Threat Intelligence | Breaking Cybersecurity News | The Hacker News

Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. "PROMPTFLUX is written in VBScript and interacts with Gemini's API to request specific VBScript obfuscation and evasion techniques to facilitate 'just-in-time' self-modification, likely to evade static signature-based detection," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. The novel feature is part of its "Thinking Robot" component, which periodically queries the large language model (LLM), Gemini 1.5 Flash or later in this case, to obtain new code so as to sidestep detection. This, in turn, is accomplished by using a hard-coded API key to send the query to the Gemini API endpoint. The prompt sent to the model is both highly specif...

Behind every alert is an analyst; tired eyes scanning dashboards, long nights spent on false positives, and the constant fear of missing something big. It's no surprise that many SOCs face burnout before they face their next breach. But this doesn't have to be the norm. The path out isn't through working harder, but through working smarter, together. Here are three practical steps every SOC can take to prevent burnout and build a healthier, more resilient team. Step 1: Reduce Alert Overload with Real-Time Context SOC burnout often starts with alert fatigue. Analysts waste hours dissecting incomplete data because traditional systems provide only fragments of the story. By giving teams the full behavioral context behind alerts, leaders can help them prioritize faster and act with confidence. Leading SOCs are already turning to advanced solutions like ANY.RUN's interactive sandbox to cut through the noise. Instead of static logs, they see the full attack chain unfold in real time, fr...

Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks. The vulnerabilities "allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications," Check Point said in a report shared with The Hacker News. Following responsible disclosure in March 2024, some of the issues were addressed by Microsoft in August 2024 under the CVE identifier CVE-2024-38197, with subsequent patches rolled out in September 2024 and October 2025. In a nutshell, these shortcomings make it possible to alter message content without leaving the "Edited" label and sender identity and modify incoming notifications to change the apparent sender of the message, thereby allowing an attacker to trick victims into opening malicious messages by making them appear as if they are coming from a trusted source, including high-profile C-suite executives...

Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus. According to multiple reports from Cyble and Seqrite Labs , the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation. The activity has been codenamed Operation SkyCloak by Seqrite, stating the phishing emails utilize lures related to military documents to convince recipients into opening a ZIP file containing a hidden folder with a second archive file, along with a Windows shortcut (LNK) file, which, when opened, triggers the multi-step infection chain. "They trigger PowerShell commands which act as the initial dropper stage where another archive file besides the LNK is used to set up the entire chain," security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding...

Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck . According to Secure Annex's John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads. "The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down," Tuckner added . Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor. In the latest...

Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe. From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test. Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow. ⚡ Threat of the Week Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a target campaign that has leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was "limited to sectors aligned with their intelligence...

Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the majority of which are classified as benign. Addressing the root cause of these blind spots and alert fatigue isn't as simple as implementing more accurate tools. Many of these traditional tools are very accurate, but their fatal flaw is a lack of context and a narrow focus - missing the forest for the trees. Meanwhile, sophisticated attackers exploit exposures invisible to traditional reactive tools, often evading detection using widely-available bypass kits .  While all of these tools are effective in their own right, they often fail because of the reality that attackers don't employ just ...

Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it's being executed on a real device. BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that's used on devices made by the Chinese original equipment manufacturer (OEM). "The malware also includes logic to identify specific devices," CYFIRMA said. "It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or suppo...

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday. "The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said. The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation. "By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks," CISA said . The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Some of the best practices outlined are listed below - Maintain security updates and patching cadence Migrate end-o...

Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace. The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft's VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain. "Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions," Mikaël Barbero, head of security at the Eclipse Foundation, said in a statement. "These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure." Open VSX said it has also introduced a toke...

The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs. AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. While the server component is written in Golang, the GUI Client is written in C++ QT for cross-platform compatibility. It comes with a wide range of features, including fully encrypted communications, command execution, credential and screenshot managers, and a remote terminal, among others. An early iteration was publicly released by a GitHub user named " RalfHacker " ( @HackerRalf on X) in August 2024, who describes themselves as a penetration tester, red team operator, and "MalDev" (short for malware developer). In recent months, AdaptixC2 has been adopted by various hacking groups, including threat actors tied to the Fog and Akira ransomware operations, as ...

Security doesn't fail at the point of breach. It fails at the point of impact.  That line set the tone for this year's Picus Breach and Simulation (BAS) Summit , where researchers, practitioners, and CISOs all echoed the same theme: cyber defense is no longer about prediction. It's about proof. When a new exploit drops, scanners scour the internet in minutes. Once attackers gain a foothold, lateral movement often follows just as fast. If your controls haven't been tested against the exact techniques in play, you're not defending, you're hoping things don't go seriously pear-shaped. That's why pressure builds long before an incident report is written. The same hour an exploit hits Twitter, a boardroom wants answers. As one speaker put it, "You can't tell the board, 'I'll have an answer next week.' We have hours, not days." BAS has outgrown its compliance roots and become the daily voltage test of cybersecurity, the current you run through your stack to see what actuall...

Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai , Gafgyt , and Mozi . "These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks," the Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News. The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS . This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage. Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below - CVE-2017-9841 - A Remote code execution vulnerability in PHPUnit CVE-2021-3129 - A Re...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. "The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News. One of the web shells used in the attack was Localolive, which was previously flagged by Microsoft as put to use by a sub-group of the ...

Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS," Socket security researcher Kush Pandya said . The npm packages were uploaded to the registry on July 4, 2025, and accumulated over 9,900 downloads collectively - deezcord.js dezcord.js dizcordjs etherdjs ethesjs ethetsjs nodemonjs react-router-dom.js typescriptjs zustand.js The multi-stage credential theft operation manifested in the form of various typosquatted packages impersonating popular npm libraries such as TypeScript, discord.js, ethers.js, nodemon, react...

Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) and VulnCheck . The vulnerabilities are listed below - CVE-2025-6204 (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code. CVE-2025-6205 (CVSS score: 9.1) - A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application. CVE-2025-24893 (CVSS score: 9.8) - An improper neutralization of input in a dynamic evaluation call (aka eval injection ) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 202...

Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover ( DTO ) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with The Hacker News. The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16. It's assessed that while the malware is not a direct evolution of another banking malware known as Brokewell , it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., "BRKWL_...