#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

Malware | Breaking Cybersecurity News | The Hacker News

Category — Malware
Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

Apr 30, 2025 Artificial Intelligence / Email Security
As the field of artificial intelligence (AI) continues to evolve at a rapid pace, new research has found how techniques that render the Model Context Protocol ( MCP ) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable. MCP, launched by Anthropic in November 2024, is a framework designed to connect Large Language Models (LLMs) with external data sources and services, and make use of model-controlled tools to interact with those systems to enhance the accuracy, relevance, and utility of AI applications. It follows a client-server architecture, allowing hosts with MCP clients such as Claude Desktop or Cursor to communicate with different MCP servers, each of which exposes specific tools and capabilities. While the open standard offers a unified interface to access various data sources and even switch between LLM providers, they also come with a new set of risks, ranging from excess...
Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

Apr 30, 2025 Malware / DNS Security
A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks. "Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration ( SLAAC ) spoofing , to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers," ESET researcher Facundo Muñoz said in a report shared with The Hacker News. The attack paves the way for a malicious downloader that's delivered by hijacking the software update mechanism associated with Sogou Pinyin. The downloader then acts as a conduit to drop a modular backdoor codenamed WizardNet. This is not the first time Chinese threat actors have abused Sogou Pinyin's software update process to deliver their own malware. In Janu...
cyber security

10 Steps to Microsoft 365 Cyber Resilience

websiteVeeamCyber Resilience / Data Security
75% of organizations get hit by cyberattacks, and most report getting hit more than once. Read this ebook to learn 10 steps to take to build a more proactive approach to securing your organization's Microsoft 365 data from cyberattacks and ensuring cyber resilience.
Customer Account Takeovers: The Multi-Billion Dollar Problem You Don’t Know About

Customer Account Takeovers: The Multi-Billion Dollar Problem You Don't Know About

Apr 30, 2025 Malware / Data Breach
Everyone has cybersecurity stories involving family members. Here's a relatively common one. The conversation usually goes something like this:  "The strangest thing happened to my streaming account. I got locked out of my account, so I had to change my password. When I logged back in, all my shows were gone. Everything was in Spanish and there were all these Spanish shows I've never seen before. Isn't that weird?" This is an example of an account takeover attack on a customer account. Typically what happens is that a streaming account is compromised, probably due to a weak and reused password, and access is resold as part of a common digital black market product, often advertised as something like "LIFETIME STREAMING SERVICE ACCOUNT - $4 USD." In the grand scheme of things, this is a relatively mild inconvenience for most customers. You can reset your credentials with a much stronger password, call your bank to issue a new credit card and be back to binge-watching The Crown i...
cyber security

The Ultimate Guide to SaaS Identity Security in 2025

websiteWing SecuritySaaS Security / Identity Threat Detection
Discover how to protect your SaaS apps from identity-based breaches with this expert 2025 guide—learn practical steps to secure every account and keep your data safe.
Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks

Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks

Apr 30, 2025 Threat Intelligence / Malware
Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022. RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging bulletproof hosting to maintain persistence and evade detection," Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. Nebulous Mantis, also tracked by the cybersecurity community under the names CIGAR , Cuba , Storm-0978, Tropical Scorpius, UNC2596 , and Void Rabisu , is known to target critical infrastructure, government agencies, political leaders, and NATO-related defense organizations. Attack chains mounted by the group typically involve the use of spear-phishing emails with weaponized document links to distribute RomCom RAT. The domains and command-and-c...
RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control

RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control

Apr 30, 2025 Cybercrime / Threat Intelligence
Cybersecurity researchers have revealed that RansomHub 's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among affiliates of the ransomware-as-a-service (RaaS) operation. Singaporean cybersecurity company Group-IB said that this may have caused affiliates to migrate to Qilin, given that "disclosures on its DLS [data leak site] have doubled since February."  RansomHub, which first emerged in February 2024, is estimated to have stolen data from over 200 victims. It replaced two high-profile RaaS groups, LockBit and BlackCat, to become a frontrunner, courting their affiliates, including Scattered Spider and Evil Corp , with lucrative payment splits. "Following a possible acquisition of the web application and ransomware source code of Knight (formerly Cyclops), RansomHub quickly rose in the ransomware scene, thanks to the dynamic features of its multi-platform encryptor and an aggressive, affiliate-friendly ...
New Reports Uncover Jailbreaks, Unsafe Code, and Data Theft Risks in Leading AI Systems

New Reports Uncover Jailbreaks, Unsafe Code, and Data Theft Risks in Leading AI Systems

Apr 29, 2025 Vulnerability / Artificial Intelligence
Various generative artificial intelligence (GenAI) services have been found vulnerable to two types of jailbreak attacks that make it possible to produce illicit or dangerous content. The first of the two techniques, codenamed Inception, instructs an AI tool to imagine a fictitious scenario, which can then be adapted into a second scenario within the first one where there exists no safety guardrails . "Continued prompting to the AI within the second scenarios context can result in bypass of safety guardrails and allow the generation of malicious content," the CERT Coordination Center (CERT/CC) said in an advisory released last week. The second jailbreak is realized by prompting the AI for information on how not to reply to a specific request.  "The AI can then be further prompted with requests to respond as normal, and the attacker can then pivot back and forth between illicit questions that bypass safety guardrails and normal prompts," CERT/CC added. Success...
SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients

SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients

Apr 29, 2025 Threat Intelligence / Cyber Espionage
Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure and some of its high-value customers. "We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees," security researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter said in an analysis published Monday. PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15 , which is also tracked as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda. The adversarial collective has also been observed targeting an unnamed South Asian government-supporting entity in October 2024, employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell. The implant, written in the Go programming language, repurp...
Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products

Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products

Apr 29, 2025 Enterprise Security / Vulnerability
Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but an increase from 63 the year before. Of the 75 zero-days, 44% of them targeted enterprise products. As many as 20 flaws were identified in security software and appliances. "Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year," the Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker news. "Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices." While Microsoft Windows accounted for 22 of the zero-day flaws exploited in 2024, Apple's Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one flaw that were abused during the same period. Three of the seven zero-days ...
Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool

Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool

Apr 29, 2025 Cybersecurity / Malware
In a new campaign detected in March 2025, senior members of the World Uyghur Congress (WUC) living in exile have been targeted by a Windows-based malware that's capable of conducting surveillance. The spear-phishing campaign involved the use of a trojanized version of a legitimate open-source word processing and spell check tool called UyghurEdit++ developed to support the use of the Uyghur language. "Although the malware itself was not particularly advanced, the delivery of the malware was extremely well customized to reach the target population and technical artifacts show that activity related to this campaign began in at least May of 2024," the Citizen Lab said in a Monday report. The investigation, according to the digital rights research laboratory based at the University of Toronto, was prompted after the targets received notifications from Google warning that their accounts had been at the receiving end of government-backed attacks. Some of these alerts we...
⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

Apr 28, 2025 Cybersecurity / Hacking News
What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed. This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground. ⚡ Threat of the Week Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections. ...
Expert Insights / Articles Videos
Cybersecurity Resources