ALERTS HOME AI APT BOTNET CAMPAIGN CRIME CRYPTOCURRENCY EXPLOIT HACKING GROUP OPERATION PHISHING RANSOM SPAM VIRUS VULNEREBILITY | 2024 2025
2024 March(16) April(92) May(99) June(94) July(88) August(112) SEPTEMBER(67) October(13) November(80) December(6) 2025 January(36) February(50) March(77) April(54) May(54) June(65) July(3) August(0) SEPTEMBER(0) October(0) November(0) December(0)
DATE |
NAME |
INFO |
CATEGORY |
SUBCATE |
| 6.7.25 | Malicious Abuse of ConnectWise (ScreenConnect) | Over the past several months, we have observed a sharp increase in the malicious use of the popular Remote Monitoring and Management (RMM) tool ConnectWise by ransomware operators, Initial Access Brokers, APTs, and other eCrime actors. | ALERTS | APT |
| 6.7.25 | Remcos malspam campaign starts with a tar archive | A recently observed Remcos campaign began with a malicious email containing a .tar archive attachment. The archive contains a .lnk file which launches PowerShell to download the Remcos payload. | CAMPAIGN | |
| 6.7.25 | Janela RAT delivered in a recent campaign | Janela RAT (Remote Access Trojan) is a modified variant of a malware known as BX RAT. Janela RAT has been previously seen spread in campaigns targeting banking users from the LATAM region. | VIRUS | |
| 6.7.25 | Blackmoon’s expanding arsenal | The Blackmoon banking trojan, known for targeting users of online financial services, particularly in South Korea, has evolved into a more deceptive and multi-functional threat. | VIRUS | |
| 6.7.25 | DEVMAN - a new DragonForce ransomware variant | DEVMAN is a new customized ransomware variant from the DragonForce malware family. The malware encrypts data and appends .DEVMAN extension to locked files. | RANSOM | |
| 6.7.25 | GIFTEDCROOK malware upgraded for document theft via Telegram | An enhanced version of the GIFTEDCROOK malware, operated by the UAC-0226 threat group has been reported, marking a significant upgrade from its earlier capabilities first observed in February 2025. | VIRUS | |
| 2.7.25 | Braodo infostealer hosts downloaded components on GitHub | A recently observed campaign involving Braodo stealer malware leveraged GitHub to house multiple components downloaded in the attack chain. | VIRUS | |
| 2.7.25 | CVE-2025-4322: WordPress Motors theme privilege escalation vulnerability | CVE-2025-4322 is a critical unauthenticated privilege escalation vulnerability (CVSS 9.8) affecting the WordPress Motors theme in versions up to 5.6.67. | VULNEREBILITY | |
| 2.7.25 | EmailJS and HubSpot Abused in CCMA Phishing Scheme | A new phishing campaign is circulating under the guise of a legal summons from South Africa’s Commission for Conciliation, Mediation and Arbitration (CCMA), leveraging urgency and fear to pressure recipients into action. | PHISHING | |
| 28.6.25 | Lotus V2 loader malware leveraged by the Lotus Spider threat group | A new campaign leveraging the Lotus V2 loader and attributed to the Lotus Spider threat group has been reported in the wild. The attack chain makes use of fake CAPTCHA-based delivery tactics leading the victims to execution of PowerShell scripts which in turn download and run malicious .MSI installers. | VIRUS | |
| 28.6.25 | Software Being Repackaged for Malware Delivery | Researchers have uncovered a rising trend where cybercriminals repackage legitimate commercial software (examples: SonicWall’s SSL VPN NetExtender) to deliver infostealers. | VIRUS | |
| 27.6.25 | Dire Wolf Ransomware | Dire Wolf is a new ransomware threat group discovered in the wild. The attackers have been focusing their efforts mostly on manufacturing and technology sectors. | RANSOM | |
| 27.6.25 | Open-source tools leveraged in attacks targeting the financial sector in Africa | Researchers from Palo Alto have recently reported on an ongoing campaign targeting financial institutions across Africa. The attackers are distributing various open-source tools often advertised as penetration testing or remote administration utilities including PoshC2, Chisel or Classroom Spy. | CAMPAIGN | |
