#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

powershell | Breaking Cybersecurity News | The Hacker News

Category — powershell
Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

Feb 05, 2025 Threat Intelligence / Malware
A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan. "This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month. Targets of the hacking group's attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence. The infections commence with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts. The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, leverages the RAR archive to launc...
Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

Feb 03, 2025 Financial Security / Malware
Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote . "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. The cybersecurity company said it discovered over the past month several Windows Shortcut (LNK) file artifacts that contain PowerShell commands responsible for delivering the malware. Coyote was first documented by Kaspersky in early 2024, detailing its attacks targeting users in the South American nation. It's capable of harvesting sensitive information from over 70 financial applications. In the previous attack chain documented by the Russian cybersecurity firm, a Squirrel installer executable is used to trigger a Node.js application compiled with Electron, that, for its part, runs a...
What Is Attack Surface Management?

What Is Attack Surface Management?

Feb 03, 2025Attack Surface Management
Attack surfaces are growing faster than security teams can keep up – to stay ahead, you need to know what's exposed and where attackers are most likely to strike. With cloud adoption dramatically increasing the ease of exposing new systems and services to the internet, prioritizing threats and managing your attack surface from an attacker's perspective has never been more important. In this guide, we look at why attack surfaces are growing and how to monitor and manage them properly with  tools like Intruder . Let's dive in. What is your attack surface? First, it's important to understand what we mean when we talk about an attack surface. An attack surface is the sum of your digital assets that are 'reachable' by an attacker – whether they are secure or vulnerable, known or unknown, in active use or not. You can also have both internal and external attack surfaces - imagine for example a malicious email attachment landing in a colleague's inbox, vs a new FTP server being...
MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Jan 27, 2025 Malware / SEO Poisoning
Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC . "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file," cybersecurity firm eSentire said in an analysis. The campaign has targeted electricity, oil and gas, and the legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025. The development comes amid a spike in malicious campaigns that are abusing fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts to get around the checks, a technique that has come to be known ClickFix and KongTuke. "KongTuke involves an injected script that currently causes associated websites to displa...
cyber security

Practical, Tactical Guide to Securing AI in the Enterprise

websiteTinesEnterprise Security / AI Security
Supercharge your organization's AI adoption strategy, and go from complex challenges to secure success.
Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

Jan 23, 2025 Phishing / Malware
Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer. "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News. "The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted." The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. It's worth noting...
Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

Dec 17, 2024 Cyber Espionage / Malware
A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT. "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News. The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also referred to as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali. Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT , ArtraDownloader , and ZxxZ, indicating a heavy Asian focus. Bitter has also been linked to cyber...
Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Dec 14, 2024 Malware / Cyber Threat
Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai . "The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not limited and can be used against any potential target." The starting point of the attack chain is a RAR archive containing two Windows shortcut files named in Thai that translate to "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx." The exact initial vector used to deliver the payload is currently not known, although Hegde speculated that it would likely be spear-phishing due to the lures employed and the fact that RAR files have been used as malicious attachment...
Ongoing Phishing and Malware Campaigns in December 2024

Ongoing Phishing and Malware Campaigns in December 2024

Dec 10, 2024 Malware Analysis / Cyber Threat
Cyber attackers never stop inventing new ways to compromise their targets. That's why organizations must stay updated on the latest threats.  Here's a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you. Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems  The analyst team at ANY.RUN recently shared their analysis of an ongoing zero-day attack . It has been active since at least August and still remains unaddressed by most detection software to this day. The attack involves the use of intentionally corrupted Word documents and ZIP archives with malicious files inside. VirusTotal shows 0 detections for one of the corrupted files Due to corruption, security systems cannot properly identify the type of these files and run analysis on them, which results in zero threat detections. Word will ask the user if they want to restore a corrupted file Once these fi...
CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force

CERT-UA Warns of Phishing Attacks Targeting Ukraine's Defense and Security Force

Dec 10, 2024 Malware / Cyber Attack
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The phishing attacks have been attributed to a Russia-linked threat actor called UAC-0185 (aka UNC4221), which has been active since at least 2022. "The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs," CERT-UA said . "The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards." The email messages come embedded with a malicious URL that urges the recipients to click on it to view "important information" related to their participation in the conference. But in reality, doing so results in the download of a Windows shortcut file that, upon opening, is designed to execute an HTML Application, which, in t...
Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Oct 15, 2024 Threat Detection / Malware
Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader , also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive. HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 - A PowerShell script ...
PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads

PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads

Aug 23, 2024 Malware / Threat Intelligence
Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders. "This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said . "This PowerShell-based downloader is being tracked as PEAKLIGHT." Some of the malware strains distributed using this technique are Lumma Stealer , Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot , all of which are advertised under the malware-as-a-service (SaaS) model. The starting point of the attack chain is a Windows shortcut (LNK) file that's downloaded via drive-by download techniques -- e.g., when users look up a movie on search engines. It's worth pointing out that the LNK files are distributed within ZIP archives that are disguised as pirated movies. The LNK file connects to a content delivery network...
OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

Jul 30, 2024 Malware / Email Security
Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script. "This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis. The cybersecurity company is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking. The attack unfolds via an email containing an HTML file that, when opened, displays an image simulating an OneDrive page and includes the error message that says: "Failed to connect to the 'OneDrive' cloud service. To fix the error, you need to update the DNS cache manually." The message also comes with two options, namely "How to fix" and "Details," with the latter directing the email recipient to a legitimate Microsoft Learn pag...
8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

Jun 28, 2024 Malware / Cryptocurrency
Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server. "The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today. The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506 , CVE- 2017-10271 , and CVE-2023-21839 for initial access and drop the miner payload via a multi-stage loading technique. A successful foothold is followed by the deployment of PowerShell script that's responsible for dropping a first-stage loader ("wireguard2-3.exe") that mimics the legiti...
China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics

China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics

Jun 11, 2024 Malware / Cyber Attack
Cybersecurity researchers have uncovered an updated version of malware called ValleyRAT that's being distributed as part of a new campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs," Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati said . ValleyRAT was previously documented by QiAnXin and Proofpoint in 2023 in connection with a phishing campaign targeting Chinese-speaking users and Japanese organizations that distributed various malware families such as Purple Fox and a variant of the Gh0st RAT trojan known as Sainbox RAT (aka FatalRAT). The malware has been assessed to be the work of a China-based threat actor, boasting of capabilities to harvest sensitive information and drop additional payloads onto compromised hosts. The starting point is a downloader that utilizes an HTTP File Server (HFS) to fetch a file named...
DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks

DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks

Jun 04, 2024 Vulnerability / Threat Intelligence
Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted away from AutoIt scripts to an AutoHotkey mechanism to deliver the last stages, underscoring continued efforts on the part of the threat actors to continuously stay ahead of the detection curve. The updates have been observed in version 6 of DarkGate released in March 2024 by its developer RastaFarEye, who has been selling the program on a subscription basis to as many as 30 customers. The malware has been active since at least 2018. A fully-featured remote access trojan (RAT), DarkGate is equipped with command-and-control (C2) and rootkit capabilities, and incorporates various modules for credential theft, keylogging, screen capturing, and remote desktop. "DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions," Trellix security researcher Ernesto Fernández Provecho said in a Monday analysis. "This is the first time...
Expert Insights / Articles Videos
Cybersecurity Resources