



DATE

NAME

INFO

CATEGORY

SUBCATEGORY

21.6.25 Amatera Stealer Amatera is a recently identified infostealer variant believed to be an evolution of the older ACR Stealer malware. It has been reported as being offered for sale via the malware-as-a-service (MaaS) model.

ALERTS

VIRUS
21.6.25 CVE-2025-49113 - Post-Auth Remote Code Execution vulnerability in Roundcube CVE-2025-4123 is a recently disclosed critical (CVSS score 9.9) Post-Auth Remote Code Execution (RCE) vulnerability affecting Roundcube, which is a free and open-source webmail application.

ALERTS

VULNERABILITY
21.6.25 Discord Vanity Link Flaw Exploited in New Malware Campaign Dropping AsyncRAT and Skuld Stealer A new sophisticated malware campaign aimed at financial gain from cryptocurrency users is exploiting a subtle weakness in Discord's invitation system to distribute an information stealer called Skuld and the AsyncRAT. Targeted victims have been identified primarily in Austria, France, Germany, Slovakia, Vietnam, the Netherlands, the United States, and the United Kingdom.

ALERTS

EXPLOIT
21.6.25 Stargazers malware campaign targets Minecraft players via fake mods A large-scale malware campaign operated by the Stargazers Ghost Network is actively targeting Minecraft players, according to a recent report from Checkpoint.

ALERTS

CAMPAIGN
21.6.25 Modified XWorm RAT distributed through trojanized MSI A China-linked threat actor distributing a trojanized MSI installer posing as a WhatsApp setup to deliver a customized XWorm Remote Access Trojan (RAT) has been reported targeting users in East and Southeast Asia.

ALERTS

VIRUS
21.6.25 New variant of the Godfather mobile malware employs virtualization techniques A new variant of the Godfather Android banking malware has been discovered in the wild. The malware leverages on-device virtualization techniques to hijack several legitimate applications.

ALERTS

VIRUS

21.6.25 CVE-2023-0386 - Linux Kernel Improper Ownership Management vulnerability exploited in the wild CVE-2023-0386 is a high severity (CVSS score 7.8) Improper Ownership Management vulnerability affecting the Linux Kernel.

ALERTS

VULNERABILITY
21.6.25 FIN7-linked GrayAlpha uses PowerShell loaders and TDS to spread NetSupport RAT GrayAlpha, a cybercriminal group associated with FIN7, has been reported conducting a sophisticated malware campaign using multiple infection vectors to distribute NetSupport RAT via custom PowerShell loaders, PowerNet and MaskBat.

ALERTS

APT
21.6.25 New Librarian Ghouls Campaign A new cyber espionage campaign by APT group "Librarian Ghouls" (also known as Rare Werewolf and Rezet) was observed targeting organizations primarily in Russia, Belarus and Kazakhstan focusing on industrial organizations and engineering schools, along with sectors like rocket, aviation, space, defense, and petrochemical industries.

ALERTS

CAMPAIGN
21.6.25 HijackLoader campaign delivers DeerStealer payload A recent campaign leveraging the HijackLoader malware has been observed to distribute the DeerStealer malicious payload.

ALERTS

CAMPAIGN
21.6.25 Threat Actors Abuse Paste.ee and use Unicode Deception to Deploy XWorm RAT A sophisticated malware campaign initiated by a deceptively named JavaScript file designed to download a malicious payload was observed.

ALERTS

VIRUS
21.6.25 XDSpy campaign employs whitespace-obfuscated LNK files A new XDSpy malware campaign, attributed to the SadFuture threat actor, has been observed targeting Eastern European and Russian government entities.

ALERTS

VIRUS
21.6.25 Financial communications lead to malware downloads for Taiwanese users A threat actor has been targeting users in Taiwan through campaigns masquerading as communications from official financial entities.

