Microsoft Windows | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader . Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829 . The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu. The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an "unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes." TA829 is something of an unusual hacking group in the threat landscape given its ability to conduct both espionage as well as financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozil...

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the company said in an advisory. CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability. Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole ( CVE-2025-23120 , CVSS score: 9.9) could be bypassed. Also addressed by Veeam is another flaw in the same product (CVE-2025...

Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "3...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp . The activity has been attributed to a suspected Russian hacking group called Water Gamayun , which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week. Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware by means of a rogue Microsoft Console (.msc) file. The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows...

Microsoft on Tuesday shipped fixes to address a total of 90 security flaws , including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, nine are rated Critical, 80 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday updates are notable for addressing six actively exploited zero-days - CVE-2024-38189 (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability CVE-2024-38178 (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability CVE-2024-38193 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability CVE-2024-38106 (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability CVE-2024-38107 (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability CVE-2024-38213 (CVS...

Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called  Phemedrone Stealer . "Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun  said . "It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server." The attacks leverage  CVE-2023-36025  (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen, that could be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file. The actively-exploited shortcoming was  addressed  by Microsoft as part of its November...

Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a  two-part   report  shared with The Hacker News. The security issues, which were addressed by Microsoft in  August  and  October 2023 , respectively, are listed below - CVE-2023-35384  (CVSS score: 5.4) - Windows HTML Platforms Security Feature Bypass Vulnerability CVE-2023-36710  (CVSS score: 7.8) - Windows Media Foundation Core Remote Code Execution Vulnerability CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. T...

Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS). The exploits, dubbed  LogCrusher  and  OverLog  by Varonis, take aim at the EventLog Remoting Protocol ( MS-EVEN ), which enables remote access to event logs. While the former allows "any domain user to remotely crash the Event Log application of any Windows machine," OverLog causes a DoS by "filling the hard drive space of any Windows machine on the domain," Dolev Taler  said  in a report shared with The Hacker News. OverLog has been assigned the CVE identifier CVE-2022-37981 (CVSS score: 4.3) and was addressed by Microsoft as part of its  October Patch Tuesday  updates. LogCrusher, however, remains unresolved. "The performance can be interrupted and/or reduced, but the attacker cannot fully deny service," the tech giant said in an advisory for the flaw released earli...

The Chinese-backed Hafnium hacking group has been linked to a piece of a new malware that's used to maintain persistence on compromised Windows environments. The threat actor is said to have targeted entities in the telecommunication, internet service provider and data services sectors from August 2021 to February 2022, expanding from the initial victimology patterns observed during its attacks exploiting the then zero-day flaws in  Microsoft Exchange Servers  in March 2021. Microsoft Threat Intelligence Center (MSTIC), which dubbed the defense evasion malware " Tarrask ," characterized it as a tool that creates "hidden" scheduled tasks on the system. "Scheduled task abuse is a very common method of persistence and defense evasion — and an enticing one, at that," the researchers  said . Hafnium, while most notable for Exchange Server attacks, has since leveraged unpatched zero-day vulnerabilities as initial vectors to drop web shells and other mal...

Cybersecurity researchers have disclosed a novel technique adopted by a threat actor to deliberately evade detection with the help of malformed digital signatures of its malware payloads. "Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products," Google Threat Analysis Group's Neel Mehta  said  in a write-up published on Thursday. The new mechanism was observed to be exploited by a notorious family of unwanted software known as  OpenSUpdater  that's used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software. The findings come from a set of OpenSUpdater  samples   uploaded  to VirusTotal at least since mid-August. While adversaries in the past ...

Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices. "These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables," researchers from Eclypsium  said  in a report published on Monday. "These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like  Secured-core  because of the ubiquitous usage of  ACPI  [Advanced Configuration and Power Interface] and WPBT." WPBT, introduced with Windows 8 in 2012, is a  feature  that enables "boot firmware to provide Windows with a platform binary that the operating system can execute."  In other wor...

A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S. The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali. "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi," Anomali Threat Research  said  in a technical analysis published on September 2. "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018." An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in th...

A day after releasing  Patch Tuesday updates , Microsoft acknowledged yet another remote code execution vulnerability in the Windows Print Spooler component, adding that it's working to remediate the issue in an upcoming security update. Tracked as  CVE-2021-36958  (CVSS score: 7.3), the unpatched flaw is the latest to join a  list  of  bugs  collectively known as  PrintNightmare  that have plagued the printer service and come to light in recent months. Victor Mata of FusionX, Accenture Security, who has been credited with reporting the flaw,  said  the issue was disclosed to Microsoft in December 2020. "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," the company said in its out-of-band bulletin, echoing the vulnerability details for  CVE-2021-34481 . "An attacker who successfully exploited this vulnerability could run arbitrary code with S...

A proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down. Identified as  CVE-2021-1675 , the security issue could grant remote attackers full control of vulnerable systems.  Print Spooler  manages the printing process in Windows, including loading the appropriate printer drivers and scheduling the print job for printing, among others. Print Spooler flaws are concerning, not least because of the wide attack surface, but also owing to the fact that it runs at the highest privilege level and is capable of dynamically loading third-party binaries. The Windows maker addressed the vulnerability as part of its Patch Tuesday update on June 8, 2021. But almost two weeks later, Microsoft revised the flaw's impact from an elevation of privilege to remote code execution (RCE) as well as upgraded the severity level from Im...

Microsoft plugged as many as  89 security flaws  as part of its monthly Patch Tuesday updates released today, including fixes for an actively exploited zero-day in Internet Explorer that could permit an attacker to run arbitrary code on target machines. Of these flaws, 14 are listed as Critical, and 75 are listed as Important in severity, out of which two of the bugs are described as publicly known, while five others have been reported as under active attack at the time of release. Among those five security issues are a clutch of vulnerabilities known as  ProxyLogon  (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. But in the wake of Exchange servers coming under  indiscriminate assault  toward the end of February by multiple threat groups ...