The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT. The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245 . The agency said it spotted the attack following the discovery of software tools taking the form of XLL files , which refer to Microsoft Excel add-ins that are typically used to extend the functionality of Excel with custom functions. Further investigation has uncovered that the XLL files are distributed within ZIP archives shared on the Signal messaging app, disguised as a document concerning the detention of individuals who had attempted to cross the Ukrainian border. The XLL, once launched, is designed to create a number of executables on the compromised host, namely an EXE file in the Startup folder, an XLL file named "BasicExcelMath.xll" in the "%APPDATA%\Microsoft\Excel\XLSTART\" directory, and a PNG ima...

A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors. "We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks," researchers Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede, and Jo Van Bulck said on a website publicizing the findings. "Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory." Battering RAM compromises Intel's Software Guard Extensions ( SGX ) and AMD's Secure Encrypted Virtualization with Secure Nested Paging ( SEV-SNP ) hardware security features, which ensure that customer data remains encrypted in memory and protected during use. It affects all systems using DDR4 memory...

Government and telecommunications organizations across Africa, the Middle East, and Asia have emerged as the target of a previously undocumented China-aligned nation-state actor dubbed Phantom Taurus over the past two-and-a-half years. "Phantom Taurus' main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations," Palo Alto Networks Unit 42 researcher Lior Rochberger said . "The group's primary objective is espionage. Its attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs)." It's worth pointing out that the hacking group was first detailed by the cybersecurity company back in June 2023 under the moniker CL-STA-0043 . Then last May, the threat cluster was graduated to a temporary group, TGR-STA-0043 , following revelations about its sustained cyber espionage efforts aimed at governmental entities since at least late 2022 as part of...

Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google's Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. "They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud Assist; and exfiltration of the user's saved information and location data via the Gemini Browsing Tool," Tenable security researcher Liv Matan said in a report shared with The Hacker News. The vulnerabilities have been collectively codenamed the Gemini Trifecta by the cybersecurity company. They reside in three distinct components of the Gemini suite - A prompt injection flaw in Gemini Cloud Assist that could allow attackers to exploit cloud-based services and compromise cloud resources by taking advantage of the fact that the tool is capable of summarizing logs pulled dir...

Microsoft on Tuesday unveiled the expansion of its Sentinel Security Incidents and Event Management solution (SIEM) as a unified agentic platform with the general availability of the Sentinel data lake. In addition, the tech giant said it's also releasing a public preview of Sentinel Graph and Sentinel Model Context Protocol ( MCP ) server to turn telemetry into a security graph and allow AI agents access an organization's security context in a standardized manner. "With graph-based context, semantic access, and agentic orchestration, Sentinel gives defenders a single platform to ingest signals, correlate across domains, and empower AI agents built in Security Copilot, VS Code using GitHub Copilot, or other developer platforms," Vasu Jakkal, corporate vice president at Microsoft Security, said in a post shared with The Hacker News. Microsoft released Sentinel data lake in public preview earlier this July as a purpose-built, cloud-native tool to ingest, manage...

The Problem: Legacy SOCs and Endless Alert Noise Every SOC leader knows the feeling: hundreds of alerts pouring in, dashboards lighting up like a slot machine, analysts scrambling to keep pace. The harder they try to scale people or buy new tools, the faster the chaos multiplies. The problem is not just volume; it is the model itself. Traditional SOCs start with rules, wait for alerts to fire, and then dump raw signals on analysts. By the time someone pieces together what is really happening, the attacker has already moved on, or moved in. It is a broken loop of noise chasing noise. Flipping the Model: Context Over Chaos Instead of drowning in raw events, treat every incoming signal as a potential opening move in a bigger story. Logs from identity systems, endpoints, cloud workloads, and SIEMs do not just land in separate dashboards; they are normalized, connected, and enriched to form a coherent investigation. A brute-force login attempt on its own is easy to dismiss. But when enh...

A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs . The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions - VMware Cloud Foundation 4.x and 5.x VMware Cloud Foundation 9.x.x.x VMware Cloud Foundation 13.x.x.x (Windows, Linux) VMware vSphere Foundation 9.x.x.x VMware vSphere Foundation 13.x.x.x (Windows, Linux) VMware Aria Operations 8.x VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux) VMware Telco Cloud Platform 4.x and 5.x VMware Telco Cloud Infrastructure 2.x and 3.x "A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM," VMware sai...

Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover ( DTO ) attacks and perform fraudulent transactions by preying on the elderly. Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting "active senior trips." Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K. The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups have been found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors. Should prospective targets express willingness to participate in these events, they are subsequently approached via Facebook Messenger or WhatsApp, where they are as...

The world of enterprise technology is undergoing a dramatic shift. Gen-AI adoption is accelerating at an unprecedented pace, and SaaS vendors are embedding powerful LLMs directly into their platforms. Organizations are embracing AI-powered applications across every function, from marketing and development to finance and HR. This transformation unlocks innovation and efficiency, but it also introduces new risks. Enterprises must balance the promise of AI with the responsibility to protect their data, maintain compliance, and secure their expanding application supply chain. The New Risk Landscape With AI adoption comes a new set of challenges: AI Sprawl : Employees adopt AI tools independently, often without security oversight, creating blind spots and unmanaged risks. Supply Chain Vulnerabilities : interapplication integrations between AI tools and enterprise resources expand the attack surface and introduce dependencies and access paths enterprises can't easily control. Data Exp...

A Chinese national has been convicted for her role in a fraudulent cryptocurrency scheme after law enforcement authorities in the U.K. confiscated £5.5 billion (about $7.39 billion) during a raid of her home in London. The cryptocurrency seizure, amounting to 61,000 Bitcoin, is believed to be the single largest such effort in the world, the Metropolitan Police said. Zhimin Qian (aka Yadi Zhang), 47, pleaded guilty at Southwark Crown Court on Monday to offenses related to acquiring and possessing criminal property (i.e., cryptocurrency). She is expected to be sentenced at a later date. The Met Police said the seizure was the result of a probe launched in 2018 after it received a tip-off about the transfer of criminal assets, with the agency accusing Zhang of orchestrating a large-scale fraud in China between 2014 and 2017 that defrauded more than 128,000 victims. According to Sky News , Zhang was arrested in April 2024. The scheme essentially duping victims , mostly between 50 and...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1. It was disclosed by Stratascale researcher Rich Mirch back in July 2025. "Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability," CISA said. "This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file." It's currently not known how the shortcoming is being exploited in real-world attacks, and who may be behind such efforts. Also added to the KEV catalog are four other flaws - CVE-2021-21311 - Adminer...

Threat actors have been observed using seemingly legitimate artificial intelligence (AI) tools and software to sneakily slip malware for future attacks on organizations worldwide. According to Trend Micro, the campaign is using productivity or AI-enhanced tools to deliver malware targeting various regions, including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region. Manufacturing, government, healthcare, technology, and retail are some of the top sectors affected by the attacks, with India, the U.S., France, Italy, Brazil, Germany, the U.K., Norway, Spain, and Canada emerging as the regions with the most infections, indicating a global spread. "This swift, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild," security researchers Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Lijandro ...