Malware | Breaking Cybersecurity News | The Hacker News

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups. "The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box," Google said in a report published today. The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads - UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads UNC4108, a threat act...

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that's being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla , AsyncRAT , Formbook , Masslogger , Remcos RAT , Rhadamanthys Stealer , and Snake Keylogger . IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable. "The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL," security researcher Raymond Joseph Alfonso said . "This DLL, in turn, loads, decrypts, and injects the final payload into its target process....

A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks. Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their "strategic interest" to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022. The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code. It's worth noting that the security ...

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers, such as Perplexity's Comet , that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user's knowledge or intervention. "With PromptFix, the approach is different: We don't try to glitch the model into obedience," Guardio researchers Nati Tal and Shaked Chen said . "Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core des...

A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot . Ethan Foltz of Eugene, Oregon, has been identified as the administrator of the service, the U.S. Department of Justice (DoJ) said. The botnet has been used to carry out large-scale DDoS-for-hire attacks targeting victims in over 80 countries since at least 2021. Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz's residence on August 6, 2025, seizing administrative control of the botnet infrastructure. "RapperBot, aka 'Eleven Eleven Botnet' and 'CowBot,' is a Botnet that primarily compromises devices like Digital Video Recorders (DVRS) or Wi-Fi routers at scale by infecting those devices with specialized malware,"...

Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper . But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in a report shared with The Hacker News. "Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver , and Cloudflare Tunnels to maintain covert command and control over the long term," researchers Christina Johns, Chris Brook, and Tyler Edmonds said. The attacks exploit a maximum-severity security flaw in Apache ActiveMQ ( CVE-2023-46604 , CVSS score: 10.0), a remote code execution vulnerability that could be exploited to run arbitrary shell commands. It was addressed in late October 2023. The security defect has since come under heavy exploitation...

Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT . The malicious activity involves the "distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger," Kaspersky researcher Saurabh Sharma said in a technical analysis published today. The attacks, which have been active as recently as August 12, 2025, employ a technique called steganography to conceal within image files shellcode used to download the malware from a command-and-control (C2) server. The screen saver artifacts have been detected since September 9, 2024, targeting countries and territories like Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Assessed to be based on Gh0st RAT, GodRAT follows a plugin-based approach to augment its functionality in order to harvest sensitive information and deliver secondary payloads like AsyncRAT. It'...

The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region. "The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News. Noodlophile was previously detailed by the cybersecurity vendor in May 2025, uncovering the attackers' use of fake artificial intelligence (AI)-powered tools as lures to propagate the malware. These counterfeit programs were found to be advertised on social media platforms like Facebook. That said, the adoption of copyright infringement lures is not a new development. Back in Nov...

Cybersecurity researchers have lifted the lid on the threat actors' exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks. The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today. PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, capable of acting as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts. In those attacks, the threat actors have been found to exploit CVE-2017-0144 , a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Subsequent infection chains observed in October 2024 in Saudi Arabia were spotted leveraging a fake OpenAI ChatGPT...

Power doesn't just disappear in one big breach. It slips away in the small stuff—a patch that's missed, a setting that's wrong, a system no one is watching. Security usually doesn't fail all at once; it breaks slowly, then suddenly. Staying safe isn't about knowing everything—it's about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk. Here are this week's signals—each one pointing to where action matters most. ⚡ Threat of the Week Ghost Tap NFC-Based Mobile Fraud Takes Off — A new Android trojan called PhantomCard has become the latest malware to abuse near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. In these attacks, users who end up installing the malicious apps are instructed to place their credit/debit card on the back of the phone to begin the verification process, only for the card data to be sent to an attacker-controlled NFC relay...

Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution. The package, named termncolor , realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said . While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI. "This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution," according to researchers Manisha Ramcharan Prajapati and Satyam Singh. Once installed and executed, termncolor is designed to import colorinal, which, in turn, loads a rogue DLL that's responsible for decrypting and running the next-stage payload. Specifica...

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure. "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. The latest iteration of the malware can send SMS or initiate phone calls to a phone number, set up call forwarding to a specified number, display custom push notification with, fetch Gmail email subject lines, take pictures using the front camera, launch overlays on top of financial apps, capture contact lists, SMS messages, installed apps, and remove itself from the device. ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attribut...

The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads. Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin ) to trigger the infection routine via a rogue Microsoft Console (MSC) file. "These activities are part of a broad, ongoing wave of malicious activity that blends social engineering with technical exploitation to bypass security defenses and gain control over internal environments," Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi said . EncryptHub, also tracked as LARVA-208 and Water Gamayun, is a Russian hacking group that first gained prominence in mid-2024. Operating at a high tempo, the financially motivated crew is known for leveraging several methods, including fake job of...

A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments. The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237 , which is believed to be active since at least 2022. The hacking group is assessed to be a sub-group of UAT-5918 , which is known to be attacking critical infrastructure entities in Taiwan as far back as 2023. "UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise," Talos said . The attacks are characterized by the use of a bespoke shellcode loader dubbed SoundBill that's designed to decode and launch secondary pay...

Japan's CERT coordination center (JPCERT/CC) on Thursday revealed it observed incidents that involved the use of a command-and-control (C2) framework called CrossC2 , which is designed to extend the functionality of Cobalt Strike to other platforms like Linux and Apple macOS for cross-platform system control. The agency said the activity was detected between September and December 2024, targeting multiple countries, including Japan, based on an analysis of VirusTotal artifacts. "The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware as a loader for Cobalt Strike," JPCERT/CC researcher Yuma Masubuchi said in a report published today. The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is capable of executing various Cobalt Strike commands after establishing communicati...

Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. "PhantomCard relays NFC data from a victim's banking card to the fraudster's device," ThreatFabric said in a report. "PhantomCard is based on Chinese-originating NFC relay malware-as-a-service." The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name "Proteção Cartões" (package name "com.nfupay.s145" or "com.rc888.baxi.English"). The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It's currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique. Once the app is installed and opened, it requests victim...

Cybersecurity researchers have discovered a new malvertising campaign that's designed to infect victims with a multi-stage malware framework called PS1Bot . "PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access," Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said . "PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk." Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in-memory to minimize forensic trail. PS1Bot is assessed to share ...