Tag: malicious
-
UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit
A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP.The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a group it tracks as…
-
Salt Typhoon hacked the US National Guard for 9 months, and accessed networks in every state
Tags: access, attack, best-practice, breach, credentials, cve, cyber, cybersecurity, data, defense, exploit, government, group, hacking, infrastructure, Internet, malicious, military, network, service, theft, threat, vulnerabilitySensitive military data stolen: The attackers gained access to highly sensitive military and infrastructure information during the nine-month intrusion. The memo stated that “in 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII…
-
Dark Partners Hacker Group Drains Crypto Wallets Using Fake AI Tools and VPN Services
The financially driven organization known as Dark Partners has been planning massive cryptocurrency theft since at least May 2025, using a complex network of more than 250 malicious domains that pose as AI tools, VPN services, cryptocurrency wallets, and well-known software brands. This is part of a rapidly developing cybercrime operation. These fake websites, distributed…
-
Konfety Android Malware Exploits ZIP Tricks to Masquerade as Legit Apps on Google Play
Security researchers from zLabs have discovered a more advanced version of the Konfety Android malware, which uses complex ZIP-level changes to avoid detection and mimic genuine apps on the Google Play Store, marking a dramatic increase in mobile dangers. This malware employs an >>evil-twin
-
Email Filters Defeated by Polyglot File Trick Used in Malware Campaigns
Attackers are increasingly using advanced disguising techniques, such polyglot files, to get around email filters and successfully send phishing payloads in the constantly changing world of cyber threats. These polyglot files, which can be interpreted as multiple file formats simultaneously, allow malicious content to evade detection by appearing benign to security scanners. This shift marks…
-
Fake Telegram Apps Spread via 607 Domains in New Android Malware Attack
Fake Telegram apps are being spread through 607 malicious domains to deliver Android malware, using blog-style pages and phishing tactics to trick users. First seen on hackread.com Jump to article: hackread.com/fake-telegram-apps-domains-android-malware-attack/
-
Attackers Hide JavaScript in SVG Images to Lure Users to Malicious Sites
Beware! SVG images are now being used with obfuscated JavaScript for stealthy redirect attacks via spoofed emails. Get insights from Ontinue’s latest research on detection and defence. First seen on hackread.com Jump to article: hackread.com/attackers-hide-javascript-svg-images-malicious-sites/
-
North Korean XORIndex malware hidden in 67 malicious npm packages
North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/north-korean-xorindex-malware-hidden-in-67-malicious-npm-packages/
-
Attackers Abuse AWS Cloud to Target Southeast Asian Governments
The intelligence-gathering cyber campaign introduces the novel HazyBeacon backdoor and uses legitimate cloud communication channels for command-and-control (C2) and exfiltration to hide its malicious activities. First seen on darkreading.com Jump to article: www.darkreading.com/cloud-security/attackers-abuse-aws-southeast-asian-governments-novel-rat
-
North Korean Hackers Exploit 67 Malicious npm Packages to Spread XORIndex Malware
Tags: attack, cyber, exploit, hacker, malicious, malware, north-korea, software, supply-chain, threatThe Socket Threat Research Team has discovered a new software supply chain attack that uses a malware loader called XORIndex that had not been previously reported, marking a major uptick in North Korean cyber operations. This activity builds on the Contagious Interview campaign previously detailed in June 2025, which involved the HexEval Loader. The adversaries,…
-
North Korean Actors Expand Contagious Interview Campaign with New Malware Loader
Socket has identified a new malware loader called XORIndex incorporated into malicious packages published to the npm registry, with over 9000 downloads so far First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/north-korean-contagious-interview/
-
North Korea-linked actors spread XORIndex malware via 67 malicious npm packages
North Korea-linked hackers uploaded 67 malicious npm packages with XORIndex malware, hitting 17K+ downloads in ongoing supply chain attacks. North Korea-linked threat actors behind the Contagious Interview campaign have uploaded 67 malicious npm packages with XORIndex malware loader, hitting over 17,000 downloads in ongoing supply chain attacks. XORIndex was built to evade detection and deploy…
-
Apache Tomcat Coyote Flaw Allows Attackers to Launch DoS Attacks
The Apache Software Foundation has revealed a vulnerability in the Tomcat Coyote module, specifically within the Maven artifact org.apache.tomcat:tomcat-coyote, that could enable malicious actors to orchestrate denial-of-service (DoS) attacks. This flaw stems from an uncontrolled resource consumption issue tied to HTTP/2 protocol handling, potentially allowing attackers to overwhelm server resources by manipulating stream concurrency limits.…
-
North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a…
-
ImageMagick Vulnerability Enables RCE via Malicious File Name Patterns
A critical vulnerability in ImageMagick’s image processing library has been disclosed, enabling remote code execution through carefully crafted filename templates. Tracked as CVE-2025-53101, the flaw stems from a stack buffer underwrite in the MagickCore/image.c module. By specifying multiple consecutive format specifiers in a filename pattern for the magick mogrify command, an attacker can force internal…
-
Google Gemini AI Bug Allows Invisible, Malicious Prompts
