ALERTS

DATE  NAME  INFO  CATEGORY  SUBCATEGORY

29.11.25

TangleCrypt packer employed in recent StoneStop malware delivery campaign

The researchers from WithSecure have released a technical analysis of TangleCrypt, a previously undocumented packer identified in recent attacks utilizing StoneStop EDR killer malware.

ALERTS

VIRUS

29.11.25

Flexible Ferret malware distribution campaigns continue to target macOS users

A new run of the malicious campaign dubbed "Contagious Interview" has been reported on by the researchers from JAMF. The attackers target macOS users, lure them to fake job websites, and then trick them into downloading malware via bogus software updates.

ALERTS

VIRUS

29.11.25

W-8BEN Phishing Alert: Interactive Brokers users targeted via fake login pages

Interactive Brokers (IBKR) is a large, global securities firm offering an electronic trading platform for sophisticated investors, active traders, and institutions across a wide range of products. Recently, a phishing campaign was identified that impersonates a request for the W-8BEN tax form, primarily targeting non-U.S. residents to steal sensitive data.

ALERTS

PHISHING

29.11.25

Recent ShadowV2 - a Mirai variant delivery campaign

FortiGuard Labs recently reported on ShadowV2, a Mirai-based malware targeting IoT devices during the large-scale AWS disruption incident in October.

ALERTS

BOTNET

29.11.25

StealC malware campaign targets Blender users

StealC malware was deployed in a campaign by Russian-linked threat actors targeting users of the popular open-source 3D creation suite, Blender. The multi-stage attack involves malicious .blend files published to legitimate 3D marketplaces.

ALERTS

VIRUS

29.11.25

Silver Fox Campaign Uses Fake Apps & BYOVD

Researchers recently observed a “SwimSnake / Silver Fox” campaign distributing remote-control malware via SEO-boosted fake download sites that impersonate apps like Youdao Translator and WPS. The loaders perform multilayered decryption, use around 80 encrypted fallback C2 addresses, and deploy Gh0st-derived plugins to conceal payloads and support spying, remote command execution, and DDoS.

ALERTS

CAMPAIGN

29.11.25

Banking malware spread to Brazilian users in campaign leveraging phishing and WhatsApp messaging

A sophisticated malware campaign, identified by K7 Security Labs as part of the "Water-Saci" operation, is targeting the Brazilian financial sector through a hybrid phishing and WhatsApp messaging propagation strategy. Initial access is gained via phishing emails with malicious .VBS attachments, followed by the deployment of Python scripts and Selenium webdriver used to hijack WhatsApp Web sessions.

ALERTS

VIRUS

29.11.25

TamperedChef activity continues

TamperedChef is a cyber campaign utilizing malvertising and Search Engine Optimization (SEO) to distribute malicious payloads. The operation targets users searching for common software like web browsers, PDF editors, or product manuals.

ALERTS

CAMPAIGN

29.11.25

Autumn Dragon APT activity

Autumn Dragon is a sophisticated cyber espionage campaign targeting government and media organizations across Southeast Asia. As reported by the researchers from CyberArmor, the campaign has been active since early 2025. It begins with spearphishing emails containing a malicious RAR archive that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR.

ALERTS

APT

29.11.25

Tsundere botnet

Researchers at Kaspersky have identified a growing botnet named Tsundere, which has been targeting Windows users since at least mid-2025. The malware is primarily propagated through fake MSI installers disguised as popular video game installers or other pirated software.

ALERTS

BOTNET

29.11.25

New variant of Shai-Hulud worm found targeting npm packages

A new, aggressive wave of the "Shai Hulud" malware campaign has been reported, compromising hundreds of packages and impacting major organizations including Zapier, Postman, AsyncAPI, and ENS Domains. The malware operates like a sophisticated worm, autonomously spreading by re-publishing itself into other packages maintained by the compromised individual.

ALERTS

VIRUS

29.11.25

CCLand Ransomware

A ransomware actor calling itself “CCLand Team” has recently surfaced. The group presents itself as purely financially motivated and appears to follow a conventional double-extortion model, claiming data theft, file encryption and threatening public disclosure. In the recent activity, they demanded USD 50,000 in Bitcoin with a one-week deadline.

ALERTS

RANSOM

23.11.25

Sturnus mobile malware

A new Android malware called Sturnus has been discovered by MTI Security researchers and is reportedly used to target customers of financial institutions in Southern and Central Europe. The malware comes disguised as known legitimate apps, such as Google Chrome and Preemix Box.

ALERTS

VIRUS

23.11.25

BadAudio malware distributed in campaigns attributed to Budminer APT group

Google’s Threat Intelligence Group has identified a sophisticated espionage campaign orchestrated by a threat actor known as Budminer (aka APT24 or Spicy Panda). Since at least 2022, the group has deployed a previously undocumented malware strain dubbed BadAudio to targeted Windows systems.

ALERTS

VIRUS

23.11.25

Eternidade Stealer

The Eternidade stealer is a banking Trojan targeting Brazilian users. The campaign utilizes malicious scripts to propagate through WhatsApp and download the payload. This malware also features backdoor functionality, leveraging IMAP to identify the active C2.

ALERTS

VIRUS

23.11.25

Backdoor NKNShell

Researchers have recently published a blog on a threat actor (Larva-24010) who has been compromising a South Korean VPN provider’s official site to covertly install malware. The installer masquerades as a legitimate VPN client but triggers a PowerShell script that disables defenses and drops three key tools: the backdoor NKNShell, the remote-management agent MeshAgent, and the remote-shell gs-netcat.

ALERTS

VIRUS

23.11.25

Hospital-Impersonation Malspam Drives VIPKeylogger Targeting Across EU and Turkey

A new malspam campaign delivering VIPKeylogger is circulating across multiple regions, with the actor impersonating a prominent Turkish private hospital group / healthcare institution to establish credibility. The phishing email—bearing the subject “SİPARİŞİMİZDİR HK.” and posed as a procurement-related message—arrived from a spoofed sender and carried a RAR attachment framed as a purchase order.

ALERTS

VIRUS

23.11.25

Steganography .NET Loader spreading Lokibot

In its latest analysis, the Splunk Threat Research Team has dissected a .NET loader that uses steganography to smuggle the Lokibot credential-stealer. Hiding modules inside image resources and loading them at runtime, the loader evades static detection and embeds a dual-stage container that ultimately drops Lokibot.

ALERTS

VIRUS

23.11.25

ShinySp1d3r Ransomware

ShinySp1d3r is a new ransomware variant offered for sale under a Ransomware as a Service (RaaS) model. The malware is attributed to the threat actor known as ShinyHunters. Researchers from BleepingComputer have reported on the discovery of a Windows encryptor variant of this ransomware.

ALERTS

RANSOM

23.11.25

Threat actors delivering RMM packages with help of seasonal party invite lures

A highly active threat actor that specializes in using the ScreenConnect remote management and monitoring (RMM) software in its attacks has changed tactics and is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk.

ALERTS

HACKING

23.11.25

DigitStealer – MacOS stealer

Jamf Threat Labs examined DigitStealer, a macOS infostealer spread through a deceptive disk image that prompts users to run a Terminal script, slipping past Gatekeeper controls. According to their analysis, after checking the system’s region and evading virtual machines, the malware moves through a multi-stage chain that blends AppleScript and obfuscated JXA to harvest browser data, VPN creds, and crypto-wallet information.

ALERTS

VIRUS

23.11.25

Amatera stealer delivered via ClickFix in EVALUSION campaign

Social engineering is an important component of a successful attack by threat actor groups. Researchers at eSentire have highlighted a recent campaign, identified as EVALUSION, whereby targets are socially engineered to participate in their own compromise via the ClickFix technique.

ALERTS

CAMPAIGN

23.11.25

GMER anti-rootkit utility

Dual-use tools are common components of attack campaigns by established threat actors. A highly popular tool that is often observed in such attacks is the anti-rootkit utility GMER.

ALERTS

CAMPAIGN

23.11.25

RONINGLOADER

Researchers at Elastic recently published an article on RONINGLOADER, a multi-stage Windows loader used by the DragonBreath (APT-Q-27) group and delivered through tampered installers disguised as everyday apps like Chrome or Teams.

ALERTS

VIRUS

15.11.25

Attackers leverage software brand impersonation to deliver Gh0st RAT

A report by Unit42 at Palo Alto Networks highlights two brand impersonation campaigns observed in 2025 that deliver a Gh0st RAT payload.

ALERTS

VIRUS

15.11.25

New ClickFix campaign delivers Remcos RAT to Italian users

A new malspam campaign impersonating the GLS delivery service has been reported by CERT AGID. The attackers leverage malicious emails themed with a failed parcel delivery and urge the recipients to open an attached XHTML file.

ALERTS

VIRUS

15.11.25

MacOS attackers leverage AppleScripts for malware delivery

Researchers from Canva Threat Detection and Hunting team reported on an increased use of weaponized AppleScript (.scpt) files by the malicious threat actors.

ALERTS

VIRUS

15.11.25

New DanaBot malware variant found in the wild

The DanaBot malware has resurfaced with a new Windows variant, approximately six months after its activity was severely disrupted by the international law enforcement action, Operation Endgame.

ALERTS

VIRUS

15.11.25

Kraken ransomware, a double-extortion group

A new report by researchers at Cisco Talos details recent activity related to the Kraken ransomware group. The group, established in early 2025, runs a double extortion operation with no specific industry or geographical focus.

ALERTS

RANSOM

15.11.25

SkyCloak campaigns target Russian and Belarusian military entities

Russian and Belarusian military entities are targeted in a multi-stage attack, intent on allowing backdoor access for the attackers. Details of the activity, given the name Operation SkyCloak in a report published by Seqrite, are further corroborated in a report shared by researchers at Cyble.

ALERTS

CAMPAIGN

12.11.25

CHAMELEON#NET campaign - from DarkTortilla loader to FormBook payload

A new sophisticated malspam campaign utilizing the DarkTortilla .NET malware loader to deliver the FormBook Remote Access Trojan (RAT) has been documented by the researchers from Securonix. The attack is initiated via phishing, where users are manipulated into downloading a compressed .BZ2 archive containing a highly obfuscated JavaScript dropper.

ALERTS

VIRUS

12.11.25

A new phishing campaign targeting hospitality industry customers

A recent phishing campaign reported by the researchers from Sekoia is targeting hospitality customers. A key intrusion tactic involves sending malicious emails to popular hospitality sector businesses that lure the staff into clicking a URL employing the "ClickFix" social engineering technique, ultimately manipulating them into executing a malicious PowerShell command.

ALERTS

CAMPAIGN

9.11.25

CVE-2025-6205 - DELMIA Apriso vulnerability exploited in the wild

CVE-2025-6205 is a recently disclosed critical (CVSS score 9.1) missing authorization vulnerability affecting DELMIA Apriso from release 2020 through release 2025. If successfully exploited the flaw might allow attackers to gain privileged access to the vulnerable application instances. This vulnerability has been added just last week to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation.

ALERTS

VULNERABILITY

9.11.25

Attackers target cargo and freight companies with RMM tools

Remote monitoring and management (RMM) tools are a common payload in today's threat landscape. A recent report by researchers at Proofpoint details campaigns against cargo and freight companies to attempt cargo theft.

ALERTS

CAMPAIGN

9.11.25

BankBot mobile malware

A new variant of the BankBot mobile malware has been reported by the researchers from Cyfirma. This strain implements updated anti-emulation techniques. During initialization, it inspects device attributes like device manufacturer and model identifiers to detect virtualized or sandboxed environments, dynamically altering its behavior to evade automated analysis.

ALERTS

VIRUS

9.11.25

Recent activity focusing on organizations influencing U.S. policy

China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues.

ALERTS

APT

9.11.25

New NGate mobile malware campaign targeting Polish banking users

CERT Polska has uncovered a new mobile malware campaign called NGate that uses an NFC Relay attack to drain cash from victims' bank accounts at ATMs. The attack targets users of Polish banks and starts with a fake security message (email or SMS) concerning a technical issue or incident, tricking the victim into installing a malicious Android app.

ALERTS

VIRUS

9.11.25

RMM Abuse Continues — Malicious LogMeIn Resolve Activity on the Rise

In recent weeks we observed a decline in malicious ScreenConnect activity and a concurrent rise in campaigns abusing the LogMeIn Resolve RMM (aka GoTo Resolve), using the “Unattended Access” feature within Resolve, which allows access to and control of computers or servers without an end user being present.

ALERTS

VIRUS

9.11.25

CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild

CVE-2025-24893 is a recently disclosed template-injection vulnerability affecting XWiki, which is an open-source wiki software platform. If successfully exploited the flaw might allow unauthenticated attackers to inject and execute arbitrary Groovy code through crafted requests.

