Malware | Breaking Cybersecurity News | The Hacker News

The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. It was patched by the maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. While there was evidence that the shortcoming had been exploited in the wild since at least March, it wasn't until late October, when VulnCheck disclosed it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain to deploy a cryptocurrency miner. Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to a...

The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. "The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure," NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis said in a Thursday report. The campaign essentially involves approaching prospective targets on professional networking sites like LinkedIn, either under the pretext of conducting a job assessment or collaborating on a project, as part of which they are instructed to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket. In one such project spotted by NVISO, it has been found that a file named "server/config/.config.env" contains a Base64-encoded value that masquerades as an API key, but, in reality, is a URL ...

The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign. The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed  SpearSpecter by the Israel National Digital Agency (INDA). "The campaign has systematically targeted high-value senior defense and government officials using personalized social engineering tactics," INDA researchers Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David, and Yaniv Goldman said. "These include inviting targets to prestigious conferences or arranging significant meetings." What's notable about the effort is that it also extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 was first publicly documented in late 2022 by Google Mandiant, detailing its...

Key Takeaways: 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date. 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure. 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns. LockBit's reappearance with version 5.0 signals potential re-centralization after months of fragmentation. In Q3 2025, Check Point Research recorded a record 85 active ransomware and extortion groups , the highest ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations. This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliat...

Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb Web Application Firewall (WAF) that could allow an attacker to take over admin accounts and completely compromise a device. "The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," Benjamin Harris, watchTowr CEO and founder, said in a statement. "Patched in version 8.0.2 , the vulnerability allows attackers to perform actions as a privileged user - with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers." The cybersecurity company said it was able to successfully reproduce the vulnerability and create a working proof-of-concept (Poc). It has also released an artifact generator tool for the authentication bypass to help identify susceptible devices. According to d...