2025-11-05 AI Startup News
A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces
The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no less than 16 Telegram channels since August 8, 2025. “Since its debut, the group’s Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators’ determination to sustain this specific type of public presence despite disruption,” Trustwave SpiderLabs, a LevelBlue company, said in a report shared with The Hacker News. Scattered LAPSUS$ Hunters (SLH) emerged in early August, launching data extortion attacks against organizations, including those using Salesforce in recent months. Chief among its offerings is an extortion-as-a-service (EaaS) that other affiliates can join to demand a payment from targets in exchange for using the “brand” and notoriety of the consolidated entity.
All three groups are assessed to be affiliated with a loose-knit and federated cybercriminal enterprise referred to as The Com that’s marked by “fluid collaboration and brand-sharing.” The threat actors have since exhibited their associations with other adjacent clusters tracked as CryptoChameleon and Crimson Collective. Telegram, according to the cybersecurity vendor, continues to be the central place for its members to coordinate and bring visibility to the group’s operations, embracing a style akin to hacktivist groups. This serves a twofold purpose: turning its channels into a megaphone for the threat actors to disseminate their messaging, as well as to market their services. “As activity matured, administrative posts began to include signatures referencing the ‘SLH/SLSH Operations Centre,’ a self-applied label carrying symbolic weight that projected the image of an organized command structure that lent bureaucratic legitimacy to otherwise fragmented communications,” Trustwave noted.
Image: Observed Telegram channels and activity periods
Members of the group have also used Telegram to accuse Chinese state actors of exploiting vulnerabilities allegedly targeted by them, while simultaneously taking aim at U.S. and U.K. law enforcement agencies. Furthermore, they have been found to invite channel subscribers to participate in pressure campaigns by finding the email addresses of C-suite executives and relentlessly emailing them in return for a minimum payment of $100.
Some of the known threat clusters that are part of the crew are listed below, highlighting a cohesive alliance that brings together several semi-autonomous groups within The Com network and their technical capabilities under one umbrella:
- Shinycorp (aka sp1d3rhunters), who acts as a coordinator and manages brand perception
- UNC5537 (linked to the Snowflake extortion campaign)
- UNC3944 (associated with Scattered Spider)
- UNC6040 (linked to the recent Salesforce vishing campaign)
Also part of the group are identities like Rey and SLSHsupport, who are responsible for sustaining engagement, along with yuka (aka Yukari or Cvsp), who has a history of developing exploits and presents themselves as an initial access broker (IAB).
Image: Consolidated administrative and affiliated personas
While data theft and extortion continue to be Scattered LAPSUS$ Hunters’ mainstay, the threat actors have hinted at a custom ransomware family named Sh1nySp1d3r (aka ShinySp1d3r) to rival LockBit and DragonForce, suggesting possible ransomware operations in the future. Trustwave has characterized the threat actors as positioned somewhere on the spectrum between financially motivated cybercrime and attention-driven hacktivism, commingling monetary incentives and social validation to fuel their activities. “Through theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, the actors behind SLH have shown a mature grasp of how perception and legitimacy can be weaponized within the cybercriminal ecosystem,” it added.
“Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers.”
Cartelization of Another Kind
The disclosure comes as Acronis revealed that the threat actors behind DragonForce have unleashed a new malware variant that uses vulnerable drivers such as truesight.sys and rentdrv2.sys (part of BadRentdrv2) to disable security software and terminate protected processes as part of a bring your own vulnerable driver (BYOVD) attack. DragonForce, which launched a ransomware cartel earlier this year, has since also partnered with Qilin and LockBit in an attempt to “facilitate the sharing of techniques, resources, and infrastructure” and bolster their own individual capabilities. “Affiliates can deploy their own malware while using DragonForce’s infrastructure and operating under their own brand,” Acronis researchers said. “This lowers the technical barrier and allows both established groups and new actors to run operations without building a full ransomware ecosystem.” The ransomware group, per the Singapore-headquartered company, is aligned with Scattered Spider, with the latter functioning as an affiliate that breaks into targets of interest through sophisticated social engineering techniques like spear-phishing and vishing, followed by deploying remote access tools like ScreenConnect, AnyDesk, TeamViewer, and Splashtop to conduct extensive reconnaissance prior to dropping DragonForce.
“DragonForce used the Conti leaked source code to forge a dark successor crafted to carry its own mark,” it said. “While other groups made some changes to the code to give it a different spin, DragonForce kept all functionality unchanged, only adding an encrypted configuration in the executable to get rid of command-line arguments that were used in the original Conti code.” Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep
Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million). According to a statement released by Eurojust today, the action took place between October 27 and 29 across Cyprus, Spain, and Germany, with the suspects arrested on charges of involvement in money laundering from fraudulent activities. In addition to the arrests of the individuals at their homes, authorities conducted searches that led to the seizure of €800,000 ($918,000) in bank accounts, €415,000 ($476,000) in cryptocurrencies, and €300,000 ($344,000) in cash. Agencies from France, Belgium, Cyprus, Germany, and Spain took part in the “synchronized” effort alongside Eurojust.
“The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” Eurojust said. “They recruited their victims using a variety of methods such as social media advertising, cold calling, fake news articles, and fake testimonials from celebrities or successful investors.” Once victims invested their funds in the bogus platforms, the crypto assets were laundered through blockchain transactions, netting the network about €600 million in illicit revenue. Eurojust said an investigation into the money laundering and scam network was initiated after victims complained of not being able to recover their investments, eventually culminating in the raids that occurred last week. The disclosure comes as Europol revealed that the criminal use of cryptocurrency and blockchain is becoming increasingly professionalized, sophisticated, and organized, and that countering the “borderless nature” of the threat requires a similar response.
“Law enforcement, private sector partners, and academia are rapidly advancing their ability to counter the threats posed by sophisticated crypto-related crimes and money laundering,” the agency said. “Advanced tools are reducing reliance on manual tracing, while a host of successful cross-border operations show the power of collaboration.”
Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks
Details have emerged about a now-patched critical security flaw in the popular “@react-native-community/cli” npm package that could potentially be exploited to run malicious operating system (OS) commands under certain conditions. “The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to developers,” JFrog Senior Security Researcher Or Peles said in a report shared with The Hacker News. The vulnerability, tracked as CVE-2025-11953, carries a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It also affects the “@react-native-community/cli-server-api” package versions 4.8.0 through 20.0.0-alpha.2, and has been patched in version 20.0.0 released early last month.
The command-line tools package, which is maintained by Meta, enables developers to build React Native mobile applications. It receives approximately 1.5 million to 2 million downloads per week. According to the software supply chain security firm, the vulnerability arises from the fact that the Metro development server used by React Native to build JavaScript code and assets binds to external interfaces by default (instead of localhost) and exposes an “/open-url” endpoint that is susceptible to OS command injection. “The server’s ‘/open-url’ endpoint handles a POST request that includes a user-input value that is passed to the unsafe open() function provided by the open NPM package, which will cause OS command execution,” Peles said.
As a result, an unauthenticated network attacker could weaponize the flaw by sending a specially crafted POST request to the server and running arbitrary commands. On Windows, the attacker can execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, the flaw can be abused to execute arbitrary binaries with limited parameter control. The issue has since been addressed; developers who use React Native with a framework that doesn’t rely on Metro as the development server are not affected. “This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface,” Peles said.
“It also exposes the critical risks hidden in third-party code.” “For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organization.”
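One check a team would want after this advisory is whether a project's lockfile pins an affected copy of cli-server-api. The script below is an added example, not JFrog's or the React Native project's tooling: it scans a package-lock.json for the package and classifies each installed version against the range the advisory gives (4.8.0 through 20.0.0-alpha.2), using a prerelease-aware semver comparison so that 20.0.0-alpha.2 correctly sorts below the fixed 20.0.0 release. The lockfile in the block is constructed for the demonstration.

```python
import json
import re

AFFECTED_PACKAGE = "@react-native-community/cli-server-api"
FIRST_AFFECTED = "4.8.0"           # range as reported in the advisory
LAST_AFFECTED = "20.0.0-alpha.2"   # fixed in 20.0.0

# major.minor.patch, optional -prerelease, optional +build metadata (ignored for ordering)
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def _ident_key(ident):
    # Semver rule: numeric identifiers compare numerically and rank below
    # alphanumeric identifiers, which compare lexically.
    if ident.isdigit():
        return (0, int(ident), "")
    return (1, 0, ident)


def semver_key(version):
    """Return a tuple that orders versions per semver 2.0, or raise ValueError."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch, pre = m.groups()
    # A release (no prerelease part) ranks above every prerelease of the same
    # x.y.z, hence the 0/1 flag. A prerelease tuple that is a prefix of a longer
    # one ranks lower, which Python tuple comparison already provides.
    pre_key = () if pre is None else tuple(_ident_key(p) for p in pre.split("."))
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre_key)


def is_affected(version):
    """True when version lies inside the inclusive range given in the advisory."""
    key = semver_key(version)
    return semver_key(FIRST_AFFECTED) <= key <= semver_key(LAST_AFFECTED)


def scan_lockfile(lock_text):
    """Find every installed copy of the affected package in a package-lock.json.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    falls back to the top-level "dependencies" map of lockfileVersion 1.
    Returns a list of (install_path, version, affected) tuples.
    """
    lock = json.loads(lock_text)
    found = []
    for path, entry in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and "version" in entry:
            found.append((path, entry["version"], is_affected(entry["version"])))
    if not found:
        entry = lock.get("dependencies", {}).get(AFFECTED_PACKAGE)
        if entry and "version" in entry:
            found.append((AFFECTED_PACKAGE, entry["version"], is_affected(entry["version"])))
    return found


# Constructed lockfile: one affected copy at the top level and one already-fixed
# copy nested under a hypothetical dependency named "some-tool".
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@react-native-community/cli-server-api": {"version": "20.0.0-alpha.2"},
        "node_modules/some-tool/node_modules/@react-native-community/cli-server-api": {"version": "20.0.0"},
    },
})

if __name__ == "__main__":
    for path, version, affected in scan_lockfile(SAMPLE_LOCKFILE):
        print(f"{'AFFECTED' if affected else 'ok      '} {version:<16} {path}")
```

Run it against a real project with `scan_lockfile(open("package-lock.json").read())`; a nested copy under another dependency is reported just like the top-level one, since both are served by the same dev server.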
Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed
Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks. The vulnerabilities “allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications,” Check Point said in a report shared with The Hacker News. Following responsible disclosure in March 2024, some of the issues were addressed by Microsoft in August 2024 under the CVE identifier CVE-2024-38197, with subsequent patches rolled out in September 2024 and October 2025. In a nutshell, these shortcomings make it possible to alter message content without the “Edited” label appearing, to change the sender identity, and to modify incoming notifications so that a message appears to come from a different sender, thereby allowing an attacker to trick victims into opening malicious messages by making them appear to come from a trusted source, including high-profile C-suite executives.
The attack, which covers both external guest users and internal malicious actors, poses grave risks, as it undermines security boundaries and can lead prospective targets to perform unintended actions, such as clicking on malicious links sent in the messages or sharing sensitive data. On top of that, the flaws also made it possible to change the display names in private chat conversations by modifying the conversation topic, as well as to arbitrarily modify display names used in call notifications and during the call, permitting an attacker to forge caller identities in the process. “Together, these vulnerabilities show how attackers can erode the fundamental trust that makes collaboration workspace tools effective, turning Teams from a business enabler into a vector for deception,” the cybersecurity company said. Microsoft has described CVE-2024-38197 (CVSS score: 6.5) as a medium-severity spoofing issue impacting Teams for iOS, which could allow an attacker to alter the sender’s name of a Teams message and potentially trick the recipient into disclosing sensitive information through social engineering ploys.
The findings come as threat actors are abusing Microsoft’s enterprise communication platform in various ways, including approaching targets and persuading them to grant remote access or run a malicious payload under the guise of support personnel. Microsoft, in an advisory released last month, said the “extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors” and that its messaging (chat), calls, meetings, and video-based screen-sharing features are weaponized at different stages of the attack chain. “These vulnerabilities hit at the heart of digital trust,” Oded Vanunu, head of product vulnerability research at Check Point, told The Hacker News in a statement. “Collaboration platforms like Teams are now as critical as email and just as exposed.”
“Our research shows that threat actors don’t need to break in anymore; they just need to bend trust. Organizations must now secure what people believe, not just what systems process. Seeing isn’t believing anymore, verification is.”
Ransomware Defense Using the Wazuh Open Source Platform
Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape, affecting individuals, businesses, and critical infrastructure worldwide. A ransomware attack typically begins when the malware infiltrates a system through various vectors such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once activated, the malware encrypts files using strong cryptographic algorithms, rendering them inaccessible to the legitimate owner.
The attackers then demand payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key. Modern ransomware variants have evolved beyond simple file encryption. Some employ double extortion tactics, where attackers encrypt data, exfiltrate sensitive information, and threaten to publish it publicly if the ransom is not paid. This puts pressure on victims, particularly organizations handling confidential customer data or proprietary business information.
Ransomware development and propagation
Understanding ransomware creation and distribution is essential for developing effective defense strategies. The ransomware lifecycle involves sophisticated development processes and diverse propagation methods that exploit technical vulnerabilities and human behavior.
Ransomware development
Ransomware is typically developed by cybercriminal organizations or individual threat actors with programming expertise. The creation process involves:
- Malware coding: Developers write malicious code using various programming languages, incorporating encryption algorithms and command-and-control communication protocols.
- Ransomware-as-a-Service (RaaS): Some criminal groups operate subscription-based models that provide ransomware tools to affiliates in exchange for a percentage of ransom payments.
- Customization and testing: Attackers test their malware against security solutions to ensure it can evade detection.
Propagation methods
Ransomware spreads through multiple attack vectors:
- Phishing emails: Malicious attachments or links that appear legitimate trick users into downloading ransomware.
- Exploit kits: Automated tools that scan for and exploit known vulnerabilities in applications and operating systems.
- Remote Desktop Protocol (RDP) attacks: Attackers gain unauthorized access through weak or compromised RDP credentials.
- Malicious websites and downloads: Downloads from compromised or malicious websites install ransomware with or without the user’s knowledge.
- Supply chain attacks: Compromised trusted software or service providers can distribute ransomware to customers.
- Removable media: Infected USB drives and external storage devices can spread ransomware when connected to computer systems.
Effects of a ransomware attack
The impact of ransomware extends far beyond the immediate encryption of files. Organizations and individuals affected by ransomware experience multiple consequences that can have long-lasting repercussions on operations, finances, and reputation.
Financial consequences
Ransomware attacks inflict financial damage beyond file encryption. Victims may face ransom demands ranging from hundreds to millions of dollars, with no guarantee of data recovery even after payment.
Additional expenses arise from incident response, forensic investigations, system restoration, and security enhancements, while regulatory non-compliance can lead to substantial legal fines and penalties for data breaches.
Operational consequences
Ransomware attacks cause significant operational disruption by crippling access to vital resources. Critical business data, customer information, and intellectual property may be lost or compromised, while essential services become unavailable, impacting customers, partners, and internal workflows. The resulting operational downtime often surpasses the ransom cost, as businesses can experience weeks or months of halted operations.
Reputational damage
Ransomware incidents often lead to lasting reputational damage as data breaches erode customer trust and confidence in an organization’s ability to safeguard sensitive information. Public disclosure of such attacks can weaken market position, strain business relationships, and create a competitive disadvantage.
Preventing ransomware attacks
Preventing ransomware attacks requires a multi-layered defense strategy that combines technical controls, organizational policies, and user awareness. Understanding and implementing these protective measures reduces the risk of successful ransomware infections.
Technical defenses
- Security Information and Event Management (SIEM) and Extended Detection and Response (XDR): Implement continuous monitoring to detect and respond to suspicious activities and anomalous behavior.
- File integrity monitoring: Track changes to files, folders, and system configurations. This helps you identify malware behavior within your environment.
- Network traffic analysis: Monitor for unusual data exfiltration patterns or command-and-control communications.
- Regular backups: To ensure recovery without ransom, maintain frequent, automated backups of critical data stored offline or in immutable storage.
- Patch management: Keep operating systems, applications, and firmware up to date to remediate known vulnerabilities that ransomware exploits.
- Network segmentation: Isolate critical systems and limit lateral movement opportunities for attackers.
- Email filtering: Implement robust email security solutions to block phishing attempts and malicious attachments.
- Access controls: Enforce the principle of least privilege and implement strong authentication mechanisms, including multi-factor authentication.
- Application whitelisting: Allow only approved applications to execute in your environment, preventing unauthorized malware from running.
Organizational practices
- Security awareness training: Educate employees about phishing tactics, social engineering, and safe computing practices.
- Incident response planning: Develop and regularly test comprehensive incident response procedures for ransomware scenarios.
- Security audits: Conduct regular vulnerability assessments and penetration testing to identify security weaknesses.
- Vendor risk management: Assess and monitor the security posture of third-party service providers.
What Wazuh offers for ransomware protection
Wazuh is a free and open source security platform that provides comprehensive capabilities for detecting, preventing, and responding to ransomware threats. It is a unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) platform.
Wazuh helps organizations build resilience against ransomware attacks through its out-of-the-box capabilities and integration with other security platforms.
Threat detection and prevention
Wazuh employs multiple detection mechanisms to identify ransomware activities. These include:
- Malware detection: Wazuh integrates with threat intelligence feeds and utilizes signature-based and anomaly-based detection methods to identify known ransomware variants.
- Vulnerability detection: This Wazuh capability scans systems for known vulnerabilities that ransomware commonly exploits, enabling proactive patching and reducing the likelihood of successful compromise.
- Log data analysis: This Wazuh capability analyzes security events collected from user endpoints, servers, cloud workloads, and network devices to detect ransomware indicators.
- Security configuration monitoring (SCA): The Wazuh SCA evaluates system configurations against security best practices and compliance frameworks.
- File integrity monitoring (FIM): This Wazuh capability monitors critical files and directories, detecting unauthorized modifications that may indicate ransomware encryption activity.
- Regulatory compliance monitoring: This Wazuh capability helps organizations maintain security standards and regulatory compliance requirements that deter ransomware attacks.
Incident response capabilities
- Active response: The Wazuh Active Response capability automatically executes predefined actions when threats are detected, such as isolating infected systems, blocking malicious processes, or quarantining files.
- Integration with external solutions: Wazuh integrates with other security tools and platforms to improve organizations’ security posture.
Use cases
The following sections show some use cases of Wazuh detection and response to ransomware.
Detecting and responding to DOGE Big Balls ransomware with Wazuh
The DOGE Big Balls ransomware, a modified version of the FOG ransomware, combines technical exploits with psychological manipulation targeting enterprise environments.
This malware variant delivers its payload through phishing campaigns or unpatched vulnerabilities. It then performs privilege escalation, reconnaissance, file encryption, and note creation on the victim’s endpoint.
Detection
Wazuh detects the DOGE Big Balls ransomware using threat detection rules and a Wazuh constant database (CDB) list to match its specific pattern.
CDB list containing DOGE Big Balls reconnaissance commands:
net config Workstation:
systeminfo:
hostname:
net users:
ipconfig /all:
route print:
arp -A:
netstat -ano:
netsh firewall show state:
netsh firewall show config:
schtasks /query /fo LIST /v:
tasklist /SVC:
net start:
DRIVERQUERY:
Threat detection rules
- etc/lists/doge-big-balls-ransomware
These rules flag the execution of known reconnaissance commands and detect when multiple ransom notes appear across directories.
These are DOGE Big Balls ransomware IOCs that indicate file encryption and other ransomware activities.
Automated response
Wazuh enables ransomware detection and removal using its File Integrity Monitoring (FIM) capability and integration with YARA. In this use case, Wazuh monitors the Downloads directory in real time. When a new or modified file appears, it triggers the active response capability to execute a YARA scan.
If a file matches known YARA ransomware signatures like DOGE Big Balls, the custom active response script deletes it automatically and logs the action. Custom decoders and rules on the Wazuh server parse those logs to generate alerts showing whether the file was detected and successfully removed.
Detecting Gunra ransomware with Wazuh
The Gunra ransomware is typically used by private cybercriminals to extort money from its victims. It utilizes a double-extortion model that encrypts files and exfiltrates data for publication should its victim fail to pay the ransom.
The Gunra ransomware spreads through Windows systems by encrypting files, appending the .ENCRT extension, and leaving ransom notes named R3ADM3.txt. It deletes shadow copies, disables backup and antivirus services to block recovery, and uses Tor networks to hide its operators. These actions make data restoration difficult and help the attackers maintain anonymity during ransom negotiations.
Detection
The following Wazuh rules alert when ransom notes named R3ADM3.txt appear, system components like VSS or amsi.dll are tampered with, or suspicious modules such as urlmon.dll are loaded for network activity.
The rules also track attempts to delete shadow copies or disable backup and admin functions, indicating behavior typical of ransomware preparing for file encryption.
Threat detection rules
Automated response
Wazuh performs automated responses to Gunra ransomware malicious file activities using its FIM capability and integration with VirusTotal. In this use case, the Wazuh File Integrity Monitoring (FIM) module monitors the Downloads folder in real time, triggering scans whenever files are added or changed. A custom active response executable then securely deletes any file that VirusTotal flags as a threat.
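Both the DOGE Big Balls (FIM + YARA) and Gunra (FIM + VirusTotal) use cases above share one active-response skeleton: receive the FIM alert, scan the file, delete it on a hit, and write a log line for the server-side decoders. The script below is an added example, not Wazuh's own integration script, showing that skeleton. It assumes the alert arrives on stdin in the JSON format Wazuh passes to active-response scripts, that the scanner is the `yara` CLI with a rules file at a placeholder path (a VirusTotal lookup can be injected in its place), and that the log line format is this script's own, so the custom decoders mentioned above would be written to match it. The sample alert is constructed.

```python
#!/usr/bin/env python3
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

YARA_RULES = "/var/ossec/ruleset/yara/rules/ransomware.yar"   # placeholder path
LOG_FILE = "/var/ossec/logs/active-responses.log"            # AR log on Linux agents


def extract_target(ar_message):
    """Return the path from the FIM alert inside an AR message, or None.

    Wazuh invokes the script with "command": "add" when the rule fires. The
    matching "delete" call (timeout) is ignored: a removed file cannot be restored.
    """
    try:
        msg = json.loads(ar_message)
    except json.JSONDecodeError:
        return None
    if msg.get("command") != "add":
        return None
    alert = msg.get("parameters", {}).get("alert", {})
    return alert.get("syscheck", {}).get("path")


def parse_yara_output(stdout):
    """yara prints one 'RULE_NAME /path/to/file' line per match; paths may contain spaces."""
    rules = []
    for line in stdout.splitlines():
        parts = line.split(" ", 1)
        if len(parts) == 2 and parts[0]:
            rules.append(parts[0])
    return rules


def run_yara(path):
    proc = subprocess.run(["yara", "-w", "-r", YARA_RULES, path],
                          capture_output=True, text=True, check=False)
    return parse_yara_output(proc.stdout)


def append_log(line):
    stamp = datetime.now(timezone.utc).strftime("%Y/%m/%d %H:%M:%S")
    with open(LOG_FILE, "a", encoding="utf-8") as fh:
        fh.write(f"{stamp} wazuh-yara-ar: {line}\n")


def handle(ar_message, scanner=run_yara, remover=os.remove,
           exists=os.path.isfile, log=append_log):
    """Process one AR message and return a dict describing the outcome.

    scanner/remover/exists/log are injectable so the decision logic can be
    exercised without a Wazuh manager, a yara binary or real files.
    """
    path = extract_target(ar_message)
    if not path:
        return {"status": "ignored"}
    if not exists(path):
        # FIM may report a file the ransomware has already moved or renamed.
        log(f"INFO - file={path} action=skipped reason=missing")
        return {"status": "missing", "path": path}
    hits = scanner(path)
    if not hits:
        log(f"INFO - file={path} action=none result=clean")
        return {"status": "clean", "path": path}
    try:
        remover(path)
        status = "removed"
    except OSError as exc:
        status = "remove_failed"
        log(f"ERROR - file={path} error={exc.strerror}")
    log(f"WARNING - file={path} rules={','.join(hits)} action={status}")
    return {"status": status, "path": path, "rules": hits}


# Constructed AR message in the shape Wazuh sends: only the fields used here are filled in.
SAMPLE_AR_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "agent01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"syscheck": {"path": "/home/alice/Downloads/invoice.exe", "event": "added"}},
        "program": "/var/ossec/active-response/bin/yara-ar.py",
    },
})

if __name__ == "__main__":
    # Wazuh writes the AR message as a single line on stdin.
    print(json.dumps(handle(sys.stdin.readline())))
```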
Ransomware protection on Windows with Wazuh
Wazuh provides ransomware protection and file recovery on monitored Windows endpoints using its command module and the Windows Volume Shadow Copy Service (VSS). This integration allows administrators to automatically take snapshots of monitored endpoints to recover files to a state before they are encrypted by malware. The following image shows successful Wazuh Active Response file recovery alerts.
Conclusion
Ransomware attacks pose significant financial, operational, and reputational damage.
They require multi-layered defenses that combine early detection with incident response. Organizations that invest in these practices are better equipped to withstand and recover from such attacks. Wazuh provides capabilities that enable early detection and rapid response to contain ransomware attacks. It offers out-of-the-box capabilities for vulnerability detection, file integrity monitoring, log data analysis, and automated responses to prevent ransomware-caused data loss and downtime.
This article is a contributed piece from one of our valued partners.
Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors
Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus. According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation. The activity has been codenamed Operation SkyCloak by Seqrite, which said the phishing emails use lures related to military documents to convince recipients to open a ZIP file containing a hidden folder with a second archive file, along with a Windows shortcut (LNK) file that, when opened, triggers the multi-step infection chain. “They trigger PowerShell commands which act as the initial dropper stage where another archive file besides the LNK is used to set up the entire chain,” security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding the archive files were uploaded from Belarus to the VirusTotal platform in October 2025.
One such intermediate module is a PowerShell stager that’s responsible for running anti-analysis checks to evade sandbox environments, as well as writing a Tor onion address (“yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion”) to a file named “hostname” in the “C:\Users\<Username>\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler” location. As part of its analysis checks, the malware confirms that the number of recent LNK files present on the system is greater than or equal to 10 and verifies that the current process count is greater than or equal to 50. If either condition is not met, the PowerShell script abruptly ceases execution. “These checks serve as environmental awareness mechanisms, as sandbox environments typically exhibit fewer user-generated shortcuts and reduced process activity compared to genuine user workstations,” Cyble said.
Once these environmental checks are satisfied, the script proceeds to display a PDF decoy document stored in the aforementioned “logicpro” folder, while setting up persistence on the machine using a scheduled task under the name “githubdesktopMaintenance” that runs automatically after user logon and on a daily schedule at 10:21 a.m. UTC. The scheduled task is designed to launch “logicpro/githubdesktop.exe,” which is nothing but a renamed version of “sshd.exe,” a legitimate executable associated with OpenSSH for Windows, allowing the threat actor to establish an SSH service that restricts communications to pre-deployed authorized keys stored in the same “logicpro” folder. Besides enabling file transfer capabilities using SFTP, the malware also creates a second scheduled task that’s configured to execute “logicpro/pinterest.exe,” a customized Tor binary used to create a hidden service that communicates with the attacker’s .onion address by obfuscating the network traffic using obfs4.
Furthermore, it implements port forwarding for multiple critical Windows services such as RDP, SSH, and SMB to facilitate access to system resources through the Tor network. Once the connection is successfully established, the malware exfiltrates system information, in addition to a unique .onion URL hostname identifying the compromised system by means of a curl command. The threat actor ultimately gains remote access capabilities to the compromised system upon receipt of the victim’s .onion URL through the command-and-control channel. While it’s currently not clear who is behind the campaign, both security vendors said it’s consistent with Eastern European-linked espionage activity targeting defense and government sectors.
Cyble has assessed with medium confidence that the attack shares tactical overlaps with a prior campaign mounted by a threat actor tracked by CERT-UA under the moniker UAC-0125. “Attackers access SSH, RDP, SFTP, and SMB via concealed Tor services, enabling full system control while preserving anonymity,” the company added. “All communications are directed through anonymous addresses using pre-installed cryptographic keys.”
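The persistence described above (a scheduled task named githubdesktopMaintenance, a renamed sshd.exe and Tor binary under a user's AppData\Roaming\logicpro folder, and a "hostname" file holding a v3 onion address) is easy to triage from a scheduled-task export. The script below is an added example, not from Cyble or Seqrite: it reads the CSV that `schtasks /query /fo CSV /v` prints (the TaskName and Task To Run columns), flags tasks matching those artifacts, and checks a candidate hostname string against the v3 onion format. The CSV rows, the user "alice", the second task's name and its "-f torrc" argument are constructed for the demonstration.

```python
import csv
import io
import re

KNOWN_TASK_NAMES = {"githubdesktopmaintenance"}
KNOWN_BINARIES = {"githubdesktop.exe", "pinterest.exe"}   # renamed sshd.exe and Tor
STAGING_MARKER = "\\appdata\\roaming\\logicpro\\"
# v3 hidden-service hostnames: 56 base32 characters followed by .onion
ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def executable_of(action):
    """Pull the program path out of a 'Task To Run' value, quoted or not, with or without arguments."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split(" ", 1)[0]


def triage_task(name, action):
    """Return the reasons a task matches the SkyCloak persistence, or an empty list."""
    reasons = []
    short_name = name.rsplit("\\", 1)[-1].lower()
    exe = executable_of(action).replace("/", "\\")
    basename = exe.rsplit("\\", 1)[-1].lower()
    if short_name in KNOWN_TASK_NAMES:
        reasons.append("known task name")
    if basename in KNOWN_BINARIES:
        reasons.append(f"known renamed binary {basename}")
    if STAGING_MARKER in exe.lower():
        reasons.append("launched from AppData\\Roaming\\logicpro")
    return reasons


def triage_schtasks_csv(csv_text):
    """Walk a schtasks CSV export and return the suspicious tasks with their reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":
            continue   # schtasks can repeat the header line per task folder
        action = row.get("Task To Run", "")
        reasons = triage_task(name, action)
        if reasons:
            findings.append({"task": name, "action": action, "reasons": reasons})
    return findings


def is_onion_hostname(text):
    """True for a well-formed v3 .onion hostname such as the one written to the 'hostname' file."""
    return bool(ONION_RE.match(text.strip().lower()))


# Constructed export with the columns schtasks /fo CSV /v prints (trimmed to the first nine).
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h"\n'
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"\n'
    '"WS01","\\githubdesktopMaintenance","11/6/2025 10:21:00 AM","Ready","Interactive only","11/5/2025 10:21:00 AM","0","WS01\\alice","C:\\Users\\alice\\AppData\\Roaming\\logicpro\\githubdesktop.exe"\n'
    '"WS01","\\githubdesktopUpdate","N/A","Ready","Interactive only","N/A","0","WS01\\alice","""C:\\Users\\alice\\AppData\\Roaming\\logicpro\\pinterest.exe"" -f torrc"\n'
)

if __name__ == "__main__":
    for finding in triage_schtasks_csv(SAMPLE_SCHTASKS_CSV):
        print(finding["task"], "->", finding["action"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On a live host, feed it the output of `schtasks /query /fo CSV /v` and pair a hit with the contents of the "hostname" file under the logicpro folder; the onion check is what separates the SkyCloak staging directory from an unrelated folder of the same name.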
Google’s AI ‘Big Sleep’ Finds 5 New Vulnerabilities in Apple’s Safari WebKit
Google’s artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser that, if successfully exploited, could result in a browser crash or memory corruption. The list of vulnerabilities is as follows:
- CVE-2025-43429 - A buffer overflow vulnerability that may lead to an unexpected process crash when processing maliciously crafted web content (addressed through improved bounds checking)
- CVE-2025-43430 - An unspecified vulnerability that could result in an unexpected process crash when processing maliciously crafted web content (addressed through improved state management)
- CVE-2025-43431 & CVE-2025-43433 - Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling)
- CVE-2025-43434 - A use-after-free vulnerability that may lead to an unexpected Safari crash when processing maliciously crafted web content (addressed through improved state management)
Patches for the shortcomings were released by Apple on Monday as part of iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1, and Safari 26.1. The updates are available for the following devices and operating systems:
- iOS 26.1 and iPadOS 26.1 - iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
- macOS Tahoe 26.1 - Macs running macOS Tahoe
- tvOS 26.1 - Apple TV 4K (2nd generation and later)
- visionOS 26.1 - Apple Vision Pro (all models)
- watchOS 26.1 - Apple Watch Series 6 and later
- Safari 26.1 - Macs running macOS Sonoma and macOS Sequoia
Big Sleep, formerly called Project Naptime, is an AI agent launched by Google last year as part of a collaboration between DeepMind and Google Project Zero to enable automated vulnerability discovery. Earlier this year, Google said the large language model (LLM)-assisted framework identified a security flaw in SQLite (CVE-2025-6965, CVSS score: 7.2) that it said was at “risk of being exploited” by malicious actors.
While none of the vulnerabilities listed in Monday’s security bulletins have been flagged as exploited in the wild, it’s always a good practice to keep devices updated to the latest version for optimal protection.
U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks
Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them. Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator (aka “Co-Conspirator 1”) based in Florida, all U.S. nationals, are said to have used the ransomware strain against a medical device company based in Tampa, Florida, a pharmaceutical company based in Maryland, a doctor’s office based in California, an engineering company based in California, and a drone manufacturer based in Virginia. The Chicago Sun-Times first reported the indictment over the weekend, stating Martin and Co-Conspirator 1 were employed as ransomware threat negotiators for a company named DigitalMint at the time when these incidents took place. Goldberg was an incident response manager for cybersecurity company Sygnia. All three individuals are no longer working at the respective firms, with both DigitalMint and Sygnia stating they have cooperated with law enforcement on the matter.
In July 2025, Bloomberg reported that the U.S. Federal Bureau of Investigation (FBI) was looking into a former employee of DigitalMint for supposedly taking a cut from ransomware payments. According to the indictment document, Goldberg, Martin, and the co-conspirator have been accused of willfully engaging in a conspiracy to “enrich” themselves by accessing victims’ networks or computers in an unauthorized manner, stealing their data, installing the BlackCat ransomware on their systems in exchange for a cryptocurrency payment, and dividing the illicit proceeds amongst them:
- Around May 13, 2023, the defendants attacked the medical device firm and demanded an approximate $10,000,000 ransom payment. The company ended up paying virtual currency worth approximately $1,274,000 at the time of payment.
- Around May 2023, the defendants attacked the pharmaceutical company and demanded an unspecified amount as ransom.
- Around July 2023, the defendants attacked the doctor’s office and demanded an approximate $5,000,000 ransom payment.
- Around October 2023, the defendants attacked the engineering company and demanded an approximate $1,000,000 ransom payment.
- Around November 2023, the defendants attacked the drone manufacturer and demanded an approximate $300,000 ransom payment.
It’s said that they did not manage to extort a financial payment from the other victims. While Martin has pleaded not guilty, court records show that Goldberg allegedly confessed to being recruited by the unnamed co-conspirator to “try and ransom some companies” during an interview with the FBI and that he conducted the attacks to get out of debt. The third individual has not been indicted. Both Goldberg and Martin have been charged with conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to a protected computer.
These accusations carry a maximum penalty of up to 50 years in federal prison.
Microsoft Detects “SesameOp” Backdoor Using OpenAI’s API as a Stealth Command Channel
Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications. “Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” the Detection and Response Team (DART) at Microsoft Incident Response said in a technical report published Monday. “To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.” The tech giant said it discovered the implant in July 2025 as part of a sophisticated security incident in which unknown threat actors had managed to maintain persistence within the target environment for several months. It did not name the impacted victim.
Further investigation into the intrusion activity has led to the discovery of what it described as a “complex arrangement” of internal web shells, which are designed to execute commands relayed from “persistent, strategically placed” malicious processes. These processes, in turn, leverage Microsoft Visual Studio utilities that were compromised with malicious libraries, an approach referred to as AppDomainManager injection . SesameOp is a custom backdoor engineered to maintain persistence and allow a threat actor to covertly manage compromised devices, indicating that the attack’s overarching goal was to ensure long-term access for espionage efforts. OpenAI Assistants API enables developers to integrate artificial intelligence (AI)-powered agents directly into their applications and workflows.
The API is scheduled for deprecation by OpenAI in August 2026, with the company replacing it with a new Responses API. The infection chain, per Microsoft, includes a loader component (“Netapi64.dll”) and a .NET-based backdoor (“OpenAIAgent.Netapi64”) that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are subsequently decoded and executed locally. The results of the execution are sent back to OpenAI as a message. “The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API,” the company said.
“Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.” The backdoor acts on three values carried in the description field of the Assistants list it retrieves from OpenAI:
- SLEEP, to make the process thread sleep for a specified duration
- Payload, to extract the contents of the message from the instructions field and invoke it in a separate thread for execution
- Result, to transmit the processed result to OpenAI as a new message in which the description field is set to “Result,” signaling to the threat actor that the output of the payload’s execution is available
It’s currently not clear who is behind the malware, but the development illustrates the continued abuse of legitimate tools for malicious purposes to blend in with normal network activity and sidestep detection. Microsoft said it shared its findings with OpenAI, which identified and disabled an API key and associated account believed to have been used by the adversary.
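A hunt over an Assistants listing for the three marker values above, as an added Python example that is not Microsoft’s tooling. It takes the JSON an organization administrator would get from listing the account’s assistants (the sample object here is constructed) and flags entries whose description is SLEEP, Payload, or Result, plus any whose instructions field holds an opaque high-entropy blob rather than prose, which is what an encrypted command would look like. The base64 assumption and the entropy threshold are this example’s, not findings from the report.

```python
"""Hunt for SesameOp-style markers in an OpenAI Assistants listing.
Added example, not Microsoft's code; the listing below is constructed."""
import base64
import hashlib
import math
from collections import Counter

MARKERS = {"SLEEP", "Payload", "Result"}   # values named in the report
ENTROPY_THRESHOLD = 6.0                    # bits/byte; assumption for this example


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_blob(text: str) -> bool:
    """True when `text` is valid base64 whose decoded bytes are near-random,
    i.e. an opaque (encrypted or compressed) payload rather than prose."""
    compact = "".join(text.split())
    if len(compact) < 32:
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(raw) > ENTROPY_THRESHOLD


def hunt_assistants(listing: dict) -> list:
    """Return the assistants that carry a C2 marker or a blob in `instructions`."""
    hits = []
    for assistant in listing.get("data", []):
        reasons = []
        description = (assistant.get("description") or "").strip()
        if description in MARKERS:
            reasons.append(f"description marker {description!r}")
        if looks_like_blob(assistant.get("instructions") or ""):
            reasons.append("instructions field is an opaque high-entropy blob")
        if reasons:
            hits.append({"id": assistant.get("id"), "name": assistant.get("name"),
                         "reasons": reasons})
    return hits


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for an encrypted command (SHA-256 chain)."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed listing in the shape of a GET /v1/assistants response.
SAMPLE_LISTING = {
    "object": "list",
    "data": [
        {"id": "asst_a", "name": "support-faq", "description": "Customer FAQ helper",
         "instructions": "You answer questions about our shipping policy."},
        {"id": "asst_b", "name": "host-7f3a", "description": "SLEEP",
         "instructions": "900"},
        {"id": "asst_c", "name": "host-7f3a", "description": "Payload",
         "instructions": base64.b64encode(_pseudo_ciphertext(512)).decode()},
    ],
}

if __name__ == "__main__":
    for hit in hunt_assistants(SAMPLE_LISTING):
        print(hit["id"], hit["name"], "; ".join(hit["reasons"]))
```

The marker strings are trivially changed by the operator, so the entropy test on `instructions` is the more durable signal: a legitimate assistant carries natural-language instructions, not ciphertext. The same check applies to the egress side, where an unexpected process on a server talking to the Assistants endpoint deserves a look regardless of what the messages say.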
Malicious VSX Extension “SleepyDuck” Uses Ethereum to Keep Its Command Server Alive
Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck . According to Secure Annex’s John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads. “The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down,” Tuckner added . Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX.
In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor. In the latest instance detected by the enterprise extension security firm, the malware is triggered when a new code editor window is opened or a .sol file is selected. Specifically, it’s configured to find the fastest Ethereum Remote Procedure Call (RPC) provider to connect to in order to obtain access to the blockchain, initialize contact with a remote server at “sleepyduck[.]xyz” (hence the name) via the contract address “0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465,” and kick off a polling loop that checks for new commands to be executed on the host every 30 seconds. It’s also capable of gathering system information, such as hostname, username, MAC address, and timezone, and exfiltrating the details to the server.
In the event the domain is seized or taken down, the malware has built-in fallback controls to reach out to a predefined list of Ethereum RPC addresses and read the contract state that holds the server details. What’s more, the extension is equipped to fetch a new configuration from the contract address to set a new server, as well as execute an emergency command on all endpoints in the event that something unexpected occurs. The contract was created on October 31, 2025, with the threat actor updating the server details from “localhost:8080” to “sleepyduck[.]xyz” over the course of four transactions. It’s not clear if the download counts were artificially inflated by the threat actors to boost the relevance of the extension in search results – a tactic often adopted to increase apparent popularity so as to trick unsuspecting developers into installing a malicious library.
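Decoding the server address that a contract-backed fallback of this kind hands back, as an added Python example (not the extension’s code). The contract’s function ABI is not given in the write-up, so this assumes a view function that returns a single Solidity string; the eth_call reply is constructed here rather than fetched, and the function-selector step, which needs keccak-256, is left out of scope. The decoder is the part an analyst needs when querying such a contract to see what the current server is.

```python
"""Decode an ABI-encoded string returned by an eth_call, as a SleepyDuck-style
extension would to learn its current server. Added example, not the malware's
code; the JSON-RPC reply and the function ABI are assumptions."""
import json


def abi_decode_string(hexdata: str) -> str:
    """Decode the return data of a Solidity function returning a single `string`:
    word 0 = offset of the string, then a length word, then UTF-8 bytes padded to 32."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("return data too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the return data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("string length runs past the return data")
    return raw[start:start + length].decode("utf-8")


def abi_encode_string(value: str) -> str:
    """Inverse of abi_decode_string, used here to build the constructed reply."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def c2_from_reply(reply_json: str) -> str:
    """Pull the server string out of a JSON-RPC eth_call reply, refusing empty
    results (no contract code at that address) and RPC errors."""
    reply = json.loads(reply_json)
    if "error" in reply:
        raise RuntimeError(f"RPC error: {reply['error']}")
    result = reply.get("result", "")
    if result in ("", "0x"):
        raise ValueError("empty result: no contract code or wrong selector")
    return abi_decode_string(result)


# Constructed reply; the value mirrors the defanged server name from the write-up.
SAMPLE_RPC_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string("sleepyduck[.]xyz"),
})

if __name__ == "__main__":
    print(c2_from_reply(SAMPLE_RPC_REPLY))
```

Because the contract state is public and append-only, the four transactions that moved the value from “localhost:8080” to the final domain are themselves a timeline of the operator’s staging; walking those transactions with the same decoder gives the history, not just the current value.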
“The download counts likely are manipulated making it hard to know exactly,” Tuckner told The Hacker News. “This is very likely done to make it more relevant in the search results for Cursor/Open VSX.” The development comes as the company also disclosed details of another set of five extensions, this time published to the VS Code Extension Marketplace by a user named “developmentinc,” including a Pokémon-themed library that downloads a batch script miner from an external server (“mock1[.]su:443”) as soon as it’s installed or enabled, and executes it using “cmd.exe.” The script file, besides relaunching itself with administrator privileges using PowerShell and configuring Microsoft Defender Antivirus exclusions by adding every drive letter from C: through Z:, downloads a Monero mining executable from “mock1[.]su” and runs it. The extensions uploaded by the threat actor, no longer available for download, are listed below:
- developmentinc.cfx-lua-vs
- developmentinc.pokemon
- developmentinc.torizon-vs
- developmentinc.minecraftsnippets
- developmentinc.kombai-vs
Users are advised to exercise caution when it comes to downloading extensions, and make sure that they are from trusted publishers. Microsoft, for its part, announced back in June that it’s instituting periodic marketplace-wide scans to protect users against malware.
Every removed extension from the official marketplace can be viewed from the RemovedPackages page on GitHub.
Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks
Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight. The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the surface transportation industry with the end goal of plundering physical goods. The most targeted commodities of the cyber-enabled heists are food and beverage products. “The stolen cargo most likely is sold online or shipped overseas,” researchers Ole Villadsen and Selena Larson said in a report shared with The Hacker News.
“In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them.” The campaigns share similarities with a previous set of attacks disclosed in September 2024 that involved targeting transportation and logistics companies in North America with information stealers and remote access trojans (RATs) such as Lumma Stealer, StealC, or NetSupport RAT. However, there is no evidence to suggest that they are the work of the same threat actor. In the current intrusion wave detected by Proofpoint, the unknown attackers have leveraged multiple methods, including compromised email accounts to hijack existing conversations, targeting asset-based carriers, freight brokerage firms, and integrated supply chain providers with spear-phishing emails, and posting fraudulent freight listings using hacked accounts on load boards. “The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads,” it said.
“This tactic exploits the trust and urgency inherent in freight negotiations.” Needless to say, the malicious URLs embedded within the messages lead to booby-trapped MSI installers or executables that deploy legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In select instances, several of these programs are used together, with PDQ Connect being used to drop and install ScreenConnect and SimpleHelp. Once remote access is obtained, the attackers move to conduct system and network reconnaissance, followed by dropping credential harvesting tools such as WebBrowserPassView to capture additional credentials and burrow deeper into the corporate network. In at least one case, the threat actor is believed to have weaponized the access to delete existing bookings and block dispatcher notifications, and then added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport.
As many as two dozen campaigns targeting transportation entities to deliver RMMs have been detected since August 2025. These efforts are assessed to be both indiscriminate and opportunistic, targeting everything from small, family-owned businesses to large transport firms in order to infiltrate their networks and leverage insider information from other breaches to identify and bid on loads that are likely to be profitable if stolen. The use of RMM software offers several advantages. First, it obviates the need for threat actors to devise bespoke malware.
Second, it also allows them to fly under the radar, owing to the prevalence of such tools in enterprise environments and the fact that they are typically not flagged as malicious by security solutions. “It’s fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans,” Proofpoint noted back in March 2025. “Additionally, such tooling may evade anti-virus or network detection because the installers are often signed, legitimate payloads distributed maliciously.”
⚡ Weekly Recap: Lazarus Hits Web3, Intel/AMD TEEs Cracked, Dark Web Leak Tool & More
Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe. From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides.
Even encrypted backups and secure areas were put to the test. Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow.
⚡ Threat of the Week
Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a targeted campaign that has leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was “limited to sectors aligned with their intelligence objectives.”
🔔 Top News
TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves — A low-cost physical side-channel attack has been found to break the confidentiality and security guarantees offered by modern Trusted Execution Environments (TEEs) from Intel and AMD, enabling full extraction of cryptographic keys and subversion of secure attestation mechanisms. The attack, codenamed TEE.fail, exploits deterministic encryption and DDR5 bus interposition to successfully bypass protections in Intel’s SGX and TDX, as well as AMD’s SEV-SNP, by eavesdropping on memory transactions using a homemade logic analyzer setup built for under $1,000.
That said, the attack requires physical access to the target as well as root-level privileges for kernel driver modification. Russian Hackers Target Ukraine With Stealth Tactics — Suspected Russian hackers breached Ukrainian networks this summer using ordinary administrative tools to steal data and remain undetected, researchers have found. According to a report by Broadcom-owned Symantec and Carbon Black, the attackers targeted a large Ukrainian business services company and a local government agency in two separate incidents earlier this year. What makes these attacks notable is that the hackers deployed little custom malware and instead relied heavily on living-off-the-land tactics, i.e., using legitimate software already present in the victims’ networks, to carry out their malicious actions.
The targeted organizations were not named, and it remains unclear what information, if any, was stolen. N. Korea Targets Web3 Sector with GhostCall and GhostHire — The North Korea-affiliated threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed GhostCall and GhostHire, targeting executives, Web3 developers, and blockchain professionals. The campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and initiate multi-stage malware chains to compromise Windows, Linux, and macOS hosts.
GhostCall marks a major leap in operational stealth compared to earlier BlueNoroff operations, with the attackers relying on multiple layers of staging to sidestep detection. The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. BlueNoroff is a financially motivated sub-cluster of the Lazarus Group, North Korea’s state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB), and is believed to operate the long-running SnatchCrypto campaign. GhostCall and GhostHire are assessed to be the latest extensions of this campaign.
The threat actor’s strategy is said to have evolved beyond cryptocurrency and browser credential theft to comprehensive data acquisition across a range of assets. “This harvested data is exploited not only against the initial target but also to facilitate subsequent attacks, enabling the actor to execute supply chain attacks and leverage established trust relationships to impact a broader range of users,” Kaspersky said. New Android Banking Malware Herodotus Mimics Human Behavior — Researchers have discovered a new Android banking malware called Herodotus that evades detection by mimicking human behavior when remotely controlling infected devices. The malware is advertised by a little-known hacker who goes by the name K1R0.
Herodotus works like many modern Android banking trojans. Operators distribute it through SMS messages that trick users into downloading a malicious app. Once installed, the malware waits for a targeted application to be opened and then overlays a fake screen that mimics the real banking or payment interface to steal credentials. It also intercepts incoming SMS messages to capture one-time passcodes and exploits Android’s accessibility features to read what’s displayed on the device screen.
What makes Herodotus unusual, ThreatFabric said, is that it tries to “humanize” the actions attackers undertake during remote control. Instead of pasting stolen details into form fields all at once — a behavior that can easily be flagged as automated — the malware types each character separately with random pauses of about 0.3 to 3 seconds between keystrokes, imitating how a real person would type. Qilin Ransomware Uses Linux Encryptors in Windows Attacks — The Qilin ransomware actors have been observed leveraging the Windows Subsystem for Linux ( WSL ) to launch Linux encryptors in Windows in an attempt to evade detection. Qilin, which emerged in mid-2022, has attacked more than 700 victims across 62 countries this year.
The sustained rate of victims claimed on its data leak site underscores Qilin’s position as one of the most active and pernicious ransomware operations worldwide. In new attacks spotted by Trend Micro, Qilin affiliates have been seen using WinSCP to transfer the Linux ELF encryptor to compromised devices, which is then launched through the Splashtop remote management software. This is accomplished by enabling or installing WSL on the host, allowing them to natively run Linux binaries on Windows without the need for a virtual machine.
🔥 Trending CVEs
Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage. This week’s list includes — CVE-2025-55315 (QNAP NetBak PC Agent), CVE-2025-10680 (OpenVPN), CVE-2025-55752, CVE-2025-55754 (Apache Tomcat), CVE-2025-52665 (Ubiquiti UniFi Access), CVE-2025-12044, CVE-2025-11621 (HashiCorp Vault), CVE-2025-43995 (Dell Storage Manager), CVE-2025-5842 (Veeder-Root TLS4B Automatic Tank Gauge System), CVE-2025-24893 (XWiki), CVE-2025-62725 (Docker Compose), CVE-2025-12080 (Google Messages for Wear OS), CVE-2025-12450 (LiteSpeed Cache plugin), CVE-2025-11705 (Anti-Malware Security and Brute-Force Firewall plugin), CVE-2025-55680 (Microsoft Cloud Files Minifilter driver), CVE-2025-6325, CVE-2025-6327 (King Addons for Elementor plugin), CVE-2025-49401 (Quiz and Survey Master plugin), CVE-2025-54603 (Claroty Secure Remote Access), and CVE-2025-10932 (Progress MOVEit Transfer).
📰 Around the Cyber World
Canada Warns of Hacktivist Attacks Targeting Critical Infra — The Canadian Centre for Cyber Security has issued an alert warning of attacks mounted by hacktivists targeting internet-exposed industrial control systems (ICS). “One incident affected a water facility, tampering with water pressure values and resulting in degraded service for its community,” the Cyber Centre said. “Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms.
A third one involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught on time.” Organizations are advised to ensure all services are properly inventoried, documented, and protected. Kinsing Exploits Apache ActiveMQ Flaw — The threat actor known as Kinsing is exploiting CVE-2023-46604, a known flaw in Apache ActiveMQ, to conduct cryptojacking attacks on both Linux and Windows systems. The latest set of attacks, observed by AhnLab, is notable for the deployment of a .NET backdoor called Sharpire, along with XMRig and Stager. “Sharpire is a .NET backdoor that supports PowerShell Empire,” the South Korean cybersecurity company said.
“During the process of taking control of the infected system, the threat actor uses CobaltStrike, Meterpreter, and PowerShell Empire together.” It’s worth noting that Kinsing was spotted exploiting the same flaw following its public disclosure in 2023. 2 Flaws in 8 Confidential Computing Systems — Two security flaws (CVE-2025-59054 and CVE-2025-58356) have been disclosed in eight different confidential computing systems (Oasis Protocol, Phala Network, Flashbots TDX, Fortanix Salmiac, Edgeless Constellation, Edgeless Contrast, and Cosmian VM) that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. A partial mitigation has been introduced in cryptsetup version 2.8.1. “Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily,” Trail of Bits researcher Tjaden Hess said .
“The vulnerabilities are caused by malleable metadata headers that allow an attacker to trick a trusted execution environment guest into encrypting secret data with a null cipher.” That said, exploitation of this issue requires write access to encrypted disks. There is no evidence that the vulnerabilities were exploited in the wild. Hackers Abuse LinkedIn to Target Finance Executives — Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations with an aim to steal their Microsoft credentials. The messages contain a malicious URL, clicking which triggers a redirect chain that leads victims to a fake landing page instructing them to sign in with their Microsoft account credentials to view a document.
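Returning to the LUKS2 item above, a header sanity check in Python, added here as an example rather than taken from the Trail of Bits disclosure or from cryptsetup. It parses the text that `cryptsetup luksDump` prints for a LUKS2 device and reports any data segment or keyslot whose cipher is not the one the guest expects, which is the outcome the malleable-header attack drives toward. The dump samples are constructed; the expected cipher, the minimum key size, and the accepted digest hashes are assumptions a deployment would pin to its own build.

```python
"""Sanity-check a LUKS2 header as printed by `cryptsetup luksDump`.
Added example, not from the Trail of Bits disclosure; the dumps are constructed."""
import re

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")          # "Keyslots:"
ENTRY_RE = re.compile(r"^\s{2}(\d+):\s+(\S+)\s*$")               # "  0: crypt"
ATTR_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")    # "\tcipher: aes-xts-plain64"
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(\S.*?)\s*$")  # "Version:   2"


def parse_luks_dump(text: str):
    """Return (header_fields, {section_name: [entry_dict, ...]})."""
    header, sections = {}, {}
    section = entry = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # column-0 line: section or header field
            m = SECTION_RE.match(line)
            if m:
                section, entry = m.group(1), None
                sections[section] = []
                continue
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1).lower()] = m.group(2)
            continue
        m = ENTRY_RE.match(line)                    # "  N: type" opens an entry
        if m and section is not None:
            entry = {"index": int(m.group(1)), "type": m.group(2)}
            sections[section].append(entry)
            continue
        m = ATTR_RE.match(line)                     # indented "key: value" belongs to it
        if m and entry is not None:
            entry[m.group(1).lower()] = m.group(2)
    return header, sections


def check_luks_dump(text: str, expected_cipher: str = "aes-xts-plain64",
                    min_key_bits: int = 256) -> list:
    """Findings that should stop an automated unlock (empty list = header as expected)."""
    header, sections = parse_luks_dump(text)
    findings = []
    if header.get("version") != "2":
        findings.append(f"unexpected LUKS version {header.get('version')!r}")
    segments = sections.get("Data segments", [])
    if len(segments) != 1:
        findings.append(f"expected exactly one data segment, found {len(segments)}")
    for seg in segments:
        cipher = seg.get("cipher", "")
        if seg["type"] != "crypt" or cipher != expected_cipher:
            findings.append(f"segment {seg['index']}: type={seg['type']} cipher={cipher!r}")
    for slot in sections.get("Keyslots", []):
        bits = int(slot.get("key", "0 bits").split()[0])
        if slot.get("cipher") != expected_cipher or bits < min_key_bits:
            findings.append(f"keyslot {slot['index']}: cipher={slot.get('cipher')!r} key={bits} bits")
    for digest in sections.get("Digests", []):
        if digest.get("hash") not in ("sha256", "sha512"):
            findings.append(f"digest {digest['index']}: hash={digest.get('hash')!r}")
    return findings


# Constructed dump in luksDump's layout (salts and checksums omitted for brevity).
GOOD_DUMP = """LUKS header information
Version:       \t2
Epoch:         \t3
Metadata area: \t16384 [bytes]
Keyslots area: \t16744448 [bytes]
UUID:          \t6f2b1c7e-0000-4000-8000-000000000001
Label:         \t(no label)
Subsystem:     \t(no subsystem)
Flags:       \t(no flags)

Data segments:
  0: crypt
\toffset: 16777216 [bytes]
\tlength: (whole device)
\tcipher: aes-xts-plain64
\tsector: 512 [bytes]

Keyslots:
  0: luks2
\tKey:        512 bits
\tPriority:   normal
\tCipher:     aes-xts-plain64
\tCipher key: 512 bits
\tPBKDF:      argon2id
\tTime cost:  4
\tMemory:     1048576
\tThreads:    4
\tAF stripes: 4000
\tAF hash:    sha256
\tDigest ID:  0
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
\tIterations: 100000
"""

# Same header after a null-cipher swap of the kind the disclosure describes.
TAMPERED_DUMP = GOOD_DUMP.replace("aes-xts-plain64", "cipher_null-ecb")

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("tampered", TAMPERED_DUMP)):
        print(name, check_luks_dump(dump) or "ok")
```

A text-level check is a stopgap, not a replacement for the cryptsetup fix: the metadata an attacker can rewrite includes more than the cipher name, so a guest that must trust its disk should also bind the header to a measured value (a hash of the header region recorded at provisioning) and refuse to unlock on mismatch.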
The phishing page also implements bot protection like Cloudflare Turnstile to block automated scanners. “Sending phishing lures via social media apps like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization,” Push Security said . “By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception.” WhatsApp Adds Support for Passkey-Encrypted Backups — WhatsApp has announced a new way to access encrypted backups with passkey support. “Passkeys will allow you to use your fingerprint, face, or screen lock code to encrypt your chat backups instead of having to memorize a password or a cumbersome 64-digit encryption key,” WhatsApp said .
“Now, with just a tap or a glance, the same security that protects your personal chats and calls on WhatsApp is applied to your chat backups so they are always safe, accessible, and private.” The change is expected to be rolled out gradually over the coming weeks and months. Passkeys are a passwordless authentication method based on the FIDO industry standard. They are designed to replace passwords with cryptographic keys stored on the user’s device and secured by biometric or device-lock methods. WhatsApp launched support for passkeys on Android in October 2023 and for iOS in April 2024.
12 Malicious VS Code Extensions Flagged — Cybersecurity researchers have flagged a set of 12 malicious components in the Visual Studio Code (VS Code) extension marketplace that come with capabilities to steal sensitive information or plant a backdoor that establishes a persistent connection with an attacker-controlled server address and executes arbitrary code on the user’s host. “Malware in IDE plugins is a supply chain attack channel that enterprise security teams need to take seriously,” HelixGuard said . The development comes as Aikido reported that the threat actors behind the GlassWorm campaign targeting the VS Code extension marketplace and Open VSX have moved to GitHub, employing the same Unicode steganography trick to hide their malicious payloads within JavaScript projects. The supply chain security company said the use of hidden malicious code injected with invisible Unicode Private Use Area (PUA) characters was first observed in a set of malicious npm packages back in March 2025.
“These incidents highlight the need for better awareness around Unicode misuse, especially the dangers of invisible Private Use Area characters,” security researcher Ilyas Makari said . “Developers can only defend against what they can see, and right now, most tools are not showing them enough. Neither GitHub’s web interface nor VS Code displayed any sign that something was wrong.” Proton Releases Data Breach Observatory — Swiss privacy-focused company Proton has released Data Breach Observatory as a way to scan the dark web for leaks of sensitive data from enterprises. It said over 306.1 million records have been leaked from 794 breaches, with retail, technology, and media emerging as the most targeted sectors.
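A scanner for the invisible and private-use code points the GlassWorm item above describes, as an added Python example (not Aikido’s or HelixGuard’s tooling). It uses the Unicode general category so that Private Use (Co), format controls such as zero-width and bidi characters (Cf), and unassigned code points (Cn) are all reported, and it collapses consecutive hidden characters into runs, since a smuggled payload shows up as one long run rather than a stray character. The JavaScript snippet is constructed, and the byte-to-PUA mapping used to build it is illustrative, not the campaign’s encoding.

```python
"""Find invisible and private-use code points in source text, reporting them as
runs. Added example, not the researchers' tooling; the JavaScript is constructed."""
import sys
import unicodedata

# Unicode general categories that render as nothing in an editor or diff view.
HIDDEN_CATEGORIES = {
    "Co": "private-use",     # U+E000..F8FF and the two supplementary PUA planes
    "Cf": "format-control",  # zero-width chars, bidi controls, BOM, tag characters
    "Cn": "unassigned",
}


def classify(ch: str):
    """Hidden-character kind for `ch`, or None for anything that renders."""
    return HIDDEN_CATEGORIES.get(unicodedata.category(ch))


def find_hidden_runs(text: str) -> list:
    """Return one record per maximal run of same-kind hidden characters."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        current = None
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind is None:
                current = None            # a visible character ends any run
                continue
            if current is not None and current["kind"] == kind:
                current["length"] += 1    # extend the open run
                continue
            current = {"line": lineno, "col": col, "length": 1, "kind": kind,
                       "first": f"U+{ord(ch):04X}"}
            runs.append(current)
    return runs


def _encode_as_pua(payload: bytes) -> str:
    """Illustrative byte-to-PUA mapping used only to build the sample
    (assumption, not the campaign's scheme)."""
    return "".join(chr(0xE000 + b) for b in payload)


SAMPLE_JS = (
    "const api = require('./api');\n"
    "const cfg = { retries: 3 };\u200b\n"                 # one zero-width space
    "// " + _encode_as_pua(b"hidden") + "\n"               # six private-use chars
    "module.exports = cfg;\n"
)


def report(text: str) -> str:
    """Human-readable summary, one line per run."""
    return "\n".join(
        f"line {r['line']} col {r['col']}: {r['length']} x {r['kind']} (starts {r['first']})"
        for r in find_hidden_runs(text)
    )


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JS
    print(report(source) or "no hidden code points")
```

Run it over a checkout with `python scanner.py path/to/file.js` (the file name is whatever the block was saved as); wiring the same function into a pre-commit hook or a CI step on `.js`, `.ts` and `package.json` files catches the injection before it reaches the registry. Legitimate code does contain the occasional format control (a BOM at offset zero, a soft hyphen in a string), so the run length and the category are what separate noise from a payload.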
“Small- and medium-sized businesses (companies with 1–249 employees) accounted for 70.5% of the breaches reported,” the company said. “Larger companies (250–999 employees) accounted for 13.5% of data breaches, and enterprise organizations of more than 1,000+ employees accounted for the remaining 15.9%. SMBs are perfect targets for hackers, because while they might offer a smaller payday than an enterprise organization, they’re much easier to breach because they have fewer security protections in place.”

Russia Arrests 3 in Connection with Meduza Infostealer — Russian authorities arrested three individuals who are believed to have created and sold the Meduza infostealer. The suspects were arrested last week in the Moscow metropolitan area, according to Russia’s Interior Ministry. Authorities said they seized computer equipment, phones, and bank cards during raids on the suspects’ homes. The Ministry’s spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region. In a report published last September, Russian security firm BI.ZONE said Meduza was used in multiple attacks targeting Russian organizations last year. “The arrests of three alleged developers behind Meduza Stealer underscore a growing trend we flagged in Dark Covenant 3.0 – namely, the shift from tolerated cyber-malign behavior toward selective enforcement by Russian authorities,” Alexander Leslie, senior advisor for government affairs at Recorded Future, told The Hacker News. “While the takedown is noteworthy, Dark Covenant 3.0 cautions that this does not signal a full-scale disruption of the underground marketplace – many stealer services continue to proliferate and will likely adapt quickly. In short, while the arrests may temporarily disrupt this particular actor’s operations, the broader infostealer ecosystem remains resilient and warrants continued vigilance.”

Ukrainian National Extradited to U.S. for Conti Attacks — A Ukrainian national believed to be a member of the Conti ransomware operation has been extradited to the U.S. “From in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data,” the U.S. Justice Department said. “Lytvynenko controlled data stolen from numerous Conti victims and was involved in the ransom notes deployed on the victims’ systems.” Lytvynenko was arrested by Irish authorities in July 2023. He is charged with computer fraud conspiracy and wire fraud conspiracy. If convicted, he faces a maximum penalty of 5 years in prison for the computer fraud conspiracy and 20 years in prison for the wire fraud conspiracy.
According to estimates, Conti was used to attack more than 1,000 victims worldwide, resulting in at least $150 million in ransom payments as of January 2022. While the group shut down the “Conti” brand in 2022, its members have split into smaller crews and moved to other ransomware or extortion operations. Four of Lytvynenko’s alleged co-conspirators, Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov, were indicted in 2023.

FCC to Eliminate Cybersecurity Requirements for U.S. Telcos — The U.S. Federal Communications Commission (FCC) said it will vote next month to eliminate new cybersecurity requirements for telecommunication providers. “Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses,” Brendan Carr, chairman of the FCC, said.

Denmark Backs Off from E.U. Chat Control — The Danish government has formally withdrawn its Chat Control legislation after the controversial proposal failed to garner majority support among E.U. bloc members. The German government, on October 8, announced it would not support the plan. While Chat Control was presented as a way to combat the threat arising from Child Sexual Abuse Material (CSAM), critics of the proposal said it would mandate scanning of all private digital communications, including encrypted messages and photos, threatening privacy and security for all citizens in the region.
Poland Arrests 11 for Running Investment Scam — Polish authorities have arrested 11 suspects who ran an investment scam scheme that relied on call centers located overseas to trick Polish citizens into investing their money in bogus investment websites. The gang allegedly made more than $20 million from at least 1,500 victims.

4 New RATs Use Discord for C2 — Cybersecurity researchers have shed light on four new remote access trojans (RATs) that utilize the Discord platform for command-and-control (C2). These include UwUdisRAT, STD RAT, Minecraft RAT, and Propionanilide RAT.
“Minecraft RAT […] is operated by a threat actor group who call themselves ‘STD Group,’” ReversingLabs said. “They also operate a series of very closely related RATs that use Discord as their C2 mechanism. The RATs are so closely related that they may be the same code base, just rebranded.” Propionanilide RAT, on the other hand, features a packer called Proplock or STD Crypter to decrypt and launch the Discord RAT functionality.

Security Weaknesses in Tata Motors Sites — A number of security issues have been uncovered in Tata Motors’ sites like E-Dukaan, FleetEdge, and cvtestdrive.tatamotors[.]com, including exposed Azuga API keys, two AWS keys, and an embedded “backdoor” account that could have been abused to gain unauthorized access to over 70 TB of sensitive information and infrastructure across hundreds of buckets, compromise its test drive fleet management system, and gain admin access to a Tableau account managed by the conglomerate. Following responsible disclosure by security researcher Eaton Zveare in August 2023 in coordination with India’s Computer Emergency Response Team (CERT-In), the issues were eventually addressed by early January 2024. In recent months, Zveare has also demonstrated methods to break into Intel’s internal websites and identified flaws in an unnamed automaker’s centralized dealer platform that could have been abused to gain complete control over the systems of more than 1,000 car dealerships in the U.S. by creating a national admin account. The researcher also identified an API-level security defect in an unspecified platform that granted the ability to access commands to start and stop power generators. While the problem was rectified in October 2023, the platform is no longer active.

Tangerine Turkey Uses Batch and Visual Basic Scripts to Drop Crypto Miners — A cryptocurrency mining campaign dubbed Tangerine Turkey has been found leveraging batch files and Visual Basic Scripts to gain persistence, evade defenses, and deploy XMRig miners across victim environments. Since its emergence in late 2024, the campaign is assessed to have expanded in scope, targeting organizations indiscriminately across multiple industries and geographies. “Initial access in the Tangerine Turkey malware campaign is achieved through an infected USB device,” Cybereason said.
“The attack begins when the wscript.exe executes a malicious VB Script located on the removable drive. By leveraging living-off-the-land binaries such as wscript.exe and printui.exe, as well as registry modifications and decoy directories, the malware is able to evade traditional defenses and maintain persistence.”

Hezi Rash Targets Global Sites in Hacktivist Campaign — A new ideologically-motivated threat actor known as Hezi Rash (meaning Black Force) has been linked to approximately 350 distributed denial-of-service (DDoS) attacks targeting countries perceived as hostile to Kurdish or Muslim communities between August and October 2025. Founded in 2023, the Kurdish nationalist hacktivist group has described itself as a digital collective defending Kurdish society against cyber threats, per Check Point, while pushing a mix of nationalism, religion, and activism in its messaging. It’s believed that the threat actor is using tools and services from more established threat actors such as EliteStress, a DDoS-as-a-service (DaaS) platform linked to Keymous+, KillNet, and Project DDoSia, and Abyssal DDoS v3. “While the technical impact of these attacks, such as temporary website outages, is evident, the broader business consequences remain unclear,” Check Point said. “The attacks appear to be of the ‘usual variety,’ focusing on disruption rather than sophisticated exploitation.” The disclosure follows a report from Radware, highlighting a surge in claimed DDoS activity between October 6 and October 8, 2025, by hacktivist groups targeting Israel. Some of the key participating groups include Sylhet Gang, Keymous+, Arabian Ghosts, and NoName057(16). “On October 7 alone, more than 50 cyberattack claims against Israeli targets were recorded,” Radware said. “The weekly average number of attacks claimed spiked to almost three times the average compared to the weeks preceding October 7. This sharp escalation underscores how hacktivist campaigns continue to use symbolic anniversaries to amplify their visibility and coordinate global action.”

Phishing Campaigns Distribute Lampion Stealer — A Brazilian threat group has been spotted employing bank transfer receipt lures containing ZIP files to drop the Lampion stealer by means of ClickFix-style lures embedded in HTML pages included in the archive. The banking trojan has been active since at least 2019. “The first change was around mid September 2024, where the TAs started using ZIP attachments instead of links to a ZIP; the second change was around mid December 2024 with the introduction of ClickFix lures as a new social engineering technique; the last change was at the end of June 2025, where persistence capabilities were added to the first stage,” Bitsight said.
The command executed following ClickFix paves the way for three different VB Scripts that ultimately deploy the DLL stealer component of the malware.

MITRE Releases ATT&CK v18 — The MITRE Corporation has released an updated version of the ATT&CK (v18) framework, which updates detections with two new objects: Detection Strategies for detecting specific attacker techniques and Analytics that provide platform-specific threat detection logic. “On the Mobile front, there’s coverage of state-sponsored abuse of Signal/WhatsApp-linked devices and enhanced account collection techniques,” MITRE said. “And in ICS, new and updated Asset objects expand the range of industrial equipment and attack scenarios ATT&CK can represent, including improved connections across sector-specific terminology through Related Assets.”

🎥 Cybersecurity Webinars

Stop Drowning in Vulnerability Lists: Discover Dynamic Attack Surface Reduction — Tired of too many security problems and not enough time to fix them? Join The Hacker News and Bitdefender to learn about Dynamic Attack Surface Reduction (DASR)—a new way to quickly close security gaps using smart tools and automation. See how Bitdefender PHASR helps teams stay safe, reduce risk, and block threats before they cause harm.

Securing Cloud Infrastructure: Strategies to Balance Agility, Compliance, and Security — As more companies move to the cloud, keeping data and access safe becomes harder. In this webinar, experts will share easy-to-follow tips to protect cloud systems, manage user access, and stay on top of global rules—all without slowing down your business. You’ll learn real steps you can take right away to keep your cloud secure and your team moving fast.

🔧 Cybersecurity Tools

runZeroHound — A new handy open-source toolkit from runZero that turns your asset data into visual “attack graphs” so you can see exactly how threats could move through your network. With this in hand, you’ll spot dangerous paths, close the gaps faster, and stay ahead of what attackers might try next.

DroidRun — A security testing tool that helps researchers and analysts safely run and monitor Android malware in a sandboxed environment. It’s designed to make it easier to observe how malicious apps behave without risking your system. Perfect for dynamic analysis, it supports automation and gives detailed insights into malware activity.

Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly.
Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Why Attack Surface Reduction Matters More Than Ever — What if your biggest risk isn’t a new zero-day—but something already sitting quietly inside your system? This week, the spotlight turns to Attack Surface Reduction (ASR)—a strategy that’s fast becoming a must-have, not a nice-to-have. As companies spin up more cloud apps, APIs, and accounts, hackers are finding easy ways in through what’s already exposed. Think forgotten subdomains, unused ports, old user accounts. The more you have, the more they have to work with.

The good news? Open-source tools are stepping up. EasyEASM helps map what’s live on the web. Microsoft’s Attack Surface Analyzer shows what changes after updates or installs. ASRGEN lets you test smart rules in Windows Defender to shut down risky behaviors before they’re exploited.

Here’s the truth: you don’t have to stop building fast—you just have to build smart. Shrinking your attack surface doesn’t slow innovation. It protects it. Don’t wait for an alert. Take control before attackers do. Map it. Cut it. Lock it down.

Conclusion

The big lesson this week?
Cyber threats don’t always look like threats. They can hide in normal apps, trusted websites, or even job offers. It’s no longer just about stopping viruses—it’s about spotting tricks, acting fast, and thinking ahead. Every click, update, and login matters. Cybersecurity isn’t a one-time fix. It’s an everyday habit.