ALERTS
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 5.12.25 | Benzona Ransomware | A new ransomware operation known as Benzona has surfaced, showing signs of rapid development and growing confidence. The malware encrypts victim files using the “.benzona” extension and drops a ransom note titled RECOVERY_INFO.txt, warning that sensitive data has already been exfiltrated. Victims are given a 72-hour deadline to negotiate via a Tor-based chat portal, with threats of data publication should they refuse. | RANSOM | |
| 5.12.25 | DupeRunner and AdaptixC2 malware deployed within Operation DupeHike | SEQRITE researchers have uncovered a targeted cyber espionage campaign dubbed Operation DupeHike. The campaign focuses on HR, payroll, and administrative departments across various sectors. The attack relies on sophisticated social engineering, deploying realistic decoy documents centered on employee financial bonuses to lure victims. | OPERATION | |
| 5.12.25 | Symbiote and BPFdoor Linux malware variants implement new eBPF filters | Symbiote and BPFdoor are two Linux malware strains known to use a Berkeley Packet Filter (BPF) packet sniffer to monitor network traffic and to communicate only over ports that are already open, bypassing firewall rules and network protections. As reported by researchers from Fortinet, both malware families have recently implemented new extended Berkeley Packet Filter (eBPF) programs within the distributed payloads. | VIRUS | |
| 5.12.25 | Datebug APT deploys malware targeting BOSS Linux systems | The Pakistan-based advanced persistent threat (APT) group known as Datebug (aka APT36, Transparent Tribe, Storm-0156) is reported to be behind recent attacks targeting Indian government entities running Bharat Operating System Solutions (BOSS) Linux. | APT | |
| 5.12.25 | CVE-2025-61757 - Oracle Fusion Middleware vulnerability | CVE-2025-61757 is a recently disclosed critical (CVSS score 9.8) missing authentication vulnerability affecting the Identity Manager product of Oracle Fusion Middleware. If successfully exploited the flaw might allow unauthenticated attackers with HTTP network access to compromise Identity Manager, leading to takeover of the vulnerable Identity Manager instance. | VULNERABILITY | |
| 5.12.25 | CVE-2025-12480 - Gladinet Triofox vulnerability | CVE-2025-12480 is a recently disclosed critical (CVSS score 9.1) improper access control vulnerability affecting the Gladinet Triofox file server and storage solution. If successfully exploited the flaw might allow unauthenticated remote attackers to reach the vulnerable application's configuration pages and upload and execute arbitrary payloads. | VULNERABILITY | |
| 5.12.25 | LotusHarvest malware deployed in Operation Hanoi Thief | SEQRITE Labs’ researchers have identified "Operation Hanoi Thief," a malicious cyber campaign targeting IT professionals and HR recruiters in Vietnam. The campaign employs spear-phishing emails containing fake resumes to deliver malware used to steal confidential user data. | OPERATION | |
| 5.12.25 | Arkanix Stealer | Researchers at G DATA recently observed a new infostealer dubbed Arkanix. According to their findings, it was initially built in Python and distributed via Discord as a fake “utility,” but it quickly evolved — a native C++ “premium” version now exists, complete with VMProtect obfuscation. Its capabilities are standard for commodity stealers. | VIRUS | |
| 5.12.25 | Albiriox mobile RAT | Albiriox is a new Android malware operating under a Malware-as-a-Service (MaaS) model, designed to facilitate on-device fraud, VNC-based remote control and overlay attacks. As reported by researchers from Cleafy, the malware spreads through social engineering, specifically targeting Austrian victims via fake applications distributed through SMS and WhatsApp lures. | VIRUS | |
| 5.12.25 | CVE-2025-34299 - Monsta FTP vulnerability | CVE-2025-34299 is a recently disclosed critical (CVSS score 9.3) arbitrary file upload vulnerability affecting Monsta FTP (version 2.11.2 and earlier). If successfully exploited the flaw might allow unauthenticated remote attackers to achieve arbitrary code execution by having the application fetch a specially crafted file from a malicious SFTP or FTP server. | VULNERABILITY | |
| 29.11.25 | TangleCrypt packer employed in recent StoneStop malware delivery campaign | The researchers from WithSecure have released a technical analysis of TangleCrypt, a previously undocumented packer identified in recent attacks utilizing StoneStop EDR killer malware. | VIRUS | |
| 29.11.25 | Flexible Ferret malware distribution campaigns continue to target macOS users | A new run of the malicious campaign dubbed "Contagious Interview" has been reported by researchers from Jamf. The attackers target macOS users, lure them to fake job websites, and then trick them into downloading malware via bogus software updates. | VIRUS | |
| 29.11.25 | W-8BEN Phishing Alert: Interactive Brokers users targeted via fake login pages | Interactive Brokers (IBKR) is a large, global securities firm offering an electronic trading platform for sophisticated investors, active traders, and institutions across a wide range of products. Recently, a phishing campaign was identified that impersonates a request for the W-8BEN tax form, primarily targeting non-U.S. residents to steal sensitive data. | PHISHING | |
