransom for decryption.

The Have I Been Pwned (HIBP) service has added over 284 million accounts to its database, which were stolen by information-stealer malware and found on a Telegram channel.

Researchers at Securelist have uncovered details of a malware campaign, dubbed "GitVenom," which has been distributing malicious code through fraudulent repositories on GitHub to target developers seeking tools for automation, cryptocurrency, and gaming hacks.

A new report from Forescout's Vedere Labs reveals a significant shift in cyber threats against the healthcare sector, with attackers moving beyond hospital networks to infiltrate patient-facing medical software.

Researchers have discovered an upgraded version of the LightSpy spyware, now equipped with expanded data collection features targeting social media applications like Facebook and Instagram.

Hunt[.]io has published an analysis of a threat actor campaign targeting users attempting to download messaging apps including Signal, Line, and Gmail. Signal, Line, and Gmail are popular apps that users often discover and download via search engines, making them attractive targets for SEO poisoning by cybercriminals to distribute malware.

Researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a malware campaign distributing the LummaC2 information stealer disguised as a cracked version of Total Commander, a popular Windows file management tool.

Security firm Group-IB has uncovered details of a campaign dubbed “ScreamedJungle,” which is using stolen browser fingerprints to impersonate legitimate users and bypass defenses.

A newly discovered botnet of over 130,000 compromised devices is launching a highly coordinated password-spraying attack on Microsoft 365 accounts, exposing critical vulnerabilities in modern authentication practices.

Paypal users are facing an ongoing email scam campaign that leverages the platform's address settings to distribute fraudulent purchase notifications that use social engineering techniques to convince users to grant the attacker remote access.

Proof-of-concept (POC) code has been released on GitHub for a high severity command injection vulnerability in F5's iControl REST API and BIG-IP Traffic Management Shell (TMSH) command-line interface.

Researchers at DFIR Report have uncovered details of an intrusion where LockBit ransomware was deployed by a threat actor within 2 hours of gaining initial access. The intrusion initiated with the compromise of an exposed Windows Confluence server that was vulnerable to critical a server-side template injection vulnerability in Confluence.

Summary: The AhnLab Security Intelligence Center (ASEC) has observed a significant increase in the distribution of ACRStealer infostealer malware, often disguised as cracks and keygens for illegal software.

Cisco Talos has been tracking a widespread intrusion campaign targeting major U.S. telecommunications companies, attributed to the sophisticated threat actor Salt Typhoon. Initially reported in late 2024 and later confirmed by the U.S. government, this campaign demonstrates advanced persistence techniques, allowing the attackers to maintain access for over three years in some cases.

A leaker known as ExploitWhispers has released an archive of internal Matrix chat logs from the Black Basta ransomware operation, initially uploaded to MEGA before being removed and later shared on a dedicated Telegram channel. I

In December 2024, 18,000 devices were scanned using an application developed by iVerify, which leverages signature-based detection, heuristic analysis, and machine learning to identify Pegasus artifacts.

In January 2025, Ivanti addressed a stack-based buffer overflow flaw (CVE-2025-0282) in its Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways which could enable unauthenticated actors to remotely execute code.

The Darcula phishing-as-a-service (PhaaS) platform is set to launch a new version, Darcula V3, significantly enhancing its capabilities to allow anyone to create highly convincing phishing sites with no technical expertise.

U.S. authorities have released an advisory detailing the activities of Ghost, a financially motivated ransomware group originating from China, which has compromised organizations across more than 70 countries.

Cybercriminals have been observed approaching their targets under the guise of company recruiters in the past, enticing them with fake offers of employment. Cybercriminals exploit the vulnerability of an individual distracted by a potential job offer.

Microsoft recently addressed an elevation-of-privilege vulnerability in its Power Pages platform, which the vendor confirms was exploited as a zero-day in attacks in the wild. Power Pages is a low-code, Software-as-a-Service (SaaS) platform that allows organizations to build, host, and manage business websites with ease.

An unidentified threat actor has been observed targeting European organizations, notably in the healthcare sector, with an undocumented C++ ransomware strain, dubbed NailaoLocker. The campaign, tracked as Green Nailao, was uncovered by Orange Cyberdefense CERT and initiated between June and October last year.

Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.

Exploitation attempts against CVE-2025-0108, a critical authentication bypass vulnerability affecting the management web interface of Palo Alto Networks' firewalls, have surged in recent days.

Google Threat Intelligence Group (GTIG) has observed and analyzed a significant uptick in Russian-aligned cyber operations targeting Signal Messenger to compromise accounts belonging to individuals of interest to Russian intelligence services like GRU.

Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.

KnownHost recently conducted a study to examine the most commonly used passwords and the likelihood of these passwords being hacked based on the frequency of their appearance in recorded data breaches.

Researchers at Malwr-Analysis have uncovered details of a new campaign that is infecting end users with Arechclient2 (aka sectopRAT), a highly obfuscated .NET-based Remote Access Trojan. SectopRAT is being disguised as a legitimate Google Chrome extension, “Google Docs,” for propagation.

Recently, Proofpoint identified two new actors, TA2726 and TA2727, involved in web-based malware distribution. TA2726 functions as a TDS operator, selling traffic to other threat actors, including TA569 and TA2727.

FortiGuard Labs recently detected a new variant of Snake Keylogger (also known as 404 Keylogger) using FortiSandbox v5.0 (FSAv5), this malware has been responsible for over 280 million blocked infection attempts, with the highest concentrations in China, Turkey, Indonesia, Taiwan, and Spain.

In January 2025, the eSentire Threat Response Unit (TRU) observed the use of a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader. RedCurl APT is a highly sophisticated group known for targeting private-sector organizations with a focus on corporate data theft and persistence.

Researchers at Cyfirma have uncovered details of a new ransomware strain, dubbed Vgod, which specifically targets Windows systems with advanced encryption techniques. Similar to other ransomware families such as LockBit, Vgod employs the AES-256 encryption algorithm to lock files, with RSA-4096 encryption used for key protection.

On January 7, 2024, SonicWall released security updates to address an improper authentication vulnerability in the SSLVPN authentication mechanism, which could allow remote attackers to hijack active SSL VPN sessions without authentication.

Securonix has been tracking a cyberattack campaign being conducted by a North Korea-sponsored threat actor known as Kimsuky (APT43, Emerald Sleet). This ongoing campaign, dubbed DEEP#DRIVE has been targeting South Korean business, government, and cryptocurrency sectors.

Attackers leveraged a PostgreSQL zero-day vulnerability (CVE-2025-1094) in conjunction with two BeyondTrust flaws (CVE-2024-12356 and CVE-2024-12686) and a stolen API key to breach BeyondTrust's network in December 2023. BeyondTrust later revealed that 17 of its Remote Support SaaS instances were affected.

