The Hacker News | #1 Trusted Source for Cybersecurity News

The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files. "When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of a specified path," WinRAR said in an advisory. Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET have been credited for discovering and reporting the security defect, which has been addressed in WinRAR version 7.13 released on July 31, 2025. It's currently not known how the vulnerability is being weaponized in real-world attacks, and by whom. In 2023, another vulnerability affect...

A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world to create a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks. The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today. "As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it," Yair and Morag said in a report shared with The Hacker News. "As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint." In transfor...

Cybersecurity researchers have presented new findings related to a now-patched security issue in Microsoft's Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server. The vulnerability, tracked as CVE-2025-49760 (CVSS score: 3.5), has been described by the tech giant as a Windows Storage spoofing bug. It was fixed in July 2025 as part of its monthly Patch Tuesday update. Details of the security defect were shared by SafeBreach researcher Ron Ben Yizhak at the DEF CON 33 security conference this week. "External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network," the company said in an advisory released last month. The Windows RPC protocol utilizes universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to enable the use of dynamic endpoints in client-server communications, and connect an RPC clien...

Cybersecurity researchers have disclosed vulnerabilities in select model webcams from Lenovo that could turn them into BadUSB attack devices. "This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system," Eclypsium researchers Paul Asadoorian, Mickey Shkatov, and Jesse Michael said in a report shared with The Hacker News. The vulnerabilities have been codenamed BadCam by the firmware security company. The findings were presented at the DEF CON 33 security conference today. The development likely marks the first time it has been demonstrated that threat actors who gain control of a Linux-based USB peripheral that's already attached to a computer can weaponize it for malicious intent. In a hypothetical attack scenario, an adversary can take advantage of the vulnerability to send a victim a backdoored webcam, or attach it to a computer if they are able to secure physical access, and remotely issue commands to ...

Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. The vulnerabilities have been codenamed ReVault by Cisco Talos. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the vulnerabilities have been exploited in the wild. Industries that require heightened security when logging in, via smart card readers or near-field communication (NFC) readers, are likely to use ControlVault devices in their settings. ControlVault is a hardware-based security solution that offers a secure way to store passwords, biometric templates, and security codes within the firmware. Attackers can chain the vulnerabilities, which were pres...

Cybersecurity researchers have uncovered a jailbreak technique to bypass ethical guardrails erected by OpenAI in its latest large language model (LLM) GPT-5 and produce illicit instructions. Generative artificial intelligence (AI) security platform NeuralTrust said it combined a known technique called Echo Chamber with narrative-driven steering to trick the model into producing undesirable responses. "We use Echo Chamber to seed and reinforce a subtly poisonous conversational context, then guide the model with low-salience storytelling that avoids explicit intent signaling," security researcher Martí Jordà said . "This combination nudges the model toward the objective while minimizing triggerable refusal cues." Echo Chamber is a jailbreak approach that was detailed by the company back in June 2025 as a way to deceive an LLM into generating responses to prohibited topics using indirect references, semantic steering, and multi-step inference. In recent weeks, the...

Cybersecurity researchers have discovered over a dozen vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp that, if successfully exploited, can allow remote attackers to crack open corporate identity systems and extract enterprise secrets and tokens from them.  The 14 vulnerabilities, collectively named Vault Fault , affect CyberArk Secrets Manager, Self-Hosted, and Conjur Open Source and HashiCorp Vault, according to a report from an identity security firm Cyata. Following responsible disclosure in May 2025, the flaws have been addressed in the following versions - CyberArk Secrets Manager and Self-Hosted 13.5.1 and 13.6.1 CyberArk Conjur Open Source 1.22.1 HashiCorp Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24 These include authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft. The most severe of the issues allows for remote code execution, allowing a...

Cybersecurity researchers are drawing attention to a new campaign that's using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign. The activity involves the creation of lookalike sites imitating Brazil's State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country's PIX payment system, Zscaler ThreatLabz said. These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack. "Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and...

When an organization's credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password. According to Verizon's 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That's nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door. This quiet and persistent threat has been growing. New data compiled by Cyberint—an external risk management and threat intelligence company recently acquired by Check Point—shows a 160% increase in leaked credentials in 2025 compared to the previous year. The report, titled The Rise of Leaked Credentials , provides a look into not just the volume of these leaks, but how they are exploi...

A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users and likely resell them on dark web forums like Russian Market. The activity is assessed to be active since at least March 2023, according to the software supply chain security company Socket. Cumulatively, the gems have been downloaded more than 275,000 times. That said, it bears noting that the figure may not accurately represent the actual number of compromised systems, as not every download results in execution, and it's possible several of these gems have been downloaded to a single machine. "Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver," security researche...

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said. What makes the activity notable is the threat actor's use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It's worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week. "Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody's watching," Admoni said in a report published Thursday. To achieve this, the attackers first create ...

The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. "The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations," Silent Push said in an analysis. SocGholish, also called FakeUpdates, is a JavaScript loader malware that's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. It's attributed to a threat actor called TA569, which is also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543. Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele, includ...