#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
AI Security

cyber espionage | Breaking Cybersecurity News | The Hacker News

Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware

Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware

Jul 19, 2024 Malware / Mobile Security
A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information. These attacks, attributed to an activity cluster codenamed OilAlpha , entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said . Targets of the ongoing campaign include, CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre. "The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East," the cybersecurity company said. OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. These attacks leveraged What
APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

Jul 19, 2024 Cyber Espionage / Threat Intelligence
Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group. "APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period," Google-owned Mandiant said in a new report published Thursday. The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of "non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions." Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROV
10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

Jul 15, 2024Cyber Crime / Data Protection
Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn't it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that's basically the state of things today. Welcome to the infostealer garden of low-hanging fruit. Over the last few years, the problem has grown bigger and bigger, and only now are we slowly learning its full destructive potential. In this article, we will describe how the entire cybercriminal ecosystem operates, the ways various threat actors exploit data originating from it, and most importantly, what you can do about it. Let's start with what infostealer malware actually is. As the name suggests, it's malware that... steals data. Depending on the specific type, the information it extracts might differ slightly, but most will try to extract the following: Cryptocurrency wallets Bank account information and saved credit card details Saved passwords from various apps Bro
TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Jul 18, 2024 Open-Source / Cybercrime
Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations. Also singled out since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, Netherlands, Taiwan, the U.K., the U.S., and Vietnam. "TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access," the cybersecurity company said . "The group used open-source Go backdoors Pantegana and Spark RAT post-e
cyber security

Top 4 Security Risks of GenAI

websiteWizGenAI Security / Technology
Gain a competitive edge and unlock the top 4 major emerging risks within GenAI. This report from Gartner provides insights and recommended actions for security and product leaders.
North Korean Hackers Update BeaverTail Malware to Target MacOS Users

North Korean Hackers Update BeaverTail Malware to Target MacOS Users

Jul 17, 2024 Cyber Espionage / Cryptocurrency
Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name, but, in reality, serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said . BeaverTail refers to a JavaScript stealer malware that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview that aims to infect software developers with malware through a supposed job interview process. Securonix is tracking the same activity under the moniker DEV#POPPER . Besides siphoning sensitive information from web browsers and crypto wallets, the malware is capable of delivering addi
China-linked APT17 Targets Italian Companies with 9002 RAT Malware

China-linked APT17 Targets Italian Companies with 9002 RAT Malware

Jul 17, 2024 Cyber Espionage / Threat Intelligence
A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT. The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week. "The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link," the company noted . "Both campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of 9002 RAT." APT17 was first documented by Google-owned Mandiant (then FireEye) in 2013 as part of cyber espionage operations called DeputyDog and Ephemeral Hydra that leveraged zero-day flaws in Microsoft's Internet Explorer to breach targets of interest. It's also known by the monikers Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avenge
Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks

Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks

Jul 16, 2024 Cyber Espionage / Network Security
The Iranian nation-state actor known as MuddyWater has been observed using a never-before-seen backdoor as part of a recent attack campaign, shifting away from its well-known tactic of deploying legitimate remote monitoring and management (RMM) software for maintaining persistent access. That's according to independent findings from cybersecurity firms Check Point and Sekoia, which have codenamed the malware strain BugSleep and MuddyRot , respectively. "Compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RRM) as a validator," Sekoia said in a report shared with The Hacker News. "Instead, we observed that they used a new and undocumented implant." Some elements of the campaign were first shared by Israeli cybersecurity company ClearSky on June 9, 2024. Targets include countries like Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
Australian Defence Force Private and Husband Charged with Espionage for Russia

Australian Defence Force Private and Husband Charged with Espionage for Russia

Jul 12, 2024 Cyber Crime / Online Safety
Two Russian-born Australian citizens have been arrested and charged in the country for spying on behalf of Russia as part of a "complex" law enforcement operation codenamed BURGAZADA . This includes a 40-year-old woman, an Australian Defence Force (ADF) Army Private, and her husband, a 62-year-old self-employed laborer. Media reports have identified them as Kira Korolev and Igor Korolev, respectively, noting that they had been in Australia for over a decade. The married couple were arrested at their home in the Brisbane suburb of Everton Park on July 11, 2024, the Australian Federal Police (AFP) said in a statement. They have been charged with one count each of preparing for an espionage offense, which carries a maximum penalty of 15 years' imprisonment. "It is the first time an espionage offense has been laid in Australia since new laws were introduced by the Commonwealth in 2018," the AFP said . The federal law enforcement agency has alleged the pair
Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

