The FBI is warning people that hackers are going after old Wi-Fi routers that aren't getting updates anymore. These outdated routers are easy to break into because they have known problems that haven't been fixed. Once the hackers get in, they install malware that lets them use the routers to hide their real location while doing illegal stuff online.

FreeDrain is a large-scale, sophisticated cryptocurrency phishing campaign that has operated for several years, silently stealing digital assets by exploiting weaknesses in free-tier web infrastructure, search engine optimization, and user trust in legitimate platforms.

Vishing, or voice phishing, is a social engineering attack that manipulates victims into revealing confidential information over the phone, often after being lured in by fake emails, PDFs, or image attachments.

Ransomware affiliates, including those linked to Qilin and Hunters International, have been observed using the legitimate employee monitoring software Kickidler as a stealthy reconnaissance tool after breaching enterprise networks.

On May 7, 2025, the LockBit ransomware operation suffered a major blow when unknown actors defaced its dark web infrastructure, replacing the usual content with a provocative message: “Don't do crime CRIME IS BAD xoxo from Prague.” Accompanying the message was a link to download a file titled “paneldb_dump.zip,” which contained a MySQL database dump from LockBit's affiliate management panel.

A novel malware campaign has been uncovered by Morphisec researchers, leveraging the popularity of artificial intelligence to distribute a new information stealer named Noodlophile Stealer that's often bundled with XWorm to establish deeper control. Cybercriminals are creating deceptive fake AI platforms, advertised on social media platforms like Facebook, to lure unsuspecting users with promises of free AI video and image generation.

This was shared with the IT-ISAC by our friends over at the E-ISAC. Sharing for your situational awareness.

Google's Threat Intelligence Group has discovered a new malware strain named LOSTKEYS, linked to the Russian state-sponsored group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). This malware is designed to exfiltrate files from targeted directories based on specific extensions, collect system information, and report running processes to the attacker.

Trend Micro researchers have uncovered significant developments in the operations of the Agenda ransomware group, also known as Qilin, highlighting their use of the well-known SmokeLoader and a newly identified .NET-based loader named NETXLOADER.

Global ransomware attacks experienced a notable decrease in April 2025, falling to 450 incidents from 564 in March, marking the lowest amount since November 2024. This decline is at least partially attributed to significant shifts within prominent Ransomware-as-a-Service (RaaS) groups, causing affiliates to migrate to new operators.

The U.S. government is warning that hackers are going after really important oil and gas systems in the country. These hackers aren't even using super advanced techniques—they're using pretty basic stuff—but because a lot of these systems aren't well protected, the attacks can still cause serious problems.

In April 2025, the Akamai Security Intelligence and Response Team (SIRT) identified active exploitation of two critical command injection vulnerabilities, CVE-2024-6047 and CVE-2024-11120, targeting discontinued GeoVision IoT devices.

In an attempted attack against a U.S. organization, threat actors linked to the Play ransomware group (Balloonfly) exploited a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS) driver to gain elevated privileges.

In March 2025, Resecurity identified a new smishing kit called "Panda Shop," closely tied to Smishing Triad operations. The kit, marketed through Telegram bots and channels, supports multiple smishing templates and integrates with platforms like Apple Pay and Google Wallet to steal personal and financial information.

Proofpoint has identified a notable surge in high-volume Japanese language phishing campaigns targeting organizations in Japan. These campaigns utilize a sophisticated phishing kit, dubbed CoGUI, to impersonate popular Japanese consumer and payment brands like Amazon, PayPay, and Rakuten.

The Luna Moth threat group, also known as Silent Ransom Group, has significantly escalated its data-theft extortion campaigns, particularly targeting legal and financial institutions in the United States.

UNC3944, also known through public reporting as Scattered Spider, is a financially motivated threat actor known for its aggressive use of social engineering and direct engagement with victims.

Mamona is a new commodity ransomware variant that does all its activities offline, therefore remaining silent and harder to be detected. It neither talks to any outside servers nor exfiltrates data—instead, it locally encrypts data with custom-made encryption routines.

Researchers at Mnemonic have shed light on a global phishing-as-a-service operation that has been responsible for stealing approximately 884,000 credit card details to date.

Arctic Wolf Labs has uncovered a recent phishing campaign executed by the financially motivated threat actor Venom Spider (TA4557, GoldenChickens) that leverages the job hiring process to spread the More_eggs backdoor.

Socket's Threat Research Team uncovered a stealthy and highly destructive supply-chain attack that targeted the Go module ecosystem, exploiting its decentralized nature.

Threat actors are actively exploiting a free PDF utility, PDFast, to distribute malware via a malicious executable embedded in the installation process. This activity has been independently detected and analyzed by both Todyl's MXDR team and Lumifi Cyber, with indicators of compromise observed in multiple environments since at least April 9, 2025.

A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 maliciously backdoored third-party extensions, some of which were injected with malicious code as early as 2019.

Researchers at Recorded Future found two new types of malware made by a cybercriminal group called Golden Chickens. These hackers are known for selling malware to other criminals online.

Recorded Future's Insikt Group has identified two novel malware families, TerraStealerV2 and TerraLogger, and attributed their use to the financially motivated threat actor Golden Chickens (AKA Venom Spider).

StealC V2 is the latest version of the information stealer and malware downloader originally introduced in January 2023, with significant upgrades released in March 2025.

Mints Loader is a modular and evasive malware loader leveraged by cybercriminals and advanced persistent threat actors to deploy secondary payloads in highly targeted attacks.

The U.S. Department of Justice has indicted Rami Khaled Ahmed, a 36-year-old Yemeni national, for developing and operating the 'Black Kingdom' ransomware, which was used in approximately 1,500 cyberattacks on vulnerable Microsoft Exchange servers in the U.S. and internationally.

Security researchers recently flagged a huge spike in online subscription scams—and these aren't the sloppy, obvious cons people might remember from the past. This time, scammers have gone all-in, creating fake stores that look and feel incredibly real, even down to running Facebook ads and impersonating popular content creators.

Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking cyber espionage group active since mid-2019. The group primarily targets critical infrastructure, government agencies, political leaders, and NATO-related defense organizations, driven by geopolitical motives.

Ongoing attacks leveraging zero-day vulnerabilities have been observed by Orange Cyberdefense's CSIRT targeting Craft CMS, exploiting the two distinct vulnerabilities sequentially to upload a PHP file manager. The initial exploit uses CVE-2025-32432, a remote code execution flaw in Craft CMS itself that carries a critical CVSS score of 10.0. Attackers leverage this by sending a request with a "return URL" that is saved in a PHP session file.

In March 2025, senior leaders of the World Uyghur Congress (WUC)—a group made up of Uyghurs living outside of China who speak out about the treatment of Uyghurs—were targeted in a cyberattack.

Cisco Talos investigates why cybercriminals are increasingly bypassing multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks using reverse proxies, allowing them to steal credentials and authentication cookies.

Between late 2021 and early 2024, the service LabHost quietly propagated to become one of the most popular tools used by internet scammers. Before it was shut down by law enforcement in April of 2024, LabHost helped cyberthieves deliver phishing campaigns globally.

A phishing campaign disguised as official communication from the U.S. Social Security Administration has been uncovered, aiming to trick recipients into downloading ScreenConnect, a legitimate remote access tool commonly used for IT support.

Nullpoint-Stealer is a newly released, sophisticated information-stealing malware toolkit hosted on GitHub by a user named monroe31s. Nullpoint-Stealer has been marketed as an educational cybersecurity tool but has raised significant concerns due to its advanced capabilities and potential for misuse.

Back in 2022, cybersecurity researchers discovered an advanced threat group, now known as TheWizards, that has been carrying out targeted attacks using a set of custom tools designed to hijack software updates and spy on victims. One of their tools, called Spellbinder, uses a technique called SLAAC spoofing to perform adversary-in-the-middle (AitM) attacks over IPv6 networks.

Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking cyber espionage group active since mid-2019. The group primarily targets critical infrastructure, government agencies, political leaders, and NATO-related defense organizations, driven by geopolitical motives.

In March 2025, Earth Kasha, an advanced persistent threat (group linked to China and considered part of the broader APT10 umbrella—launched a spear-phishing campaign targeting government agencies and public institutions in Taiwan and Japan. This operation appears to be part of an ongoing cyberespionage effort, building upon previous campaigns observed in 2024.

Researchers at Group-IB have released a new blog post, providing a detailed analysis of RansomHub, a prominent Ransomware-as-a-Service (RaaS) operation that surfaced in early 2024. Built on the foundation of the defunct Knight (formerly Cyclops) ransomware, RansomHub offers a highly adaptable encryptor capable of targeting a broad range of systems, including Windows, Linux, FreeBSD, ESXi, and ARM-based architectures.

SentinelOne has observed a sustained and diverse range of cyber intrusion attempts targeting its environment, highlighting a critical but often overlooked risk surface: security vendors themselves. As a leading cybersecurity company, SentinelOne has become a high-value target for both financially motivated cybercriminals and advanced nation-state threat actors.

VeriSource Services Inc. (VSI), a company that helps businesses administer employees' benefits, was hacked in February 2024. Hackers stole sensitive personal information of about 4 million people, including employees and their families, on Feb. 27. The stolen data included names, addresses, birth dates, gender, and Social Security numbers in some cases.

Ongoing attacks leveraging zero-day vulnerabilities have been observed by Orange Cyberdefense's CSIRT targeting Craft CMS, exploiting the two distinct vulnerabilities sequentially to upload a PHP file manager. The initial exploit uses CVE-2025-32432, a remote code execution flaw in Craft CMS itself that carries a critical CVSS score of 10.0.

In March 2025, senior leaders of the World Uyghur Congress (WUC)—a group made up of Uyghurs living outside of China who speak out about the treatment of Uyghurs—were targeted in a cyberattack. The attackers used a fake version of a real Uyghur-language word processing app to trick people into downloading malware (bad software). This malware allowed the attackers to spy on people's computers.

In 2024, the Google Threat Intelligence Group observed a total of 75 zero-day vulnerabilities exploited in the wild, reflecting a gradual upward trend despite a slight decline from the previous year.

Recently, cybersecurity experts at Unit 42 discovered a new piece of malware called Gremlin Stealer that has been spreading online since March 2025. It's written in a computer language called C# and is designed to steal all kinds of personal data from people's computers without them knowing.

In a major victory for international cybercrime enforcement, two individuals have been arrested following a three-year investigation into JokerOTP, a phishing tool designed to intercept two-factor authentication (2FA) codes and facilitate large-scale bank fraud.

A serious security lapse saw employee monitoring software WorkComposer leave over 21 million screenshots vulnerable by making them freely available on an unsecured Amazon AWS S3 bucket.

In December 2024, an open directory (hosted at 194.48.154.79:80) was identified by The DFIR Report's Threat Intel Group, likely associated with an operator of the Fog ransomware group, which emerged in mid-2024. The exposed directory contained a significant arsenal of tools designed for reconnaissance, exploitation, credential theft, and command-and-control activities.

In response to intensified global law enforcement crackdowns, ransomware groups such as DragonForce and Anubis have adopted innovative affiliate models to remain operational. DragonForce, which began as a conventional ransomware-as-a-service (RaaS) operation, rebranded itself as a “cartel” and introduced a distributed affiliate branding model that allows affiliates to create their own ransomware brands while leveraging DragonForce's infrastructure and support services.

SAP has pushed out an emergency out-of-band update for a serious vulnerability in NetWeaver Visual Composer, tracked as CVE-2025-31324. The flaw is rated critical with a CVSS score of 10.0 and is already being actively exploited in the wild.

In January 2025, Ivanti released patches to address an actively exploited zero-day vulnerability impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Tracked as CVE-2025-0282, the flaw pertains to a stack-based buffer overflow and could allow actors to gain unauthenticated remote code execution on vulnerable appliances.

Okta Threat Intelligence has released a blog post regarding the in-depth research they conducted into online services used by individuals identified by US authorities and trusted third parties as agents for the Democratic People's Republic of Korea (DPRK). North Korean nationals are increasingly relying on generative artificial intelligence to obtain remote technical employment worldwide.

Trend Micro uncovered a sophisticated cyber-espionage campaign known as Earth Kurma, attributed to a new APT group targeting government and telecommunications sectors in Southeast Asia, specifically in the Philippines, Vietnam, Thailand, and Malaysia.

Following the death of Pope Francis, cybercriminals swiftly launched opportunistic malicious campaigns, exploiting the surge in public curiosity and emotional reactions. This tactic, known as “cyber threat opportunism” mirrors previous threat activity observed during major events such as the death of Queen Elizabeth II, the COVID-19 pandemic, and natural disasters.

Chief Deputy Attorney General Steven Popps communicated to staff via email that the majority of the office's IT resources, which included vital systems such as email, virtual private network access, internet connectivity, and the attorney general's website were rendered inoperative, as reported by the Washington Post.

A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.

Last week, a critical vulnerability, CVE-2025-32433, was identified in the SSH implementation of Erlang/OTP, a framework crucial for building high-availability real-time systems in critical verticals like banking and communications. This flaw allows unauthenticated attackers to gain initial access and execute arbitrary code, leading to full compromise of hosts, data breaches and data manipulation, and denial-of-service attacks.

Void Dokkaebi, also known as Famous Chollima, is a financially motivated threat group primarily focused on stealing cryptocurrency from software developers and blockchain enthusiasts through carefully crafted social engineering campaigns.

SessionShark is an advanced phishing kit that enables cybercriminals to bypass Microsoft Office 365 multi-factor authentication by stealing session tokens, granting unauthorized access even without the user's one-time passcode.

Malicious actors are increasingly exploiting Google Forms due to its widespread use, trusted reputation, and user-friendly design. Since its launch in 2008, Google Forms has gained nearly 50% of the form-building market, making it an attractive target for cybercriminals.

South Korea's largest mobile network operator, SK Telecom, has confirmed that a data breach occurred that targeted the USIM (Universal Subscriber Identity Module) data of the users.

In 2023, Cisco Talos uncovered a sophisticated compromise within a critical infrastructure enterprise, orchestrated by a blend of threat actors operating in a staged intrusion. Initial access was brokered by a financially motivated actor dubbed ToyMaker, who exploited vulnerable internet-facing systems to deploy a custom backdoor named LAGTOY.

In October 2024, the Iran-aligned threat actor UNC2428 launched a social engineering campaign targeting individuals in Israel by posing as recruiters from the Israeli defense contractor Rafael.

Since early March 2025, Volexity has observed a phishing campaign carried out by at least two Russian threat actors, UTA0352 and UTA0355, targeting individuals and organizations with ties to Ukraine and human rights.

A newly discovered flaw disclosed by researchers at Cyberdom Blog poses a significant security risk to Windows users and organizations that employ the Windows Update mechanism for feature and security updates, as it is the core component responsible for managing them.

Trend Micro researchers recently analyzed a new wave of FOG ransomware samples being distributed via phishing campaigns. A total of nine samples were uploaded to VirusTotal between March 27 and April 2, each embedded in a ZIP file named “Pay Adjustment.zip” containing a malicious LNK file disguised as a PDF.

Lumma Stealer, a sophisticated information-stealing malware first discovered in 2022, continues to evolve as a formidable threat in the cyber landscape. Distributed via a Malware-as-a-Service (MaaS) model on dark web marketplaces, Lumma is engineered with advanced evasion tactics, such as anti-sandboxing, virtual machine detection, and obfuscation. I

Two significant data breaches have recently been confirmed within the healthcare sector, each impacting over 100,000 individuals after being targeted by ransomware attacks.

Varonis researchers have disclosed a proof-of-concept attack known as “Cookie-Bite”, which leverages a malicious Chrome extension to steal session cookies from Azure Entra ID, allowing adversaries to bypass multi-factor authentication and maintain persistent access to Microsoft cloud services like Microsoft 365, Outlook, and Teams.

Researchers found that hackers exploited a flaw in Google's systems to send convincing phishing emails that passed all standard authentication checks. The attackers used Google's infrastructure to send a fake email, appearing to come from “no-reply@google[.]com,” which passed DomainKeys Identified Mail (DKIM) verification but pointed to a fraudulent login page designed to steal credentials.

Researchers at Trail of Bits have uncovered details of a sophisticated social engineering campaign orchestrated by the threat actor known as ELUSIVE COMET, notorious for stealing millions in cryptocurrency.

Researchers at Palo Alto Networks' Unit 42 have observed evidence of North Korean IT workers utilizing real-time deepfake technology to infiltrate organizations by leveraging remote work job positions, which poses a myriad of challenges for defenders.

The FBI has issued a detailed public service announcement warning about a persistent scam in which cybercriminals impersonate employees of the FBI's Internet Crime Complaint Center (IC3) to exploit individuals who were previously targeted by fraud.

The Interlock ransomware gang has recently adopted the ClickFix technique, a deceptive social engineering method that tricks users into running malicious PowerShell commands under the pretense of fixing errors or verifying their identity.

StrelaStealer, first uncovered in 2022, is a sophisticated information-stealing malware designed to extract email account credentials from widely used email clients like Microsoft Outlook and Mozilla Thunderbird. It is primarily distributed through large-scale phishing campaigns, which deliver ZIP archives containing malicious JavaScript files.

A significant security incident involving Amazon Web Services has been uncovered, revealing an ongoing ransomware campaign leveraging approximately 1,200 compromised AWS access keys.

CVE-2025-32433 is a newly disclosed critical vulnerability in the Erlang/OTP SSH application that enables unauthenticated remote code execution, posing a serious risk to any system running the affected software. Assigned a perfect CVSS score of 10.0, the flaw was discovered by researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk from Ruhr University Bochum in Germany.

In December 2024, Palo Alto Networks researchers uncovered a highly structured, multi-stage malware campaign that relied on layered delivery mechanisms to distribute variants of Agent Tesla, Remcos RAT, and XLoader.

This article investigates Network Time Protocol (NTP), which typically operates over UDP port 123. While this might seem like a simple utility for keeping computer clocks synchronized, its fundamental role in network operations creates unique opportunities for covert communication.

Apple released security advisories on Wednesday for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, that have been observed being actively exploited in the wild.

Summary: In 2024, small and midsized businesses continued to be significant targets for cybercriminals, with ransomware standing out as the most prominent threat. Sophos reported that ransomware was responsible for 70% of its Incident Response cases involving small businesses and over 90% for midsized organizations.

Between late 2024 and early 2025, Proofpoint researchers observed a notable trend in which multiple state-sponsored threat actors, including groups from North Korea, Iran, and Russia began using the ClickFix social engineering technique, which was previously popular among cybercriminals.

CVE-2025-24054 is a recently patched Windows vulnerability that enables NTLM hash disclosure and has been actively exploited in targeted phishing campaigns. The flaw allows attackers to capture the NTLMv2-SSP response sent by a victim's machine to a malicious SMB server, without requiring the victim to open the malicious file—only minimal interaction, such as selecting or inspecting the file, is enough to trigger the exploit.

Zscaler ThreatLabz recently uncovered new espionage tools used by the China-linked group Mustang Panda, including two keyloggers named PAKLOG and CorKLOG, as well as an EDR evasion driver called SplatCloak. These tools were discovered on the same staging server previously used to distribute malware like ToneShell and StarProxy.

A new report by Cyble reveals that hacktivism is evolving into a more complex and dangerous form of cyber warfare, with groups increasingly targeting critical infrastructure using tactics once reserved for nation-states and financially motivated hackers. The report describes hacktivism as a “decentralized cyber insurgency” capable of influencing geopolitical events and destabilizing essential systems.

Check Point Research has uncovered a sophisticated phishing campaign conducted by APT29, a Russian state-linked group also known as Midnight Blizzard or Cozy Bear. The campaign targets European diplomatic entities, including embassies, by impersonating a major European Ministry of Foreign Affairs.

CloudSEK researchers have uncovered a new campaign exploiting the popularity of PDFCandy[.]com, a widely-used online file conversion tool that is especially popular in India.

Morphisec has uncovered a new malware called ResolverRAT, which is indiscriminately targeting organizations globally. The most recently documented attacks from Morphisec have been observed targeting the healthcare and pharmaceutical sectors.

In Q2 2024, the education sector ranked as the third most targeted industry for cyberattacks, with APT groups aligned to China, North Korea, Iran, and Russia increasingly focusing on academic institutions.

A China-linked threat actor, UNC5174 (also known as Uteus), has been tied to a new campaign targeting Linux systems. This campaign leverages a variant of the well-known SNOWLIGHT malware and a new open-source tool called VShell.

The North Korean state-sponsored group known as Slow Pisces (also tracked as Jade Sleet, TraderTraitor, or PUKCHONG) has launched a sophisticated cyber campaign targeting cryptocurrency developers, with the goal of generating revenue for the DPRK regime.

A China-nexus APT group exploited critical stack buffer overflow vulnerabilities (CVE-2025-0282 and CVE-2025-22457) in Ivanti Connect Secure VPN appliances. The victims span nearly twenty different industries across twelve countries: Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.

Fortinet has issued an urgent advisory warning that threat actors are leveraging a stealthy post-exploitation persistence technique on FortiGate VPN appliances, allowing them to maintain read-only access to compromised systems even after initial vulnerabilities were patched.

Tycoon2FA is a phishing-as-a-service (PhaaS) platform that was unearthed by researchers at Sekoia back in October 2023. The phishing kit is known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts and has recently adopted several new evasion techniques to bypass endpoint detection systems.

Large Language Models have become integral to modern software development, accelerating the creation of web applications, automation scripts, and more. While these AI tools offer significant productivity gains, they also introduce new security risks, including an emerging threat known as slopsquatting.

A significant surge in phishing attacks leveraging Scalable Vector Graphics (SVG) files to deliver malware has been reported by Trustwave SpiderLabs, who marked a staggering 1800% increase.

FortiGuard Labs has identified a wave of malicious NPM packages created by a threat actor operating under the aliases tommyboy_h1 and tommyboy_h2. These packages were published between March 5 and March 14, 2025, and are part of a targeted campaign aimed at harvesting sensitive information from compromised systems—primarily focusing on PayPal users.

In October 2024, Google's Threat Intelligence Group identified a novel phishing campaign attributed to a suspected Russian espionage group, UNC5837, that targeted European government and military entities.

A critical zero-day vulnerability, identified as CVE-2025-30406, has been discovered in Gladinet's CentreStack, a widely used file-sharing platform among MSPs. This deserialization flaw, stemming from a hardcoded or improperly protected machine Key in the IIS web[.]config file, has been under active exploitation since March.

A recent report by Cyble highlights critical vulnerabilities affecting industrial control system (ICS) devices from multiple vendors. The report examined 70 flaws in ICS, operational technology (OT) and supervisory control and data acquisition (SCADA) systems.

Bleeping Computer reports that email notifications are being sent to customers that a hacker stole and leaked credentials that were stolen from what Oracle described as "two obsolete servers.”

A targeted campaign discovered by F5 labs, exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2 instances. These SSRF flaws allowed attackers to trick vulnerable servers into making unauthorized internal HTTP requests, specifically to the EC2 Instance Metadata Service v1 (IMDSv1), which does not require authentication.

Gamaredon, also known as Shuckworm, a Russian state-linked threat actor, has been linked to a cyber attack targeting a foreign military mission operating in Ukraine, with the goal of deploying an updated version of its GammaSteel information-stealing malware.

Security researchers at SentinelLabs have identified a significant new spam campaign propagated by a framework, dubbed "AkiraBot," that has targeted over 400,000 websites to promote a low-quality SEO service, successfully posting spam content on 80,000 of them since September 2024.

Phishing actors are now deploying a stealthy technique called Precision-Validated Phishing, which significantly hinders traditional detection methods by selectively displaying phishing content only to intended victims.

A Chinese-affiliated threat actor known as ToddyCat has been observed exploiting a vulnerability in ESET's Command Line Scanner to deploy a newly discovered malware strain called TCESB.

Microsoft has recently patched a zero-day vulnerability, identified as CVE-2025-29824, which impacts the Windows Common Log File System (CLFS) that was actively exploited in a small number of targeted ransomware attacks. These attacks, tracked under the threat cluster Storm-2460, primarily affected organizations in the IT and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Exploiting this privilege escalation flaw in CLFS allowed attackers to gain SYSTEM privileges.

Akamai has reported a critical remote code execution (RCE) vulnerability in CUPS (Common Unix Printing System), which impacts Unix-like systems. While severe, the vulnerability does require a threat actor to chain together four vulnerabilities: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.

In May of last year, Global law enforcement carried out Operation Endgame, a historic, multinational operation that targeted several malware-as-a-service (MaaS) platforms including: IcedID, Smokeloader, Pikabot, and Bumblebee.

A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs was detected on April 3, 2025, with over 2,500 unique IP addresses scanning for vulnerable devices. These attacks exploit an information disclosure vulnerability that was first disclosed by an SSD Advisory in May 2024.

Meta has recently issued a warning to Windows users of WhatsApp to update their messaging app to the latest version (2.2450.6) in order to patch a security vulnerability tracked as CVE-2025-30401.

Researchers from Cyfirma have observed the latest version of a Windows RAT called Neptune RAT being distributed via GitHub using a notable technique that leverages 2 PowerShell commands.

CISA has added CVE-2025-31161 to their known exploited vulnerability (KEV) database. CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.

A recently discovered vulnerability in WinRAR, tracked as CVE-2025-31334, allows attackers to bypass the Window's "Mark of the Web" (MotW) security mechanism, which tags files downloaded from the internet as potentially unsafe.

A recent report published by Outpost24 KrakenLabs has exposed the identity and evolution of the threat actor known as “EncryptHub,” believed to be a lone individual walking a fine line between legitimate cybersecurity research and malicious cyber activity.

A newly identified malicious campaign known as PoisonSeed is targeting both individuals and enterprises by exploiting compromised credentials from customer relationship management tools and bulk email providers.

North Korean threat actors behind the ongoing "Contagious Interview" operation have significantly expanded their malicious activities within the npm ecosystem, according to Socket researcher Kirill Boychenko.

A complex and far-reaching supply chain attack that ultimately impacted Coinbase has been traced back to the compromise of a personal access token belonging to a maintainer of SpotBugs, a popular open-source static code analysis tool.

March 2025 marked significant shifts within the ransomware ecosystem. The potential downfall of RansomHub, the dominant group of 2024, following their data leak site being taken offline and claims of a takeover of their infrastructure by their rival DragonForce, signals a potentially major restructuring of the ransomware landscape.

As Tax Day in the U.S. approaches, Microsoft has observed a surge in phishing campaigns leveraging tax-related themes to steal credentials and deploy malware. These campaigns utilize various redirection techniques—such as URL shorteners, QR codes in attachments, and legitimate services like file-hosting platforms and business profile pages—to evade detection.

Hunters International is a ransomware group that emerged in late 2023 and is suspected to be a rebrand of the former Hive ransomware. Initially, the group focused heavily on data exfiltration rather than encryption, which set it apart from other ransomware groups.

On April 3, 2025, Ivanti disclosed a critical buffer overflow vulnerability affecting Ivanti Connect Secure (ICS) VPN appliances versions 22.7R2.5 and earlier. Tracked as CVE-2025-22457, the flaw can be exploited by actors for remote code execution.

A critical vulnerability (CVE-2025-31161) in CrushFTP versions 10 and 11, allowing for remote authentication bypass and admin access, was disclosed privately to customers on March 21st. Outpost24, the discoverer, had initiated a responsible disclosure process with MITRE, aiming for a 90-day embargo to prevent malicious exploitation.

A significant uptick in generative AI scraper bot activity has been observed between December 2024 and February 2025, signaling a growing operational concern for organizations managing web applications.

In the first quarter of 2025, Steam became the most imitated brand in phishing campaigns, marking a shift from the usual dominance of tech giants like Microsoft and Meta, Guardio researchers reported.

According to a new report from the AhnLab SEcurity intelligence Center (ASEC), threat actors were observed impersonating a recruitment email from a developer community called Dev.[]to to distribute malware.

Wiz Threat Research uncovered a new variant of an ongoing campaign targeting misconfigured and publicly exposed PostgreSQL servers, primarily those with weak or easily guessable login credentials.

The financially motivated cybercrime group FIN7—also known as Carbon Spider, Sangria Tempest, ELBRUS, Gold Niagara, and Savage Ladybug, has been linked to a sophisticated Python-based backdoor called Anubis. This malware is designed to provide remote access and control over compromised Windows systems.

Beginning in late 2024, Unit 42 researchers have noticed a shift in QR code phishing tactics. Attackers are employing strategies such as hiding the final malicious website destination by leveraging the redirection mechanisms of legitimate sites and other phishing tactics.

In late January 2025, a Managed Service Provider (MSP) administrator fell victim to a sophisticated phishing attack targeting their ScreenConnect Remote Monitoring and Management (RMM) tool. The attack, attributed with high confidence by Sophos to the ransomware affiliate tracked as STAC4365, began with a well-crafted phishing email purporting to be a ScreenConnect authentication alert.

North Korean IT workers, often referred to as “IT warriors,” have expanded their operations beyond the United States and are now increasingly targeting organizations across Europe.

Ontinue's Cyber Defence Centre (CDC) analyzed a sophisticated, multi-stage attack that effectively combined vishing, remote access tools, and living-off-the-land techniques to infiltrate the victim's system.

Ontinue's Cyber Defence Centre investigated a complex, multi-stage attack involving social engineering, remote support abuse, and stealthy post-exploitation techniques. The intrusion began with a vishing campaign where the threat actor impersonated IT support and delivered a malicious PowerShell payload via Microsoft Teams chat.

Attackers are actively exploiting a critical authentication bypass vulnerability in CrushFTP file transfer software, tracked as CVE-2025-2825.

Yesterday, Apple released security updates to address several vulnerabilities impacting a range of products including macOS, ipadOS, iOS, and much more. Notably, three of the flaws, tracked as CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, were exploited as zero-days in attacks in the wild:

GreyNoise has reported a significant increase in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals, with nearly 24,000 unique IP addresses attempting access in the past 30 days. This surge, which peaked at nearly 20,000 IPs per day from March 17 to March 26, suggests a coordinated effort to probe for vulnerable systems, potentially indicating preparations for future exploitation.

Ukrainian entities have been targeted in a phishing campaign aimed at delivering Remcos RAT, a remote access trojan used for surveillance and data theft.

North Korea's Lazarus Group has adopted a new tactic known as "ClickFix" in its ongoing efforts to compromise job seekers in the cryptocurrency industry, particularly within the centralized finance space.

CISA has identified a new malware strain named RESURGE targeting the patched vulnerability CVE-2025-0282 in Ivanti Connect Secure (ICS) appliances. RESURGE is an improved version of the SPAWNCHIMERA malware, retaining its reboot persistence mechanisms but introducing 3 distinct commands for malware behavior modification.

DarkCloud is a sophisticated infostealer malware that first gained prominence in 2022 and has continued to evolve and expand its presence since then. It is primarily distributed through phishing campaigns, where attackers impersonate legitimate entities or use social engineering tactics to compromise targets, especially HR departments.

DFIR Report researchers shared details of an intrusion that occurred in May 2024, where actors leveraged a fake zoom installer to infect the targeted system with BlackSuit ransomware. The attack initiated when an unsuspecting victim visited a malicious site masquerading Zoom's official download page (zoommanager[.]com).

Lucid is identified as a significantly impactful and sophisticated Phishing-as-a-Service (PhAAS) platform operated by Chinese-speaking threat actors. This platform targets a vast global landscape, impacting 169 entities across 88 countries.

CoffeeLoader is a sophisticated malware loader identified by security firm Zscaler in September 2024, designed to download and execute second-stage payloads while evading detection by security solutions.

Cybercriminals are now exploiting sponsored Google ads to target users searching for the popular AI chatbot, DeepSeek. According to security firm Malwarebytes, the attackers are using Google Ads to promote domains that mimic DeepSeek's official site, such as deepseek-ai-soft[.]com and deepseakr[.]com.

ESET researchers have uncovered that a custom security evasion tool developed by the RansomHub ransomware group has been used in attacks linked to three additional cybercrime gangs: Play, Medusa, and BianLian.

A sophisticated Phishing-as-a-Service platform, identified by Infoblox Threat Intelligence and dubbed Morphing Meerkat, has been observed spoofing over 100 well-known brands in order to steal user credentials through dynamic and highly evasive phishing attacks.

Security researchers from Forescout's Vedere Labs have disclosed 46 serious vulnerabilities in solar inverters produced by the world's top three manufacturers. These flaws, which affect both the devices and their associated cloud platforms, could allow attackers to remotely take control of the inverters, execute malicious code, access sensitive user data, or even physically damage components.

A widespread and persistent cyber campaign compromised around 150,000 legitimate websites by injecting malicious JavaScript to redirect users to Chinese-language gambling platforms. According to c/side security analyst Himanshu Anand, the threat actor continues to rely on iframe injections to deliver fullscreen overlays in victims' browsers.

RedCurl, aka Earth Kapre and Red World, is a Russian-speaking hacking group, that has been active since November 2018. The group is known for launching spear-phishing attacks (e.g. phishing emails containing IMG files disguised as CV documents) against organizations in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States.

Credential stuffing is a type of cyberattack in which malicious actors exploit of a list of stolen or leaked usernames and passwords to gain unauthorized access to accounts that use the same credentials.

The Chinese threat actor FamousSparrow has been observed deploying new variants of its custom SparrowDoor backdoor and, for the first time, the widely shared Chinese state-sponsored malware ShadowPad RAT in attacks targeting a trade group in the United States and a research institute in Mexico during July 2024.

Cybersecurity researchers have uncovered two malicious packages on the npm registry ethers-provider2 and ethers-providerz that exemplify a new wave of software supply chain attacks targeting open-source ecosystems. Published on March 15, 2025, ethers-provider2 was downloaded 73 times before detection, while ethers-providerz received no downloads and was likely removed by its author.

The threat actor known as EncryptHub has been exploiting a recently patched zero-day vulnerability in Microsoft Windows, CVE-2025-26633 (CVSS score: 7.0), to deliver various malware families, including Rhadamanthys and StealC, which are commonly used for backdoor access and information stealing.

A recent analysis by K7 Labs has uncovered a new campaign attributed to the North Korean APT group Kimsuky, also known as "Black Banshee." The analysis details the group's latest infection chain, which involves the use of malicious VBScript and PowerShell scripts along with encoded text files to deliver and execute payloads.

On Tuesday, Google addressed a zero-day vulnerability in its Chrome browser that had been actively exploited in attacks. Tracked as CVE-2025-2783, the vulnerability stems from an “incorrect handle provided in unspecified circumstances in Mojo on Windows.”

IOCONTROL is a newly emerging malware strain attributed to the anti-Israeli and pro-Iranian hacktivist group, Cyber Av3ngers. First observed in December 2024, IOCONTROL targets IoT devices and Linux-based systems and supports various functions enabling operators to gain remote access to systems and conduct surveillance, manipulate systems, exfiltrate data, and facilitate lateral movement.

Sygnia investigated a prolonged cyber espionage campaign targeting a major telecommunications company in Asia. The threat actor, tracked as Weaver Ant, is assessed to have China-nexus ties based on their operational behavior, infrastructure, and targeting.

A new in-depth investigation by Silent Push, in collaboration with Team Cymru, has identified nearly 200 unique command-and-control domains linked to the Raspberry Robin malware, highlighting the growing scale and complexity of this threat.

Launched on March 7, 2025, VanHelsingRaaS is a rapidly growing ransomware-as-a-service platform that has already infected at least three known victims within its first two weeks of operation.

Threat actors are exploiting free online document converter tools to infect victims' computers with malware, including ransomware. The FBI's Denver Field Office has issued a warning, noting an increase in scams involving these tools, which claim to convert or merge files (such as turning a .doc file into a .pdf or combining multiple .jpg files into one .pdf) or, in some cases, masquerade as MP3 or MP4 downloaders.

Cyble has uncovered a new social engineering campaign targeting developers, particularly Polish-speaking job-seekers, by disguising malware as a technical coding challenge on GitHub.

Security researchers have issued a warning about a new malvertising campaign that exploits fake Google ads for Semrush, a SEO and marketing platform widely used by businesses, to harvest victims' Google account credentials and sensitive data.

A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.

New variants of the Albabat ransomware were recently discovered by researchers at Trend Micro, which now target not only Microsoft Windows systems but also gather hardware and system information from Linux and macOS environments.

Researchers at SEQRITE have uncovered a new C++ based information stealer, dubbed SvcStealer, which is being distributed through spear-phishing emails. First observed in late January 2025, SvcStealer is designed to harvest a wide range of sensitive information from the targeted system.

Cisco Talos researchers have identified a previously unknown threat actor, UAT-5918, which has been actively targeting critical infrastructure in Taiwan since at least 2023. The group is believed to be an advanced persistent threat actor focused on establishing long-term access to victim environments for the purpose of espionage and data theft.

Cybersecurity researchers at Sygnia have discovered a concerning attack method that exploits recent VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226). This observed technique allows attackers to escape virtual machines, circumvent security controls, and deploy ransomware at scale.

Cybercriminals are increasingly using malicious kernel drivers—either exploiting vulnerable legitimate ones or deploying custom-built drivers—to disable endpoint detection and response tools and evade detection.

Summary: Swiss Telecommunications provider, Ascom recently issued an advisory, stating that it is investigating a cyberattack that compromised it's technical ticketing system. The company reassured that other IT and customer systems remain unaffected, and there has been no disruption to business operations.

In November, 2024, NAKIVO patched a path traversal flaw in its backup & replication software, which could allow unauthenticated actors to read arbitrary files on vulnerable devices.

On March 5, 2025, the U.S. Department of Justice unsealed an indictment against employees of the Chinese contractor I‑SOON, revealing their involvement in global cyber espionage campaigns. The indictment detailed a series of attacks attributed to I‑SOON's operational arm, the FishMonger APT group, including a 2022 cyber campaign known as Operation FishMedley, which targeted governments, NGOs, and think tanks across Asia, Europe, and the United States.

Symantec researchers have uncovered a RansomHub affiliate deploying Betruger, a sophisticated multi-function backdoor designed to enhance cyberattacks. This malware provides extensive capabilities, including capturing screenshots, logging keystrokes, scanning networks, dumping credentials, escalating privileges, and uploading files to a command-and-control server.

As the April tax deadline draws near, scammers are taking advantage of the heightened stress and urgency of individuals rushing to file their returns. According to a press release by F-Secure, fraudsters are impersonating the Internal Revenue Service (IRS) to deceive victims through text messages and emails.

CERT-UA has issued a warning regarding a new campaign targeting Ukraine's defense sector, utilizing the Dark Crystal RAT (DCRat). They have recorded numerous cases of these cyberattacks. This activity cluster, identified in June 2024, targets both defense-industrial complex enterprises and military personnel.

Security firm Intel471 notes an increasing trend in threat actors leveraging remote monitoring and management (RMM) applications to gain initial access and move laterally across organizational networks.

A critical, unpatched security flaw in Microsoft Windows, identified as ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from China, Iran, North Korea, and Russia since 2017. T

Threat actors are actively exploiting CVE-2024-4577, a severe argument injection vulnerability in PHP running on Windows in CGI mode, to deploy cryptocurrency miners and remote access trojans like Quasar RAT.

Pillar researchers have uncovered an undocumented supply chain attack vector, "Rules File Backdoor," that exploits AI-powered code editors like GitHub Copilot and Cursor. Attackers embed malicious prompts within seemingly benign configuration files, specifically, rules files that guide AI behavior.

The ongoing exploitation of VPN-related vulnerabilities such as CVE-2018-13379 and CVE-2022-40684, continues to be a major threat to organizations worldwide. These vulnerabilities, despite being disclosed years ago, are still widely used by attackers in large-scale campaigns targeting VPN infrastructure.

Researchers at BI.Zone have uncovered a campaign where a North Korean threat group dubbed Squid Werewolf (aka APT37, Ricochet Chollima, ScarCruft, Reaper Group) was observed masquerading as recruiters to target job seekers and employees at specific organizations.

Guardz researchers have identified a sophisticated phishing campaign that bypasses traditional email security controls by abusing the inherent trust of Microsoft 365 infrastructure.

Researchers have confirmed that BlackLock is a rebranded version of the notorious Eldorado ransomware group, revealing a direct link between the two. After facing increased pressure from law enforcement and security experts, Eldorado resurfaced under the BlackLock banner, refining its operational model while maintaining its ransomware-as-a-service structure.

Threat hunters have uncovered new details about a cyber espionage campaign by the China-aligned MirrorFace group, which targeted a European Union diplomatic organization using the ANEL backdoor. The attack, detected by ESET in late August 2024, specifically focused on a Central European diplomatic institute, using lures themed around the upcoming World Expo in Osaka, Japan.

According to security researchers at Akamai, a critical command injection flaw impacting the Edimax IC-7100 network camera has been exploited in attacks in the wild since at lest May 2024 to deliver Mirai botnet malware variants.

Microsoft has uncovered details of a novel remote access trojan (RAT), dubbed StilachiRAT, which it uncovered in November, 2024. For its part, StilachiRAT employs sophisticated techniques to evade detection, maintain persistence on targeted environments, and exfiltrate sensitive information.

Cybersecurity researchers have recently uncovered a significant supply chain compromise targeting the widely adopted GitHub Action, "tj-actions/changed-files," which is integrated into the CI/CD workflows of over 23,000 software repositories.

Malicious actors are exploiting Cascading Style Sheets to evade spam filters and track user activity in phishing campaigns, posing significant security and privacy risks. According to Cisco Talos, attackers leverage CSS features to bypass detection in email clients, which impose strict restrictions on JavaScript and other dynamic content.

Cybercriminals are leveraging malicious Microsoft OAuth apps disguised as Adobe and DocuSign applications to steal Microsoft 365 credentials and deliver malware. Proofpoint researchers identified these highly targeted campaigns, which impersonate Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign to appear legitimate.

A widespread phishing campaign is underway, where fake security alerts on are being posted on GitHub repositories to trick unsuspecting developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and source code.

