Espionage | Breaking Cybersecurity News | The Hacker News

Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that's exactly what we saw in last week's activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, or reused login tokens. These aren't just tech issues — they're habits being exploited. Let's walk through the biggest updates from the week and what they mean for your security. ⚡ Threat of the Week Recently Patched Windows Flaw Comes Under Active Exploitation — A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates...

Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing national security concerns. "After considering threat and risk analysis, I have determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage," Stephanie Foster PSM, the Secretary of the Department of Home Affairs, said . "I have also considered the important need for a strong policy signal to critical infrastructure and other Australian governments regarding the unacceptable security risk associated with the use of Kaspersky Lab, Inc. products and web services." Foster further pointed out that entities are responsible for managing the risks arising from Kaspersky's extensive collection of user data and exposure of that data to extrajudicial di...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

OpenAI on Friday revealed that it banned a set of accounts that used its ChatGPT tool to develop a suspected artificial intelligence (AI)-powered surveillance tool. The social media listening tool is said to likely originate from China and is powered by one of Meta's Llama models , with the accounts in question using the AI company's models to generate detailed descriptions and analyze documents for an apparatus capable of collecting real-time data and reports about anti-China protests in the West and sharing the insights with Chinese authorities. The campaign has been codenamed Peer Review owing to the "network's behavior in promoting and reviewing surveillance tooling," researchers Ben Nimmo, Albert Zhang, Matthew Richard, and Nathaniel Hartley noted, adding the tool is designed to ingest and analyze posts and comments from platforms such as X, Facebook, YouTube, Instagram, Telegram, and Reddit. In one instance flagged by the company, the actors used ChatG...

The notorious North Korea-linked threat actor known as the  Lazarus Group  has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader. The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella. "Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, As...

The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services ( IIS ) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads. "The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe," ASEC explained . "They then execute the normal application to initiate the execution of the malicious DLL." DLL side-loading , similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory. Lazarus , a highly-capable and relentless nation-state group linked to North Korea, was most recently spotted leveraging the same t...

An OPSEC error by an Iranian threat actor has laid bare the inner workings of the hacking group by providing a rare insight into the "behind-the-scenes look into their methods." IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours worth of video recordings of the state-sponsored group it calls ITG18 (also called Charming Kitten , Phosphorous , or APT35 ) that it uses to train its operators. Some of the victims in the videos included personal accounts of U.S. and Greek Navy personnel, in addition to unsuccessful phishing attempts directed against U.S. state department officials and an unnamed Iranian-American philanthropist. "Some of the videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts," the researchers said. The IBM researchers said they found the videos on a virtual private cloud server that wa...

The United States Justice Department has unveiled charges against WikiLeaks founder Julian Assange with 17 new counts on the alleged violation of the Espionage Act by publishing classified information through WikiLeaks website. If convicted for all counts, Assange could face a maximum sentence of 175 years in U.S. prison for his "alleged role in one of the largest compromises of classified information in the history of the United States." Assange was arrested last month in London after Ecuador abruptly withdrew his asylum and later sentenced to 50 weeks in U.K. prison for breaching his bail conditions in 2012. The 47-year-old is currently facing extradition to the United States for his role in publishing thousands of classified diplomatic and military documents on WikiLeaks in 2010 that embarrassed the U.S. governments across the world. Though the previous indictment charged Assange with just one count of helping former Army intelligence analyst Chelsea Manning c...

Google has reportedly suspended all businesses with the world's second-biggest smartphone maker, Huawei, and revoked its Android license effective immediately—a move that will have a drastic impact on Huawei devices across the globe. Revoking Android license means Huawei future smartphones will no longer have access to Android updates and apps like Gmail or the Play Store, as well as Google technical support beyond services that are publicly available via open source licensing, Reuters report. Why? That's because last week, U.S. President Donald Trump signed an executive order declaring a national emergency banning foreign companies—over surveillance fear—from doing telecommunication business in the United States without the government's approval. About the executive order, White House Press Secretary Sarah Sanders said in a statement that President Trump "has made it clear that this Administration will do what it takes to keep America safe and prosperous, an...

The United States Department of Justice has announced espionage charges against a former US Air Force intelligence officer with the highest level of top-secret clearance for providing the Iranian government classified defense information after she defected to Iran in 2013. Monica Elfriede Witt , 39, was a former U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who served the Air Force between 1997 and 2008 and Department of Defense (DOD) as a contractor until 2010. The indictment states that Witt once held the highest level of Top Secret security clearance and had access to details of highly classified counterintelligence operations, real names of sources, and the identities of U.S. intelligence officers. In February 2012, Witt allegedly traveled to Iran to attend an all-expenses-paid "Hollywoodism" conference held by the Iranian New Horizon Organization, which DoJ describes as focused on promoting anti-U.S....

The decision of the United Nations investigation into the Julian Assange case is set to be revealed and could order the release of Wikileaks founder on February 5 . " BREAKING: UN set to announce decision on #Assange's release on Friday, "BREAKING: UN set to announce decision on #Assange's release on Friday," Wikileaks has tweeted . Assange has been living in the Ecuadorian embassy in London for over 3 years, after being granted political asylum by the Ecuadorian government of the South American country. Assange has been residing in the embassy since 2012 to avoid extradition: First to Sweden where he is facing sexual assault allegations, which he has always denied. Ultimately to the United States where he could face cyber espionage charges for publishing classified US military and diplomat documents via his website Wikileaks. The leak of publishing secret documents has amounted to the largest information leak in United States history ...

The United States has filed criminal charges against Chinese military officials for hacking and cyber espionage against several American companies. This case is first of its own kind in which the prosecutors have formally accused members of a foreign government with economic espionage charges. Attorney General Eric Holder and FBI are expected to reveal the new indictment later this afternoon, in which five officials of China's People's Liberation Army will be named, who are believed to be the current members of Beijing's military establishment. Accused chinese officials allegedly worked for the People's Liberation Army and have spied on U.S companies and stolen trade secrets. The alleged hackers are said to work for the PLA's Unit 61398 in Shanghai. Among the trade secrets, they are also accused for stealing information about a nuclear power plant design and a solar panel company's cost and pricing data, " They used military and intelligence faci...

The Iranian hacking group, which calls itself the " Ajax Security Team ", was quite famous from last few years for websites defacement attacks , and then suddenly they went into dark since past few months. But that doesn't mean that the group was inactive, rather defacing the websites, the group was planning something bigger. The Group of hackers at Ajax Security Team last defaced a website in December 2013 and after that it transitioned to sophisticated malware-based espionage campaigns in order to target U.S. defense organizations and Iranian dissidents, according to the report released by FireEye researchers. " The transition from patriotic hacking to cyber espionage is not an uncommon phenomenon. It typically follows an increasing politicization within the hacking community, particularly around geopolitical events ," researchers Nart Villeneuve, Ned Moran, Thoufique Haq and Mike Scott wrote in the report. " This is followed by increasing links between the hacking ...