Information security | Breaking Cybersecurity News | The Hacker News

Threat actors have observed the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025. NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real-time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands. Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files. "ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads," eSentire said in an...

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions. The vulnerability, tracked as CVE-2025-25064 , carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4. Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by "manipulating a specific parameter in the request." Zimbra also said it addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier. "The fix strengthens input sanitization and enhances security," the company said in an a...

Threat actors have been observed exploiting recently disclosed security flaws in SimpleHelp's Remote Monitoring and Management (RMM) software as a precursor for what appears to be a ransomware attack. The intrusion leveraged the now-patched vulnerabilities to gain initial access and maintain persistent remote access to an unspecified target network, cybersecurity company Field Effect said in a report shared with The Hacker News. "The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware," security researchers Ryan Slaney and Daniel Albrecht said . The vulnerabilities in question, CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 , were disclosed by Horizon3.ai last month. Successful exploitation of the security holes could allow f...

Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT. The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China. "This actor has increasingly targeted key roles within organizations—particularly in finance, accounting, and sales department — highlighting a strategic focus on high-value positions with access to sensitive data and systems," Morphisec researcher Shmuel Uzan said in a report published earlier this week. Early attack chains have been observed delivering ValleyRAT alongside other malware families such as Purple Fox and Gh0st RAT, the latter of which has been extensively used by various Chinese hacking groups . As recently as last month, counterfeit installers for legitimate software have served as a distribution mechanism for t...

The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC). The attacks commence with phishing emails containing a Windows shortcut (LNK) file that's disguised as a Microsoft Office or PDF document. Opening this attachment triggers the execution of PowerShell or mshta.exe, a legitimate Microsoft binary designed to run HTML Application (HTA) files, that are responsible for downloading and running next-stage payloads from an external source. The South Korean cybersecurity company said the attacks culminated in the deployment of a known trojan dubbed PEBBLEDASH and a custom version of an open-source Remote Desktop utility named RDP Wrapper . Also delivered as part of the attacks is a proxy malware that allows the threat actors to establish persistent communications with an external ...

Taiwan has become the latest country to ban government agencies from using Chinese startup DeepSeek's Artificial Intelligence (AI) platform, citing security risks. "Government agencies and critical infrastructure should not use DeepSeek, because it endangers national information security," according to a statement released by Taiwan's Ministry of Digital Affairs, per Radio Free Asia . "DeepSeek AI service is a Chinese product. Its operation involves cross-border transmission, and information leakage and other information security concerns." DeepSeek's Chinese origins have prompted authorities from various countries to look into the service's use of personal data. Last week, it was blocked in Italy, citing a lack of information regarding its data handling practices. Several companies have also prohibited access to the chatbot over similar risks. The chatbot has captured much of the mainstream attention over the past few weeks for the fact tha...

The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE. "This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News. UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It's suspected to share links with a known Russian state-sponsored actor called APT28. Merely weeks later, the Compu...

Broadcom has alerted of a high-severity security flaw in VMware Avi Load Balancer that could be weaponized by malicious actors to gain entrenched database access. The vulnerability, tracked as CVE-2025-22217 (CVSS score: 8.6), has been described as an unauthenticated blind SQL injection. "A malicious user with network access may be able to use specially crafted SQL queries to gain database access," the company said in an advisory issued Tuesday. Security researchers Daniel Kukuczka and Mateusz Darda have been acknowledged for discovering and reporting the vulnerability. It affects the following version of the software - VMware Avi Load Balancer 30.1.1 (Fixed in 30.1.2-2p2) VMware Avi Load Balancer 30.1.2 (Fixed in 30.1.2-2p2) VMware Avi Load Balancer 30.2.1 (Fixed in 30.2.1-2p5) VMware Avi Load Balancer 30.2.2 (Fixed in 30.2.2-2p2) Broadcom further noted that versions 22.x and 21.x are not susceptible to CVE-2025-22217, and that users running version 30.1.1 must...

Cybersecurity reporting is a critical yet often overlooked opportunity for service providers managing cybersecurity for their clients, and specifically for virtual Chief Information Security Officers (vCISOs). While reporting is seen as a requirement for tracking cybersecurity progress, it often becomes bogged down with technical jargon, complex data, and disconnected spreadsheets that fail to resonate with decision-makers. The result? Clients who struggle to understand the value of your work and remain uncertain about their security posture. But what if reporting could be transformed into a strategic tool for aligning cybersecurity with business goals? What if your reports empowered clients, built trust, and showcased cybersecurity as a driver of business success? That’s exactly the focus of Cynomi’s new guide— “ Taking the Pain Out of Cybersecurity Reporting: The Guide to Mastering vCISO Reports .” This resource helps vCISOs reimagine reporting as an opportunity to create value,...

2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and TicketMaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter right now. Lumma Lumma is a widely available malware designed to steal sensitive information. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details. Lumma is regularly updated to enhance its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can be used to install other malicious software on infected devices. In 2024, Lumma was distributed through various methods...

Cybersecurity researchers have discovered two malicious packages uploaded to the Python Package Index (PyPI) repository that impersonated popular artificial intelligence (AI) models like OpenAI ChatGPT and Anthropic Claude to deliver an information stealer called JarkaStealer. The packages, named gptplus and claudeai-eng , were uploaded by a user named " Xeroline " in November 2023, attracting 1,748 and 1,826 downloads, respectively. Both libraries are no longer available for download from PyPI. "The malicious packages were uploaded to the repository by one author and, in fact, differed from each other only in name and description," Kaspersky said in a post. The packages purported to offer a way to access GPT-4 Turbo API and Claude AI API, but harbored malicious code that initiated the deployment of the malware upon installation. Specifically, the "__init__.py" file in these packages contained Base64-encoded data that incorporated code to download ...

Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza . BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security researcher Ryan Robinson said in a report published Sunday. Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software. Loaders have become an increasingly prevalent method to deliver malware, like stealers or ransomware, often acting as the first stage in an attack chain in a manner that sidesteps traditional antivirus defenses by incorporating a be...

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said . The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfare. The phishing domains have been found to use top-level domains (TLDs) such as .top, .shop, .store, and .vip, often typosquatting legitimate e-commerce organi...

In an unusually specific campaign, users searching about the legality of Bengal Cats in Australia are being targeted with the GootLoader malware. "In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: 'Are Bengal Cats legal in Australia?,'" Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in a report published last week. GootLoader , as the name implies, is a malware loader that's typically distributed using search engine optimization (SEO) poisoning tactics for initial access. Specifically, the malware is deployed onto victim machines when searching for certain terms like legal documents and agreements on search engines like Google surface booby-trapped links pointing to compromised websites that host a ZIP archive containing a JavaScript payload. Once installed, it makes way for a second-stage malware, often an...