Threat Intelligence | Breaking Cybersecurity News | The Hacker News

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability , tracked as CVE-2025-53690 , carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said . "This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution." Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team ...

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT . "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group said . The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders. CastleLoader was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. A subsequent analysis from IBM X-...

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. "SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC," according to a description of the flaw in the NIST National Vulnerability Database (NVD). "This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. Successful exploration of the defect could result in a full system compromise of the SAP environment, subverting the confidentiality, integrity, and availability of the system. In short, it can permit attackers to modify the SAP database, create superuser accounts with SAP_ALL privileges, download password hashes, and alter business processes. SecurityBri...

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal , are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia. The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed. The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods. In all, as ...

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud." The entire attack lasted only about 35 seconds, with the company stating its "defenses have been working overtime." Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions. Such attacks are often conducted by sending the requests from botnets that are already under the control of the threat actors after having infected t...

The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE. The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee's system. "From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections," Yun Zheng Hu and Mick Koomen said . "Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack." The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim. Although the exact initial ...

Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems. "MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management," QiAnXin XLab said in a report published last week. "Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility." MystRodX, also called ChronosRAT, was first documented by Palo Alto Networks Unit 42 last month in connection with a threat activity cluster called CL-STA-0969 that it said exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda. The malware's stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network co...

Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large consequences.  For defenders, the lesson is clear: the real danger often comes not from one major flaw, but from how different small flaws interact together. ⚡ Threat of the Week WhatsApp Patches Actively Exploited Flaw — WhatsApp addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 relates to a case of insufficient authorization of linked device synchronization messages. The Meta-owned company ...

As enterprises continue to shift their operations to the browser, security teams face a growing set of cyber challenges. In fact, over 80% of security incidents now originate from web applications accessed via Chrome, Edge, Firefox, and other browsers. One particularly fast-evolving adversary, Scattered Spider, has made it their mission to wreak havoc on enterprises by specifically targeting sensitive data on these browsers. Scattered Spider, also referred to as UNC3944, Octo Tempest, or Muddled Libra, has matured over the past two years through precision targeting of human identity and browser environments. This shift differentiates them from other notorious cybergangs like Lazarus Group, Fancy Bear, and REvil. If sensitive information such as your calendar, credentials, or security tokens is alive and well in browser tabs, Scattered Spider is able to acquire them.  In this article, you'll learn details about Scattered Spider's attack methods and how you can stop them in their ...

Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor , illustrating ongoing abuse of legitimate software for malicious purposes. "In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server," the Sophos Counter Threat Unit Research Team said in a report published this week.  While threat actors are known to adopt living-off-the-land (LotL) techniques or take advantage of legitimate remote monitoring and management (RMM) tools in their attacks, the use of Velociraptor signals a tactical evolution, where incident response programs are being used to obtain a foothold and minimize the need for having to deploy their own malware.  Further analysis of the incident has revealed that the attackers used the Wind...

Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts. The campaign used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow," Amazon's Chief Information Security Officer CJ Moses said . APT29, also tracked as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes, is the name assigned to a state-sponsored hacking group with ties to Russia's Foreign Intelligence Service (SVR). In recent months, the prolific threat actor has been linked to attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data. Since the start of the year, the adversarial collec...

A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent. The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group (GTIG) and Mandiant, tracked as UNC6395. GTIG told The Hacker News that it's aware of over 700 potentially impacted organizations. "Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application," researchers Austin Larsen, Matt Lin, Tyler McLellan, and Omar ElAhdan said . In these attacks, the threat actors have been observed exporting large volumes of data from numerous corporate Salesforce instances, with the likely aim of harvesting credentials that could be then used to compromise vic...

Cybersecurity researchers have discovered five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025. These attacks, observed by Recorded Future Insikt Group, targeted various victims, but primarily within the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under the name TAG-144. "Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods," the Mastercard-owned company said . Blind Eagle has a history of targeting organizations in South America since at least 2018, with the attacks reflecting both cyber espionage and financially driven motivations. This is evidenced in their ...

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that's targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell. The activity has been codenamed ZipLine by Check Point Research. "Instead of sending unsolicited phishing emails, attackers initiate contact through a company's public 'Contact Us' form, tricking employees into starting the conversation," the company said in a statement shared with The Hacker News. "What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware." The attacks have cast a wide net, spanning multiple organizations across sectors and geographic locations, but with an emphasis on U.S.-based entities. Primary targets include companies in industrial manufacturing, such as machinery, metalwork, component production, and engine...

Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said . "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter." Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others. UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT , DCRat (aka DarkCrystal RAT), and Babylon RAT , each of which enable an attacker to take full control of compromi...