DATE | NAME | INFO | CATEGORY | SUBCATE |
27.9.25 | SVG phishing campaigns deliver infostealer and cryptominer payloads | Symantec has observed an uptick in malicious spam (malspam) using Scalable Vector Graphics (SVG) file attachments to initiate malicious activity. A report by security researchers at Fortinet corroborates this trend, highlighting recent SVG-based campaigns delivering Amatera Stealer and PureMiner. | PHISHING | |
27.9.25 | Activities of the DeceptiveDevelopment threat group | In a recent publication, ESET researchers report on a financially motivated threat group called DeceptiveDevelopment. The group has been active since at least 2023 and primarily targets software developers across all major operating systems (Windows, Linux, macOS), particularly those involved in cryptocurrency and Web3 projects. | GROUP | |
27.9.25 | New YiBackdoor Malware | Cybersecurity researchers at Zscaler ThreatLabz have identified YiBackdoor, a newly discovered malware family exhibiting significant source code overlaps with the established loaders IcedID and Latrodectus. YiBackdoor operates as a powerful, modular backdoor capable of executing arbitrary commands, capturing screenshots, and extensive system information collection. | VIRUS | |
27.9.25 | RedNovember threat group targets global entities for espionage | A report by Insikt Group at Recorded Future details recent activity of a China-backed threat actor named RedNovember (previously known as TAG-100). | APT | |
27.9.25 | Operation Rewrite leads to BadIIS malware distribution | Researchers from Palo Alto reported on an SEO poisoning campaign, dubbed "Operation Rewrite". The primary tool used by the attackers in this operation is the BadIIS malware, which can intercept and modify web traffic, using compromised legitimate servers to deliver malicious content. | OPERATION | |
27.9.25 | CVE-2025-53690 - Deserialization of Untrusted Data vulnerability affecting multiple Sitecore products | CVE-2025-53690 is a recently disclosed critical (CVSS score 9.0) ViewState deserialization of untrusted data vulnerability affecting Sitecore products including Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) and Experience Commerce (XC). | VULNERABILITY | |
27.9.25 | Bitpanda users targeted by new phishing campaign | Recently, Symantec has observed phish runs targeting users of Bitpanda GmbH, an Austrian digital asset platform headquartered in Vienna. | ALERTS | PHISHING |
27.9.25 | SystemBC botnet - new infrastructure uncovered | Black Lotus Labs at Lumen Technologies has identified new infrastructure belonging to the SystemBC botnet, a large-scale operation averaging 1,500 daily victims. Unlike typical botnets using residential IPs, SystemBC exploits Virtual Private Server (VPS) systems to create high-volume, persistent proxies that fuel malicious activities for various criminal groups. | BOTNET | |
27.9.25 | New malware distribution campaign attributed to the Rustfly APT group | The Rustfly APT group (also known as UNC1549 or Nimbus Manticore) is engaged in a sustained cyberespionage operation targeting the defense manufacturing, telecommunications, and aviation sectors. A recently published report from Checkpoint reveals a heightened focus from this APT group on Western Europe, particularly Denmark, Sweden, and Portugal. The attackers employ sophisticated spear-phishing campaigns, posing as HR recruiters to lure victims to fake career portals. | APT | |
27.9.25 | XWorm disguised as “Unreal Engine Auto Update” hosted on GitHub’s CDN | An individual or group has been disguising XWorm malware as an “Unreal Engine Auto Updater” and hosting it on raw[.]githubusercontent[.]com, GitHub’s CDN endpoint that serves raw file contents from public repositories. | ALERTS | VIRUS |
27.9.25 | ClickFix techniques used in BeaverTail malware distribution on macOS and Windows systems | The ClickFix social engineering technique relies on tricking users into running malicious commands by presenting fake CAPTCHAs. As reported by Gitlab, a recent campaign leveraging ClickFix techniques has been observed to spread a new BeaverTail malware variant. Previously targeting software developers, the APT group behind this malware has now shifted its focus to marketing, cryptocurrency trading and retail sectors. | VIRUS | |
27.9.25 | Leafperforator APT leverages Nepalese protest movement for mobile malware distribution | A recent activity reported by the researchers from StrikeReady demonstrates a popular trend where geopolitical events serve as bait for targeted cyber threats. | APT | |
27.9.25 | DarkCloud Campaign Targets European Energy, Finance, and Maritime Sectors | Symantec has observed a DarkCloud malspam run that used invoice/shipping-themed lures to deliver a Windows stealer. The attackers spoofed two German industrial suppliers (one industrial-machinery vendor, one tank/storage-construction firm) while using logistics and invoice-style social engineering. | ALERTS | CAMPAIGN |
