Malware | Breaking Cybersecurity News | The Hacker News

The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems," Trend Micro researcher Aliakbar Zahravi said in an analysis. The vulnerability in question is CVE-2025-26633 (CVSS score: 7.0), described by Microsoft as an improper neutralization vulnerability in Microsoft Management Console ( MMC ) that could allow an attacker to bypass a security feature locally. It was fixed by the company earlier this month as part of its Patch Tuesday update. Trend Micro has given the exploit the moniker MSC EvilTwin, tracking the suspected Russian activity cluster under the name Water...

The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor's tradecraft. The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt. RedCurl , also called Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks aimed at various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. It's known to be active since at least November 2018. Attack chains documented by Group-IB in 2020 entailed the use of spear-phishing emails bearing Human Resources (HR)-themed lures to activate the malware deployment process. Earlier this January, Huntress detailed attacks mounted by the threat actor targeting several organizations in Canada to deploy a loader dubbed RedLoader with "simple backdoor capabilities." Then l...

Identity-based attacks are on the rise. Attackers are targeting identities with compromised credentials, hijacked authentication methods, and misused privileges. While many threat detection solutions focus on cloud, endpoint, and network threats, they overlook the unique risks posed by SaaS identity ecosystems. This blind spot is wreaking havoc on heavily SaaS-reliant organizations big and small. The question is, what can security teams do about it? Have no fear, because Identity Threat Detection and Response (ITDR) is here to save the day. It's essential to have the visibility and response mechanisms to stop attacks before they become breaches. Here's the super lineup that every team needs to stop SaaS identity threats. #1 Full coverage: cover every angle  Like Cap's shield, this defense should cover every angle. Traditional threat detection tools such as XDRs and EDRs fail to cover SaaS applications and leave organizations vulnerable. SaaS identity threat detection and re...

Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem. The packages in question are ethers-provider2 and ethers-providerz , with the former downloaded 73 times to date since it was published on March 15, 2025. The second package, likely removed by the malware author themselves, did not attract any downloads. "They were simple downloaders whose malicious payload was cleverly hidden," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. "The interesting part lay in their second stage, which would 'patch' the legitimate npm package ethers , installed locally, with a new file containing the malicious payload. That patched file would ultimately serve a reverse shell." The development marks a new escalation of threat actors...

Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that has been exploited in the wild as part of attacks targeting organizations in Russia.  The vulnerability, tracked as CVE-2025-2783 , has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). As is customary, Google did not reveal additional technical specifics about the nature of the attacks, the identity of the threat actors behind them, and who may have been targeted. The vulnerability has been plugged in Chrome version 134.0.6998.177/.178 for Windows. "Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild," the tech giant acknowledged in a terse advisory. It's worth noting that CVE-2025-2783 is the first actively exploited Chrome ze...

A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin . "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report shared with The Hacker News. Since its emergence in 2019, the malware has become a conduit for various malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It's also referred to as QNAP worm owing to the use of compromised QNAP devices to retrieve the payload. Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they we...

A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia. The cybersecurity company is tracking the activity under the name Weaver Ant , describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not disclosed. "Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage," Sygnia said . "The group behind this intrusion [...] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information." Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia, told The Hacker News that Weaver Ant exploited a misconfiguration in a public-facing application to obtain an initial foothold into the target environment. The attack chain is said to h...

Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users. "These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said . .NET MAUI is Microsoft's cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary. It's worth noting that official support for Xamarin ended on May 1, 2024 , with the tech giant urging developers to migrate to .NET MAUI. While Android malware implemented using Xamarin has been detected in the past , the latest development signals that ...

Law enforcement authorities in seven African countries have arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025. The coordinated effort "aims to disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses," INTERPOL said , adding it focused on targeted mobile banking, investment, and messaging app scams. The cyber-enabled scams involved more than 5,000 victims. The countries that participated in the operation include Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia. "The success of Operation Red Card demonstrates the power of international cooperation in combating cybercrime, which knows no borders and can have devastating effects on individuals and communities," Neal Jetton, INTERPOL's Director of the Cybercrime Directorate, said. "The recovery of significant asse...

A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025, demanding ransoms as high as $500,000. "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%," Check Point said in a report published over the weekend. "The only rule is not to target the Commonwealth of Independent States (CIS)." As with any affiliate-backed ransomware program, VanHelsing claims to offer the ability to target a wide range of operating systems, including Windows, Linux, BSD, Arm, and ESXi. It also employs what's called the double extortion model of stealing data prior to encryption and threatening to leak the information unless the victim pays up. The RaaS operators have also revealed that the scheme offers a control panel that works "seamlessly" o...

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn't the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons. Meanwhile, ransomware gangs are getting smarter—using stolen drivers to shut down defenses—and threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats. AI is adding fuel to the fire—used by both attackers and defenders—while critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge. Let's dive into the threats making noise behind the scenes. ⚡ Threat of the Week Coinbase the Initial Target of GitHub Action Supply Chain Breach — The supply chain compromise...

Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs , incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it. The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called "testShiba" on the victim's Windows desktop. Once the files are encrypted, the PowerShell payload displays a message, stating "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them." However, no other instructions or cryptocurrency wallet addresses are provided to the victims, anothe...

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver ( BYOVD ) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt. "This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report. The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked ce...