Jul 11, 2024 Cyber Espionage / Network Security
The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector – which is also referred to as DUSTPAN – has been designated DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024. "DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk," security researchers Yin Hong Chang and Sudeep Singh said . "MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication." APT41 is the moniker assigned to a prolific state-sponsored threat actor affiliated with China that's known to be active since at least 2007. It's also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atl
GuardZoo Malware Targets Over 450 Middle Eastern Military Personnel

GuardZoo Malware Targets Over 450 Middle Eastern Military Personnel

Jul 09, 2024
Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo . The campaign , believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack infrastructure location, according to Lookout. More than 450 victims have been impacted by the malicious activity, with targets located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen. Telemetry data indicates that most of the infections have been recorded in Yemen. GuardZoo is a modified version of an Android remote access trojan (RAT) named Dendroid RAT that was first discovered by Broadcom-owned Symantec in March 2014. The entire source code associated with the crimeware solution was leaked later that August. Originally marketed as a commodity malware for a one-off price
Cybersecurity Agencies Warn of China-linked APT40's Rapid Exploit Adaptation

Cybersecurity Agencies Warn of China-linked APT40's Rapid Exploit Adaptation

Jul 09, 2024 Cyber Espionage / Threat Intelligence
Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40 , warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release. "APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies said . "Notably, APT40 possesses the ability to quickly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations." The adversarial collective, also known as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, is known to be active since at least 2011 , carrying out cyber attacks targeting entities in the Asia-Pacific region. It's assessed to be based in Haikou. In July 2021, the
New APT Group "CloudSorcerer" Targets Russian Government Entities

New APT Group "CloudSorcerer" Targets Russian Government Entities

Jul 08, 2024 Cyber Espionage / Cloud Security
A previously undocumented advanced persistent threat (APT) group dubbed CloudSorcerer has been observed targeting Russian government entities by leveraging cloud services for command-and-control (C2) and data exfiltration. Cybersecurity firm Kaspersky, which discovered the activity in May 2024, said the tradecraft adopted by the threat actor bears similarities with that of CloudWizard , but pointed out the differences in the malware source code. The attacks wield an innovative data-gathering program and a slew of evasion tactics for covering its tracks. "It's a sophisticated cyber espionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure," the Russian security vendor said . "The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.&q
Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

Jul 02, 2024 Cyber Espionage / Vulnerability
A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware. The vulnerability , tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. "By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," cybersecurity firm Sygnia said in a statement shared with The Hacker News. Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command. W
CapraRAT Spyware Disguised as Popular Apps Threatens Android Users

CapraRAT Spyware Disguised as Popular Apps Threatens Android Users

Jul 01, 2024 Mobile Security / Spyware
The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News. The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data. Transparent Tribe, suspected to be of Pakistan origin, has leveraged CapraRAT for over two years in attacks targeting the Indian government and military personnel. The group has a history of lea
Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

Jun 28, 2024 Cyber Espionage / Cyber Attack
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames, passwords, cookies, and browser screenshots. The targeted campaign is said to have been directed against South Korean academia, specifically those focused on North Korean political affairs. Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities. A sister group of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB), it's also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velv
Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Jun 26, 2024 Cyber Attack / Malware
Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023. While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News. This includes ChamelGang's attacks aimed at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware , as well as those targeting a government entity in East Asia and an aviation organization in the Indian subcontinent in 2023. "Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financia
RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

Jun 24, 2024 Cyber Espionage / Hacking
A likely China-linked state-sponsored threat actor has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024. Recorded Future's Insikt Group is tracking the activity under the name RedJuliett , describing it as a cluster that operates from Fuzhou, China, to support Beijing's intelligence collection goals related to the East Asian country. It's also tracked under the names Flax Typhoon and Ethereal Panda . Among other countries targeted by the adversarial collective include Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S. In all, as many as 24 victim organizations have been observed communicating with the threat actor infrastructure, including government agencies in Taiwan, Laos, Kenya, and Rwanda. It's also estimated to have targeted at least 75 Taiwanese entities for broader reconnaissance and follow-on exploita
Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Jun 24, 2024 Mobile Security / Threat Intelligence
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week. It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware. The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads. The campaign, which took place in April 2024, is said to have utilized military-them
ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Jun 22, 2024 Cyber Espionage / Threat Intelligence
Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed. "ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang ," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report published this week. "Cobalt attacked financial institutions to steal funds. One of Cobalt's hallmarks was the use of the CobInt tool , something ExCobalt began to use in 2022." Attacks mounted by the threat actor have singled out various sectors in Russia over the past year, including government, information technology, metallurgy, mining, software development, and telecommunications. Initial access to environments is facilitated by taking advantage of a previously compromised contractor and a supply chain attack, wherein the adversary infected a component used to bu
Cybersecurity
Expert Insights
Cybersecurity Resources