ALERTS 2025 AUGUST
DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
31.8.25 | Xworm RAT delivered through ScreenConnect disguised as a Fake Video file | A recent campaign has been observed using AI-themed lures to trick victims into downloading a digitally signed ScreenConnect installer disguised as a video file. Once executed, the installer secretly establishes a hidden remote session and initiates a multi-stage infection chain. | VIRUS | |
31.8.25 | SpyNote Android RAT spreads through fake Play Store sites. | A new campaign is distributing the SpyNote Android RAT through deceptive websites mimicking Google Play Store pages, tricking users into installing dropper APKs. | ALERTS | VIRUS |
31.8.25 | Silver Fox Abuses Legit Drivers to Deploy RAT | Researchers at Check Point observed a Silver Fox campaign where they exploited a Microsoft-signed vulnerable driver (amsdk.sys) in an attempt to silently disable EDR and antivirus protections on Windows 10 and 11. | VIRUS | |
31.8.25 | TASPEN Impersonation Malware Exploits Indonesian Pensioners | A sophisticated mobile malware campaign, potentially linked to Chinese actors, is actively targeting Indonesian pensioners and civil servants by impersonating PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), a state-owned pension fund. | EXPLOIT | |
31.8.25 | ShadowSilk: A Mixed-Language APT Targeting Government in Asia | A recently published report details the ShadowSilk threat actor group, a mixed-language (Chinese and Russian) actor primarily focused on data exfiltration from government targets. | ALERTS | APT |
31.8.25 | SmartApeSG uses fake CAPTCHAs to deploy NetSupport RAT and StealC v2 | A multi-stage attack chain linked to SmartApeSG is exploiting compromised websites by injecting fake CAPTCHA pages that trick users into executing hidden commands through a ClickFix-style script. | VIRUS | |
31.8.25 | Hook v3 evolves into banking, spyware and ransomware extortion | A new variant of the Hook Android banking trojan has emerged, evolving beyond credential theft to include ransomware-style extortion via full-screen cryptocurrency payment overlays. | VIRUS | |
31.8.25 | Cephalus Ransomware | In mid-August 2025, researchers observed two ransomware incidents involving a new variant dubbed "Cephalus." According to their findings, the attackers gained entry via RDP using accounts without MFA and appeared to exfiltrate data via MEGA before deploying the payload. | RANSOM | |
31.8.25 | "PlugX" Backdoor Powers UNC6384's Diplomatic Espionage | A sophisticated cyber-espionage campaign, attributed to the PRC-nexus threat actor UNC6384, is actively targeting diplomats in Southeast Asia and other global entities. | ALERTS | VIRUS |
31.8.25 | ZipLine: Building Trust, Exploiting Trust – A New Attack Vector | The sophisticated social engineering campaign, "ZipLine," targets US companies across diverse sectors like manufacturing, semiconductors, and biotech, seeking valuable data, vendor networks, or exploitable infrastructure. Unlike traditional phishing, ZipLine initiates contact via a company's public "Contact Us" form, generating initial legitimacy. | EXPLOIT | |
31.8.25 | Datebug threat group uses custom malware to target Linux BOSS systems | The Datebug threat group (aka APT36, Transparent Tribe) is a Pakistan-based group known to target various industries (government, media, military) primarily situated in India. In recent activity, the group was observed targeting the Linux BOSS operating system with custom malware, notably on systems associated with the Indian government. | VIRUS | |
31.8.25 | Biotech and Semiconductor Firms Impersonated to Spread Snake Keylogger | Symantec has identified an actor running two coordinated malspam campaigns that impersonated well-known companies to distribute Snake Keylogger, a prevalent information-stealing malware designed to harvest credentials, system details, and other sensitive data before transmitting them to attacker-controlled Telegram bots. | ALERTS | VIRUS |
31.8.25 | New Android Backdoor Impersonates Antivirus to Spy on Russian Business Leaders | A new sophisticated Android malware, Android.Backdoor.916.origin, has been identified, specifically targeting executives of Russian businesses. | VIRUS | |
31.8.25 | Anatsa - Android banking malware | Anatsa, a banking Trojan targeting Android devices, has been in circulation since 2020. A recently observed campaign saw the malware being downloaded after installation of a decoy document reader application from the Google Play Store. Some features present in the recent release include: | VIRUS | |
31.8.25 | Gayfemboy malware campaign | A stealthy malware strain, dubbed "Gayfemboy," has been observed exploiting a range of vulnerabilities to infiltrate systems. Most recent attacks target vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco. | ALERTS | CAMPAIGN |
26.8.25 | Gigabud Malware Masquerades as Grab Super-App in Southeast Asia | A recent variant of the Gigabud Android malware has been found impersonating the popular GRAB super-app—offering ride-hailing, food delivery, and digital payments—widely used across Southeast Asia. The trojanized APK, named Grab.apk, was detected in Thailand, disguised as the legitimate application. | VIRUS | |
