cyber espionage | Breaking Cybersecurity News | The Hacker News

Iran's state-owned TV broadcaster was hacked Wednesday night to interrupt regular programming and air videos calling for street protests against the Iranian government, according to multiple reports. It's currently not known who is behind the attack, although Iran pointed fingers at Israel, per Iran International. "If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," the broadcaster was quoted as saying. The breach of state television is the latest in a string of cyber attacks inside Iran that have been attributed to Israel-linked actors. It also coincides with the hack of Bank Sepah and Nobitex, Iran's largest cryptocurrency exchange. The Nobitex breach led to the theft of more than $90 million, a brazen escalation in the cyber war that has simmered between Israel and Iran for more than a decade. "Iranian entities have experimented with virtual assets as bot...

A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to little more than three years in prison for unlawfully retaining and transmitting top secret National Defense Information (NDI) to people who were not entitled to receive them and for attempting to cover up the malicious activity. Asif William Rahman, 34, of Vienna, has been sentenced today to 37 months on charges of stealing and divulging classified information. He was an employee of the CIA since 2016 and had Top Secret security clearance to access Sensitive Compartmented Information (SCI) until he was terminated from his job after he was arrested last November in Cambodia. Earlier this January, Rahman pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. As previously reported by The Hacker News, Rahman retained multiple Secret and Top Secret documents without authorization on October 17, 2024, took them to his place of residence...

A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper . The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3). Google addressed the flaw later that month after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations. "The initial attack vector was a phishing email containing a malicious link," security researchers Stanislav Pyzhov and Vladislav Lunin said . "When the victim clicked the link, it triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff." The phishing email is said to have been disguised as an invitation to the Primakov Readings forum – the same lure detailed by Kaspersky – urging users to click on a link that led to a fake...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the agency said in an advisory. Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution. The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider's SimpleHelp deployed was accessed by the threat actor using these flaws, and then leveraged it to pivot t...

The reconnaissance activity targeting American cybersecurity company SentinelOne was part of a broader set of partially-related intrusions into several targets between July 2024 and March 2025. "The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors," SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel said in a report published today. Some of the targeted sectors include manufacturing, government, finance, telecommunications, and research. Also present among the victims was an IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time of the breach in early 2025. The malicious activity has been attributed with high confidence to China-nexus threat actors, with some of the attacks tied to a threat cluster dubbed PurpleHaze , which, in turn, overlaps with Chinese cyber espionage groups publicly reported as APT15...

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said. Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities , with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion. Stating that Bitter fr...

The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs. In a public statement, the government said it identified China as the culprit behind a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The extent of the breach is presently not known. "The malicious activity [...] lasted from 2022 and affected an institution designated as Czech critical infrastructure," it added . The attack has been attributed to a state-sponsored threat actor tracked as APT31 , which also overlaps with threat clusters known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium). The hacking group, publicly associated with the Ministry of State Security (MSS) and the Hubei State Security Department, is assessed to be active since at least 2010, per the U.S. Departme...

The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload. The attack chain is a departure from the threat actor's previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis. "Given TAG-110's historical targeting of public sector entities in Central Asia, this campaign is likely targeting government, educational, and research institutions within Tajikistan," the cybersecurity company noted . "These cyber espionage operations likely aim to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions." TAG-110, also called UAC-0063, is the name assigned to a threat activity group that's known for its targeting of European embassies, as well as other organizations in Cent...

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damages. Two of the defendants, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, are currently at large. Stepanov has been charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin has been charged with cons...

Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165. Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the bulletin said...

High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder. "The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content," Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas Thevendaran said in a report shared with The Hacker News. The attack chains leverage spear-phishing lures as a starting point to activate the infection process and deploy a known malware referred to as StealerBot. It's worth pointing out that the modus operandi is consistent with recent SideWinder attacks documented by Kaspersky in March 2025. Some of the targets of the campaign, per Acronis, include Bangladesh's Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan's Directorate of Indigenous Technical Development; and Sri Lanka...

Threat hunters have exposed the tactics of a China-aligned threat actor called UnsolicitedBooker that targeted an unnamed international organization in Saudi Arabia with a previously undocumented backdoor dubbed MarsSnake. ESET, which first discovered the hacking group's intrusions targeting the entity in March 2023 and again a year later, said the activity leverages spear-phishing emails using flight tickets as lures to infiltrate targets of interest. "UnsolicitedBooker sends spear-phishing emails, generally with a flight ticket as the decoy, and its targets include governmental organizations in Asia, Africa, and the Middle East," the company said in its latest APT Activity Report for the period ranging from October 2024 to March 2025. Attacks mounted by the threat actor are characterized by the use of backdoors like Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are widely used by Chinese hacking crews. UnsolicitedBooker is assessed to share overlaps with a clu...

A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET. The activity, which commenced in 2023, has been codenamed Operation RoundPress by the Slovak cybersecurity company. It has been attributed with medium confidence to the Russian state-sponsored hacking group tracked as APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. "The ultimate goal of this operation is to steal confidential data from specific email accounts," ESET researcher Matthieu Faou said in a report shared with The Hacker News. "Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South ...

A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors. Cybersecurity firm Trend Micro said the first wave, codenamed VENOM, mainly targeted software service providers, while the second wave, referred to as TIDRONE, singled out the military industry. Earth Ammit is assessed to be connected to Chinese-speaking nation-state groups. "In its VENOM campaign, Earth Ammit's approach involved penetrating the upstream segment of the drone supply chain," security researchers Pierre Lee, Vickie Su, and Philip Chen said . "Earth Ammit's long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach." The TIDRONE campaign was first exposed by Trend Micro la...

The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia . Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion." "The group's interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes," security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly said in a report shared with The Hacker News. Konni APT , also known as Opal Sleet, Osmium, TA406, and Vedalia , is a cyber espionage group that has a history of targeting entities in South Korea, the United States, and Russia. It's operational since at least 2014. Attack chains mounted by the threat actor often involve the use of phishing emails to distribute malware called Konni RAT (aka UpDog) and redirect r...

A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. "These exploits have resulted in a collection of related user data from targets in Iraq," the Microsoft Threat Intelligence team said . "The targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities." The activity has been attributed to a threat group it tracks as Marbled Dust (formerly Silicon), which is also known as Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326. The hacking crew is believed to have been active since at least 2017, although it wasn't until two years later that Cisco Talos documented attacks targeting public and private entities in the Middle East and North Africa. Early last year, it was also identified as targeting telecommunication, media, in...