-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Malware | Breaking Cybersecurity News | The Hacker News

Category — Malware
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

Jul 17, 2026 Malware / Threat Intelligence
Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine . Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using counterfeit websites to push malware-laced software. It's known to be active since at least 2015. "In April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers," Expel security researcher Aaron Walton said in an analysis. "This attack highlighted the capability of the malware and operators." Central to the threat actor's operations is a modified version of Gh0st RAT (aka Farfli), a remote access trojan (RAT) w...
Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

Jul 17, 2026 Social Engineering / Malware
North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. "Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a Socket.IO-based remote access trojan (RAT), and a clipboard stealer," Elastic Security Labs said in a report shared with The Hacker News. The findings once again highlight the continued targeting of software developers by state-sponsored hackers aligned with the Democratic People's Republic of Korea (DPRK) with an aim to steal sensitive data and plunder cryptocurrency wallets. The activity is being tracked under the moniker REF9403. The cybersecurity arm of the Dutch enterprise search and observability platform said it discovered the campaign after the threat actors targeted membe...
Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Jul 17, 2026 Ransomware / Law Enforcement
Armenia has held a Russian tourist named Aleksandr Ermakov in a detention center since June 28, on a U.S. extradition request for a REvil ransomware suspect named Aleksandr Ermakov. His wife, Maria Yurova, told REN TV that border officers pulled him out of the departure hall at Yerevan's Zvartnots airport, held up a phone with a photo of him off his VKontakte page, and walked him into a side room. His lawyers say Washington has the wrong man. The Ermakov the U.S. wants is Aleksandr Gennadievich Ermakov , sanctioned by Australia, the US, and the UK in January 2024 for stealing 9.7 million records from Medibank Private , one of Australia's largest private health insurers, and dumping some on the dark web. He is also serving a two-year Russian sentence that bars him from leaving the country, according to TASS and to case files two Russian outlets say they have read. The man in the Armenian cell, his lawyers say, is Aleksandr Yuryevich Ermakov , from Omsk, a former priso...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

Jul 17, 2026 Malware / Windows Security
ACR Stealer , an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders. It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the company's managed detection arm, had watched ACR Stealer activity climb across customer environments from late April to mid-June, and says the campaigns are "successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents." Both chains open with the same prompt, then split: one leaves traces on disk, the other runs almost entirely in memory. Microsoft's remediation guidance tells victims to revoke tokens, not just rotate passwords. A payload in the pixels The prompt likely arrives through malvertising or SEO-manipulated...
New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

Jul 17, 2026 Cyber Espionage / Threat Intelligence
Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering. Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in the region. GoSerpent is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. "Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools: new Stowaway RAT and proxy tool which resembled the initial malware as well as an additional stealthy tool to exfiltrate sensitive data collected for the previous few months through network share," security researcher Noushin Shabab said . The end goal of these efforts is to harvest sensitive fi...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources