social engineering | Breaking Cybersecurity News | The Hacker News

A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan. "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets." The issue with Discord's invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites. Details of the campaign come a little over a month after the ...

Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks. "Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads," ReliaQuest said in a report shared with The Hacker News. The development is a sign that the threat actors are continuing to pivot and regroup, despite the Black Basta brand suffering a huge blow and a decline after the public leak of its internal chat logs earlier this February. The cybersecurity company said half of the Teams phishing attacks that were observed between February and May 2025 originated from onmicrosoft[.]com domains, and that breached domains accounted for 42% of the attacks during the same period. The latter is a lot more stealthy and allows threat actors to impersonate legitimate traffi...

The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs. "By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which was most recently attributed to new malware families like TerraStealerV2 and TerraLogger. A JavaScript-based backdoor, it's capable of enabling credential theft, system access, and follow-on attacks, including ransomware. One of the malware's known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-s...

Behind every security alert is a bigger story. Sometimes it's a system being tested. Sometimes it's trust being lost in quiet ways—through delays, odd behavior, or subtle gaps in control. This week, we're looking beyond the surface to spot what really matters. Whether it's poor design, hidden access, or silent misuse, knowing where to look can make all the difference. If you're responsible for protecting systems, data, or people—these updates aren't optional. They're essential. These stories reveal how attackers think—and where we're still leaving doors open. ⚡ Threat of the Week Google Releases Patches for Actively Exploited Chrome 0-Day — Google has released Google Chrome versions 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to address a high-severity out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine that it said has been exploited in the wild. Google credited Clement Lecigne and Benoît Sevens of Google T...

Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer ( AMOS ) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation," security researcher Koushik Pal said in a report published this week. "The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries." It's believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware's source code. The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[....

India's Central Bureau of Investigation (CBI) has revealed that it has arrested six individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of an initiative called Operation Chakra V, which aims to combat cyber-enabled financial crimes. The cybercrime syndicates, per the CBI, defrauded foreign nationals, mainly Japanese citizens, by masquerading as technical support personnel from various multinational corporations, including Microsoft.  "The syndicate operated call centers designed to appear as legitimate customer service centers, through which victims were deceived into believing that their electronic devices were compromised," the agency said . "Under this pretext, victims were coerced into transferring funds ...

Google has disclosed details of a financially motivated threat cluster that it said "specializes" in voice phishing (aka vishing ) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion. The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040 , which it said exhibits characteristics that align with threat groups with ties to an online cybercrime collective known as The Com . "Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements," the company said in a report shared with The Hacker News. This approach, Google's Threat Intelligence Group (GTIG) added, has had the benefit of tricking English-speaking employees into performing actions that give the threat actors access or lead to the sharing of valua...

Threat hunters are alerting to a new campaign that employs deceptive websites to trick unsuspecting users into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware. The DomainTools Investigations (DTI) team said it identified "malicious multi-stage downloader Powershell scripts" hosted on lure websites that masquerade as Gitcode and Docusign. "These sites attempt to deceive users into copying and running an initial PowerShell script on their Windows Run command," the company said in a technical report shared with The Hacker News. "Upon doing so, the powershell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them eventually installing NetSupport RAT on the infected machines." It's believed that these counterfeit sites may be propagated via social engineering attempts over email and/or social media platforms. The Po...

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone.  This coverage is extremely valuable for the cybersecurity community as it raises awareness of the battles that security teams are fighting every day. But it's also created a lot of noise that can make it tricky to understand the big picture.  The headline story from the recent campaign against UK retailers is the use of help desk scams. This typically involves the attacker calling up a company's help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password, leaning heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account.  Help Des...

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America," the Dutch security company said . Crocodilus was first publicly documented in March 2025 as targeting Android device users in Spain and Turkey by masquerading as legitimate apps like Google Chrome. The malware comes fitted with capabilities to launch overlay attacks against a list of financial apps retrieved from an external server to harvest credentials. It also abuses accessibility services permissions to capture seed phrases as...

If this had been a security drill, someone would've said it went too far. But it wasn't a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late. This is how attacks happen now—quiet, convincing, and fast. Defenders aren't just chasing hackers anymore—they're struggling to trust what their systems are telling them. The problem isn't too few alerts. It's too many, with no clear meaning. One thing is clear: if your defense still waits for obvious signs, you're not protecting anything. You're just watching it happen. This recap highlights the moments that mattered—and why they're worth your attention. ⚡ Threat of the Week APT41 Exploits Google Calendar for Command-and-Control — The Chinese state-sponsored threat actor known as APT41 deployed a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). Google said it observed the spear-phishing attacks in October 2024 and that the malware was hosted on...

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.  "In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard-based remote access tool on the victim's computer," Trellix researcher Srini Seethapathy said in an analysis. The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group. The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishin...