#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
AWS EKS Security Best Practices

The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

China's Massistant Tool Secretly Extracts SMS, GPS Data, and Images From Confiscated Phones

China's Massistant Tool Secretly Extracts SMS, GPS Data, and Images From Confiscated Phones

Jul 18, 2025 Surveillance / Mobile Security
Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices. The hacking tool, believed to be a successor of MFSocket , is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd. , which was formerly known as Meiya Pico. It specializes in the research, development, and sale of electronic data forensics and network information security technology products. According to a report published by Lookout, Massistant works in conjunction with a corresponding desktop software, allowing for access to the device's GPS location data, SMS messages, images, audio, contacts, and phone services. "Meiya Pico maintains partnerships with domestic and international law enforcement partners, both as a surveillance hardware and software provider, as well as through training programs for law enforcement personnel," security resear...
UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns

UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns

Jul 18, 2025 Cyber Espionage / Malware
Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. "This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims," Seqrite Labs researcher Subhajeet Singha said in a report published this week. The activity encompasses two major campaigns, one called Operation Cobalt Whisper which took place between May and September 2024, and Operation AmberMist that occurred between January and May 2025. Targets of these campaigns include defense, electrotechnical engineering, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development sectors. Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detai...
Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks

Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks

Jul 18, 2025 Malware / Vulnerability
Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory. CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in April 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code. While both vulnerabilities have been weaponized in the wild as zero-days, previous findings from JPCERT/CC in April have revealed that the first of the two issues had been abused to deliver malware...
cyber security

New Webinar: Identity Attacks Have Changed — Have Your IR Playbooks?

websitePush SecurityThreat Detection / Identity Security
With modern identity sprawl, the blast radius of a breach is bigger than ever. Are you prepared? Sign up now.
cyber security

AI Can Personalize Everything—Except Trust. Here's How to Build It Anyway

websiteTHN WebinarIdentity Management / AI Security
We'll unpack how leading teams are using AI, privacy-first design, and seamless logins to earn user trust and stay ahead in 2025.
Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services

Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services

Jul 18, 2025 Cloud Security / AI Security
Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services. The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz. "NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions," NVIDIA said in an advisory for the bug. "A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service." The shortcoming impacts all versions of NVIDIA Container Toolkit up to and including 1.17.7 and NVIDIA GPU Operator up to and including 25.3.0. It has been addressed by the GPU maker in versions 1.17.8 and 25.3.1, respectively. The NVIDIA Container...
CERT-UA Discovers LAMEHUG Malware Linked to APT28, Using LLM for Phishing Campaign

CERT-UA Discovers LAMEHUG Malware Linked to APT28, Using LLM for Phishing Campaign

Jul 18, 2025 Cyber Attack / Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign that's designed to deliver a malware codenamed LAMEHUG . "An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)," CERT-UA said in a Thursday advisory. The activity has been attributed with medium confidence to a Russian state-sponsored hacking group tracked as APT28 , which is also known as Fancy Bear, Forest Blizzard, Sednit, Sofacy, and UAC-0001. The cybersecurity agency said it found the malware after receiving reports on July 10, 2025, about suspicious emails sent from compromised accounts and impersonating ministry officials. The emails targeted executive government authorities. Present within these emails was a ZIP archive that, in turn, contained the LAMEHUG payload in the form of three different variants named "Додаток.pif, "AI_generator_uncensored_Can...
Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices

Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices

Jul 18, 2025 Botnet / Network Security
Google on Thursday revealed it's pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure. "The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections," the tech giant said . "Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes." The company said it immediately took steps to update Google Play Protect, a malware and unwanted software protection mechanism built into Android, to automatically thwart BADBOX-related apps. The development comes a little over a month after the U.S. Federal Bureau of Investigation (FBI) issued a warning about the BADBOX 2.0 botnet. BADBOX, first detected in late 2022, is known to spread via ...
From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware

From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware

Jul 18, 2025 Data Backup / IT Resilience
With IT outages and disruptions escalating, IT teams are shifting their focus beyond simply backing up data to maintaining operations during an incident. One of the key drivers behind this shift is the growing threat of ransomware, which continues to evolve in both frequency and complexity. Ransomware-as-a-Service (RaaS) platforms have made it possible for even inexperienced threat actors with less or no technical expertise to launch large-scale, damaging attacks. And these attacks don't just encrypt data now. They exfiltrate sensitive information for double and triple extortion, alter or delete backups, and disable recovery infrastructure to block restoration efforts. This is especially critical for small and midsize businesses (SMBs), which are increasingly targeted due to their leaner defenses. For an SMB generating $10 million in annual revenue, even a single day of downtime can cost $55,076 , without factoring in the long-term impact on customer trust and brand reputation. While...
Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

Jul 17, 2025 Malware / Social Engineering
Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. "The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today. The cybersecurity company said the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which, for its part, downloads various custom payloads from public GitHub repositories operated by the threat actors. The activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 in attacks targeting Ukrainian entities. Both Emmenhtal and Amadey function as a downloader for secondary payloads like info...
Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner

Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner

Jul 17, 2025 Cryptocurrency / Vulnerability
Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys . The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could result in remote code execution. "The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection," VulnCheck's Jacob Baines said in a report shared with The Hacker News. The infection sequence, observed earlier this month and originating from an Indonesian IP address 103.193.177[.]152 , is designed to drop a next-stage payload from "repositorylinux[.]org" using curl or wget. The payload is a shell script that's responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the ...
Europol Disrupts NoName057(16) Hacktivist Group Linked to DDoS Attacks Against Ukraine

Europol Disrupts NoName057(16) Hacktivist Group Linked to DDoS Attacks Against Ukraine

Jul 17, 2025 Hacktivism / Cybercrime
An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies. The actions have led to the dismantling of a major part of the group's central server infrastructure and more than 100 systems across the world. The joint effort also included two arrests in France and Spain, searches of two dozen homes in Spain, Italy, Germany, the Czech Republic, France and Poland, and the issuance of arrest warrants for six Russian nationals. The effort, codenamed Operation Eastwood, took place between July 14 and 17, and involved authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States. The investigation was also supported by Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. NoName057(16) has been operatio...
CTEM vs ASM vs Vulnerability Management: What Security Leaders Need to Know in 2025

CTEM vs ASM vs Vulnerability Management: What Security Leaders Need to Know in 2025

Jul 17, 2025 Enterprise Security / Threat Detection
The modern-day threat landscape requires enterprise security teams to think and act beyond traditional cybersecurity measures that are purely passive and reactive, and in most cases, ineffective against emerging threats and sophisticated threat actors. Prioritizing cybersecurity means implementing more proactive, adaptive, and actionable measures that can work together to effectively address the threats that most affect your business. Ideally, these measures should include the implementation of a Continuous Threat Exposure Management (CTEM) program, Vulnerability Management, and Attack Surface Management (ASM), which are all very different from one another, yet overlap. With CTEM , vulnerability management, and ASM, it's not a question of which one is "better" or "more effective", as they complement each other uniquely. By adopting all three, security teams get the continuous visibility and context they need to proactively boost defenses, giving them a le...
Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors

Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors

Jul 17, 2025 Malware / Cyber Espionage
The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three previously undocumented Chinese state-sponsored threat actors. "Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market," Proofpoint said in a report published Wednesday. The activity, per the enterprise security firm, took place between March and June 2025. They have been attributed to three China-aligned clusters it tracks as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp. UNK_FistBump is said to have targeted semiconductor design, packaging, manufacturing, and supply chain organizations in employment-themed phishing campaigns that resulted in the delivery of Cobalt Strike or a C-based custom backdoor dubbed Volde...
Cisco Warns of Critical ISE Flaw Allowing Unauthenticated Attackers to Execute Root Code

Cisco Warns of Critical ISE Flaw Allowing Unauthenticated Attackers to Execute Root Code

Jul 17, 2025 Vulnerability / Network Security
Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges. Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281 , which was patched by the networking equipment major late last month. "Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities," the company said in an updated advisory. "These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the att...
Hackers Leverage Microsoft Teams to Spread Matanbuchus 3.0 Malware to Targeted Firms

Hackers Leverage Microsoft Teams to Spread Matanbuchus 3.0 Malware to Targeted Firms

Jul 16, 2025 Threat Intelligence / Vulnerability
Cybersecurity researchers have flagged a new variant of a known malware loader called Matanbuchus that packs in significant features to enhance its stealth and evade detection. Matanbuchus is the name given to a malware-as-a-service (MaaS) offering that can act as a conduit for next-stage payloads , including Cobalt Strike beacons and ransomware. First advertised in February 2021 on Russian-speaking cybercrime forums for a rental price of $2,500, the malware has been put to use as part of ClickFix-like lures to trick users visiting legitimate-but-compromised sites not running it. Matanbuchus's delivery methods have evolved over time, leveraging phishing emails pointing to booby-trapped Google Drive links, drive-by downloads from compromised sites, malicious MSI installers , and malvertising . It has been used to deploy a variety of secondary payloads including DanaBot, QakBot, and Cobalt Strike, all known precursors to ransomware deployment. The latest version of the loade...
UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

Jul 16, 2025 Vulnerability / Cyber Espionage
A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP . The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a hacking crew it tracks as UNC6148 . The number of known victims is "limited" at this stage. The tech giant assessed with high confidence that the threat actor is "leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates." "Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025." The exact initial access vector used to deliver the malware is currently not known due to the steps taken by the...
Critical Golden dMSA Attack in Windows Server 2025 Enables Cross-Domain Attacks and Persistent Access

Critical Golden dMSA Attack in Windows Server 2025 Enables Cross-Domain Attacks and Persistent Access

Jul 16, 2025 Windows Server / Enterprise Security
Cybersecurity researchers have disclosed what they say is a "critical design flaw" in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025. "The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely," Semperis said in a report shared with The Hacker News. Put differently, successful exploitation could allow adversaries to sidestep authentication guardrails and generate passwords for all Delegated Managed Service Accounts ( dMSAs ) and group Managed Service Accounts ( gMSAs ) and their associated service accounts. The persistence and privilege escalation method has been codenamed Golden dMSA , with the cybersecurity company deeming it as low complexity owing to the fact that the vulnerability simplifies brute-force password generation. However, in order for bad actors to exploit it, they must already be ...
Expert Insights Articles Videos
Cybersecurity Resources