The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The threat actor known as Dark Caracal has been attributed to a campaign that deployed a remote access trojan called Poco RAT in attacks targeting Spanish-speaking targets in Latin America in 2024. The findings come from Russian cybersecurity company Positive Technologies, which described the malware as loaded with a "full suite of espionage features." "It could upload files, capture screenshots, execute commands, and manipulate system processes," researchers Denis Kazakov and Sergey Samokhin said in a technical report published last week. Poco RAT was previously documented by Cofense in July 2024, detailing the phishing attacks aimed at mining, manufacturing, hospitality, and utilities sectors. The infection chains are characterized by the use of finance-themed lures that trigger a multi-step process to deploy the malware. While the campaign was not attributed to any threat at that time, Positive Technologies said it identified tradecraft overlaps with Dar...

Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information. "These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said . "And more phone calling scammers are using spoofing techniques to hide their real numbers and pretend to be trusted companies." The company said it has partnered with financial institutions to better understand the nature of scams customers are encountering, thereby allowing it to devise AI models that can flag suspicious patterns and deliver real-time warnings over the course of a conversation without sacrificing user privacy. These models run completely on-device , alerting users in the event of a likely scam. Users then have an option to either dismiss or report and block the sender. The setting is enabled by default and applies only to conversatio...

The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex . "Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite," Cisco Talos researcher Joey Chen said in an analysis published last week. Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is a suspected Chinese hacking crew that's active since at least 2009. The threat actor was first exposed by Palo Alto Networks Unit 42 in June 2015 and later by Broadcom-owned Symantec three years later. In late 2022, Symantec detailed the threat actor's attack on a digital certificate authority as well as government and defense agencies located in different c...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

The rapid adoption of cloud services, SaaS applications, and the shift to remote work have fundamentally reshaped how enterprises operate. These technological advances have created a world of opportunity but also brought about complexities that pose significant security threats. At the core of these vulnerabilities lies Identity —the gateway to enterprise security and the number one attack vector for bad actors. Explore the importance of modernizing Identity strategies and the benefits of centralizing Identity within your security ecosystem to safeguard your organization from costly breaches while enhancing operational efficiency. The rise of fragmented tech stacks Gone are the days when enterprises relied on a single solution tied to a comprehensive license agreement. Businesses today prioritize agility and performance, opting for "best-in-breed" solutions that patch together fragmented tech ecosystems. While these advanced tech stacks provide flexibility, they also create signif...

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems. "The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers," Socket researcher Kirill Boychenko said in a new report. "These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly." While all of them continue to be available on the official package repository, their corresponding GitHub repositories barring "github[.]com/ornatedoctrin/layout" are no longer accessible. The list of offending Go packages is below - shallowmulti/hypert (github.com/shallowmulti/hypert) shadowybulk/hypert (github.com/shadowybulk/hypert) belate...

Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. "Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine," Trend Micro said in a Monday analysis. "This enables them to steal sensitive data, such as login credentials, financial information, and personal files." It's worth noting that details of the BC module, which the cybersecurity company is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, was first documented in late January 2025 by both Walmart's Cyber Intelligence team and Sophos, the latter of which has designated the cluster the name STAC5777.  Over the past year, Black Basta attack chains have increasingly leve...

Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure. The list of vulnerabilities is as follows - CVE-2025-22224 (CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host CVE-2025-22225 (CVSS score: 8.2) - An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape CVE-2025-22226 (CVSS score: 7.1) - An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process The shortcomings impact the below ...

Credential stuffing attacks had a huge impact in 2024, fueled by a vicious circle of infostealer infections and data breaches . But things could be about to get worse still with Computer-Using Agents, a new kind of AI agent that enables low-cost, low-effort automation of common web tasks — including those frequently performed by attackers. Stolen credentials: The cyber criminal's weapon of choice in 2024 Stolen credentials were the #1 attacker action in 2023/24 , and the breach vector for 80% of web app attacks. Not surprising when you consider the fact that billions of leaked credentials are in circulation online, and attackers can pick up the latest drop for as little as $10 on criminal forums.  The criminal marketplace for stolen credentials is benefitting from the publicity of high-profile breaches in 2024 such as the attacks on Snowflake customers using credentials found in data breach dumps and compromised credential feeds from infostealer and mass phishing campaigns, r...

Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano. The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October 2024. The enterprise security firm is tracking the emerging cluster under the moniker UNK_CraftyCamel . A noteworthy aspect of the attack chain is the fact that the adversary took advantage of its access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing messages. The entity is said to have been in a trusted business relationship with all the targets, with the lures tailored to each of them. "UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab E...

Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems. The unidentified threat actors performed "minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised," the Cisco-owned company said in a technical report published last week. "This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations." The attacks have been ob...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-20118 (CVSS score: 6.5) - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) CVE-2022-43939 (CVSS score: 8.6) - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1) CVE-2022-43769 (CVSS score: 8.8) - A special element injection vulnerability in Hitachi Vantara...