Threat Intelligence | Breaking Cybersecurity News | The Hacker News

A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks. It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. The vulnerability is said to have been exploited as a zero-day in March 2025, although the exact nature of the attacks is unknown. Now, according to Huntress, the weakness also affects Gladinet Triofox up to version 16.4.10317.56372. "By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution," John Hammond, principal cybersecurity researcher at Huntress, said in a report...

Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical sectors. "The threat actor leverages fear-based lures delivered via phishing emails, designed to pressure recipients into clicking a malicious link," Morphisec Labs researcher Nadav Lorber said in a report shared with The Hacker News. "Once accessed, the link directs the user to download and open a file that triggers the ResolverRAT execution chain." The activity, observed as recently as March 10, 2025, shares infrastructure and delivery mechanism overlap with phishing campaigns that have distributed information stealer malware such as Lumma and Rhadamanthys, as documented by Cisco Talos and Check Point last year. A notable aspect of the campaign is the use of localized phishing lures, with the emails crafted in the languages predominantly spoken in the targeted countries. This includ...

Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. "This tactic not only gives the threat actors a higher success rate on obtaining usable credentials as they only engage with a specific pre-harvested list of valid email accounts," the company said . Unlike "spray-and-pray" credential harvesting campaigns that typically involve the bulk distribution of spam emails to obtain victims' login information in an indiscriminate fashion, the latest attack tactic takes spear-phishing to the next level by only engaging with email addresses that attackers have verified as active, legitimate, and high-value. In this scenario, the email address...

Attackers aren’t waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden. This week’s events show a hard truth: it’s not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world where AI tools can be used against you and ransomware hits faster than ever, real protection means planning for things to go wrong — and still staying in control. Check out this week’s update to find important threat news, helpful webinars, useful tools, and tips you can start using right away. ⚡ Threat of the Week Windows 0-Day Exploited for Ransomware Attacks — A security affecting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets, Microsoft revealed. The flaw, CVE-2025-29824, is a privilege escalation vulnerabilit...

A threat actor with ties to Pakistan has been observed targeting various sectors in India with various remote access trojans like Xeno RAT, Spark RAT, and a previously undocumented malware family called CurlBack RAT . The activity, detected by SEQRITE in December 2024, targeted Indian entities under railway, oil and gas, and external affairs ministries, marking an expansion of the hacking crew's targeting footprint beyond government, defence, maritime sectors, and universities. "One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism," security researcher Sathwik Ram Prakki said . SideCopy is suspected to be a sub-cluster within Transparent Tribe (aka APT36) that's active since at least 2019. It's so named for mimicking the attack chains associated with another threat actor called SideWinder to deliver its own payloads. In June 2024, SEQR...

Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched. The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475 , CVE-2023-27997 , and CVE-2024-21762 . "A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices," the network security company said in an advisory released Thursday. "This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN." Fortinet said the modifications took place in the user file system and managed to evade detection, causing the symbolic link (aka symlink) to be left behind even after the security holes responsible for the initial access were plugged. This, in turn, enabled the threa...

What are IABs? Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals. This division of labor allows IABs to concentrate on their core expertise: exploiting vulnerabilities through methods like social engineering and brute-force attacks.  By selling access, they significantly mitigate the risks associated with directly executing ransomware attacks or other complex operations. Instead, they capitalize on their skill in breaching networks, effectively streamlining the attack process for their clients. This business model enables IABs to operate with a lower profile and reduced risk, while still profiting from their technical skills. Operating primarily on dark web forums and underground markets, IABs can function independently or as part of larger organizations like Ransomware-as-a-Service (RaaS) gangs.  They act as a crucial link in the cybercrime ecosystem, providing the i...

Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat hunters warned of a surge in suspicious login scanning activity targeting its appliances. "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," a spokesperson for the company told The Hacker News. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary." The development comes after threat intelligence firm GreyNoise alerted of a spike in suspicious login scanning activity aimed at PAN-OS GlobalProtect portals. The company further noted that the activity commenced on March 17, 2025, hitting a peak of 23,958 unique IP addresses before dropping off towards the end of last month. The pattern indicates...

Overview of the PlayPraetor Masquerading Party Variants CTM360 has now identified a much larger extent of the ongoing Play Praetor campaign. What started with 6000+ URLs of a very specific banking attack has now grown to 16,000+ with multiple variants. This research is ongoing, and much more is expected to be discovered in the coming days.  As before, all the newly discovered play impersonations are mimicking legitimate app listings, deceiving users into installing malicious Android applications or exposing sensitive personal information. While these incidents initially appeared to be isolated, further investigation has revealed a globally coordinated campaign that poses a significant threat to the integrity of the Play Store ecosystem. Evolution of the Threat This report expands on the earlier research into PlayPraetor, highlighting the discovery of five newly identified variants. These variants reveal the campaign’s increasing sophistication in terms of attack techniques, ...

The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on February 26, 2025. "The initial infection vector used by the attackers appears to have been an infected removable drive," the Broadcom-owned threat intelligence division said in a report shared with The Hacker News. The attack started with the creation of a Windows Registry value under the UserAssist key, followed by launching "mshta.exe" using "explorer.exe" to initiate a multi-stage infection chain and launch two files. The first file, named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communications with a command-and...

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals. "In a coordinated series of actions , customers of the Smokeloader pay-per-install botnet, operated by the actor known as 'Superstar,' faced consequences such as arrests, house searches, arrest warrants or 'knock and talks,'" Europol said in a statement. Superstar is alleged to have run a pay-per-install service that enabled its customers to gain unauthorized access to victim machines, using the loader as a conduit to deploy next-stage payloads of their choice. According to the European law enforcement agency, the access afforded by the botnet was used for various purposes such as keylogging, webcam access, ransomware deployment, and cryptocurrency mining. The latest action, part of an ongoing coordinated exercise called Operation Endgame , which led to the dismantling of online infrastructure associated with...

Lovable , a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. "As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly with every scammer's wishlist," Guardio Labs' Nati Tal said in a report shared with The Hacker News. "From pixel-perfect scam pages to live hosting, evasion techniques, and even admin dashboards to track stolen data – Lovable didn't just participate, it performed. No guardrails, no hesitation." The technique has been codenamed VibeScamming – a play on the term vibe coding, which refers to an AI-dependent programming technique to produce software by describing the problem statement in a few sentences as a prompt to a large language model (LLM) tuned for codin...

A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB . "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an analysis published this week. ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating all the way back to at least December 2020. Last year, the Russian cybersecurity vendor detailed the hacking group's use of various tools to maintain persistent access to compromised environments and harvest data on an "industrial scale" from organizations located in the Asia-Pacific region. Kaspersky said its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file ("version...

Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the tech giant said . The vulnerability in question is CVE-2025-29824, a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. It was fixed by Redmond as part of its Patch Tuesday update for April 2025. Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also leveraging a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known. However, the threa...