Credential Theft | Breaking Cybersecurity News | The Hacker News

It takes just one email to compromise an entire system. A single well-crafted message can bypass filters, trick employees, and give attackers the access they need. Left undetected, these threats can lead to credential theft, unauthorized access, and even full-scale breaches. As phishing techniques become more evasive, they can no longer be reliably caught by automated solutions alone. Let's take a closer look at how SOC teams can ensure fast, accurate detection of even the most evasive phishing attacks, using the example of Tycoon2FA, the number one phishing threat in the corporate environment today. Step 1: Upload a suspicious file or URL to the sandbox Let's consider a typical situation: a suspicious email gets flagged by your detection system, but it's unclear whether it's indeed malicious. The fastest way to check it is to run a quick analysis inside a malware sandbox. A sandbox is an isolated virtual machine where you can safely open files, click links, and observe behavior ...

An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. "The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding malicious extensions on Google's Chrome Web Store (CWS)," the DomainTools Intelligence (DTI) team said in a report shared with The Hacker News. While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Another factor that works in the extensions' favor is that they are configured to grant themselves excessive permissions via...

Cybersecurity leaders aren't just dealing with attacks—they're also protecting trust, keeping systems running, and maintaining their organization's reputation. This week's developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow.  Just fixing problems isn't enough anymore—resilience needs to be built into everything from the ground up. That means better systems, stronger teams, and clearer visibility across the entire organization. What's showing up now isn't just risk—it's a clear signal that acting fast and making smart decisions matters more than being perfect. Here's what surfaced—and what security teams can't afford to overlook. ⚡ Threat of the Week Microsoft Fixes 5 Actively Exploited 0-Days — Microsoft addressed a total of 78 security flaws in its Patch Tuesday update for May 2025 last week, out of which five of them have come under active exploitation in the wild. The vulnerabilities include CVE-2025-30397, CVE-2025-...

A new global phishing threat called " Meta Mirage " has been uncovered, targeting businesses using Meta's Business Suite. This campaign specifically aims at hijacking high-value accounts, including those managing advertising and official brand pages. Cybersecurity researchers at CTM360 revealed that attackers behind Meta Mirage impersonate official Meta communications, tricking users into handing over sensitive details like passwords and security codes (OTP). The scale of this operation is alarming. Researchers have already identified over 14,000 malicious URLs , a concerning majority of which —nearly 78%— were not blocked by browsers at the time the report was published. Cybercriminals cleverly hosted fake pages leveraging trusted cloud platforms like GitHub, Firebase, and Vercel, making it harder to spot the scams. This method aligns closely with recent findings from Microsoft, which highlighted similar abuse of cloud hosting services to compromise Kubernetes appli...

The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia . Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion." "The group's interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes," security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly said in a report shared with The Hacker News. Konni APT , also known as Opal Sleet, Osmium, TA406, and Vedalia , is a cyber espionage group that has a history of targeting entities in South Korea, the United States, and Russia. It's operational since at least 2014. Attack chains mounted by the threat actor often involve the use of phishing emails to distribute malware called Konni RAT (aka UpDog) and redirect r...

The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of a cross-platform malware called OtterCookie with capabilities to steal credentials from web browsers and other files. NTT Security Holdings, which detailed the new findings, said the attackers have "actively and continuously" updated the malware, introducing versions v3 and v4 in February and April 2025, respectively. The Japanese cybersecurity company is tracking the cluster under the name WaterPlum , which is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. OtterCookie was first documented by NTT last year after having observed it in attacks since September 2024. Delivered by means of a JavaScript payload via a malicious npm package, trojanized GitHub or Bitbucket repository, or a bogus videoconferencing app, it's designed to contact an external server to execute commands on compromis...

Cybersecurity researchers are warning of a new campaign that's targeting Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software since January 2025. "The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox," Cisco Talos researcher Guilherme Venere said in a Thursday report. The attack chains begin with specially crafted spam emails that claim to originate from financial institutions or cell phone carriers, warning of overdue bills or outstanding payments in order to trick users into clicking on bogus Dropbox links that point to a binary installer for the RMM tool. Two notable RMM tools observed are N-able RMM Remote Access and PDQ Connect , granting attackers the ability to read and write files to the remote file system. In some cases, the threat actors then use the remote capabilities of th...

Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko said . The packages in question are listed below - sw-cur (2,771 downloads) sw-cur1 (307 downloads), and aiide-cur (163 downloads) All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025. It was uploaded by a user named "aiide." The npm library is described as a "command-line tool for configuring the macOS version of the Cursor editor." The other two packages, ...

It wasn't ransomware headlines or zero-day exploits that stood out most in this year's Verizon 2025 Data Breach Investigations Report (DBIR) — it was what fueled them. Quietly, yet consistently, two underlying factors played a role in some of the worst breaches: third-party exposure and machine credential abuse . According to the 2025 DBIR, third-party involvement in breaches doubled year-over-year, jumping from 15% to 30% . In parallel, attackers increasingly exploited machine credentials and ungoverned machine accounts to gain access, escalate privileges, and exfiltrate sensitive data. The message is clear: it's no longer enough to protect your employee users alone. To truly defend against modern threats, organizations must govern all identities — human, non-employee, and machine — within a unified security strategy. Third-Party Risk: Expanding Faster Than Organizations Can Control Today's enterprise is a patchwork of partnerships: contractors, vendors, business p...

The threat actors known as Golden Chickens have been attributed to two new malware families dubbed TerraStealerV2 and TerraLogger, suggesting continued development efforts to fine-tune and diversify their arsenal. "TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information," Recorded Future Insikt Group said . "TerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and writes the logs to local files." Golden Chickens, also known as TA4557 and Venom Spider, is the name given to a financially motivated threat actor linked to a notorious malware family called More_eggs . It's known to be active since at least 2018, offering its warez under a malware-as-a-service (MaaS) model. Campaigns distributing More_eggs entail the use of spear-phishing emails to target hiring managers using fake resumes, allowing attackers to steal confidential data. ...

Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X. The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct personas on the two social media platforms, creating a network of "politically-aligned accounts" that engaged with "10s of thousands" of authentic accounts. The now-disrupted operation, Anthropic researchers said, prioritized persistence and longevity over vitality and sought to amplify moderate political perspectives that supported or undermined European, Iranian, the United Arab Emirates (U.A.E.), and Kenyan interests. These included promoting the U.A.E. as a superior business environment while being critical of European regulatory frameworks, focusing on energy security narratives for European audiences, and cultural...