Threat Intelligence | Breaking Cybersecurity News | The Hacker News

Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper . "The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal," Slovakian cybersecurity company ESET said in a report shared with The Hacker News. "GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration." The group was first discovered in January 2025 following the discovery of a never-before-seen backdoor codenamed LaxGopher on a system belonging to a Mongolian governmental entity. Also discovered as part of the threat actor's arsenal are a number of other malware families, mostly developed using Golang to receive instructions from the C&C server, execute them, and send the results back. Also...

Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems. The company said it made the discovery after expanding its investigation to include an extra set of compromise indicators, alongside a review of requests to the Vercel network and environment variable read events in its logs. "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods," the company said in an update. In both cases, Vercel said it notified affected parties. It did not disclose the exact number of customers who were impacted. The development comes after the company that created the Next.js framework acknowledged the breach originated with a compromise of Context.ai after it was used by a Vercel em...

The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. The cybersecurity company said it identified artifacts uploaded to the VirusTotal platform from India and Afghanistan, suggesting that the two countries may be the target of the espionage activity. Harvester was first publicly documented by Symantec in late 2021, linking it to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021, using a bespoke implant called Graphon that used the Microsoft Graph API for C2. Subsequent activity flagged in Au...

Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than financially motivated objectives," Acronis researchers Subhajeet Singha and Santiago Pontiroli said in an analysis. The use of LOTUSLITE was previously observed in spear-phishing attacks targeting U.S. government and policy entities using decoys associated with the geopolitical developments between the U.S. and Venezuela. The activity was attributed with medium confidence to a Chinese nation-state group tracked as Mustang Panda. The latest activity flagged by Acronis involves deploying an evolved version of LOTUSLITE that demonstrates "incremental improvements" over ...

Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC . According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims. "SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol," Check Point said. "It can also download and execute additional malware, with payloads either written to disk or injected directly into memory." Since its emergence in July 2025, The Gentlemen has quickly established itself as one of the most prolific ransomware groups, claiming more than 320 victims on its data leak site. Operating under a classic double-extortion model, the group is versatile as it's sophisticated, exhibiting capabilities to target Windows, Linux, N...

Security teams often present MTTR as an internal KPI. Leadership sees it differently: every hour a threat dwells inside the environment is an hour of potential data exfiltration, service disruption, regulatory exposure, and brand damage.  The root cause of slow MTTR is almost never "not enough analysts." It is almost always the same structural problem: threat intelligence that exists outside the workflow. Feeds that require manual lookup. Reports that live in a shared drive. Enrichment that happens in a separate tab. Every handoff costs minutes; over the course of a workday, those minutes become hours. Mature SOCs have collapsed those handoffs. Their intelligence is embedded in the workflow itself at the exact moment a decision needs to be made. Below are the five places where separation matters most. 1. Detection: Catching Threats Before They Become Incidents In many SOCs, detection begins only when an alert fires. By that point, the attacker may already have a foothol...

Cybersecurity researchers have discovered a new iteration of an Android malware family called  NGate  that has been found to abuse a legitimate application called  HandyPay instead of NFCGate. "The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. "As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim's payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments." In addition, the malicious payload is capable of capturing the victim's payment card PIN and exfiltrating it to the threat actor's command-and-control (C2) server. NGate, also known as NFSkate, was first publicly documented by the Slovakian cybersecurity vendor in August 2024, detailing its ability to carry out relay ...

The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. However, the most reliable entry point for attackers still hasn't changed: stolen credentials. Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing from prior breach databases, password spraying against exposed services, or phishing campaigns — and use them to walk through the front door. No exploits needed. Just a valid username and password. What makes this difficult to defend against is how unremarkable the initial access looks. A successful login from a legitimate credential doesn't trigger the same alarms as a port scan or a malware callback. The attacker looks like an employee. Once inside, they dump and crack additional passwords, reuse those credentials to move laterally, and expand their foothold across the environment....

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class. CVE-2024-27199 (CVSS score: 7.3) - A relative path traversal vulnerability in JetBrains TeamCity that could allow an attacker to perform limited admin actions. CVE-2025-2749 (CVSS score: 7.2) - A path traversal vulnerability in Kentico Xperience that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations. CVE-2025-32975 (CVSS score: 10.0) - An improper authentication vulnerability in Quest KACE Systems Ma...

Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems. The malware has been codenamed ZionSiphon by Darktrace, highlighting its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet. According to details on VirusTotal, the sample was first detected in the wild on June 29, 2025, right after the Twelve-Day War between Iran and Israel that took place between June 13 and 24. "The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, highlighting growing experimentation with politically motivated critical infrastructure attacks against industrial operational technologies globally," the company said . ZionSiphon, currently in an unfinished state, is characterized by it...

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST ," it said . "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon." The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows - CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. CVEs for software used within the federal government. CVEs for critical software as defined by Executive Order 14028: this includes soft...

A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 30, 2026. CVE-2026-34197 has been described as a case of improper input validation that could lead to code injection, effectively allowing an attacker to execute arbitrary code on susceptible installations. According to Horizon3.ai's Naveen Sunkavally, CVE-2026-34197 has been "hiding in plain sight" for 13 years.  "An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS c...

A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage elaborate social engineering tactics through LinkedIn and Telegram to breach both Windows and macOS systems, approaching prospective individuals on the professional social network under the guise of a venture capital firm and then moving the conversation to a Telegram group where several purported partners are present. The Telegram group chat is engineered to lend the operation a smidgen of credibility, with the members discussing topics related to financial services and cryptocurrency liquidity solutions. The target is then instructed to use Obsidian to access what appears to be a s...

The Computer Emergencies Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The activity, which was observed between March and April 2026, has been attributed to a threat cluster dubbed UAC-0247 . The origins of the campaign are presently unknown. According to CERT-UA, the starting point of the attack chain is an email message claiming to be a humanitarian aid proposal, urging recipients to click on a link that redirects to either a legitimate website compromised via a cross-site scripting (XSS) vulnerability or a bogus site created with help from artificial intelligence (AI) tools. Regardless of what the site is, the goal is to download and run a Windows Shortcut (LNK) file, which then execut...

Threat actors have been observed weaponizing n8n , a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access," Cisco Talos researchers Sean Gallagher and Omid Mirzaei said in an analysis published today. N8n is a workflow automation platform that allows users to connect various web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based tasks. Users can register for a developer account at no extra cost to avail a managed cloud-hosted service and run automation workflows without having to set up their own infrastructure.Doing so, however, creates a unique custom domain t...

A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security. "The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message," according to an advisory released by nginx-ui maintainers last month. "While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting -- and the default IP whitelist is empty, which the middleware treats as 'allow all.'"  "This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and t...

OpenAI on Tuesday unveiled GPT-5.4-Cyber , a variant of its latest flagship model, GPT‑5.4 , that's specifically optimized for defensive cybersecurity use cases, days after rival Anthropic unveiled its own frontier model, Mythos . "The progressive use of AI accelerates defenders – those responsible for keeping systems, data, and users safe – enabling them to find and fix problems faster in the digital infrastructure everyone relies on," OpenAI said . In conjunction with the announcement, the artificial intelligence (AI) company said it's ramping up its Trusted Access for Cyber ( TAC ) program to thousands of authenticated individual defenders and hundreds of teams responsible for securing critical software. AI systems are inherently dual-use, as bad actors can repurpose technologies developed for legitimate applications to their own advantage and achieve malicious goals. One core area of concern is that adversaries could invert the models fine...

Cybersecurity researchers have unmasked a novel ad fraud scheme that has been found to leverage search engine poisoning (SEO) techniques and artificial intelligence (AI)-generated content to push deceptive news stories into Google's Discover feed and trick users into enabling persistent browser notifications that lead to scareware and financial scams. The campaign, which has been found to target the personalized content feeds of Android and Chrome users, has been codenamed Pushpaganda by HUMAN's Satori Threat Intelligence and Research Team. "This operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages," researchers Louisa Abel, Vikas Parthasarathy, João Santos, and Adam Sell said in a report shared with The Hacker News. At its peak, about 240 million bid requests have been associated wit...

A critical security vulnerability impacting ShowDoc , a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution. "[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server," according to an advisory released by Vulhub.  The vulnerability was addressed in ShowDoc version 2.8.7 , which was shipped in October 2020. The current version of the software is 3.8.1 . According to new details shared by Caitlin Cond...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2026-21643 (CVSS score: 9.1) -  An SQL injection vulnerability in  Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. CVE-2020-9715 (CVSS score: 7.8) - A use-after-free vulnerability in Adobe Acrobat Reader that could result in remote code execution. CVE-2023-36424 (CVSS score: 7.8) - An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation. CVE-2023-21529 (CVSS score: 8.8) - A deserialization of untrusted data in Microsoft Exchange Server that could allow an authenticated attacker to achieve remote code execution.  CVE-2025-60...