Threat Intelligence | Breaking Cybersecurity News | The Hacker News

A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor's targeting beyond Ukraine and into entities supporting the war-torn nation . The activity, which targeted an unnamed entity involved in regional development and reconstruction initiatives, has been attributed to a cybercrime group tracked as UAC-0050 (aka DaVinci Group ). BlueVoyant has designated the name Mercenary Akula to the threat cluster. The attack was observed earlier this month. "The attack spoofed a Ukrainian judicial domain to deliver an email containing a link to a remote access payload," researchers Patrick McHale and Joshua Green said in a report shared with The Hacker News. "The target was a senior legal and policy advisor involved in procurement, a role with privileged insight into institutional operation...

The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team. Broadcom's threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date. "Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025," the company said in a report shared with The Hacker News. "Victims included a non-profit in the mental health sector and an educational facility for autistic children. It is unknown if all these victims were targeted by North Korean opera...

The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities. The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week. "The group used several unique and rare instruments of Chinese origin," researchers Alexander Badaev and Maxim Shamanov said . UnsolicitedBooker was first documented by ESET in May 2025, attributing the China-aligned threat actor to a cyber attack targeting an unnamed international organization in Saudi Arabia with a backdoor dubbed MarsSnake. The group is assessed to be active since at least March 2023 and has a history of targeting organizations in Asia, Africa, and the Middle East. Further analysis of the threat actor has uncovered tactical overlaps with two other clusters, including Space Pirates an...

The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze . "The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration," the cybersecurity company said . The attack chains employ spear-phishing emails as a starting point to distribute lure documents that contain a common structural element within their XML, a field named "INCLUDEPICTURE" that points to a webhook[.]site URL that hosts a JPG image. This, in turn, causes the image file to be fetched from the remote server when the document is opened. Put differently, this mechanism acts as a beaconing mechanism akin to a tracking pixel that triggers an outbound HTTP request to the webhook[.]si...

Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts. "Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system," Trellix researcher Aswath A said in a technical report published last week. "Furthermore, the malware exhibits worm-like capabilities, spreading across external storage devices, enabling lateral movement even in air-gapped environments." The entry point of the attack is the use of social engineering decoys, advertising free premium software in the form of pirated software bundles, such as installers for office productivity suites, to trick unsuspecting users into downloading malware-laced executables. The binary acts as the central nervous system of the infectio...

The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo . The activity, first observed on January 26, 2026, has resulted in the deployment of new malware families that share overlapping samples previously identified as used by the threat actor, according to a report published by Group-IB. These include downloaders like GhostFetch and HTTP_VIP, along with a Rust backdoor called CHAR and an advanced implant codenamed GhostBackDoor that's dropped by GhostFetch. "These attacks follow similar patterns and align with the killchains previously observed in MuddyWater attacks; starting with a phishing email with a Microsoft Office document attached to it that contains malicious macro code that decodes the embedded payload and drops it on the system and executes it, pro...

A Russian-speaking, financially motivated threat actor has been observed taking advantage of commercial generative artificial intelligence (AI) services to compromise over 600 FortiGate devices located in 55 countries. That's according to new findings from Amazon Threat Intelligence, which said it observed the activity between January 11 and February 18, 2026. "No exploitation of FortiGate vulnerabilities was observed—instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale," CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said in a report. The tech giant described the threat actor as having limited technical capabilities, a constraint they overcame by relying on multiple commercial generative AI tools to implement various phases of the attack cycle, such as tool development, attac...

Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT). "The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic," Elastic Security Labs said in a Friday report. According to the enterprise search and cybersecurity company, MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation capabilities. The campaign was discovered earlier this month. It's also assessed to share tactic...

A 29-year-old Ukrainian national has been sentenced to five years in prison in the U.S. for his role in facilitating North Korea's fraudulent information technology (IT) worker scheme. In November 2025, Oleksandr "Alexander" Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft for stealing the identities of U.S. citizens and selling them to IT workers to help them land jobs at 40 U.S. companies and draw regular salaries, which were then funneled back to the regime to support its weapons programs. He was apprehended by Polish authorities in late 2024, and later extradited to the U.S. Didenko has also been ordered to serve 12 months of supervised release and to pay $46,547.28 in restitution. Last year, Didenko also agreed to forfeit more than $1.4 million, which includes about $181,438 in U.S. dollars and cryptocurrency seized from him and his co-conspirators. The defendant is said to have run a website named Upworksell[.]com to help oversea...

We’ve all seen this before: a developer deploys a new cloud workload and grants overly broad permissions just to keep the sprint moving. An engineer generates a "temporary" API key for testing and forgets to revoke it. In the past, these were minor operational risks, debts you’d eventually pay down during a slower cycle. In 2026, “Eventually” is Now But today, within minutes, AI-powered adversarial systems can find that over-permissioned workload, map its identity relationships, and calculate a viable route to your critical assets. Before your security team has even finished their morning coffee, AI agents have simulated thousands of attack sequences and moved toward execution. AI compresses reconnaissance, simulation, and prioritization into a single automated sequence. The exposure you created this morning can be modeled, validated, and positioned inside a viable attack path before your team has lunch. The Collapse of the Exploitation Window Historically, the exploita...

Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that's designed to facilitate device takeover ( DTO ) attacks for financial theft. The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity is primarily singling out users looking for the online TV applications. "This new threat, while only seen in a limited number of rather targeted campaigns, already poses a great risk to the users of mobile banking, allowing its operators to remotely control infected devices and perform device takeover attacks with further fraudulent transactions performed from the victim's banking accounts," the Dutch mobile security company said in a report shared with The Hacker News. ThreatFabric told The Hacker News via email that the malware was first spotted in a campaign targeting users in Portugal and Greece earlier this year, although it has observed samples dating back to...

Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST , likely targeting supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The Acronis Threat Research Unit (TRU) said it observed the activity after January 9, with the attacks designed to deliver a malicious payload that serves as a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data. It's currently not known if any of the attacks were successful. "The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos," researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week. "These files are bundled with authentic media and a Farsi-language report providing updates from 'the rebellious cities of Iran.' This pro- protest framing appears ...

New research from the Citizen Lab has found signs that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident's phone, making it the latest case of abuse of the technology targeting civil society. The interdisciplinary research unit at the University of Toronto's Munk School of Global Affairs & Public Policy said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027. Specifically, it has emerged that Cellebrite's forensic extraction tools were used on his Samsung phone while it was in police custody following his arrest in July 2025. The phone was returned to him nearly two months later, in September, at which point Mwangi found that the phone was no longer password-protected and could be unlocked without requiring a password. It's been assessed with high confidence that ...

Cybersecurity researchers have disclosed a critical security flaw in the Grandstream GXP1600 series of VoIP phones that could allow an attacker to seize control of susceptible devices. The vulnerability, tracked as CVE-2026-2329 , carries a CVSS score of 9.3 out of a maximum of 10.0. It has been described as a case of unauthenticated stack-based buffer overflow that could result in remote code execution. "A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device," Rapid7 researcher Stephen Fewer, who discovered and reported the bug on January 6, 2026, said . According to the cybersecurity company, the issue is rooted in the device's web-based API service ("/cgi-bin/api.values.get") and is accessible in a default configuration without requiring authentication. This endpoint is designed to fetch one or more configuration values from the phone, such as the firmware version number...

In 2025, navigating the digital seas still felt like a matter of direction. Organizations charted routes, watched the horizon, and adjusted course to reach safe harbors of resilience, trust, and compliance. In 2026, the seas are no longer calm between storms. Cybersecurity now unfolds in a state of  continuous atmospheric instability : AI-driven threats that adapt in real time, expanding digital ecosystems, fragile trust relationships, persistent regulatory pressure, and accelerating technological change. This is not turbulence on the way to stability; it  is the climate. In this environment, cybersecurity technologies are no longer merely navigational aids. They are  structural reinforcements . They determine whether an organization endures volatility or learns to function normally within it. That is why security investments in 2026 are increasingly made not for coverage, but for  operational continuity : sustained operations, decision-grade visibility and cont...

A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG). The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Other products, including RecoverPoint Classic, are not vulnerable to the flaw. "This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence," Dell said in a bulletin released Tuesday. The issue impacts the following products - RecoverPoint for Virtual Machines Version 5.3 SP4 P1 - Migrate from RecoverPoint for Virtual Machines 5.3 SP4 P1 to 6.0 SP3, and th...

Security, IT, and engineering teams today are under relentless pressure to accelerate outcomes, cut operational drag, and unlock the full potential of AI and automation. But simply investing in tools isn’t enough. 88% of AI proofs-of-concept never make it to production, even though 70% of workers cite freeing time for high-value work as the primary AI automation motivation. Real impact comes from intelligent workflows that combine automation, AI-driven decisioning, and human ingenuity into seamless processes that work across teams and systems.  In this article, we’ll highlight three use cases across Security and IT that can serve as powerful starting points for your intelligent workflow program. For each use case, we’ll share a pre-built workflow to help you tackle real bottlenecks in your organization with automation while connecting directly into your existing tech stack. These use cases are great starting points to help you turn theory into practice and achieve measurable gai...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2026-2441 (CVSS score: 8.8) - A use-after-free vulnerability in Google Chrome that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2024-7694 (CVSS score: 7.2) - An arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier that could allow an attacker to upload malicious files and achieve arbitrary system command execution on the server. CVE-2020-7796 (CVSS score: 9.8) - A server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to send a crafted HTTP request to a remote host and obtain unauthorized access to sensitive information. CVE-2008-0015 (CVSS score: 8.8) - ...

Cybersecurity researchers have disclosed that artificial intelligence (AI) assistants that support web browsing or URL fetching capabilities can be turned into stealthy command-and-control (C2) relays, a technique that could allow attackers to blend into legitimate enterprise communications and evade detection. The attack method, which has been demonstrated against Microsoft Copilot and xAI Grok, has been codenamed AI as a C2 proxy by Check Point. It leverages "anonymous web access combined with browsing and summarization prompts," the cybersecurity company said. "The same mechanism can also enable AI-assisted malware operations, including generating reconnaissance workflows, scripting attacker actions, and dynamically deciding 'what to do next' during an intrusion." The development signals yet another consequential evolution in how threat actors could abuse AI systems, not just to scale or accelerate different phases of the cyber attack cycle, but als...

A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky. The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu , in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. In all cases, the backdoor is embedded within tablet firmware, and the firmware files carry valid digital signatures. The names of the other vendors were not disclosed. "In several instances, the compromised firmware was delivered with an OTA update," security researcher Dmitry Kalinin said in an exhaustive analysis published today. "A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the ...