ALERTS

VULNERABILITY

9.11.25

Multi-Stage In-Memory Agent Tesla Campaign Targets LATAM

Symantec has identified a new Agent Tesla campaign leveraging business-themed social engineering to target organizations across Latin America, Spain, and other international sectors. The actor impersonates a company that advertises outsourced management, consulting, and facility services.

ALERTS

CAMPAIGN

9.11.25

CVE-2025-54247 - Adobe Experience Manager vulnerability

CVE-2025-54247 is a recently disclosed improper input validation vulnerability affecting Adobe Experience Manager versions 6.5.23.0 and earlier. If successfully exploited the flaw might allow low-privileged attackers to bypass security measures and gain unauthorized read access. The product vendor has already released the respective security patches to address this vulnerability.

ALERTS

VULNERABILITY

9.11.25

Threat actors spoof Aramex services to steal credentials

Aramex, a global logistics and transportation company based in Dubai, offers services such as express courier delivery, freight forwarding, and supply chain management for businesses and consumers. Symantec has detected a new wave of phishing attacks that mimic Aramex services to steal credentials.

ALERTS

PHISHING

9.11.25

CVE-2025-54236 - Adobe Commerce and Magento vulnerability

CVE-2025-54236 (aka SessionReaper) is a recently disclosed critical (CVSS score 9.1) improper input validation vulnerability affecting the Adobe Commerce and Magento solution. If successfully exploited the flaw might allow an attacker to take over a session through the Commerce REST API.

ALERTS

VULNERABILITY

9.11.25

CVE-2025-11371 - Gladinet CenterStack LFI vulnerability exploited in the wild

CVE-2025-11371 is a recently disclosed local file inclusion (LFI) vulnerability in Gladinet CenterStack and Triofox platforms, which are self-hosted file sharing solutions. If successfully exploited the flaw might allow attackers to perform unauthenticated remote file inclusion, retrieval of configuration keys and subsequent remote code execution. The vulnerability has been reported as being exploited in the wild.

ALERTS

VULNERABILITY

9.11.25

New phishing campaign targets Tether users with fake anti-money laundering notices

A new phishing campaign has been observed, spoofing Tether and targeting its users with fraudulent anti-money laundering (AML) notice emails. Tether, a widely adopted stablecoin with tokens pegged 1-to-1 to fiat currencies and backed by reserves, is a popular target for such scams.

ALERTS

PHISHING

9.11.25

Tangerine Turkey, coming from a USB drive near you

Tangerine Turkey is a crypto mining campaign, delivered by the less-than-efficient mechanism of removable USB drives. The USB contains all the necessary components to complete the attack. Execution starts with a .vbs file which drops and executes a .bat.

ALERTS

CRYPTOCURRENCY

9.11.25

BlueNoroff targets Crypto Sector with GhostCall and GhostHire campaigns

Two new campaigns by the BlueNoroff APT group, dubbed GhostCall and GhostHire, targeting cryptocurrency and Web3 professionals, have been reported by Kaspersky. In GhostCall, attackers impersonate venture capitalists or startup founders luring victims into fake online meetings via Zoom or Teams and prompting them to install a “security update” that deploys multi-stage malware on macOS or Windows.

ALERTS

CAMPAIGN

9.11.25

Airstalk malware

Airstalk is a Windows-based malware recently discovered by researchers at Unit42 of Palo Alto Networks. The name is derived from the malware's use of the AirWatch API for mobile device management (MDM) for C2 communications. Variants written in both PowerShell and .NET have been observed, with the .NET variant having more capabilities.

ALERTS

VIRUS

9.11.25

Attackers linked to Russia continue activity against Ukraine

Attacks against a large business services organization and a local government organization were recently observed by our Threat Hunter team. Fueled by a heavy reliance on Living-off-the-Land tactics and dual-use tools, the attacker's goal appears to be establishing persistence and theft of sensitive information.

ALERTS

APT

9.11.25

CVE-2025-59287: Microsoft WSUS RCE exploited in the wild

Microsoft patched a critical unauthenticated RCE in Windows Server Update Services (CVE-2025-59287) with an out-of-band update on Oct 23, 2025, after the initial October Patch Tuesday release proved incomplete. Exploit code and active attacks were observed within hours, prompting warnings from security vendors, incident responders and CISA’s KEV catalog.

ALERTS

VULNERABILITY

9.11.25

GhostGrab Android malware

An advanced Android malware strain named GhostGrab that is actively used to mine cryptocurrency and steal banking credentials from compromised devices has been reported by CYFIRMA.

ALERTS

VIRUS