ALERTS

VIRUS
21.6.25 CVE-2025-48828 - a new vBulletin RCE vulnerability CVE-2025-48828 is a recently disclosed critical (CVSS score 9.0) template engine vulnerability affecting vBulletin, which is a commercial forum software platform.

ALERTS

VULNERABILITY
21.6.25 MintsLoader Malware Campaign Hits Italian PEC Users A new MintsLoader malware campaign has targeted Italy, showcasing the attacker's strategy of adapting to the local Italian work calendar.

ALERTS

VIRUS
21.6.25 Pickai Backdoor A new backdoor malware dubbed Pickai (AI Pickpocket) has been observed spreading through vulnerabilities in the popular ComfyUI framework. Written in C++, Pickai spreads through innocuous-looking configuration files like JSON and TMUX settings.

ALERTS

VIRUS
21.6.25 Hackers Weaponize Legitimate 'Netbird' Tool in Phishing Campaign Targeting CFOs A new fake recruiter spear-phishing campaign has been observed targeting high-level financial executives at banks, energy companies, insurers, and investment firms across Africa, Canada, Europe, the Middle East, and South Asia.

ALERTS

PHISHING
21.6.25 CVE-2025-4123 - Grafana XSS and Full-Read SSRF vulnerability CVE-2025-4123 is a recently discovered high severity (CVSS score 7.6) open redirect vulnerability affecting Grafana, which is an open-source data visualization platform.

ALERTS

VULNERABILITY
13.6.25 CyberEye RAT CyberEye is a modular Remote Access Trojan that relies on Telegram for its C2 communications. Using a publicly available builder, its implants can be customized to include features like anti-analysis, cryptocurrency hijacking, and persistence.

ALERTS

VIRUS
13.6.25 Spectra Ransomware Spectra is a new ransomware variant found in the wild just this year. The malware belongs to the well known Chaos ransomware family.

ALERTS

RANSOM
13.6.25 Stealth Falcon exploits Zero-Day Vulnerability CVE-2025-33053 As reported by Check Point, the APT group Stealth Falcon has been observed exploiting a zero-day vulnerability (CVE-2025-33053) in a new malware campaign.

ALERTS

VULNERABILITY
13.6.25 Unusual Fog ransomware activity In a recent report, the Symantec and Carbon Black Threat Hunter Team analyzed a Fog ransomware attack that targeted a financial institution in Asia.

ALERTS

RANSOM
13.6.25 FIN6 abuses Job Portals and Cloud Infrastructure to evade detection A malware campaign attributed to the threat actor FIN6, posing as job applicants on platforms like LinkedIn and Indeed, has been observed in the wild. Once a target is lured, the threat actor sends phishing emails containing non-clickable URLs that lead to cloud-hosted “resume” sites on AWS.

ALERTS

GROUP
13.6.25 Chinese threat actor groups target cybersecurity vendor According to a recent report from SentinelLabs, China-backed threat actors have deployed ShadowPad and PurpleHaze malware in global campaigns.

ALERTS

GROUP
13.6.25 Myth Stealer malware Myth is a new Rust-based infostealing malware discovered recently in the wild. The malware has been previously advertised on various Telegram groups and lately reported as being distributed via fraudulent gaming websites and online portals offering software cracks, among others.

ALERTS

VIRUS
11.6.25 Exploitation of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution New campaigns distributing variants of the popular Mirai botnet have been reported in the wild. The attackers have been exploiting the critical (CVSS score 9.9) CVE-2025-24016 deserialization vulnerability affecting Wazuh Server, which might allow remote code execution on vulnerable devices.

ALERTS

BOTNET
11.6.25 Datarip - a new MedusaLocker ransomware variant Datarip ransomware is a new malware strain from the MedusaLocker ransomware family recently seen in the wild. The malware encrypts sensitive data while appending ".datarip" extension to the locked files.

ALERTS

RANSOM
11.6.25 DuplexSpy RAT DuplexSpy is a new Remote Access Trojan (RAT) variant identified in the wild. The malware is written in C#, has modular architecture and uses DLL injection technique for in-memory payload execution.

ALERTS

VIRUS
11.6.25 DragonClone malicious operation DragonClone is a new malicious campaign identified in the wild. The attackers have been targeting the Chinese Telecom Industry and distributing Veletrix and VShell malware implants as payloads.

ALERTS

OPERATION
11.6.25 Golden Piranha - a new banking threat Golden Piranha is the name of an emerging banking trojan identified by the researchers from SCILabs. The malware is leveraging Google Chrome browser extensions in order to steal banking related inputs from miscellaneous banking website forms.

ALERTS

VIRUS

7.6.25 Interlock ransomware group deploys a new RAT named "NodeSnake" Interlock ransomware group has been observed deploying a new RAT named "NodeSnake" and targeting educational institutions.

ALERTS

RANSOM
7.6.25 APT41 using custom malware "TOUGHPROGRESS" to exploit Google Calendar Threat Actor group APT41 has been observed using custom malware named TOUGHPROGRESS, which leverages Google Calendar events as its C2 channel, allowing it to hide malicious commands in seemingly benign public calendar entries.

ALERTS

APT
7.6.25 Cheating in games might get you Blitz'ed Blitz is a multi-stage malware composed of downloader and botnet components. A recent report by researchers at Palo Alto Networks provides details of campaigns attempting to proliferate this malware.

ALERTS

VIRUS
7.6.25 Android malware targets users in India by pretending to be a government app In some recently observed malicious activity, a fake government application was found to be targeting Android users in India.

ALERTS

VIRUS
7.6.25 Chaos RAT malware A new Golang-based 5.0.3 variant of the Chaos RAT (Remote Access Trojan) has been recently discovered in the wild.

ALERTS

VIRUS
7.6.25 Increased activity of DCRAT malware in Latin America DCRAT (aka Dark Crystal RAT) is a modular RAT (Remote Access Trojan) that has been offered for sale under the Malware-as-a-Service (MaaS) model for the last several years.

ALERTS

VIRUS
7.6.25 AMOS malware for macOS spread via Clickfix social engineering techniques A new campaign delivering the AMOS malware for macOS has been reported to leverage Clickfix social engineering techniques.

ALERTS

VIRUS
7.6.25 Fake CAPTCHAs deliver multi-stage PowerShell downloaders CAPTCHAs are used to determine whether a website visitor is a human or a bot. Malware campaigns have introduced fake CAPTCHAs into the attack chain to encourage interaction by the intended victim. ClickFix is a name often given to such behavior.

ALERTS

VIRUS
7.6.25 ViperSoftX activity continues via fake software According to recent reports, ViperSoftX continues to circulate widely across the globe, with a noticeable uptick in South Korea.

ALERTS

VIRUS
7.6.25 CVE-2025-27920 - Srimax Output Messenger Directory Traversal vulnerability CVE-2025-27920 is a recently discovered directory traversal vulnerability affecting Srimax Output Messenger software.

ALERTS

VULNERABILITY
4.6.25 New campaigns delivering Crocodilus mobile malware A new variant of the Crocodilus mobile malware has been spread in recent campaigns targeting users in Europe and South America.

ALERTS

CAMPAIGN
4.6.25 CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability CVE-2023-38950 is a path traversal vulnerability affecting ZKTeco BioTime which is a web-based time and attendance management software.

ALERTS

VULNERABILITY
4.6.25 Exploiting the hype around popular AI tools to distribute various malware via fraudulent installers Threat Actors are exploiting the hype around AI to distribute various malware strains. By capitalizing on the public's eagerness to access popular AI tools (such as ChatGPT, Copilot, DALL-E, Gemini, Midjourney, and Sora) Threat Actors are creating convincing but fraudulent installers.

ALERTS

AI
4.6.25 Telegram-Based Email Credential Theft – Fake FedEx Invoice Campaign Shipping companies are frequently exploited in social engineering attacks due to their global recognition, trusted brand image, and association with package notifications, invoices, and delivery updates—topics that easily trigger urgency, curiosity, and user interaction. These characteristics make them prime targets for phishing and credential theft campaigns.

ALERTS

CAMPAIGN
4.6.25 EddieStealer delivered through ClickFix EddieStealer is a Rust-based information stealer malware which has recently been observed as the payload of ClickFix campaigns.

ALERTS

VIRUS
4.6.25 Latest PureHVNC RAT deployment campaigns New campaigns delivering the PureHVNC RAT have been reported in the wild. The threat actors conduct multi-stage operations and make use of miscellaneous components in their attacks, including malicious .lnk files, PowerShell code, JavaScript, AutoIt, etc.

ALERTS

CAMPAIGN
4.6.25 Python-based Lyrix Ransomware Lyrix ransomware is a new Python-based ransomware discovered in underground forums. It behaves in a manner similar to most current ransomware families.

ALERTS

RANSOM
4.6.25 New Katz Stealer malware-as-a-service compromises Web browsers Katz Stealer operates as a multi-feature credential-stealing Malware-as-a-Service, designed for extensive system reconnaissance and data theft. It targets a vast array of sensitive information, including saved passwords, cookies, and session tokens from popular web browsers (Chrome, Edge, Brave, Firefox), cryptocurrency wallet files, and private keys via keyword matching.

ALERTS

VIRUS
4.6.25 Earth Lamia exploits various SQL injection vulnerabilities APT threat actor Earth Lamia exploits vulnerabilities in web applications to gain access to organizations, using various SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations for data exfiltration.

ALERTS

APT
4.6.25 Recent VenomRAT activity Recent activity attributed to the VenomRAT malware has been spotted in the wild. The malware is spread from a phishing website disguised as an AV software download page.

ALERTS

VIRUS
4.6.25 PumaBot - a new botnet on the rise PumaBot is a new Go-based botnet strain identified recently in the wild. Unlike some more common botnet variants, PumaBot does not rely on scanning the Internet for vulnerable devices but instead targets very specific ones via a list of IP addresses retrieved from the attacker C2 servers.

ALERTS

BOTNET
4.6.25 Zanubis mobile malware latest activity Zanubis is an Android banking malware active in the threat landscape since at least 2022. The malware has been known to mostly target banks and financial entities in South America, but it has also expanded its scope over time, adding theft of virtual cards and cryptocurrency to its portfolio.

ALERTS

VIRUS

4.6.25 AsyncRAT malspam campaigns observed We've recently observed some malspam campaigns leveraging multiple downloads, starting with box.com, to deliver an AsyncRAT payload.

ALERTS

VIRUS
4.6.25 Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress Fancy Bear (aka APT28, Sofacy, Pawn Storm, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127) is a Russian Threat Actor group that uses spearphishing to deliver SpyPress, a malicious JavaScript payload, by exploiting cross-site scripting (XSS) vulnerabilities in webmail interfaces to exfiltrate sensitive email data from high-value webmail servers.

ALERTS

PHISHING
4.6.25 Bofamet Stealer malware Bofamet is a new Python-based infostealer found in the wild. The malware collects miscellaneous information from the compromised endpoints including: credentials, system information, browser cookies, Telegram session data, Discord tokens, screenshots, Steam configuration files, etc.

ALERTS

VIRUS
28.5.25 AppleProcessHub infostealer for macOS AppleProcessHub is the name of a new infostealer variant targeting the macOS platform and masquerading as a system process.

ALERTS

VIRUS
28.5.25 Swan Vector APT campaign A new APT campaign, dubbed "Swan Vector", has been targeting East Asian nations, particularly Japan and Taiwan.

ALERTS

APT
28.5.25 StarFire Ransomware Demands $3,000 in Bitcoin A group or individual calling themselves "StarFire" has recently emerged in the threat landscape, targeting individual machines with ransomware.

ALERTS

RANSOM
28.5.25 DoubleLoader malware DoubleLoader is a new malware family recently identified in the wild. Its main functionality, similarly to other loader variants, is to retrieve malicious payloads from attacker-controlled servers and to execute them on the compromised endpoints.

ALERTS

VIRUS
28.5.25 Another Fake CAPTCHA campaign leads to a range of stealers and RATs There have been reports of another campaign involving fake CAPTCHA pages to deceive users into executing malicious commands via the Windows Run dialog.

ALERTS

VIRUS
23.5.25 Vidar and StealC infostealers delivered via social engineering A new campaign distributing Vidar and StealC infostealers variants has been reported by the researchers from Trend Micro. The attackers are leveraging social engineering techniques with the use of TikTok videos in an attempt to entice users into running arbitrary PowerShell commands.

ALERTS

VIRUS
23.5.25 Dero cryptominer delivered to vulnerable Docker containers A new campaign delivering a Dero cryptocurrency miner to vulnerable Docker containers has been reported in the wild. While abusing exposed Docker APIs, the attackers inject two malware components called "nginx" and "cloud". The deployed cryptominer is written in Golang and based on the open-source DeroHE CLI miner project.

ALERTS

CRYPTOCURRENCY
23.5.25 TetraLoader distributed in the UAT-6382 campaign According to a recent report from Cisco Talos, a new malicious activity dubbed UAT-6382 has been delivering a new malware called TetraLoader to its victims. The attackers have been leveraging a Cityworks RCE vulnerability (CVE-2025-0994) to get access to the targeted environments and perform initial reconnaissance.

ALERTS

VIRUS
23.5.25 Rhadamanthys delivered via phishing campaign In a recently observed phishing campaign, we saw attackers attempting to deliver a Rhadamanthys stealer payload by way of a legal lure. Under the guise of a copyright infringement notification, the victim is encouraged to access a PDF for further details.

ALERTS

CAMPAIGN
22.5.25 SideWinder APT using old Office Vulnerabilities A new cyber-espionage campaign by APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers leverage spear-phishing lures paired with geofenced payloads to ensure that only victims in specific countries receive the malicious content. To activate the infection process and deploy the StealerBot malware, a combined exploitation of old vulnerabilities (CVE-2017-0199 and CVE-2017-11882) takes place.

ALERTS

APT
23.5.25 GhostSpy Android malware GhostSpy is a mobile malware variant recently seen being actively distributed in the wild. Similarly to other prevalent mobile malware strains, GhostSpy leverages Android Accessibility Services in order to sideload malicious .apk packages on the targeted devices.

ALERTS

VIRUS
23.5.25 Fake KeePass installers distributed in attacks targeting ESXi environments KeePass is a popular open source password manager application. Recently there have been reports about an ongoing campaign distributing fake KeePass installers targeted at ESXi environments.

ALERTS

HACKING
23.5.25 CVE-2024-7399 & CVE-2025-4632 - Samsung MagicINFO vulnerabilities CVE-2024-7399 is an unauthenticated remote code execution (RCE) vulnerability affecting the Samsung MagicINFO 9 Server. The flaw enables attackers to upload malicious .jsp files via unauthenticated POST requests effectively allowing them to execute arbitrary OS commands as a result.

ALERTS

VULNERABILITY
23.5.25 Spoofed Japan's e-Tax email notifications appear in phish runs E-Tax is the National Tax Agency's online tax website that helps to file tax returns and pay national corporation taxes. Recently, Symantec has observed phishing attempts mimicking e-Tax, enticing users to open fake notification emails.

ALERTS

PHISHING
23.5.25 Malvertising lures victims to fake Kling AI website Threat Actors use social media malvertising to lure victims to fake pages impersonating Kling AI platform. The campaign directs visitors to use the platform to create AI-generated images and videos.

ALERTS

AI
23.5.25 Trojanized installer delivers Bumblebee loader It was recently observed that the installer package for the RVTools application was trojanized with a Bumblebee loader DLL. RVTools is a free utility that collects and displays a multitude of information related to Virtual Machines in VMware environments.

ALERTS

VIRUS
23.5.25 Russia-Ukraine conflict comes into the picture in a new Binance phishing wave Binance is one of the world's major cryptocurrency exchanges, allowing users to buy, sell and trade various digital assets, including Bitcoin, Ethereum, and altcoins. Lately, Symantec has observed phish runs that impersonate Binance services and entice users to open fake notification emails.

ALERTS

PHISHING
16.5.25 Stealthy Shellcode loader executes Remcos RAT in Fileless Attack Chain A sophisticated fileless malware campaign has been observed leveraging PowerShell to deploy the Remcos RAT. The attack begins with malicious LNK files embedded in ZIP archives, often masquerading as Office documents. These trigger obfuscated VBScript via mshta.exe leading to the in-memory execution of a PowerShell script.

ALERTS

VIRUS
16.5.25 Earth Ammit cyber espionage campaigns The Threat Actor known as Earth Ammit launched two distinct cyber espionage campaigns (dubbed VENOM and TIDRONE) across Central Asia, Southeast Asia, and Eastern Europe. These campaigns strategically target government entities and critical infrastructure - such as software service providers and upstream vendors across several critical sectors, including heavy industry, media, technology, healthcare, and military.

ALERTS

CAMPAIGN
16.5.25 TransferLoader malware TransferLoader is a newly identified malware loader active since February 2025, consisting of three components: a downloader, a backdoor and a backdoor loader. It uses advanced evasion techniques such as anti-debugging, runtime string decryption and junk code insertion to avoid detection and complicate reverse engineering.

ALERTS

VIRUS
16.5.25 New DarkCloud malware uses AutoIt obfuscation in targeted attacks According to a report published by Palo Alto Networks Unit 42, a new variant of the DarkCloud Stealer malware has been observed primarily targeting government organizations worldwide. The attack typically begins with phishing emails containing either a RAR archive or a PDF which prompts victims to download a malicious archive disguised as a software update.

ALERTS

VIRUS
16.5.25 Chihuahua Stealer malware Chihuahua Stealer is a new .NET-based infostealer distributed via a multi-staged campaign. The attackers leverage malicious documents hosted on the Google Drive repository and malicious PowerShell scripts to initiate the infection chain. The final payload - Chihuahua Stealer is delivered from a OneDrive repository path and has the functionality to collect and exfiltrate various sensitive data from the compromised endpoints including system information, data stored in the system web browsers, cryptocurrency wallet information, etc.

ALERTS

VIRUS
16.5.25 PupkinStealer: A .NET-based Malware PupkinStealer, a .NET-based malware has been observed being distributed via phishing emails containing malicious attachments or links. Targeting Windows users, the malware is capable of stealing sensitive data from Chromium-based browsers, Telegram, Discord, email clients, clipboard contents and more. The stolen data is compressed into a ZIP archive and exfiltrated using the Telegram Bot API.

ALERTS

VIRUS
13.5.25 BTMOB RAT According to recent reports, BTMOB RAT has resurfaced and now aims to steal Alipay PINs by mimicking the app’s interface. It spreads via phishing sites disguised as popular services and uses fake apps to lure victims.

ALERTS

VIRUS
13.5.25 Noodlophile Stealer spread under the disguise of fake AI tools An infostealing variant dubbed Noodlophile Stealer has been recently distributed in campaigns leveraging lures of AI video generators. The attackers have been advertising their fake AI platforms via social media platforms. The users are first asked to upload either photos or video for the AI to enhance and then are served with a download link for the supposedly edited content.

ALERTS

VIRUS
13.5.25 Astryrean Stealer malware Astryrean Stealer is a new Python-based infostealer recently identified in the wild. The malware targets collection and exfiltration of a wide variety of confidential or sensitive information including: compromised system information, data stored in system web browsers, Discord tokens or screenshots, among others.