27.9.25 | HybridPetya - a Petya/NotPetya offshoot with a UEFI bootkit | ESET security researchers have identified new malware samples, dubbed HybridPetya, which exhibit characteristics of the impactful Petya and NotPetya campaigns from 2016-2017. | VIRUS | |
27.9.25 | New campaign distributing SnakeDisk worm and the Toneshell backdoor | IBM X-Force identified a new malicious operation attributed to the threat actor known as Fireant (aka Hive0154, Mustang Panda). | CAMPAIGN | |
27.9.25 | XillenStealer malware | In their latest report, Cyfirma's analysts reveal XillenStealer as an open-source, Python-based information stealer readily available on GitHub. | ALERTS | VIRUS |
27.9.25 | RevengeHotels New Tactics Deliver Potent VenomRAT | Securelist researchers have identified RevengeHotels, also known as TA558, as a cybercriminal group targeting the hospitality and tourism industries to steal credit card data. | VIRUS | |
27.9.25 | WhiteCobra Targets Developer Tools for Data Heists | KOI Research has identified WhiteCobra, a sophisticated threat actor, in a year-long campaign targeting users of VSCode, Cursor, and Windsurf. | GROUP | |
17.9.25 | EvilAI Malware Mimics Legitimate Tools | As reported by Trend Micro researchers, a new malware campaign dubbed EvilAI is posing a threat by impersonating legitimate productivity and AI-powered tools. | VIRUS | |
17.9.25 | Phishing Campaign Targets UK Government Gateway User IDs and Passwords | Symantec has observed a phishing campaign delivering HTML attachments via email that masquerade as official GOV.UK Government Gateway confirmations. The email (subject: "Confirmation - Government Gateway") spoofed a no-reply government address and carried a file named attachement.service.gov.uk.html. | PHISHING | |
17.9.25 | Phishing Emails Masquerade as Internal Messages to Deliver SHTML Credential Traps | A newly identified phishing campaign, discovered by Symantec, leverages SHTML attachments disguised as password-protected documents to harvest employee credentials. | PHISHING | |
17.9.25 | NPM packages infected by self-replicating worm | Malicious activity reported by multiple sources was observed impacting numerous packages in the npm JavaScript repository. The activity revolves around a self-replicating worm named Shai-Hulud, which, after infecting a locally available npm package, searches for and infects other packages the compromised user has access to. It is responsible for stealing secrets, exfiltrating data, and marking private GitHub projects as public for impacted users. | HACKING | |
17.9.25 | CVE-2025-5086 - Delmia Apriso vulnerability | CVE-2025-5086 is a recently disclosed critical (CVSS score 9.0) deserialization of untrusted data vulnerability affecting DELMIA Apriso Manufacturing Operations Management (MOM) software. | VULNERABILITY | |
17.9.25 | Maranhão Stealer | A recent campaign involving the Maranhão Stealer has been identified by the researchers from Cyble. The attack is targeting gaming users through social engineering websites hosted on cloud platforms. | ALERTS | VIRUS |
17.9.25 | kkRAT: A new Remote Access Trojan | A malware campaign targeting China-speaking users has been identified, deploying a previously undocumented kkRAT alongside ValleyRAT and FatalRAT. | VIRUS | |
17.9.25 | Buterat Backdoor Targeting Enterprise and Government Networks | The Lat61 Threat Intelligence Team from Point Wild has identified Backdoor.Win32.Buterat, a sophisticated malware designed for persistent, long-term network infections. | VIRUS | |
17.9.25 | Contagious Interview operation continues | SentinelLABS has identified North Korean threat actors associated with the "Contagious Interview" campaign cluster exhibiting a sophisticated approach to operational security. | OPERATION | |
17.9.25 | New Go-Based ZynorRAT Leverages Telegram for Linux and Windows | The Sysdig Threat Research Team (TRT) has identified ZynorRAT, a novel Go-based Remote Access Trojan (RAT) demonstrating robust command and control (C2) features for both Linux and Windows platforms. | ||
12.9.25 | Yurei ransomware | First observed in September, Yurei is a new ransomware group whose operations incorporate a double-extortion model of both file encryption and data theft. | RANSOM | |
12.9.25 | AMOS Stealer malware continues to be distributed via cracked apps | Trend Micro's latest report reveals a sophisticated campaign leveraging the AMOS infostealer (also known as Atomic macOS Stealer). Attackers employ social engineering, disguising the malware binaries as cracked software or tricking users into pasting malicious commands into the macOS Terminal, thus bypassing built-in protections like Gatekeeper. | | |
12.9.25 | Fireant group continues activity in Myanmar with ToneShell backdoor | ToneShell is a backdoor that is deployed by the Fireant (aka Mustang Panda) threat group. Security researchers at Intezer have published details about a recently observed variant, with related activity indicating that the group continues acting against targets in Myanmar. | ALERTS | GROUP |
12.9.25 | BlackField (aka BlackFL) Ransomware | BlackField (aka BlackFL) is a double-extortion ransomware actor first observed around July 2025. Analysis of its ransomware demonstrates the typical double-extortion model, using both encryption and data theft to pressure victims. | RANSOM | |
12.9.25 | BlackNevas Ransomware | BlackNevas is a ransomware variant that initially emerged in November 2024. This encryptor targets businesses and critical infrastructure across Asia, North America, and Europe, with a strong focus on the Asia-Pacific region. | RANSOM | |
12.9.25 | Luno - Linux botnet with cryptomining and DDoS capabilities | Cyble researchers have identified a new sophisticated Linux botnet campaign dubbed "Luno." This malware framework combines cryptocurrency mining with modular DDoS attack capabilities, showcasing advanced features like process masquerading, binary replacement, and a self-update mechanism, indicative of professional threat actor involvement. | ALERTS | BOTNET |
12.9.25 | NightshadeC2 Botnet emerges | NightshadeC2 is a newly identified botnet uncovered by eSentire, notable for its advanced stealth and persistence techniques. It is distributed through trojanized installers of legitimate software such as CCleaner, ExpressVPN and others, as well as phishing campaigns using fake ClickFix-themed landing pages. | BOTNET | |
12.9.25 | Kamasers Malware | Kamasers is a bot with backdoor capabilities that has recently been observed in the wild. Once deployed, it communicates with its C2 server to retrieve commands that enable it to download and execute files, perform HTTP and DNS flooding attacks, access local files, load malicious JavaScript, and direct browsers to attacker-specified URLs. | VIRUS | |
12.9.25 | NFSkate's RatOn Android Banking Trojan | In a recent report, ThreatFabric MTI analysts have identified a sophisticated new Android banking trojan dubbed "RatOn," crafted by the NFSkate threat actor group. RatOn represents a significant advancement in mobile cybercrime by combining classic overlay attacks with powerful Automated Transfer System (ATS) functionalities and NFC relay capabilities. | VIRUS | |
12.9.25 | New Threat Actor GhostRedirector Targets Windows Servers with SEO Fraud and Backdoors | In a recent report, ESET researchers have identified a new threat actor, GhostRedirector, that has compromised at least 65 Windows servers across Brazil, Thailand, and Vietnam. Operating in diverse sectors including insurance, healthcare, retail, and education, this actor utilizes a sophisticated custom toolkit. | GROUP | |
12.9.25 | Gentlemen Ransomware | Gentlemen is a newly emerged ransomware threat group, as reported by Trend Micro researchers. The attackers have been observed to leverage legitimate drivers, abuse Group Policy Objects (GPO), and deliver KillAV tools aimed at disabling installed security products in the targeted environments. | RANSOM | |
12.9.25 | Tamperedchef Malware Lurks in AppSuite PDF Editor | According to a report from Truesec, a sophisticated malware campaign has been identified that masquerades as a free utility, "AppSuite PDF Editor," and silently deploys an information-stealing malware named "Tamperedchef". This operation employs highly obfuscated code, possibly AI-generated, and exploits Google advertising to achieve widespread distribution. | CAMPAIGN | |
12.9.25 | RapperBot: Fast-moving IoT botnet exploits NVRs for DDoS | RapperBot is a fast-moving IoT botnet that is quickly turning compromised DVRs and NVRs into nodes for large-scale DDoS attacks. | BOTNET | |
12.9.25 | Credential theft: Threat actors spoof Hungarian Post (Magyar Posta Zrt.) services | A new wave of phishing attacks targeting Hungarian Post (Magyar Posta Zrt.) services has been identified by Symantec, aiming to steal user credentials. | PHISHING | |
12.9.25 | TinyLoader delivers stealers while clipping wallets | In a recent report, researchers have spotlighted TinyLoader, a stealthy malware loader harnessed to siphon cryptocurrency and deploy additional payloads like Redline Stealer and DCRat. | ALERTS | VIRUS |
12.9.25 | XWorm adopts multi-stage infection chain | Trellix has identified a shift in the XWorm backdoor campaign, which has evolved from simple .lnk-based delivery to a more deceptive, multi-stage infection chain. | VIRUS | |
12.9.25 | TAG-150 MaaS group deploys their Castle family of malware | TAG-150 is a newly identified threat actor group which operates as a Malware-as-a-Service (MaaS) provider. Activity associated with TAG-150 is highlighted by the deployment of multiple custom-developed malware families: CastleBot, CastleLoader, and CastleRAT. | GROUP | |
12.9.25 | GPUGate: Malware campaign targets IT Pros via GitHub and Google Ads | A sophisticated malware campaign dubbed GPUGate, which exploits GitHub's infrastructure and Google Ads to distribute a malicious payload targeting IT professionals in Western Europe, has been reported by Arctic Wolf. | ALERTS | VIRUS |
12.9.25 | Salat Stealer: Go-Based Infostealer as Malware-as-a-Service | Salat Stealer, a Go-based infostealer offered under a Malware-as-a-Service model, has been reported by Cyfirma. Likely operated by Russian-speaking actors, the malware employs layered persistence techniques, including registry Run keys, scheduled tasks, process masquerading and modifications to Windows Defender exclusions to evade detection. | VIRUS | |
12.9.25 | Obscura: New Go-based ransomware emerges | A new ransomware variant known as Obscura has emerged, adding itself to the growing list of active ransomware families targeting organizations in 2025. | RANSOM | |
12.9.25 | Stealerium: An Open-Source Infostealer Fueling Widespread Attacks | Stealerium is an open-source infostealer that has been observed in recent activity. The malware has been deployed by multiple groups across various campaigns over the last few months. | VIRUS | |
12.9.25 | LockBeast ransomware | LockBeast is a ransomware variant that combines file encryption with data theft to pressure victims into payment. Upon execution, it encrypts files with strong cryptographic algorithms, appends a victim-specific identifier plus the “.lockbeast” extension, and drops a ransom note named README.TXT. | RANSOM | |
6.9.25 | Phishing campaign targets GMO Aozora Net Bank customers | GMO Aozora Net Bank, an online-only bank in Japan established in 2018 by the GMO Internet and Aozora Bank groups, offers customized financial services for both individuals and businesses. | PHISHING | |
6.9.25 | AI Waifu RAT exploits AI enthusiasm | AI Waifu RAT is a newly identified Remote Access Trojan spreading in LLM role-playing communities by posing as an AI interaction or research tool. | AI | |
6.9.25 | APT28 introduces NotDoor Backdoor | A new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group, has been identified by LAB52. Delivered via Microsoft OneDrive with DLL side-loading, NotDoor uses an Outlook VBA macro to monitor emails for trigger words, enabling command execution, data exfiltration and file uploads. | APT | |
6.9.25 | Indonesian-Language Agent Tesla Campaign Targets Firms Across Southeast Asia | Symantec has observed a new Agent Tesla campaign targeting organizations in Southeast Asia, including both local companies and regional branches of large international firms. | ALERTS | VIRUS |
6.9.25 | Iran-Nexus campaign exploits Omani MFA Mailbox | A recent campaign exploiting the Oman Ministry of Foreign Affairs was first reported by ClearSky, with Dream Security researchers providing further insights. | CAMPAIGN | |
6.9.25 | Jackpot ransomware | A new ransomware variant named Jackpot, linked to the MedusaLocker family, has emerged leveraging a double extortion strategy that combines file encryption with the theft of sensitive data. | RANSOM | |
6.9.25 | MystRodX Backdoor | As per recent reports from XLab, a new backdoor named MystRodX has been discovered, implemented in C++ and equipped with an extensive range of capabilities. It supports file management, port forwarding, reverse shell access and socket management, while also embedding anti-debugging and anti-VM techniques to bypass security analysis. | ALERTS | VIRUS |
6.9.25 | Masslogger actor switched from direct archive attachment to Discord CDN URL | Masslogger, an information-stealing malware active since 2020, continues to rank among the most prevalent threats. It is designed to harvest credentials stored in browsers, email clients, and messaging applications. | VIRUS | |
6.9.25 | Desolator Ransomware | The Desolator ransomware group, also referred to as The Desolated Collective, is a relatively new actor recently observed in the wild. Alleged victims include construction and engineering firms in Latin America and Southern Europe, and a technology and software developer in Southeast Asia. | RANSOM | |
6.9.25 | TinkyWinkey keylogger | A new Windows keylogger, dubbed TinkyWinkey, analyzed by Cyfirma, leverages a service-based persistence model and DLL injection into trusted processes to evade detection while maintaining continuous surveillance. | VIRUS | |
6.9.25 | North Korean Vedalia expands espionage via Operation HanKook Phantom | An espionage campaign dubbed Operation HanKook Phantom, attributed to North Korean threat actor Vedalia (also known as APT37, ScarCruft), has been reported by Seqrite targeting South Korean academic and research organizations. | APT | |