Phishing | Breaking Cybersecurity News | The Hacker News

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in Golang, offering cross-platform support for both Windows and Linux systems," security researchers Santiago Pontiroli, Gabor Molnar, and Kirill Antonenko said in a report shared with The Hacker News. "Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines." While work on the "remote administration tool" started way back in 2017, it did not attract attention until December 2022 , when it was put to use in a malicious campaig...

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.  "In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard-based remote access tool on the victim's computer," Trellix researcher Srini Seethapathy said in an analysis. The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group. The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishin...

Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. "CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan Raghuprasad said in a report published today. "Lucky_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary." Numero, on the other hand, is a destructive malware that impacts victims by manipulating the graphical user interface (GUI) components of their Windows operating system, thereby rendering the machines unusable. The cybersecurity company said the legitimate versions of the AI tools are popular in the business-to-business (B2B) sal...

Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities. "Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity," Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said . APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, RedGolf, Red Kelpie, TA415, Wicked Panda, and Winnti, is the name assigned to a prolific nation-state group known for its targeting of governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors. In July 2024, Google reve...

Would you expect an end user to log on to a cybercriminal's computer, open their browser, and type in their usernames and passwords? Hopefully not! But that's essentially what happens if they fall victim to a Browser-in-the-Middle (BitM) attack. Like Man-in-the-Middle (MitM) attacks, BiTM sees criminals look to control the data flow between the victim's computer and the target service , as University of Salento researchers Franco Tommasi, Christian Catalano, and Ivan Taurino have outlined in a paper for the International Journal of Information Security. However, there are several key differences. Man-in-the-Middle vs Browser-in-the-Middle A MiTM attack utilizes a proxy server that places itself between the victim's browser and the legitimate target service at the application layer. It needs some kind of malware to be placed and run on the victim's computer.  But a BiTM attack is different. Instead, the victim thinks they're using their own browser – conducting their normal on...

Threat hunters have exposed a novel campaign that makes use of search engine optimization (SEO) poisoning techniques to target employee mobile devices and facilitate payroll fraud. The activity, first detected by ReliaQuest in May 2025 targeting an unnamed customer in the manufacturing sector, is characterized by the use of fake login pages to access the employee payroll portal and redirect paychecks into accounts under the threat actor's control. "The attacker's infrastructure used compromised home office routers and mobile networks to mask their traffic, dodging detection and slipping past traditional security measures," the cybersecurity company said in an analysis published last week. "The adversary specifically targeted employee mobile devices with a fake website impersonating the organization's login page. Armed with stolen credentials, the adversary gained access to the organization's payroll portal, changed direct deposit information, and re...

The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years. The campaign leverages "information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims," the FBI said in an advisory. Luna Moth, also called Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is known to be active since at least 2022 , primarily employing a tactic called callback phishing or telephone-oriented attack delivery (TOAD) to trick unsuspecting users into calling phone numbers listed in benign-looking phishing emails related to invoices and subscription payments. It's worth mentioning here that Luna Moth refers to the same hacking crew that previously carried out BazarCall (aka BazaCall) campaigns to deploy ransomware like Conti . The ...

As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The packages, published under three different accounts, come with an install‑time script that's triggered during npm install, Socket security researcher Kirill Boychenko said in a report published last week. The libraries have been collectively downloaded over 3,000 times. "The script targets Windows, macOS, or Linux systems, and includes basic sandbox‑evasion checks, making every infected workstation or continuous‑integration node a potential source of valuable reconnaissance," the software supply chain security firm said . The names of the three accounts, each of which published 20 packages within an 11-day time period, are listed below. The accounts no longer exist on npm - bbbb335656 cdsfdfafd1232436437, and  sdsds656565 The malicious code, per So...

Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena. "Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, evading traditional antivirus tools," security researchers Anna Širokova and Ivan Feigl said . "Once installed, it quietly connects to attacker-controlled servers – mostly hosted in Hong Kong – to receive follow-up instructions or additional malware." The attacks, like those that have deployed Winos 4.0 in the past, appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the "careful, long-term planning" by a very capable threat actor. Winos 4.0 (aka ValleyRAT) was first ...

The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware." Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024.

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems. "Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," the U.S. Department of Justice (DoJ) said in a statement. The confiscated infrastructure has been used to target millions across the world through affiliates and other cyber criminals. Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information, such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. Th...