| 29.11.25 | Recent ShadowV2 - a Mirai variant delivery campaign | FortiGuard Labs recently reported on ShadowV2, a Mirai-based malware, targeting IoT devices during the large-scale AWS disruption incident in October. | BOTNET | |
| 29.11.25 | StealC malware campaign targets Blender users | StealC malware was deployed in a campaign by Russian-linked threat actors targeting users of the popular open-source 3D creation suite, Blender. The multi-stage attack involves malicious .blend files published to legitimate 3D marketplaces. | VIRUS | |
| 29.11.25 | Silver Fox Campaign Uses Fake Apps & BYOVD | Researchers recently observed a “SwimSnake / Silver Fox” campaign distributing remote-control malware via SEO-boosted fake download sites that impersonate apps like Youdao Translator and WPS. The loaders perform multilayered decryption, use around 80 encrypted fallback C2 addresses, and deploy Gh0st-derived plugins to conceal payloads and support spying, remote command execution, and DDoS. | CAMPAIGN | |
| 29.11.25 | Banking malware spread to Brazilian users in campaign leveraging phishing and WhatsApp messaging | A sophisticated malware campaign, identified by K7 Security Labs as part of the "Water-Saci" operation, is targeting the Brazilian financial sector through a hybrid phishing and WhatsApp messaging propagation strategy. Initial access is gained via phishing emails with malicious .VBS attachments, followed by the deployment of Python scripts and Selenium webdriver used to hijack WhatsApp Web sessions. | VIRUS | |
| 29.11.25 | TamperedChef activity continues | TamperedChef is a cyber campaign utilizing malvertising and Search Engine Optimization (SEO) to distribute malicious payloads. The operation targets users searching for common software like web browsers, PDF editors, or product manuals. | CAMPAIGN | |
| 29.11.25 | Autumn Dragon APT activity | Autumn Dragon is a sophisticated cyber espionage campaign targeting government and media organizations across Southeast Asia. As reported by the researchers from CyberArmor, the campaign has been active since early 2025. It begins with spearphishing emails containing a malicious RAR archive that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR. | APT | |
| 29.11.25 | Tsundere botnet | Researchers at Kaspersky have identified a growing botnet named Tsundere, which has been targeting Windows users since at least mid-2025. The malware is primarily propagated through fake MSI installers disguised as installers for popular video games or other pirated software. | BOTNET | |
| 29.11.25 | New variant of Shai-Hulud worm found targeting npm packages | A new, aggressive wave of the "Shai Hulud" malware campaign has been reported, compromising hundreds of packages and impacting major organizations including Zapier, Postman, AsyncAPI, and ENS Domains. The malware operates like a sophisticated worm, autonomously spreading by re-publishing itself into other packages maintained by the compromised individual. | VIRUS | |
| 29.11.25 | CCLand Ransomware | A ransomware actor calling itself “CCLand Team” has recently surfaced. The group presents itself as purely financially motivated and appears to follow a conventional double-extortion model, claiming data theft, file encryption and threatening public disclosure. In the recent activity, they demanded USD 50,000 in Bitcoin with a one-week deadline. | RANSOM | |
| 23.11.25 | Sturnus mobile malware | A new Android malware called Sturnus has been discovered by MTI Security researchers and is reportedly used to target customers of financial institutions in Southern and Central Europe. The malware is disguised as known legitimate apps, such as Google Chrome and Preemix Box. | VIRUS | |
| 23.11.25 | BadAudio malware distributed in campaigns attributed to Budminer APT group | Google’s Threat Intelligence Group has identified a sophisticated espionage campaign orchestrated by a threat actor known as Budminer (aka APT24 or Spicy Panda). Since at least 2022, the group has deployed a previously undocumented malware strain dubbed BadAudio to targeted Windows systems. | VIRUS | |
| 23.11.25 | Eternidade Stealer | The Eternidade stealer is a banking Trojan targeting Brazilian users. The campaign utilizes malicious scripts to propagate through WhatsApp and download the payload. This malware also features backdoor functionality, leveraging IMAP to identify the active C2. | VIRUS | |
| 23.11.25 | Backdoor NKNShell | Researchers have recently published a blog on a threat actor (Larva-24010) who has been compromising a South Korean VPN provider's official site to covertly install malware. The installer masquerades as a legitimate VPN client but triggers a PowerShell script that disables defenses and drops three key tools: the backdoor NKNShell, the remote-management agent MeshAgent, and the remote-shell gs-netcat. | VIRUS | |
| 23.11.25 | Hospital-Impersonation Malspam Drives VIPKeylogger Targeting Across EU and Turkey | A new malspam campaign delivering VIPKeylogger is circulating across multiple regions, with the actor impersonating a prominent Turkish private hospital group / healthcare institution to establish credibility. The phishing email—bearing the subject “SİPARİŞİMİZDİR HK.” and posed as a procurement-related message—arrived from a spoofed sender and carried a RAR attachment framed as a purchase order. | VIRUS | |
| 23.11.25 | Steganography .NET Loader spreading Lokibot | In its latest analysis, the Splunk Threat Research Team has dissected a .NET loader that uses steganography to smuggle the Lokibot credential-stealer. Hiding modules inside image resources and loading them at runtime, the loader evades static detection and embeds a dual-stage container that ultimately drops Lokibot. | VIRUS | |
| 23.11.25 | ShinySp1d3r Ransomware | ShinySp1d3r is a new ransomware variant offered under a Ransomware-as-a-Service (RaaS) model. The malware is attributed to the threat actor known as ShinyHunters. BleepingComputer has reported on the discovery of a Windows encryptor variant of this ransomware. | RANSOM | |
| 23.11.25 | Threat actors delivering RMM packages with help of seasonal party invite lures | A highly active threat actor that specializes in using the ScreenConnect remote management and monitoring (RMM) software in its attacks has changed tactics and is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk. | HACKING | |
| 23.11.25 | DigitStealer – MacOS stealer | Jamf Threat Labs examined DigitStealer, a macOS infostealer spread through a deceptive disk image that prompts users to run a Terminal script, slipping past Gatekeeper controls. According to their analysis, after checking the system’s region and evading virtual machines, the malware moves through a multi-stage chain that blends AppleScript and obfuscated JXA to harvest browser data, VPN creds, and crypto-wallet information. | VIRUS | |
| 23.11.25 | Amatera stealer delivered via ClickFix in EVALUSION campaign | Social engineering is an important component of a successful attack by threat actor groups. Researchers at eSentire have highlighted a recent campaign, identified as EVALUSION, whereby targets are socially engineered to participate in their own compromise via the ClickFix technique. | CAMPAIGN | |
| 23.11.25 | GMER anti-rootkit utility | Dual-use tools are common components of attack campaigns by established threat actors. A highly popular tool that is often observed in such attacks is the anti-rootkit utility GMER. | CAMPAIGN | |
| 23.11.25 | RONINGLOADER | Researchers at Elastic recently published an article on RONINGLOADER, a multi-stage Windows loader used by the DragonBreath (APT-Q-27) group and delivered through tampered installers disguised as everyday apps like Chrome or Teams. | VIRUS | |
|
15.11.25 |
Attackers leverage software brand impersonation to deliver Gh0st RAT |
A report by Unit42 at Palo Alto Networks highlights two brand impersonation campaigns observed in 2025 that deliver a Gh0st RAT payload. |
||
|
15.11.25 |
A new malspam campaign impersonating the GLS delivery service has been reported by CERT AGID. The attackers leverage malicious emails themed with a failed parcel delivery and urge the recipients to open an attached XHTML file. |
|||
|
15.11.25 |
Researchers from Canva Threat Detection and Hunting team reported on an increased use of weaponized AppleScript (.scpt) files by the malicious threat actors. |
|||
|
15.11.25 |
The DanaBot malware has resurfaced with a new Windows variant, approximately six months after its activity was severely disrupted by the international law enforcement action, Operation Endgame. |
|||
|
15.11.25 |
A new report by researchers at Cisco Talos details recent activity related to the Kraken ransomware group. The group, established in early 2025, runs a double extortion operation with no specific industry or geographical focus. |
|||
|
15.11.25 |
SkyCloak campaigns target Russian and Belarusian military entities |
Russian and Belarusian military entities are targeted in a multi-stage attack, intent on allowing backdoor access for the attackers. Details of the activity, given the name Operation SkyCloak in a report published by Seqrite, are further corroborated in a report shared by researchers at Cyble. |
||
|
12.11.25 |
CHAMELEON#NET campaign - from DarkTortilla loader to FormBook payload |
A new sophisticated malspam campaign utilizing the DarkTortilla .NET malware loader to deliver the FormBook Remote Access Trojan (RAT) has been documented by the researchers from Securonix. The attack is initiated via phishing, where users are manipulated into downloading a compressed .BZ2 archive containing a highly obfuscated JavaScript dropper. |
||
|
12.11.25 |
A new phishing campaign targeting hospitality industry customers |
A recent phishing campaign reported by the researchers from Sekoia is targeting hospitality customers. A key intrusion tactic involves sending malicious emails to popular hospitality sector businesses that lure the staff into clicking a URL employing the "ClickFix" social engineering technique, ultimately manipulating them into executing a malicious PowerShell command. |
||
|
9.11.25 |
CVE-2025-6205 - DELMIA Apriso vulnerability exploited in the wild |
CVE-2025-6205 is a recently disclosed critical (CVSS score 9.1) missing authorization vulnerability affecting DELMIA Apriso from release 2020 through release 2025. If successfully exploited the flaw might allow attackers to gain privileged access to the vulnerable application instances. This vulnerability has been added just last week to the CISA Known Exploited Vulnerabilities (KEV) Catalog following the reports of the in-the-wild exploitation. |
||
|
9.11.25 |
Remote monitoring and management (RMM) tools are a common payload in today's threat landscape. A recent report by researchers at Proofpoint details campaigns against cargo and freight companies to attempt cargo theft. |
|||
|
9.11.25 |
A new variant of the BankBot mobile malware has been reported by the researchers from Cyfirma. This strain implements updated anti-emulation techniques. During initialization, it inspects device attributes like device manufacturer and model identifiers to detect virtualized or sandboxed environments, dynamically altering its behavior to evade automated analysis. |
|||
|
9.11.25 |
Recent activity focusing on organizations influencing U.S. policy |
China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues. |
||
|
9.11.25 |
New NGate mobile malware campaign targeting Polish banking users |
CERT Polska has uncovered a new mobile malware campaign called NGate that uses an NFC Relay attack to drain cash from victims' bank accounts at ATMs. The attack targets users of Polish banks and starts with a fake security message (email or SMS) concerning a technical issue or incident, tricking the victim into installing a malicious Android app. |
||
|
9.11.25 |
RMM Abuse Continues — Malicious LogMeIn Resolve Activity on the Rise |
In recent weeks we observed a decline in malicious ScreenConnect activity and a concurrent rise in campaigns abusing LogMeIn Resolve RMM (aka GoTo Resolve) – Using the “Unattended Access” feature within Resolve, which allows access to and control of computers or servers without an end user being present. |
||
|
9.11.25 |
CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild |
CVE-2025-24893 is a recently disclosed template-injection vulnerability affecting XWiki, which is a open-source wiki software platform. If successfully exploited the flaw might allow unauthenticated attackers to inject and execute arbitrary Groovy code through crafted requests. |
||
|
9.11.25 |
Symantec has identified a new Agent Tesla campaign leveraging business-themed social engineering to target organizations across Latin America, Spain, and other international sectors. The actor impersonates a company that advertises outsourced management, consulting, and facility services. |
|||
|
9.11.25 |
CVE-2025-54247 is a recently disclosed improper input validation vulnerability affecting Adobe Experience Manager versions 6.5.23.0 and earlier. If successfully exploited the flaw might allow low-privileged attackers to bypass security measures and gain unauthorized read access. Product vendor has already released respective security patches to address this vulnerability. |
|||
|
9.11.25 |
Aramex, a global logistics and transportation company based in Dubai, offers services such as express courier delivery, freight forwarding, and supply chain management for businesses and consumers. Symantec has detected a new wave of phishing attacks that mimic Aramex services to steal credentials. |
|||
|
9.11.25 |
CVE-2025-54236 (aka SessionReaper) is a recently disclosed critical (CVSS score 9.1) improper input validation vulnerability affecting Adobe Commerce and Magento solution. If successfully exploited the flaw might allow an attacker for a session takeover through the Commerce REST API. |
|||
|
9.11.25 |
CVE-2025-11371 - Gladinet CenterStack LFI vulnerability exploited in the wild |
CVE-2025-11371 is a recently disclosed local file inclusion (LFI) vulnerability in Gladinet CenterStack and Triofox platforms, which are self-hosted file sharing solutions. If successfully exploited the flaw might allow attackers to perform unauthenticated remote file inclusion, retrieval of configuration keys and subsequent remote code execution. The vulnerability has been reported as being exploited in the wild. |
||
|
9.11.25 |
New phishing campaign targets Tether users with fake anti-money laundering notices |
A new phishing campaign has been observed, spoofing Tether and targeting its users with fraudulent anti-money laundering (AML) notice emails. Tether, a widely adopted stablecoin with tokens pegged 1-to-1 to fiat currencies and backed by reserves, is a popular target for such scams. |
||
|
9.11.25 |
Tangerine Turkey is a crypto mining campaign, delivered by the less-than-efficient mechanism of removable USB drives. The USB contains all the necessary components to complete the attack. Execution starts with a .vbs file which drops and executes a .bat. |
|||
|
9.11.25 |
BlueNoroff targets Crypto Sector with GhostCall and GhostHire campaigns |
Two new campaigns by the BlueNoroff APT group, dubbed GhostCall and GhostHire, targeting cryptocurrency and Web3 professionals, have been reported by Kaspersky. In GhostCall, attackers impersonate venture capitalists or startup founders luring victims into fake online meetings via Zoom or Teams and prompting them to install a “security update” that deploys multi-stage malware on macOS or Windows. |
||
|
9.11.25 |
Airstalk, a Windows-based malware recently discovered by researchers at Unit42 of Palo Alto Networks. The name is derived from the malware's use of the AirWatch API for mobile device management (MDM) for C2 communications. Variants written in both PowerShell and .NET have been observed, with the .NET variant having more capabilities. |
|||
|
9.11.25 |
Attackers linked to Russia continue activity against Ukraine |
Attacks against a large business services organization and a local government organization were recently observed by our Threat Hunter team. Fueled by a heavy reliance on Living-off-the-Land tactics and dual-use tools, the attacker's goal appears to be establishing persistence and theft of sensitive information. |
||
|
9.11.25 |
Microsoft patched a critical unauthenticated RCE in Windows Server Update Services (CVE‑2025‑59287) with an out-of-band update on Oct 23, 2025, after the initial October Patch Tuesday release proved incomplete. Exploit code and active attacks were observed within hours, prompting warnings from security vendors, incident responders and CISA’s KEV catalog. |
|||
|
9.11.25 |
An advanced Android malware strain named GhostGrab that is actively used to mine cryptocurrency and steal banking credentials from compromised devices has been reported by CYFIRMA. |
|||
|
28.10.25 |
DarkCloud Campaign Targets Thailand and Turkey in Dual-Variant Operation |
Symantec has observed two concurrent DarkCloud campaigns leveraging the same PE payload distributed via a RAR archive. Both campaigns share identical execution chains and TTPs, but differ in regional focus, language localization, and spoofed organizations. |
||
|
28.10.25 |
Agent Tesla campaign impersonates WeTransfer to phish wide range of targets |
Symantec has observed a new Agent Tesla campaign that uses WeTransfer-themed lures to deliver a 7z archive containing the malware. The campaign targets a wide range of sectors, including Technology and IT (global and Taiwan), Finance and Banking (UK), Manufacturing and Electric industries, News and Media (South Africa and Israel), Education (Falkland Islands), and other commercial sectors across multiple countries — indicating opportunistic, broad targeting rather than a single vertical. |
||
|
28.10.25 |
Dark Vision campaign: Procurement email → fake PDF update → LZH archive → signed PE + DLL |
A new Dark Vision campaign uses procurement-themed social engineering to push victims from a PDF to an LZH archive hosted on domain. The archive extracts a signed 64-bit executable (InstCont.exe) which side-loads a 64-bit DLL (Instup.dll). Targets observed across manufacturing, construction & tech sectors in Taiwan, Germany, the U.S., and Sweden. |
||
|
28.10.25 |
The Qilin threat group operates a very prolific Ransomware-as-a-Service (RaaS) business model. A report by researchers at Cisco Talos provides highlights of recent Qilin activity. North America and Europe are the most targeted regions, with manufacturing, professional and scientific services, and wholesale trade as the most impacted industries. |
|||
|
28.10.25 |
Phishing campaign impersonates Exness to steal trading account credentials |
Founded in 2008, Exness is a global online multi-asset broker that provides clients with the opportunity to trade Contracts for Difference (CFDs) across a variety of financial instruments, including forex, cryptocurrencies, indices, commodities and stocks. |
||
|
28.10.25 |
Symantec has observed a phishing campaign that is targeting organizations across Austria by impersonating the Österreichische Datenschutzbehörde (Austrian Data Protection Authority). Targeting multiple sectors including finance, insurance, IT consulting, manufacturing, healthcare, and public services |
|||
|
28.10.25 |
Group-IB has reported a new malware campaign by the Iran-linked APT group Seedworm (aka MuddyWater) deploying the Phoenix v4 backdoor, primarily targeting government, defense and international organizations in the Middle East with spillover activity across Europe, Africa and North America |
|||
|
28.10.25 |
A new campaign exploiting misconfigured Windows Internet Information Services (IIS) servers across the globe has been reported by the researchers from Elastic Security Labs. The initial compromise leveraged IIS web servers using ASP.NET machine keys - cryptographic keys used for encryption and data validation - that were exposed in publicly shared resources. |
|||
|
28.10.25 |
The state-sponsored threat group Brimstone (also known as ColdRiver, UNC4057, Star Blizzard, and Callisto) rapidly overhauled its operations following the May 2025 public disclosure of its LostKeys malware as reported by the researchers from Google. |
|||
|
28.10.25 |
CVE-2025-33073 - SMB Client Privilege Escalation vulnerability exploited in the wild |
CVE-2025-33073 is a high severity (CVSS score 8.8) privilege escalation vulnerability in Windows Server Message Block (SMB) Client that has been disclosed earlier in June 2025. |
||
|
28.10.25 |
CVE-2025-41243 is a recently disclosed high severity (CVSS score 8.1) remote code execution vulnerability affecting Spring Cloud Gateway WebFlux which is an API Gateway built on the reactive Spring WebFlux framework. |
|||
|
28.10.25 |
Released in early October 2025, Vidar Stealer has been fully rewritten in the C programming language and now runs multithreaded, allowing it to complete data-collection tasks far faster and more efficiently than before. |
|||
|
28.10.25 |
Caminho LaaS: Stealthy malware delivery via Image Steganography |
Arctic Wolf reported a new Loader-as-a-Service (LaaS) operation called Caminho, which originates in Brazil and leverages LSB steganography to conceal malicious payloads within image files. It is primarily delivered via spear-phishing emails carrying malicious JavaScript or VBScript files; when those scripts are executed, the loader retrieves an image containing a hidden payload, extracts it using LSB techniques and runs it directly in memory |
||
|
28.10.25 |
The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after it was discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025. Warlock is an unusual threat. |
|||
|
28.10.25 |
China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025. The same threat actors also compromised two government departments in the same African country during the same time period. |
|||
|
28.10.25 |
Cybersecurity researchers at Seqrite Labs have identified a new campaign utilizing CAPI backdoor, a previously undocumented .NET malware, likely targeting E-commerce and automotive industries. The analysis is based upon a discovered malicious ZIP archive, which suggests the infection chain begins with phishing emails. |
|||
|
28.10.25 |
UAC-0239 group targets Ukraine with OrcaC2 framework and FILEMESS stealer |
CERT-UA published details about recent activity associated with the threat group UAC-0239. The group engaged in campaigns against Ukranian Defense forces and local governments, initiated through spear phishing. The emails were socially engineered to appear as communications by the Security Service of Ukraine. |
||
|
28.10.25 |
Kaiji is a malware variant primarily targeting Linux-based servers and IoT devices by exploiting vulnerable internet-connected services. As reported by the researchers from Aquasec, the malware’s main objectives is to launch large-scale Distributed Denial of Service (DDoS) attacks and proxy malicious traffic, effectively leveraging infected devices as part of a botnet. |
|||
|
19.10.25 |
A new campaign reported by Securelist researchers has been leveraging WhatsApp messenger to distribute a new sophisticated banking trojan named Maverick. The attack has been targeting Brazilian users and utilizing .ZIP archives containing malicious LNK files. |
|||
|
19.10.25 |
Purseweb APT delivers updated BeaverTail and OtterCookie variants in the latest campaign |
Cisco Talos researchers have identified a new campaign attributed to the Purseweb (aka Famous Chollima) threat group that targets job seekers using fake employment offers. The attackers deploy custom infostealing malware strains including BeaverTail and OtterCookie. |
||
|
19.10.25 |
A spear-phishing campaign dubbed Operation Silk Lure, which targets Chinese HR and hiring teams in fintech, crypto exchanges and trading firms by weaponizing realistic résumés, has been uncovered by Seqrite Labs. Attackers send CVs containing malicious .lnk shortcuts that download a second-stage payload, deploy a script to create a hidden daily scheduled task for persistence, and then RC4-decrypt an in-memory loader that launches the final payload — ValleyRAT. |
|||
|
19.10.25 |
Katz Stealer delivered by PhantomVAI loader in a recent campaign |
A new campaign leveraging PhantomVAI Loader to distribute information-stealing malware via an evasive, multi-stage infection chain has been reported by the researchers from Unit42. The loader, initially known as Katz Stealer Loader, was primarily used to deliver the Katz Stealer malware but recently has also been noted to deliver a variety of other infostealer variants such as DcRAT, AsyncRAT, XWorm or FormBook. |
||
|
19.10.25 |
CVE-2025-61882 - Oracle E-Business Suite 0-Day vulnerability |
CVE-2025-61882 is a recently disclosed critical (CVSS score 9.8) zero-day vulnerability affecting the Oracle Concurrent Processing product within Oracle E-Business Suite (EBS). |
||
|
19.10.25 |
Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the network of a Russian IT service provider and lasted for the first five months of 2025. |
|||
|
19.10.25 |
An Android malware campaign dubbed GhostBat RAT which impersonates RTO (Regional Transport Office) apps like mParivahan to deceive Indian users, has been reported by Cyble. The malware spreads via WhatsApp and SMS with shortened URLs pointing to GitHub-hosted APKs, as well as through compromised websites. |
|||
| 19.10.25 | | A new threat actor dubbed TA585 has been observed conducting phishing campaigns that use tailored email lures, malvertising and web-injection techniques to redirect victims to attacker-controlled sites, sometimes even tagging GitHub users in fake security alerts to boost credibility and click-through rates. Through these campaigns the group delivers a range of malware, including the newly released MonsterV2. | | |
| 19.10.25 | | The Stealit malware operation has recently upgraded its deployment strategy, using the Node.js Single Executable Application (SEA) feature to distribute malicious payloads. FortiGuard Labs identified this shift following an increase in detections of a particular VBScript that establishes persistence on infected machines. | | |
| 19.10.25 | | BeFirst is a recent MedusaLocker ransomware variant observed in the wild. The malware encrypts user data and appends the .befirst1 extension to the locked files. | | |
