ransomware | Breaking Cybersecurity News | The Hacker News

Malware isn't just trying to hide anymore—it's trying to belong. We're seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It's not just about being malicious—it's about being believable. In this week's cybersecurity recap, we explore how today's threats are becoming more social, more automated, and far too sophisticated for yesterday's instincts to catch. ⚡ Threat of the Week Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-...

SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. "In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs," Arctic Wolf Labs researcher Julian Tuin said in a report. The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn't been ruled out. The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has observed similar malicious VPN logins as far back as October 2024 , suggesting sustained efforts to target the devices. "A short interval was obser...

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report. The ongoing campaign, first detected in early 2025, is designed to use the OAuth applications as a gateway to obtain unauthorized access to users' Microsoft 365 accounts by means of phishing kits like Tycoon and ODx that are capable of conducting multi-factor authentication (MFA) phishing. The enterprise security company said it observed the approach being used in email campaigns with more than 50 impersonated applications. The attacks begin with phishing emails sent from compromised accounts and aim to trick recipients into clicking on URLs under the pretext of sharing requests ...

The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations. The framework includes at least two different types of clients, HTTP-based and Domain Name System ( DNS )-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research. The activity has been attributed to Storm-2603 , which, according to Microsoft, is a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware. A previously unreported threat cluster, evidence gathered following an analysis of VirusTotal artifacts shows that the group may have been active since at least March 2025, deploying ransomware families like LockBit Black and Warlock together – something that's not observed commonly among established e-c...

Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape. SentinelOne's steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control. Cybersecurity today isn't just about detection—it's about operational continuity under pressure. For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. ...

Cybersecurity experts have released a decryptor for a ransomware strain called FunkSec, allowing victims to recover access to their files for free. "Because the ransomware is now considered dead, we released the decryptor for public download," Gen Digital researcher Ladislav Zezula said . FunkSec , which emerged towards the end of 2024, has claimed 172 victims , according to data from Ransomware.live. The vast majority of targeted entities are located in the U.S., India, and Brazil, with technology, government, and education being the top three sectors attacked by the group. An analysis of FunkSec by Check Point earlier this January found signs that the encryptor was developed with assistance from artificial intelligence (AI) tools. The group has not added any new victims to its data leak site since March 18, 2025, suggesting that the group may no longer be active. It's also believed that the group consisted of inexperienced hackers seeking visibility and recogniti...

Google Cloud's Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses. "Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn't observed any new intrusions directly attributable to this specific threat actor," Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News in a statement. "This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly." Carmakal also warned businesses not to "let their guard down entirely," as other threat actors like UNC6040 are employing similar social engineering tactics as Scattered Spider to breach target netwo...

A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew , as the latter's dark web infrastructure has been the subject of a law enforcement seizure. Chaos, which sprang forth in February 2025, is the latest entrant in the ransomware landscape to conduct big-game hunting and double extortion attacks. "Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration," Cisco Talos researchers Anna Bennett, James Nutland, and Chetan Raghuprasad said . "The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery." It's important to note here that the ransomware group is unrelated to the Chaos ransomware ...

Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been pretty consistent: Compromise an endpoint via software exploit, or social engineering a user to run malware on their device;  Find ways to move laterally inside the network and compromise privileged identities; Repeat as needed until you can execute your desired attack — usually stealing data from file shares, deploying ransomware, or both.  But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally deployed and centrally managed in the way they used to be. Instead, they're logged into over the internet, and accessed via a web browser. Attacks have shifted from targeting local networks to SaaS services, accessed through employee web browsers. Under the shared responsibility model, the part that's left to the business consuming a SaaS service is mostly constrained to how they ma...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security vulnerability impacting PaperCutNG/MF print management software to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2023-2533 (CVSS score: 8.4), is a cross-site request forgery (CSRF) bug that could result in remote code execution. "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code," CISA said in an alert. PaperCut NG/MF is commonly used by schools, businesses, and government offices to manage print jobs and control network printers. Because the admin console typically runs on internal web servers, an exploited vulnerability here could give attackers an easy foothold into broader systems if overlooked. In a potential attack scenar...

Some risks don't breach the perimeter—they arrive through signed software, clean resumes, or sanctioned vendors still hiding in plain sight. This week, the clearest threats weren't the loudest—they were the most legitimate-looking. In an environment where identity, trust, and tooling are all interlinked, the strongest attack path is often the one that looks like it belongs. Security teams are now challenged to defend systems not just from intrusions—but from trust itself being turned into a weapon. ⚡ Threat of the Week Microsoft SharePoint Attacks Traced to China — The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread a week after the discovery of the zero-day exploits, with more than 400 organizations globally compromised. The attacks have been attributed to two known Chinese hacking groups tracked as Linen Typhoon (aka APT27), Violet Typhoon (aka APT31), and a suspected China-based threat actor codenamed Storm-2603 t...

The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks targeting retail, airline, and transportation sectors in North America. "The group's core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk," Google's Mandiant team said in an extensive analysis. "The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization's most critical systems and data." Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a "living-off-the-land" (LotL) approach by manipulating trusted ad...

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems. The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 ." The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that's known to drop Warlock and LockBit ransomware in the past. The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload. "This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint," Microsoft said. "Storm-2603 then initiates a series of discovery commands, incl...

Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025 , corroborating earlier reports. The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws as well to obtain initial access to target organizations. "With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the tech giant said in a report published today. A brief description of the threat activity clusters is below - Linen Typhoon (aka APT27 , Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), which is active since 2012 and has been previously attributed to malware families like SysUpdate, HyperBro, and PlugX Violet Typhoon (aka ...

The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. "LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets. EncryptHub's focus on Web3 developers isn't random—these individuals often manage crypto wallets, access to smart contract repositories, or sensitive test environments. Many operate as freelancers or work across multiple decentralized projects, making them harder to protect wit...

With IT outages and disruptions escalating, IT teams are shifting their focus beyond simply backing up data to maintaining operations during an incident. One of the key drivers behind this shift is the growing threat of ransomware, which continues to evolve in both frequency and complexity. Ransomware-as-a-Service (RaaS) platforms have made it possible for even inexperienced threat actors with less or no technical expertise to launch large-scale, damaging attacks. And these attacks don't just encrypt data now. They exfiltrate sensitive information for double and triple extortion, alter or delete backups, and disable recovery infrastructure to block restoration efforts. This is especially critical for small and midsize businesses (SMBs), which are increasingly targeted due to their leaner defenses. For an SMB generating $10 million in annual revenue, even a single day of downtime can cost $55,076 , without factoring in the long-term impact on customer trust and brand reputation. While...

Cybersecurity researchers have flagged a new variant of a known malware loader called Matanbuchus that packs in significant features to enhance its stealth and evade detection. Matanbuchus is the name given to a malware-as-a-service (MaaS) offering that can act as a conduit for next-stage payloads , including Cobalt Strike beacons and ransomware. First advertised in February 2021 on Russian-speaking cybercrime forums for a rental price of $2,500, the malware has been put to use as part of ClickFix-like lures to trick users visiting legitimate-but-compromised sites not running it. Matanbuchus's delivery methods have evolved over time, leveraging phishing emails pointing to booby-trapped Google Drive links, drive-by downloads from compromised sites, malicious MSI installers , and malvertising . It has been used to deploy a variety of secondary payloads including DanaBot, QakBot, and Cobalt Strike, all known precursors to ransomware deployment.

A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP . The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a hacking crew it tracks as UNC6148 . The number of known victims is "limited" at this stage. The tech giant assessed with high confidence that the threat actor is "leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates." "Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025." The exact initial access vector used to deliver the malware is currently not known due to the steps taken by the...

Cloudflare on Tuesday said it mitigated 7.3 million distributed denial-of-service (DDoS) attacks in the second quarter of 2025, a significant drop from 20.5 million DDoS attacks it fended off the previous quarter. "Overall, in Q2 2025, hyper-volumetric DDoS attacks skyrocketed," Omer Yoachimik and Jorge Pacheco said . "Cloudflare blocked over 6,500 hyper-volumetric DDoS attacks, an average of 71 per day." In Q1 2025, the company said an 18-day sustained campaign against its own and other critical infrastructure protected by Cloudflare was responsible for 13.5 million of the attacks observed during the time period. Cumulatively, Cloudflare has blocked nearly 28 million DDoS attacks, surpassing the number of attacks it mitigated in all of 2024. The notable of the attacks in Q2 2025 is a staggering DDoS attack that peaked at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps) within a span of 45 seconds. Big traffic spikes like these make he...

Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP that has targeted a wide range of sectors in Australia, Brazil, Europe, and the United States since its emergence in early June 2025. GLOBAL GROUP was "promoted on the Ramp4u forum by the threat actor known as '$$$,'" EclecticIQ researcher Arda Büyükkaya said . "The same actor controls the BlackLock RaaS and previously managed Mamona ransomware operations." It's believed that GLOBAL GROUP is a rebranding of BlackLock after the latter's data leak site was defaced by the DragonForce ransomware cartel back in March. It's worth mentioning that BlackLock in itself is a rebrand of another RaaS scheme known as Eldorado. The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy the ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. Al...