ALERTS HOME AI APT BOTNET CAMPAIGN CRIME CRYPTOCURRENCY EXPLOIT HACKING GROUP OPERATION PHISHING RANSOM SPAM VIRUS VULNEREBILITY
2024 March(16) April(92) May(99) June(94) July(88) August(112) SEPTEMBER(67) October(13) November(80) December(6) 2025 January(36) February(50) March(77) April(54) May(0) June(0) July(0) August(0) SEPTEMBER(0) October(0) November(0) December(0)
DATE |
NAME |
INFO |
CATEGORY |
SUBCATE |
| 21.6.25 | Amatera Stealer | Amatera is a recently identified infostealer variant believed to be an evolution of the older ACR Stealer malware. It has been reported as being offered for sale via the malware-as-a-service (MaaS) model. | VIRUS | |
| 21.6.25 | CVE‑2025‑49113 – Post‑Auth Remote Code Execution vulnerability in Roundcube | CVE-2025-4123 is a recently disclosed critical (CVSS score 9.9) Post‑Auth Remote Code Execution (RCE) vulnerability affecting Roundcube, which is a free and open-source webmail application. | VULNEREBILITY | |
| 21.6.25 | Discord Vanity Link Flaw Exploited in New Malware Campaign Dropping AsyncRAT and Skuld Stealer | A new sophisticated malware campaign aimed at financial gain from cryptocurrency users is exploiting a subtle weakness in Discord's invitation system to distribute an information stealer called Skuld and the AsyncRAT. Targeted victims have been identified primarily in Austria, France, Germany, Slovakia, Vietnam, the Netherlands, the United States, and the United Kingdom. | EXPLOIT | |
| 21.6.25 | Stargazers malware campaign targets Minecraft players via fake mods | A large-scale malware campaign operated by the Stargazers Ghost Network is actively targeting Minecraft players, according to a recent report from Checkpoint. | CAMPAIGN | |
| 21.6.25 | Modified XWorm RAT distributed through trojanized MSI | A China-linked threat actor distributing a trojanized MSI installer posing as a WhatsApp setup to deliver a customized XWorm Remote Access Trojan (RAT) has been reported targeting users in East and Southeast Asia. | VIRUS | |
| 21.6.25 | New variant of the Godfather mobile malware employs virtualization techniques | A new variant of the Godfather Android banking malware has been discovered in the wild. The malware leverages on-device virtualization techniques to hijack several legitimate applications. | ||
| 21.6.25 | CVE-2023-0386 - Linux Kernel Improper Ownership Management vulnerability exploited in the wild | CVE-2023-0386 is a high severity (CVSS score 7.8) Improper Ownership Management vulnerability affecting the Linux Kernel. | VULNEREBILITY | |
| 21.6.25 | FIN7-linked GrayAlpha uses PowerShell loaders and TDS to spread NetSupport RAT | GrayAlpha, a cybercriminal group associated with FIN7, has been reported conducting a sophisticated malware campaign using multiple infection vectors to distribute NetSupport RAT via custom PowerShell loaders, PowerNet and MaskBat. | APT | |
| 21.6.25 | New Librarian Ghouls Campaign | A new cyber espionage campaign by APT group "Librarian Ghouls" (also known as Rare Werewolf and Rezet) was observed targeting organizations primarily in Russia, Belarus and Kazakhstan focusing on industrial organizations and engineering schools, along with sectors like rocket, aviation, space, defense, and petrochemical industries. | CAMPAIGN | |
| 21.6.25 | HijackLoader campaign delivers DeerStealer payload | A recent campaign leveraging the HijackLoader malware has been observed to distribute the DeerStealer malicious payload. | CAMPAIGN | |
