cryptocurrency | Breaking Cybersecurity News | The Hacker News

In a world where threats are persistent, the modern CISO's real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the decisions you make now will shape your organization's resilience for years to come. This isn't just a threat roundup; it's the strategic context you need to lead effectively. Here's your full weekly recap, packed with the intelligence to keep you ahead. ⚡ Threat of the Week New HybridPetya Ransomware Bypasses UEFI Secure Boot — A copycat version of the infamous Petya/NotPetya malware dubbed HybridPetya has been spotted. But no telemetry exists to suggest HybridPetya has been deployed in the wild yet. It also differs in one key respect: It can compromise the secure boot featu...

Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware. "The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites," Fortinet FortiGuard Labs researcher Pei Han Liao said . "By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware." The activity, which was discovered by the cybersecurity company in August 2025, leads to the deployment of malware families like HiddenGh0st and Winos (aka ValleyRAT), both of which are variants of a remote access trojan called Gh0st RAT. It's worth noting that the use of Winos has been attributed to a cybercrime group known as Silver Fox , which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne. It's believed to be acti...

Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fleshless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts. "The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs," LevelBlue said in a report shared with The Hacker News. "These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake 'Skype Updater' scheduled task." In the infection chain documented by the cybersecurity company, the threat actors have been found to leverage a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload via hands-on-keyboard activity. "We saw trojanized ScreenC...

A new Android malware called RatOn  has evolved from a basic tool capable of conducting Near Field Communication ( NFC ) relay attacks to a sophisticated remote access trojan with Automated Transfer System ( ATS ) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," the Dutch mobile security company said in a report published today. The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic. Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It's worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to d...

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it's knowing which risks matter most right now. That's what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It's a sharp reminder of how fragile integrations can become the weak link in enterprise defenses. Alongside this, we'll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise. ⚡ Threat of the Week Salesloft to Take Drift Of...

A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. "The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor," Socket researcher Kush Pandya said in an analysis. The packages were uploaded to npm by a user named " flashbotts ," with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025. The packages in question, all of which are still available for download as of writing, are listed below - @flashbotts/ethers-provider-bundle (52 Downloads) flashbot-sdk-eth (467 Downloads) sdk-ethers (90 Downloads) gram-utilz (83 Downloads) The impersonation of Flashbots is not coincidental, given its role in combating the adverse effects of...

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal , are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia. The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed. The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods. In all, as ...

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar. "The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below - colortoolsv2 (7 downloads) mimelib2 (1 download) The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them. While the packages themselves make no effort to conceal their malici...

Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems. The package, named nodejs-smtp , impersonates the legitimate email library nodemailer with an identical tagline, page styling, and README descriptions, attracting a total of 347 downloads since it was uploaded to the npm registry in April 2025 by a user named "nikotimon." It's currently no longer available. "On import, the package uses Electron tooling to unpack Atomic Wallet's app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory," Socket researcher Kirill Boychenko said . The main objective is to overwrite the recipient address with hard-coded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP...

Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large consequences.  For defenders, the lesson is clear: the real danger often comes not from one major flaw, but from how different small flaws interact together. ⚡ Threat of the Week WhatsApp Patches Actively Exploited Flaw — WhatsApp addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 relates to a case of insufficient authorization of linked device synchronization messages. The Meta-owned company ...

Authorities from the Netherlands and the United States have announced the dismantling of an illicit marketplace called VerifTools that peddled fraudulent identity documents to cybercriminals across the world. To that end, two marketplace domains (verif[.]tools and veriftools[.]net) and one blog have been taken down, redirecting site visitors to a splash page stating the action was undertaken by the U.S. Federal Bureau of Investigation (FBI) pursuant to a warrant issued by a United States District Court. The servers were seized in Amsterdam. However, a Telegram message posted by operators on August 28, 2025, shows that they have already relaunched the service on the domain "veriftools[.]com." The domain was created on December 10, 2018, per DomainTools . It's currently not known who the administrators of the platform are. "The operators of VerifTools produced and sold counterfeit driver's licenses, passports, and other identification documents that could be u...

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime's weapons of mass destruction and ballistic missile programs. "The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom," said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. "Under President Trump, Treasury is committed to protecting Americans from these schemes and holding the guilty accountable." The key players targeted include Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology Co., Ltd, and Korea Sinjin Trading Corporation. The latest effort expands the scope of sanctions imposed against Chinyong Informat...

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...

Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn't just a matter of firewalls and patches—it's about strategy. The strongest organizations aren't the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power. This week's stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT. ⚡ Threat of the Week Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent sec...

Cybersecurity researchers are calling attention to multiple campaigns that are taking advantage of known security vulnerabilities and exposed Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure. The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year. "Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies," Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report. "This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app develo...

INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. "The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation," the agency said . The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti , which took place between June and August 2025 to tackle severe crimes like ransomware, online scams. and business email compromise (BEC). The first wave of arrests occurred late last year. Among the highlights are the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme. "The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support...

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups. "The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box," Google said in a report published today. The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads - UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads UNC4108, a threat act...

A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban's sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX . In addition to 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust. Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 fr...