DNS Tunneling | Breaking Cybersecurity News | The Hacker News

The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations. The framework includes at least two different types of clients, HTTP-based and Domain Name System ( DNS )-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research. The activity has been attributed to Storm-2603 , which, according to Microsoft, is a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware. A previously unreported threat cluster, evidence gathered following an analysis of VirusTotal artifacts shows that the group may have been active since at least March 2025, deploying ransomware families like LockBit Black and Warlock together – something that's not observed commonly among established e-c...

An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. The activity is tied to a threat group ESET tracks as BladedFeline , which is assessed with medium confidence to be a sub-cluster within OilRig , a known Iranian nation-state cyber actor. It's said to be active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG). "This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG," the Slovak cybersecurity company said in a technical report shared with The Hacker News. "BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq." BladedFeline was first documented by ESET in Ma...

Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts. "Skitnet has been sold on underground forums like RAMP since April 2024," Swiss cybersecurity company PRODAFT told The Hacker News. "However, since early 2025, we have observed multiple ransomware operators using it in real-world attacks."  "For example, in April 2025, Black Basta leveraged Skitnet in Teams-themed phishing campaigns targeting enterprise environments. With its stealth features and flexible architecture, Skitnet appears to be gaining traction rapidly within the ransomware ecosystem." Skitnet , also called Bossnet , is a multi-stage malware developed by a threat actor tracked by the company under the name LARVA-306. A notable aspect of the malicious tool is that it uses programming languages like Rust and Nim to launch a reverse shell over DNS and evade detecti...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago. "Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks," Zscaler ThreatLabz said in a Tuesday report. "These modifications provide additional layers of resilience against detection and mitigation." ZLoader , also referred to as Terdot, DELoader, or Silent Night, is a malware loader that's equipped with the ability to deploy next-stage payloads. Malware campaigns distributing the malware were observed for the first time in almost two years in September 2023 after its infrastructure was taken down. In addition to incorporating various...

Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Styra's Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data. "Since these are hardened languages with limited capabilities, they're supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof." OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments, such as microservices, CI/CD pipelines, and Kubernetes. Policies are defined using a native query language called Rego which are then evaluated by OPA to return a decision. The attack method devised by Tenable targets the supply ...

A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are presently unknown as are the objectives behind the attack. The initial access vector that likely facilitated the deployment of Msupedge is said to involve the exploitation of a recently disclosed critical flaw impacting PHP ( CVE-2024-4577 , CVSS score: 9.8), which could be used to achieve remote code execution . The backdoor in question is a dynamic-link library (DLL) that's installed in the paths "csidl_drive_fixed\xampp\" and "csidl_system\wbem\." One of the DLLs, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process for the second ...

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed  MadMxShell . "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh  said . As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine. While this is  not the first time  threat actors are  banking  on  malvertising techniques  to serve malware via lookalike sites, the development marks the first time the delivery vehicle is being used to propagate a ...

An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed  Decoy Dog  targeting enterprise networks. Decoy Dog , as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion. "Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level," Infoblox  said  in an advisory published late last month. The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure. That said, the usage of Decoy Dog in the wild is "very rare," with the DNS signature matching less than 0.0000027%...