| 21.6.25 | Threat Actors Abuse Paste.ee and use Unicode Deception to Deploy XWorm RAT | A sophisticated malware campaign initiated by a deceptively named JavaScript file designed to download a malicious payload was observed. | VIRUS | |
| 21.6.25 | XDSpy campaign employs whitespace-obfuscated LNK files | A new XDSpy malware campaign, attributed to the SadFuture threat actor, has been observed targeting Eastern European and Russian government entities. | VIRUS | |
| 21.6.25 | Financial communications lead to malware downloads for Taiwanese users | A threat actor has been targeting users in Taiwan through campaigns masquerading as communications from official financial entities. | VIRUS | |
| 21.6.25 | CVE-2025-48828 - a new vBulletin RCE vulnerability | CVE-2025-48828 is a recently disclosed critical (CVSS score 9.0) template engine vulnerability affecting vBulletin, which is a commercial forum software platform. | VULNEREBILITY | |
| 21.6.25 | MintsLoader Malware Campaign Hits Italian PEC Users | A new MintsLoader malware campaign has targeted Italy, showcasing the attacker's strategy of adapting to the local Italian work calendar. | VIRUS | |
| 21.6.25 | Pickai Backdoor | A new backdoor malware dubbed Pickai (AI Pickpocket) has been observed spreading through vulnerabilities in the popular ComfyUI framework. Written in C++, Pickai spreads through innocuous-looking configuration files like JSON and TMUX settings. | VIRUS | |
| 21.6.25 | Hackers Weaponize Legitimate 'Netbird' Tool in Phishing Campaign Targeting CFOs | A new fake recruiter spear-phishing campaign has been observed targeting high-level financial executives at banks, energy companies, insurers, and investment firms across Africa, Canada, Europe, the Middle East, and South Asia. | PHISHING | |
| 21.6.25 | CVE-2025-4123 - Grafana XSS and Full-Read SSRF vulnerability | CVE-2025-4123 is a recently discovered high severity (CVSS score 7.6) open redirect vulnerability affecting Grafana, which is an open-source data visualization platform. | VULNEREBILITY | |
| 13.6.25 | CyberEye RAT | CyberEye is a modular Remote Access Trojan that relies on Telegram for its C2 communications. Using a publicly available builder, its implants can be customized to include features like anti-analysis, cryptocurrency hijacking, and persistence. | VIRUS | |
| 13.6.25 | Spectra Ransomware | Spectra is a new ransomware variant found in the wild just this year. The malware belongs to the well known Chaos ransomware family. | RANSOM | |
| 13.6.25 | Stealth Falcon exploits Zero-Day Vulnerability CVE-2025-33053 | As reported by Check Point, the APT group Stealth Falcon has been observed exploiting a zero-day vulnerability (CVE-2025-33053) in a new malware campaign. | VULNEREBILITY | |
| 13.6.25 | Unusual Fog ransomware activity | In a recent report, the Symantec and Carbon Black Threat Hunter Team analyzed a Fog ransomware attack that targeted a financial institution in Asia. | RANSOM | |
| 13.6.25 | FIN6 abuses Job Portals and Cloud Infrastructure to evade detection | A malware campaign attributed to the threat actor FIN6, posing as job applicants on platforms like LinkedIn and Indeed, has been observed in the wild. Once a target is lured, the threat actor sends phishing emails containing non-clickable URLs that lead to cloud-hosted “resume” sites on AWS. | GROUP | |
| 13.6.25 | Chinese threat actor groups target cybersecurity vendor |
According to a recent report from SentinelLabs, China-backed
threat actors have deployed ShadowPad and PurpleHaze malware in global
campaigns.
|
GROUP | |
| 13.6.25 | Myth Stealer malware | Myth is a new Rust-based infostealing malware discovered recently in the wild. The malware has been previously advertised on various Telegram groups and lately reported as being distributed via fraudulent gaming websites and online portals offering software cracks, among others. | VIRUS | |
| 11.6.25 | Exploitaiton of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution | New campaigns distributing variants of the popular Mirai botnet have been reported in the wild. The attackers have been exploiting critical (CVSS score 9.9) CVE-2025-24016 deserialization vulnerability affecting Wazuh Server which might allow for a remote code execution on the vulnerable devices. | BOTNET | |
| 11.6.25 | Datarip - a new MedusaLocker ransomware variant | Datarip ransomware is a new malware strain from the MedusaLocker ransomware family recently seen in the wild. The malware encrypts sensitive data while appending ".datarip" extension to the locked files. | RANSOM | |
| 11.6.25 | DuplexSpy RAT | DuplexSpy is a new Remote Access Trojan (RAT) variant identified in the wild. The malware is written in C#, has modular architecture and uses DLL injection technique for in-memory payload execution. | VIRUS | |
| 11.6.25 | DragonClone malicious operation | DragonClone is a new malicious campaign identified in the wild. The attackers have been targeting the Chinese Telecom Industry and distributing Veletrix and VShell malware implants as payloads. | OPERATION | |
| 11.6.25 | Golden Piranha - a new banking threat | Golden Piranha is the name of an emerging banking trojan identified by the researchers from SCILabs. The malware is leveraging Google Chrome browser extensions in order to steal banking related inputs from miscellaneous banking website forms. | ||
| 7.6.25 | Interlock ransomware group deploys a new RAT named "NodeSnake" | Interlock ransomware group has been observed deploying a new RAT named "NodeSnake" and targeting educational institutions. | RANSOM | |
| 7.6.25 | APT41 using custom malware "TOUGHPROGRESS" to exploit Google Calendar | Threat Actor group APT41 has been observed using custom malware named TOUGHPROGRESS, which leverages Google Calendar events as its C2 channel, allowing it to hide malicious commands in seemingly benign public calendar entries. | APT | |
| 7.6.25 | Cheating in games might get you Blitz'ed | Blitz is a multi-stage malware composed of downloader and botnet components. A recent report by researchers at Palo Alto Networks provides details of campaigns attempting to proliferate this malware | VIRUS | |
| 7.6.25 | Android malware targets users in India by pretending to be a government app | In some recently observed malicious activity, a fake government application was found to be targeting Android users in India. | VIRUS | |
| 7.6.25 | Chaos RAT malware | A new Golang-based 5.0.3 variant of the Chaos RAT (Remote Access Trojan) has been recently discovered in the wild. | VIRUS | |
| 7.6.25 | Increased activity of DCRAT malware in Latin America | DCRAT (aka Dark Crystal RAT) is a modular RAT (Remote Access Trojan) offered for sale in form of Malware-as-a-Service (MaaS) model for last several years. | VIRUS | |
| 7.6.25 | AMOS malware for macOS spread via Clickfix social engineering techniques | A new campaign delivering the AMOS malware for macOS has been reported to leverage Clickfix social engineering techniques. | VIRUS | |
| 7.6.25 | Fake CAPTCHAs deliver multi-stage PowerShell downloaders | CAPTCHAs are used to determine whether a website visitor is human versus a bot. Malware campaigns have introduced fake CAPTCHAs into the attack chain to encourage interaction by the proposed victim. ClickFix is a name often given to such behavior. | VIRUS | |
| 7.6.25 | ViperSoftX activities continues via fake software | According to recent reports ViperSoftX continues to circulate widely across the globe, with a noticeable uptick in South Korea. | VIRUS | |
| 7.6.25 | CVE-2025-27920 - Srimax Output Messenger Directory Traversal vulnerability | CVE-2025-27920 is a recently discovered directory traversal vulnerability affecting Srimax Output Messenger software. | VULNEREBILITY | |