26.8.25 | Sinobi Ransomware | The Sinobi ransomware ransom note uses standard double-extortion techniques. It mixes intimidation (stolen documents, 7-day deadline, threats of leaks) with persuasion (test decryption and stolen file list). | RANSOM | |
26.8.25 | Global Industries and Government Agencies Targeted in Remcos Campaign | A recently observed malspam campaign is leveraging impersonation of a global supplier in the valves and actuators industry to deliver Remcos RAT. The lure comes in the form of emails with the subject line “Price quote” or “Quotation” and a malicious archive (Quote_pdf.z) as attachment. | ALERTS | CAMPAIGN |
26.8.25 | APT36 is evolving with new delivery techniques | A new campaign by APT36 (aka Transparent Tribe) has been reported, leveraging phishing emails containing ZIP archives with malicious .desktop files disguised as PDFs to target users. | APT | |
26.8.25 | Phishing campaign targeting Kazakhstan’s Public Sector | A phishing campaign in Kazakhstan has been discovered that is targeting public sector clients by mimicking official government login portals and using Telegram’s Bot API as a covert channel to exfiltrate stolen credentials. | CAMPAIGN | |
26.8.25 | FamiPay users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of FamiPay, a Japanese digital wallet and mobile payment service offered by FamilyMart. | CAMPAIGN | |
26.8.25 | Fake IBM Trusteer Mobile App Used in SpyNote Campaign | During ongoing monitoring of mobile threats, Symantec identified a malicious Android application masquerading as an IBM security product. The app, distributed under the name IBMTMOBILE.apk, was hosted on a domain designed to typosquat IBM Trusteer. | CAMPAIGN | |
26.8.25 | TA-NATALSTATUS cryptojacking campaigns | TA-NATALSTATUS is a threat actor engaged in cryptojacking operations around the world. The attackers target vulnerable Redis server instances in order to deploy cryptominer malware. | CRYPTOCURRENCY | |
26.8.25 | Warlock Ransomware Leverages SharePoint ToolShell vulnerability (CVE-2025-53770) for Widespread Attacks | Warlock ransomware threat actors have been aggressively targeting organizations globally by exploiting a critical vulnerability (CVE-2025-53770) in Microsoft SharePoint, known as the ToolShell exploit chain. | ALERTS | RANSOM |
26.8.25 | BQTLOCK Ransomware | BQTLOCK is a new ransomware variant offered for sale under a Ransomware-as-a-Service (RaaS) model. The malware encrypts user data and appends the .bqtlock extension to the locked files. | RANSOM | |
26.8.25 | SHAMOS macOS malware | SHAMOS is a new variant of the AMOS (aka Atomic macOS Stealer) malware targeting the macOS platform. The malware is sold by the threat group known as Cookie Spider in the form of a MaaS (Malware-as-a-Service) offering. | VIRUS | |
26.8.25 | QuirkyLoader: A stealthy new malware loader | A newly identified malware loader dubbed QuirkyLoader has emerged as a sophisticated cyber threat, actively distributing a range of infostealers and RATs including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos and others. | ALERTS | VIRUS |
26.8.25 | Fake Electricity subsidy App phishing campaign | An Android phishing campaign impersonating an Indian government electricity subsidy scheme has been discovered. Victims are lured through YouTube and a GitHub-hosted phishing site mimicking an official subsidy portal. | PHISHING | |
26.8.25 | VIP Keylogger Spreads via Multi-Org Impersonation Campaign | Symantec has recently observed a series of malicious email campaigns delivering VIP Keylogger, in which attackers impersonated multiple legitimate organizations across industries such as logistics, engineering, and manufacturing—leveraging run-of-the-mill purchase orders, quotations, shipment notices, and sales contracts for social engineering. | CAMPAIGN | |
26.8.25 | Turkish Bank-themed Malspam spreads Snake Keylogger Across Sectors | Symantec has identified a recent malspam campaign distributing Snake Keylogger under the guise of a major financial institution in Turkey. | VIRUS | |
26.8.25 | Deployment of the RealBlindingEDR tool among the recent activities of the Crypto24 threat group | The threat actor known as Crypto24 has recently been observed conducting multi-stage attacks against high-profile organizations from various sectors. | ALERTS | GROUP |
26.8.25 | CVE-2024-36401 in OSGeo GeoServer GeoTools exploited in a recent resource monetization campaign | According to the latest report from Palo Alto Networks, a new campaign leveraging exploits for the remote code execution (RCE) vulnerability CVE-2024-36401 has been spotted in the wild. | VULNERABILITY | |
26.8.25 | SoupDealer Loader malware | SoupDealer is a new loader malware variant observed recently in the wild and targeting users from Turkey. The malware is Java-based and distributed via malicious .jar attachments in malspam campaigns. | VIRUS | |
26.8.25 | ConfuserEx Obfuscation Spotted in Latest DarkCloud Stealer Campaign | A recent threat report from Unit 42 (Palo Alto Networks) highlights an evolved infection chain delivering the DarkCloud Stealer, now using ConfuserEx for obfuscation and a final payload written in Visual Basic 6. | ALERTS | CAMPAIGN |
