Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered an ongoing campaign that's targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign. The activity , per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat actors persistent access to their machines for continuous monitoring and data exfiltration. The end goal of the sophisticated attack is to deploy a variant of a known banking trojan called Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management) that's developed by Nanjing Zhongke Huasai Technology Co., Ltd , a Chinese company. The campaign has not been attributed to any known threat actor or group. "While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework,...

Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers. The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace , are listed below - ChatGPT - 中文版 (ID: whensunset.chatgpt-china) - 1,340,869 installs ChatGPT - ChatMoss（CodeMoss）(ID: zhukunpeng.chat-moss) - 151,751 installs Koi Security said the extensions are functional and work as expected, but they also capture every file being opened and every source code modification to servers located in China without users' knowledge or consent. The campaign has been codenamed MaliciousCorgi. "Both contain identical malicious code -- the same spyware infrastructure running under different publisher names," security researcher Tuval ...

Security failures rarely arrive loudly. They slip in through trusted tools, half-fixed problems, and habits people stop questioning. This week's recap shows that pattern clearly. Attackers are moving faster than defenses, mixing old tricks with new paths. "Patched" no longer means safe, and every day, software keeps becoming the entry point. What follows is a set of small but telling signals. Short updates that, together, show how quickly risk is shifting and why details can't be ignored. ⚡ Threat of the Week Improperly Patched Flaw Exploited Again in Fortinet Firewalls — Fortinet confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. "We have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path," the company said. The activi...

The North Korean threat actor known as Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea , Russia , Ukraine , and European nations , Check Point Research said in a technical report published last week. Active since at least 2014, Konni is primarily known for its targeting of organizations and individuals in South Korea. It's also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia. In November 2025, the Genians Security Center (GSC) detailed the hacking group's targeting of Android devices by exploiting Google's asset tracking service, Find Hub, to remotely reset victim devices and erase personal data from them, signaling a new escalation of their tradecraft. As recently as this month, Konni ha...

A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. "The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background." The campaign stands out for a couple of reasons. First, it uses multiple public cloud services to distribute different kinds of payloads. While GitHub is mainly used to distribute scripts, binary payloads are staged on Dropbox. This separation complicates takedown efforts, effectively improving resilience. Another "defining characteristic" of the campaign, per Fortinet, is the operational abuse of defendnot to d...

The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025. The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week. "The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years," Motyka was quoted as saying. According to a new report by ESET, the attack was the work of Sandworm, which deployed a previously undocumented wiper malware codenamed DynoWiper (aka Win32/KillFiles.NMO). The links to Sandworm are based on overlaps with prior wiper activity associated with the adversary, particularly in the aftermath of Russia's military invasion of Ukraine in February 2022. The Slovakian cybersecurity company, which identified the use of the wiper as part of the attempted disruptive attack aimed at the...

Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. "Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust," KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said . "By stealing a 'skeleton key' to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor." The attack unfolds in two distinct waves, where the threat actors leverage fake invitation notifications to steal victim credentials, and then leverage those pilfered credentials to deploy RMM tools to establish persistent access. The bogus emails are disguised as an invitation from a legitimate platform called Greenvelope, and aim to tri...

Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said. It's worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It's currently not known who the developers of the locker are, or if it's advertised as a ransomware-as-a-service (RaaS). However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble). "A wide range of living off...

Most of this week's threats didn't rely on new tricks. They relied on familiar systems behaving exactly as designed, just in the wrong hands. Ordinary files, routine services, and trusted workflows were enough to open doors without forcing them. What stands out is how little friction attackers now need. Some activity focused on quiet reach and coverage, others on timing and reuse. The emphasis wasn't speed or spectacle, but control gained through scale, patience, and misplaced trust. The stories below trace where that trust bent, not how it broke. Each item is a small signal of a larger shift, best seen when viewed together. Spear-phishing delivers custom backdoor Operation Nomad Leopard Targets Afghanistan Government entities in Afghanistan have been at the receiving end of a spear-phishing campaign dubbed Operation Nomad Leopard that employs bogus administrative documents as decoys to distribute a backdoor named FALSECUB by means o...

