Phishing | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that's targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell. The activity has been codenamed ZipLine by Check Point Research. "Instead of sending unsolicited phishing emails, attackers initiate contact through a company's public 'Contact Us' form, tricking employees into starting the conversation," the company said in a statement shared with The Hacker News. "What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware." The attacks have cast a wide net, spanning multiple organizations across sectors and geographic locations, but with an emphasis on U.S.-based entities. Primary targets include companies in industrial manufacturing, such as machinery, metalwork, component production, and engine...

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...

Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said . "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter." Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others. UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT , DCRat (aka DarkCrystal RAT), and Babylon RAT , each of which enable an attacker to take full control of compromi...

The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities. "Initial access is achieved through spear-phishing emails," CYFIRMA said . "Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads." Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs). The latest dual-platform demonstrates the adversarial collective's continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments. The attack chains begin with phishing emails bearing sup...

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell . The "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up. "The payload isn't hidden inside the file content or a macro, it's encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger." The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code. What's more, the technique offers the added advantage of...

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that's being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla , AsyncRAT , Formbook , Masslogger , Remcos RAT , Rhadamanthys Stealer , and Snake Keylogger . IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable. "The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL," security researcher Raymond Joseph Alfonso said . "This DLL, in turn, loads, decrypts, and injects the final payload into its target process....

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers, such as Perplexity's Comet , that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user's knowledge or intervention. "With PromptFix, the approach is different: We don't try to glitch the model into obedience," Guardio researchers Nati Tal and Shaked Chen said . "Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core des...

North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025. The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations. "The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel," Trellix researchers Pham Duy Phuc and Alex Lanstein said . The infection chains have been observed to rely on trusted cloud storage solutions like Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation, in order to deliver a variant of an open-source remote access trojan called Xeno RAT that grants the threat actors to take control of compromised systems. The campaign i...

The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region. "The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News. Noodlophile was previously detailed by the cybersecurity vendor in May 2025, uncovering the attackers' use of fake artificial intelligence (AI)-powered tools as lures to propagate the malware. These counterfeit programs were found to be advertised on social media platforms like Facebook. That said, the adoption of copyright infringement lures is not a new development. Back in Nov...

Cybersecurity researchers are drawing attention to a new campaign that's using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign. The activity involves the creation of lookalike sites imitating Brazil's State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country's PIX payment system, Zscaler ThreatLabz said. These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack. "Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and...

When an organization's credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password. According to Verizon's 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That's nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door. This quiet and persistent threat has been growing. New data compiled by Cyberint—an external risk management and threat intelligence company recently acquired by Check Point—shows a 160% increase in leaked credentials in 2025 compared to the previous year. The report, titled The Rise of Leaked Credentials , provides a look into not just the volume of these leaks, but how they are exploi...

The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. "The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations," Silent Push said in an analysis. SocGholish, also called FakeUpdates, is a JavaScript loader malware that's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. It's attributed to a threat actor called TA569, which is also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543. Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele, includ...

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country. The attacks, which leverage phishing emails as an initial compromise vector, are used to deliver malware families like MATCHBOIL, MATCHWOK, and DRAGSTARE. UAC-0099, first publicly documented by the agency in June 2023, has a history of targeting Ukrainian entities for espionage purposes. Prior attacks have been observed leveraging security flaws in WinRAR software (CVE-2023-38831, CVSS score: 7.8) to propagate a malware called LONEPAGE. The latest infection chain involves using email lures related to court summons to entice recipients into clicking on links that are shortened using URL shortening services like Cuttly. These links, which are sent via UKR.NET email addresses, point to a double archive file containing an HTML Application...

A combination of propagation methods, narrative sophistication, and evasion techniques enabled the social engineering tactic known as ClickFix to take off the way it did over the past year, according to new findings from Guardio Labs. "Like a real-world virus variant, this new ' ClickFix ' strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year," security researcher Shaked Chen said in a report shared with The Hacker News. "It did so by removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result – a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures." ClickFix is the name given to a social engineering tactic where prospective targets are deceived into infecting their own machines under the guise of fixing a non-existent issue or a CAPTCHA verification. It was first det...

Why do SOC teams still drown in alerts even after spending big on security tools? False positives pile up, stealthy threats slip through, and critical incidents get buried in the noise. Top CISOs have realized the solution isn't adding more and more tools to SOC workflows but giving analysts the speed and visibility they need to catch real attacks before they cause damage.  Here's how they're breaking the cycle and turning their SOCs into true threat-stopping machines. Starting with Live, Interactive Threat Analysis The first step to staying ahead of attackers is seeing threats as they happen. Static scans and delayed reports just can't keep up with modern, evasive malware. Interactive sandboxes like ANY.RUN let analysts detonate suspicious files, URLs, and QR codes in a fully isolated, safe environment and actually interact with the sample in real time . Why CISOs give access to interactive sandboxes: Analysts can click links, open files, and mimic real user actions to trig...