hacking | Breaking Cybersecurity News | The Hacker News

The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," the Microsoft Threat Intelligence team said in a series of posts shared on X. To read the purported PDF document, victims are persuaded to click a URL containing a list of steps to register their Windows system. The registration link urges them to launch PowerShell as an administrator and copy/paste the displayed code snippet into the terminal, and execute it. Should the victim follow through, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN from a rem...

The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC). The attacks commence with phishing emails containing a Windows shortcut (LNK) file that's disguised as a Microsoft Office or PDF document. Opening this attachment triggers the execution of PowerShell or mshta.exe, a legitimate Microsoft binary designed to run HTML Application (HTA) files, that are responsible for downloading and running next-stage payloads from an external source. The South Korean cybersecurity company said the attacks culminated in the deployment of a known trojan dubbed PEBBLEDASH and a custom version of an open-source Remote Desktop utility named RDP Wrapper . Also delivered as part of the attacks is a proxy malware that allows the threat actors to establish persistent communications with an external ...

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations. "Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat Intelligence Group (GTIG) said in a new report. "At present, they primarily use AI for research, troubleshooting code, and creating and localizing content." Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use its tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion. Describing Iranian APT actors as the "he...

An international law enforcement operation has dismantled the domains associated with various online platforms linked to cybercrime such as Cracked, Nulled, Sellix, and StarkRDP. The effort, which took place between January 28 and 30, 2025, targeted the following domains - www.cracked.io www.nulled.to www.mysellix.io www.sellix.io www.starkrdp.io Visitors to these websites are now greeted by a seizure banner that says they were confiscated as part of Operation Talent that involved authorities from Australia, France, Greece, Italy, Romania, Spain, and the United States, along with Europol. "This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners," the message reads. Operational since at 2015 and 2018, both Nulled and Cracked have been used to peddle various hack tools, such as ScrubCrypt, a malware obfuscation engine that has been observed delivering stealer malware in the pas...

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's STRIKE team said in a new report shared with The Hacker News. "This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection." The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery. The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation ...

While passwords remain the first line of defense for protecting user accounts against unauthorized access, the methods for creating strong passwords and protecting them are continually evolving. For example, NIST password recommendations are now prioritizing password length over complexity. Hashing, however, remains a non-negotiable. Even long secure passphrases should be hashed to prevent them from being completely exposed in the event of a data breach – and never stored in plaintext. This article examines how today’s cyber attackers attempt to crack hashed passwords, explores common hashing algorithms and their limitations, and discusses measures you can take to protect your hashed passwords, regardless of which algorithm you are using. Modern password cracking techniques Malicious actors have an array of tools and methods at their disposal for cracking hashed passwords. Some of the more widely used methods include brute force attacks, password dictionary attacks, hybrid attacks...

A Brazilian citizen has been charged in the United States for allegedly threatening to release data stolen by hacking into a company's network in March 2020. Junior Barros De Oliveira , 29, of Curitiba, Brazil has been charged with four counts of extortionate threats involving information obtained from protected computers and four counts of threatening communications, the U.S. Department of Justice (DoJ) said in an unsealed indictment earlier this week. The said victim, a Brazilian subsidiary of a New Jersey-based company, had its computers breached by the defendant, who then exploited the access to steal confidential customer information from about 300,000 customers on at least three occasions. De Oliveira is alleged to have subsequently sent the chief executive officer (CEO) of the company an email message in September 2020 using an alias, demanding a payment of 300 bitcoin (valued at about $3.2 million at the time) in return for not selling the data. A month later, the de...

The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao. Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP , said it discovered the artifact as part of a "recent" investigation into a compromised machine in Asia that was also infected with the BellaCiao malware. BellaCiao was first documented by Romanian cybersecurity firm Bitdefender in April 2023, describing it as a custom dropper capable of delivering additional payloads. The malware has been deployed by the hacking group in cyber attacks targeting the United States, the Middle East, and India. It's also one of the many bespoke malware families the Charming Kitten actor has developed over the years. Affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), the advanced persistent threat (APT) group is also known by the monikers APT35, CALANQUE, CharmingCypress, Educated Manticore, ITG18,Mi...

Meta Platforms-owned WhatsApp scored a major legal victory in its fight against Israeli commercial spyware vendor NSO Group after a federal judge in the U.S. state of California ruled in favor of the messaging giant for exploiting a security vulnerability to deliver Pegasus. "The limited evidentiary record before the court does show that defendants' Pegasus code was sent through plaintiffs' California-based servers 43 times during the relevant time period in May 2019," United States District Judge Phyllis J. Hamilton said . The order further lambasted NSO Group, stating it "repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery," referring to the company's failure to produce the Pegasus source code and for limiting the access to Israeli citizens present in Israel. This information, per WhatsApp, included code only pertaining to an Amazon Web Services (AWS) server, and not the entire codebase that wo...

A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT. "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News. The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also referred to as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali. Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT , ArtraDownloader , and ZxxZ, indicating a heavy Asian focus. Bitter has also been linked to cyber...

Dive into the evolution of phishing and malware evasion techniques and understand how attackers are using increasingly sophisticated methods to bypass security measures. The Evolution of Phishing Attacks “I really like the saying that ‘This is out of scope’ said no hacker ever. Whether it’s tricks, techniques or technologies, hackers will do anything to evade detection and make sure their attack is successful,” says Etay Maor, Chief Security Strategist at Cato Networks and member of Cato CTRL . Phishing attacks have transformed significantly over the years. 15-20 years ago, simple phishing sites were sufficient for capturing the crown jewels of the time - credit card details. Today, attacks and defense methods have become much more sophisticated, as we’ll detail below. “This is also the time where the “cat-and-mouse” attack-defense game began,” says Tal Darsan, Security Manager and member of Cato CTRL. At the time, a major defense technique against credit card phishing sites inv...

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE , has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," the company said . "In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel." WIRTE is the moniker assigned to a Middle Eastern advanced persistent threat (APT) that has been active since at least August 2018, targeting a broad spectrum of entities across the region. It was first documented by Spanish cybersecurity company S2 Grupo. The hacking crew is assessed to be part of a politically motivated group ca...

Cybersecurity researchers have warned of a spike in phishing pages created using a website builder tool called Webflow, as threat actors continue to abuse legitimate services like Cloudflare and Microsoft Sway to their advantage. "The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials," Netskope Threat Labs researcher Jan Michael Alcantara said in an analysis. The cybersecurity company said it tracked a 10-fold increase in traffic to phishing pages crafted using Webflow between April and September 2024, with the attacks targeting more than 120 organizations across the world. A majority of those targeted are located in North America and Asia spanning financial services, banking, and technology sectors. The attackers have been observed using Webflow to create standalone phishing pages...

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters . The incident took place on the night of October 7, VGTRK confirmed , describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally despite attempts to interrupt radio and TV broadcasts. That said, Russian media outlet Gazeta.ru reported that the hackers wiped "everything" from the company's servers, including backups, citing an anonymous source. A source told Reuters that "Ukrainian hackers 'congratulated' Putin on his birthday by carrying out a large-scale attack on the all-Russian state television and radio broadcasting company." The attack is believed to be the work of a pro-Ukrainian hacker group called Sudo rm-RF . The Russian government has since said an investi...