A prompt-injection vulnerability in the AI assistant allows attackers to create messages that appear to be legitimate Google Security alerts but instead can be used to target users across various Google products with vishing and phishing. First seen on darkreading.com Jump to article: www.darkreading.com/remote-workforce/google-gemini-ai-bug-invisible-malicious-prompts
-
Malicious VSCode extension in Cursor IDE led to $500K crypto theft
A fake extension for the Cursor AI IDE code editor infected devices with remote access tools and infostealers, which, in one case, led to the theft of $500,000 in cryptocurrency from a Russian crypto developer. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/malicious-vscode-extension-in-cursor-ide-led-to-500k-crypto-theft/
-
Summarizing Emails With Gemini? Beware Prompt Injection Risk
Attackers Can Trick Gemini Into Displaying Deceptive Messages, Researchers Warn. Attackers can hide malicious instructions inside emails to trick Google’s Gemini into delivering falsified summaries with deceptive messages to end users, researchers warn. Google said it’s continuing to put multiple defenses in place to combat these types of prompt injection attacks. First seen on govinfosecurity.com…
-
New Grok-4 AI breached within 48 hours using ‘whispered’ jailbreaks
Safety systems cheated by contextual tricks: The attack exploits Grok 4’s contextual memory, echoing its own earlier statements back to it, and gradually guides it toward a goal without raising alarms. Combining Crescendo with Echo Chamber, the jailbreak technique that achieved over 90% success in hate speech and violence tests across top LLMs, strengthens the…
-
Hackers Weaponize Compiled HTML Help to Deliver Malicious Payload
Threat actors have exploited Microsoft Compiled HTML Help (CHM) files to distribute malware, with a notable sample named deklaracja.chm uploaded to VirusTotal from Poland. This CHM file, a binary container for compressed HTML and associated objects, serves as a delivery vehicle for a multi-stage infection chain. Upon execution via the default hh.exe handler, the file…
-
8 tough trade-offs every CISO must navigate
Tags: access, ai, attack, business, ciso, cloud, compliance, computer, cyber, cybersecurity, ddos, defense, detection, framework, group, healthcare, incident response, jobs, malicious, mfa, regulation, resilience, risk, service, technology, threat, tool, vulnerability2. Weighing security investments when the budget forces choices: Closely related to the trade-off around risk is what CISOs must navigate when it comes to security investments.”For most CISOs, when they have to make tough choices, 99% of the time it’s due to budget constraints that force them to weight risks versus rewards,” says John…
-
RenderShock 0-Click Exploit Executes Payloads Silently via Background Process
A new class of cyberattack called RenderShock has been identified that can compromise enterprise systems without requiring any user interaction, exploiting the very productivity features designed to help workers preview and process files automatically. Unlike traditional malware that requires users to click on malicious attachments or links, RenderShock leverages passive execution surfaces that operate silently…
-
eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks
Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.The issues impact the Kigen eUICC card. According to the Irish company’s website, more than two billion SIMs in IoT devices have been enabled as of December 2020.The findings come from Security…
-
Google Gemini flaw hijacks email summaries for phishing
Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-email-summaries-for-phishing/
-
Researchers Bypass Meta’s Llama Firewall Using Prompt Injection Vulnerabilities
Researchers at Trendyol, a leading e-commerce platform, have uncovered multiple vulnerabilities in Meta’s Llama Firewall, a suite of tools designed to safeguard large language models (LLMs) against malicious inputs. Llama Firewall incorporates components like PROMPT_GUARD for mitigating prompt injection attacks and CODE_SHIELD for detecting insecure code generation. However, Trendyol’s Application Security team, motivated by internal…
-
Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection
Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain. The breach was first reported on July 11, 2025, when security researchers noticed suspicious HTTP requests to the domain gravityapi.org, which was registered just days earlier on July 8, 2025. This domain, now suspended by…
-
SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
Security researchers have uncovered a sophisticated evolution in the SLOW#TEMPEST malware campaign, where threat actors are deploying innovative obfuscation methods to evade detection and complicate analysis. This variant, distributed via an ISO file containing a mix of benign and malicious components, leverages DLL sideloading through a legitimate signed binary, DingTalk.exe, to load a malicious DLL…
-
Rubio Impersonation Incident is Latest High-Profile Deepfake Scam
The State Department sent an alert to embassies and consulates warning of AI-generated impersonations of high-ranking federal officials after someone posing at Secretary of State Marco Rubio tried to contact foreign ministers and U.S. Congress members. It’s the latest incident in what the FBI calls an “ongoing malicious campaign.” First seen on securityboulevard.com Jump to…
-
Crypto Roundup: Malicious Firefox Extensions
Also: Winkle Abduction Sentencing and Crypto Theft Rising. This week, uncovering 40 malicious crypto Firefox extensions, three sentenced in a Belgium court for crypto kidnapping, the rise of crypto theft. The U.S. Secret Service is a huge crypto custodian, and prosecutors claw back funds pilfered by a fake presidential inaugural committee. First seen on govinfosecurity.com…