| 27.6.25 | Prometei Botnet evolves with Self-Updating Linux variants | As per the latest report by Palo Alto Networks’ Unit 42, the Prometei botnet has resurfaced with enhanced capabilities, particularly in its Linux variants (v3 and v4). Known for mining Monero and stealing credentials, Prometei has adopted a self-update mechanism and a domain generation algorithm (DGA) to bolster its resilience and maintain persistent C2 connectivity, even if existing domains are taken down. | BOTNET | |
| 27.6.25 | NightSpire Ransomware | Between March and June 2025, NightSpire ransomware actors claimed responsibility for attacks affecting 64 entities across 33 countries, with a globally dispersed victim base. | RANSOM | |
| 25.6.25 | Wedding Invite scam deploys SpyMax RAT on Indian Android devices | An Android phishing campaign dubbed “Wedding Invitation” has been observed targeting mobile users across India by distributing spyware-laced APK files via WhatsApp and Telegram. | VIRUS | |
| 25.6.25 | Python-based ransomware variant spread in a recent campaign | As reported by researchers from Tinexta, a new campaign spreading a Python ransomware variant has been observed in the wild. The attackers make use of publicly accessible GitHub repositories to host the malicious .ISO binaries . | RANSOM | |
| 25.6.25 | PylangGhost - a new Python-based Remote Access Trojan | PylangGhost is a new RAT (Remote Access Trojan) variant discovered recently by the researchers from Cisco Talos. As the name suggests the malware is written in Python and shares some code similarities and functionalities with an older RAT strain known as GolangGhost. | VIRUS | |
| 25.6.25 | Shadow Vector: SVG Smuggling campaign targets Colombian users | A phishing malware campaign dubbed Shadow Vector has been reported, targeting users in Colombia through malicious SVG files disguised as urgent court notifications. | CAMPAIGN | |
| 21.6.25 | Amatera Stealer | Amatera is a recently identified infostealer variant believed to be an evolution of the older ACR Stealer malware. It has been reported as being offered for sale via the malware-as-a-service (MaaS) model. | VIRUS | |
| 21.6.25 | CVE‑2025‑49113 – Post‑Auth Remote Code Execution vulnerability in Roundcube | CVE-2025-4123 is a recently disclosed critical (CVSS score 9.9) Post‑Auth Remote Code Execution (RCE) vulnerability affecting Roundcube, which is a free and open-source webmail application. | VULNEREBILITY | |
| 21.6.25 | Discord Vanity Link Flaw Exploited in New Malware Campaign Dropping AsyncRAT and Skuld Stealer | A new sophisticated malware campaign aimed at financial gain from cryptocurrency users is exploiting a subtle weakness in Discord's invitation system to distribute an information stealer called Skuld and the AsyncRAT. Targeted victims have been identified primarily in Austria, France, Germany, Slovakia, Vietnam, the Netherlands, the United States, and the United Kingdom. | EXPLOIT | |
| 21.6.25 | Stargazers malware campaign targets Minecraft players via fake mods | A large-scale malware campaign operated by the Stargazers Ghost Network is actively targeting Minecraft players, according to a recent report from Checkpoint. | CAMPAIGN | |
| 21.6.25 | Modified XWorm RAT distributed through trojanized MSI | A China-linked threat actor distributing a trojanized MSI installer posing as a WhatsApp setup to deliver a customized XWorm Remote Access Trojan (RAT) has been reported targeting users in East and Southeast Asia. | VIRUS | |
| 21.6.25 | New variant of the Godfather mobile malware employs virtualization techniques | A new variant of the Godfather Android banking malware has been discovered in the wild. The malware leverages on-device virtualization techniques to hijack several legitimate applications. | ||
| 21.6.25 | CVE-2023-0386 - Linux Kernel Improper Ownership Management vulnerability exploited in the wild | CVE-2023-0386 is a high severity (CVSS score 7.8) Improper Ownership Management vulnerability affecting the Linux Kernel. | VULNEREBILITY | |
| 21.6.25 | FIN7-linked GrayAlpha uses PowerShell loaders and TDS to spread NetSupport RAT | GrayAlpha, a cybercriminal group associated with FIN7, has been reported conducting a sophisticated malware campaign using multiple infection vectors to distribute NetSupport RAT via custom PowerShell loaders, PowerNet and MaskBat. | APT | |