ALERTS

VIRUS
13.5.25 More_eggs served by Venom Spider In a recent campaign, the threat actor known as "Venom Spider" has been targeting corporate hiring managers and recruiters with a complex spear-phishing scheme that capitalizes on the need for such users to open email attachments or click on links to review an applicant's resume.

ALERTS

CAMPAIGN
9.5.25 Earth Kasha threat actor targets Taiwan and Japan in a recent campaign As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file.

ALERTS

APT
9.5.25 Deployment of RMM tools in malicious campaigns targeting Brazil A new malicious campaign targeting users from Brazil has been reported by researchers from Cisco Talos. The attackers leverage a variety of commercial Remote Monitoring and Management (RMM) tools such as PDQ Connect and N-able remote access software.

ALERTS

VIRUS
9.5.25 Mamona Ransomware Mamona Ransomware is a newly discovered threat in the commodity ransomware landscape that operates entirely offline, with no external communication or data exfiltration. The malware uses custom encryption routines to encrypt user files, renaming them with the .HAes extension.

ALERTS

RANSOM
9.5.25 Mail campaign delivers Java-based RAT A malicious email campaign was recently observed targeting organizations in Italy, Portugal, and Spain. The campaign leveraged a Spanish email service provider in an effort to legitimize the emails which contained a PDF attachment.

ALERTS

VIRUS

9.5.25 LZRD - the latest Mirai variant distributed in the wild New campaigns distributing the Mirai botnet have been reported in the wild. The malware exploits two command injection vulnerabilities affecting GeoVision IoT devices that were disclosed last year - CVE-2024-6047 and CVE-2024-11120.

ALERTS

BOTNET
9.5.25 CVE-2025-31324 - a critical SAP NetWeaver vulnerability CVE-2025-31324 is a recently disclosed critical (CVSS score 10) unrestricted file upload vulnerability affecting the SAP NetWeaver Visual Composer.

ALERTS

VULNERABILITY
9.5.25 CVE-2025-32433 - Erlang/OTP SSH RCE vulnerability CVE-2025-32433 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Erlang/OTP which is a set of libraries for the Erlang programming language. If successfully exploited, the flaw might allow unauthenticated attackers to gain access to affected Erlang/OTP SSH servers and execute arbitrary commands.

ALERTS

VULNERABILITY
9.5.25 Bert Ransomware In April, a new ransomware actor known as "Bert" was observed operating in the wild and allegedly claimed several organizations as victims, including those in the Healthcare, Technology, and Event Services sectors across the US and Turkey.

ALERTS

RANSOM
9.5.25 NETXLOADER - a new loader used by the Agenda ransomware group In a recent report, details about a new malware loader named NETXLOADER have been shared. This loader, along with SmokeLoader, has been used in attacks perpetrated by the Agenda ransomware group.

ALERTS

VIRUS
9.5.25 Threat Actors use Pahalgam attack in malicious campaign In a strategic approach to exploiting current events, threat actors are targeting Indian government personnel with decoy documents referencing the recent Pahalgam attack in a malicious campaign.

ALERTS

VIRUS
9.5.25 FormBook malware distributed via weaponized Word Docs A recent attack beginning with phishing emails containing malicious MS Word documents as attachments has been observed. Social engineering plays a part in luring users to click on the weaponized attached document.

ALERTS

VIRUS
9.5.25 Balloonfly ransomware group leveraged 0-day in attack The Symantec Threat Hunter team recently observed activity which can be attributed to the Balloonfly attack group. This group is typically responsible for distributing Play ransomware.

ALERTS

VULNERABILITY
9.5.25 CVE-2025-34028: Commvault Command Center Path Traversal Vulnerability CVE-2025-34028 is a critical vulnerability found in the Command Center installation, enabling remote attackers to execute arbitrary code without authentication.

