social engineering | Breaking Cybersecurity News | The Hacker News

The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware." Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024. Incidentally, the malware is one among the many malicious software to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025. I...

Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company. "The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said . First detected in early 2025, the campaign leads unsuspecting users to a spoofed website such as klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-genera...

An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. "The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding malicious extensions on Google's Chrome Web Store (CWS)," the DomainTools Intelligence (DTI) team said in a report shared with The Hacker News. While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Another factor that works in the extensions' favor is that they are configured to grant themselves excessive permissions via...

Cybersecurity leaders aren't just dealing with attacks—they're also protecting trust, keeping systems running, and maintaining their organization's reputation. This week's developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow.  Just fixing problems isn't enough anymore—resilience needs to be built into everything from the ground up. That means better systems, stronger teams, and clearer visibility across the entire organization. What's showing up now isn't just risk—it's a clear signal that acting fast and making smart decisions matters more than being perfect. Here's what surfaced—and what security teams can't afford to overlook. ⚡ Threat of the Week Microsoft Fixes 5 Actively Exploited 0-Days — Microsoft addressed a total of 78 security flaws in its Patch Tuesday update for May 2025 last week, out of which five of them have come under active exploitation in the wild. The vulnerabilities include CVE-2025-30397, CVE-2025-...

A new global phishing threat called " Meta Mirage " has been uncovered, targeting businesses using Meta's Business Suite. This campaign specifically aims at hijacking high-value accounts, including those managing advertising and official brand pages. Cybersecurity researchers at CTM360 revealed that attackers behind Meta Mirage impersonate official Meta communications, tricking users into handing over sensitive details like passwords and security codes (OTP). The scale of this operation is alarming. Researchers have already identified over 14,000 malicious URLs , a concerning majority of which —nearly 78%— were not blocked by browsers at the time the report was published. Cybercriminals cleverly hosted fake pages leveraging trusted cloud platforms like GitHub, Firebase, and Vercel, making it harder to spot the scams. This method aligns closely with recent findings from Microsoft, which highlighted similar abuse of cloud hosting services to compromise Kubernetes appli...

The cybersecurity landscape has been dramatically reshaped by the advent of generative AI. Attackers now leverage large language models (LLMs) to impersonate trusted individuals and automate these social engineering tactics at scale.  Let's review the status of these rising attacks, what's fueling them, and how to actually prevent, not detect, them.  The Most Powerful Person on the Call Might Not Be Real Recent threat intelligence reports highlight the growing sophistication and prevalence of AI-driven attacks: Voice Phishing Surge: According to CrowdStrike's 2025 Global Threat Report , there was a 442% increase in voice phishing (vishing) attacks between the first and second halves of 2024, driven by AI-generated phishing and impersonation tactics. Social Engineering Prevalence: Verizon's 2025 Data Breach Investigations Report indicates that social engineering remains a top pattern in breaches, with phishing and pretexting accounting for a significant portion of inc...

Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile . "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns," Morphisec researcher Shmuel Uzan said in a report published last week. Posts shared on these pages have been found to attract over 62,000 views on a single post, indicating that users looking for AI tools for video and image editing are the target of this campaign. Some of the fake social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros. Users who land on the social media posts are urged to click on links that advertise AI-powered content creation services, including videos, logos, images, and even websites. One of the bogus websites masquerad...

The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of a cross-platform malware called OtterCookie with capabilities to steal credentials from web browsers and other files. NTT Security Holdings, which detailed the new findings, said the attackers have "actively and continuously" updated the malware, introducing versions v3 and v4 in February and April 2025, respectively. The Japanese cybersecurity company is tracking the cluster under the name WaterPlum , which is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. OtterCookie was first documented by NTT last year after having observed it in attacks since September 2024. Delivered by means of a JavaScript payload via a malicious npm package, trojanized GitHub or Bitbucket repository, or a bogus videoconferencing app, it's designed to contact an external server to execute commands on compromis...

The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures. "LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the Google Threat Intelligence Group (GTIG) said . The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out. LOSTKEYS is the second custom malware attributed to COLDRIVER after SPICA , marking a continued departure from the credential phishing campaigns the threat actor has been known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057. "They ar...

What if attackers aren't breaking in—they're already inside, watching, and adapting? This week showed a sharp rise in stealth tactics built for long-term access and silent control. AI is being used to shape opinions. Malware is hiding inside software we trust. And old threats are returning under new names. The real danger isn't just the breach—it's not knowing who's still lurking in your systems. If your defenses can't adapt quickly, you're already at risk. Here are the key cyber events you need to pay attention to this week. ⚡ Threat of the Week Lemon Sandstorm Targets Middle East Critical Infra — The Iranian state-sponsored threat group tracked as Lemon Sandstorm targeted an unnamed critical national infrastructure (CNI) in the Middle East and maintained long-term access that lasted for nearly two years using custom backdoors like HanifNet, HXLibrary, and NeoExpressRAT. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive es...

The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News. "The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications." Phishing and drive-by download campaigns distributing MintsLoader have been detected in the wild since early 2023, per Orange Cyberdefense . The loader has been observed delivering various follow-on payloads like StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client. The malware has also been put to use by threat actors operating e-crime services like SocGholish (aka FakeUpdates) and LandUpdate808 (aka TAG-124), distributing via p...

How Many Gaps Are Hiding in Your Identity System? It's not just about logins anymore. Today's attackers don't need to "hack" in—they can trick their way in. Deepfakes, impersonation scams, and AI-powered social engineering are helping them bypass traditional defenses and slip through unnoticed. Once inside, they can take over accounts, move laterally, and cause long-term damage—all without triggering alarms. But here's the catch: most organizations only focus on parts of the identity lifecycle—usually authentication. That leaves critical gaps wide open during enrollment, recovery, and even routine access. This upcoming webinar from Beyond Identity and Nametag breaks down what it really takes to protect your entire identity lifecycle —from the first time a user joins, to every login, to the moment they forget their credentials. 🔐 What's Covered: AI Threats Are Already Here – Learn how attackers are using deepfakes to impersonate real users Phishing-Resistant MFA – Go beyond...

Cybersecurity researchers have revealed that RansomHub 's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among affiliates of the ransomware-as-a-service (RaaS) operation. Singaporean cybersecurity company Group-IB said that this may have caused affiliates to migrate to Qilin, given that "disclosures on its DLS [data leak site] have doubled since February."  RansomHub, which first emerged in February 2024, is estimated to have stolen data from over 200 victims. It replaced two high-profile RaaS groups, LockBit and BlackCat, to become a frontrunner, courting their affiliates, including Scattered Spider and Evil Corp , with lucrative payment splits. "Following a possible acquisition of the web application and ransomware source code of Knight (formerly Cyclops), RansomHub quickly rose in the ransomware scene, thanks to the dynamic features of its multi-platform encryptor and an aggressive, affiliate-friendly ...