| 4.6.25 | New campaigns delivering Crocodilus mobile malware | A new variant of the Crocodilus mobile malware has been spread in recent campaigns targeting users in Europe and South America. | CAMPAIGN | |
| 4.6.25 | CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability | CVE-2023-38950 is a path traversal vulnerability affecting ZKTeco BioTime which is a web-based time and attendance management software. | VULNEREBILITY | |
| 4.6.25 | Exploiting the hype around popular AI tools to distribute various malware via fraudulent installers | Threat Actors are exploiting the hype around AI to distribute various malware strains. By capitalizing on the public's eagerness to access popular AI tools (such as ChatGPT, Copilot, DALL-E, Gemini, Midjourney, and Sora) Threat Actors are creating convincing but fraudulent installers. | AI | |
| 4.6.25 | Telegram-Based Email Credential Theft – Fake FedEx Invoice Campaign | Shipping companies are frequently exploited in social engineering attacks due to their global recognition, trusted brand image, and association with package notifications, invoices, and delivery updates—topics that easily trigger urgency, curiosity, and user interaction. These characteristics make them prime targets for phishing and credential theft campaigns. | CAMPAIGN | |
| 4.6.25 | EddieStealer delivered through ClickFix | EddieStealer is a Rust-based information stealer malware which has recently been observed as the payload of ClickFix campaigns. | VIRUS | |
| 4.6.25 | Latest PureHVNC RAT deployment campaigns | New campaigns delivering the PureHVNC RAT have been reported in the wild. The threat actors conduct multi stage operations and make use of miscellaneous components in their attacks including malicious .lnk files, PowerShell code, JavaScript, AutoIt, etc. | CAMPAIGN | |
| 4.6.25 | Python-based Lyrix Ransomware | Lyrix ransomware is a new Python based ransomware discovered in underground forums. It behaves in a manner similar to most current ransomware families | RANSOM | |
| 4.6.25 | New Katz Stealer malware-as-a-service compromises Web browsers | Katz Stealer operates as a multi-feature credential-stealing Malware-as-a-Service, designed for extensive system reconnaissance and data theft. It targets a vast array of sensitive information, including saved passwords, cookies, and session tokens from popular web browsers (Chrome, Edge, Brave, Firefox), cryptocurrency wallet files, and private keys via keyword matching. | VIRUS | |
| 4.6.25 | Earth Lamia exploits various SQL injection vulnerabilities | APT threat actor Earth Lamia exploits vulnerabilities in web applications to gain access to organizations, using various SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations for data exfiltration. | APT | |
| 4.6.25 | Recent VenomRAT activity |
A recent activity attributed to the VenomRAT malware has
been spotted in the wild. Malware is spread from a phishing website
disguised as AV software download page.
|
VIRUS | |
| 4.6.25 | PumaBot - a new botnet on the rise | PumaBot is a new Go-based botnet strain identified recently in the wild. Unlike some more common botnet variants, PumaBot does not rely on scanning the Internet for vulnerable devices but instead targets very specific ones via a list of IP addresses retrieved from the attacker C2 servers. | BOTNET | |
| 4.6.25 | Zanubis mobile malware latest activity | Zanubis is an Android banking malware active in the threat landscape since at least 2022. The malware has been known to mostly target banks and financial entities in South America but also expanding over time and adding theft of virtual cards and cryptocurrency to its portfolio. | ||
| 4.6.25 | AsyncRAT malspam campaigns observed | We've recently observed some malspam campaigns leveraging multiple downloads, starting with box.com, to deliver an AsyncRAT payload. | VIRUS | |
| 4.6.25 | Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress | Fancy Bear (aka APT28, Sofacy, Pawn Storm, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127) is a Russian Threat Actor group that uses spearphishing to deliver SpyPress, a malicious JavaScript payload, by exploiting cross-site scripting (XSS) vulnerabilities in webmail interfaces to exfiltrate sensitive email data from high-value webmail servers. | ALERTS | PHISHING |
| 4.6.25 | Bofamet Stealer malware | Bofamet is a new Python-based infostealer found in the wild. The malware collects miscellaneous information from the compromised endpoints including: credentials, system information, browser cookies, Telegram session data, Discord tokens, screenshots, Steam configuration files, etc. | VIRUS | |
| 28.5.25 | AppleProcessHub infostealer for macOS | AppleProcessHub is the name of a new infostealer variant targeting the macOS platform and masquerading as a system process. | VIRUS | |
| 28.5.25 | Swan Vector APT campaign | A newly APT campaign, dubbed “Swan Vector” has been targeting East Asian nations, particularly Japan and Taiwan. | APT | |
| 28.5.25 | StarFire Ransomware Demands $3,000 in Bitcoin | A group or individual calling themselves "StarFire" has recently emerged in the threat landscape, targeting individual machines with ransomware. | RANSOM | |
| 28.5.25 | DoubleLoader malware | DoubleLoader is a new malware family recently identified in the wild. Its' main functionality, similarly to other loader variants, is to retrieve malicious payloads from attacker-controlled servers and to execute them on the compromised endpoints | VIRUS | |
| 28.5.25 | Another Fake CAPTCHA campaign leads a range of stealers and RATs | There have been reports of another campaign involving fake CAPTCHA pages to deceive users into executing malicious commands via the Windows Run dialog. | ALERTS | VIRUS |
| 23.5.25 | Vidar and StealC infostealers delivered via social engineering | A new campaign distributing Vidar and StealC infostealers variants has been reported by the researchers from Trend Micro. The attackers are leveraging social engineering techniques with the use of TikTok videos in an attempt to entice users into running arbitrary PowerShell commands. | VIRUS | |
| 23.5.25 | Dero cryptominer delivered to vulnerable Docker containers | A new campaign delivering a Dero cryptocurrency miner to vulnerable Docker containers has been reported in the wild. While abusing exposed Docker APIs the attackers inject two malware components called “nginx” and “cloud”. The deployed cryptominer is written in Golang and based off an open-source DeroHE CLI miner project. | CRYPTOCURRENCY | |
| 23.5.25 | TetraLoader distributed in the UAT-6382 campaign | According to recent report from Cisco Talos, a new malicious activity dubbed UAT-6382 has been delivering a new malware called TetraLoader to its victims. The attackers have been leveraging a Cityworks RCE vulnerability (CVE-2025-0994) to get access to the targeted environments and perform the initial reconnaissance. | VIRUS | |
| 23.5.25 | Rhadamanthys delivered via phishing campaign | In a recently observed phishing campaign, we saw attackers attempting to deliver a Rhadamanthys stealer payload by way of a legal lure. Under the guise of a copyright infringement notification, the victim is encouraged to access a PDF for further details. | CAMPAIGN | |
| 22.5.25 | SideWinder APT using old Office Vulnerabilities | A new cyber-espionage campaign by APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers leverage spear-phishing lures paired with geofenced payloads to ensure that only victims in specific countries receives the malicious content. To activate the infection process and deploy the StealerBot malware a combined exploitation of old vulnerabilities (CVE-2017-0199 and CVE-2017-11882) takes place. | ALERTS | APT |
| 23.5.25 | GhostSpy Android malware | GhostSpy is a mobile malware variant recently seen being actively distributed in the wild. Similarly to other prevalent mobile malware strains, GhostSpy leverages Android Accessibility Services in order to sideload malicious .apk packages on the targeted devices. | VIRUS | |
| 23.5.25 | Fake KeePass installers distributed in attacks targeting ESXi environments |
KeePass is a popular open source password manager
application. Recently there have been reports about an ongoing campaign
distributing fake KeePass installers targeted at ESXi environments.
|
HACKING | |
| 23.5.25 | CVE-2024-7399 & CVE-2025-4632 - Samsung MagicINFO vulnerabilities | CVE-2024-7399 is an unauthenticated remote code execution (RCE) vulnerability affecting the Samsung MagicINFO 9 Server. The flaw enables attackers to upload malicious .jsp files via unauthenticated POST requests effectively allowing them to execute arbitrary OS commands as a result. | VULNEREBILITY | |
| 23.5.25 | Spoofed Japan's e-Tax email notifications appear in phish runs | E-Tax is the National Tax Agency's online tax website that helps to file tax returns and pay national corporation taxes. Recently, Symantec has observed phishing attempts mimicking e-Tax, enticing users to open fake notification emails. | PHISHING | |
| 23.5.25 | Malvertising lures victims to fake Kling AI website | Threat Actors use social media malvertising to lure victims to fake pages impersonating Kling AI platform. The campaign directs visitors to use the platform to create AI-generated images and videos. | AI | |
| 23.5.25 | Trojanized installer delivers Bumblebee loader | It was recently observed that the installer package for the RVTools application was trojanized with a Bumblebee loader dll. RVTools is free utility that collects and displays a multitude of information related to Virtual Machines in VMware environments. | VIRUS | |
| 23.5.25 | Russia-Ukraine conflict comes in picture in a new Binance phishing wave | Binance is one of the world's major cryptocurrency exchanges that allows users to buy, sell and trade various digital assets, including Bitcoin, Ethereum, and altcoins. Lately, Symantec has observed phish runs that impersonate Binance services and entices users to open fake notification emails. | PHISHING | |
| 16.5.25 | Stealthy Shellcode loader executes Remcos RAT in Fileless Attack Chain | A sophisticated fileless malware campaign has been observed leveraging PowerShell to deploy the Remcos RAT. The attack begins with malicious LNK files embedded in ZIP archives, often masquerading as Office documents. These trigger obfuscated VBScript via mshta.exe leading to the in-memory execution of a PowerShell script. | VIRUS | |
| 16.5.25 | Earth Ammit cyber espionage campaigns | The Threat Actor known as Earth Ammit launched two distinct cyber espionage campaigns (dubbed VENOM and TIDRONE) across Central Asia, Southeast Asia, and Eastern Europe. These campaigns strategically target government entities and critical infrastructure - such as software service providers and upstream vendors across several critical sectors, including heavy industry, media, technology, healthcare, and military. | CAMPAIGN | |
| 16.5.25 | TransferLoader malware | TransferLoader is a newly identified malware loader active since February 2025, consisting of three components: a downloader, a backdoor and a backdoor loader. It uses advanced evasion techniques such as anti-debugging, runtime string decryption and junk code insertion to avoid detection and complicate reverse engineering. | VIRUS | |
| 16.5.25 | New DarkCloud malware uses AutoIt obfuscation in targeted attacks | According to a report published by Palo Alto Networks Unit 42, a new variant of the DarkCloud Stealer malware has been observed primarily targeting government organizations worldwide. The attack typically begins with phishing emails containing either a RAR archive or a PDF which prompts victims to download a malicious archive disguised as a software update. | VIRUS | |
| 16.5.25 | Chihuahua Stealer malware | Chihuahua Stealer is a new .NET-based infostealer distributed via a multi-staged campaign. The attackers leverage malicious documents hosted on the Google Drive repository and malicious PowerShell scripts to initiate the infection chain. The final payload - Chihuahua Stealer is delivered from a OneDrive repository path and has the functionality to collect and exfiltrate various sensitive data from the compromised endpoints including system information, data stored in the system web browsers, cryptocurrency wallet information, etc. | VIRUS | |
| 16.5.25 | PupkinStealer: A .NET-based Malware | PupkinStealer, a .NET-based malware has been observed being distributed via phishing emails containing malicious attachments or links. Targeting Windows users, the malware is capable of stealing sensitive data from Chromium-based browsers, Telegram, Discord, email clients, clipboard contents and more. The stolen data is compressed into a ZIP archive and exfiltrated using the Telegram Bot API. | VIRUS | |
| 13.5.25 | BTMOB RAT | According to recent reports, BTMOB RAT has resurfaced and now aims to steal Alipay PINs by mimicking the app’s interface. It spreads via phishing sites disguised as popular services and uses fake apps to lure victims. | VIRUS | |
| 13.5.25 | Noodlophile Stealer spread under the disguise of fake AI tools | An infostealing variant dubbed Noodlophile Stealer has been recently distributed in campaigns leveraging lures of AI video generators. The attackers have been advertising their fake AI platforms via social media platforms. The users are first asked to upload either photos or video for the AI to enhance and then are served with a download link for the supposedly edited content. | VIRUS | |
| 13.5.25 | Astryrean Stealer malware | Astryrean Stealer is a new Python-based infostealer recently identified in the wild. The malware targets collection and exfiltration of a wide variety of confidential or sensitive information including: compromised system information, data stored in system web browsers, Discord tokens or screenshots, among others. | VIRUS | |
| 13.5.25 | More_eggs served by Venom Spider | In a recent campaign threat actor known as "Venom Spider" has been targeting corporate hiring managers and recruiters with a complex spear-phishing scheme that capitalizes on the need for such users to open email attachments or click on links to review an applicants resume . | CAMPAIGN | |
| 9.5.25 | Earth Kasha threat actor targets Taiwan and Japan in a recent campaign | As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file. | APT | |
| 9.5.25 | Deployment of RMM tools in malicious campaigns targeting Brazil | A new malicious campaign targeting users from Brazil has been reported by researchers from Cisco Talos. The attackers leverage a variety of commercial Remote Monitoring and Management (RMM) tools such as PDQ Connect and N-able remote access software. | VIRUS | |
| 9.5.25 | Mamona Ransomware |
Mamona Ransomware is a newly discovered threat in the
commodity ransomware landscape that operates entirely offline, with no
external communication or data exfiltration. The malware uses custom
encryption routines to encrypt user files, renaming them with the .HAes
extension.
|
RANSOM | |
| 9.5.25 | Mail campaign delivers Java-based RAT | A malicious email campaign was recently observed targeting organizations in Italy, Portugal, and Spain. The campaign leveraged a Spanish email service provider in an effort to legitimize the emails which contained a PDF attachment. | ||
| 9.5.25 | LZRD - the latest Mirai variant distributed in the wild | New campaigns distributing Mirai botnet have been reported in the wild. The malware exploits two command injection vulnerabilities affecting GeoVision IoT devices that have been disclosed last year - CVE-2024-6047 and CVE-2024-11120. | BOTNET | |
| 9.5.25 | CVE-2025-31324 - a critical SAP NetWeaver vulnerability | CVE-2025-31324 is a recently disclosed critical (CVSS score 10) unrestricted file upload vulnerability affecting the SAP NetWeaver Visual Composer. | VULNEREBILITY | |
| 9.5.25 | CVE-2025-32433 - Erlang/OTP SSH RCE vulnerability | CVE-2025-32433 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Erlang/OTP which is a set of libraries for the Erlang programming language. If successfully exploited, the flaw might allow unauthenticated attackers to gain access to affected Erlang/OTP SSH servers and execute arbitrary commands. | VULNEREBILITY | |
| 9.5.25 | Bert Ransomware | In April, a new ransomware actor known as "Bert" was observed operating in the wild and allegedly claimed several organizations as victims, including those in the Healthcare, Technology, and Event Services sectors across the US and Turkey. | RANSOM | |
| 9.5.25 | NETXLOADER - a new loader used by the Agenda ransomware group | In a recent report, details about a new malware loader named NETXLOADER have been shared. This loader, along with SmokeLoader, has been used in attacks perpetrated by the Agenda ransomware group. | VIRUS | |
| 9.5.25 | Threat Actors use Pahalgam attack in malicious campaign | In a strategic approach to exploiting current events threat actors target Indian government personnel using decoy documents referencing the recent Pahalgam attack in a malicious campaign. | VIRUS | |
| 9.5.25 | FormBook malware distributed via weaponized Word Docs | A recent attack beginning with phishing emails containing malicious MS Word documents as attachments has been observed. Social engineering plays a part in luring users to click on the weaponized attached document. | VIRUS | |
| 9.5.25 | Balloonfly ransomware group leveraged 0-day in attack | The Symantec Threat Hunter team recently observed activity which can be attributed to the Balloonfly attack group. This group is typically responsible for distributing Play ransomware. | VULNEREBILITY | |
| 9.5.25 | CVE-2025–34028: Commvault Command Center Path Traversal Vulnerability | CVE-2025-34028 is a critical vulnerability found in the Command Center installation, enabling remote attackers to execute arbitrary code without authentication. | VULNEREBILITY | |
| 9.5.25 | Notaires de France Impersonated in Telegram-based Phishing Campaign | Symantec has identified a credential phishing campaign leveraging malicious HTML that mimic official French notarial services – a professional body of state-appointed legal officers, known as notaires. It serves as a central information hub for legal matters in France involving notarized acts. | PHISHING | |
| 9.5.25 | StealC V2: Enhanced capabilities | An enhanced version of the popular information stealer, StealC, has been observed. It features an upgraded control panel, a streamlined JSON-based C2 communication protocol and expanded payload delivery options including MSI packages and PowerShell scripts. | VIRUS | |
