cyber espionage | Breaking Cybersecurity News | The Hacker News

Security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE . The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive ("US now deciding what's next for Venezuela.zip") containing a malicious DLL that's launched using DLL side-loading techniques. It's not known if the campaign managed to successfully compromise any of the targets. The activity has been attributed with moderate confidence to a Chinese state-sponsored group known as Mustang Panda (aka Earth Pret, HoneyMyte, and Twill Typhoon), citing tactical and infrastructure patterns. It's worth noting that the threat actor is known for extensively relying on DLL side-loading to launch its backdoors, including TONESHELL. "This campaign reflects a continued trend of targeted spear ...

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837 , assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their v...

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least April 2024. Attack chains distributing the malware leverage instant messaging Signal and WhatsApp as vectors, with the threat actors masquerading as charity organizations to convince targets into clicking on a seemingly-harmless link ("harthulp-ua[.]com" or "solidarity-help[.]org") impersonating the foundation and download a password-protected archive.

Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular plugins that enable its operators to augment or change its capabilities over time, as well as pivot when objectives change. It was first discovered in December 2025. "The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods," the cybersecurity company said in an analysis published today. "VoidLink's architecture is extremely flexible and highly modular, centered around a custom Plugin API that appears to be inspired by Cobalt Strike's Beacon Object Files (BOF) appr...

This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn't need novel tricks. They used what was already exposed and moved in without resistance. Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and again. Phishing crept into apps people rely on daily, while malware blended into routine system behavior. Different victims, same playbook: look normal, move quickly, spread before alarms go off. For defenders, the pressure keeps rising. Vulnerabilities are exploited almost as soon as they surface. Claims and counterclaims appear before the facts settle. Criminal groups adapt faster each cycle. The stories that follow show where things failed—and why those failures matter going forward. ⚡ Threat of the Week Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability ...

The Iranian threat actor known as MuddyWater has been attributed to a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater . "The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion," CloudSEK resetter Prajwal Awasthi said in a report published this week. The latest development reflects continued evolution of MuddyWater's tradecraft, which has gradually-but-steadily reduced its reliance on legitimate remote access software as a post-exploitation tool in favor of a diverse custom malware arsenal comprising tools like Phoenix, UDPGangster , BugSleep (aka MuddyRot), and MuddyViper . Also tracked as Mango Sandstorm, Static Kitten, and TA450, the hacking group is assessed to be affiliated with Iran's Ministry of Intelli...

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid, according to a Cisco Talos report published today. "In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise's network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes," researchers Asheer Malhotra, Vitor Ventura, and Brandon White said . "The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage-motiva...

The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. "This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025," the 360 Threat Intelligence Center said in a technical report. Also tracked as Hive0156, the hacking group is primarily known for leveraging war-themed lures in phishing emails to deliver Hijack Loader in attacks targeting Ukrainian entities. The malware loader subsequently acts as a pathway for Remcos RAT infections. The threat actor was first documented by CERT-UA in early January 2024. Subsequent attack campaigns have been found to leverage messaging apps like Signal and Telegram as a delivery vehicle for malware. The latest findings from the Chinese security vendor points to a further evolution of this tactic. ...

The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. "The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion," CYFIRMA said in a technical report. Transparent Tribe, also called APT36, is a hacking group that's known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Pakistani origin, the state-sponsored adversary has been active since at least 2013. The threat actor boasts of an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT , Crimson RAT , ElizaRAT , and DeskRAT . The latest set of attacks began with ...

The Chinese hacking group known as Mustang Panda (aka HoneyMyte) has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand. "The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines," the Russian cybersecurity company said . "Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys." The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malwa...

Last week's cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced. New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused. And damage did not stop when an incident was "over" — it continued to surface months or even years later. This weekly recap brings those stories together in one place. No overload, no noise. Read on to see what shaped the threat landscape in the final stretch of 2025 and what deserves your attention now. ⚡ Threat of the Week MongoDB Vulnerability Comes Under Attack — A newly disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7)...

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It's assessed to be active since at least 2012. "The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests." This is not the first time Evasive Panda's DNS pois...

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous." Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant. The group has also managed to remain elusive, attracting little attention, unlike other Iranian hacking crews such as Charming Kitten , MuddyWater , and OilRig ...

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers," security researchers Anton Cherepanov and Peter Strýček said . Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers. The attacks are characterized by the use of a varied custom toolset that mainly consists of C#...

Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole $1.3 billion, according to Chainalysis' Crypto Crime Report shared with The Hacker News. "This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises," the blockchain intelligence company said . "Overall, 2025's numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion." The February compromise of cryptocurrency exchange Bybit alone is responsible for $1.5 billion of the $2.02 billion plundered by North ...

The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. Check Point Research is tracking the cluster under the name Ink Dragon . It's also referenced by the broader cybersecurity community under the names CL-STA-0049 , Earth Alux , and REF7707 . The China-aligned hacking group is assessed to be active since at least March 2023. "The actor's campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry," the cybersecurity company said in a technical breakdown published Tuesday. "This mix makes their intrusions both effective and stealthy." Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has "impacte...

Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug). "One of the malware's primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API," Daniel Stepanic, principal security researcher at Elastic Security Labs, said. "This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file...

An advanced persistent threat (APT) known as WIRTE has been attributed to attacks targeting government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag since 2020 . Palo Alto Networks Unit 42 is tracking the activity cluster under the name Ashen Lepus . Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights on Oman and Morocco, indicating an expansion in operational scope beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt. The company told The Hacker News said it has observed "scores of unique lures" disseminated across the Middle East, indicating a "persistent and wide-reaching campaign" confined to government and diplomatic entities in the region. More than a dozen entities are estimated to have been targeted, although it's suspected that the real number could be higher. "Ashen Lepus remained persistently active throughout the Israel...

Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565 . Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade , which is also tracked under the names Earth Kapre, RedCurl, and Red Wolf. The financially motivated threat actor is believed to be active since late 2018 , initially targeting entities in Russia, before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S. The group has a history of using phishing emails to conduct commercial espionage. However, recent attack waves have found RedCurl to have engaged in ransomware attacks using a bespoke malware strain dubbed QWCrypt . One of the notable tools in the threat actor's arsenal is RedLoader, which s...

The Iranian hacking group known as MuddyWater has been observed leveraging a new backdoor dubbed UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan, according to a report from Fortinet FortiGuard Labs. "This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads – all communicated through UDP channels designed to evade traditional network defenses," security researcher Cara Lin said . The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. Some of the phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections a...