cybersecurity | Breaking Cybersecurity News | The Hacker News

The threat actor known as TA558 has been attributed to a fresh set of attacks delivering various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets. Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels. "The threat actors continue to employ phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders," the company said . "A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents." The findings demonstrate a new trend among cybercriminal groups to leverage artificial intelligence (AI) to bolster their tradecraft. Known to be active since at least 2015, RevengeHotels has a history of hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised syste...

A China-aligned threat actor known as TA415 has been attributed to spear-phishing campaigns targeting the U.S. government, think tanks, and academic organizations utilizing U.S.-China economic-themed lures. "In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the U.S.-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy," Proofpoint said in an analysis. The enterprise security company said the activity, observed throughout July and August 2025, is likely an effort on part of Chinese state-sponsored threat actors to facilitate intelligence gathering amid ongoing U.S.-China trade talks, adding the hacking group shares overlaps with a threat cluster tracked broadly under the names APT41 and Brass Typhoon (formerly Barium). The findings come days ...

Quantum computing and AI working together will bring incredible opportunities. Together, the technologies will help us extend innovation further and faster than ever before. But, imagine the flip side, waking up to news that hackers have used a quantum computer to crack your company's encryption overnight, exposing your most sensitive data, rendering much of it untrustworthy. And with your sensitive data exposed, where does that leave trust from your customers? And the cost to mitigate - if that is even possible with your outdated pre-quantum systems? According to IBM, cyber breaches are already hitting businesses with an average of $4.44 million per incident, and as high as $10.22 million in the US, but with quantum and AI working simultaneously, experts warn it could go much higher. In 2025, nearly two-thirds of organizations see quantum computing as the biggest cybersecurity threat looming in the next 3-5 years, while 93% of security leaders are prepping for daily AI-driven a...

Generative AI has gone from a curiosity to a cornerstone of enterprise productivity in just a few short years. From copilots embedded in office suites to dedicated large language model (LLM) platforms, employees now rely on these tools to code, analyze, draft, and decide. But for CISOs and security architects, the very speed of adoption has created a paradox: the more powerful the tools, the more porous the enterprise boundary becomes. And here's the counterintuitive part: the biggest risk isn't that employees are careless with prompts. It's that organizations are applying the wrong mental model when evaluating solutions, trying to retrofit legacy controls for a risk surface they were never designed to cover. A new guide ( download here ) tries to bridge that gap. The Hidden Challenge in Today's Vendor Landscape The AI data security market is already crowded. Every vendor, from traditional DLP to next-gen SSE platforms, is rebranding around "AI security." On paper, this seems to of...

Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider , casting doubt on their claims of going "dark." Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains potentially linked to the group that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization. "Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," the company said . "From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and furthe...

The U.S. Department of Justice (DoJ) on Tuesday resentenced the former administrator of BreachForums to three years in prison in connection with his role in running the cybercrime forum and possessing child sexual abuse material (CSAM). Conor Brian Fitzpatrick (aka Pompompurin), 22, of Peekskill, New York, pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material. Fitzpatrick was initially arrested in March 2023 and pleaded guilty later that July. As part of the plea agreement, Fitzpatrick is also said to have agreed to forfeit over 100 domain names used in the operation of BreachForums, over a dozen electronic devices used to execute the scheme, and cryptocurrency that represented the illicit proceeds of the operation. "Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data,...

Microsoft's Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365 , a financially motivated threat group that was behind a phishing-as-a-service (Phaas) toolkit used to steal more than 5,000 Microsoft 365 credentials from 94 countries since July 2024. "Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation's technical infrastructure and cutting off criminals' access to victims," Steven Masada, assistant general counsel at DCU, said . "This case shows that cybercriminals don't need to be sophisticated to cause widespread harm – simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk." The initial phase of the Cloudflare takedown commenced on September 2, 2025, with additional actions occurring on September 3 and September 4. This in...

Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform's fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens," JFrog said in a report shared with The Hacker News. Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault simulation and simulates various abnormalities that might occur during the software development lifecycle. The issues, collectively called Chaotic Deputy, are listed below - CVE-2025-59358 (CVSS score: 7.5) - The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes clus...

A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps , collectively attracting 38 million downloads across 228 countries and territories. "These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN's Satori Threat Intelligence and Research Team said in a report shared with The Hacker News. The name "SlopAds" is a nod to the likely mass-produced nature of the apps and the use of artificial intelligence (AI)-themed services like StableDiffusion, AIGuide, and ChatGLM hosted by the threat actor on the command-and-control (C2) server. The company said the campaign accounted for 2.3 billion bid requests a day at its peak, with traffic from SlopAds apps mainly originating from the U.S. (30%), India (10%), and Brazil (7%). Google has since removed all the offending apps from the Play Store, effectively di...

Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. At a high level, the attack chain involves the use of FileFix to entice users into launching an initial payload that then proceeds to download seemingly innocuous images containing the malicious components from a Bitbucket repository. This allows the attackers to abuse the trust associated with a legitimate source code hosting platform to bypass detection. FileFix, first documented by security researcher mrd0x as a proof-of-concept (PoC) in June 2025, is a little different from ClickFix in that it eschews the need for us...

Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said. Since then, WhatsApp has acknowledged that a vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been chained with CVE-2025-43300 as part of highly-targeted spyware attacks aimed at less than 200 individuals. While the shortcoming was first addressed by the iPhone maker late last month with the release of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1, it has also been released for the f...

AI agents are rapidly becoming a core part of the enterprise, being embedded across enterprise workflows, operating with autonomy, and making decisions about which systems to access and how to use them. But as agents grow in power and autonomy, so do the risks and threats.  Recent studies show 80% of companies have already experienced unintended AI agent actions, from unauthorized system access to data leaks. These incidents aren't edge cases. They are the inevitable outcome of deploying AI agents at scale without purpose-built security mechanisms. Traditional IAM wasn't designed for this. Agents move too fast, operate 24/7, while relying on non-human identities (NHIs) to define precisely what they can and can't do. How can organizations possibly secure what they cannot see or control? To address this challenge, a new approach is needed—one that enables secure-by-design AI agent deployment across the enterprise. Enter: Astrix's Agent Control Plane (ACP) Astrix's AI Agent Cont...

A team of academics from ETH Zürich and Google has discovered a new variant of a RowHammer attack targeting Double Data Rate 5 (DDR5) memory chips from South Korean semiconductor vendor SK Hynix. The RowHammer attack variant, codenamed Phoenix ( CVE-2025-6202 , CVSS score: 7.1), is capable of bypassing sophisticated protection mechanisms put in place to resist the attack. "We have proven that reliably triggering RowHammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale," the Computer Security Group (COMSEC) at ETH Zürich said. "We also proved that on-die ECC does not stop RowHammer, and RowHammer end-to-end attacks are still possible with DDR5." RowHammer refers to a hardware vulnerability where repeated access of a row of memory in a DRAM chip can trigger bit flips in adjacent rows, resulting in data corruption. This can be subsequently weaponized by bad actors to gain unauthorized access to data, escalate privileges, or even cause a...

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers. "The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages," supply chain security company Socket said . The end goal of the campaign is to search developer machines for secrets using TruffleHog's credential scanner and transmit them to an external server under the attacker's control. The attack is capable of targeting both Windows and Linux systems. The following packages have been identified as impacted by the incident - angulartics2@14.1.2 @ctrl/deluge@7.2.2 @ctrl/golang-template@1.4.3 @ctrl/magnet-link@4.0.4 @ctrl/ngx-codemirror@7.0.2 @ctrl/ngx-csv@6.0.2 @ctrl/ngx-emoji-mart@...

The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk. "The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor," IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week. The tech giant's cybersecurity division is tracking the cluster under the name Hive0154, which is also broadly referred to as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Typhoon. The state-sponsored threat actor is believed to have been active since at least 2012. TONESHELL was first publicly documented by Trend Micro way back in November 2022 as part of cyber attacks targeting Myanmar, Australia, the Philippines, Japan, and Taiwan between May and October. Typically executed via DLL side-loading, its primary responsibility is to d...

Attacks that target users in their web browsers have seen an unprecedented rise in recent years. In this article, we'll explore what a "browser-based attack" is, and why they're proving to be so effective.  What is a browser-based attack? First, it's important to establish what a browser-based attack is. In most scenarios, attackers don't think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party services that are now the backbone of business IT. The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. You need only look at last year's Snowflake customer breaches or the still-ongoing Salesforce attacks to see the impact.  The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers — and ex...