ransomware | Breaking Cybersecurity News | The Hacker News

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against Russia-based bulletproof hosting (BPH) service provider Aeza Group to assist threat actors in their malicious activities and targeting victims in the country and across the world. The sanctions also extend to its subsidiaries Aeza International Ltd., the U.K. branch of Aeza Group, as well as Aeza Logistic LLC, Cloud Solutions LLC, and four individuals linked to the company - Arsenii Aleksandrovich Penzev, CEO and 33% owner of Aeza Group Yurii Meruzhanovich Bozoyan, general director and 33% owner of Aeza Group Vladimir Vyacheslavovich Gast, technical director who works closely with Penzev and Bozoyan Igor Anatolyevich Knyazev, 33% owner of Aeza Group who manages the operations in the absence of Penzev and Bozoyan It's worth noting that Penzev was arrested in early April 2025 on charges of leading a criminal organization and enabling large-scale drug trafficking ...

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader . Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829 . The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu. The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an "unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes." TA829 is something of an unusual hacking group in the threat landscape given its ability to conduct both espionage as well as financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozil...

U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors.  "Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events," the agencies said . "These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices." There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted. Emphasizing the need for "incr...

Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today's security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending. At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent . This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats. In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused. Enter the Agentic AI SOC Analyst The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team an...

The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector. To that end, the agency said it's actively working with aviation and industry partners to combat the activity and help victims. "These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," the FBI said in a post on X. "These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts." Scattered Spider attacks are also known to target third-party IT providers to obtain access to large organizations, putting trusted vendors and contractors at risk of potential attacks. The attacks typically pave the way for data theft, extortion, and ransomware. In a statement shared ...

The ClickFix social engineering tactic as an initial access vector using fake CAPTCHA verifications increased by 517% between the second half of 2024 and the first half of this year, according to data from ESET. "The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors," Jiří Kropáč, Director of Threat Prevention Labs at ESET, said . ClickFix has become a widely popular and deceptive method that employs bogus error messages or CAPTCHA verification checks to entice victims into copying and pasting a malicious script into either the Windows Run dialog or the Apple macOS Terminal app, and running it. The Slovak cybersecurity company said the highest volume of ClickFix detections are concentrated around Japan, Peru, Poland, Spain, and Slovakia. The prevalence and effectiveness of this attack meth...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access. Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014 , where "CL" refers to "cluster" and "CRI" stands for "criminal motivation." It's suspected that the end goal of the attacks is to obtain initial access and then sell it to other criminal actors on underground forums, making the threat actor an initial access broker (IAB). "The threat actor copies signatures from legitimate applications to forge file signatures , to disguise their toolset and mask their malicious activities," researchers Tom Fakterman and Guy Levi said . "Threat actors often spoof legitimate products for malicious purposes." The attacks are characterized by the deployment of tools like PoshC2 fo...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added three security flaws, each impacting AMI MegaRAC, D-Link DIR-859 router, and Fortinet FortiOS, to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-54085 (CVSS score: 10.0) - An authentication bypass by spoofing vulnerability in the Redfish Host Interface of AMI MegaRAC SPx that could allow a remote attacker to take control CVE-2024-0769 (CVSS score: 5.3) - A path traversal vulnerability in D-Link DIR-859 routers that allows for privilege escalation and unauthorized control (Unpatched) CVE-2019-6693 (CVSS score: 4.2) - A hard-coded cryptographic key vulnerability in FortiOS, FortiManager and FortiAnalyzer that's used to encrypt password data in CLI configuration, potentially allowing an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data Firmwar...

Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers to inject malicious code into the login pages that harvest their credentials. Positive Technologies, in a new analysis published last week, said it identified two different kinds of keylogger code written in JavaScript on the Outlook login page - Those that save collected data to a local file accessible over the internet Those that immediately send the collected data to an external server The Russian cybersecurity vendor said the attacks have targeted 65 victims in 26 countries worldwide, and marks a continuation of a campaign that was first documented in May 2024 as targeting entities in Africa and the Middle East. At that time, the company said it had detected no less than 30 victims spanning government agencies, banks, IT companies, and educational institutions, with evidence of the first compromise dating back to 2021. The attack chains involve exploiting known flaws in M...

Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut ( LNK ) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said . XDSpy is the name assigned to a cyber espionage that's known to target government agencies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.  In recent years, companies in Russia and Moldova have been targeted by various campaigns to deliver malware families like UTask, XDDown, and DSDownloader that can download additional payloads and steal sensitive information from compromised hosts. HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that's triggered when processing specially crafted LNK files. The v...

The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events. "Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event," the CMC said . The organization has categorized the disruption of the retailers as a "Category 2 systemic event." It's estimated that the security breaches will have a total financial impact of £270 million ($363 million) to £440 million ($592 million). However, the cyber attack on Harrods around the same time has not been included at this stage, citing a lack of adequate information about the cause and...

The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason. The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022. Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks , putting it behind Safepay (72) and Luna Moth (67). It's also the third most active group after...

The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG). "Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity," John Hultquist, chief analyst at GTIG, said in an email Monday. "We are now seeing incidents in the insurance industry. Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers." Scattered Spider is the name assigned to an amorphous collective that's known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the ...