#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

data theft | Breaking Cybersecurity News | The Hacker News

Category — data theft
U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

May 23, 2025 Botnet / Financial Fraud
The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damages. Two of the defendants, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, are currently at large. Stepanov has been charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin has been charged with cons...
North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures

North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures

Apr 25, 2025 Cryptocurrency / Artificial Intelligence
North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry – BlockNovas LLC (blocknovas[.] com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co) – to spread malware via 'job interview lures," Silent Push said in a deep-dive analysis. The activity, the cybersecurity company said, is being used to distribute three different known malware families, BeaverTail, InvisibleFerret , and OtterCookie . Contagious Interview is one of the several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment. The activity is tracked by the broader cybersecu...
Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

Apr 23, 2025 Spyware / Mobile Security
Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro , a paid offering that removes advertising and analytics features. The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel. While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an A...
cyber security

GenAI Security Best Practices Cheat Sheet

websiteWizCybersecurity / GenAI Security
Secure your GenAI systems fast with 7 must-know best practices to stop data poisoning, model theft, and more—plus ways AI can boost your defenses.
cyber security

Find the Coverage Gaps in Your Security Tools

websitePrelude SecurityContinuous Control Monitoring
Try Prelude free for 14 days to find gaps in your security tools, maximizing the controls you already have.
SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks

SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks

Apr 21, 2025 Technology / Mobile Security
A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication ( NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said . The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp mess...
Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

Apr 18, 2025 Financial Fraud / Cybercrime
Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence. The phishing campaigns , per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat. It's worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-b...
Paper Werewolf Deploys PowerModul Implant in Targeted Cyberattacks on Russian Sectors

Paper Werewolf Deploys PowerModul Implant in Targeted Cyberattacks on Russian Sectors

Apr 11, 2025 Malware / Vulnerability
The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul . The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known as GOFFEE, is assessed to have conducted at least seven campaigns since 2022, according to BI.ZONE, with the attacks mainly aimed at government, energy, financial, media, and other organizations. Attack chains mounted by the threat actor have also been observed incorporating a disruptive component, wherein the intrusions go beyond distributing malware for espionage purposes to also change passwords belonging to employee accounts. The attacks themselves are initiated via phishing emails that contain a macro-laced lure document, which, upon opening and enabling macros, paves the way for th...
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

Apr 03, 2025 Malware / Threat Intelligence
The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview , also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be active since at least December 2022, although it was only publicly documented for the first time in late 2023. "It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors," Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé said , attributing the effort to the infamous Lazarus Group , a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic Pe...
Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

Mar 31, 2025 Data Theft / Website Security
Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins , refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware. "This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Sucuri researcher Puja Srivastava said in an analysis. In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory - "wp-content/mu-plugins/redirect.php," ...
Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

Mar 31, 2025 Threat Intelligence / Malware
Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT . "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage ZIP file containing the Remcos backdoor." The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon , which is also tracked under the monikers Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.  The threat actor, assessed to be affiliated with Russia's Federal Security Service (FSB), is known for its targeting of Ukrainian organizations for espionage and data theft. It's operational since at least ...
New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials

New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials

Mar 29, 2025 Threat Intelligence / Mobile Security
Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said . As with other banking trojans of its kind, the malware is designed to facilitate device takeover ( DTO ) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking. The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: "quizzical.washbowl.calamity"), which act as a dropper capable of  bypassing Android 13+ restrictions .  Once installed and launched, the app requests permission to Android's access...
New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records

New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims' DNS Email Records

Mar 27, 2025 Email Security / Malware
Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System ( DNS ) mail exchange ( MX ) records to serve fake login pages that impersonate about 114 brands. DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat . "The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram," the company said in a report shared with The Hacker News. One such campaign leveraging the PhaaS toolkit was documented by Forcepoint in July 2024, where phishing emails contained links to a purported shared document that, when clicked, directed the recipient to a fake login page hosted on Cloudflare R2 with the end goal of collecting and exfiltrating the credentials via Tele...
Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

Mar 25, 2025 Mobile Security / Data Theft
Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users. "These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said . .NET MAUI is Microsoft's cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary. It's worth noting that official support for Xamarin ended on May 1, 2024 , with the tech giant urging developers to migrate to .NET MAUI. While Android malware implemented using Xamarin has been detected in the past , the latest development signals that ...
Expert Insights Articles Videos
Cybersecurity Resources