Advanced Persistent Threat | Breaking Cybersecurity News | The Hacker News

The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, government, transportation, lodging, and military infrastructure sectors. "While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks," according to a joint cybersecurity advisory published Wednesday. "These actors often modify routers to maintain persistent, long-term access to networks." The bulletin , courtesy of authorities from 13 countries, said the malicious activity has been linked to three Chinese entities, Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These companies,...

The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities. "Initial access is achieved through spear-phishing emails," CYFIRMA said . "Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads." Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs). The latest dual-platform demonstrates the adversarial collective's continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments. The attack chains begin with phishing emails bearing sup...

A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments. The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237 , which is believed to be active since at least 2022. The hacking group is assessed to be a sub-group of UAT-5918 , which is known to be attacking critical infrastructure entities in Taiwan as far back as 2023. "UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise," Talos said . The attacks are characterized by the use of a bespoke shellcode loader dubbed SoundBill that's designed to decode and launch secondary pay...

Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East's public sector and aviation industry. The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software. The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia , which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools. "The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a...

Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign. The activity, observed this year, is primarily designed Now to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today. "The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments," the cybersecurity company said . "The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromise infrastructure." Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886 , a...

The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances ( CVE-2025-4427 and CVE-2025-4428 ). "We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk," Lotem Finkelstein, Director of Threat Intelligence at Chec...

Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. "This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims," Seqrite Labs researcher Subhajeet Singha said in a report published this week. The activity encompasses two major campaigns, one called Operation Cobalt Whisper which took place between May and September 2024, and Operation AmberMist that occurred between January and May 2025. Targets of these campaigns include defense, electrotechnical engineering, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development sectors. Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detai...

An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel. "In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages," Check Point said in a report published Wednesday. "The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations." The cybersecurity company attributed the activity to a threat cluster it tracks as Educated Manticore , which overlaps with APT35 (and its sub-cluster APT42 ), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda. The advanced persist...

Microsoft has released patches to fix 67 security flaws , including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws. The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV ( CVE-2025-33053 , CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL. The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerab...

The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said . "The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts." The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan. Rare Werewolf , also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of...

A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos. "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints," researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra said in an analysis published Thursday. The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor based on the tradecraft observed and the overlapping capabilities with destructive malware used in attacks against Ukraine. Talos said the commands issued by the administrative tool's console were received by its client running on the victim endpoints and then executed as a batch (BAT) file. The BAT file, in turn, consisted of a command to run a malicious Visu...

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said. Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities , with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion. Stating that Bitter fr...

Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into a set of honeypots en masse. A majority of the infections are located in Macau, with 850 compromised devices.