| 19.10.25 | | A new malicious campaign distributing the ClayRat Android spyware has been reported by Zimperium researchers. The malware relies on highly effective social engineering, using fraudulent Telegram channels and phishing websites that mimic legitimate services such as Google Photos, WhatsApp and TikTok to convince victims to install the malicious application. Once deployed, ClayRat exhibits extensive surveillance capabilities. | | |
| 19.10.25 | | According to a report from McAfee, a new Astaroth campaign has been discovered that weaponizes legitimate GitHub repositories and image files, primarily targeting victims in South America. | | |
| 19.10.25 | ChaosBot: Hiding on your system and communicating through Discord | Details regarding a newly identified, Rust-based malware dubbed ChaosBot have been shared by eSentire's Threat Response Unit. According to the report, the actors behind ChaosBot use varying methods to gain access to victim environments: | | |
| 19.10.25 | | Trend Micro has reported on renewed malicious activity attributed to the RondoDox botnet. The researchers identified early intrusion attempts, noting that the botnet operators quickly leverage publicly disclosed flaws such as CVE-2023-1389, which affects TP-Link routers. | | |
| 19.10.25 | | SumUp Payments Limited is a financial technology company that provides payment and point-of-sale solutions for small businesses and independent merchants. Symantec has recently observed phishing runs that mimic SumUp and pose as account verification emails in order to steal credentials. | | |
| 19.10.25 | | The Chaos ransomware variant observed on the threat landscape in 2025 marks a significant evolution, according to a recent blog post from Fortinet. The malware has transitioned its codebase from .NET to C++ and integrated aggressive destructive extortion tactics alongside traditional file encryption. | | |
| 19.10.25 | | Symantec has detected a new wave of phishing runs targeting Japanese email users with fake 2025 Japan Population Census emails. The emails use the subject line: | | |
| 19.10.25 | APAC Campaign: Malaysian Procurement Lures Load VIP Keylogger In-Memory | Symantec observed a new malspam campaign that leverages procurement emails, while posing as a well-known Malaysian company specializing in construction and civil engineering, to distribute credential-stealing malware to organizations in Malaysia and beyond. | | |
| 19.10.25 | Multi-platform attacks leveraging IUAM ClickFix Generator phishing kit | The popular social engineering technique known as "ClickFix" is being rapidly commercialized, according to a recent report from Palo Alto Networks Unit 42. | | |
| 19.10.25 | | HiveWare is a new ransomware variant recently observed in the wild. The malware encrypts user data and appends the .HIVELOCKED extension to the locked files. | | |
| 19.10.25 | FoalShell and StallionRAT malware deployed by Cavalry Werewolf APT | The Cavalry Werewolf APT has been observed enhancing its malicious toolkit with customized malware. According to a report published by BI.ZONE Threat Intelligence, the threat actors have been conducting phishing campaigns in which they assume the identities of personnel from various governmental bodies. | | |
| 19.10.25 | VampireBot malware distributed by the BatShadow threat group | Aryaka Threat Research Labs has recently discovered a new campaign conducted by the Vietnamese threat group known as BatShadow. The operation relies heavily on sophisticated social engineering, primarily targeting digital marketers and job applicants. The attackers impersonate recruiters and distribute ZIP archives containing decoy PDF files packed alongside malicious executables. | | |
| 19.10.25 | | As the threat landscape continues to evolve, attackers are increasingly relying on sophisticated social engineering techniques to trick users into executing malicious code. These attacks often bypass traditional file-based detection methods, making proactive, behavior-based security measures more critical than ever. | | |
| 19.10.25 | Turkey-Focused Snake Keylogger Campaign Expands Across Sectors and Regions | Symantec recently observed a malspam campaign delivering Snake Keylogger that abused the brand of a prominent Turkish financial institution to lend credibility to the fraudulent messages. The emails carried subject lines such as “HESAP EKSTRESI” (account statement). | | |
| 19.10.25 | JA Net Bank Phishing Pressures Users with Urgency & Compliance Lures | A phishing campaign is impersonating JAネットバンク (JA Net Bank), using official-sounding messages that cite the 犯罪収益移転防止法 (Act on Prevention of Transfer of Criminal Proceeds) to add credibility. Victims are urged to complete “customer information and transaction purpose” verification or risk account restrictions. | | |
| 19.10.25 | | According to a report from Trend Micro, a new self-propagating Windows malware campaign dubbed SORVEPOTEL is spreading through WhatsApp messages that deliver malicious ZIP attachments. When opened on a desktop, the ZIP extracts a shortcut (.LNK) file that executes hidden PowerShell and batch commands to download payloads, establish persistence and connect to attacker-controlled servers. | | |
| 4.10.25 | | Security firm Mosyle and follow-up reports have detailed the emergence of ModStealer, a cross-platform infostealer distributed via malvertising campaigns, often disguised as fake software downloads or job advertisements. | | |
| 4.10.25 | | Cisco Talos has published details regarding UAT-8099, a cybercrime group focused on search engine optimization (SEO) fraud and the theft of miscellaneous sensitive data such as credentials, configuration files and logs. The group specifically targets vulnerable Internet Information Services (IIS) servers worldwide, with confirmed victims including universities, technology companies and telecom providers, among others. | | |
| 4.10.25 | | The cyber-espionage group Confucius, known for targeting government and critical industries across South Asia, has been observed leveraging sophisticated phishing campaigns, primarily against high-value targets in Pakistan, that show a major technical evolution. | | |
| 4.10.25 | | New spyware campaigns targeting privacy-conscious Android users in the UAE have been reported by ESET. The campaigns deploy two previously undocumented spyware families, ProSpy and ToSpy, disguised as legitimate Signal or ToTok apps and distributed via phishing sites and fake app stores. | | |
| 4.10.25 | | Researchers recently published a report on the WARMCOOKIE backdoor, revealing that its operators have expanded their infrastructure and refined their tactics. First observed in recruitment-themed phishing campaigns, WARMCOOKIE remains active and is capable of host fingerprinting, command execution, screenshot capture and delivery of additional payloads. | | |
| 4.10.25 | CORS vulns exploited to deliver Latrodectus via injected FakeCaptcha | According to recent reports, Lunar Spider (aka Gold SwathMore) has evolved its toolkit by exploiting CORS misconfigurations on websites, mainly in Europe, to inject a “FakeCaptcha” overlay that tricks victims into running malicious commands. The injected JavaScript creates a fake verification UI and copies a PowerShell command into the clipboard which, when executed, launches an MSI loader. | | |
| 4.10.25 | | New activity delivering the DarkCloud version 3.2 payload has been reported by eSentire researchers. The attack begins with a targeted spear-phishing campaign using a financial lure that delivers the infostealer inside a .zip archive attachment. | | |
| 4.10.25 | GuLoader campaign targets Francophone Businesses, deploying MassLogger | Symantec has observed a new GuLoader campaign in which the actors impersonate a well-known hospitality and luxury resort/events group in Morocco, sending fraudulent quotation requests with the subject line “DEMANDE DEVIS N° 25090358.” | | |
| 4.10.25 | | Acreed is an advanced infostealer variant first discovered in early 2025 and sold on underground markets. Once on an infected machine, Acreed deploys JavaScript modules designed for financial theft, performing cryptocurrency clipping (replacing legitimate wallet addresses on web pages) and clipboard hijacking. | | |
| 4.10.25 | | The LockBit ransomware group has resurfaced following the February 2024 disruption, deploying a new variant dubbed LockBit 5.0. New research published by Trend Micro confirms the existence of Windows, Linux and ESXi variants, signifying the group’s continued cross-platform strategy of targeting entire enterprise networks, including virtualized environments. | | |
| 4.10.25 | | CVE-2025-10035 is a recently disclosed critical (CVSS score 10.0) deserialization vulnerability affecting Fortra GoAnywhere, a managed file transfer (MFT) product. | | |
| 4.10.25 | | Klopatra is a newly observed Android malware that functions as both a banking Trojan and a Remote Access Trojan (RAT). A report from researchers at Cleafy shares technical details and campaign activity associated with this threat. Highlights from the report include: | | |
| 4.10.25 | | A new assembly-written Malware-as-a-Service offering called Olymp Loader, advertised as “FUD” (fully undetectable), has been reported by Outpost24. It includes anti-debugging, code-signing and crypter options and targets browsers, Telegram and crypto wallets. | | |
| 4.10.25 | | Symantec has recently observed Halloween-themed jumbo lottery phishing runs targeting Japanese users. The threat actors' emails masquerade as lottery campaign announcements. | | |
| 4.10.25 | | A malware campaign delivering the XWorm .NET RAT using shellcode hidden inside Office attachments has been observed by Forcepoint. As part of the multi-stage attack, a phishing email is sent with a seemingly benign .xlam workbook that embeds an Ole10Native stream containing encrypted shellcode. | | |
| 4.10.25 | | Microsoft Threat Intelligence has identified a new variant of the XCSSET malware targeting Xcode projects. The malware employs run-only compiled AppleScripts for stealthy execution, now targets a broader range of browsers including Firefox, steals information from Telegram, hijacks the clipboard by substituting wallet addresses and establishes persistence via LaunchDaemons and Git commits. | | |
| 4.10.25 | | A recent campaign has been reported by Blackpoint SOC in which attackers abuse SEO poisoning and malvertising to trick users into downloading trojanized Microsoft Teams installers that deliver the Oyster (also known as Broomstick) backdoor. | | |