Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code. "This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News. The attack, at its core, leverages a cross-site request forgery ( CSRF ) flaw that could be exploited to inject malicious instructions into ChatGPT's persistent memory. The corrupted memory can then persist across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user's account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes. Memory, first introduced by OpenAI in February 2024, is...

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here's how that false sense of security was broken again this week. ⚡ Threat of the Week Newly Patched Critical Microsoft WSUS Flaw Comes Under Attack — Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has since come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. According to Eye Security and Huntress, the security flaw is being weaponized to drop a .N...

The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups , accounting for 84 victims each in the months of August and September 2025. Qilin is known to be active since around July 2022. According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors. Attacks mounted by Qilin affiliates have likely leveraged leaked administrative credentials on the dark web for initial access using a VPN interface, followed by performing RDP connections to the domain...

The newly released OpenAI ChatGPT Atlas web browser has been found to be susceptible to a prompt injection attack where its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit. "The omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent," NeuralTrust said in a report published Friday. "We've identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust 'user intent' text, enabling harmful actions." Last week, OpenAI launched Atlas as a web browser with built-in ChatGPT capabilities to assist users with web page summarization, inline text editing, and agentic functions. In the attack outlined by the artificial intelligence (AI) security company, an attacker can take advantage of the browser's lack of strict boundaries between trusted user input and untru...

A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT . The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025. The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF ("CDS_Directive_Armed_Forces.pdf") using Mozilla Firefox while simultaneously executing the main payload. Both the artifacts are pulled from an external server "modgovindia[.]com" and executed. Like before, the campaign is designed to target BO...

A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads. Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. It has been codenamed the YouTube Ghost Network by Check Point. Google has since stepped in to remove a majority of these videos. The campaign leverages hacked accounts and replaces their content with "malicious" videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000. "This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe,...

Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025. What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism. Another novel aspect is that the GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors," Idan Dardikman said in a technical report. "The attacker used Unicode variation selectors – special characters that are...

Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job . "Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea's current efforts to scale up its drone program," ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News. It's assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025. Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe. While Sc...

Criminals don't need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you're already a target. This week's ThreatsDay highlights show exactly how those weak points are being exploited — from overlooked misconfigurations to sophisticated new attack chains that turn ordinary tools into powerful entry points. Lumma Stealer Stumbles After Doxxing Drama Decline in Lumma Stealer Activity After Doxxing Campaign The activity of the Lumma Stealer (aka Water Kurita) information stealer has witnessed a "sudden drop" since last months after the identities of five alleged core group members were exposed as part of what's said to be an aggressive underground exposure campaign dubbed Lumma Rats since late August 2025. The targeted individuals are affiliated with the malware's development and administ...

E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be abused to take over customer accounts in Adobe Commerce through the Commerce REST API. Also known as SessionReaper, it was addressed by Adobe last month. A security researcher who goes by the name Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236. The Dutch company said that 62% of Magento stores remain vulnerable to the security flaw six weeks after public disclosure, urging website administrators to apply the patches as soon as possible before broader exploitation activity picks up. Adobe has since revised its advisory to confirm reports of in-the-wil...

The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities. The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering, Singaporean cybersecurity company Group-IB said in a technical report published today. More than three-fourths of the campaign's targets include embassies, diplomatic missions, foreign affairs ministries, and consulates, followed by international organizations and telecommunications firms. "MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence," said security researchers Mahmoud Zohdy and Mansour Alhmoud. "By exploiting the trust a...

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2). The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children's Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today. The phishing emails have been found to impersonate the Ukrainian President's Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site ("zoomconference[.]app") and tricks them into runn...

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country. According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770 , a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution. CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups , including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer)...

Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum , a popular Ethereum .NET integration platform, to steal victims' cryptocurrency wallet keys. The package, Netherеum.All , has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and keystore data, according to security company Socket. The library was uploaded by a user named " nethereumgroup " on October 16, 2025. It was taken down from NuGet for violating the service's Terms of Use four days later. What's notable about the NuGet package is that it swaps the last occurrence of the letter "e" with the Cyrillic homoglyph "e" (U+0435) to fool unsuspecting developers into downloading it. In a further attempt to increase the credibility of the package, the threat actors have resorted to artificially inflating the download counts...

Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron , according to findings from Kaspersky. The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor. It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar. "The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet," Kaspersky noted at the time. "A plugin-based ap...

Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge . PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. The TLS-based ELF implant, at its core, is designed to monitor incoming client connections and execute commands within them. Then, in August 2025, attack surface management platform Censys detailed the infrastructural backbone powering the botnet, with the company noting that PolarEdge exhibits characteristics that are consistent with an Operational Relay Box (ORB) network. There is evidence to suggest that the activity involving the malware may have started as far back as June 2023. In the attack chains observed in February 2025, the threat actors have been observed exploiting a known security flaw impacting Cisco routers (CVE-2023-20118) to download a ...

A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor. The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time. While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure. The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is "a collection of related malware families connected via a delivery chain," GTIG researcher Wesley Shields said in a Monday analysis. The latest attack waves are something of a departure from COLDRIVER's typical modus opera...

A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon . The organization, per Darktrace , was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access. Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S. The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa. In the incident observed against the European telecommunications enti...

It's easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn't just patching fast, but watching smarter and staying alert for what you don't expect. Here's a quick look at this week's top threats, new tactics, and security stories shaping the landscape. ⚡ Threat of the Week F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it's believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevat...