Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote . These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast. Subsequent analysis by mobile security firm Zimperium h...

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78," Wordfence's István Márton said . "This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key." Successful exploitation of the vulnerabilit...

Explore how relying on CSRF tokens as a security measure against CSRF attacks is a recommended best practice, but in some cases, they are simply not enough. Introduction As per the Open Web Application Security Project (OWASP), CSRF vulnerabilities are recognized as a significant threat and are historically part of their top risks. The implications of CSRF attacks are far-reaching and could lead to critical security implications, such as: Unauthorized actions : Attackers can trick users into executing unwanted actions on websites where they're authenticated. For example, changing account settings, making purchases, or transferring funds. Identity exploitation : The attack works by exploiting the victim's authenticated session, making the application unable to distinguish between legitimate user requests and forged ones. Silent execution : CSRF attacks often happen without the victim's knowledge as they can be hidden in seemingly innocent links, images, or embedded c...

Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office , masquerades as a utility for converting PDF files to Microsoft Word documents. But, in reality, it harbors features to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus. "Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The npm package in question was first published on March 24, 2025, and has received three updates since then but not before the previous versions were likely removed by the a...

Overview of the PlayPraetor Masquerading Party Variants CTM360 has now identified a much larger extent of the ongoing Play Praetor campaign. What started with 6000+ URLs of a very specific banking attack has now grown to 16,000+ with multiple variants. This research is ongoing, and much more is expected to be discovered in the coming days.  As before, all the newly discovered play impersonations are mimicking legitimate app listings, deceiving users into installing malicious Android applications or exposing sensitive personal information. While these incidents initially appeared to be isolated, further investigation has revealed a globally coordinated campaign that poses a significant threat to the integrity of the Play Store ecosystem. Evolution of the Threat This report expands on the earlier research into PlayPraetor, highlighting the discovery of five newly identified variants. These variants reveal the campaign's increasing sophistication in terms of attack techniques, ...

The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on February 26, 2025. "The initial infection vector used by the attackers appears to have been an infected removable drive," the Broadcom-owned threat intelligence division said in a report shared with The Hacker News. The attack started with the creation of a Windows Registry value under the UserAssist key, followed by launching "mshta.exe" using "explorer.exe" to initiate a multi-stage infection chain and launch two files. The first file, named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communications with a command-and...

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals. "In a coordinated series of actions , customers of the Smokeloader pay-per-install botnet, operated by the actor known as 'Superstar,' faced consequences such as arrests, house searches, arrest warrants or 'knock and talks,'" Europol said in a statement. Superstar is alleged to have run a pay-per-install service that enabled its customers to gain unauthorized access to victim machines, using the loader as a conduit to deploy next-stage payloads of their choice. According to the European law enforcement agency, the access afforded by the botnet was used for various purposes such as keylogging, webcam access, ransomware deployment, and cryptocurrency mining. The latest action, part of an ongoing coordinated exercise called Operation Endgame , which led to the dismantling of online infrastructure associated with...

Lovable , a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. "As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly with every scammer's wishlist," Guardio Labs' Nati Tal said in a report shared with The Hacker News. "From pixel-perfect scam pages to live hosting, evasion techniques, and even admin dashboards to track stolen data – Lovable didn't just participate, it performed. No guardrails, no hesitation." The technique has been codenamed VibeScamming – a play on the term vibe coding, which refers to an AI-dependent programming technique to produce software by describing the problem statement in a few sentences as a prompt to a large language model (LLM) tuned for codin...

A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB . "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an analysis published this week. ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating all the way back to at least December 2020. Last year, the Russian cybersecurity vendor detailed the hacking group's use of various tools to maintain persistent access to compromised environments and harvest data on an "industrial scale" from organizations located in the Asia-Pacific region. Kaspersky said its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file ("version...

Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the tech giant said . The vulnerability in question is CVE-2025-29824, a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. It was fixed by Redmond as part of its Patch Tuesday update for April 2025. Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also leveraging a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known. However, the threa...

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge , a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project," Kaspersky said in a report published today. "The description and contents of officepackage provided below were also taken from GitHub." While every project created on sourceforge.net gets assigned a "<project>.sourceforge.io" domain name, the Russian cybersecurity company found that the domain for officepackage, "officepackage.sourceforge[.]io," displays a long list of Microsoft Office applications and corresponding links to download them in Russian. On top of that, hovering over the download button reveals a seemi...

Security Operations Centers (SOCs) today face unprecedented alert volumes and increasingly sophisticated threats. Triaging and investigating these alerts are costly, cumbersome, and increases analyst fatigue, burnout, and attrition. While artificial intelligence has emerged as a go-to solution, the term "AI" often blurs crucial distinctions. Not all AI is built equal, especially in the SOC. Many existing solutions are assistant-based, requiring constant human input, while a new wave of autonomous, Agentic AI has the potential to fundamentally transform security operations. This article examines Agentic AI (sometimes also known as Agentic Security ), contrasts it with traditional assistant-based AI (commonly known as Copilots), and explains its operational and economic impacts on modern SOCs. We'll also explore practical considerations for security leaders evaluating Agentic AI solutions. Agentic AI vs. Assistant AI (aka Copilots): Clarifying the Difference Agentic AI is defined by ...

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware. The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said. The attacks involve distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM), which, when opened, facilities the deployment of two pieces of malware, a PowerShell script taken from the PSSW100AVB ("Powershell Scripts With 100% AV Bypass") GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK. "File names and email subject lines reference relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property," CERT-UA said. "These spreadsheets contain malicious code which, ...

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities ( KEV ) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has been fixed in versions 10.8.4 and 11.3.1. "CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise," CISA said in an advisory. The shortcoming has been assigned the CVE identifier CVE-2025-31161 (CVSS score: 9.8). It bears noting that the same vulnerability was previously tracked as CVE-2025-2825 , which has now been marked Rejected in the CVE list. The development comes after th...