windows security | Breaking Cybersecurity News | The Hacker News

Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said . The attack chains, which have not been attributed to any specific threat actor, commence with a phishing email that contains a RAR file attachment or a link to the archive that masquerades as a Microsoft Word or a PDF document by making use of double extensions ("doc_054_[redacted].pdf.rar"). Present within the archive file is an executable that, when launched, copies itself to the "%AppData%" location of the compromised Windows machine under the name "task.exe" and creates a Visual Basic Script called "Task.vbs" in the Startup VBS folder. The executable then proceeds to unpack another ...

Cybersecurity researchers are calling attention to a new botnet malware called HTTPBot that has been used to primarily single out the gaming industry, as well as technology companies and educational institutions in China. "Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks," NSFOCUS said in a report published this week. "By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms." HTTPBot, first spotted in the wild in August 2024, gets its name from the use of HTTP protocols to launch distributed denial-of-service attacks. Written in Golang, it's something of an anomaly given its targeting of Windows systems. The Windows-based botnet trojan is noteworthy for its use in precisely targeted attacks aimed at high-value business interfaces such as game login and payment systems. "This attack ...

Cybersecurity researchers have discovered a new phishing campaign that's being used to distribute malware called Horabot targeting Windows users in Latin American countries like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. The campaign is "using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans," Fortinet FortiGuard Labs researcher Cara Lin said . The activity, observed by the network security company in April 2025, has primarily singled out Spanish-speaking users. The attacks have also been found to send phishing messages from victims' mailboxes using Outlook COM automation, effectively propagating the malware laterally within corporate or personal networks. In addition, the threat actors behind the campaign execute various VBScript, AutoIt, and PowerShell scripts to conduct system reconnaissance, stea...

Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022. RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging bulletproof hosting to maintain persistence and evade detection," Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. Nebulous Mantis, also tracked by the cybersecurity community under the names CIGAR , Cuba , Storm-0978, Tropical Scorpius, UAC-0180, UNC2596 , and Void Rabisu , is known to target critical infrastructure, government agencies, political leaders, and NATO-related defense organizations. Attack chains mounted by the group typically involve the use of spear-phishing emails with weaponized document links to distribute RomCom RAT. The domains and com...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager ( NTLM ) hash disclosure spoofing bug that was patched by Microsoft last month as part of its Patch Tuesday updates. NTLM is a legacy authentication protocol that Microsoft officially deprecated last year in favor of Kerberos. In recent years, threat actors have found various methods to exploit the technology, such as pass-the-hash and relay attacks, to extract NTLM hashes for follow-on attacks. "Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network," CISA said. In a bulletin published in March, Mi...

Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. The issues have been uncovered in a binary named " schtasks.exe ," which enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. "A [User Account Control] bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval," Cymulate security researcher Ruben Enkaoua said in a report shared with The Hacker News. "By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators' rights, leading to unauthorized access, data theft, or further system c...

A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB . "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an analysis published this week. ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating all the way back to at least December 2020. Last year, the Russian cybersecurity vendor detailed the hacking group's use of various tools to maintain persistent access to compromised environments and harvest data on an "industrial scale" from organizations located in the Asia-Pacific region. Kaspersky said its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file ("version...

Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the tech giant said . The vulnerability in question is CVE-2025-29824, a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. It was fixed by Redmond as part of its Patch Tuesday update for April 2025. Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also leveraging a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known. However, the threa...

The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview , also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be active since at least December 2022, although it was only publicly documented for the first time in late 2023. "It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors," Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé said , attributing the effort to the infamous Lazarus Group , a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic Pe...

The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that can grant them remote access to compromised Windows systems. "This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," Swiss cybersecurity company PRODAFT said in a technical report of the malware. FIN7, also called Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group known for its ever-evolving and expanding set of malware families for obtaining initial access and data exfiltration. In recent years, the threat actor is said to have transitioned to a ransomware affiliate. In July 2024, the group was observed using various online aliases to advertise a tool called AuKill (aka AvNeutralizer) that's capable of terminating security tools in a likely ...

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader .  "The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products," Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week. "The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers." CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable. Central to the malwar...

An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36 , which is also known as Transparent Tribe.  The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file. "When accessed from a desktop, the site delivers a malicious PDF file containing ' ClickFix ' tactics," CYFIRMA said . "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it – potentia...

The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems," Trend Micro researcher Aliakbar Zahravi said in an analysis. The vulnerability in question is CVE-2025-26633 (CVSS score: 7.0), described by Microsoft as an improper neutralization vulnerability in Microsoft Management Console ( MMC ) that could allow an attacker to bypass a security feature locally. It was fixed by the company earlier this month as part of its Patch Tuesday update. Trend Micro has given the exploit the moniker MSC EvilTwin, tracking the suspected Russian activity cluster under the name Water...

Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability, assigned the CVE identifier CVE-2024-4577 , refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code. Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%). About 15% of the detected exploitation attempts involve basic vulnerability checks using commands like "whoami" and "echo <test_string>." Another 15% revolve around commands used for system reconnaissance, such as process enumeration, network discovery, user and domain information, and system metadata gathering. Martin Zugec, technic...

An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373 , refers to an issue that allows bad actors to execute hidden malicious commands on a victim's machine by leveraging crafted Windows Shortcut or Shell Link (.LNK) files. "The attacks leverage hidden command line arguments within .LNK files to execute malicious payloads, complicating detection," security researchers Peter Girnus and Aliakbar Zahravi said in an analysis shared with The Hacker News. "The exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage." Specifically, this involves the padding of the arguments with Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A),...

Microsoft is calling attention to a novel remote access trojan (RAT) named StilachiRAT that it said employs advanced techniques to sidestep detection and persist within target environments with an ultimate aim to steal sensitive data. The malware contains capabilities to "steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information," the Microsoft Incident Response team said in an analysis. The tech giant said it discovered StilachiRAT in November 2024, with its RAT features present in a DLL module named "WWStartupCtrl64.dll." The malware has not been attributed to any specific threat actor or country. It's currently not clear how the malware is delivered to targets, but Microsoft noted that such trojans can be installed via various initial access routes, making it crucial for organizations to implement adequate security measures. StilachiRAT i...

A new malware campaign has been observed leveraging social engineering tactics to deliver an open-source rootkit called r77 . The activity, condemned OBSCURE#BAT by Securonix, enables threat actors to establish persistence and evade detection on compromised systems. It's currently not known who is behind the campaign. The rootkit "has the ability to cloak or mask any file, registry key or task beginning with a specific prefix," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News. "It has been targeting users by either masquerading as legitimate software downloads or via fake captcha social engineering scams." The campaign is designed to mainly target English-speaking individuals, particularly the United States, Canada, Germany, and the United Kingdom. OBSCURE#BAT gets its name from the fact that the starting point of the attack is an obfuscated Windows batch script that, in turn, executes PowerShell commands to activ...