cryptocurrency | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...

Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn't just a matter of firewalls and patches—it's about strategy. The strongest organizations aren't the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power. This week's stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT. ⚡ Threat of the Week Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent sec...

Cybersecurity researchers are calling attention to multiple campaigns that are taking advantage of known security vulnerabilities and exposed Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure. The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year. "Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies," Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report. "This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app develo...

INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. "The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation," the agency said . The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti , which took place between June and August 2025 to tackle severe crimes like ransomware, online scams. and business email compromise (BEC). The first wave of arrests occurred late last year. Among the highlights are the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme. "The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support...

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups. "The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box," Google said in a report published today. The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads - UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads UNC4108, a threat act...

A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban's sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX . In addition to 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust. Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 fr...

Power doesn't just disappear in one big breach. It slips away in the small stuff—a patch that's missed, a setting that's wrong, a system no one is watching. Security usually doesn't fail all at once; it breaks slowly, then suddenly. Staying safe isn't about knowing everything—it's about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk. Here are this week's signals—each one pointing to where action matters most. ⚡ Threat of the Week Ghost Tap NFC-Based Mobile Fraud Takes Off — A new Android trojan called PhantomCard has become the latest malware to abuse near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. In these attacks, users who end up installing the malicious apps are instructed to place their credit/debit card on the back of the phone to begin the verification process, only for the card data to be sent to an attacker-controlled NFC relay...

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019. The Treasury said it's also imposing sanctions on Garantex's successor, Grinex , as well as three executives of Garantex and six associated companies in Russia and the Kyrgyz Republic that have enabled these activities - Sergey Mendeleev (Co-founder) Aleksandr Mira Serda (Co-founder) Pavel Karavatsky (Co-founder) Independent Decentralized Finance Smartbank and Ecosystem (InDeFi Bank) Exved Old Vector A7 LLC A71 LLC A7 Agent LLC "Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion," said Under Secretar...

Google said it's implementing a new policy requiring developers of cryptocurrency exchanges and wallets to obtain government licenses before publishing apps in 15 jurisdictions in order to "ensure a safe and compliant ecosystem for users." The policy applies to markets like Bahrain, Canada, Hong Kong, Indonesia, Israel, Japan, the Philippines, South Africa, South Korea, Switzerland, Thailand, the United Arab Emirates, the United Kingdom, the United States, and the European Union. The changes do not apply to non-custodial wallets. This means developers publishing cryptocurrency exchange and wallet apps have to hold appropriate licences or be registered with relevant authorities like the Financial Conduct Authority (FCA) or Financial Crimes Enforcement Network (FinCEN), or authorized as a crypto-asset service provider (CASP) under the Markets in Crypto-Assets (MiCA) regulation before distribution. "If your targeted location is not on the list, you may continue to p...

Cybersecurity researchers have discovered a new malvertising campaign that's designed to infect victims with a multi-stage malware framework called PS1Bot . "PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access," Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said . "PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk." Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in-memory to minimize forensic trail. PS1Bot is assessed to share ...

This week, cyber attackers are moving quickly, and businesses need to stay alert. They're finding new weaknesses in popular software and coming up with clever ways to get around security. Even one unpatched flaw could let attackers in, leading to data theft or even taking control of your systems. The clock is ticking—if defenses aren't updated regularly, it could lead to serious damage. The message is clear: don't wait for an attack to happen. Take action now to protect your business. Here's a look at some of the biggest stories in cybersecurity this week: from new flaws in WinRAR and NVIDIA Triton to advanced attack techniques you should know about. Let's get into the details. ⚡ Threat of the Week Trend Micro Warns of Actively Exploited 0-Day — Trend Micro has released temporary mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987),...

Cybersecurity researchers are drawing attention to a new campaign that's using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign. The activity involves the creation of lookalike sites imitating Brazil's State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country's PIX payment system, Zscaler ThreatLabz said. These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack. "Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and...

A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users and likely resell them on dark web forums like Russian Market. The activity is assessed to be active since at least March 2023, according to the software supply chain security company Socket. Cumulatively, the gems have been downloaded more than 275,000 times. That said, it bears noting that the figure may not accurately represent the actual number of compromised systems, as not every download results in execution, and it's possible several of these gems have been downloaded to a single machine. "Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver," security researche...

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said. What makes the activity notable is the threat actor's use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It's worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week. "Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody's watching," Admoni said in a report published Thursday. To achieve this, the attackers first create ...

Cybersecurity researchers have lifted the veil on a widespread malicious campaign that's targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps. "Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users," CTM360 said . "The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking theyʼre interacting with a legitimate affiliate or the real platform." The scam campaign has been codenamed FraudOnTok  by the Bahrain-based cybersecurity company, calling out the threat actor's multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors. Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified...