-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Cybercrime | Breaking Cybersecurity News | The Hacker News

Category — Cybercrime
Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Jul 16, 2026 Cybercrime / Identity Security
Owen Flowers , 18, and Thalha Jubair , 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL's losses and recovery costs at £29 million. Both  pleaded guilty on 22 June 2026 , the day their trial was due to start. The charge was Section 3ZA of the Computer Misuse Act 1990, the Act's most serious, and they admitted it on the basis that they were reckless as to whether they caused or created a significant risk of serious damage to human welfare. The  CPS  says Flowers and Jubair are believed to be the first hackers successfully prosecuted under Section 3ZA. The  NCA  counts the case as only the second prosecution of its kind. The two readings can sit together, one countin...
ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

Jul 16, 2026 Hacking News / Cybersecurity News
A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Here’s the mess. Game cheats drop spyware 11 Malicious NuGet Tools Masquerade as Game Cheats to Drop Windows Surveillance Payload Cybersecurity researchers 11 malicious NuGet packages published as .NET command-line tools that present themselves as game utilities, bots, and "panels," each of which act as a first-stage downloader responsible for fetching and executing a second-stage Python payload named "pepesoft.exe" from GitHub Releases and Hugging Face paths under the username "pepegit666," along with a dormant BitTorrent fallback...
New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

Jul 16, 2026 Cybercrime / Endpoint Security
Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026. "The malware is full-featured, lightweight, and modular," Elastic Security Labs researcher Cyril François said in a technical report. "While the number of C2 [command-and-control] domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth." The disclosure makes it the second new threat actor after SCMBANKER to be propagated via ClickFix , a pervasive social engineering attack that tricks users into manually running malicious commands by disguising them as innocent fixes for fake browser errors, software updates, or CAPTCHA verifications. Underpinning the technique is an approach called clipboard hijacking. Because web pages using ClickFix inject malicious script or commands into...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
20+ Hijacked Government Websites Became
an Attack Channel

20+ Hijacked Government Websites Became
an Attack Channel

Jul 16, 2026 Malware / Endpoint Security
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN , a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk. By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden. For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report Trusted Government Infrastructure Became the Lure The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices. Some ...
TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

Jul 15, 2026 IoT Security / Network Security
Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. "While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," Palo Alto Networks Unit 42 said . "Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly." The cybersecurity company said a manual code review would have resolved these errors and that it's possible more polished iterations of the malware exist out there in the wild. The botnet framework consists of multiple components: a C-based bot agent that cross-compiles for multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-...
OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

Jul 15, 2026 Endpoint Security / Malware
A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase. On an infected PC, the request comes from inside the wallet's own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and the phrase is the wallet. Kaspersky's GReAT team  published the teardown  on Wednesday, counting hundreds of victims in its telemetry across more than 25 countries. The largest share of attacked users is in Brazil, Vietnam, Canada, Mexico, and Türkiye. How many of them typed a phrase in, the report does not say. OkoBot carries more than 20 payloads and implants and was still active as of the July 15 report. SeedHunter Waits for the Device SeedHunter is the OkoBot module that steals the phrase. Once the framework lands, it watches for Trezor Suite, Ledger Wallet, and Ledger Live...
LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts

LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts

Jul 14, 2026 Malware / Threat Intelligence
Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. "LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. "Once deployed, it can profile the host, identify security tools, receive operator commands, move files, capture screenshots, and proxy traffic through the affected system." The implant also supports multiple communication methods, including HTTPS, WebView2, and DNS tunneling, allowing attackers to maintain access to compromised hosts even if one pathway is detected and closed off. There are some signs that LabubuRAT is being offered under a malware-as-a-service (MaaS) model. The starting point of the attack chain is an executable named "nvidia-sysruntime.exe," which impersonates NVIDIA's container ru...
U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

Jul 14, 2026 Network Security / Cyber Espionage
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service ( 1VPNS ), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian administrator, Dmytro Rashevskyi. The department has also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national, for selling cryptors to help conceal ransomware and other malware as safe programs to avoid being detected by security tools. First VPN was dismantled in May 2026 as part of a joint law enforcement operation by European and North American authorities for assisting criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The service had been operational since 2014, advertising that it neither keeps...
CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

Jul 13, 2026 Endpoint Security / Cybercrime
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. "It validates the victim's login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself," security researcher Thijs Xhaflaire said in a report shared with The Hacker News. CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that's distributed as a disk image file named "Werkbit.app." Because both the disk image and binary are notarized and carry a valid developer ID ("Emil Grigorov...
Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Jul 13, 2026 Email Security / Artificial Intelligence
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing , adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing lures that make use of legitimate email delivery infrastructure, such as Amazon Simple Email Service (Amazon SES) and Twilio SendGrid, to imitate a redirection chain that blends into regular email traffic before it ends in Forg365-controlled domains. "The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support," ZeroBEC said . The email securi...
Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

Jul 13, 2026 Identity Security / Threat Intelligence
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it:  python3 -m http.server 8080 , was still sitting in the readable  .bash_history . From that one lapse, French security firm  Lexfo  lifted the operator's entire toolkit and pivoted through it to two more phishing operators, three campaigns in all. Each ran a custom fork of the open-source Evilginx proxy , cloned from public GitHub. The largest of the three had been running for more than a year, its victims overwhelmingly corporate mailboxes. The three got past MFA in two mechanically different ways, one by proxying the live login , one by abusing a legitimate Microsoft sign-in flow. The two need different defenses, which is the part that matters most if you run Microsoft 365. Directory listing on a working attack server is close to a full confession. The listing exposed phishing conf...
New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