| 21.6.25 | New Librarian Ghouls Campaign | A new cyber espionage campaign by APT group "Librarian Ghouls" (also known as Rare Werewolf and Rezet) was observed targeting organizations primarily in Russia, Belarus and Kazakhstan focusing on industrial organizations and engineering schools, along with sectors like rocket, aviation, space, defense, and petrochemical industries. | CAMPAIGN | |
| 21.6.25 | HijackLoader campaign delivers DeerStealer payload | A recent campaign leveraging the HijackLoader malware has been observed to distribute the DeerStealer malicious payload. | CAMPAIGN | |
| 21.6.25 | Threat Actors Abuse Paste.ee and use Unicode Deception to Deploy XWorm RAT | A sophisticated malware campaign initiated by a deceptively named JavaScript file designed to download a malicious payload was observed. | VIRUS | |
| 21.6.25 | XDSpy campaign employs whitespace-obfuscated LNK files | A new XDSpy malware campaign, attributed to the SadFuture threat actor, has been observed targeting Eastern European and Russian government entities. | VIRUS | |
| 21.6.25 | Financial communications lead to malware downloads for Taiwanese users | A threat actor has been targeting users in Taiwan through campaigns masquerading as communications from official financial entities. | VIRUS | |
| 21.6.25 | CVE-2025-48828 - a new vBulletin RCE vulnerability | CVE-2025-48828 is a recently disclosed critical (CVSS score 9.0) template engine vulnerability affecting vBulletin, which is a commercial forum software platform. | VULNEREBILITY | |
| 21.6.25 | MintsLoader Malware Campaign Hits Italian PEC Users | A new MintsLoader malware campaign has targeted Italy, showcasing the attacker's strategy of adapting to the local Italian work calendar. | VIRUS | |
| 21.6.25 | Pickai Backdoor | A new backdoor malware dubbed Pickai (AI Pickpocket) has been observed spreading through vulnerabilities in the popular ComfyUI framework. Written in C++, Pickai spreads through innocuous-looking configuration files like JSON and TMUX settings. | VIRUS | |
| 21.6.25 | Hackers Weaponize Legitimate 'Netbird' Tool in Phishing Campaign Targeting CFOs | A new fake recruiter spear-phishing campaign has been observed targeting high-level financial executives at banks, energy companies, insurers, and investment firms across Africa, Canada, Europe, the Middle East, and South Asia. | PHISHING | |
| 21.6.25 | CVE-2025-4123 - Grafana XSS and Full-Read SSRF vulnerability | CVE-2025-4123 is a recently discovered high severity (CVSS score 7.6) open redirect vulnerability affecting Grafana, which is an open-source data visualization platform. | VULNEREBILITY | |
| 13.6.25 | CyberEye RAT | CyberEye is a modular Remote Access Trojan that relies on Telegram for its C2 communications. Using a publicly available builder, its implants can be customized to include features like anti-analysis, cryptocurrency hijacking, and persistence. | VIRUS | |
| 13.6.25 | Spectra Ransomware | Spectra is a new ransomware variant found in the wild just this year. The malware belongs to the well known Chaos ransomware family. | RANSOM | |
| 13.6.25 | Stealth Falcon exploits Zero-Day Vulnerability CVE-2025-33053 | As reported by Check Point, the APT group Stealth Falcon has been observed exploiting a zero-day vulnerability (CVE-2025-33053) in a new malware campaign. | VULNEREBILITY | |
| 13.6.25 | Unusual Fog ransomware activity | In a recent report, the Symantec and Carbon Black Threat Hunter Team analyzed a Fog ransomware attack that targeted a financial institution in Asia. | RANSOM | |
| 13.6.25 | FIN6 abuses Job Portals and Cloud Infrastructure to evade detection | A malware campaign attributed to the threat actor FIN6, posing as job applicants on platforms like LinkedIn and Indeed, has been observed in the wild. Once a target is lured, the threat actor sends phishing emails containing non-clickable URLs that lead to cloud-hosted “resume” sites on AWS. | GROUP | |
| 13.6.25 | Chinese threat actor groups target cybersecurity vendor |
According to a recent report from SentinelLabs, China-backed
threat actors have deployed ShadowPad and PurpleHaze malware in global
campaigns.