Microsoft Threat Intelligence Center has identified an ongoing and highly effective device code phishing campaign attributed to Storm-2372, a suspected Russian state-affiliated threat actor.

A recent report from Group-IB reveals that RansomHub emerged as the most active ransomware group of 2024, targeting over 600 organizations across various sectors, including healthcare, finance, government, and critical infrastructure. RansomHub initiated operations in early February 2024, shortly after coordinated law enforcement efforts dismantled the infrastructure of the BlackCat and LockBit ransomware groups, both of which were among the most active at the time.

Recorded Future's Insikt Group has uncovered details of a campaign exploiting unpatched internet-facing Cisco network devices, primarily associated with global telecommunications providers and a handful of universities.

Astaroth, a newly emerged phishing tool, is rapidly gaining traction on cybercrime platforms due to its advanced ability to bypass two-factor authentication. First advertised in January 2025, it employs session hijacking and real-time credential interception to compromise accounts on major platforms like Gmail, Yahoo, and Office 365.

Symantec researchers have identified a China-based threat actor, Emperor Dragonfly, leveraging RA World ransomware in a financially motivated attack against an Asian software and services company in late 2024.

According to researchers at Hunt.io, hackers have been exploiting the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) communications. Pyramid, which was first released on GitHub in 2023, is a Python-based post-exploitation framework that is capable of evading endpoint detection and response tools by leveraging Python's widespread presence in many environments.

Netskope Threat Labs has uncovered details of a widespread phishing campaign aimed at stealing credit card information for financial fraud. The campaign has been ongoing since mid-2024 and exploits search engines to direct victims to PDF documents containing CAPTCHA images that are embedded with phishing links.

Microsoft has recently released research they conducted into a subgroup within the Russian state APT Seashell Blizzard (Sandworm) and the details of their initial access campaign that Microsoft dubbed BadPilot.

North Korean threat actor Kimsuky has been observed employing a new social engineering tactic to trick victims into running malicious PowerShell commands as administrators. The attackers impersonate South Korean government officials, gradually building rapport with targets before sending a spear-phishing email containing a PDF attachment.

The United States, Australia, and the United Kingdom have jointly sanctioned Zservers, a Russia-based bulletproof hosting provider, for facilitating ransomware attacks by supplying critical infrastructure to the LockBit gang.

Ivanti released an advisory detailing multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products. Some of the flaws allow for RCE and unauthorized data access. The vulnerabilities range from medium to critical severity and impact various versions of Ivanti products.

Although QR codes have transformed digital interactions by providing quick access to websites, services, and adding a layer of security to applications, their ubiquity has made them a prime target for threat actors. In "quishing" attacks, fraudsters use fake QR codes to redirect users to counterfeit websites, enabling them to steal personal data, login credentials, or financial details.

As part of the February Microsoft Patch Tuesday, Microsoft addressed 55 flaws, including 4 zero-day flaws, two of which are actively being exploited in attacks in the wild. Of the 55 flaws, there was 19 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 22 remote code execution vulnerabilities, 1 information disclosure vulnerability, 9 denial of service vulnerabilities, and 3 spoofing vulnerabilities. 3 flaws have been rated critical in severity, all of which can lead to remote code execution.

The Russian military cyber-espionage group Sandworm (APT44), also tracked as UAC-0113 and Seashell Blizzard, has been actively targeting Windows users in Ukraine using trojanized Microsoft Key Management Service activators and fake Windows updates.

Beginning in early January 2025, eSentire Threat Response Unit observed an increase in the number of incidents involving the NetSupport Remote Access Trojan (RAT). The RAT was originally developed as a remote IT support tool in 1989 and was known as NetSupport Manager but has been weaponized by cybercriminals in recent years.

In 2024, ransomware groups such as Lynx, Akira, and RansomHub refined their techniques, prioritizing agility and speed over high-profile targets. According to the 2025 Cyber Threat Report by Huntress, these groups adopted a quantity-over-quality strategy, executing a larger number of attacks at an accelerated pace.

Four suspected European hackers were recently arrested in Phuket, Thailand, in connection with cyberattacks targeting over 1,000 victims worldwide. Dubbed, “Operation Phobos Aetor,” the arrest was carried out by Thai authorities after an urgent request for international cooperation from Swiss and US law enforcement.

Apple has issued out emergency security updates to address a zero-day vulnerability that it says has been exploited in the wild. Tracked as CVE-2025-24200, the flaw pertains to an authorization issue which could enable a malicious actor to disable the USB Restricted Mode on a locked device as part of a physical cyber attack.

Facebook is the third-most visited website on the internet, following Google and YouTube, which makes attacks abusing the brand have a consequential impact. Check Point researchers have recently discovered a new phishing campaign luring unwitting victims by utilizing Facebook-themed copyright infringement emails to harvest credentials.

A large-scale brute force password attack is currently underway, utilizing nearly 2.8 million IP addresses to target a variety of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.

CISA has added a new vulnerability to its KEV catalog, impacting Trimble's Cityworks, a GIS-centric asset management software used by local governments, utilities, and public works organizations, to manage public assets, work orders, permitting, licensing, capital planning, and budgeting.

Microsoft has issued a critical warning about a growing security risk in which developers are unknowingly incorporating publicly disclosed ASP.NET machine keys from online sources, making their applications vulnerable to cyberattacks.

Cybercriminals are leveraging scalable vector graphics files in phishing attacks to evade detection by traditional security tools, according to a recent report from Sophos. SVG files, commonly used for rendering vector-based images, contain Extensible Markup Language (XML)-like instructions that allow for the embedding of interactive elements such as hyperlinks and scripts.

Field Effect thwarted a cyberattack where an threat actor exploited newly discovered vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) client to gain unauthorized access to a targeted network.

Linwei Ding, a 38 year old Chinese national and former software engineer at Google, has been been indicted for illegally transferring over 500 confidential AI files from Google to his personal accounts. The stolen data, which includes critical hardware and software designs, was allegedly shared with Chinese companies in the AI sector.

This new activity cluster leverages deceptive LinkedIn job offers and is a part of the North Korea-sponsored Contagious Interview operation, primarily targeting individuals in the cryptocurrency and travel industries, to deploy cross-platform malware capable of compromising Windows, macOS, and Linux systems.

Cybercriminals are increasingly leveraging legitimate HTTP client tools, such as Axios and Node Fetch, to facilitate account takeover attacks on Microsoft 365 environments. According to enterprise security company Proofpoint, these tools, often sourced from public repositories like GitHub, are being repurposed for sophisticated attack techniques, including Adversary-in-the-Middle and brute-force tactics.

