-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Malware | Breaking Cybersecurity News | The Hacker News

Category — Malware
Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Jul 01, 2026 Artificial Intelligence / Threat Intelligence
Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way. Palo Alto Networks' Unit 42 calls the trick phantom squatting , and its new research shows it is already happening in the wild. The reason it matters is trust. Developers and AI assistants increasingly treat the links a model hands back as real. When a model invents a domain that does not exist yet, whoever registers it first inherits all of that misplaced trust, with no phishing email and no malicious ad required. To measure the problem, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, healthcare, government, gambling, and other sectors. The models produced 2.1 million links. Threat intelligence already flagged 13,229 of them as outright malicious, meaning the AI was handing out known-ba...
Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery

Jul 01, 2026 Threat Intelligence / Social Engineering
ClickFix , the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake "prove you're human" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning. Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns. He presented the findings at  OrangeCon  in early June and  published the details  on June 30. ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself. There's usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional emai...
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS

RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS

Jun 30, 2026 Botnet / Vulnerability
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles. RustDuck is one more entrant in a crowded field, but it stands out for two reasons. It is being rewritten from the C programming language into Rust, and its newer versions go to unusual lengths to avoid being studied or shut down. How it spreads RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their rem...
cyber security

The Systems That Power America Are Under Threat. Is Your ICS/OT Program Ready?

websiteSANS InstituteCritical infrastructure / Webinar
Discover where federal ICS programs are most exposed and what closing the skills gap requires in practice.
cyber security

Inside Device Code Phishing: Live Demos, Real Kits, and What's Next

websitePush SecurityPhishing Attack / Webinar
Device code attacks are up 37x this year, with 18+ kits in the wild. Now available on-demand.
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Jun 30, 2026 Vulnerability / Malware
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026. "In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached," Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week. At a high level, the malware is designed to terminate competing cryptocurrency miner processes associated with Kinsing , WatchDog , Rocke , and Outlaw ,...
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

Jun 29, 2026 Browser Security / Web Security
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Microsoft says Google removed it from the store after responsible disclosure. The extension was called "Search for perplexity ai" (ID flkebkiofojicogddingbdmcmkpbplcd) and used a look-alike domain, perplexity-ai[.]online, to pass for the real service at perplexity.ai. Microsoft's Defender research team  says the point was to intercept searches and collect data. It found no proof of password theft, but far more access than a search box should ever need. Once installed, the extension sets itself as the browser's default search engine. When you searched, the query went first to perplexity-ai[.]online, where the attacker's server logged it with your browser headers, IP address,...
Expert Insights Articles Videos
Cybersecurity Resources