#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
AWS EKS Security Best Practices

The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775

Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775

Aug 26, 2025 Vulnerability / Remote Code Execution
Citrix has released fixes to address three security flaws in NetScaler ADC and NetScaler Gateway, including one that it said has been actively exploited in the wild. The vulnerabilities in question are listed below - CVE-2025-7775 (CVSS score: 9.2) - Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service CVE-2025-7776 (CVSS score: 8.8) - Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial-of-Service CVE-2025-8424 (CVSS score: 8.7) - Improper access control on the NetScaler Management Interface The company acknowledged that "exploits of CVE-2025-7775 on unmitigated appliances have been observed," but stopped short of sharing additional details. However, for the flaws to be exploited, there are a number of prerequisites - CVE-2025-7775 - NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; NetScaler ADC and NetScaler Gateway 13.1, 14.1...
New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station

New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station

Aug 26, 2025 Vulnerability / Mobile Security
A team of academics has devised a novel attack that can be used to downgrade a 5G connection to a lower generation without relying on a rogue base station (gNB). The attack , per the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), relies on a new open-source software toolkit named Sni5Gect (short for "Sniffing 5G Inject") that's designed to sniff unencrypted messages sent between the base station and the user equipment (UE, i.e., a phone) and inject messages to the target UE over-the-air. The framework can be used to carry out attacks such as crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, according to Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou. "As opposed to using a rogue base station, which limits the practicality of many 5G attacks, SNI5GECT acts as a third-party in the communication, silently sniffs me...
MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

Aug 26, 2025 Enterprise Security / Artificial Intelligence
Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that's targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell. The activity has been codenamed ZipLine by Check Point Research. "Instead of sending unsolicited phishing emails, attackers initiate contact through a company's public 'Contact Us' form, tricking employees into starting the conversation," the company said in a statement shared with The Hacker News. "What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware." The attacks have cast a wide net, spanning multiple organizations across sectors and geographic locations, but with an emphasis on U.S.-based entities. Primary targets include companies in industrial manufacturing, such as machinery, metalwork, component production, and engine...
cyber security

The MCP Security Guide for Early Adopters

websiteWizArticles Intelligence / MCP Security
Thousands of MCP servers are already live, but most security teams don't have a clear strategy yet. Get the practical guide to MCP for security teams.
cyber security

How Security Leaders, like Snowflake's CISO, are Securing Unmanaged Devices

websiteBeyond IdentityIdentity Security / Enterprise Protection
Unmanaged devices fuel breaches. Learn 5 ways CISOs secure them without hurting productivity.
AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals

AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals

Aug 26, 2025 Endpoint Protection / Artificial Intelligence
Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape. SentinelOne's steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control. Cybersecurity today isn't just about detection—it's about operational continuity under pressure. For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. ...
ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

Aug 26, 2025 Ransomware / Cryptojacking
A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners. The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency. "The campaign [...] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems," researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said . "The ultimate objectives of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks." The attacks begin with unsuspecting users visiting a c...
HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

Aug 26, 2025
Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...
Google to Verify All Android Developers in 4 Countries to Block Malicious Apps

Google to Verify All Android Developers in 4 Countries to Block Malicious Apps

Aug 26, 2025 Mobile Security / Data Privacy
Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. "Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices," the company said . "This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down." To that end, the tech giant said it intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. The new requirements are expected to go into effect starting a year from now, in September 2026, in Brazil, Indonesia, Singapore, and Thailand. "At this point, any app installed on a certified Android device in these regions must be registered by a verified developer," Suzanne Frey, vice president of Product,...
CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git

CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git

Aug 26, 2025 Vulnerability / Data Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-8068 (CVSS score: 5.1) - An improper privilege management vulnerability in Citrix Session Recording that could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain CVE-2024-8069 (CVSS score: 5.1) - A deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with the privileges of a NetworkService Account access when an attacker is an authenticated user on the same intranet as the session recording server CVE-2025-48384 (CVSS score: 8.1) - A link following vulnerability in Git that arises as a ...
UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

Aug 25, 2025 Malware / Cyber Espionage
A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests. "This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection," Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said . UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda , which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon. The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the...
Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

Aug 25, 2025 Container Security / Vulnerability
Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074 , carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. "A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted," Docker said in an advisory released last week. "This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability." According to security researcher Felix Boulet, the vulnerability has to do with how it's possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container c...
Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

Aug 25, 2025 Malware / Cloud Security
Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said . "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter." Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others. UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT , DCRat (aka DarkCrystal RAT), and Babylon RAT , each of which enable an attacker to take full control of compromi...
⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

Aug 25, 2025 Cybersecurity News / Hacking
Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn't just a matter of firewalls and patches—it's about strategy. The strongest organizations aren't the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power. This week's stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT. ⚡ Threat of the Week Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent sec...
Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

Aug 25, 2025 Network Security / Threat Detection
Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025 , based on over 160 million real-world attack simulations , revealed that organizations are only detecting 1 out of 7 simulated attacks , showing a critical gap in threat detection and response. While many organizations believe they're doing everything they can to detect adversary actions, the reality is that a large number of threats are slipping through their defenses unnoticed, leaving their networks far too vulnerable to compromise. This gap in detection creates a false sense of security when attackers have already accessed your sensitive systems, escalated their privileges, or are actively exfiltrating your valuable data. Which begs the question: why, after all this time, money, and attention, are these systems still ...
Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing

Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing

Aug 25, 2025 Malware / Cyber Attack
The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities. "Initial access is achieved through spear-phishing emails," CYFIRMA said . "Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads." Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs). The latest dual-platform demonstrates the adversarial collective's continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments. The attack chains begin with phishing emails bearing sup...
Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot

Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot

Aug 24, 2025 Malware / Supply Chain Security
Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator. "On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor," Socket researcher Kirill Boychenko said . The deceptive package, named "golang-random-ip-ssh-bruteforce," has been linked to a GitHub account called IllDieAnyway (G3TT), which is currently no longer accessible. However, it continues to be available on pkg.go[.]dev. It was published on June 24, 2022. The software supply chain security company said the Go module works by scanning random IPv4 addresses for exposed SSH services on TCP port 22, then attempting to brute-force the service using an embedded username-password list and exfiltrating the successful credentials to the attacker. A notable aspect of th...
GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Aug 23, 2025 IoT Botnet / Cloud Security
Cybersecurity researchers are calling attention to multiple campaigns that are taking advantage of known security vulnerabilities and exposed Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure. The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year. "Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies," Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report. "This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app develo...
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

Aug 22, 2025 Malware / Linux
Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell . The "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up. "The payload isn't hidden inside the file content or a macro, it's encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger." The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code. What's more, the technique offers the added advantage of...
Expert Insights Articles Videos
Cybersecurity Resources
//]]>