social engineering | Breaking Cybersecurity News | The Hacker News

An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show. "This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group's previous credential theft and database exploitation," ReliaQuest said in a report shared with The Hacker News. These include the use of adoption of tactics that mirror those of Scattered Spider , such as highly-targeted vishing (aka voice phishing ) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration. ShinyHunters , which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major...

This week, cyber attackers are moving quickly, and businesses need to stay alert. They're finding new weaknesses in popular software and coming up with clever ways to get around security. Even one unpatched flaw could let attackers in, leading to data theft or even taking control of your systems. The clock is ticking—if defenses aren't updated regularly, it could lead to serious damage. The message is clear: don't wait for an attack to happen. Take action now to protect your business. Here's a look at some of the biggest stories in cybersecurity this week: from new flaws in WinRAR and NVIDIA Triton to advanced attack techniques you should know about. Let's get into the details. ⚡ Threat of the Week Trend Micro Warns of Actively Exploited 0-Day — Trend Micro has released temporary mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987),...

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said. What makes the activity notable is the threat actor's use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It's worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week. "Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody's watching," Admoni said in a report published Thursday. To achieve this, the attackers first create ...

A combination of propagation methods, narrative sophistication, and evasion techniques enabled the social engineering tactic known as ClickFix to take off the way it did over the past year, according to new findings from Guardio Labs. "Like a real-world virus variant, this new ' ClickFix ' strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year," security researcher Shaked Chen said in a report shared with The Hacker News. "It did so by removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result – a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures." ClickFix is the name given to a social engineering tactic where prospective targets are deceived into infecting their own machines under the guise of fixing a non-existent issue or a CAPTCHA verification. It was first det...

Cybersecurity researchers have lifted the veil on a widespread malicious campaign that's targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps. "Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users," CTM360 said . "The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking theyʼre interacting with a legitimate affiliate or the real platform." The scam campaign has been codenamed FraudOnTok  by the Bahrain-based cybersecurity company, calling out the threat actor's multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors. Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified...

Malware isn't just trying to hide anymore—it's trying to belong. We're seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It's not just about being malicious—it's about being believable. In this week's cybersecurity recap, we explore how today's threats are becoming more social, more automated, and far too sophisticated for yesterday's instincts to catch. ⚡ Threat of the Week Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-...

Cybersecurity researchers have discovered a nascent Android remote access trojan (RAT) called PlayPraetor that has infected more than 11,000 devices, primarily across Portugal, Spain, France, Morocco, Peru, and Hong Kong. "The botnet's rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic shift away from its previous common victim base," Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said in an analysis of the malware. PlayPraetor, managed by a Chinese command-and-control (C2) panel, doesn't significantly deviate from other Android trojans in that it abuses accessibility services to gain remote control and can serve fake overlay login screens atop nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victim accounts. PlayPraetor was first documented by CTM360 in March 2025, detailing the operation's u...

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report. The ongoing campaign, first detected in early 2025, is designed to use the OAuth applications as a gateway to obtain unauthorized access to users' Microsoft 365 accounts by means of phishing kits like Tycoon and ODx that are capable of conducting multi-factor authentication (MFA) phishing. The enterprise security company said it observed the approach being used in email campaigns with more than 50 impersonated applications. The attacks begin with phishing emails sent from compromised accounts and aim to trick recipients into clicking on URLs under the pretext of sharing requests ...

Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses. "Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click," the Cloudflare Email Security team said . "While this is effective against known threats, attacks can still succeed if the wrapped link hasn't been flagged by the scanner at click time." The activity, observed over the last two months, once again illustrates how threat actors find different ways to leverage legitimate features and trusted tools to their advantage and perform malicious actions, in this case, redirecting victims to Microsoft 365 phishing pages. It's noteworthy that the abuse of link wrapping involves the attackers gaining unauthorized access to em...

The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram. "Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations," Google's cloud division said [PDF] in its Cloud Threat Horizons Report for H2 2025. UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries. Notably, the hacking group has been implicated in significant cryptocurrency heists , including that of Axie Infinity in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion). ...

Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data such as credentials and wallets. The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones. "The actors separate the installer's functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites," the company said in an analysis. "A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation." It's worth noting that some aspects of the activity were previously documented by Microsoft in April 2...

Google Cloud's Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses. "Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn't observed any new intrusions directly attributable to this specific threat actor," Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News in a statement. "This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly." Carmakal also warned businesses not to "let their guard down entirely," as other threat actors like UNC6040 are employing similar social engineering tactics as Scattered Spider to breach target netwo...

The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack that's targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply@pypj[.]org (note that the domain is not " pypi[.]org "). "This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI," Mike Fiedler, PyPI Admin, said in a post Monday. The email messages instruct users to follow a link to verify their email address, which leads to a replica phishing site that impersonates PyPI and is designed to harvest their credentials. But in a clever twist, once the login information is entered on the bogus site, the request is routed to the legitimate PyPI site, effectively fooling the victims into thinking that nothing is amiss when, in r...

A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew , as the latter's dark web infrastructure has been the subject of a law enforcement seizure. Chaos, which sprang forth in February 2025, is the latest entrant in the ransomware landscape to conduct big-game hunting and double extortion attacks. "Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration," Cisco Talos researchers Anna Bennett, James Nutland, and Chetan Raghuprasad said . "The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery." It's important to note here that the ransomware group is unrelated to the Chaos ransomware ...

Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that's targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data. The cross-platform threat has been codenamed SarangTrap by Zimperium zLabs. Users in South Korea appear to be the primary focus. "This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications," security researcher Rajat Goyal said . The bogus domains, which impersonate legitimate app store listing pages, are used as a lure to trick users into installing these apps, resulting in the exfiltration of contact lists and images, all while keeping up an illusion of legitimacy. Once installed, the Android apps also prompt the victim to enter an invitation code, after which it's validated against a command-and-control (C2) server. ...

Some risks don't breach the perimeter—they arrive through signed software, clean resumes, or sanctioned vendors still hiding in plain sight. This week, the clearest threats weren't the loudest—they were the most legitimate-looking. In an environment where identity, trust, and tooling are all interlinked, the strongest attack path is often the one that looks like it belongs. Security teams are now challenged to defend systems not just from intrusions—but from trust itself being turned into a weapon. ⚡ Threat of the Week Microsoft SharePoint Attacks Traced to China — The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread a week after the discovery of the zero-day exploits, with more than 400 organizations globally compromised. The attacks have been attributed to two known Chinese hacking groups tracked as Linen Typhoon (aka APT27), Violet Typhoon (aka APT31), and a suspected China-based threat actor codenamed Storm-2603 t...

The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks targeting retail, airline, and transportation sectors in North America. "The group's core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk," Google's Mandiant team said in an extensive analysis. "The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization's most critical systems and data." Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a "living-off-the-land" (LotL) approach by manipulating trusted ad...

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang. The sanctions target Korea Sobaeksu Trading Company (aka Sobaeksu United Corporation), and Kim Se Un, Jo Kyong Hun, and Myong Chol Min for evading sanctions imposed by the U.S. and the United Nations against the Democratic People's Republic of Korea (DPRK) government.  "Our commitment is clear: Treasury, as part of a whole-of-government effort, will continue to hold accountable those who seek to infiltrate global supply chains and enable the sanctions evasion activities that further the Kim regime's destabilizing agenda," said Director of OFAC Bradley T. Smith. The latest action marks the U.S. government's continued efforts to dismantle North Korea's wide-ranging r...

The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. "The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems," security researchers Sudeep Singh and Roy Tay said in a Wednesday report. This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware. Over the past two years, hacking groups like EvilBamboo , Evasive Panda , and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the u...