#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

powershell | Breaking Cybersecurity News | The Hacker News

Category — powershell
OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

Mar 14, 2025 Threat Intelligence / Malware
A new malware campaign has been observed leveraging social engineering tactics to deliver an open-source rootkit called r77 . The activity, condemned OBSCURE#BAT by Securonix, enables threat actors to establish persistence and evade detection on compromised systems. It's currently not known who is behind the campaign. The rootkit "has the ability to cloak or mask any file, registry key or task beginning with a specific prefix," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News. "It has been targeting users by either masquerading as legitimate software downloads or via fake captcha social engineering scams." The campaign is designed to mainly target English-speaking individuals, particularly the United States, Canada, Germany, and the United Kingdom. OBSCURE#BAT gets its name from the fact that the starting point of the attack is an obfuscated Windows batch script that, in turn, executes PowerShell commands to activ...
FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

Mar 07, 2025
Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil). "Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. "While it's linked to the Ragnar Locker group, it's unclear if they own it or just rent it out to others. What we do know is that its developers are constantly adding new features, making it more modular and harder to detect." Ragnar Loader, also referred to as Sardonic, was first documented by Bitdefender in August 2021 in connection with an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S. It's said to have been put to use ...
Why The Modern Google Workspace Needs Unified Security

Why The Modern Google Workspace Needs Unified Security

Mar 10, 2025Data Protection / SaaS Security
The Need For Unified Security Google Workspace is where teams collaborate, share ideas, and get work done. But while it makes work easier, it also creates new security challenges. Cybercriminals are constantly evolving, finding ways to exploit misconfigurations, steal sensitive data, and hijack user accounts. Many organizations try to secure their environment by piecing together different security tools, hoping that multiple layers of protection will keep them safe.  But in reality, this patchwork approach often creates blind spots, making it harder—not easier—to defend against threats. To truly secure Google Workspace, businesses need a unified security strategy that offers complete protection without unnecessary complexity. The problem with most security solutions is that they only solve part of the puzzle. Point solutions, like tools that block malware or phishing attacks, might work well for a specific type of threat but fail to recognize suspicious user behavior, unauthori...
Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide

Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide

Mar 07, 2025 Malvertising / Open Source
Microsoft has disclosed details of a large-scale malvertising campaign that's estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information. The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors that are known to distribute remote access or information-stealing malware via phishing, search engine optimization (SEO), or malvertising. "The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team said . "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack." The most signifi...
cyber security

The State of GRC 2025: From Cost Center to Strategic Business Driver

websiteDrataGovernance / Compliance
Drata's new report takes a look at how GRC professionals are approaching data protection regulations, AI, and the ability to maintain customer trust.
Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Mar 04, 2025 Network Security / Ransomware
Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems. The unidentified threat actors performed "minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised," the Cisco-owned company said in a technical report published last week. "This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations." The attacks have been ob...
New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

Feb 17, 2025 Threat Intelligence / Cyber Attack
Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis published last week. "Although the malware seems to still be under development it is completely functional." Once launched, the backdoor is designed to check if it's running under a specific location and using a specific name – "C:\Windows\Temp\svchost.exe" – and if not, it reads its own contents, writes them to that location, and creates a new process to launch the copied version and terminate itself. A notable aspect of the malware is that it uses an open-source library that offers Golang bindings for the Telegram Bot API for C2 purposes. This involves...
North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

Feb 13, 2025 United States
A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky , which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima. "Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a "sophisticated and multi-stage operation." The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents and crypto-related files to trick recipients into opening them, thereby triggering the infection process. The attack...
Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks

Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks

Feb 11, 2025 Malware / Cyber Attack
Threat actors have observed the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025. NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real-time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands. Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files. "ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads," eSentire said in an...
Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

Feb 05, 2025 Threat Intelligence / Malware
A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan. "This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month. Targets of the hacking group's attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence. The infections commence with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts. The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, leverages the RAR archive to launc...
Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

Feb 03, 2025 Financial Security / Malware
Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote . "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. The cybersecurity company said it discovered over the past month several Windows Shortcut (LNK) file artifacts that contain PowerShell commands responsible for delivering the malware. Coyote was first documented by Kaspersky in early 2024, detailing its attacks targeting users in the South American nation. It's capable of harvesting sensitive information from over 70 financial applications. In the previous attack chain documented by the Russian cybersecurity firm, a Squirrel installer executable is used to trigger a Node.js application compiled with Electron, that, for its part, runs a...
MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Jan 27, 2025 Malware / SEO Poisoning
Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC . "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file," cybersecurity firm eSentire said in an analysis. The campaign has targeted electricity, oil and gas, and the legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025. The development comes amid a spike in malicious campaigns that are abusing fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts to get around the checks, a technique that has come to be known ClickFix and KongTuke. "KongTuke involves an injected script that currently causes associated websites to displa...
Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

Jan 23, 2025 Phishing / Malware
Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer. "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News. "The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted." The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. It's worth noting...
Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

Dec 17, 2024 Cyber Espionage / Malware
A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT. "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News. The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also referred to as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali. Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT , ArtraDownloader , and ZxxZ, indicating a heavy Asian focus. Bitter has also been linked to cyber...
Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Dec 14, 2024 Malware / Cyber Threat
Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai . "The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not limited and can be used against any potential target." The starting point of the attack chain is a RAR archive containing two Windows shortcut files named in Thai that translate to "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx." The exact initial vector used to deliver the payload is currently not known, although Hegde speculated that it would likely be spear-phishing due to the lures employed and the fact that RAR files have been used as malicious attachment...
Ongoing Phishing and Malware Campaigns in December 2024

Ongoing Phishing and Malware Campaigns in December 2024

Dec 10, 2024 Malware Analysis / Cyber Threat
Cyber attackers never stop inventing new ways to compromise their targets. That's why organizations must stay updated on the latest threats.  Here's a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you. Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems  The analyst team at ANY.RUN recently shared their analysis of an ongoing zero-day attack . It has been active since at least August and still remains unaddressed by most detection software to this day. The attack involves the use of intentionally corrupted Word documents and ZIP archives with malicious files inside. VirusTotal shows 0 detections for one of the corrupted files Due to corruption, security systems cannot properly identify the type of these files and run analysis on them, which results in zero threat detections. Word will ask the user if they want to restore a corrupted file Once these fi...
CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force

CERT-UA Warns of Phishing Attacks Targeting Ukraine's Defense and Security Force

Dec 10, 2024 Malware / Cyber Attack
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The phishing attacks have been attributed to a Russia-linked threat actor called UAC-0185 (aka UNC4221), which has been active since at least 2022. "The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs," CERT-UA said . "The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards." The email messages come embedded with a malicious URL that urges the recipients to click on it to view "important information" related to their participation in the conference. But in reality, doing so results in the download of a Windows shortcut file that, upon opening, is designed to execute an HTML Application, which, in t...
Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Oct 15, 2024 Threat Detection / Malware
Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader , also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive. HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 - A PowerShell script ...
Cybersecurity
Expert Insights / Articles Videos
Cybersecurity Resources