The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file , providing information about the executable. While the DOS header makes the executable file backward compatible with MS-DOS and allows it to be recognized as a valid executable by the operating system, the PE header contains the metadata and information necessary for Windows to load and execute the program. "We discovered malware that had been running on a compromised machine for several weeks," researchers Xiaopeng Zhang and John Simmons from the FortiGuard Incident Response Team said in a report shared with The Hacker News. "The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process." Fortinet said while it was unable to extract th...

The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider's (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It's believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were disclosed in January 2025 to access the MSP's SimpleHelp deployment, according to an analysis from Sophos. The cybersecurity company said it was alerted to the incident following a suspicious installation of a SimpleHelp installer file, pushed via a legitimate SimpleHelp RMM instance that's hosted and operated by the MSP for their customers. The threat actors have also been found to leverage their access through the MSP's RMM instance to collect information from different customer environments about device names and configuration, users, and network connections. Altho...

Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities. "Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity," Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said . APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, RedGolf, Red Kelpie, TA415, Wicked Panda, and Winnti, is the name assigned to a prolific nation-state group known for its targeting of governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors. In July 2024, Google reve...

Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files. TI WooCommerce Wishlist, which has over 100,000 active installations , is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social media platforms. "The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication," Patchstack researcher John Castro said . Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin below and including 2.9.2 released on November 29, 2024. There is currently no patch available. The website security company said the issue lies in a function named "tinvwl_upload_file_wc_fields_factory," which, in turn, uses another native WordPres...

An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware. Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and encrypted files with Robbinhood ransomware to demand Bitcoin ransom payments. Gholinejad, who was arrested in North Carolina in early January, pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He faces a maximum penalty of 30 years in prison. He is scheduled for sentencing in August 2025. "These cyber attacks caused significant disruptions and tens of millions in losses, including to the City of Greenville, North Carolina, and the City of Baltimore, Maryland," the U.S. Department of Justice (DoJ) said . "Baltimore lost more than $19 million from the damage caused to their computer networks and t...

The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs. In a public statement, the government said it identified China as the culprit behind a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The extent of the breach is presently not known. "The malicious activity [...] lasted from 2022 and affected an institution designated as Czech critical infrastructure," it added . The attack has been attributed to a state-sponsored threat actor tracked as APT31 , which also overlaps with threat clusters known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium). The hacking group, publicly associated with the Ministry of State Security (MSS) and the Hubei State Security Department, is assessed to be active since at least 2010, per the U.S. Departme...

Cybersecurity researchers have discovered a security flaw in Microsoft's OneDrive File Picker that, if successfully exploited, could allow websites to access a user's entire cloud storage content, as opposed to just the files selected for upload via the tool. "This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted," the Oasis Research Team said in a report shared with The Hacker News. "This flaw could have severe consequences, including customer data leakage and violation of compliance regulations." It's assessed that several apps are affected, such as ChatGPT, Slack, Trello, and ClickUp, given their integration with Microsoft's cloud service. The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive, even in cases only a single file is uploaded due to the absence of fine-grai...

Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot . Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts. "Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials," Darktrace said in an analysis shared with The Hacker News. "Upon gaining access, it receives remote commands and establishes persistence using system service files." The botnet malware is designed to obtain initial access via successfully brute-forcing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of IP addresses to target is retrieved from an external server ("ssh.ddos-cc[.]org"). As part of its brute-force attempts, the malware also performs various checks to determine if...

Stealer malware no longer just steals passwords. In 2025, it steals live sessions—and attackers are moving faster and more efficiently than ever. While many associate account takeovers with personal services, the real threat is unfolding in the enterprise. Flare's latest research, The Account and Session Takeover Economy , analyzed over 20 million stealer logs and tracked attacker activity across Telegram channels and dark web marketplaces. The findings expose how cybercriminals weaponize infected employee endpoints to hijack enterprise sessions—often in less than 24 hours. Here's the real timeline of a modern session hijacking attack. Infection and Data Theft in Under an Hour Once a victim runs a malicious payload—typically disguised as cracked software, fake updates, or phishing attachments—commodity stealers like Redline (44% of logs), Raccoon (25%), and LummaC2 (18%) take over. These malware kits: Extract browser cookies, saved credentials, session tokens, and crypto walle...

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432 , a maximum severity flaw in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The existence of the security defect was first disclosed in April 2025 by Orange Cyberdefense SensePost after it was observed in attacks earlier this February. According to a new report published by Sekoia, the threat actors behind the campaign weaponized CVE-2025-32432 to obtain unauthorized access to the target systems and then deploy a web shell to enable persistent remote access. The web shell is then used to download and execute a shell script ("4l4md4r.sh") from a remote server using curl, wget, or the Python library urllib2. "Regarding ...

Would you expect an end user to log on to a cybercriminal's computer, open their browser, and type in their usernames and passwords? Hopefully not! But that's essentially what happens if they fall victim to a Browser-in-the-Middle (BitM) attack. Like Man-in-the-Middle (MitM) attacks, BiTM sees criminals look to control the data flow between the victim's computer and the target service , as University of Salento researchers Franco Tommasi, Christian Catalano, and Ivan Taurino have outlined in a paper for the International Journal of Information Security. However, there are several key differences. Man-in-the-Middle vs Browser-in-the-Middle A MiTM attack utilizes a proxy server that places itself between the victim's browser and the legitimate target service at the application layer. It needs some kind of malware to be placed and run on the victim's computer.  But a BiTM attack is different. Instead, the victim thinks they're using their own browser – conducting their normal on...

Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity," the threat intelligence firm said . "All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation." The scanning efforts have been found to have targeted a wide array of technologies from Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic, among others. The opportunistic operation ranged from exploitation attempts for known CVEs to probes for misconfigurations and other weak points in web infrastructure, indicating that the threat actors ...