windows security | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor . According to Seqrite Labs , the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection. The cybersecurity company's analysis is based on the ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025. Present with the archive is a decoy Russian-language document that purports to be a notification related to income tax legislation and a Windows shortcut (LNK) file. The LNK file, which has the same name as the ZIP archive (i.e., "Перерасчет заработной платы 01.10.2025"), is responsible for the execution of the .NET implant ("adobe.dll") using a legitimate Microsoft binary named " rundll32.exe ," a living-off-the-land (LotL) technique known to be adopted by threat actors. The backd...

Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users' devices. "Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer's JavaScript engine (Chakra) to gain access to victim devices," the Microsoft Browser Vulnerability Research team said in a report published last week. In the attack chain documented by the Windows maker, the threat actors have been found to trick unsuspecting users into visiting an seemingly legitimate website and then employ a flyout on the page to instruct them into reloading the page in IE mode. Once the page is reloaded, the attackers are said to have weaponized an unspecified exploit in the Chakra engine to obtain remote code execution. The infection sequence culminates w...

Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts. "Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, 'serviceaccount,'" eSentire said in a technical report published last week. "Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot." The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer's environment. ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker "chaos_00019" and is responsible for issuin...

Cybersecurity researchers have charted the evolution of XWorm malware, turning it into a versatile tool for supporting a wide range of malicious actions on compromised hosts. "XWorm's modular design is built around a core client and an array of specialized components known as plugins," Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. "These plugins are essentially additional payloads designed to carry out specific harmful actions once the core malware is active." XWorm, first observed in 2022 and linked to a threat actor named EvilCoder, is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It's primarily propagated via phishing emails and bogus sites advertising malicious ScreenConnect installers. Some of the other tools advertised by the developer include a .NET-based malware builder, a remote access trojan called XBinder, a...

Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share "significant" source code overlaps with IcedID and Latrodectus . "The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks," Zscaler ThreatLabz said in a Tuesday report. "YiBackdoor is able to execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that dynamically expand the malware's functionality." The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks. Only limited deployments of YiBackdoor have been detected to date, indicating it's currently either under development or being tested. Given the similarities between YiBackdoor, IcedID, and Latrodectus, it's b...

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2 , and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups," Silent Push said in an analysis. Appearing in three different versions – .NET, PowerShell, and JavaScript – the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine. Silent Push told The Hacker News that it does not have any insight into the nature of malware that was dropped using CountLoader. It's worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSe...

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. "SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said . "SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox." The packages, now no longer available for download from PyPI, are listed below. They were both uploaded by a user named "CondeTGAPIS." sisaws (201 Downloads) secmeasure (627 Downloads) Zscaler said the package sisaws mimics the behavior of the legitimate Python package sisa, which is associated with Argentina's national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA). However, ...

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware that's attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022. According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware. The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized ...

Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT . The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said. "These include the use of an Easy Programming Language ( EPL ) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools," Yurren Wan said . EPL is an obscure visual programming language that supports traditional Chinese, simplified Chinese, English, and Japanese variants. It's chiefly meant for users who may not be proficient in English....

Cybersecurity researchers have discovered a cybercrime campaign that's using malvertising tricks to direct victims to fraudulent sites to deliver a new information stealer called TamperedChef . "The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef," Truesec researchers Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf said in a report published Wednesday. "The malware is designed to harvest sensitive data, including credentials and web cookies." At the heart of the campaign is the use of several bogus sites to promote an installer for a free PDF editor called AppSuite PDF Editor that, once installed and launched, displays to the user a prompt to agree to the software's terms of service and privacy policy. In the background, however, the setup program makes covert requests to an external server to drop the PDF editor program, while also setting...

Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074 , carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. "A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted," Docker said in an advisory released last week. "This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability." According to security researcher Felix Boulet, the vulnerability has to do with how it's possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container c...

A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks. "They repeatedly tried to extract the NTDS database from domain controllers -- the primary repository for user password hashes and authentication data in a Windows network," Bitdefender said in a report shared with The Hacker News. "Additionally, they attempted to dump LSASS memory from specific systems to recover active user credentials, potentially plain-text passwords, from machines where users were logged on." The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova. "Regarding the timeline, while we have been tracking the campaign since mid-2024, our analysis of the artifacts indicates that activity began e...

A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world to create a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks. The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today. "As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it," Yair and Morag said in a report shared with The Hacker News. "As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint." In transforming...

Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. The vulnerabilities have been codenamed ReVault by Cisco Talos. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the vulnerabilities have been exploited in the wild. Industries that require heightened security when logging in, via smart card readers or near-field communication (NFC) readers, are likely to use ControlVault devices in their settings. ControlVault is a hardware-based security solution that offers a secure way to store passwords, biometric templates, and security codes within the firmware. Attackers can chain the vulnerabilities, which were pres...

The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle ( AitM ) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow. "ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection," the Microsoft Threat Intelligence team said in a report shared with The Hacker News. The activity is assessed to be ongoing since at least 2024, with the campaign posing a security risk to diplomatic personnel relying on local ISPs or telecommunications services in Russia. Secret Blizzard (formerly Krypton), affiliated with the Russian Federal Security Service, is also tracked by the broader cybersecurity commu...

Google has announced that it's making available a security feature called Device Bound Session Credentials (DBSC) in open beta to ensure that users are safeguarded against session cookie theft attacks. DBSC, first introduced as a prototype in April 2024, is designed to bind authentication sessions to a device so as to prevent threat actors from using stolen cookies to sign-in to victims' accounts and gain unauthorized access from a separate device under their control. "Available in the Chrome browser on Windows, DBSC strengthens security after you are logged in and helps bind a session cookie – small files used by websites to remember user information – to the device a user authenticated from," Andy Wen, senior director of product management at Google Workspace, said . DBSC is not only meant to secure user accounts post-authentication. It makes it a lot more difficult for bad actors to reuse session cookies and improves session integrity. The company also note...

A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew , as the latter's dark web infrastructure has been the subject of a law enforcement seizure. Chaos, which sprang forth in February 2025, is the latest entrant in the ransomware landscape to conduct big-game hunting and double extortion attacks. "Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration," Cisco Talos researchers Anna Bennett, James Nutland, and Chetan Raghuprasad said . "The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery." It's important to note here that the ransomware group is unrelated to the Chaos ransomware ...