cyber espionage | Breaking Cybersecurity News | The Hacker News

A hacking group with ties other than Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT. The activity has been attributed by Recorded Future's Insikt Group to a threat actor tracked as TAG-140, which it said overlaps with SideCopy , an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (aka APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM). "TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques," the Mastercard-owned company said in an analysis published last month. "This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality." The updated version of DRAT, called DRAT V2, is the latest a...

Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China. According to QiAnXin's RedDrip Team, the threat actor has been active since 2023 and has switched network infrastructure at an extremely fast rate. The findings were presented at CYDES 2025 , the third edition of Malaysia's National Cyber Defence & Security Exhibition and Conference held between July 1 and 3, 2025. "It seems to have the speed of an eagle and has been operating at night in China," the cybersecurity vendor said , explaining the rationale behind naming the adversary NightEagle. Attacks mounted by the threat actor have singled out entities operating in the high-tech, chip semiconductors, quantum technology, artificial intelligence, and military verticals with th...

The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken , which is assessed to share some level overlaps with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus). "While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," the French National Agency for the Security of Information Systems (ANSSI) said . "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and d...

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against Russia-based bulletproof hosting (BPH) service provider Aeza Group to assist threat actors in their malicious activities and targeting victims in the country and across the world. The sanctions also extend to its subsidiaries Aeza International Ltd., the U.K. branch of Aeza Group, as well as Aeza Logistic LLC, Cloud Solutions LLC, and four individuals linked to the company - Arsenii Aleksandrovich Penzev, CEO and 33% owner of Aeza Group Yurii Meruzhanovich Bozoyan, general director and 33% owner of Aeza Group Vladimir Vyacheslavovich Gast, technical director who works closely with Penzev and Bozoyan Igor Anatolyevich Knyazev, 33% owner of Aeza Group who manages the operations in the absence of Penzev and Bozoyan It's worth noting that Penzev was arrested in early April 2025 on charges of leading a criminal organization and enabling large-scale drug trafficking ...

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader . Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829 . The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu. The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an "unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes." TA829 is something of an unusual hacking group in the threat landscape given its ability to conduct both espionage as well as financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozil...

U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors.  "Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events," the agencies said . "These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices." There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted. Emphasizing the need for "incr...

Threat hunters have discovered a network of more than 1,000 compromised small office and home office (SOHO) devices that have been used to facilitate a prolonged cyber espionage infrastructure campaign for China-nexus hacking groups. The Operational Relay Box (ORB) network has been codenamed LapDogs by SecurityScorecard's STRIKE team. "The LapDogs network has a high concentration of victims across the United States and Southeast Asia, and is slowly but steadily growing in size," the cybersecurity company said in a technical report published this week. Other regions where the infections are prevalent include Japan, South Korea, Hong Kong, and Taiwan, with victims spanning IT, networking, real estate, and media sectors. Active infections span devices and services from Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology.  LapDogs' beating heart is a custom backdoor called ShortLeash that's engineered...

A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community. The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians' Convention on Tibet (WPCT), China's education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force. The cybersecurity division of the technology company said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD . It's tracking the threat actor under the name Hive0154. The attack chains employ Tibet-themed lures to distribute a malicious archive containing a benign Microsoft Word file, along with articles reproduced by Tibetan websites and photos from WPCT, into opening an executable that's disguised as a document. The executable, as observed in prior Mustang Panda atta...

An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel. "In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages," Check Point said in a report published Wednesday. "The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations." The cybersecurity company attributed the activity to a threat cluster it tracks as Educated Manticore , which overlaps with APT35 (and its sub-cluster APT42 ), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda. The advanced persist...

Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah. Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation "carried out by Iran and its proxies." "The actors gained unauthorized access to phpMyAdmin (backend) and exfiltrated stored records," Resecurity said . "This is an example of Iran using data breaches as part of a larger anti-U.S., anti-Israel, and anti-Saudi propaganda activity in cyberspace, targeting major sports and social events." It's believed that the data is likely pulled from the Saudi Games 2024 official website and then shared on DarkForums , a cybercrime forum that has gained attention in the wake of BreachForums' repeated takedowns. The information was published by a forum user named ZeroDay...

The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked Salt Typhoon actors to breach major global telecommunications providers as part of a cyber espionage campaign. The attackers exploited a critical Cisco IOS XE software ( CVE-2023-20198 , CVSS score: 10.0) to access configuration files from three network devices registered to a Canadian telecommunications company in mid-February 2025. The threat actors are also said to have modified at least one of the files to configure a Generic Routing Encapsulation ( GRE ) tunnel, enabling traffic collection from the network. The name of the targeted company was not disclosed. Stating that the targeting likely goes beyond the telecommunications sector, the agencies said the targeting of Canadian devices may permit the threat actors to collect information from the compromised networks and use them as leverage to breach additiona...

Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut ( LNK ) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said . XDSpy is the name assigned to a cyber espionage that's known to target government agencies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.  In recent years, companies in Russia and Moldova have been targeted by various campaigns to deliver malware families like UTask, XDDown, and DSDownloader that can download additional payloads and steal sensitive information from compromised hosts. HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that's triggered when processing specially crafted LNK files. The v...

Iran's state-owned TV broadcaster was hacked Wednesday night to interrupt regular programming and air videos calling for street protests against the Iranian government, according to multiple reports. It's currently not known who is behind the attack, although Iran pointed fingers at Israel, per Iran International. "If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," the broadcaster was quoted as saying. The breach of state television is the latest in a string of cyber attacks inside Iran that have been attributed to Israel-linked actors. It also coincides with the hack of Bank Sepah and Nobitex, Iran's largest cryptocurrency exchange. The Nobitex breach led to the theft of more than $90 million, a brazen escalation in the cyber war that has simmered between Israel and Iran for more than a decade. "Iranian entities have experimented with virtual assets as bot...

A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to little more than three years in prison for unlawfully retaining and transmitting top secret National Defense Information (NDI) to people who were not entitled to receive them and for attempting to cover up the malicious activity. Asif William Rahman, 34, of Vienna, has been sentenced today to 37 months on charges of stealing and divulging classified information. He was an employee of the CIA since 2016 and had Top Secret security clearance to access Sensitive Compartmented Information (SCI) until he was terminated from his job after he was arrested last November in Cambodia. Earlier this January, Rahman pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. As previously reported by The Hacker News, Rahman retained multiple Secret and Top Secret documents without authorization on October 17, 2024, took them to his place of residence...

A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper . The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3). Google addressed the flaw later that month after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations. "The initial attack vector was a phishing email containing a malicious link," security researchers Stanislav Pyzhov and Vladislav Lunin said . "When the victim clicked the link, it triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff." The phishing email is said to have been disguised as an invitation to the Primakov Readings forum – the same lure detailed by Kaspersky – urging users to click on a link that led to a fake...