A new report from Chainalysis highlights a promising shift in the ransomware landscape from 2023 to 2024: more victims are refusing to pay ransoms. As a result, total ransomware payments dropped by approximately 35%, from $1.25 billion in 2023 to $813.55 million in 2024.

Cisco has disclosed several high-severity vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of its IOS, IOS XE, and IOS XR software. Tracked as CVE-2025-20169, CVE-2025-20170, and CVE-2025-20171, these flaws could allow authenticated, remote attackers to trigger a Denial of Service (DoS) on affected devices.

Palo Alto Network's Unit 42 has observed a growing number of attacks targeting macOS users with infostealer malware. Infostealer malware is typically designed to exfiltrate sensitive credentials, financial records, and intellectual property, which often leads to data breaches, financial losses and reputational damage.

Cybersecurity researchers at Morphisec Threat Labs have investigated a series of indicators of attacks in a campaign that deploys a new version of ValleyRAT malware. Attacks utilizing this malware are frequently attributed to Silver Fox APT.

Five Eyes cybersecurity agencies (UK, Australia, Canada, New Zealand, and the U.S.) have issued guidance urging network device manufacturers to enhance forensic visibility, helping defenders detect and investigate breaches. Network edge devices—such as firewalls, routers, VPN gateways, OT, and IoT systems—are prime targets for both state-sponsored and financially motivated attackers.

In September 2024, the Trend Micro's Threat Hunting team identified CVE-2025-0411, a zero-day vulnerability in 7-Zip, exploited in a SmokeLoader malware campaign targeting Ukrainian entities.

Apple recently updated its XProtect malware tool to block several variants of the macOS Ferret family—FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.

The Forcepoint X-Labs research team recently uncovered an AsyncRAT malware campaign that leverages malicious payloads delivered via TryCloudflare quick tunnels and Python packages.

According to Security Scorecard STRIKE researchers, North Korea-nexus Lazarus Group has compromised hundreds of victims in multiple countries in a large-scale data harvesting supply chain attack campaign which is ongoing as of mid-January 2025.

Researchers at Trend Micro have uncovered details of a campaign where actors leveraged a zero-day vulnerability in 7-Zip (CVE-2025-0411), to deploy SmokeLoader malware, a modular loader first identified in 2011. SmokeLoader primarily serves as a downloader for secondary payloads but also has capabilities for credential theft, data exfiltration, establishing backdoors, and using obfuscation and sandbox evasion techniques to evade detection.

While the compromise of user credentials and phishing are popular tactics employed in cyberattacks, the widespread adoption of multi-factor authentication has led adversaries to focus more on exploiting vulnerabilities to gain initial access to organizational networks.

SentinelOne researchers have detailed an active phishing campaign targeting “high-profile” X accounts endeavoring to hijack and exploit them to conduct malicious and fraudulent activity. SentinelOne observed this campaign targeting a variety of individual and organization accounts including U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames.

On January 29, 2025, two malicious Python packages, deepseeek and deepseekai, were uploaded to the PyPI repository, masquerading as legitimate client libraries for interacting with the DeepSeek AI API.

Brazilian Windows users are the target of an evolving malware campaign deploying the Coyote Banking Trojan, a sophisticated banking malware designed to steal financial credentials and sensitive information.

Last Friday, Meta-owned WhatsApp, a popular messaging platform, stated it disrupted a spyware campaign back in December 2024, targeting journalists and civil society members. In total, 90 individuals were targeted and possibly compromised in the latest campaign, which WhatsApp asserts with high confidence.

Security researchers at Malwarebytes have uncovered a malvertising campaign targeting Microsoft advertisers with fake Google ads that lead to phishing sites designed to steal login credentials.

The Cybereason Security Team has recently published an analysis of a new attack campaign involving the Phorpiex botnet. In this campaign, the botnet is being used to automatically deploy LockBit Black Ransomware. This differs from previous attacks, which often relied on human interaction from LockBit operators, by making the attacks faster and more difficult to detect via the botnet.

DeepSeek, a Chinese AI company known for its open-source large language models (LLMs), launched its chatbot app in January 2025, quickly becoming the most downloaded free app on the U.S. iOS App Store, surpassing OpenAI's ChatGPT.

Google's Threat Intelligence Group conducted an in-depth analysis of how cyber threat actors interacted with Google's AI assistant, Gemini, to assess AI's role in cybersecurity threats. While AI has revolutionized cybersecurity by enhancing secure coding, vulnerability detection, and operational efficiency, it has also raised concerns about its misuse by cybercriminals and state-sponsored actors.

Europol, in coordination with law enforcement from eight countries, successfully dismantled the world's two largest cybercrime forums, Cracked and Nulled. Together, these platforms boasted over 10 million users and served as hubs for cybercrime discussions and marketplaces for illicit goods, including stolen data, malware, and hacking tools.

A critical unauthenticated Remote Code Execution vulnerability has been discovered in DSL-3788 routers, allowing attackers to remotely gain full control of the targeted device. The flaw impacts firmware versions v1.01R1B036_EU_EN and earlier and was reported by Max Bellia of SECURE NETWORK BVTECH.

A new attack technique dubbed Browser Hijacking was uncovered by security researchers at SquareX that enables a seemingly benign Chrome extension to take over a victim's device. This involves several steps, including Google profile hijacking, and browser hijacking, which eventually lead to device takeover.

POISONPLUG.SHADOW, also known as Shadowpad, is a highly sophisticated malware that leverages a custom obfuscating compiler to evade detection and analysis. Its complex obfuscation techniques make it particularly challenging for security researchers to identify and mitigate.

SecurityScorecard's investigation into Lazarus Group's recent cyber attacks on cryptocurrency entities and software developers uncovered a hidden administrative layer, dubbed Phantom Circuit, used to centrally manage the group's command-and-control infrastructure.

Researchers at SlashNext have uncovered a new SMS phishing tool, dubbed Devil-Traff, which features advanced capabilities like sender ID spoofing and automated messaging, allowing cybercriminals to send thousands of fraudulent messages in a short time.

A new variant of the Mirai-based botnet malware, Aquabotv3, has been observed exploiting a command injection vulnerability (CVE-2024-41710) in Mitel SIP phones.

Lynx ransomware has emerged as a highly structured and sophisticated Ransomware-as-a-Service operation, demonstrating an industrial-scale approach to cybercrime. The group operates through a well-organized affiliate program, providing cybercriminals with access to a centralized panel that facilitates ransomware deployment, victim management, and data leak coordination.

One of the most common methods cybercriminals use involves exploiting open redirects, a vulnerability that allows attackers to manipulate website links to redirect users to malicious destinations without proper validation. Cofense found that multiple .gov domains were primarily used for credential phishing, with some hosting as many as nine different phishing campaigns simultaneously.

Rapid advancements in AI are revealing new possibilities for the way humans work and accelerating innovation in science, technology, and more. AI is at the cusp of revolutionizing security and defense. With capabilities to sift through complex telemetry, secure coding, improve vulnerability discovery, and modernize operations.

In December, 2024, PowerSchool, a K-12 cloud-based software provider serving over 60 million students and 18,000 customers worldwide, experienced a breach where attackers were able to gain unauthorized access to its customer support portal, PowerSource.

CVE-2024-40891 is a critical command injection vulnerability impacting Zyxel CPE Series devices. The vulnerability was initially disclosed by VulnCheck back in August 1, 2024. However, the vulnerability has not been officially published by Zyxel, nor have patches been released.

Cisco Talos researchers have released a new report detailing a surge in the number of email phishing threats leveraging “Hidden Text Salting” techniques which they observed in the second half of 2024. Hidden Text Salting refers to poisoning the HTML source of an email.

Salt Labs researchers have uncovered details of a now-patched account takeover vulnerability affecting a popular online travel service used for booking hotels and car rentals.

Since its inception in March 2023, the Akira has grown to be one of the most prolific ransomware groups out here. Akira operates under a Ransomware-as-a-service model wherein affiliates or other cybercriminals are hired to gain initial access to victim environments and deploy the group's ransomware strain, in exchange for a portion of the ransom paid by victims.

Apple has patched a use-after-free zero-day vulnerability (CVE-2025-24085) in the Core Media component that could enable a malicious application already installed on the device to elevate privileges.

In early January 2025, threat hunters from eSentire detected and analyzed an ongoing threat campaign that utilizes the malware loader, MintsLoader, to deliver secondary payloads that include the StealC information stealer and BOINC, a legitimate open-source network computing platform.

A newly discovered phishing campaign is targeting mobile users with advanced social engineering techniques and malicious PDF files, aiming to compromise sensitive information on a global scale.

Ransomware actors have increasingly targeted VMware ESXi bare-metal hypervisors, exploiting SSH tunneling to establish persistence, move laterally, and deploy ransomware payloads without detection.

Such a sophisticated intrusion was initiated in January 2024 with a user downloading and executing the malicious file named setup_wm.exe, masquerading as the Windows Media Configuration Utility, with an almost legitimate-looking filename and icon.

A malware campaign has specifically targeted low-skilled hackers, or "script kiddies," to steal data and take control of systems. CloudSEK researchers report that a threat actor distributed a trojanized XWorm RAT builder through platforms like GitHub, file hosting sites, Telegram channels, YouTube, and various websites, promoting it as a free tool.

Almost 1000 fake websites, discovered by the Sekoia researcher, “crep1x”, are being distributed by a threat actor to deliver malware that leads to the deployment of Lumma Stealer malware on the victim's machine.

Over the past six months, ransomware activity has escalated significantly, marked by the rise of new groups such as FunkSec, Nitrogen, and Termite, alongside the reappearance of Cl0p and the introduction of LockBit 4.0.

Threat actors are capitalizing on the recent news about Ross Ulbricht, founder of the infamous Silk Road marketplace, to trick users into downloading malware. Using fake, verified accounts on X (formerly Twitter), these actors direct unsuspecting users to Telegram channels masquerading as official portals for Ulbricht.

Cybercriminals have introduced a new malicious AI chatbot named GhostGPT, which is specifically designed to assist in creating malware, developing exploits, and crafting phishing emails. Researchers from Abnormal Security discovered that GhostGPT has been actively marketed and sold through Telegram since late 2024.

The FBI has warned that North Korean IT worker schemes are stealing data to extort their victims as part of efforts to generate revenue for the Democratic People's Republic of Korea (DPRK). The US intelligence agency confirmed it has observed North Korean IT workers engaging in this tactic over recent months.

CYFIRMA's Research and Advisory team uncovered a new ransomware strain while monitoring various underground forums. Dubbed “Nnice,” the strain is designed to target Windows systems and comes with advanced encryption techniques.

Salt Typhoon is identified by the United States Cybersecurity and Infrastructure Security Agency (CISA) as a state-sponsored threat actor that has successfully compromised at least nine telecommunications companies with headquarters in the United States, thus prioritizing government and political figures and very high-profile targets.

Cisco Product Security Incident Response Team (PSIRT) recently released patches for a critical privilege escalation vulnerability in Meeting Management, CVE-2025-20156, and a heap-based buffer overflow flaw, CVE-2025-20128, that can terminate the ClamAV scanning process on endpoints running a Cisco Secure Endpoint Connector.

SonicWall has released patches for a pre-authentication of untrusted data vulnerability impacting its SMA1000 Appliance Management Console and Central Management Console, which in specific conditions could enable remote unauthenticated actors to execute arbitrary OS commands.

Cybersecurity researchers at Specops are delivering a new report regarding a major password-related security issue. According to them, over 1 billion passwords were stolen by malware in 2024.

Cyble Threat Intelligence has discovered thousands of account credentials belonging to some major cybersecurity vendors on the dark web. Cyble researchers shared their findings on January 22nd, 2025, noting they found credentials for at least 14 security providers.

PlushDaemon, a newly identified China-aligned advanced persistent threat (APT) group, has been linked to a supply chain attack targeting a South Korean VPN provider in 2023, as revealed by ESET.

In 2024, 84% of healthcare organizations (HCOs) experienced cyber-attacks or intrusions, with account hijacking and phishing being the most prevalent threats, according to a Netwrix study.

Asif William Rahman, a 34-year-old former CIA analyst from Vienna, admitted to leaking highly classified information to people who didn't have clearance to see it.

The Ukrainian government's Computer Emergency Response Team (CERT-UA) has received several reports of unidentified actors falsely claiming to represent CERT-UA in an attempt to connect to victims' systems via AnyDesk.

On January 13, the Biden administration proposed the "Framework for Artificial Intelligence Diffusion," a landmark rule with far-reaching implications for global AI development. It threads a difficult needle: encouraging U.S. AI technology globally,

Researchers at Sophos have raised concerns about two ransomware groups employing social engineering tactics to gain remote access to corporate machines for data theft and extortion.

Trend Micro uncovered an IoT botnet in late 2024 and has been continuously monitoring its activity as it conducts large-scale distributed denial-of-service (DDoS) attacks. The attack commands sent from its C2 server have mainly targeted Japan, but Trend Micro has observed these attacks targeting various companies in different countries as well.

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on two individuals and four entities tied to North Korea's extensive revenue-generation schemes that directly fund its weapons programs.

Cybersecurity researchers have uncovered a sophisticated phishing kit called Sneaky 2FA, specifically engineered to compromise Microsoft 365 accounts by stealing credentials and bypassing two-factor authentication (2FA). First identified in December 2024 by the French cybersecurity firm Sekoia, this adversary-in-the-middle (AitM) phishing kit has been linked to nearly 100 domains, reflecting its growing use among cybercriminals.

Consequently, it was found that GoDaddy, one of the major hosting service providers, had not taken proper security measures to protect the services since 2018. The FTC ordered GoDaddy to increase its security practices.

The Russian threat group Star Blizzard, formerly known as SEABORGIUM, has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts, marking a shift from its usual tactics to likely avoid detection.

A recently patched vulnerability, CVE-2024-7344 (CVSS 6.7), highlights a critical flaw in the Secure Boot mechanism for UEFI systems, potentially allowing attackers to bypass protections and execute unsigned malicious code during the boot process.

On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. P

The North Korea-nexus APT, Lazarus Group, has been observed conducting a new cyber attack campaign dubbed Operation 99. This campaign targets software developers who are searching for freelance Web3 and cryptocurrency work to ultimately embed malware into the victim's environment.

On January 15, 2025, GuidePoint Security published findings from a Q4 2024 incident response involving a Python-based backdoor used by threat actors to maintain access to compromised systems. This access was leveraged to deploy RansomHub encryptors across the targeted network.

The U.S. Cybersecurity and Infrastructure Security Agency has released a new playbook providing detailed guidance for AI developers, providers, and adopters on how to voluntarily share cybersecurity information with federal agencies, private industry partners, and international stakeholders.

A new malvertising campaign is underway targeting individuals and businesses that use Google Ads for advertising. According to researchers at Malwarebytes, the scheme involves impersonating Google Ads to direct victims to fake login pages in an effort to capture as many advertiser accounts as possible.

As part of the January Microsoft Patch Tuesday, Microsoft addressed 159 flaws, including 8 zero-day flaws, 3 of which are actively being exploited in attacks in the wild.

According to the U.S. Department of Justice (DoJ), thousands of computers in the U.S. have been cleaned of a version of the "PlugX" malware, a sophisticated tool that has been used by Chinese state-sponsored hackers since 2014.

Fortinet revealed a security lag in one of its FortiOS and FortiProxy systems, CVE-2024-55591. Attacks began in November 2024, attacking before the vendor released fixes. Remote attackers can take control of the systems with super admin privileges by sending specially crafted requests to exploit the Node.js websocket module.

The ReliaQuest report stated that in the last quarter of 2024, ransomware had grown excessively, with 2024 showing a record high in victim counts of all months in December.

Cybersecurity researchers have identified infrastructure links between North Korean threat actors behind fraudulent IT worker schemes and a 2016 crowdfunding scam, highlighting Pyongyang's long-standing involvement in illicit financial activities.

The ransomware group Codefinger has been observed exploiting compromised AWS keys to encrypt data stored in Amazon S3 buckets, using AWS's Server-Side Encryption with Customer-Provided Keys, cybersecurity firm Halcyon reports.

CVE-2024-44243 represents a significant vulnerability in macOS that allows attackers to bypass System Integrity Protection (SIP) by exploiting improperly validated third-party kernel extensions. SIP, a security mechanism that restricts root-level access to critical system components, serves as a cornerstone of macOS's security framework.

Threat actors are targeting individuals searching for pirated or cracked software by using YouTube comments and Google search results to distribute infostealing malware like Lumma Stealer, Vidar, MarsStealer, and others.

Cloud security firm Wiz is currently responding to multiple incidents involving the active exploitation of a recently disclosed critical security flaw, CVE-2024-50603 impacting Aviatrix Controller cloud networking platform.

In mid-2024, Huntress identified cyber espionage activity targeting several Canadian organizations, which was attributed to the APT group RedCurl (also known as Earth Kapre or Red Wolf).

A recent investigation has revealed a highly sophisticated credit card skimmer malware targeting WordPress websites. This malware is designed to inject malicious JavaScript into database entries rather than traditional files like themes or plugins, allowing it to avoid detection by common file-scanning tools.

CrowdStrike has issued a warning about a phishing campaign targeting job seekers by impersonating the company. Discovered on January 7, 2025, the campaign involves fake job offer emails from a supposed CrowdStrike recruiter, thanking recipients for applying for a developer position.

Hackers responsible for a December 2024 ransomware attack on RIBridges, Rhode Island's health and benefits system, have released stolen files on the dark web.

he FunkSec ransomware group emerged in late 2024, quickly gaining attention by claiming over 85 victims in December, more than any other ransomware group during that period. Despite their rapid rise, analysis reveals that much of their activity may be overstated.

n December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft's monthly Patch Tuesday release.

The Banshee infostealer, a sophisticated malware targeting macOS systems, has been leveraging a stolen Apple encryption algorithm to evade detection by antivirus solutions.

UPDATE: Ivanti has issued an urgent warning about a critical zero-day vulnerability, CVE-2025-0282, which attackers exploited to install malware on Ivanti Connect Secure appliances.

Researchers have identified a rise in sophisticated phishing and malspam campaigns employing email spoofing, neglected domains, and social engineering to bypass traditional security measures.

SonicWall released a security bulletin on January 7, 2025, warning customers to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that SonicWall deemed susceptible to in-the-wild attacks.

Threat actors are actively attempting to exploit CVE-2024-52875, a critical CRLF injection vulnerability in the GFI KerioControl firewall, which can lead to 1-click remote code execution (RCE) attacks.

A Mirai botnet variant has been observed exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the intention of conducting DDoS attacks.

Ivanti has issued an urgent warning regarding a critical remote code execution vulnerability, CVE-2025-0282, that is being actively exploited in zero-day attacks targeting Ivanti Connect Secure appliances.

A new phishing technique exploiting PayPal's money request feature has been identified in a recent advisory by Fortinet. This method uses legitimate-looking PayPal payment requests to deceive recipients, making them appear genuine and bypassing traditional email security checks.

Researchers at Cyfirma have discovered a new remote access trojan called NonEuclid, written in C#, which provides attackers with comprehensive control over compromised Windows systems.

The U.S. government has officially launched the U.S. Cyber Trust Mark, a cybersecurity safety label designed for Internet-of-Things (IoT) consumer devices.

In August, 2024 SonicWall addressed a critical improper access control flaw (CVE-2024-40766) in its SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.

A malicious plugin recently discovered on a Russian cybercrime forum manipulates WordPress sites into phishing pages by creating fake online payment processes that impersonate trusted checkout services. This attack masquerades as a legitimate e-commerce app like Stripe to steal customer payment data and browser metadata.

Telegram disclosed that it fulfilled 900 requests from U.S. law enforcement in 2024, resulting in the sharing of phone numbers or IP addresses of 2,253 users. This represents a sharp increase from prior years, largely attributed to a significant policy shift in September 2024.

Moxa, a provider of industrial networking solutions, has issued an urgent advisory regarding two severe vulnerabilities affecting several models of its cellular routers, secure routers, and network security appliances.

The Salt Typhoon cyber-espionage campaign continues to escalate as Charter Communications, Consolidated Communications, and Windstream have been identified as the latest U.S. telecom companies breached by Chinese state-sponsored hackers, according to a report from The Wall Street Journal.

Kaspersky researchers recently identified a campaign being deployed against ISPs and governmental entities in the Middle East following their investigation into the EAGERBEE backdoor. T

Cybersecurity researchers have uncovered a new and sophisticated malware strain, PLAYFULGHOST, which exhibits a wide array of information-gathering capabilities, including keylogging, screen and audio capture, remote shell access, file transfer, and execution.

During the end-of-year holiday season, a series of distributed denial-of-service attacks severely disrupted operations across several major Japanese organizations, including leading airlines, financial institutions, and telecommunications providers.

ASUS has released security updates to address two high severity flaws impacting several of its router models.

On December 31, 2024, Tenable Nessus vulnerability scanner agents were taken offline due to a buggy differential plugin update that impacted users globally. This issue affected Nessus Agent versions 10.8.0 and 10.8.1 across the Americas, Europe, and Asia. Tenable has since pulled these faulty versions and released Nessus Agent version 10.8.2 to resolve the problem and restore agent functionality.

A new and sophisticated variation of clickjacking attacks, termed DoubleClickjacking, has been identified by cybersecurity expert Paulos Yibelo. This novel technique exploits the timing of double-click mouse actions to deceive users into performing sensitive operations on legitimate websites.

Researchers have discovered a malicious npm package, ethereumvulncontracthandler, masquerading as a library for detecting vulnerabilities in Ethereum smart contracts.

On January 2, 2025, NTT Docomo, Japan's largest mobile operator, experienced a DDoS (Distributed Denial of Service) attack that disrupted several services for nearly 12 hours.

Symantec has uncovered a new ransomware operation, dubbed Nitrogen, which has been notably active over the past four months. This group has targeted a wide range of industries, including construction, financial services, manufacturing, and technology.

Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36. These devices are commonly deployed in critical sectors such as energy, utilities, transportation, telecommunications, and manufacturing, making the potential impact of exploitation significant. T

A phishing campaign has compromised at least 35 Chrome extensions, including those from cybersecurity firm Cyberhaven, where actors have injected malicious code into compromised extensions to steal user data.

The Lumma Stealer malware has experienced a significant rise in usage, with ESET reporting a 369% increase in detections during the second half of 2024. First discovered in 2022, Lumma has become one of the top ten most-detected infostealers, targeting high-value assets such as two-factor authentication browser extensions, user credentials, and cryptocurrency wallets.

Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36.

A phishing campaign has compromised at least 35 Chrome extensions, including those from cybersecurity firm Cyberhaven, where actors have injected malicious code into compromised extensions to steal user data. I

December has continued to see targeted spearphish involving compromised mailboxes across Texas and Kentucky, as well as a massive surge in USPS phishing around the holidays.

Cybercriminals are increasingly combining traditional and new tactics to steal sensitive information, using remote access tools (RATs) like AsyncRAT and SectopRAT. Recent trends show attackers exploiting SEO poisoning, typosquatting, and legitimate remote monitoring software to breach systems.

Adobe has released some emergency security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code. The company released an advisory on Monday, December 23, 2024, stating that the flaw, tracked as CVE-2024-53961 is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.

Security Researchers at IProov, a biometric threat intelligence service, have urged customer-facing businesses to improve their verification checks after they uncovered a large-scale identity data farming operation conducted by an unnamed underground group on the dark web.

The developers of Rspack, a popular high-performance JavaScript bundler written in Rust, have discovered that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack. This supply chain attack granted the attacker the capability to publish malicious versions of these packages to the official package registry.

A new phishing-as-a-service platform dubbed "FlowerStorm" is quickly gaining traction, stepping in to replace the now-defunct Rockstar2FA cybercrime service. Rockstar2FA, which was first documented by Trustwave in late November 2024, enabled large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials.

Cybercriminals are taking advantage of a newly discovered Microsoft Office vulnerability to deliver malware and gain access to systems. Researchers have found that attackers are sending out malicious Office documents that exploit the flaw, allowing them to run harmful code without the victim realizing it.

In a detailed report from Picus Security, the Volt Typhoon cyber espionage campaign has been exposed as one of the most advanced and stealthy operations targeting critical infrastructure and government organizations.

In a significant move against cybercrime, the U.S. Department of Justice has charged an Israeli-Russian national for allegedly developing software used by the notorious LockBit ransomware gang.

The LockBit ransomware group is signaling a potential comeback after a challenging period marked by a significant takedown in February 2024. On December 19, LockBitSupp, believed to be an administrator for the group, announced the forthcoming release of "LockBit 4.0," scheduled for February 3, 2025. T

The Lazarus Group, a North Korean state-sponsored threat actor, has been linked to sophisticated cyberattacks targeting employees of a nuclear-related organization in January 2024. These attacks used a complex infection chain culminating in the deployment of a new modular backdoor, CookiePlus.

Threat actors are actively exploiting a recently patched security flaw impacting Fortinet FortiClient EMS in a campaign that installs remote desktop software like AnyDesk and ScreenConnect. The vulnerability is tracked as CVE-2023-48788 (CVSS score: 9.8) and is an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

CISA is advising organizations to promptly patch a critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS).

In a report from Security Intelligence, it was found that 2024 saw several high-profile data breaches that highlighted critical vulnerabilities across industries. Among the most notable was a breach in the healthcare sector, where attackers targeted a major hospital network, compromising sensitive patient records, insurance information, and medical histories.

A report from the Canadian Centre for Cyber Security highlights the increasing sophistication of Iranian state-sponsored cyber campaigns, focusing on social engineering and spear-phishing techniques.

Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.

Recent research by Forescout's Vedere Labs sheds light on the mechanisms driving the rise of malware targeting operational technology and industrial control systems.

Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.

In a complex threat landscape undergoing constant evolution, targeted phishing campaigns have become more sophisticated due to attackers leveraging new techniques and analyzing the platform-specific behaviors of organizations' defenses they target.

Sublime Security recently reported that it was successfully able to intercept a phishing campaign targeting end users with Xloader malware. The attack begins with the victim receiving an email designed to resemble a legitimate SharePoint file-sharing notification.

The Trend Micro Managed Detection and Response (MDR) team analyzed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call to gain remote access to the victim's system.

The rise of generative AI has introduced advanced capabilities but also new security vulnerabilities, including prompt injection attacks. Traditionally, these attacks exploit how AI processes inputs, often requiring permissions for external interactions.

Unit 42 researchers recently investigated a sophisticated phishing campaign targeting European companies, particularly in Germany and the UK, with a focus on the automotive, chemical, and industrial compound manufacturing sectors.

UAC-0099, a cyber-espionage threat actor linked to advanced persistent threats (APTs), has been identified targeting organizations with sophisticated campaigns. According to a recent analysis by SOC Prime, UAC-0099 employs a combination of spear-phishing emails, malicious attachments, and advanced malware to infiltrate targeted networks.

A recent scan conducted by cybersecurity firm Bishop Fox uncovered 430,363 SonicWall publicly exposed firewall appliances. Among these, 25,485 SonicWall SSLVPN devices were found to be vulnerable to critical security flaws, while an additional 94,018 were vulnerable to high-severity issues.

The Securonix Threat Research team has been monitoring a new tax-related phishing campaign where threat actors leveraged MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. Securonix is tracking this activity as FLUX#CONSOLE and the adversary employs tax-themed social engineering lures.

The Mask, also known as Careto, is a highly sophisticated cyber espionage group that has been active since at least 2007, primarily targeting high-profile organizations such as governments, diplomatic entities, and research institutions.

Earth Koshchei (APT29/Midnight Blizzard) conducted a large-scale rogue RDP campaign in October 2024, targeting governments, military, think tanks, academic researchers, and Ukrainian entities. The group used spear-phishing emails containing malicious RDP configuration files that redirected victims' connections to rogue servers via 193 RDP relays.

Firefighters have issued an urgent warning about the fire hazards associated with lithium-ion battery-powered devices, a popular category of Christmas gifts, including e-bikes, e-scooters, and hoverboards.

On Monday, the FBI released an advisory warning of a new HiatusRAT malware campaign that is actively scanning for and infecting vulnerable Chinese-branded web cameras and DVRs that are exposed online.

Dragos has released its Q3 2024 Industrial Ransomware Analysis, which highlights a continued increase in ransomware attacks targeting industrial sectors, including manufacturing, energy, and transportation.

A high-severity Windows kernel vulnerability, identified as CVE-2024-35250, is currently being exploited in the wild. This flaw, stemming from an untrusted pointer dereference in the Microsoft Kernel Streaming Service (MSKSSRV.SYS), allows local attackers to escalate privileges to SYSTEM level without user interaction.

QiAnXin XLab researchers have uncovered the use of a new PHP backdoor named Glutton they have observed in a global campaign targeting China, the United States, Cambodia, Pakistan, and South Africa. The malicious activity was discovered in April 2024 and Glutton has been attributed to the Chinese nation-state group APT41 (Winnti) with moderate confidence. To the researchers' surprise, some of these Glutton attacks are part of targeted operations against cybercrime systems.

A recent campaign exploiting fake CAPTCHA pages has been identified as a sophisticated method to deliver malware through malvertising networks. Cybercriminals use these fake CAPTCHA pages to lure users into clicking on malicious links or downloading harmful files, under the guise of proving they are not bots.

The Clop ransomware gang has claimed responsibility for a series of recent data-theft attacks targeting Cleo's managed file transfer platforms—Harmony, VLTrader, and LexiCom—leveraging vulnerabilities to breach corporate networks and steal sensitive information.

A recent campaign exploiting fake CAPTCHA pages has been identified as a sophisticated method to deliver malware through malvertising networks. Cybercriminals use these fake CAPTCHA pages to lure users into clicking on malicious links or downloading harmful files, under the guise of proving they are not bots.

Threat actor MUT-1244, tracked by DataDog, has been conducting a widespread and multifaceted campaign targeting a range of individuals, including academics, security researchers, pentesters, red teamers, and even other threat actors. The group's primary goal is to steal sensitive data such as AWS access keys, WordPress credentials, private SSH keys, bash history, and other critical system information.

Corvus Insurance reported a surge in ransomware attacks in November 2024, with 632 victims being listed on ransomware groups' data leak sites. This number is more than double the monthly average of 307 victims and exceeds the previous peak of 528 victims recorded in May 2024.

IOCONTROL is a custom-built IoT/OT malware linked to Iranian state-sponsored threat actors, specifically the CyberAv3ngers group. It targets critical infrastructure in Israel and the United States, including routers, IP cameras, firewalls, PLCs, HMIs, and fuel management systems such as Orpak and Gasboy devices.

Elastic Security has discovered a new Linux rootkit called Pumakit. This rootkit uses stealth and sophisticated privilege escalation techniques to maintain persistence on compromised systems.

Two Russian hacktivist groups, the People's Cyber Army (PCA) and Z-Pentest, have intensified their attacks on critical infrastructure in the U.S. and allied nations.

As the holiday shopping season intensifies, UK consumers are increasingly frustrated by the prevalence of bots that snap up popular items before human shoppers have a chance.

In October, Cleo patched a remote code vulnerability (CVE-2024-50623) in its LexiCom, VLTrader, and Harmony software, which is commonly used to manage file transfers. However on December 3, Huntress identified actors targeting fully patched Cleo software.

EagleMsgSpy is a newly identified Android surveillance tool reportedly employed by Chinese law enforcement agencies to conduct targeted monitoring and tracking of individuals.

Prometheus is a popular monitoring tool used extensively in DevOps and cloud-native environments. However, the default configurations often prioritize accessibility over security, leaving systems vulnerable to exploitation.

AWS Single Sign-On (SSO) access tokens are critical credentials used for authenticating users to AWS resources. If these tokens are exposed or mishandled, they can be exploited by threat actors to assume the identity of legitimate users, bypassing standard authentication mechanisms.

Zscaler's ThreatLabz team has uncovered a new version of ZLoader (2.9.4.0), that features an interactive shell for hands-on keyboard activity and a Domain Name System tunnel for C2 communications.

The Shiny Nemesis Cyber Operation highlights a highly sophisticated campaign targeting misconfigured public websites, predominantly hosted on AWS, to exploit vulnerabilities and gain unauthorized access to sensitive data, credentials, and proprietary resources.

Earlier this year, a large U.S. organization with operations in China experienced a targeted cyberattack attributed to China-based threat actors, likely for intelligence gathering.

