Endpoint Protection | Breaking Cybersecurity News | The Hacker News

The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate like Google Chrome and Microsoft Teams, according to Elastic Security Labs. "The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market," security researchers Jia Yu Chan and Salim Bitam said . "These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse." Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 in connection with a campaign ...

Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape. SentinelOne's steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control. Cybersecurity today isn't just about detection—it's about operational continuity under pressure. For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. ...

The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver ( BYOVD ) attack aimed at disarming security solutions installed on compromised hosts. The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that's assessed to be built upon Zemana Anti-Malware SDK. "This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist , and not detected by community projects like LOLDrivers," Check Point said in an analysis. The attack is characterized by a dual-driver strategy, where a known vulnerable Zemana driver ("zam.exe") is used for Windows 7 machines, and the undetected WatchDog driver for systems that run on Windows 10 or 11. The WatchDog Anti-malware driver has been found to contain mu...

SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said . "Instead, there is a significant correlation with threat activity related to CVE-2024-40766." CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices. "An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash," it noted in an advisory at the time. SonicWall also said it's investigating less than 40 incidents related to this activity, and that many of ...

Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been pretty consistent: Compromise an endpoint via software exploit, or social engineering a user to run malware on their device;  Find ways to move laterally inside the network and compromise privileged identities; Repeat as needed until you can execute your desired attack — usually stealing data from file shares, deploying ransomware, or both.  But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally deployed and centrally managed in the way they used to be. Instead, they're logged into over the internet, and accessed via a web browser. Attacks have shifted from targeting local networks to SaaS services, accessed through employee web browsers. Under the shared responsibility model, the part that's left to the business consuming a SaaS service is mostly constrained to how they ma...

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems. The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 ." The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that's known to drop Warlock and LockBit ransomware in the past. The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload. "This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint," Microsoft said. "Storm-2603 then initiates a series of discovery commands, incl...

The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. "LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets. EncryptHub's focus on Web3 developers isn't random—these individuals often manage crypto wallets, access to smart contract repositories, or sensitive test environments. Many operate as freelancers or work across multiple decentralized projects, making them harder to protect wit...

Despite years of investment in Zero Trust, SSE, and endpoint protection, many enterprises are still leaving one critical layer exposed: the browser. It's where 85% of modern work now happens. It's also where copy/paste actions, unsanctioned GenAI usage, rogue extensions, and personal devices create a risk surface that most security stacks weren't designed to handle. For security leaders who know this blind spot exists but lack a roadmap to fix it, a new framework may help. The Secure Enterprise Browser Maturity Guide: Safeguarding the Last Mile of Enterprise Risk , authored by cybersecurity researcher Francis Odum, offers a pragmatic model to help CISOs and security teams assess, prioritize, and operationalize browser-layer security. It introduces a clear progression from basic visibility to real-time enforcement and ecosystem integration, built around real-world threats, organizational realities, and evolving user behavior. Why the Browser Has Become the Security Blind Spot Over ...

A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware . "To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid," Check Point said in a new report published Monday. The cybersecurity company said the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what's called a bring your own vulnerable driver ( BYOVD ) attack. As many as 2,500 distinct variants of the legacy version 2.0.2 of the vulnerable RogueKiller Antirootkit Driver, truesight.sys, have been identified on the VirusTotal platform, although the number is believed to be likely higher. The EDR-killer module...

In the past year, cross-domain attacks have gained prominence as an emerging tactic among adversaries. These operations exploit weak points across multiple domains – including endpoints, identity systems and cloud environments – so the adversary can infiltrate organizations, move laterally and evade detection. eCrime groups like SCATTERED SPIDER and North Korea-nexus adversaries such as FAMOUS CHOLLIMA exemplify the use of cross-domain tactics, leveraging advanced techniques to exploit security gaps across interconnected environments.  The foundation of these attacks is built around the exploitation of legitimate identities. Today's adversaries no longer "break in"; they "log in" – leveraging compromised credentials to gain access and blend seamlessly into their targets. Once inside, they exploit legitimate tools and processes, making them difficult to detect as they pivot across domains and escalate privileges. The Current State of Identity Security The rise in cross-domain...

A new attack campaign has targeted known Chrome browser extensions, leading to at least 35 extensions being compromised and exposing over 2.6 million users to data exposure and credential theft. The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens. The first company to shed light the campaign was cybersecurity firm Cyberhaven, one of whose employees was targeted by a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension. On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external command-and-control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data. The phishing email, which purported...

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders is to keep IT environments up and running. To guard against cyber threats and prevent data breaches, it's vital to understand the current cybersecurity vendor landscape and continually assess the effectiveness of available solutions. Luckily, the 2024 MITRE ATT&CK Evaluation — the most widely trusted resource to track which solutions are effective — is now available. This practical guide distills key takeaways and advice to interpret the results. Cynet was the only vendor to achieve 100% Visibility and 100% Protection in the 2024 Evaluation. That means the All-in-One Cybersecurity Platform detected 100% of the threats tested in the Detection Phase and blocked 100% of the attacks simulated in the Protection Phase of the Evaluation. Moreover, Cynet achieved the 100% detection with no false positives. "These 2024 MITRE ATT&CK Evaluation results reflect o...