EclecticIQ security researcher Arda Byukkaya has uncovered details of a novel framework, dubbed ‘BRUTED,' which the Black Basta ransomware gang has used since 2023 to conduct large-scaled credential-stuffing and brute force attacks against edge network devices.

A new malware campaign, OBSCURE#BAT, has been identified using social engineering tactics to deploy the r77 rootkit, an open-source tool that enables persistence and evasion on compromised systems.

Microsoft Threat Intelligence has detected an active and evolving phishing campaign, designated as Storm-1865, which commenced in December 2024 and persists as of February 2025. This campaign specifically targets organizations within the hospitality sector, with a focus on individuals most likely to interact with Booking.com.

Barracuda's March Email Threat Radar report highlights a new campaign, where fraudsters are impersonating Clop ransomware to extort payments from victims. In this case, the attackers send emails falsely claiming to be Clop and state that they have successfully exploited a vulnerability in Cleo, a company known for developing managed file transfer platforms such as Cleo Harmony, VLTrader, and LexiCom.

A new ransomware group, dubbed SuperBlack (also referred to as "Mora_001"), was recently discovered by researchers at Forescout. This group has been exploiting two authentication bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) affecting Fortigate firewall appliances.

A dual Russian-Israeli national, Rostislav Panev, has been extradited to the United States, where he faces charges for his alleged role as a key developer in the LockBit ransomware operation.

Facebook has issued a warning about a critical vulnerability in FreeType, an open-source font rendering library widely used across multiple platforms, including Linux, Android, game engines, GUI frameworks, and online services.

XWorm Remote Access Trojan (RAT) is a sophisticated malware tool that has gained popularity among cybercriminals due to its advanced capabilities and widespread availability.

This report details a sophisticated phishing campaign targeting users of Microsoft Copilot, a relatively new Generative AI service. Attackers are leveraging the novelty of Copilot and the widespread usage of the Microsoft ecosystem in organizations to deceive employees.

Mimecast recently conducted a study surveying 1,100 IT security professionals and decision-makers from the United States, United Kingdom, France, Germany, South Africa, and Australia to gain insights into their current cybersecurity challenges and priorities for the upcoming year.

Lookout has uncovered details of a new Android spyware, dubbed ‘KoSpy,' that is masquerading as utility apps to target Korean and English speaking users. KoSpy has been active since March 2022 and uses the Google Play store and Firebase Firestore for propagation.

A recent campaign, tracked by Trend Micro, leverages fake GitHub repositories to distribute malware, primarily SmartLoader, which then deploys Lumma Stealer. These repositories, designed to appear legitimate, offer gaming cheats, cracked software, and system tools, utilizing AI-generated content and social engineering to deceive users.

On March 9, GreyNoise detected a sharp and coordinated spike in Server-Side Request Forgery exploitation, affecting multiple widely used platforms. At least 400 unique IPs were observed actively exploiting 10 different SSRF-related CVEs simultaneously, with notable overlap in attack attempts.

Security firm Cyfirma has uncovered details of a new ransomware strain dubbed, “Ebyte” which has been made publicly available on GitHub by its developer, EvilByteCode. Written in the Go programming language, Ebyte utilizes a combination of ChaCha20 and ECIES encryption to lock victim files.

As part of the March Microsoft Patch Tuesday, Microsoft addressed 57 flaws, including 7 zero-days, 6 of which are being actively exploited in attacks in the wild. Of the 57 flaws, there were 23 elevation of privilege vulnerabilities, 3 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 4 information disclosure vulnerabilities, 1 denial of service vulnerabilities, and 3 spoofing vulnerabilities.

A hacktivist group calling themselves "Dark Storm," claiming pro-Palestinian motivations, has asserted they are responsible for a series of Distributed Denial-of-Service (DDoS) attacks that caused widespread outages on the X platform. X owner Elon Musk confirmed a "massive cyberattack" but initially didn't attribute it to Dark Storm.

SideWinder, an India-based cyber-espionage group active since at least 2012, has recently escalated its cyberattacks on maritime and logistics organizations across Africa and Asia. Security researchers from Kaspersky have tracked the group's activities since early 2024, identifying targeted organizations in Egypt, Djibouti, the United Arab Emirates, Bangladesh, Cambodia, and Vietnam.

The Ballista botnet is actively targeting unpatched TP-Link Archer routers by exploiting a remote code execution vulnerability (CVE-2023-1389). This high-severity flaw, affecting TP-Link Archer AX-21 routers, enables attackers to execute arbitrary commands and spread malware.

The misuse of Cobalt Strike, a legitimate adversary simulation tool, has significantly decreased over the past two years, according to its developer, Fortra. While initially designed for security penetration testing, cybercriminals and state-sponsored threat actors have exploited cracked versions of the tool to target critical sectors like healthcare with ransomware and other malware.

A new blog post by Group-IB highlights a surge in SIM swap fraud, despite security measures implemented by telecom providers to prevent such attacks. SIM swap fraud occurs when an actor obtains sensitive information, such as a victim's national ID, phone number, and card details, typically through phishing websites or social engineering tactics.

Researchers have detected a sharp rise in malicious software packages designed to exploit system vulnerabilities through obfuscation and stealth tactics. A newly published report from Fortinet, covering threats observed since November 2024, details how attackers are leveraging lightweight, concealed software packages to infiltrate systems while evading traditional security measures.

Travelers' latest Cyber Threat Report published on March 6, 2025 reveals a significant shift in ransomware tactics during 2024.

Former software developer Davis Lu, 55, of Houston, was convicted of sabotaging Eaton Corporation's computer systems after losing responsibilities following a corporate restructuring in 2018. Lu, who worked at the Ohio-based power management company from November 2007 to October 2019, retaliated by deploying malicious code that severely disrupted the company's operations.

The Medusa ransomware has become a primary weapon for the threat group Spearwing, which has claimed nearly 400 victims since 2023, as evidenced by its leak site. According to Symantec researchers, Spearwing has rapidly expanded its operations, likely filling the void left by the decline of major ransomware groups such as Noberus and LockBit.

Researchers at SquareX have uncovered a new campaign leveraging polymorphic browser extensions to steal credentials and other sensitive data. These malicious extensions can silently impersonate any extension installed on a victim's browser, creating the illusion that trusted tools like password managers, crypto wallets, or banking apps are requesting sensitive information.

Several U.S. cities are issuing warnings about a surge in phishing text messages that impersonate municipal parking violation departments in an attempt to steal sensitive data from unsuspecting recipients.

Microsoft has reported on X (formerly Twitter) that the North Korean hacking group Moonstone Sleet has recently deployed Qilin ransomware in a limited number of attacks, marking a shift in their operational tactics.

Medusa ransomware, a Ransomware-as-a-Service (RaaS) operation tracked as Spearwing by Symantec, has demonstrated a significant surge in activity since its emergence in early 2023. Claiming nearly 400 victims, the group has seen a 42% increase in attacks between 2023 and 2024, with over 40 attacks reported in the first two months of 2025 alone.

Threat hunters have uncovered Ragnar Loader, a sophisticated and adaptable malware toolkit leveraged by multiple ransomware and cybercrime groups, including Ragnar Locker, FIN7, FIN8, and Ruthless Mantis (formerly REvil). While it is closely associated with Ragnar Locker, it remains unclear whether the group owns it outright or if they rent it to other threat actors.

A new blog post by Microsoft highlights a large-scale malvertising campaign that has been active since early December, 2024, and that has impacted nearly one million devices to date.

Security firm S-RM recently uncovered details of an Akira ransomware intrusion where the group was able to identify and compromise an unsecured webcam on the targeted network and further deploy ransomware (T1486 - Data Encrypted for Impact) from it without triggering detection from existing Endpoint Detection and Response (EDR) solutions in place.

Phantom Goblin is a recently discovered malware campaign distributed through RAR attachments and social engineered malicious LNK files to infect systems. The malware employs a LNK file disguised as a legitimate document to execute a PowerShell script, which retrieves additional payloads from a GitHub repository to avoid detection.

EncryptHub, a financially motivated threat actor, has been conducting sophisticated phishing campaigns to distribute information stealers and ransomware while also developing a new tool called EncryptRAT.

The U.S. Department of Justice has charged 12 Chinese nationals for their involvement in a far-reaching cyberespionage campaign aimed at stealing sensitive data and suppressing free speech worldwide.

Software company Elastic has addressed a critical vulnerability in Kibana, a widely used data visualization platform for Elasticsearch, that could allow attackers to execute arbitrary code on affected systems by uploading a specially crafted file and sending malicious HTTP requests.

According to a post on the social media platform X by cybersecurity firm PRODAFT, a new ransomware group, dubbed SecP0, has emerged with a novel approach to extorting payments from organizations. Unlike traditional ransomware groups that typically encrypt victims' data and demand payment for decryption keys, SecP0 is reportedly identifying critical vulnerabilities in widely used applications and systems, threatening to publicly disclose these flaws unless a ransom is paid.

VMware has released a critical security advisory addressing three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that are being actively exploited in the wild. These vulnerabilities affect VMware ESXi, Workstation, and Fusion products, with severity levels ranging from high to critical.

Lotus Panda, a suspected China-nexus APT group active since at least 2012, has intensified its targeting of government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. Cisco Talos observed Lotus Panda deploying updated versions of its Sagerunex backdoor, including new "beta" variants, demonstrating a focus on long-term persistence and evasion.

The China-linked threat actor Silk Typhoon (formerly Hafnium), known for exploiting zero-day vulnerabilities in Microsoft Exchange servers in January 2021, has evolved its tactics to focus on the IT supply chain as a means of gaining initial access to corporate networks.

A newly identified polyglot malware is being leveraged in targeted attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates. The malware delivers a backdoor named Sosano, enabling attackers to establish persistence on infected systems.

A new botnet malware, dubbed 'Eleven11bot,' has infected over 86,000 IoT devices, primarily security cameras and network video recorders, to launch DDoS attacks against telecommunication providers and online gaming servers. Discovered by Nokia researchers, Eleven11bot is one of the largest DDoS botnets in recent years.

GuidePoint has uncovered a new campaign in which threat actors are sending physical ransom notes to senior executives at US organizations via the United States Postal Service.

The Splunk Threat Research Team has identified a mass exploitation campaign targeting ISP infrastructure providers on the West Coast of the United States and China.

Nisos has uncovered a network of likely North Korean DPRK-affiliated IT workers posing as Vietnamese, Japanese, and Singaporean nationals to obtain remote engineering and blockchain developer positions in Japan and the United States.

In 2024, a total of 33.5 million attacks involving malware and unwanted software targeting mobile devices were prevented. Notably, Adware was the most common type of mobile threat, accounting for 35% of detections observed by Kaspersky.