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts. The package, named sympy-dev , mimics SymPy , replicating the latter's project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a "development version" of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026. Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign. The package remains available for download as of writing. According to Socket , the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when ...

As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming 20 potential victim organizations spanning artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America. The new findings come from Recorded Future's Insikt Group, which is tracking the North Korean threat activity cluster under the moniker PurpleBravo . First documented in late 2023, the campaign is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum. The 3,136 individual IP addresses, primarily concentrated around South Asia and North America, are assessed to have been targeted by the adversary from August 2024 to September 2025. The 20 victim companies are said to be based in Belgium, Bulgaria, Costa Rica, In...

The recently discovered sophisticated Linux malware framework known as VoidLink is assessed to have been developed by a single person with assistance from an artificial intelligence (AI) model. That's according to new findings from Check Point Research, which identified operational security blunders by malware's author that provided clues to its developmental origins. The latest insight makes VoidLink one of the first instances of an advanced malware largely generated using AI. "These materials provide clear evidence that the malware was produced predominantly through AI-driven development, reaching a first functional implant in under a week," the cybersecurity company said, adding it reached more than 88,000 lines of code by early December 2025. VoidLink, first publicly documented last week, is a feature-rich malware framework written in Zig that's specifically designed for long-term, stealthy access to Linux-based cloud environments. The malware is said...

LastPass is alerting users to a new active phishing campaign that's impersonating the password management service, which aims to trick users into giving up their master passwords. The campaign, which began on or around January 19, 2026, involves sending phishing emails claiming upcoming maintenance and urging them to create a local backup of their password vaults in the next 24 hours. The messages, LastPass said, come with the following subject lines - LastPass Infrastructure Update: Secure Your Vault Now Your Data, Your Protection: Create a Backup Before Maintenance Don't Miss Out: Backup Your Vault Before Maintenance Important: LastPass Maintenance & Your Vault Security Protect Your Passwords: Backup Your Vault (24-Hour Window) The emails are designed to steer unsuspecting users to a phishing site ("group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf") that then redirects to the domain " mail-lastpass[.]com ." The company emphasiz...

The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News. First disclosed by OpenSourceMalware last month, the attack essentially involves instructing prospective targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment. The end goal of these efforts is to abuse VS Code task configuration files to execute malicious payloads staged on Vercel domains, depending on the oper...

Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script," ReliaQuest said in a report shared with The Hacker News. The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components - A legitimate open-source PDF reader application A malicious DLL that's sideloaded by the PDF reader A portable executable (PE) of the Python interpreter A RAR file that likely serves as a decoy The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sid...

Cybersecurity researchers have disclosed details of a malware campaign that's targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem. "The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems," Trend Micro said in an analysis published Monday. The activity is designed to single out organizations with software development teams that rely on VS Code and third-party extensions, along with those with access to production systems, cloud resources, or digital assets, it added. It's worth noting that details of the campaign were first documented by Koi Security last month, when details emerged of three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme...

Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix -like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix, observed earlier this month, has been codenamed CrashFix by Huntress. KongTuke , also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is the name given to a traffic distribution system (TDS) known for profiling victim hosts before redirecting them to a payload delivery site that infects their systems. Access to these compromised hosts is then handed off to other threat actors, including ransomware groups, for follow-on malware delivery. Some of the cybercriminal groups that have leveraged TAG-124 infrastructure include Rhysida ransomware , Interlock ransomware , and TA866 (aka Asylu...

Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations. "By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them," CyberArk researcher Ari Novick said in a report published last week. StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model, allowing potential customers to leverage YouTube as a primary mechanism – a phenomenon called the YouTube Ghost Network – to distribute the malicious program by disguising it as cracks for popular software. Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a soc...

Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. In addition, the group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists, authorities noted. "According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware," the Cyber Police of Ukraine said in a statement.  The agency said the accused individuals functioned as "hash crackers," who specialize in extracting passwords from information systems using specialized software. Once the credential information was obtained, members of the ransomware group broke into corporate networks and ultimately deployed ransomware and extorted money to recover the e...