Check Point | Breaking Cybersecurity News | The Hacker News

SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. "In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs," Arctic Wolf Labs researcher Julian Tuin said in a report. The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn't been ruled out. The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has observed similar malicious VPN logins as far back as October 2024 , suggesting sustained efforts to target the devices. "A short interval was obser...

The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations. The framework includes at least two different types of clients, HTTP-based and Domain Name System ( DNS )-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research. The activity has been attributed to Storm-2603 , which, according to Microsoft, is a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware. A previously unreported threat cluster, evidence gathered following an analysis of VirusTotal artifacts shows that the group may have been active since at least March 2025, deploying ransomware families like LockBit Black and Warlock together – something that's not observed commonly among established e-c...

Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data such as credentials and wallets. The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones. "The actors separate the installer's functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites," the company said in an analysis. "A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation." It's worth noting that some aspects of the activity were previously documented by Microsoft in April 2...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Cybersecurity experts have released a decryptor for a ransomware strain called FunkSec, allowing victims to recover access to their files for free. "Because the ransomware is now considered dead, we released the decryptor for public download," Gen Digital researcher Ladislav Zezula said . FunkSec , which emerged towards the end of 2024, has claimed 172 victims , according to data from Ransomware.live. The vast majority of targeted entities are located in the U.S., India, and Brazil, with technology, government, and education being the top three sectors attacked by the group. An analysis of FunkSec by Check Point earlier this January found signs that the encryptor was developed with assistance from artificial intelligence (AI) tools. The group has not added any new victims to its data leak site since March 18, 2025, suggesting that the group may no longer be active. It's also believed that the group consisted of inexperienced hackers seeking visibility and recogniti...

A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker in some cases. The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a now-patched security flaw in Check Point network gateway security products ( CVE-2024-24919 , CVSS score: 7.5). The attacks were observed between June and October 2024. "The campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions," the company said in a technical report shared with The Hacker News. The initial access afforded by exploitation of vulnerable Check Point instances is said to have allowed the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account. In the next stage,...

Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild. Tracked as CVE-2024-24919 (CVSS score: 8.6), the issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. "The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled," Check Point said . Hotfixes are available in the following versions - Quantum Security Gateway and CloudGuard Network Security Versions - R81.20, R81.10, R81, R80.40 Quantum Maestro and Quantum Scalable Chassis - R81.20, R81.10, R80.40, R80.30SP, R80.20SP Quantum Spark Gateways Version - R81.10.x, R80.20.x, R77.20.x The development comes days after the Israeli cybersecurity company warned of attacks targeting its VPN devices to infiltrate enterprise networks. "By May 24, 2024, we identi...

Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point  said  in a technical report. "This exploit has been used by multiple threat actors, from e-crime to espionage." It's worth noting that Adobe Acrobat Reader – which is more prevalent in sandboxes or antivirus solutions – is not susceptible to this specific exploit, thus contributing to the campaign's low detection rate. The issue stems from the fact that the application shows "OK" as the default selected option in a pop-up when users are asked to trust the document prior to enabling certain features to avoid potential security risks. Once a user clicks OK, they are displayed a second pop-up warning that the file is about to execute...

Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files ( WSFs ) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer  said  in a report shared with The Hacker News. Raspberry Robin, also called QNAP worm, was  first spotted  in September 2021 that has since  evolved into a downloader  for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware. While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since  adopted other methods  such as social engineering and malv...

Multiple threat actors, including LockBit ransomware affiliates, are  actively exploiting  a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC). "Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances," the agencies  said . "Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to ...

Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called  LitterDrifter  in attacks targeting Ukrainian entities. Check Point, which  detailed  Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are followed by "data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals." The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives as well as communicating with the threat actor's command-and-control (C&C) servers. It's also suspected to be an evolution of a PowerShell-based USB worm that was previously  disclosed  by Symantec in June 2023. Written in VBS, the spreader module is responsible for distributing the worm as a hidden file in a USB drive together with...

High-profile government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 that's designed to deploy basic backdoors and loaders for delivering next-stage malware. Cybersecurity company Check Point is tracking the activity under the name  Stayin' Alive . Targets include organizations located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan. "The simplistic nature of the tools [...] and their wide variation suggests they are disposable, mostly utilized to download and run additional payloads," it  said  in a report published Wednesday. "These tools share no clear code overlaps with products created by any known actors and do not have much in common with each other." What's notable about the campaign is that the infrastructure  shares overlaps  with that used by  ToddyCat , a China-linked threat actor known for orchestrating cyber assaults against government and military agencies in Europe and Asia since at least...

An active malware campaign targeting Latin America is dispensing a new variant of a banking trojan called  BBTok , particularly users in Brazil and Mexico. "The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number," Check Point  said  in research published this week. The payloads are generated by a custom server-side PowerShell script and are unique for each victim based on the operating system and country, while being delivered via phishing emails that leverage a variety of file types. BBTok is a Windows-based banking malware that  first surfaced  in 2020. It's equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate keyboard, and serve fake login pages for banks operating in the two countries. The ...

Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society , including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware," Check Point  said  in a new report. Vice Society , tracked by Microsoft under the name Storm-0832, has a  pattern  of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them. First observed in May 2023, the  Rhysida  ransomware group is known to rely on phishing attacks and Cobalt Strike to breach target...

A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of  .NET single-file deployment techniques , enabling threat actors to capture sensitive information from compromised hosts. "BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point  said  in a report published this week, adding it is "commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games." Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox. The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is the .NET single-file, self-con...

The Chinese nation-state actor known as  Mustang Panda  has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023. An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers. "The implant features several malicious components, including a custom backdoor named 'Horse Shell' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the company said . "Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors." The Israeli cybersecurity firm is tracking the threat group under the mythical creature name Camaro Dragon,  which  is  also known as  BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. The ...

Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called  FluHorse  that abuses the Flutter software development framework. "The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point  said  in a technical report. "These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes." The malicious apps have been found to imitate popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022.  The phishing scheme in itself is fairly straightforward, wherein victims are lured with emails that contain links to a bogus website that hosts malicious APK files. Also added to the website are checks that aim to screen victi...

An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a Windows backdoor called PowerLess . Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle  Educated Manticore , which exhibits "strong overlaps" with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains," the Israeli company  said  in a technical report published today. Active since at least 2011, APT35 has cast a  wide net of targets  by leveraging  fake social media personas ,  spear-phishing techniques , and  N-day vulnerabilities in internet-exposed applications  to gain initial access and drop vario...