ALERTS

VULNERABILITY
9.5.25 Notaires de France Impersonated in Telegram-based Phishing Campaign Symantec has identified a credential phishing campaign leveraging malicious HTML that mimics official French notarial services - a professional body of state-appointed legal officers, known as notaires. It serves as a central information hub for legal matters in France involving notarized acts.

ALERTS

PHISHING
9.5.25 StealC V2: Enhanced capabilities An enhanced version of the popular information stealer, StealC, has been observed. It features an upgraded control panel, a streamlined JSON-based C2 communication protocol and expanded payload delivery options including MSI packages and PowerShell scripts.

ALERTS

VIRUS
9.5.25 TerraStealerV2 and TerraLogger malware families Two new malware families, TerraStealerV2 and TerraLogger, have been reported in the wild and are associated with the financially motivated threat group Golden Chickens.

ALERTS

VIRUS
9.5.25 Tax season targeted by modified Stealerium Infostealer As U.S. tax day approaches, threat actors have been observed exploiting the season by distributing a modified version of the Stealerium infostealer through phishing emails. Malicious LNK files, disguised as tax-related documents like tax forms, lure users into executing a Base64-encoded PowerShell script.

ALERTS

VIRUS
2.5.25 MintsLoader: The loader powering TAG-124's targeted campaigns MintsLoader, a sophisticated loader first observed in 2024, is used by TAG-124 more extensively than by any other threat actor to deploy malicious payloads such as GhostWeaver, StealC and a modified BOINC client. These attacks primarily target sectors including industrial, legal and energy.

ALERTS

VIRUS
2.5.25 Discovery Bank Impersonated in FICA-Themed Smishing Scam Discovery Bank, a well-known digital bank in South Africa, has had its brand abused by a group or individual in a recent smishing campaign aimed at harvesting mobile users' banking credentials. The attack begins with a malicious SMS that leverages FICA (Financial Intelligence Centre Act in South Africa) compliance as a lure.

ALERTS

PHISHING
2.5.25 ClickFix social engineering tactic being used by various APT groups ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms.

ALERTS

APT
2.5.25 Iranian threat actor targeted critical Middle Eastern infrastructure Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East.

ALERTS

APT
2.5.25 Spear phishing campaign targets WUC with trojanized Uyghur Text Editor A spear phishing campaign delivering surveillance malware targeting high profile members of the World Uyghur Congress (WUC) has been reported. As part of the attack, a trojanized version of a legitimate Uyghur language text editor is used to gain remote access, collect system information, and manipulate files.

ALERTS

PHISHING
2.5.25 Pentagon Stealer Pentagon Stealer is a recently identified malware strain built using both Python and Golang, engineered to exfiltrate a broad array of sensitive information. It primarily targets browser credentials, cookies, cryptocurrency wallet data and authentication tokens from apps like Discord and Telegram.

ALERTS

VIRUS
2.5.25 Hannibal Infostealer Hannibal Infostealer is a sophisticated malware observed in the wild, rebranded from the Sharp and TX stealer families. Developed in C#, it targets both Chromium and Gecko-based browsers, extracting sensitive data while bypassing browser protection.

ALERTS

VIRUS
2.5.25 TypeLib hijacking via Teams A Microsoft Teams phishing campaign was found to spread a unique PowerShell backdoor in recent attacks. The Threat Actor known as Storm-1811 initiates the attack by employing social engineering tricks on a targeted employee via Microsoft Teams chat, posing as internal IT support staff.

ALERTS

PHISHING
2.5.25 Gremlin Stealer Gremlin Stealer is a new C#-based malware variant recently discovered by the researchers from Palo Alto. Gremlin Stealer is currently advertised for sale via Telegram channels.

ALERTS

VIRUS
2.5.25 CVE-2025-24054 - NTLM vulnerability exploited in the wild CVE-2025-24054 is a recently disclosed vulnerability related to NTLM (New Technology LAN Manager) hash disclosure via spoofing. With the help of crafted .library-ms files, an unauthorized attacker might be able to perform spoofing over the network.

ALERTS

VULNERABILITY