cybersecurity | Breaking Cybersecurity News | The Hacker News

A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025. "This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks," Unit 42 said . Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data. The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a...

A China-linked threat actor has been attributed to a cyber attack targeting an U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government policy on international issues." The attackers managed to gain access to the network for several weeks in April 2025. The first sign of activity occurred on April 5, 2025, when mass scanning efforts were detected against a server by leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server). No further actions were recorded until April 16, when the attacks executed several curl commands to test internet connectivity, after which the Windows command-lin...

A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems. According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named " shanhai666 " and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times. "The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments," security researcher Kush Pandya said . The list of malicious packages is below - MyDbRepository (Last updated on May 13, 2023) MCDbRepository (Last updated on June 5, 2024) Sharp7Extend (Last updated on August 14, 2024) SqlDbRepo...

Imagine this: Sarah from accounting gets what looks like a routine password reset email from your organization's cloud provider. She clicks the link, types in her credentials, and goes back to her spreadsheet. But unknown to her, she's just made a big mistake. Sarah just accidentally handed over her login details to cybercriminals who are laughing all the way to their dark web marketplace, where they'll sell her credentials for about $15. Not much as a one-off, but a serious money-making operation when scaled up. The credential compromise lifecycle Users create credentials: With dozens of standalone business apps (each with its own login) your employees must create numerous accounts. But keeping track of multiple unique usernames/passwords is a pain, so they reuse passwords or make tiny variations. Hackers compromise credentials: Attackers snag these credentials through phishing, brute force attacks, third-party breaches, or exposed API keys. And many times, no...

Google on Thursday said it's rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments. The approach is designed to tackle a common practice called review bombing , where online users intentionally post negative user reviews in an attempt to harm a product, a service, or a business. "Bad actors try to circumvent our moderation systems and flood a business's profile with fake one-star reviews," Laurie Richardson, vice president of Trust & Safety at Google, said . "Following this initial attack, the scammers directly contact the business owner, often through third-party messaging apps, to demand payment." The threat actors warn of further escalation should the victim fail to pay the fee, risking potential damage to their public rating and reputation. These ploys are seen as an attempt to coe...

Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension " susvsex ," said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named "suspublisher18" along with the description "Just testing" and the email address "donotsupport@example[.]com." "Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch," reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.  According to details shared by "suspublisher18," the extension is designed to automatically activate itself on any even...

A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense , describing it as Russia-aligned. "InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link to a trojanized ESET installer, to multiple Ukrainian entities," ESET said in its APT Activity Report Q2 2025–Q3 2025 shared with The Hacker News. InedibleOchotense is assessed to share tactical overlaps with a campaign documented by EclecticIQ that involved the deployment of a backdoor called BACKORDER and by CERT-UA as UAC-0212 , which it describes as a sub-cluster within the Sandworm (aka APT44) hacking group. While the email message is written in Ukrainian, ESET said the first line uses a Russian word, likely indicating a typo or a translation error. The email, which purp...

Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362 . "This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions," the company said in an updated advisory, urging customers to apply the updates as soon as possible. Both vulnerabilities were disclosed in late September 2025, but not before they were exploited as zero-day vulnerabilities in attacks delivering malware such as RayInitiator and LINE VIPER , according to the U.K. National Cyber Security Centre (NCSC). While successful exploitation of CVE-2025-20333 allows an attacker to execute arbitrary code as root using crafted HTTP requests, CVE-2025-20362 makes it possible to access a restricted URL without authentica...

Introduction Financial institutions are facing a new reality: cyber-resilience has passed from being a best practice, to an operational necessity, to a prescriptive regulatory requirement. Crisis management or Tabletop exercises, for a long time relatively rare in the context of cybersecurity, have become required as a series of regulations has introduced this requirement to FSI organizations in several regions, including DORA (Digital Operational Resilience Act) in the EU; CPS230 / CORIE (Cyber Operational Resilience Intelligence-led Exercises) in Australia; MAS TRM (Monetary Authority of Singapore Technology Risk Management guidelines); FCA/PRA Operational Resilience in the UK; the FFIEC IT Handbook in the US, and the SAMA Cybersecurity Framework in Saudi Arabia. What makes complying with these regulatory requirements complex is the cross-functional collaboration between technical and non-technical teams. For example, simulation of the technical aspects of the cyber inciden...

Cybercrime has stopped being a problem of just the internet — it's becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors. The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political leverage. Understanding these links is no longer optional — it's survival. For a full look at the most important security news stories of the week, keep reading. Hidden flaws resurface in Windows core Security Flaws in Windows GDI Details have emerged about three now-patched security vulnerabilities in Windows Graphics Device Interface (GDI) that could enable remote code execution and information disclosure. These issues – CVE-2025-30388 , CVE-2025-53766 , and CVE-2025-47984 – involve out-of-bounds memory access triggered through malformed e...

