Malware | Breaking Cybersecurity News | The Hacker News

A China-linked threat actor has been attributed to a cyber attack targeting an U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government policy on international issues." The attackers managed to gain access to the network for several weeks in April 2025. The first sign of activity occurred on April 5, 2025, when mass scanning efforts were detected against a server by leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server). Symantec and Carbon Black told The Hacker News that there is no indication that these exploitation efforts were successful. It's suspected that the attackers ul...

A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems. According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named " shanhai666 " and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times. "The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments," security researcher Kush Pandya said . The list of malicious packages is below - MyDbRepository (Last updated on May 13, 2023) MCDbRepository (Last updated on June 5, 2024) Sharp7Extend (Last updated on August 14, 2024) SqlDbRepo...

Google on Thursday said it's rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments. The approach is designed to tackle a common practice called review bombing , where online users intentionally post negative user reviews in an attempt to harm a product, a service, or a business. "Bad actors try to circumvent our moderation systems and flood a business's profile with fake one-star reviews," Laurie Richardson, vice president of Trust & Safety at Google, said . "Following this initial attack, the scammers directly contact the business owner, often through third-party messaging apps, to demand payment." The threat actors warn of further escalation should the victim fail to pay the fee, risking potential damage to their public rating and reputation. These ploys are seen as an attempt to coe...

Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension " susvsex ," said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named "suspublisher18" along with the description "Just testing" and the email address "donotsupport@example[.]com." "Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch," reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.  According to details shared by "suspublisher18," the extension is designed to automatically activate itself on any even...

A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense , describing it as Russia-aligned. "InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link to a trojanized ESET installer, to multiple Ukrainian entities," ESET said in its APT Activity Report Q2 2025–Q3 2025 shared with The Hacker News. InedibleOchotense is assessed to share tactical overlaps with a campaign documented by EclecticIQ that involved the deployment of a backdoor called BACKORDER and by CERT-UA as UAC-0212 , which it describes as a sub-cluster within the Sandworm (aka APT44) hacking group. While the email message is written in Ukrainian, ESET said the first line uses a Russian word, likely indicating a typo or a translation error. The email, which purp...