Malware | Breaking Cybersecurity News | The Hacker News

Threat actors are weaponizing exposed Java Debug Wire Protocol ( JDWP ) interfaces to obtain code execution capabilities and deploy cryptocurrency miners on compromised hosts. "The attacker used a modified version of XMRig with a hard-"coded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders," Wiz researchers Yaara Shriki and Gili Tikochinski said in a report published this week. "The payload used mining pool proxies to hide their cryptocurrency wallet address, thereby preventing investigators from pivoting on it." The cloud security firm, which is being acquired by Google Cloud, said it observed the activity against its honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool. JDWP is a communication protocol used in Java for debugging purposes. With JDWP, users can leverage a debugger to work in a different process, a Java application, on the same com...

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN. The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have since been removed from the Play Store by Google. The ad fraud scheme accounted for 1.2 billion bid requests a day, at the height of its activity. The vast majority of IconAds-associated traffic originated from Brazil, Mexico, and the United States. It's worth noting that IconAds is a variant of a threat that's also tracked by other cybersecurity vendors under the names HiddenAds and Vapor , with the malicious apps repeatedly slipping past the Google Play Store since at least 2019 . Some of the common characteristics of these apps include the use of obfuscation to conceal...

Cybersecurity researchers have uncovered over 40 malicious browser extensions for Mozilla Firefox that are designed to steal cryptocurrency wallet secrets, putting users' digital assets at risk. "These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox," Koi Security researcher Yuval Ronen said . The large-scale campaign is said to have been ongoing since at least April 2025, with new extensions uploaded to the Firefox Add-ons store as recently as last week. The identified extensions have been found to artificially inflate their popularity, adding hundreds of 5-star reviews that go far beyond the total number of active installations. This strategy is employed to give them an illusion of authenticity, making it seem like they are widely adopted and tricking unsuspecting users into installing them. Another tactic adopted by ...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken , which is assessed to share some level overlaps with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus). "While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," the French National Agency for the Security of Information Systems (ANSSI) said . "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and d...

Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language, underscoring a constant evolution of their tactics. "Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol," SentinelOne researchers Phil Stokes and Raffaele Sabato said in a report shared with The Hacker News. "A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted." The cybersecurity company is tracking the malware components collectively under the name NimDoor. It's worth noting that some aspects of the campaign were previously documented by Huntabil.IT and later by Huntress and Validin , but with differences in the payloads deployed. The attack chains involve social enginee...