-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Malware | Breaking Cybersecurity News | The Hacker News

Category — Malware
ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

Jul 02, 2026 Hacking News / Cybersecurity News
This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break. It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs through the stories below.
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Jul 02, 2026 Artificial Intelligence / Malware
Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company's production database. Ransomware has always needed a skilled person somewhere in the loop, either at the keyboard or writing the script the malware follows. If a model can chain those steps on its own, the skill needed to run an attack drops to whatever it costs to rent an AI agent. The way in was an old, already-patched bug. JADEPUFFER exploited  CVE-2025-3248 , a missing-authentication flaw in  Langflow , an open-source tool for building AI apps and agent workflows. The flaw lets anyone who can reach the server run their own Python code on it, no login needed. Langflow boxes are a tempting target because they often sit ...
New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Jul 02, 2026 Malware / Vulnerability Research
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC , travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine.  YesWeHack and Sekoia  published their joint findings on July 1 and warned that, as of that report, the malware and its servers were still live, so do not run any of these PoCs. The trick is where the code sits. The visible PoC looks clean. The malware hides in a Python package that the PoC pulls in as a dependency, so it slips past a quick code review. How the trap works The bait is time pressure. When a big flaw drops, researchers race to test it and grab community PoCs to move fast. This campaign turns that habit into an infection route. The chain, in plain terms: You clone the repo and r...
cyber security

The Systems That Power America Are Under Threat. Is Your ICS/OT Program Ready?

websiteSANS InstituteCritical infrastructure / Webinar
Discover where federal ICS programs are most exposed and what closing the skills gap requires in practice.
cyber security

Inside Device Code Phishing: Live Demos, Real Kits, and What's Next

websitePush SecurityPhishing Attack / Webinar
Device code attacks are up 37x this year, with 18+ kits in the wild. Now available on-demand.
SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

Jul 01, 2026 Malware / SEO Poisoning
Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT . Kaspersky said the activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others. The Russian cybersecurity company said it identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Some of these domains were set up between August 2025 and March 2026. "The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library," security researcher Denis Kulik said . "It is loaded onto the device via DLL side-loading and deploys the ScreenConnect service, which awaits further instructions from the thr...
VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

Jul 01, 2026 Malware / Cyber Attack
Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs . The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise , which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker's control. "The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger ("htlwub00klocate.blogspot[.]com"), allowing the ...
Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

Jul 01, 2026 Endpoint Security / Malware
A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal.  Fortinet's FortiGuard Labs  identified the campaign in May 2026. It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image. The goal is the usual one: steal banking logins and take over accounts. Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control. Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. How the attack works It starts with a phishing PDF disguised as a corrupted file. Th...
AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android

AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android

Jul 01, 2026 Browser Security / Ransomware
Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining "unrealistic browser-malware concepts with a real browser capability" to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices. "This is the first documented case where a frontier AI model independently bridged the gap between a theoretical browser-only ransomware risk and a practical, working attack chain – surfacing a novel attack path that defenders had previously dismissed as unfeasible due to browser sandboxing limits," Check Point said in a statement shared with The Hacker News. "The expertise needed to discover a new attack path is no longer the bottleneck, and defenders need to account for that shift now — before threat actors operationalize it at scale." The identified sample is a Python Flask application named " deepseek_python_20260125_da...
2026 Cybersecurity Assessment: The Gap Between Awareness and Resilience

2026 Cybersecurity Assessment: The Gap Between Awareness and Resilience

Jul 01, 2026 Attack Surface / Artificial Intelligence
Organizations have never had greater awareness of cyber risk. Yet turning that awareness into operational resilience has never been more challenging. The 2026 Bitdefender Cybersecurity Assessment confirms this is the case, as this year's findings reveal a series of surprising contradictions. Here are a few examples, based on the independent survey of 1,200 IT and cybersecurity professionals across six countries. IT & security leaders believe they have sufficient visibility into employee AI usage, while many frontline practitioners disagree .  Security teams understand the importance of reducing the attack surface, yet they often lack the skills, resources, or strategy to do so.  AI dominates cybersecurity conversations, but in some cases, it is drawing attention away from more prevalent attack techniques already causing significant damage.  Although organizations say they recognize the importance of transparency after a breach, many professionals st...
Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Jul 01, 2026 Artificial Intelligence / Threat Intelligence
Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way. Palo Alto Networks' Unit 42 calls the trick phantom squatting , and its new research shows it is already happening in the wild. The reason it matters is trust. Developers and AI assistants increasingly treat the links a model hands back as real. When a model invents a domain that does not exist yet, whoever registers it first inherits all of that misplaced trust, with no phishing email and no malicious ad required. To measure the problem, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, healthcare, government, gambling, and other sectors. The models produced 2.1 million links. Threat intelligence already flagged 13,229 of them as outright malicious, meaning the AI was handing out known-ba...
Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

Jul 01, 2026 Threat Intelligence / Social Engineering
ClickFix , the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake "prove you're human" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning. Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at  OrangeCon  in early June and  published the details  on June 30. ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself. There's usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional emai...
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS

RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS

Jun 30, 2026 Botnet / Vulnerability
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles. RustDuck is one more entrant in a crowded field, but it stands out for two reasons. It is being rewritten from the C programming language into Rust, and its newer versions go to unusual lengths to avoid being studied or shut down. How it spreads RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their rem...
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Jun 30, 2026 Vulnerability / Malware
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026. "In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached," Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week. At a high level, the malware is designed to terminate competing cryptocurrency miner processes associated with Kinsing , WatchDog , Rocke , and Outlaw ,...
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

Jun 29, 2026 Browser Security / Web Security
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Microsoft says Google removed it from the store after responsible disclosure. The extension was called "Search for perplexity ai" (ID flkebkiofojicogddingbdmcmkpbplcd) and used a look-alike domain, perplexity-ai[.]online, to pass for the real service at perplexity.ai. Microsoft's Defender research team  says the point was to intercept searches and collect data. It found no proof of password theft, but far more access than a search box should ever need. Once installed, the extension sets itself as the browser's default search engine. When you searched, the query went first to perplexity-ai[.]online, where the attacker's server logged it with your browser headers, IP address,...
Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

Jun 29, 2026 Threat Intelligence / Malware
The China-aligned espionage group  Mustang Panda  is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit  found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with  CERT-In  on notification and cleanup. The malware abuses  Zoho WorkDrive , a cloud storage platform common in India's government sector, to pass commands and exfiltrate data. That is the whole idea: the traffic looks like ordinary cloud activity, so it hides inside the network it is stealing from. Acronis names three new tools. SHARDLOADER is a loader that runs by sideloading a malicious DLL through a legitimately signed binary, a Solid PDF Creator executable in one campaign, and a Citrix Receiver binary in the other. It deploys one of two implants. MINIRECON is a rewor...
⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More

⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More

Jun 29, 2026 Cybersecurity / Hacking
This week was a reminder that attackers do not always need big tricks. One small mistake, one old access path, one missed patch, and suddenly the door is open. The noise is not all noise, either. Forums are talking, researchers are finding easy cracks, and defenders have more cleanup waiting. Here’s the full Monday recap. ⚡ Threat of the Week New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets — Cybersecurity researchers detailed a new variant of the Dirty Frag Linux kernel flaw. Called DirtyClone (aka CVE-2026-43503), it allows local users to gain root privileges via cloned packets. The exploit works successfully on Debian, Ubuntu, and Fedora systems with default namespace configurations. "Any local user on a server or device running a vulnerable kernel who holds or can acquire the CAP_NET_ADMIN capability (frequently obtainable via unprivileged user namespaces) [is exploitable]," JFrog said. "This poses the highest risk to multi-te...
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

Jun 29, 2026 Cloud Security / Malware
A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these efforts include Ukrainian governmental and military institutions. "Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine," ESET said . "The group's ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine." The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroS...
Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Jun 29, 2026 Supply Chain Attack / Cryptocurrency
Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts. "This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain 'compatible' with npm v12's security hardenings ," JFrog said in a technical analysis. "The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer. The names of the identified npm packages are listed below - html-to-gutenberg fetch-page-assets (which lists html-to-gutenberg as a dependency) The two packages were uploaded to npm on May 25, 2026, an...
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

Jun 26, 2026 Malware / Windows Security
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Kaspersky, which is tracking the activity under the moniker StrikeShark , said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.  "The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region," the Russian cybersecurity vendor said . The campaign does not exhibit direct links to any known threat actor or group, although the operators have utilized several open-source post-compromise tools like FScan and Pillager , which are commonly p...
Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

Jun 26, 2026 Cyber Espionage / Malware
A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062 , which Palo Alto Networks Unit 42 said shares overlaps with UAT-7237 , a hacking group that was first flagged by Cisco Talos in August 2025 in relation to a campaign directed against web infrastructure entities in Taiwan. Unit 42 said it also observed CL-STA-1062 campaigns in prior operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus in the region. "From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit," Unit 42 said in a technical report. "While they frequently use common open-source tools such as SoftEther ...
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Jun 26, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. "The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project," Socket said . The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows. The list of affected packages is below - hexo-deployer-wrangler@1.0.4 hexo-shoka-swiper@0.1.10 leo-auth@4.0.6 leo-aws@2.0.4 leo-cache@1.0.2 leo-cdk-lib@0.0.2 leo-cli@3.0.3 leo-config@1.1.1 leo-connector-elasticsearch@2.0.6 leo-connector-mongo@3.0.8 leo-connector-mysql@3.0.3 ...
Expert Insights Articles Videos
Cybersecurity Resources