Malware | Breaking Cybersecurity News | The Hacker News

The threat actor known as Confucius has been attributed to a new phishing campaign that has targeted Pakistan with malware families like WooperStealer and Anondoor. "Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries -- especially in Pakistan – using spear-phishing and malicious documents as initial access vectors," Fortinet FortiGuard Labs researcher Cara Lin said . Confucius is a long-running hacking group that's believed to have been active since 2013 and operating across South Asia. Recent campaigns undertaken by the threat actor have employed a Python-based backdoor called Anondoor, signaling an evolution of the group's tradecraft and its technical agility. One of the attack chains documented by Fortinet targeted users in Pakistan sometime in December 2024, tricking recipients into opening a .PPSX file, which then triggers the delivery of WooperStealer using DLL ...

Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down. It was first uploaded by a user named " soodalpie " on September 26, 2025, the same date the account was created. "While providing this capability, it exhibits behavior as a backdoor proxy server targeting Windows platforms, using automated installation processes via VBScript or an executable version," JFrog said in an analysis. The executable ("_AUTORUN.EXE") is a compiled Go file that, besides including a SOCKS5 implementation as advertised, is also designed to run PowerShell scripts, set firewall rules, and relaunch itself with elevated permissions. It also carries out ...

Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.). Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data. "Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services," ESET researcher Lukáš Štefanko said . Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app." The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, ...

Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting the cellular router's API to send malicious SMS messages containing phishing URLs, with the campaigns primarily targeting Sweden, Italy, and Belgium using typosquatted URLs that impersonate government platforms like CSAM and eBox, as well as banking, postal, and telecom providers. Of the 18,000 routers of this type accessible on the public internet, no less than 572 are assessed to be potentially vulnerable due to them exposing the inbox/outbox APIs. About half of the identified vulnerable routers are located in Europe. "Moreover, the API enables retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since at le...

Bitdefender's 2025 Cybersecurity Assessment Report paints a sobering picture of today's cyber defense landscape: mounting pressure to remain silent after breaches, a gap between leadership and frontline teams, and a growing urgency to shrink the enterprise attack surface. The annual research combines insights from over 1,200 IT and security professionals across six countries, along with an analysis of 700,000 cyber incidents by Bitdefender Labs. The results reveal hard truths about how organizations are grappling with threats in an increasingly complex environment. Breaches Swept Under the Rug This year's findings spotlight a disturbing trend: 58% of security professionals were told to keep a breach confidential , even when they believed disclosure was necessary. That's a 38% jump since 2023 , suggesting more organizations may be prioritizing optics over transparency. The pressure is especially acute for CISOs and CIOs , who report higher levels of expectation to remain quiet c...

A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions. "Klopatra represents a significant evolution in mobile malware sophistication," security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said . "It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze." Evidence gathered from the malware's command-and-control (C2) infrastructure and linguistic clues in the associated...

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT. The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245 . The agency said it spotted the attack following the discovery of software tools taking the form of XLL files , which refer to Microsoft Excel add-ins that are typically used to extend the functionality of Excel with custom functions. Further investigation has uncovered that the XLL files are distributed within ZIP archives shared on the Signal messaging app, disguised as a document concerning the detention of individuals who had attempted to cross the Ukrainian border. The XLL, once launched, is designed to create a number of executables on the compromised host, namely an EXE file in the Startup folder, an XLL file named "BasicExcelMath.xll" in the "%APPDATA%\Microsoft\Excel\XLSTART\" directory, and a PNG ima...

Government and telecommunications organizations across Africa, the Middle East, and Asia have emerged as the target of a previously undocumented China-aligned nation-state actor dubbed Phantom Taurus over the past two-and-a-half years. "Phantom Taurus' main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations," Palo Alto Networks Unit 42 researcher Lior Rochberger said . "The group's primary objective is espionage. Its attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs)." It's worth pointing out that the hacking group was first detailed by the cybersecurity company back in June 2023 under the moniker CL-STA-0043 . Then last May, the threat cluster was graduated to a temporary group, TGR-STA-0043 , following revelations about its sustained cyber espionage efforts aimed at governmental entities since at least late 2022 as part of...

A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs . The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions - VMware Cloud Foundation 4.x and 5.x VMware Cloud Foundation 9.x.x.x VMware Cloud Foundation 13.x.x.x (Windows, Linux) VMware vSphere Foundation 9.x.x.x VMware vSphere Foundation 13.x.x.x (Windows, Linux) VMware Aria Operations 8.x VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux) VMware Telco Cloud Platform 4.x and 5.x VMware Telco Cloud Infrastructure 2.x and 3.x "A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM," VMware sai...

Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover ( DTO ) attacks and perform fraudulent transactions by preying on the elderly. Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting "active senior trips." Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K. The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups have been found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors. Should prospective targets express willingness to participate in these events, they are subsequently approached via Facebook Messenger or WhatsApp, where they are as...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1. It was disclosed by Stratascale researcher Rich Mirch back in July 2025. "Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability," CISA said. "This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file." It's currently not known how the shortcoming is being exploited in real-world attacks, and who may be behind such efforts. Also added to the KEV catalog are four other flaws - CVE-2021-21311 - Adminer...

Threat actors have been observed using seemingly legitimate artificial intelligence (AI) tools and software to sneakily slip malware for future attacks on organizations worldwide. According to Trend Micro, the campaign is using productivity or AI-enhanced tools to deliver malware targeting various regions, including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region. Manufacturing, government, healthcare, technology, and retail are some of the top sectors affected by the attacks, with India, the U.S., France, Italy, Brazil, Germany, the U.K., Norway, Spain, and Canada emerging as the regions with the most infections, indicating a global spread. "This swift, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild," security researchers Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Lijandro ...

Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway. From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week's roundup gives you the biggest security moves to know. Whether you're protecting key systems or locking down cloud apps, these are the updates you need before making your next security decision. Take a quick look to start your week informed and one step ahead. ⚡ Threat of the Week Cisco 0-Day Flaws Under Attack — Cybersecurity agencies warned that threat actors have exploited two security flaws affecting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER. The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection. The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) a...

Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week. The activity, detected on August 28, 2025, shows how threat actors are increasingly adopting artificial intelligence (AI) tools into their workflows, often with the goal of crafting more convincing phishing lures, automating malware obfuscation, and generating code that mimics legitimate content. In the attack chain documented by the Windows maker, bad actors have been observed leveraging an already compromised business email account to send phishing messages to stea...

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU). "The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week. The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay , a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls...

A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader , which is then used to drop Amatera Stealer and PureMiner . "The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News. In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminate in the deployment of CountLoader. The email messages claim to be a notice from the National Police of Ukraine. CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however,...

The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX. Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor. COLDRIVER , also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that's known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS , which underscores its technical sophistication. The adversary's use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2...

Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks. "This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms," the Microsoft Threat Intelligence team said in a Thursday report. "It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries." XCSSET is the name assigned to a sophisticated modular malware that's designed to infect Xcode projects used by software developers and unleash its malicious capabilities when it's being built. Exactly how the malware is distributed remains unclear, but it's suspected that the propagation relies on the Xcode project files being shared amo...

The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER . "The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection," the agency said . Cisco on Thursday revealed that it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May 2025 that targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices. An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in...

Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. The zero-day vulnerabilities in question are listed below - CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests CVE-2025-20362 (CVSS score: 6.5) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests Cisco said it's aware of "attempted exploitation" of both vulnerabilities, but did not reveal who may be behind it, ...