| 9.5.25 | TerraStealerV2 and TerraLogger malware families | Two new malware families, TerraStealerV2 and TerraLogger, have been reported in the wild and are associated with the financially motivated threat group Golden Chickens. | VIRUS | |
| 9.5.25 | Tax season targeted by modified Stealerium Infostealer | As U.S. tax day approaches, threat actors have been observed exploiting the season by distributing a modified version of the Stealerium infostealer through phishing emails. Malicious LNK files, disguised as tax-related documents like tax forms lure users into executing a Base64-encoded PowerShell script. | ALERTS | VIRUS |
| 2.5.25 | MintsLoader: The loader powering TAG-124’s targeted campaigns | MintsLoader, a sophisticated loader first observed in 2024, is extensively used by TAG-124, more than by any other threat actor to deploy malicious payloads such as GhostWeaver, StealC and a modified BOINC client. These attacks primarily target sectors including industrial, legal and energy. | VIRUS | |
| 2.5.25 | Discovery Bank Impersonated in FICA-Themed Smishing Scam | Discovery Bank, a well-known digital bank in South Africa, has had its brand abused by a group or individual in a recent smishing campaign aimed at harvesting mobile users' banking credentials. The attack begins with a malicious SMS that leverages FICA (Financial Intelligence Centre Act in South Africa) compliance as a lure. | PHISHING | |
| 2.5.25 | ClickFix social engineering tactic being used by various APT groups | ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms. | APT | |
| 2.5.25 | Iranian threat actor targeted critical Middle Eastern infrastructure | Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East. | APT | |
| 2.5.25 | Spear phishing campaign targets WUC with trojanized Uyghur Text Editor | A spear phishing campaign delivering surveillance malware targeting high profile members of the World Uyghur Congress (WUC) has been reported. As part of the attack a trojanized version of a legitimate Uyghur language text editor to gain remote access, collect system information, and manipulate files. | PHISHING | |
| 2.5.25 | Pentagon Stealer | Pentagon Stealer is a recently identified malware strain built using both Python and Golang, engineered to exfiltrate a broad array of sensitive information. It primarily targets browser credentials, cookies, cryptocurrency wallet data and authentication tokens from apps like Discord and Telegram. | VIRUS | |
| 2.5.25 | Hannibal Infostealer | Hannibal Infostealer is a sophisticated malware observed in the wild, rebranded from the Sharp and TX stealer families. Developed in C#, it targets both Chromium and Gecko-based browsers, extracting sensitive data while bypassing browser protection. | VIRUS | |
| 2.5.25 | TypeLib hijacking via Teams | A Microsoft Teams phishing campaign was found to spread a unique PowerShell backdoor in recent attacks. The Threat Actor known as Storm-1811 initiates the attack by employing social engineering tricks on a targeted employee via Microsoft Teams chat, posing as internal IT support staff. | PHISHING | |
| 2.5.25 | Gremlin Stealer | Gremlin Stealer is a new C#-based malware variant recently discovered by the researchers from Palo Alto. Gremlin Stealer is currently advertised for sale via Telegram channels. | VIRUS | |
| 2.5.25 | CVE-2025-24054 - NTLM vulnerability exploited in the wild | CVE-2025-24054 is a recently disclosed vulnerability related to NTLM (New Technology LAN Manager) hash disclosure via spoofing. With help of crafted .library-ms files, an unauthorized attacker might be able to perform spoofing over the network. | ALERTS | VULNEREBILITY |