Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure. "Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site," Arctic Wolf said in a report published last week. Exclusively targeted IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain ("gitpage[.]app"). The first-stage malware delivered using poisoned search result...

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it's knowing which risks matter most right now. That's what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It's a sharp reminder of how fragile integrations can become the weak link in enterprise defenses. Alongside this, we'll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise. ⚡ Threat of the Week Salesloft to Take Drift Of...

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments," security researcher Subhajeet Singha said . The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer." The email, per the cybersecurity compa...

A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. "The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor," Socket researcher Kush Pandya said in an analysis. The packages were uploaded to npm by a user named " flashbotts ," with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025. The packages in question, all of which are still available for download as of writing, are listed below - @flashbotts/ethers-provider-bundle (52 Downloads) flashbot-sdk-eth (467 Downloads) sdk-ethers (90 Downloads) gram-utilz (83 Downloads) The impersonation of Flashbots is not coincidental, given its role in combating the adverse effects of...

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability , tracked as CVE-2025-53690 , carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said . "This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution." Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team ...

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT . "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group said . The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders. CastleLoader (aka CastleBot) was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. A subsequent anal...

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal , are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia. The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed. The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods. In all, as ...

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor "is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," S2 Grupo's LAB52 threat intelligence team said . "When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim's computer." The artifact gets its name from the use of the word "Nothing" within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel. The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it's deployed via Microsoft's OneDrive executable ("onedrive.exe") using a t...

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024. "While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website," ESET researcher Fernando Tavella said in a report shared with The Hacker News. "Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the ...

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X's malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok. The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking. The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion. To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the "From:" metadata field below the video player by taking advantage of the fact that it's not scanned by the social media platform. It's worth mentioning here that the "From:" field is t...

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar. "The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below - colortoolsv2 (7 downloads) mimelib2 (1 download) The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them. While the packages themselves make no effort to conceal their malici...

An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice . "Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication," the company said . "Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension." The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to "Enable Content" in order to execute an embedded Visual Basic for Application...

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud." The entire attack lasted only about 35 seconds, with the company stating its "defenses have been working overtime." Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions. Such attacks are often conducted by sending the requests from botnets that are already under the control of the threat actors after having infected t...

The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE. The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee's system. "From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections," Yun Zheng Hu and Mick Koomen said . "Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack." The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim. Although the exact initial ...

Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems. "MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management," QiAnXin XLab said in a report published last week. "Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility." MystRodX, also called ChronosRAT, was first documented by Palo Alto Networks Unit 42 last month in connection with a threat activity cluster called CL-STA-0969 that it said exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda. The malware's stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network co...

The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver ( BYOVD ) attack aimed at disarming security solutions installed on compromised hosts. The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that's assessed to be built upon Zemana Anti-Malware SDK. "This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist , and not detected by community projects like LOLDrivers," Check Point said in an analysis. The attack is characterized by a dual-driver strategy, where a known vulnerable Zemana driver ("zam.exe") is used for Windows 7 machines, and the undetected WatchDog driver for systems that run on Windows 10 or 11. The WatchDog Anti-malware driver has been found to contain mu...