cybersecurity | Breaking Cybersecurity News | The Hacker News

Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries. The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to steal people's financial information by prompting them to click on a link using lures related to fake toll fees or package deliveries. While the scam in itself is fairly simple, it's the industrial scale of the operation that has allowed it to illegally make more than a billion dollars over the past three years. "They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites," Halimah DeLaine Prado, General Counsel at Google, said . "We found at least 107 website templates featuring Google's branding o...

Amazon's threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware. "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks," CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News. The attacks were flagged by its MadPot honeypot network, with the activity weaponizing the following two vulnerabilities - CVE-2025-5777 or Citrix Bleed 2 (CVSS score: 9.3) - An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited by an attacker to bypass authentication. (Fixed by Citrix in June 2025 ) CVE-2025-20337 (CV...

Every day, security teams face the same problem—too many risks, too many alerts, and not enough time. You fix one issue, and three more show up. It feels like you're always one step behind. But what if there was a smarter way to stay ahead—without adding more work or stress? Join The Hacker News and Bitdefender for a free cybersecurity webinar to learn about a new approach called Dynamic Attack Surface Reduction (DASR) —a method that helps security teams close gaps before attackers even find them. Most tools today only tell you what's wrong. They scan, report, and give you long lists of problems. But they don't help you fix them fast enough. The truth is, the attack surface keeps changing—new apps, cloud systems, remote devices, misconfigurations. It never stops. Attackers only need one open door. And that's why traditional defenses often fail—they react too slowly. Meet DASR: A Smarter Way to Stay Safe Dynamic Attack Surface Reduction (DASR) changes how we defend. Instead o...

Active Directory remains the authentication backbone for  over 90% of Fortune 1000 companies. AD's importance has grown as companies adopt hybrid and cloud infrastructure, but so has its complexity. Every application, user, and device traces back to AD for authentication and authorization, making it the ultimate target. For attackers, it represents the holy grail: compromise Active Directory , and you can access the entire network. Why attackers target Active Directory  AD serves as the gatekeeper for everything in your enterprise. So, when adversaries compromise AD, they gain privileged access that lets them create accounts, modify permissions, disable security controls, and move laterally, all without triggering most alerts. The  2024 Change Healthcare breach showed what can happen when AD is compromised. In this attack, hackers exploited a server lacking multifactor authentication, pivoted to AD, escalated privileges, and then executed a highly costly cyberattac...

Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs. The patches are in addition to the 27 vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of October 2025's Patch Tuesday update. The zero-day vulnerability that has been listed as exploited in Tuesday's update is CVE-2025-62215 (CVSS score: 7.0), a privilege escalation flaw in Windows Kernel. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the issue. "Concurre...

Google on Tuesday unveiled a new privacy-enhancing technology called Private AI Compute to process artificial intelligence (AI) queries in a secure platform in the cloud. The company said it has built Private AI Compute to "unlock the full speed and power of Gemini cloud models for AI experiences, while ensuring your personal data stays private to you and is not accessible to anyone else, not even Google." Private AI Compute has been described as a "secure, fortified space" for processing sensitive user data in a manner that's analogous to on-device processing but with extended AI capabilities. It's powered by Trillium Tensor Processing Units (TPUs) and Titanium Intelligence Enclaves (TIE), allowing the company to use its frontier models without sacrificing on security and privacy. In other words, the privacy infrastructure is designed to take advantage of the computational speed and power of the cloud while retaining the security and privacy assuran...

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web . Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed Water Saci . The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload. The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes con...

The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. "GootLoader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames," security researcher Anna Pham said , adding the malware "exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file." GootLoader, affiliated with a threat actor tracked as Hive0127 (aka UNC2565), is a JavaScript-based malware loader that's often distributed via search engine optimization (SEO) poisoning tactics to deliver additional payloads, including ransomware. In a report published last September, Microsoft revealed the th...

AI-enabled supply chain attacks jumped 156% last year. Discover why traditional defenses are failing and what CISOs must do now to protect their organizations. Download the full CISO's expert guide to AI Supply chain attacks here .  TL;DR AI-enabled supply chain attacks are exploding in scale and sophistication - Malicious package uploads to open-source repositories jumped 156% in the past year . AI-generated malware has game-changing characteristics - It's polymorphic by default, context-aware, semantically camouflaged, and temporally evasive. Real attacks are already happening - From the 3CX breach affecting 600,000 companies to NullBulge attacks weaponizing Hugging Face and GitHub repositories. Detection times have dramatically increased - IBM's 2025 report shows breaches take an average of 276 days to identify, with AI-assisted attacks potentially extending this window. Traditional security tools are struggling - Static analysis and signature-based detec...

Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate " @actions/artifact " package with the intent to target GitHub-owned repositories. "We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub," Veracode said in an analysis. The cybersecurity company said it observed six versions of the package – from 4.0.12 to 4.0.17 – that incorporated a post-install hook to download and run malware. That said, the latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev , has removed all the offending versions. The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times , according...

Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications. "It's a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry," Zimperium researcher Vishnu Pratapagiri said in a report last week. "Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps." The threat actor, in their...

Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox file-sharing and remote access platform. The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads.  The tech giant said it observed a threat cluster tracked as UNC6485 weaponizing the flaw as far back as August 24, 2025, nearly a month after Gladinet released patches for the flaw in version 16.7.10368.56560 . It's worth noting that CVE-2025-12480 is the third flaw in Triofox that has come under active exploitation this year alone, after CVE-2025-30406 and CVE-2025-11371 . "Added protection for the initial configuration pages," according to release notes for the software. "These pages can no longer be accessed after Triofox has been set up." Mandiant said the th...

The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. "Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians Security Center (GSC) said in a technical report. What's notable about the attacks targeting Android devices is also the destructive ability of the threat actors to exploit Google's asset tracking services Find Hub (formerly Find My Device) to remotely reset victim devices, thereby leading to the unauthorized deletion of personal data. The activity was detected in early September 2025. The development marks the first time the hacking group has weaponized legitimate management functions to remotely reset mobile devices. The activity is also preceded by an attack chain in whic...

Cyber threats didn't slow down last week—and attackers are getting smarter. We're seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild. But that's just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week's roundup highlights a clear shift: cybercrime is evolving fast, and the lines between technical stealth and strategic coordination are blurring. It's worth your time. Every story here is about real risks that your team needs to know about right now. Read the whole recap. ⚡ Threat of the Week Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs — Curly COMrades, a threat actor supporting Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads. This method allows the malware to run completel...

According to the new Browser Security Report 2025 , security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user's browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low. What's emerging isn't just a blindspot. It's a parallel threat surface: unmanaged extensions acting like supply chain implants, GenAI tools accessed through personal accounts, sensitive data copy/pasted directly into prompt fields, and sessions that bypass SSO altogether. This article unpacks the key findings from the report and what they reveal about the shifting locus of control in enterprise security. GenAI Is Now the Top Data Exfiltration Channel The rise of GenAI in enterprise workflows has created a massive governance gap. Nearly half of employees use GenAI tools, but most do so through unmanaged accounts, outside of IT visibility. Key stats from the report: 77% of employees paste data into GenAI prompts 82% of...

Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvest their credentials by deploying malware like PureRAT . "The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said . "This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT." The end goal of the campaign is to steal credentials from compromised systems that grant threat actors unauthorized access to booking platforms like Booking.com or Expedia, which are then either sold on cybercrime forums or used to send fraudulent emails to hotel customers to conduct fraud. The activity is assessed to be active since at least April 2025 and operational as of early October 2025. It...

Cybersecurity researchers have disclosed a new set of three extensions associated with the GlassWorm campaign, indicating continued attempts on part of threat actors to target the Visual Studio Code (VS Code) ecosystem. The extensions in question , which are still available for download, are listed below - ai-driven-dev.ai-driven-dev (3,402 downloads) adhamu.history-in-sublime-merge (4,057 downloads) yasuyuky.transient-emacs (2,431 downloads) GlassWorm, first documented by Koi Security late last month, refers to a campaign in which threat actors leverage VS Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace to harvest Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, and drop additional tools for remote access. What makes the malware notable is that it uses invisible Unicode characters to hide malicious code in code editors and abuses the pilfered credentials to compromise additional extens...