Paragon Partition Manager's BioNTdrv.sys driver, in versions prior to 2.0.0, contains five vulnerabilities that can be exploited by attackers with local access to escalate privileges on targeted devices or launch denial of service attacks.

Trend Micro researchers have uncovered a sophisticated cyber-attack leveraging social engineering and widely used remote access tools to deploy a stealthy infostealer malware. This campaign grants attackers persistent access to compromised machines, enabling them to steal sensitive data.

DragonForce, a Ransomware-as-a-Service (RaaS) group discovered in August 2023, executed a considerably major cyberattack, first announced on February 14, 2025, against a large enterprise in Saudi Arabia's real estate and construction sector, marking their first major attack against a KSA entity.

In late February 2025, major updates for two prominent info-stealers, Vidar and StealC, were simultaneously released, both transitioning to version 2.0. These updates introduce new builds which have been written from scratch, modernized user interfaces, and enhanced capabilities, including a new “morpher” module to improve runtime stability and speed up execution.

Malwarebytes has uncovered a new campaign that exploits Google ads, directing victims to specially crafted PayPal payment links. These links trick users into calling fraudsters posing as legitimate customer service representatives.

Unit 42 researchers have identified phishing activity linked to the cyber threat actor JavaGhost, which has been active for over five years. Initially known for website defacement, the group shifted in 2022 to targeting cloud environments, specifically AWS, to conduct phishing campaigns for financial gain.

Microsoft has updated its civil lawsuit to name four individuals responsible for developing and distributing tools that bypass security measures in generative AI services, including Microsoft's Azure OpenAI Service.

Netskope Threat Labs researchers expanded upon their report on threat actors leveraging fake CAPTCHAs for phishing on February 12th, 2025, with new research published in a blog post yesterday.

According to a new report from GreyNoise, 40% of exploited CVEs in 2024 were at least four years old, with some dating back to the 1990s. Furthermore, in 2024, ransomware groups leveraged 28% of vulnerabilities listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating that mass exploitation is a major driver of financially motivated attacks.

Security firm Darktrace has shined light on an emerging ransomware group dubbed Lynx which is known for targeting organizations in the finance, architecture, retail, energy, and manufacturing sectors. Operating under a ransomware-as-a-service model, Lynx provides affiliates a portion of the ransom after gaining initial access and deploying Lynx's encryptor.

A newly uncovered malware campaign leveraging Winos 4.0 is actively targeting organizations in Taiwan through phishing emails that impersonate Taiwan's National Taxation Bureau. First observed by FortiGuard Labs in January 2025, this attack marks a shift in cybercriminal tactics, using government-themed social engineering to increase credibility and deceive victims.

Researchers at KELA have uncovered activity belonging to a group named Anubis Ransomware. Anubis has an official X account which suggests they have been active since at least November 2024.

On February 21, 2025, cryptocurrency exchange Bybit revealed that a cyberattack resulted in the theft of over $1.5 billion worth of cryptocurrency from one of its Ethereum cold wallets, marking the largest single crypto heist in history.

Sekoia has uncovered details of a new campaign targeting edge devices, integrating them into a sophisticated botnet dubbed “PolarEdge.” Based on network traces observed through honeypots set up by Sekoia, actors were found exploiting a remote code execution vulnerability (CVE-2023-20118) in the web-based management interface of Cisco Small Business routers on two separate occasions.

This report from Palo Alto Networks' Unit 42 details a sophisticated macOS malware campaign, attributed with moderate confidence to North Korean state-sponsored threat actors, targeting job-seeking software developers within the cryptocurrency sector.

Between November and December 2024, Palo Alto Networks researchers discovered a new Linux malware variant named Auto-color, which derives its name from the filename it renames itself to upon installation.

LCRYX ransomware, a VBScript-based malware, has resurfaced in February 2025 after its initial emergence in November 2024. The ransomware encrypts files using the ‘.lcryx' extension and demands a $500 bitcoin ransom for decryption.

The Have I Been Pwned (HIBP) service has added over 284 million accounts to its database, which were stolen by information-stealer malware and found on a Telegram channel.

Researchers at Securelist have uncovered details of a malware campaign, dubbed "GitVenom," which has been distributing malicious code through fraudulent repositories on GitHub to target developers seeking tools for automation, cryptocurrency, and gaming hacks.

A new report from Forescout's Vedere Labs reveals a significant shift in cyber threats against the healthcare sector, with attackers moving beyond hospital networks to infiltrate patient-facing medical software.

Researchers have discovered an upgraded version of the LightSpy spyware, now equipped with expanded data collection features targeting social media applications like Facebook and Instagram.

Hunt[.]io has published an analysis of a threat actor campaign targeting users attempting to download messaging apps including Signal, Line, and Gmail. Signal, Line, and Gmail are popular apps that users often discover and download via search engines, making them attractive targets for SEO poisoning by cybercriminals to distribute malware.

Researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a malware campaign distributing the LummaC2 information stealer disguised as a cracked version of Total Commander, a popular Windows file management tool.

Security firm Group-IB has uncovered details of a campaign dubbed “ScreamedJungle,” which is using stolen browser fingerprints to impersonate legitimate users and bypass defenses.

A newly discovered botnet of over 130,000 compromised devices is launching a highly coordinated password-spraying attack on Microsoft 365 accounts, exposing critical vulnerabilities in modern authentication practices.

Paypal users are facing an ongoing email scam campaign that leverages the platform's address settings to distribute fraudulent purchase notifications that use social engineering techniques to convince users to grant the attacker remote access.

Proof-of-concept (POC) code has been released on GitHub for a high severity command injection vulnerability in F5's iControl REST API and BIG-IP Traffic Management Shell (TMSH) command-line interface.

Researchers at DFIR Report have uncovered details of an intrusion where LockBit ransomware was deployed by a threat actor within 2 hours of gaining initial access. The intrusion initiated with the compromise of an exposed Windows Confluence server that was vulnerable to critical a server-side template injection vulnerability in Confluence.

Summary: The AhnLab Security Intelligence Center (ASEC) has observed a significant increase in the distribution of ACRStealer infostealer malware, often disguised as cracks and keygens for illegal software.

Cisco Talos has been tracking a widespread intrusion campaign targeting major U.S. telecommunications companies, attributed to the sophisticated threat actor Salt Typhoon. Initially reported in late 2024 and later confirmed by the U.S. government, this campaign demonstrates advanced persistence techniques, allowing the attackers to maintain access for over three years in some cases.

A leaker known as ExploitWhispers has released an archive of internal Matrix chat logs from the Black Basta ransomware operation, initially uploaded to MEGA before being removed and later shared on a dedicated Telegram channel. I

In December 2024, 18,000 devices were scanned using an application developed by iVerify, which leverages signature-based detection, heuristic analysis, and machine learning to identify Pegasus artifacts.

In January 2025, Ivanti addressed a stack-based buffer overflow flaw (CVE-2025-0282) in its Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways which could enable unauthenticated actors to remotely execute code.

The Darcula phishing-as-a-service (PhaaS) platform is set to launch a new version, Darcula V3, significantly enhancing its capabilities to allow anyone to create highly convincing phishing sites with no technical expertise.

U.S. authorities have released an advisory detailing the activities of Ghost, a financially motivated ransomware group originating from China, which has compromised organizations across more than 70 countries.

Cybercriminals have been observed approaching their targets under the guise of company recruiters in the past, enticing them with fake offers of employment. Cybercriminals exploit the vulnerability of an individual distracted by a potential job offer.

Microsoft recently addressed an elevation-of-privilege vulnerability in its Power Pages platform, which the vendor confirms was exploited as a zero-day in attacks in the wild. Power Pages is a low-code, Software-as-a-Service (SaaS) platform that allows organizations to build, host, and manage business websites with ease.

An unidentified threat actor has been observed targeting European organizations, notably in the healthcare sector, with an undocumented C++ ransomware strain, dubbed NailaoLocker. The campaign, tracked as Green Nailao, was uncovered by Orange Cyberdefense CERT and initiated between June and October last year.

Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.

Exploitation attempts against CVE-2025-0108, a critical authentication bypass vulnerability affecting the management web interface of Palo Alto Networks' firewalls, have surged in recent days.

Google Threat Intelligence Group (GTIG) has observed and analyzed a significant uptick in Russian-aligned cyber operations targeting Signal Messenger to compromise accounts belonging to individuals of interest to Russian intelligence services like GRU.

Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.

KnownHost recently conducted a study to examine the most commonly used passwords and the likelihood of these passwords being hacked based on the frequency of their appearance in recorded data breaches.

Researchers at Malwr-Analysis have uncovered details of a new campaign that is infecting end users with Arechclient2 (aka sectopRAT), a highly obfuscated .NET-based Remote Access Trojan. SectopRAT is being disguised as a legitimate Google Chrome extension, “Google Docs,” for propagation.

Recently, Proofpoint identified two new actors, TA2726 and TA2727, involved in web-based malware distribution. TA2726 functions as a TDS operator, selling traffic to other threat actors, including TA569 and TA2727.

FortiGuard Labs recently detected a new variant of Snake Keylogger (also known as 404 Keylogger) using FortiSandbox v5.0 (FSAv5), this malware has been responsible for over 280 million blocked infection attempts, with the highest concentrations in China, Turkey, Indonesia, Taiwan, and Spain.

In January 2025, the eSentire Threat Response Unit (TRU) observed the use of a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader. RedCurl APT is a highly sophisticated group known for targeting private-sector organizations with a focus on corporate data theft and persistence.

Researchers at Cyfirma have uncovered details of a new ransomware strain, dubbed Vgod, which specifically targets Windows systems with advanced encryption techniques. Similar to other ransomware families such as LockBit, Vgod employs the AES-256 encryption algorithm to lock files, with RSA-4096 encryption used for key protection.

On January 7, 2024, SonicWall released security updates to address an improper authentication vulnerability in the SSLVPN authentication mechanism, which could allow remote attackers to hijack active SSL VPN sessions without authentication.

Securonix has been tracking a cyberattack campaign being conducted by a North Korea-sponsored threat actor known as Kimsuky (APT43, Emerald Sleet). This ongoing campaign, dubbed DEEP#DRIVE has been targeting South Korean business, government, and cryptocurrency sectors.

Attackers leveraged a PostgreSQL zero-day vulnerability (CVE-2025-1094) in conjunction with two BeyondTrust flaws (CVE-2024-12356 and CVE-2024-12686) and a stolen API key to breach BeyondTrust's network in December 2023. BeyondTrust later revealed that 17 of its Remote Support SaaS instances were affected.

Microsoft Threat Intelligence Center has identified an ongoing and highly effective device code phishing campaign attributed to Storm-2372, a suspected Russian state-affiliated threat actor.

A recent report from Group-IB reveals that RansomHub emerged as the most active ransomware group of 2024, targeting over 600 organizations across various sectors, including healthcare, finance, government, and critical infrastructure. RansomHub initiated operations in early February 2024, shortly after coordinated law enforcement efforts dismantled the infrastructure of the BlackCat and LockBit ransomware groups, both of which were among the most active at the time.

Recorded Future's Insikt Group has uncovered details of a campaign exploiting unpatched internet-facing Cisco network devices, primarily associated with global telecommunications providers and a handful of universities.

Astaroth, a newly emerged phishing tool, is rapidly gaining traction on cybercrime platforms due to its advanced ability to bypass two-factor authentication. First advertised in January 2025, it employs session hijacking and real-time credential interception to compromise accounts on major platforms like Gmail, Yahoo, and Office 365.

Symantec researchers have identified a China-based threat actor, Emperor Dragonfly, leveraging RA World ransomware in a financially motivated attack against an Asian software and services company in late 2024.

According to researchers at Hunt.io, hackers have been exploiting the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) communications. Pyramid, which was first released on GitHub in 2023, is a Python-based post-exploitation framework that is capable of evading endpoint detection and response tools by leveraging Python's widespread presence in many environments.

Netskope Threat Labs has uncovered details of a widespread phishing campaign aimed at stealing credit card information for financial fraud. The campaign has been ongoing since mid-2024 and exploits search engines to direct victims to PDF documents containing CAPTCHA images that are embedded with phishing links.

Microsoft has recently released research they conducted into a subgroup within the Russian state APT Seashell Blizzard (Sandworm) and the details of their initial access campaign that Microsoft dubbed BadPilot.

North Korean threat actor Kimsuky has been observed employing a new social engineering tactic to trick victims into running malicious PowerShell commands as administrators. The attackers impersonate South Korean government officials, gradually building rapport with targets before sending a spear-phishing email containing a PDF attachment.

The United States, Australia, and the United Kingdom have jointly sanctioned Zservers, a Russia-based bulletproof hosting provider, for facilitating ransomware attacks by supplying critical infrastructure to the LockBit gang.

Ivanti released an advisory detailing multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products. Some of the flaws allow for RCE and unauthorized data access. The vulnerabilities range from medium to critical severity and impact various versions of Ivanti products.

Although QR codes have transformed digital interactions by providing quick access to websites, services, and adding a layer of security to applications, their ubiquity has made them a prime target for threat actors. In "quishing" attacks, fraudsters use fake QR codes to redirect users to counterfeit websites, enabling them to steal personal data, login credentials, or financial details.

As part of the February Microsoft Patch Tuesday, Microsoft addressed 55 flaws, including 4 zero-day flaws, two of which are actively being exploited in attacks in the wild. Of the 55 flaws, there was 19 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 22 remote code execution vulnerabilities, 1 information disclosure vulnerability, 9 denial of service vulnerabilities, and 3 spoofing vulnerabilities. 3 flaws have been rated critical in severity, all of which can lead to remote code execution.

The Russian military cyber-espionage group Sandworm (APT44), also tracked as UAC-0113 and Seashell Blizzard, has been actively targeting Windows users in Ukraine using trojanized Microsoft Key Management Service activators and fake Windows updates.

Beginning in early January 2025, eSentire Threat Response Unit observed an increase in the number of incidents involving the NetSupport Remote Access Trojan (RAT). The RAT was originally developed as a remote IT support tool in 1989 and was known as NetSupport Manager but has been weaponized by cybercriminals in recent years.

In 2024, ransomware groups such as Lynx, Akira, and RansomHub refined their techniques, prioritizing agility and speed over high-profile targets. According to the 2025 Cyber Threat Report by Huntress, these groups adopted a quantity-over-quality strategy, executing a larger number of attacks at an accelerated pace.

Four suspected European hackers were recently arrested in Phuket, Thailand, in connection with cyberattacks targeting over 1,000 victims worldwide. Dubbed, “Operation Phobos Aetor,” the arrest was carried out by Thai authorities after an urgent request for international cooperation from Swiss and US law enforcement.

Apple has issued out emergency security updates to address a zero-day vulnerability that it says has been exploited in the wild. Tracked as CVE-2025-24200, the flaw pertains to an authorization issue which could enable a malicious actor to disable the USB Restricted Mode on a locked device as part of a physical cyber attack.

Facebook is the third-most visited website on the internet, following Google and YouTube, which makes attacks abusing the brand have a consequential impact. Check Point researchers have recently discovered a new phishing campaign luring unwitting victims by utilizing Facebook-themed copyright infringement emails to harvest credentials.

A large-scale brute force password attack is currently underway, utilizing nearly 2.8 million IP addresses to target a variety of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.

CISA has added a new vulnerability to its KEV catalog, impacting Trimble's Cityworks, a GIS-centric asset management software used by local governments, utilities, and public works organizations, to manage public assets, work orders, permitting, licensing, capital planning, and budgeting.

Microsoft has issued a critical warning about a growing security risk in which developers are unknowingly incorporating publicly disclosed ASP.NET machine keys from online sources, making their applications vulnerable to cyberattacks.

Cybercriminals are leveraging scalable vector graphics files in phishing attacks to evade detection by traditional security tools, according to a recent report from Sophos. SVG files, commonly used for rendering vector-based images, contain Extensible Markup Language (XML)-like instructions that allow for the embedding of interactive elements such as hyperlinks and scripts.

Field Effect thwarted a cyberattack where an threat actor exploited newly discovered vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) client to gain unauthorized access to a targeted network.

Linwei Ding, a 38 year old Chinese national and former software engineer at Google, has been been indicted for illegally transferring over 500 confidential AI files from Google to his personal accounts. The stolen data, which includes critical hardware and software designs, was allegedly shared with Chinese companies in the AI sector.

This new activity cluster leverages deceptive LinkedIn job offers and is a part of the North Korea-sponsored Contagious Interview operation, primarily targeting individuals in the cryptocurrency and travel industries, to deploy cross-platform malware capable of compromising Windows, macOS, and Linux systems.

Cybercriminals are increasingly leveraging legitimate HTTP client tools, such as Axios and Node Fetch, to facilitate account takeover attacks on Microsoft 365 environments. According to enterprise security company Proofpoint, these tools, often sourced from public repositories like GitHub, are being repurposed for sophisticated attack techniques, including Adversary-in-the-Middle and brute-force tactics.

A new report from Chainalysis highlights a promising shift in the ransomware landscape from 2023 to 2024: more victims are refusing to pay ransoms. As a result, total ransomware payments dropped by approximately 35%, from $1.25 billion in 2023 to $813.55 million in 2024.

Cisco has disclosed several high-severity vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of its IOS, IOS XE, and IOS XR software. Tracked as CVE-2025-20169, CVE-2025-20170, and CVE-2025-20171, these flaws could allow authenticated, remote attackers to trigger a Denial of Service (DoS) on affected devices.

Palo Alto Network's Unit 42 has observed a growing number of attacks targeting macOS users with infostealer malware. Infostealer malware is typically designed to exfiltrate sensitive credentials, financial records, and intellectual property, which often leads to data breaches, financial losses and reputational damage.

Cybersecurity researchers at Morphisec Threat Labs have investigated a series of indicators of attacks in a campaign that deploys a new version of ValleyRAT malware. Attacks utilizing this malware are frequently attributed to Silver Fox APT.

Five Eyes cybersecurity agencies (UK, Australia, Canada, New Zealand, and the U.S.) have issued guidance urging network device manufacturers to enhance forensic visibility, helping defenders detect and investigate breaches. Network edge devices—such as firewalls, routers, VPN gateways, OT, and IoT systems—are prime targets for both state-sponsored and financially motivated attackers.

In September 2024, the Trend Micro's Threat Hunting team identified CVE-2025-0411, a zero-day vulnerability in 7-Zip, exploited in a SmokeLoader malware campaign targeting Ukrainian entities.

Apple recently updated its XProtect malware tool to block several variants of the macOS Ferret family—FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.

The Forcepoint X-Labs research team recently uncovered an AsyncRAT malware campaign that leverages malicious payloads delivered via TryCloudflare quick tunnels and Python packages.

According to Security Scorecard STRIKE researchers, North Korea-nexus Lazarus Group has compromised hundreds of victims in multiple countries in a large-scale data harvesting supply chain attack campaign which is ongoing as of mid-January 2025.

Researchers at Trend Micro have uncovered details of a campaign where actors leveraged a zero-day vulnerability in 7-Zip (CVE-2025-0411), to deploy SmokeLoader malware, a modular loader first identified in 2011. SmokeLoader primarily serves as a downloader for secondary payloads but also has capabilities for credential theft, data exfiltration, establishing backdoors, and using obfuscation and sandbox evasion techniques to evade detection.

While the compromise of user credentials and phishing are popular tactics employed in cyberattacks, the widespread adoption of multi-factor authentication has led adversaries to focus more on exploiting vulnerabilities to gain initial access to organizational networks.

SentinelOne researchers have detailed an active phishing campaign targeting “high-profile” X accounts endeavoring to hijack and exploit them to conduct malicious and fraudulent activity. SentinelOne observed this campaign targeting a variety of individual and organization accounts including U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames.

On January 29, 2025, two malicious Python packages, deepseeek and deepseekai, were uploaded to the PyPI repository, masquerading as legitimate client libraries for interacting with the DeepSeek AI API.

Brazilian Windows users are the target of an evolving malware campaign deploying the Coyote Banking Trojan, a sophisticated banking malware designed to steal financial credentials and sensitive information.

Last Friday, Meta-owned WhatsApp, a popular messaging platform, stated it disrupted a spyware campaign back in December 2024, targeting journalists and civil society members. In total, 90 individuals were targeted and possibly compromised in the latest campaign, which WhatsApp asserts with high confidence.

Security researchers at Malwarebytes have uncovered a malvertising campaign targeting Microsoft advertisers with fake Google ads that lead to phishing sites designed to steal login credentials.

The Cybereason Security Team has recently published an analysis of a new attack campaign involving the Phorpiex botnet. In this campaign, the botnet is being used to automatically deploy LockBit Black Ransomware. This differs from previous attacks, which often relied on human interaction from LockBit operators, by making the attacks faster and more difficult to detect via the botnet.

DeepSeek, a Chinese AI company known for its open-source large language models (LLMs), launched its chatbot app in January 2025, quickly becoming the most downloaded free app on the U.S. iOS App Store, surpassing OpenAI's ChatGPT.

Google's Threat Intelligence Group conducted an in-depth analysis of how cyber threat actors interacted with Google's AI assistant, Gemini, to assess AI's role in cybersecurity threats. While AI has revolutionized cybersecurity by enhancing secure coding, vulnerability detection, and operational efficiency, it has also raised concerns about its misuse by cybercriminals and state-sponsored actors.

Europol, in coordination with law enforcement from eight countries, successfully dismantled the world's two largest cybercrime forums, Cracked and Nulled. Together, these platforms boasted over 10 million users and served as hubs for cybercrime discussions and marketplaces for illicit goods, including stolen data, malware, and hacking tools.

A critical unauthenticated Remote Code Execution vulnerability has been discovered in DSL-3788 routers, allowing attackers to remotely gain full control of the targeted device. The flaw impacts firmware versions v1.01R1B036_EU_EN and earlier and was reported by Max Bellia of SECURE NETWORK BVTECH.

A new attack technique dubbed Browser Hijacking was uncovered by security researchers at SquareX that enables a seemingly benign Chrome extension to take over a victim's device. This involves several steps, including Google profile hijacking, and browser hijacking, which eventually lead to device takeover.

POISONPLUG.SHADOW, also known as Shadowpad, is a highly sophisticated malware that leverages a custom obfuscating compiler to evade detection and analysis. Its complex obfuscation techniques make it particularly challenging for security researchers to identify and mitigate.

SecurityScorecard's investigation into Lazarus Group's recent cyber attacks on cryptocurrency entities and software developers uncovered a hidden administrative layer, dubbed Phantom Circuit, used to centrally manage the group's command-and-control infrastructure.

Researchers at SlashNext have uncovered a new SMS phishing tool, dubbed Devil-Traff, which features advanced capabilities like sender ID spoofing and automated messaging, allowing cybercriminals to send thousands of fraudulent messages in a short time.

A new variant of the Mirai-based botnet malware, Aquabotv3, has been observed exploiting a command injection vulnerability (CVE-2024-41710) in Mitel SIP phones.

Lynx ransomware has emerged as a highly structured and sophisticated Ransomware-as-a-Service operation, demonstrating an industrial-scale approach to cybercrime. The group operates through a well-organized affiliate program, providing cybercriminals with access to a centralized panel that facilitates ransomware deployment, victim management, and data leak coordination.

One of the most common methods cybercriminals use involves exploiting open redirects, a vulnerability that allows attackers to manipulate website links to redirect users to malicious destinations without proper validation. Cofense found that multiple .gov domains were primarily used for credential phishing, with some hosting as many as nine different phishing campaigns simultaneously.

Rapid advancements in AI are revealing new possibilities for the way humans work and accelerating innovation in science, technology, and more. AI is at the cusp of revolutionizing security and defense. With capabilities to sift through complex telemetry, secure coding, improve vulnerability discovery, and modernize operations.

In December, 2024, PowerSchool, a K-12 cloud-based software provider serving over 60 million students and 18,000 customers worldwide, experienced a breach where attackers were able to gain unauthorized access to its customer support portal, PowerSource.

CVE-2024-40891 is a critical command injection vulnerability impacting Zyxel CPE Series devices. The vulnerability was initially disclosed by VulnCheck back in August 1, 2024. However, the vulnerability has not been officially published by Zyxel, nor have patches been released.

Cisco Talos researchers have released a new report detailing a surge in the number of email phishing threats leveraging “Hidden Text Salting” techniques which they observed in the second half of 2024. Hidden Text Salting refers to poisoning the HTML source of an email.

Salt Labs researchers have uncovered details of a now-patched account takeover vulnerability affecting a popular online travel service used for booking hotels and car rentals.

Since its inception in March 2023, the Akira has grown to be one of the most prolific ransomware groups out here. Akira operates under a Ransomware-as-a-service model wherein affiliates or other cybercriminals are hired to gain initial access to victim environments and deploy the group's ransomware strain, in exchange for a portion of the ransom paid by victims.

Apple has patched a use-after-free zero-day vulnerability (CVE-2025-24085) in the Core Media component that could enable a malicious application already installed on the device to elevate privileges.

In early January 2025, threat hunters from eSentire detected and analyzed an ongoing threat campaign that utilizes the malware loader, MintsLoader, to deliver secondary payloads that include the StealC information stealer and BOINC, a legitimate open-source network computing platform.

A newly discovered phishing campaign is targeting mobile users with advanced social engineering techniques and malicious PDF files, aiming to compromise sensitive information on a global scale.

Ransomware actors have increasingly targeted VMware ESXi bare-metal hypervisors, exploiting SSH tunneling to establish persistence, move laterally, and deploy ransomware payloads without detection.

Such a sophisticated intrusion was initiated in January 2024 with a user downloading and executing the malicious file named setup_wm.exe, masquerading as the Windows Media Configuration Utility, with an almost legitimate-looking filename and icon.

A malware campaign has specifically targeted low-skilled hackers, or "script kiddies," to steal data and take control of systems. CloudSEK researchers report that a threat actor distributed a trojanized XWorm RAT builder through platforms like GitHub, file hosting sites, Telegram channels, YouTube, and various websites, promoting it as a free tool.

Almost 1000 fake websites, discovered by the Sekoia researcher, “crep1x”, are being distributed by a threat actor to deliver malware that leads to the deployment of Lumma Stealer malware on the victim's machine.

Over the past six months, ransomware activity has escalated significantly, marked by the rise of new groups such as FunkSec, Nitrogen, and Termite, alongside the reappearance of Cl0p and the introduction of LockBit 4.0.

Threat actors are capitalizing on the recent news about Ross Ulbricht, founder of the infamous Silk Road marketplace, to trick users into downloading malware. Using fake, verified accounts on X (formerly Twitter), these actors direct unsuspecting users to Telegram channels masquerading as official portals for Ulbricht.

Cybercriminals have introduced a new malicious AI chatbot named GhostGPT, which is specifically designed to assist in creating malware, developing exploits, and crafting phishing emails. Researchers from Abnormal Security discovered that GhostGPT has been actively marketed and sold through Telegram since late 2024.

The FBI has warned that North Korean IT worker schemes are stealing data to extort their victims as part of efforts to generate revenue for the Democratic People's Republic of Korea (DPRK). The US intelligence agency confirmed it has observed North Korean IT workers engaging in this tactic over recent months.

CYFIRMA's Research and Advisory team uncovered a new ransomware strain while monitoring various underground forums. Dubbed “Nnice,” the strain is designed to target Windows systems and comes with advanced encryption techniques.

Salt Typhoon is identified by the United States Cybersecurity and Infrastructure Security Agency (CISA) as a state-sponsored threat actor that has successfully compromised at least nine telecommunications companies with headquarters in the United States, thus prioritizing government and political figures and very high-profile targets.

Cisco Product Security Incident Response Team (PSIRT) recently released patches for a critical privilege escalation vulnerability in Meeting Management, CVE-2025-20156, and a heap-based buffer overflow flaw, CVE-2025-20128, that can terminate the ClamAV scanning process on endpoints running a Cisco Secure Endpoint Connector.

SonicWall has released patches for a pre-authentication of untrusted data vulnerability impacting its SMA1000 Appliance Management Console and Central Management Console, which in specific conditions could enable remote unauthenticated actors to execute arbitrary OS commands.

Cybersecurity researchers at Specops are delivering a new report regarding a major password-related security issue. According to them, over 1 billion passwords were stolen by malware in 2024.

Cyble Threat Intelligence has discovered thousands of account credentials belonging to some major cybersecurity vendors on the dark web. Cyble researchers shared their findings on January 22nd, 2025, noting they found credentials for at least 14 security providers.

PlushDaemon, a newly identified China-aligned advanced persistent threat (APT) group, has been linked to a supply chain attack targeting a South Korean VPN provider in 2023, as revealed by ESET.

In 2024, 84% of healthcare organizations (HCOs) experienced cyber-attacks or intrusions, with account hijacking and phishing being the most prevalent threats, according to a Netwrix study.

Asif William Rahman, a 34-year-old former CIA analyst from Vienna, admitted to leaking highly classified information to people who didn't have clearance to see it.

The Ukrainian government's Computer Emergency Response Team (CERT-UA) has received several reports of unidentified actors falsely claiming to represent CERT-UA in an attempt to connect to victims' systems via AnyDesk.

On January 13, the Biden administration proposed the "Framework for Artificial Intelligence Diffusion," a landmark rule with far-reaching implications for global AI development. It threads a difficult needle: encouraging U.S. AI technology globally,

Researchers at Sophos have raised concerns about two ransomware groups employing social engineering tactics to gain remote access to corporate machines for data theft and extortion.

Trend Micro uncovered an IoT botnet in late 2024 and has been continuously monitoring its activity as it conducts large-scale distributed denial-of-service (DDoS) attacks. The attack commands sent from its C2 server have mainly targeted Japan, but Trend Micro has observed these attacks targeting various companies in different countries as well.

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on two individuals and four entities tied to North Korea's extensive revenue-generation schemes that directly fund its weapons programs.

Cybersecurity researchers have uncovered a sophisticated phishing kit called Sneaky 2FA, specifically engineered to compromise Microsoft 365 accounts by stealing credentials and bypassing two-factor authentication (2FA). First identified in December 2024 by the French cybersecurity firm Sekoia, this adversary-in-the-middle (AitM) phishing kit has been linked to nearly 100 domains, reflecting its growing use among cybercriminals.

Consequently, it was found that GoDaddy, one of the major hosting service providers, had not taken proper security measures to protect the services since 2018. The FTC ordered GoDaddy to increase its security practices.

The Russian threat group Star Blizzard, formerly known as SEABORGIUM, has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts, marking a shift from its usual tactics to likely avoid detection.

A recently patched vulnerability, CVE-2024-7344 (CVSS 6.7), highlights a critical flaw in the Secure Boot mechanism for UEFI systems, potentially allowing attackers to bypass protections and execute unsigned malicious code during the boot process.

On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. P

The North Korea-nexus APT, Lazarus Group, has been observed conducting a new cyber attack campaign dubbed Operation 99. This campaign targets software developers who are searching for freelance Web3 and cryptocurrency work to ultimately embed malware into the victim's environment.

On January 15, 2025, GuidePoint Security published findings from a Q4 2024 incident response involving a Python-based backdoor used by threat actors to maintain access to compromised systems. This access was leveraged to deploy RansomHub encryptors across the targeted network.

The U.S. Cybersecurity and Infrastructure Security Agency has released a new playbook providing detailed guidance for AI developers, providers, and adopters on how to voluntarily share cybersecurity information with federal agencies, private industry partners, and international stakeholders.