Threat Intelligence | Breaking Cybersecurity News | The Hacker News

The North Korea-aligned threat actor known as BlueNoroff has been observed targeting an employee in the Web3 sector with deceptive Zoom calls featuring deepfaked company executives to trick them into installing malware on their Apple macOS devices. Huntress, which revealed details of the cyber intrusion, said the attack targeted an unnamed cryptocurrency foundation employee, who received a message from an external contact on Telegram. "The message requested time to speak to the employee, and the attacker sent a Calendly link to set up meeting time," security researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon said . "The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor." After several weeks, the employee is said to have joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with oth...

Most cyberattacks today don't start with loud alarms or broken firewalls. They start quietly—inside tools and websites your business already trusts. It's called " Living Off Trusted Sites " (LOTS)—and it's the new favorite strategy of modern attackers. Instead of breaking in, they blend in. Hackers are using well-known platforms like Google, Microsoft, Dropbox, and Slack as launchpads. They hide malicious code inside routine traffic, making it incredibly difficult for traditional defenses to detect them. And here's the scary part: many security teams don't even realize it's happening—until it's too late. Why You're Not Seeing These Attacks LOTS tactics don't look suspicious at first glance. There's no malware signature to flag, and no unusual IP address to trace. It's legitimate traffic—until it's not. Attackers are exploiting: Common business tools like Teams, Zoom, and GitHub Shortened or vanity URLs to redirect users Trusted cloud services to host malicious payloads ...

Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims' emails. Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity seeks to impersonate the U.S. Department of State.  "From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs), GTIG researchers Gabby Roncone and Wesley Shields said . "Once the target shares the ASP passcode, the attackers establish persistent access to the victim's mailbox." The activity has been attributed by Google to a threat cluster it tracks as UNC6293, which it says is likely affiliate...

A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix. It leverages "the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts," security researcher Tim Peck said in a report shared with The Hacker News. The attack starts with sending payment- or invoice-themed phishing emails bearing a link to a zipped document that contains a Windows shortcut (LNK) file. These shortcuts are disguised as documents to trick victims into opening them, effectively activating the infection sequence. The elaborate multi-step process culminates in the execution of a Python-based shellcode loader that executes payloads packed with the open-source Donut loader entirely in memory. Securonix said the campaign has targeted the...

A new multi-stage malware campaign is targeting Minecraft users with a Java-based malware that employs a distribution-as-service (DaaS) offering called Stargazers Ghost Network . "The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically," Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News. "The malware was impersonating Oringo and Taunahi, which are 'Scripts and macros tools' (aka cheats). Both the first and second stages are developed in Java and can only be executed if the Minecraft runtime is installed on the host machine." The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub and deliver a .NET information stealer with comprehensive data theft capabilities. The campaign was first detected by the cybersecurity company in March 2025. What makes the activity notable is its use of an illicit offering called the Stargazers Ghost...

Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware. "The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems," Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week. The "broad and sustained" campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities, such as SMTP email bomber and Sakura-RAT, but harbored within their Visual Studio project configuration files malicious payloads that are designed to siphon sensitive data. Water Curse's arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with "develope...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities ( KEV ) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023. "Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount," the agency said. "This uid mapping bug allows a local user to escalate their privileges on the system." It's currently not known how the security flaw is being exploited in the wild. In a report published in May 2023, Datadog said the vulnerability...

A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to little more than three years in prison for unlawfully retaining and transmitting top secret National Defense Information (NDI) to people who were not entitled to receive them and for attempting to cover up the malicious activity. Asif William Rahman, 34, of Vienna, has been sentenced today to 37 months on charges of stealing and divulging classified information. He was an employee of the CIA since 2016 and had Top Secret security clearance to access Sensitive Compartmented Information (SCI) until he was terminated from his job after he was arrested last November in Cambodia. Earlier this January, Rahman pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. As previously reported by The Hacker News, Rahman retained multiple Secret and Top Secret documents without authorization on October 17, 2024, took them to his place of residence...

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the company said in an advisory. CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability. Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole ( CVE-2025-23120 , CVSS score: 9.9) could be bypassed. Also addressed by Veeam is another flaw in the same product (CVE-2025...

Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts. The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security. LangSmith is an observability and evaluation platform that allows users to develop, test, and monitor large language model (LLM) applications, including those built using LangChain. The service also offers what's called a LangChain Hub , which acts as a repository for all publicly listed prompts, agents, and models. "This newly identified vulnerability exploited unsuspecting users who adopt an agent containing a pre-configured malicious proxy server uploaded to 'Prompt Hub,'" researchers Sasi Levi and Gal Moyal said in a report shared with The Hacker News. "Once adopted, the malicious proxy discreetly intercepted all user communicatio...

Cybersecurity researchers are warning of a new phishing campaign that's targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe. The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan's National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News. The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, referred to as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT. It's worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups. The starting point of the attack is a p...

The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG). "Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity," John Hultquist, chief analyst at GTIG, said in an email Monday. "We are now seeing incidents in the insurance industry. Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers." Scattered Spider is the name assigned to an amorphous collective that's known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the ...

Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. The list of vulnerabilities is as follows - CVE-2025-34509 (CVSS score: 8.2) - Use of hard-coded credentials CVE-2025-34510 (CVSS score: 8.8) - Post-authenticated remote code execution via path traversal CVE-2025-34511 (CVSS score: 8.8) - Post-authenticated remote code execution via Sitecore PowerShell Extension watchTowr Labs researcher Piotr Bazydlo said the default user account "sitecore\ServicesAPI" has a single-character password that's hard-coded to " b ." In its documentation, Sitecore advises customers against changing default user account credentials. While the user has no roles and permission...

Cybersecurity researchers have called attention to a new campaign that's actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware. "Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware," Trend Micro researchers Aliakbar Zahravi, Ahmed Mohamed Ibrahim, Sunil Bharti, and Shubham Singh said in a technical report published today. The activity entails the exploitation of CVE-2025-3248 (CVSS score: 9.8), a missing authentication vulnerability in Langflow , a Python-based "visual framework" for building artificial intelligence (AI) applications. Successful exploitation of the flaw could enable unauthenticated attackers to execute arbitrary code via crafted HTTP requests. It was patched by Langflow in March 2025 with version 1.3.0. Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagg...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.  The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request. "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm," the agency said. CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available. There is currently no public information available about how the shortcoming is being exploited in the wild, the scale of the attacks, and who is b...

The U.S. Department of Justice (DoJ) said it has filed a civil forfeiture complaint in federal court that targets over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets allegedly linked to a global IT worker scheme orchestrated by North Korea. "For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs," said Sue J. Bai, Head of the Justice Department's National Security Division. The Justice Department said the funds were originally restrained in connection with an April 2023 indictment against Sim Hyon-Sop, a North Korean Foreign Trade Bank (FTB) representative who is believed to have conspired with the IT workers. The IT workers, the department added, gained employment at U.S. cryptocurrency companies using fake identities and then laundered their ill-gotten gains through Sim to further Pyongyang's strategic objectives in violati...