26.8.25 | CORNFLAKE.V3 in “ClickFix” campaign | Researchers have uncovered a new campaign where the CORNFLAKE.V3 backdoor is being used, spread through fake CAPTCHA “ClickFix” pages run by the threat group UNC5518. | CAMPAIGN | |
26.8.25 | UNC1151 leverages macro-enabled Spreadsheets and Cloud C2 in latest campaign | The UNC1151 APT group has been observed conducting a malware campaign targeting Ukraine and Poland through malicious archive files containing decoy spreadsheets with embedded obfuscated macros. | APT | |
26.8.25 | MountBot Botnet | Researchers recently reported MountBot, a new IoT botnet first observed in April exploiting ASUS AiCloud vulnerabilities and operating on the same infrastructure as RapperBot. | BOTNET | |
20.8.25 | Fake Flash updates deliver Winos Trojan | A new Silver Fox campaign masquerading as a Flash plugin update has been observed. Users are lured through fake online tools, such as counterfeit translation sites, where they are prompted to install a fraudulent Flash update. | VIRUS | |
20.8.25 | EncryptHub attackers exploit MMC CVE-2025-26633 vulnerability for payload delivery | A recent campaign attributed to threat group EncryptHub (aka LARVA-208 and Water Gamayun), blends social engineering with the exploitation of the Microsoft Management Console (MMC) vulnerability tracked as CVE-2025-26633, dubbed MSC EvilTwin. | EXPLOIT | |
20.8.25 | Cracked Games lead to Lumma Stealer and SectopRAT infections | A multi-stage malware campaign has been uncovered where users searching for cracked games are tricked into downloading installers that first deploy Lumma Stealer and then install SectopRAT. | ALERTS | VIRUS |
20.8.25 | Modular PipeMagic backdoor masquerades as a ChatGPT application | Recent activity by a financially motivated threat actor group involved deployment of the modular PipeMagic malware under the guise of a ChatGPT desktop application. | VIRUS | |
20.8.25 | Recent vulnerabilities affecting Adobe Experience Manager (CVE-2025-54253 / CVE-2025-54254 / CVE-2025-49533) | Three vulnerabilities affecting Adobe Experience Manager (AEM) software solutions have been recently disclosed. The vulnerabilities are tracked as follows: | VULNERABILITY | |
20.8.25 | njRAT masquerades as browser-based Minecraft Game | The renewed hype around Minecraft, driven by its upcoming film adaptation, is being exploited by cybercriminals who are distributing what appears to be a browser-based clone of the game but in reality conceals njRAT, a powerful remote access trojan. | ALERTS | VIRUS |
20.8.25 | Android malware masquerading as GiftFlipSoft | A sophisticated Android banking malware dubbed Lazarus Stealer, masquerading as the seemingly benign GiftFlipSoft app, has been observed. | VIRUS | |
20.8.25 | NOVABLIGHT MaaS after Wallets | NOVABLIGHT is a sophisticated new Malware-as-a-Service (MaaS) information stealer leveraging Telegram and Discord for both distribution and operational support. Posing as an "educational tool," it stealthily distributes itself through social engineering lures such as fake video game installers, often repackaged with French-language titles. | CRYPTOCURRENCY | |
20.8.25 | PhantomCard mobile malware | A novel NFC-based malware, dubbed PhantomCard, has been identified in the wild and is actively targeting Android banking customers. | VIRUS | |
20.8.25 | Charon Ransomware | Charon is a recently identified ransomware variant that uses DLL injection techniques to compromise targeted endpoints. | RANSOM | |
20.8.25 | Phishing emails targeting U-Next users pose account takeover risk | U-Next is a Japanese video streaming (OTT) platform. Recently, Symantec detected a phishing campaign targeting U-Next users and their accounts. | PHISHING | |
20.8.25 | A new variant of the FireWood Linux malware found in the wild | A new variant of the Linux malware dubbed FireWood has been discovered in the wild. The malware is linked to the Project Wood malware family and attributed to the Gelsemium APT group. | ALERTS | VIRUS |
20.8.25 | CVE-2017-11882 exploits still lead to malicious infections | CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. If successfully exploited, the flaw may allow attackers to execute code remotely on the targeted systems. | VULNERABILITY | |
20.8.25 | BytesFromHeaven ransomware | A new ransomware strain, BytesFromHeaven, has surfaced in the wild. Upon execution, the malware encrypts user data, appends random extensions to locked files, and changes the desktop wallpaper to signal a successful attack. | RANSOM | |
20.8.25 | SmartLoader delivered via GitHub repositories | A new campaign leveraging GitHub repositories to deliver the SmartLoader malware has been reported in the wild. The repositories are disguised as projects involving automation tools, DDoS protection applications, software cracks or game hacks. | ALERTS | VIRUS |
20.8.25 | New malicious campaign delivering PS1Bot malware | A new malicious operation delivering a PowerShell-based malware variant dubbed PS1Bot has been reported by researchers from Cisco Talos. | VIRUS | |