Bitdefender has once again been recognized as a Representative Vendor in the Gartner® Market Guide for Managed Detection and Response (MDR) — marking the fourth consecutive year of inclusion. According to Gartner, more than 600 providers globally claim to deliver MDR services, yet only a select few meet the criteria to appear in the Market Guide. While inclusion is not a ranking or comparative assessment, we believe it underscores Bitdefender's human-driven approach to MDR and our continued alignment with Gartner's rigorous inclusion standards. To be included, must demonstrate consistent visibility through Gartner client inquiries or Peer Insights reviews, focus on delivering end-user–oriented services rather than purely technological solutions, and represent a variety of company sizes and geographies. We believe independent analyst research like the Gartner Market Guide for Managed Detection and Response is a valuable resource for organizations assessing MDR providers. The rep...

The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. "This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," security researcher Victor Vrabie, along with Adrian Schipor and Martin Zugec, said in a technical report. Curly COMrades was first documented by the Romanian cybersecurity vendor in August 2025 in connection with a series of attacks targeting Georgia and Moldova. The activity cluster is assessed to be active since late 2023, operating with interests that are aligned with Russia. These attacks were found to deploy tools like CurlCat for bidirection...

SonicWall has formally implicated state-sponsored threat actors as behind the September security breach that led to the unauthorized exposure of firewall configuration backup files. "The malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call," the company said in a statement released this week. "The incident is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices." SonicWall, however, did not disclose which country was behind the incident or provide any indicators linking it to any known threat actor or group. The disclosure comes nearly a month after the company said an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. In September, it claimed that the threat actors accessed the backup files stored in the cloud for less than ...

Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. "PROMPTFLUX is written in VB Script and interacts with Gemini's API to request specific VBScript obfuscation and evasion techniques to facilitate 'just-in-time' self-modification, likely to evade static signature-based detection," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. The novel feature is part of its "Thinking Robot" component, which periodically queries the large language model (LLM), Gemini 1.5 Flash or later in this case, to obtain new code so as to sidestep detection. This, in turn, is accomplished by using a hard-coded API key to send the query to the Gemini API endpoint. The prompt sent to the model is both highly speci...

Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge. The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has since addressed some of them .  These issues expose the AI system to indirect prompt injection attacks , allowing an attacker to manipulate the expected behavior of a large language model (LLM) and trick it into performing unintended or malicious actions, security researchers Moshe Bernstein and Liv Matan said in a report shared with The Hacker News. The identified shortcomings are listed below - Indirect prompt injection vulnerability via trusted sites in Browsing Context, which involves asking ChatGPT to summarize the contents of web pages with malicious instructions added...

Raise your hand if you've heard the myth, "Android isn't secure." Android phones, such as the Samsung Galaxy, unlock new ways of working. But, as an IT admin, you may worry about the security—after all, work data is critical. However, outdated concerns can hold your business back from unlocking its full potential. The truth is, with work happening everywhere, every device connected to your network is a potential security breach point. As threats evolve, so must the tools to defend against them. Allow me to introduce Samsung Knox— a built-in security platform that combines hardware and software protections on Samsung Galaxy devices. It's loaded with features and is designed to safeguard data, provide IT teams with deeper control, and offer a flexible foundation for enterprise needs. Let's take a look at some myths about open source and how Samsung can get you on the right path to success. Myth 1: "Isn't Android more prone to malware and attacks?" Common concerns around sideloadi...

A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been attributed as behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel. "UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the Islamic Revolutionary Guard Corps (IRGC)," Proofpoint security researcher Saher Naumaan said in a new report shared with The Hacker News. The enterprise security company said the campaign shares tactical similarities with that of prior attacks mounted by Iranian cyber espionage groups like TA455 (aka Smoke Sandstorm or UNC1549), TA453  (aka Charming Kitten or Mint Sandstorm), and TA450 (aka Mango Sandstorm or MuddyWater). The email messages bear all hallmarks of a classic Charming Kitten attack, with the threat actors reeling in prospective targets by engagin...

The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea's global financial network for laundering money for various illicit schemes , including cybercrime and information technology (IT) worker fraud . "North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program," said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. "By generating revenue for Pyongyang's weapons development, these actors directly threaten U.S. and global security. The Treasury will continue to pursue the facilitators and enablers behind these schemes to cut off the DPRK's illicit revenue streams." The names of sanctioned individuals and entities are listed below - Jang Kuk Chol (Jang) and Ho Jong Son , who are said to have helped manage funds, including $5.3 million in cryptocurrency, on behalf of First Credit Bank (aka Cheil ...