cyber espionage | Breaking Cybersecurity News | The Hacker News

A Chinese national accused of being a member of the Silk Typhoon hacking group has been extradited to the U.S. from Italy.  Xu Zewei, 34, was arrested in July 2025 by Italian authorities for his alleged links to the Chinese state-sponsored threat group and for orchestrating cyber attacks against American organizations and government agencies between February 2020 and June 2021, including breaking into systems at a Texas university to steal COVID-19 vaccine information. He was charged with nine counts of wire fraud and conspiracy to cause damage to and obtain information by unauthorized access to protected computers, as well as committing aggravated identity theft. Xu, along with co-defendant and Chinese national Zhang Yu, is said to have undertaken the attacks under directions issued by the Ministry of State Security's (MSS) Shanghai State Security Bureau (SSSB). Some of these attacks weaponized then zero-days in Microsoft Exchange Server, a threat activity cluster that Micro...

The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. The cybersecurity company said it identified artifacts uploaded to the VirusTotal platform from India and Afghanistan, suggesting that the two countries may be the target of the espionage activity. Harvester was first publicly documented by Symantec in late 2021, linking it to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021, using a bespoke implant called Graphon that used the Microsoft Graph API for C2. Subsequent activity flagged in Au...

Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than financially motivated objectives," Acronis researchers Subhajeet Singha and Santiago Pontiroli said in an analysis. The use of LOTUSLITE was previously observed in spear-phishing attacks targeting U.S. government and policy entities using decoys associated with the geopolitical developments between the U.S. and Venezuela. The activity was attributed with medium confidence to a Chinese nation-state group tracked as Mustang Panda. The latest activity flagged by Acronis involves deploying an evolved version of LOTUSLITE that demonstrates "incremental improvements" over ...

An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now , Lookout , and SMEX . Two of the targets included prominent Egyptian journalists and government critics, Mostafa Al-A'sar and Ahmed Eltantawy, who were at the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA) codes. "The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware ," Access Now's Digital Security Helpline said. Also...

The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX . "PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control," Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. The campaign is believed to be active since at least  September 2025. The activity has targeted various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), and logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners. The campaign is notable for the rapid weaponization of newly disclosed ...