Jul 10, 2026 Malware / Enterprise Security
The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON . Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure , which compromises multiple distributors. "These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families," QiAnXin said . One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON's requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare's Content Delivery Networ...
Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Jul 10, 2026 Cybercrime / Website Security
A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites. Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside. The operation, now tracked as WP-SHELLSTORM , is what  SOCRadar  calls a webshell access brokerage: a crew that breaks into sites at scale, plants a hidden backdoor (a "webshell") on each, and packages that access for resale. The strongest activity hit WordPress sites running out-of-date plugins. If you run WordPress or Joomla, the two flaws that mattered most were in the Breeze caching plugin and Joomla's JCE editor; skip to the checklist below if that's you. A forgotten server Two teams dug into the same exposed folder. SOCRadar's threat intelligence team spotted it on June 11, 2026, on a U...
Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

Jul 10, 2026 Enterprise Security / Authentication
A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks. The threat actor, tracked by Okta under the moniker O-UNC-066 , has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process . The activity has singled out food and beverage, technology, healthcare, automotive, construction, and aviation industries. "The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing ('vishing') scheme," Okta researcher Houssem Eddine Bordjiba said . "The threat actor then calls targeted users on the phone in an attempt to persuade them that they need to register a new passkey." Users are then directed to a phishing kit that's identical to the Microsoft passkey enrollment process, giving the impression that th...
Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets

Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets

Jul 10, 2026 Cryptocurrency / Vulnerability
Security firm  Coinspect  has disclosed a crypto wallet flaw it calls  Ill Bloom , and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. The firm has confirmed one coordinated sweep on May 27 that drained about $3.1 million from 431 wallets, and it told The Hacker News that a further $2.1 million in USDT was stolen from an exposed wallet afterward, pushing confirmed losses past $5 million. As the firm puts it, "if funds recently moved without your permission, this vulnerability may be why." Most people are probably fine. Coinspect says wallets created on hardware devices are not affected, and most mainstream software wallets are not either. The real risk sits with older or lesser-known wallets, both mobile apps and browser extensions, some dating back to 2018. It has not...
Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks

Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks

Jul 10, 2026 Cybercrime / Law Enforcement
A 41-year-old former ransomware negotiator has been sentenced to nearly six years (i.e., 70 months) in prison in the U.S. for their role in conspiring with the now-defunct BlackCat ransomware operators to extort multiple victims and working with two other cybersecurity professionals to target additional victims in 2023. In a sentencing memorandum , federal prosecutors described Martino as a "double agent working to maximize the harm to his clients and the financial gain to cybercriminals who paid him a part of the ransom." Angelo Martino, 41, of Land O'Lakes, Florida, pleaded guilty to one-count information charging him with conspiring to interfere with interstate commerce through extortion back in April. The defendant worked as a negotiator on behalf of five different ransomware victims, while providing BlackCat attackers with confidential information regarding their negotiating position and strategy without their knowledge or permission. This information incl...
ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

Jul 09, 2026 Hacking News / Cybersecurity News
Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it. This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives. The full ThreatsDay list is below. Global fraud bust Global Operation Leads to ~6K Arrests A global anti-fraud operation involving 97 countries and territories has resulted in the arrest of 5,811 individuals and the interception of $293 million in illicit assets as part of an operation codenamed First Light 2026 that took place between January 15 and April 30, 2026, to tackle social engineering scams and associated money laundering activities. "Over 142,000 victims globally were identified during Operation First Light 2026, highlighting the extent to which social engineering scams and fraud have escalated ...
GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses

GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses

Jul 09, 2026 Malware / Endpoint Security
Cybersecurity researchers have flagged a new ransomware family called GodDamn that employs the PoisonX kernel driver to neutralize security software as part of its defense evasion strategy. According to a new report published by the Threat Hunter Team from Symantec, the ransomware was first publicly spotted in the wild on May 21, 2026. It's assessed to be a rebrand of the Beast ransomware, which, in turn, was an enhanced version of Monster , a Delphi-based ransomware that surfaced in March 2022. Broadcom's cybersecurity arm is tracing the developer behind these ransomware families under the moniker Hyadina. In one attack orchestrated by the ransomware operation in early June 2026, the threat actors are said to have leveraged AnyDesk for remote access and used a NirSoft-based credential harvesting toolkit before deploying the ransomware. The exact initial access vector is unknown. The credential harvester is designed to extract sensitive data from common web browsers, W...
Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Jul 09, 2026 Malware / Threat Intelligence
Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. One such campaign, observed earlier this year, involved the actor luring victims with a trojanized 7-Zip installer hosted on a domain named "7zip[.]com," covertly recruiting compromised devices as proxy nodes. Lurking Lizard is also known to impersonate major proxy providers, including IPIDEA , SmartProxy (now Decodo), IP Royal, and 911Proxy, not to mention going to the extent of running fake "independent" review sites to drive traffic to its own scam storefronts. Interestingly, IPIDEA's infrastructure was dismantled by Google in an operation earlier this January.
SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

Jul 08, 2026 Cybercrime / AI Security
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045 , involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed SCMBANKER . Some components of the malware date back to October 2025. "Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard," security researchers Jia Yu Chan and Salim Bitam said . "For a full takeover, they can also deploy a commercial remote-access tool." SCMBANKER is specifically designed to go after Mexico's financial ecosystem, with evidence pointing to the use of a large...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources