Malware | Breaking Cybersecurity News | The Hacker News

Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks. "This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute," Google's product and security teams said . The initiative builds upon the foundation of Pixel Binary Transparency , which Google introduced in October 2021 to bolster software integrity by ensuring that Pixel devices are only running verified operating system (OS) software by keeping a public, cryptographic log that records metadata about official factory images. The verifiable security infrastructure mirrors Certificate Transparency , an open framework that requires all issued SSL/TLS certificates to be recorded in public, append-only, and cryptographically verifiable logs to help detect mis-issued or malicious certificates. The move is aimed at countering the risks posed by binary supply chain attacks, which have found var...

Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previous undocumented plugin dubbed Pheno with the aim of facilitating credential theft. "According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs)," Cisco Talos researchers Alex Karkins and Chetan Raghuprasad said in a Tuesday analysis. What makes the attack novel is that CloudZ uses the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, permitting the plugin to monitor for active Phone Link processes and potentially intercept sensitive mobile data like SMS and one-time passwords (OTPs) without the need for deploying malware on the phone.  The findings demonstrate how legitimate cross-device syncing features can expose unintended attack pathways to credential theft...

A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers  Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin said . The installers have been trojanized since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised as part of the incident. While DAEMON Tools is also available for Mac, Kaspersky told The Hacker News that only the Windows version was compromised. The supply chain attack is active as of writing. AVB Disc Soft, the developer of the software, has been notified of the breach. Specifically, three different components of DAEMON Tools have been tampered with - DTHelper.exe DiscSoftBusServiceLite.exe DTShellHlp.exe ...

A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302 , with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups. Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor) that has been previously linked to threat clusters known as Ink Dragon , CL-STA-0049, Earth Alux , Jewelbug , and REF7707 . ESET is tracking the use of NosyDoor to a group it calls LongNosedGoblin . Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which...

The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat. According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia. It's also known to act as a primary, high-risk transit point for North Korean defectors crossing the Tumen River. Filip Jurčacko, senior malware researcher at ESET, told The Hacker News that the campaign was discovered in October 2025, adding the trojanized Android games are still available for download on the sqgame[.]ne...