Malware | Breaking Cybersecurity News | The Hacker News

React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq. The cybersecurity company said it has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, these efforts have been aimed at a wide range of sectors, but prominently the construction and entertainment industries. The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, follo...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file. "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user," CISA said in an alert. The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected. "This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to u...

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT . "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday. The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview , which has been observed leveraging the EtherHiding technique to distribute malware since February 2025. Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typi...

Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader , strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150 . The malware first emerged in early 2025. GrayBravo is "characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure," the Mastercard-owned company said in an analysis published today. Some of the notable tools in the threat actor's toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader is responsible for injecting the core m...

Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565 . Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade , which is also tracked under the names Earth Kapre, RedCurl, and Red Wolf. The financially motivated threat actor is believed to be active since late 2018 , initially targeting entities in Russia, before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S. The group has a history of using phishing emails to conduct commercial espionage. However, recent attack waves have found RedCurl to have engaged in ransomware attacks using a bespoke malware strain dubbed QWCrypt . One of the notable tools in the threat actor's arsenal is RedLoader, which s...