Threat Intelligence | Breaking Cybersecurity News | The Hacker News

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang. The sanctions target Korea Sobaeksu Trading Company (aka Sobaeksu United Corporation), and Kim Se Un, Jo Kyong Hun, and Myong Chol Min for evading sanctions imposed by the U.S. and the United Nations against the Democratic People's Republic of Korea (DPRK) government.  "Our commitment is clear: Treasury, as part of a whole-of-government effort, will continue to hold accountable those who seek to infiltrate global supply chains and enable the sanctions evasion activities that further the Kim regime's destabilizing agenda," said Director of OFAC Bradley T. Smith. The latest action marks the U.S. government's continued efforts to dismantle North Korea's wide-ranging r...

The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence. "The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems," Arctic Wolf Labs said in a technical report published this week. The activity, which also singled out an unnamed manufacturer of precision-guided missile systems, appears to be geopolitically motivated as the timing coincides amid deepening defense cooperation between Pakistan and Türkiye, and the recent India-Pakistan military skirmishes. Patchwork, also called APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, is assessed to be a state-sponsored actor of Indian origin. Known to be active since at least 2009, the hacking group has a track record ...

Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration. The activity, dubbed Operation CargoTalon , has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901). "The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations," Seqrite Labs researcher Subhajeet Singha said in an analysis published this week. The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, within which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host. The decoy document, per Seqrite, references Obltransterminal, a ...

Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners. The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively. Soco404 "targets both Linux and Windows systems, deploying platform-specific malware," Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said . "They use process masquerading to disguise malicious activity as legitimate system processes." The activity is a reference to the fact that payloads are embedded in fake 404 HTML pages hosted on websites built using Google Sites. The bogus sites have since been taken down by Google. Wiz posited that the campaign, which has been previously observed going after Apache Tomcat services with weak credentials, as well as susceptible Apache Struts and Atlassian Confluence servers using the Sysrv botnet, is p...

Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign. The activity, observed this year, is primarily designed Now to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today. "The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments," the cybersecurity company said . "The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromise infrastructure." Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886 , a...

Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer , RedLine , StealC , NetSupport RAT , SectopRAT , and even other loaders like Hijack Loader . "It employs dead code injection and packing techniques to hinder analysis," the company said. "After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them." CastleLoader's modular structure allows it to act as both a delivery mechanism and a staging utility, enabling...

Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution.  The two vulnerabilities impacting Sophos Firewall are listed below - CVE-2025-6704 (CVSS score: 9.8) - An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode CVE-2025-7624 (CVSS score: 9.8) - An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection v...

The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. "The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems," security researchers Sudeep Singh and Roy Tay said in a Wednesday report. This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware. Over the past two years, hacking groups like EvilBamboo , Evasive Panda , and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the u...

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems. The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 ." The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that's known to drop Warlock and LockBit ransomware in the past. The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload. "This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint," Microsoft said. "Storm-2603 then initiates a series of discovery commands, incl...

Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform. The arrest, which took place in Kyiv, Ukraine, on July 222, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the French Police in July 2021. Coupled with the arrest, law enforcement has also taken control of the clearnet domain of XSS.is, greeting visitors with a seizure notice, "This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance of the SBU Cyber Department." "The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services," the law enforcement agency said . "It has long been a central platform for some of the most active and dangerous cybercriminal networks, used t...

Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions. Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on all WordPress sites in the installation. They are located in the "wp-content/mu-plugins" directory by default. What makes them an attractive option for attackers is that mu-plugins do not show in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory. As a result, a piece of malware that leverages this technique allows it to function quietly, without raising any red flags. In the infection spotted by web security company Sucuri, the PHP script in the mu-plugins directory ("wp-index.php") serves as a loader to fetch a next-stage payload and save it in the WordPr...

The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners. "Although Mimo's primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities," Datadog Security Labs said in a report published this week. Mimo's exploitation of CVE-2025-32432, a critical security flaw in Craft CMS, for cryptojacking and proxyjacking was documented by Sekoia in May 2025. Newly observed attack chains associated with the threat actor involve the abuse of undetermined PHP-FPM vulnerabilities in Magento e-commerce inst...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by July 23, 2025. "CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers," the agency said in an updated advisory. The inclusion of the two shortcomings, a spoofing vulnerability and a remote code execution vulnerability collectively tracked as ToolShell, to the KEV catalog comes after Microsoft revealed that Chinese hacking groups like Linen Typhoon and Violet Typhoon leveraged these flaws to breach on-premises SharePoint servers since July 7, 2025. As of writing, the tech...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-2775 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives CVE-2025-2776 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint. The three vulnerabilities were addressed by SysAid in the on-pre...

Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025 , corroborating earlier reports. The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws as well to obtain initial access to target organizations. "With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the tech giant said in a report published today. A brief description of the threat activity clusters is below - Linen Typhoon (aka APT27 , Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), which is active since 2012 and has been previously attributed to malware families like SysUpdate, HyperBro, and PlugX Violet Typhoon (aka ...

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation. "In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert. The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity. Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door. The vulnerabilities outlined in the alert are all critical-ra...

The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances ( CVE-2025-4427 and CVE-2025-4428 ). "We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk," Lotem Finkelstein, Director of Threat Intelligence at Chec...