|
GROUP | |
| 13.6.25 | Myth Stealer malware | Myth is a new Rust-based infostealing malware discovered recently in the wild. The malware has been previously advertised on various Telegram groups and lately reported as being distributed via fraudulent gaming websites and online portals offering software cracks, among others. | VIRUS | |
| 11.6.25 | Exploitaiton of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution | New campaigns distributing variants of the popular Mirai botnet have been reported in the wild. The attackers have been exploiting critical (CVSS score 9.9) CVE-2025-24016 deserialization vulnerability affecting Wazuh Server which might allow for a remote code execution on the vulnerable devices. | BOTNET | |
| 11.6.25 | Datarip - a new MedusaLocker ransomware variant | Datarip ransomware is a new malware strain from the MedusaLocker ransomware family recently seen in the wild. The malware encrypts sensitive data while appending ".datarip" extension to the locked files. | RANSOM | |
| 11.6.25 | DuplexSpy RAT | DuplexSpy is a new Remote Access Trojan (RAT) variant identified in the wild. The malware is written in C#, has modular architecture and uses DLL injection technique for in-memory payload execution. | VIRUS | |
| 11.6.25 | DragonClone malicious operation | DragonClone is a new malicious campaign identified in the wild. The attackers have been targeting the Chinese Telecom Industry and distributing Veletrix and VShell malware implants as payloads. | OPERATION | |
| 11.6.25 | Golden Piranha - a new banking threat | Golden Piranha is the name of an emerging banking trojan identified by the researchers from SCILabs. The malware is leveraging Google Chrome browser extensions in order to steal banking related inputs from miscellaneous banking website forms. | ||
| 7.6.25 | Interlock ransomware group deploys a new RAT named "NodeSnake" | Interlock ransomware group has been observed deploying a new RAT named "NodeSnake" and targeting educational institutions. | RANSOM | |
| 7.6.25 | APT41 using custom malware "TOUGHPROGRESS" to exploit Google Calendar | Threat Actor group APT41 has been observed using custom malware named TOUGHPROGRESS, which leverages Google Calendar events as its C2 channel, allowing it to hide malicious commands in seemingly benign public calendar entries. | APT | |
| 7.6.25 | Cheating in games might get you Blitz'ed | Blitz is a multi-stage malware composed of downloader and botnet components. A recent report by researchers at Palo Alto Networks provides details of campaigns attempting to proliferate this malware | VIRUS | |
| 7.6.25 | Android malware targets users in India by pretending to be a government app | In some recently observed malicious activity, a fake government application was found to be targeting Android users in India. | VIRUS | |
| 7.6.25 | Chaos RAT malware | A new Golang-based 5.0.3 variant of the Chaos RAT (Remote Access Trojan) has been recently discovered in the wild. | VIRUS | |
| 7.6.25 | Increased activity of DCRAT malware in Latin America | DCRAT (aka Dark Crystal RAT) is a modular RAT (Remote Access Trojan) offered for sale in form of Malware-as-a-Service (MaaS) model for last several years. | VIRUS | |
| 7.6.25 | AMOS malware for macOS spread via Clickfix social engineering techniques | A new campaign delivering the AMOS malware for macOS has been reported to leverage Clickfix social engineering techniques. | VIRUS | |
| 7.6.25 | Fake CAPTCHAs deliver multi-stage PowerShell downloaders | CAPTCHAs are used to determine whether a website visitor is human versus a bot. Malware campaigns have introduced fake CAPTCHAs into the attack chain to encourage interaction by the proposed victim. ClickFix is a name often given to such behavior. | VIRUS | |
| 7.6.25 | ViperSoftX activities continues via fake software | According to recent reports ViperSoftX continues to circulate widely across the globe, with a noticeable uptick in South Korea. | VIRUS | |
| 7.6.25 | CVE-2025-27920 - Srimax Output Messenger Directory Traversal vulnerability | CVE-2025-27920 is a recently discovered directory traversal vulnerability affecting Srimax Output Messenger software. | VULNEREBILITY | |
| 4.6.25 | New campaigns delivering Crocodilus mobile malware | A new variant of the Crocodilus mobile malware has been spread in recent campaigns targeting users in Europe and South America. | CAMPAIGN | |
| 4.6.25 | CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability | CVE-2023-38950 is a path traversal vulnerability affecting ZKTeco BioTime which is a web-based time and attendance management software. | VULNEREBILITY | |
| 4.6.25 | Exploiting the hype around popular AI tools to distribute various malware via fraudulent installers | Threat Actors are exploiting the hype around AI to distribute various malware strains. By capitalizing on the public's eagerness to access popular AI tools (such as ChatGPT, Copilot, DALL-E, Gemini, Midjourney, and Sora) Threat Actors are creating convincing but fraudulent installers. | AI | |
| 4.6.25 | Telegram-Based Email Credential Theft – Fake FedEx Invoice Campaign | Shipping companies are frequently exploited in social engineering attacks due to their global recognition, trusted brand image, and association with package notifications, invoices, and delivery updates—topics that easily trigger urgency, curiosity, and user interaction. These characteristics make them prime targets for phishing and credential theft campaigns. | CAMPAIGN | |
| 4.6.25 | EddieStealer delivered through ClickFix | EddieStealer is a Rust-based information stealer malware which has recently been observed as the payload of ClickFix campaigns. | VIRUS | |
| 4.6.25 | Latest PureHVNC RAT deployment campaigns | New campaigns delivering the PureHVNC RAT have been reported in the wild. The threat actors conduct multi stage operations and make use of miscellaneous components in their attacks including malicious .lnk files, PowerShell code, JavaScript, AutoIt, etc. | CAMPAIGN | |
| 4.6.25 | Python-based Lyrix Ransomware | Lyrix ransomware is a new Python based ransomware discovered in underground forums. It behaves in a manner similar to most current ransomware families | RANSOM | |
| 4.6.25 | New Katz Stealer malware-as-a-service compromises Web browsers | Katz Stealer operates as a multi-feature credential-stealing Malware-as-a-Service, designed for extensive system reconnaissance and data theft. It targets a vast array of sensitive information, including saved passwords, cookies, and session tokens from popular web browsers (Chrome, Edge, Brave, Firefox), cryptocurrency wallet files, and private keys via keyword matching. | VIRUS | |
| 4.6.25 | Earth Lamia exploits various SQL injection vulnerabilities | APT threat actor Earth Lamia exploits vulnerabilities in web applications to gain access to organizations, using various SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations for data exfiltration. | APT | |
| 4.6.25 | Recent VenomRAT activity |
A recent activity attributed to the VenomRAT malware has
been spotted in the wild. Malware is spread from a phishing website
disguised as AV software download page.
|
VIRUS | |
| 4.6.25 | PumaBot - a new botnet on the rise | PumaBot is a new Go-based botnet strain identified recently in the wild. Unlike some more common botnet variants, PumaBot does not rely on scanning the Internet for vulnerable devices but instead targets very specific ones via a list of IP addresses retrieved from the attacker C2 servers. | BOTNET | |
| 4.6.25 | Zanubis mobile malware latest activity | Zanubis is an Android banking malware active in the threat landscape since at least 2022. The malware has been known to mostly target banks and financial entities in South America but also expanding over time and adding theft of virtual cards and cryptocurrency to its portfolio. | ||
| 4.6.25 | AsyncRAT malspam campaigns observed | We've recently observed some malspam campaigns leveraging multiple downloads, starting with box.com, to deliver an AsyncRAT payload. | VIRUS | |
| 4.6.25 | Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress | Fancy Bear (aka APT28, Sofacy, Pawn Storm, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127) is a Russian Threat Actor group that uses spearphishing to deliver SpyPress, a malicious JavaScript payload, by exploiting cross-site scripting (XSS) vulnerabilities in webmail interfaces to exfiltrate sensitive email data from high-value webmail servers. | ALERTS | PHISHING |
| 4.6.25 | Bofamet Stealer malware | Bofamet is a new Python-based infostealer found in the wild. The malware collects miscellaneous information from the compromised endpoints including: credentials, system information, browser cookies, Telegram session data, Discord tokens, screenshots, Steam configuration files, etc. | VIRUS |