cyber espionage | Breaking Cybersecurity News | The Hacker News

A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT ) and AGENTPSD to target Linux systems. The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo , which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike). The cybersecurity company said it discovered the intrusion during an incident response engagement in September 2025, when it emerged that the adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM. The issue was addressed in Storage Sync version 13.13 , released in March 2026.

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where "OP" stands for "opponent") that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. "OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities," the company said in a report shared with The Hacker News. Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it's the fourth such threat group after CL-STA-0048 , DragonRank , and GhostRedirector to single out IIS web servers over the past 12 months. As recently as last month, Cisco Talos revealed that multiple Chinese-speaking...

Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity. Symantec and Carbon Black's Threat Hunter Team reported the campaign this week. This points to espionage, not a money grab: Symantec said the commands indicate intelligence collection, not theft for profit. Neither the executive nor the exchange was named. The value is plain enough: an exchange executive's inbox can hold non-public listing details, enforcement matters, deal terms, market-moving plans, plus the executive's calendar and contacts. Five months of quiet access handed the attacker a detailed read on the executive's dealings and where the organization was heading, without needing broad access to other business systems. The first malicious activity showed up on October 10, 2025. By th...

The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088 , a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an intermediate Visual Basic Script (VBScript) downloaders codenamed GammaLoad. The infection chain was observed by the French cybersecurity company in January 2026. "Their primary objectives are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers," Sekoia said . One of the payloads is a VBScript worm known as GammaWorm that establishes persistence via scheduled tasks and is designed to hide legitimate directories in network shares and USB drives and replace wit...

Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan's Ministry of Finance with an open-source remote access trojan called Xeno RAT . "The campaign opens with a spear phishing delivery - a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename," Seqrite Labs researcher Dixit Panchal said in a technical breakdown of the activity. Also targeted as part of the campaign are provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees. The campaign has been codenamed Operation XENOFISCAL. The choice of Pashto for the lure file is a deliberate choice on the part of the attacker, as it's the main language spoken in the Afghan government circles. This aspect reflects the attacker's familiarity with the target environment. SideCopy is the name given to a P...