The Hacker News | #1 Trusted Source for Cybersecurity News

An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn. Swiss cybersecurity company PRODAFT is tracking the cluster under the name Subtle Snail . It's assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). The targeted 11 companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States. "The group operates by posing as HR representatives from legitimate entities to engage employees, then compromises them through deployment of a MINIBIKE backdoor variant that communicates with command-and-control (C2) infrastructure proxied through Azure cloud services to bypass detection," the company said in a report shared with The Hacker News. UNC1549 (aka TA455), believed to be active since at least June 2022, ...

A proxy network known as REM Proxy is powered by malware known as SystemBC , offering about 80% of the botnet to its users, according to new findings from the Black Lotus Labs team at Lumen Technologies. "REM Proxy is a sizeable network, which also markets a pool of 20,000 Mikrotik routers and a variety of open proxies it finds freely available online," the company said in a report shared with The Hacker News. "This service has been a favorite for several actors such as those behind TransferLoader , which has ties to the Morpheus ransomware group." SystemBC is a C-based malware that turns infected computers into SOCKS5 proxies, allowing infected hosts to communicate with a command-and-control (C2) server and download additional payloads. First documented by Proofpoint in 2019, it's capable of targeting both Windows and Linux systems . In a report earlier this January, ANY.RUN revealed that the Linux variant of SystemBC proxy implant is potentially desi...

Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035 , carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday. The company also noted that successful exploitation of the vulnerability is dependent on the system being publicly accessible over the internet. Users are advised to update to the patched release – version 7.8.4, or the Sustain Release 7.6.3 – to safeguard against potential threats. If immediate patching is not possible, it's advisable to ensure that access to the GoAnywhere Admin Console is not open to the public...

The phishing-as-a-service (PhaaS) offering known as Lighthouse and Lucid has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries. "Phishing-as-a-Service (PhaaS) deployments have risen significantly recently," Netcraft said in a new report. "The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases, hundreds of brands from countries around the world." Lucid was first documented by Swiss cybersecurity company PRODAFT earlier this April, detailing the phishing kit's ability to send smishing messages via Apple iMessage and Rich Communication Services (RCS) for Android. The service is assessed to be the work of a Chinese-speaking threat actor known as the XinXin group (changqixinyun), which has also leveraged other phishing kits like Lighthouse and Darcula in its operations. Darcula is developed by an actor named LARVA-246 (aka X667788X0 or xxhcvv), while Lighth...

Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform's Community Edition. The workflow we are highlighting streamlines security alert handling by automatically identifying and executing the appropriate Standard Operating Procedures (SOPs) from Confluence. When an alert triggers, AI agents analyze it, locate relevant SOPs, and perform required remediation steps - all while keeping the on-call team informed via Slack. It was created by Michael Tolan, Security Researcher L2 at Tines, and Peter Wrenn, Senior Solutions Engineer at Tines. In this guide, we'll share an overview of the workflow, plus step-by-step instructions for getting it up and running. The problem - manual alert triage and SOP execution For security teams, responding to alerts efficiently requires quickly identifying the threat ty...

Cybersecurity researchers have discerned evidence of two Russian hacking groups Gamaredon and Turla collaborating together to target and co-comprise Ukrainian entities. Slovak cybersecurity company ESET said it observed the Gamaredon tools PteroGraphin and PteroOdd being used to execute Turla group's Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla is very likely actively collaborating with Gamaredon to gain access to specific machines in Ukraine and deliver the Kazuar backdoor.  "PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically," ESET said in a report shared with The Hacker News. "Thus, PteroGraphin was probably used as a recovery method by Turla." In a separate instance in April and June 2025, ESET said it also detected the deployment of Kazuar v2 through two other Gamaredon malware families tracked as PteroOdd and PteroPaste. Both Gamaredon (aka Aqua B...

Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency. Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands were arrested at their home addresses on Tuesday, the National Crime Agency (NCA) said. They are 19 and 18, respectively. It's worth noting that Flowers was initially arrested for his alleged involvement in the TfL attack in September 2024, but was subsequently released on bail. The agency said it found evidence of Flowers targeting U.S. healthcare companies, and that he has also been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and Sutter Health. Jubair has also been charged under the Regulation of Investigatory Powers...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM). "Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server," CISA said in an alert. The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428 , both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025. While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication. According to CISA, the threat actors gained access to server running EPMM by combing the two vulner...

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers. "While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall," the company said . The network security company said it's not aware of any of these files being leaked online by the threat actors, adding it was not a ransomware event targeting its network. "Rather this was a series of brute-force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors," it noted. It's currently not known who is...

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2 , and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups," Silent Push said in an analysis. Appearing in three different versions – .NET, PowerShell, and JavaScript – the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine. Silent Push told The Hacker News that it does not have any insight into the nature of malware that was dropped using CountLoader. It's worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSe...

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. "SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said . "SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox." The packages, now no longer available for download from PyPI, are listed below. They were both uploaded by a user named "CondeTGAPIS." sisaws (201 Downloads) secmeasure (627 Downloads) Zscaler said the package sisaws mimics the behavior of the legitimate Python package sisa, which is associated with Argentina's national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA). However, ...

AI's growing role in enterprise environments has heightened the urgency for Chief Information Security Officers (CISOs) to drive effective AI governance. When it comes to any emerging technology, governance is hard – but effective governance is even harder. The first instinct for most organizations is to respond with rigid policies. Write a policy document, circulate a set of restrictions, and hope the risk is contained. However, effective governance doesn't work that way. It must be a living system that shapes how AI is used every day, guiding organizations through safe transformative change without slowing down the pace of innovation.  For CISOs, finding that balance between security and speed is critical in the age of AI. This technology simultaneously represents the greatest opportunity and greatest risk enterprises have faced since the dawn of the internet. Move too fast without guardrails, and sensitive data leaks into prompts, shadow AI proliferates, or regulatory gaps bec...