Yesterday, Ivanti released a security advisory regarding a new maximum-severity authentication bypass flaw in Ivanti's Cloud Services Appliance (CSA) solution. The critical vulnerability is tracked as CVE-2024-11639 and was reported to Ivanti by CrowdStrike's advanced research team.

As part of the December Patch Tuesday, Microsoft addressed 71 flaws, including a zero-day vulnerability which is actively being exploited in attacks in the wild. Of the 71 flaws, there were 27 elevation of privilege vulnerabilities, 30 remote code execution vulnerabilities, 7 information disclosure vulnerabilities, 5 denial of service vulnerabilities, and 1 spoofing vulnerabilities.

Senator Ron Wyden has introduced a new bill aimed at bolstering the security of U.S. telecommunications infrastructure in the wake of recent hacks by the Salt Typhoon cyber espionage group.

AhnLab Security Intelligence Response Center (ASEC) has released a new blog post uncovering threat actors exploiting a critical Apache ActiveMQ vulnerability, CVE-2023-46604, to deploy Mauri ransomware in attacks most recently against Korean systems.

Huntress researchers have reported active exploitation of a vulnerability (CVE-2024-50623) in Cleo's file transfer software—Harmony, VLTrader, and LexiCom.

A suspected China-linked cyber espionage group targeted major business-to-business IT service providers in Southern Europe as part of a campaign known as Operation Digital Eye, according to a joint report by SentinelOne SentinelLabs and Tinexta Cyber.

A recently uncovered phishing campaign has revealed a new tactic employed by cybercriminals involving fake recruiters targeting unsuspecting victims.

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country's defense sector, including both defense companies and security forces.

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country's defense sector, including both defense companies and security forces.

In early October 2024, Rapid7 witnessed a resurgence of activity related to an ongoing social engineering campaign being conducted by Black Basta ransomware operators. This activity was initially reported on by Rapid7 and has been ongoing since at least May 2024.

Mandiant has identified an innovative method to bypass browser isolation technology by leveraging QR codes for command-and-control operations. Browser isolation is a security approach that routes web requests through remote browsers hosted in the cloud, virtual machines, or on-premises environments.

Researchers at Bitsight has identified a malicious botnet called Socks5Systemz, which powers the proxy service PROXY.AM. This malware enables other criminal activities by providing threat actors with anonymous proxy services, leveraging compromised systems as proxy exit nodes.

Generative Artificial Intelligence (AI) has paved the way for criminals to commit fraud at a scale larger than ever before. “Generative AI reduces the time and effort criminals must expend to deceive their targets.

U.S. authorities have arrested 19-year-old Remington Goy Ogletree, a key member of the Scattered Spider cybercrime gang, for breaching a U.S. financial institution and two telecommunications firms.

BlueAlpha, a Russian state-sponsored APT group, has recently refined its malware delivery techniques by abusing Cloudflare Tunnels to distribute its proprietary GammaDrop malware.

Cybersecurity researchers at WatchTowr Labs have released a PoC exploit that chains together a recently patched critical vulnerability impacting Mitel MiCollab, CVE-2024-41713, and an arbitrary file read zero-day vulnerability that requires authentication to exploit.

On December 4, 2024, the ransomware group Brain Cipher publicly claimed responsibility for a breach allegedly targeting Deloitte UK.

According to Citizen Lab, a concerning incident has surfaced where devices confiscated by Russian authorities were returned to their owners with Monokle-type spyware installed. Monokle, a highly advanced spyware tool, is capable of extracting sensitive data such as contact lists, messages, and login credentials, while also intercepting communications and remotely activating device cameras and microphones.

Cado Security Labs recently uncovered a DocuSign spear-phishing campaign targeting tech executives. These campaigns mimic authentic DocuSign communications, luring recipients to input their credentials on fraudulent websites.

Secret Blizzard, a Russian state-sponsored advanced persistent threat group attributed to Center 16 of the FSB, has developed a unique strategy of leveraging tools and infrastructure from other threat actors to enhance its espionage operations.

According to Symantec, they found evidence that a large US organization with a quote-unquote significant presence in China was targeted by China-nexus threat actors earlier this year and was subjected to a four-month-long intrusion where persistence was established on the organization's network seemingly for intelligence gathering purposes.

The manufacturing industry is increasingly targeted by cybercriminals leveraging sophisticated malware campaigns involving Lumma Stealer and Amadey Bot. This attack campaign primarily exploits phishing emails with malicious attachments to infiltrate organizational systems.

The Chinese cyber-espionage group known as Salt Typhoon has significantly broadened its activities, targeting U.S. telecommunications networks with a strategy that extends beyond previously understood objectives.

Microsoft has warned that a recent premature patch could cause issues with the "Recall" feature in Windows, potentially rendering it unable to function properly. The bug, which emerged after the update was rolled out, could lead to a loss of essential data recall functions, disrupting workflows for many users.

Mikhail Matveev, known in the cybercriminal world by the aliases "Wazawaka" and "Boriselcin," has been a prominent figure in several ransomware groups responsible for extorting hundreds of millions of dollars from various sectors, including healthcare, education, government agencies, and private enterprises.

Researchers have disclosed a PoC exploit for CVE-2024-8785, a critical remote code execution vulnerability in Progress WhatsUp Gold, a widely used enterprise network monitoring tool.

Researchers at Trend Micro have observed a significant evolution in the behavior of the Gafgyt malware, which has expanded its targeting scope from vulnerable IoT devices to misconfigured Docker Remote API servers.

A known threat actor in the Malware-as-a-Service business, Venom Spider, has expanded the capabilities of their MaaS platform with a new backdoor and loader malware.

SmokeLoader, which has been around since 2011, is a malware loader that's still being actively used by cybercriminals. Recently, it's been found exploiting outdated vulnerabilities in Microsoft Office documents, particularly old DOC and XLS files.

Researchers at the South Korean cybersecurity company Genians have uncovered a series of email phishing attacks originating from Russian sender addresses that they link to the North Korea-aligned APT, Kimsuky. According to Genians researchers, the phishing emails were delivered through email services in Japan and Korea up until early September.

The Social Design Agency, recently accused by the US government of operating the "Doppelgänger" malign influence campaign, is now running a parallel effort called "Operation Undercut."

Cybersecurity researchers have uncovered malicious email campaigns using a sophisticated phishing-as-a-service toolkit called Rockstar 2FA, designed to steal Microsoft 365 account credentials.

Researchers have disclosed significant vulnerabilities in Palo Alto Networks GlobalProtect and SonicWall SMA100 NetExtender VPN clients for Windows, macOS, and Linux, which could enable attackers to execute remote code and gain elevated access.

A newly uncovered malware campaign, Horns&Hooves, primarily targets private users, retailers, and service businesses in Russia to deploy NetSupport RAT and BurnsRAT.