The Hacker News | #1 Trusted Source for Cybersecurity News

Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT . The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION . First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for "AcridRain") Stealer, which was available under the malware-as-a-service (MaaS) model until sales of the malware were suspended in mid-July 2024. Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year. "Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services," the Canadian cybersecurity vendor said. "Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Vi...

This week showed just how fast things can go wrong when no one's watching. Some attacks were silent and sneaky. Others used tools we trust every day — like AI, VPNs, or app stores — to cause damage without setting off alarms. It's not just about hacking anymore. Criminals are building systems to make money, spy, or spread malware like it's a business. And in some cases, they're using the same apps and services that businesses rely on — flipping the script without anyone noticing at first. The scary part? Some threats weren't even bugs — just clever use of features we all take for granted. And by the time people figured it out, the damage was done. Let's look at what really happened, why it matters, and what we should all be thinking about now. ⚡ Threat of the Week Silently Patched Fortinet Flaw Comes Under Attack — A vulnerability that was patched by Fortinet in FortiWeb Web Application Firewall (WAF) has been exploited in the wild since early October 2025 by threat actors to c...

Phishing attacks are no longer confined to the email inbox, with 1 in 3 phishing attacks now taking place over non-email channels like social media, search engines, and messaging apps. LinkedIn in particular has become a hotbed for phishing attacks, and for good reason. Attackers are running sophisticated spear-phishing attacks against company executives, with recent campaigns seen targeting enterprises in financial services and technology verticals.  But phishing outside of email remains severely underreported — not exactly surprising when we consider that most of the industry's phishing metrics come from email security tools. Your initial thought might be "why do I care about employees getting phished on LinkedIn?" Well, while LinkedIn is a personal app, it's routinely used for work purposes, accessed from corporate devices, and attackers are specifically targeting business accounts like Microsoft Entra and Google Workspace. So, LinkedIn phishing is a key threat that busi...

The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate like Google Chrome and Microsoft Teams, according to Elastic Security Labs. "The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market," security researchers Jia Yu Chan and Salim Bitam said . "These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse." Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 in connection with a campaign ...

Google has disclosed that the company's continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time. "We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android's C and C++ code. But the biggest surprise was Rust's impact on software delivery," Google's Jeff Vander Stoep said . "With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one." The development comes a little over a year after the tech giant disclosed that its transition to Rust led to a decline in memory safety vulnerabilities from 223 in 2019 to less than 50 in 2024. The company pointed out that Rust code requires fewer revisions, necessitating about 20% fewer revisions than their C++ counterparts, and has contributed to a d...

The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. It was patched by the maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. While there was evidence that the shortcoming had been exploited in the wild since at least March, it wasn't until late October, when VulnCheck disclosed it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain to deploy a cryptocurrency miner. Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to a...

The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions. The five individuals are listed below - Audricus Phagnasay, 24 Jason Salazar, 30 Alexander Paul Travis, 34 Oleksandr Didenko, 28, and Erick Ntekereze Prince, 30 Phagnasay, Salazar, and Travis pleaded guilty to one count of wire fraud conspiracy for knowingly allowing IT workers located outside of the U.S. to use their U.S. identities between about September 2019 and November 2022 and secure jobs at American firms. The three defendants also served as facilitators, hosting the company-issued laptops at their residences and installing remote desktop software on those machines without authorization so that the IT workers could connect to them and give the impression that they were working remotely within the U.S. Furthermo...

The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. "The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure," NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis said in a Thursday report. The campaign essentially involves approaching prospective targets on professional networking sites like LinkedIn, either under the pretext of conducting a job assessment or collaborating on a project, as part of which they are instructed to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket. In one such project spotted by NVISO, it has been found that a file named "server/config/.config.env" contains a Base64-encoded value that masquerades as an API key, but, in reality, is a URL ...

Cybersecurity researchers have uncovered critical remote code execution vulnerabilities impacting major artificial intelligence (AI) inference engines, including those from Meta, Nvidia, Microsoft, and open-source PyTorch projects such as vLLM and SGLang. "These vulnerabilities all traced back to the same root cause: the overlooked unsafe use of ZeroMQ (ZMQ) and Python's pickle deserialization," Oligo Security researcher Avi Lumelsky said in a report published Thursday. At its core, the issue stems from what has been described as a pattern called ShadowMQ , in which the insecure deserialization logic has propagated to several projects as a result of code reuse. The root cause is a vulnerability in Meta's Llama large language model (LLM) framework ( CVE-2024-50050 , CVSS score: 6.3/9.3) that was patched by the company last October. Specifically, it involved the use of ZeroMQ's recv_pyobj() method to deserialize incoming data using Python's pickle module. ...

The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign. The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed  SpearSpecter by the Israel National Digital Agency (INDA). "The campaign has systematically targeted high-value senior defense and government officials using personalized social engineering tactics," INDA researchers Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David, and Yaniv Goldman said. "These include inviting targets to prestigious conferences or arranging significant meetings." What's notable about the effort is that it also extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 was first publicly documented in late 2022 by Google Mandiant, detailing its...

Key Takeaways: 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date. 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure. 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns. LockBit's reappearance with version 5.0 signals potential re-centralization after months of fragmentation. In Q3 2025, Check Point Research recorded a record 85 active ransomware and extortion groups , the highest ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations. This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliat...

State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign" in mid-September 2025. "The attackers used AI's 'agentic' capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves," the AI upstart said . The activity is assessed to have manipulated Claude Code, Anthropic's AI coding tool, to attempt to break into about 30 global targets spanning large tech companies, financial institutions, chemical manufacturing companies, and government agencies. A subset of these intrusions succeeded. Anthropic has since banned the relevant accounts and enforced defensive mechanisms to flag such attacks. The campaign, GTG-1002, marks the first time a threat actor has leveraged AI to conduct a "large-scale cyber attack" without major human intervention an...