cyber espionage | Breaking Cybersecurity News | The Hacker News

Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts. "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple devices concurrently," the Google Threat Intelligence Group (GTIG) said in a report. In the attacks spotted by the tech giant's threat intelligence teams, the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. As a result, future messages get delivered synchronously to both the victim and the threat actor in real-time, thereby granting threat actors a persistent way to eavesdrop on the victim's conversations. Google said UAC-...

The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems. This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe, whenever ESET antivirus application is detected running, Trend Micro said in a new analysis. "The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim," security researchers Nathaniel Morales and Nick Dai noted. "Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems." The starting point of the attack sequence is an execu...

The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug , which has been assessed to be a subset within the APT41 cyber espionage group. It's also monitored by Cybereason under the name  Operation CuckooBees , and by Symantec as Blackfly. APT41 has been described as a highly skilled and methodical actor with the ability to mount espionage attacks as well as poison the supply chain. Its campaigns are often designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access. "The group...

An RA World ransomware attack in November 2024 targeting an unnamed Asian software and services company involved the use of a malicious tool exclusively used by China-based cyber espionage groups, raising the possibility that the threat actor may be moonlighting as a ransomware player in an individual capacity. "During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. "In all the prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, seemingly solely interested in maintaining a persistent presence on the targeted organizations by installing backdoors." This included a July 2024 compromise of the Foreign Ministry of a country in southeastern Europe that involved the use of classic DLL side-loading techniques to deploy PlugX ...

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707 . Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia. "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis. The exact initial access vector used in the attacks is currently not clear, although it has been observed that Microsoft's certutil application is used to download additional payloads from a web server associated with the Foreign Ministry. The certutil commands used to ...

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the Microsoft Threat Intelligence team said in a new report shared with The Hacker News ahead of publication. The geographical spread of the initial access subgroup's targets include the whole of North America, several countries in Europe, as well as others, including Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan. The development marks a significant expansion of the hacking group's victimology footprint over the past three years, which is otherwise known to be concentrated around Eastern Europe - 2022: Energy...

A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan. "This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month. Targets of the hacking group's attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence. The infections commence with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts. The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, leverages the RAR archive to launc...

A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web ( MotW ) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09 . "The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files," Trend Micro security researcher Peter Girnus said . It's suspected that CVE-2025-0411 was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict. MotW is a security feature implemented by Microsoft in Windows to prevent the a...

The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE. "This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News. UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It's suspected to share links with a known Russian state-sponsored actor called APT28. Merely weeks later, the Compu...

The Council of the European Union has sanctioned three individuals for allegedly carrying out "malicious cyber activities" against Estonia. The three Russian nationals – Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov – are officers of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 29155, it said. Per the council decision, all the individuals are said to be responsible for cyber attacks against computer systems with the aim of collecting data from the data systems of multiple institutions with an aim to gain insights into the cyber security policy of Estonia. "The cyber-attacks granted attackers unauthorized access to classified information and sensitive data stored within several government ministries — including Economic Affairs and Communications, Social Affairs, and Foreign Affairs — leading to the theft of thousands of confidential documents," per the Council . This included business secrets, h...

A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy , which is assessed to share overlaps with another hacking group named Core Werewolf , also tracked as Awaken Likho and PseudoGamaredon. According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing threat actors to remotely access the compromised hosts. "The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine," the company said in a report published last week. The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, ...

A former analyst working for the U.S. Central Intelligence Agency (CIA) pleaded guilty to transmitting top secret National Defense Information (NDI) to individuals who did not have the necessary authorization to receive it and attempted to cover up the activity. Asif William Rahman, 34, of Vienna, was an employee of the CIA since 2016 and had a Top Secret security clearance with access to Sensitive Compartmented Information (SCI). He was charged with two counts of unlawfully transmitting NDI in November 2024 following his arrest in Cambodia. He has pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. He is expected to be sentenced on May 15, 2025, potentially facing a maximum penalty of 10 years in prison. According to court filings , Rahman is alleged to have retained without authorization two documents classified as Top Secret on or about October 17, 2024, and delivered it to multiple individuals who wer...

Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063 , which likely shares overlap with APT28, a nation-state group affiliated with Russia's General Staff Main Intelligence Directorate (GRU). It's also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. UAC-0063 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in early 2023, detailing its attacks on government entities using malware families tracked as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx). It's worth pointing out that the use of these malware strains has been exclusive to this group. Subsequent campaigns have been observed setting their sights o...

Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024. "The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting," Recorded Future's Insikt Group said in a new analysis. It's believed that the threat actor compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. It's also said to have targeted various victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India from September to December 2024. RedDelta, active since at least 2012, is the moniker assigned to a state-sponsored threat actor from China. It's also tracked by the cybersecurity co...