The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil. "It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to update its C2 server," Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi said in a technical breakdown of the campaign shared with The Hacker News. "It is distributed through a WhatsApp worm campaign, with the actor now deploying a Python script, a shift from previous PowerShell-based scripts to hijack WhatsApp and spread malicious attachments. The findings come close on the heels of another campaign dubbed Water Saci that has targeted Brazilian users with a worm that propagates via WhatsApp Web known as SORVEPOTEL, which then acts as a c...

A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have been recorded. Over the past six months, more than 50,000 unique IP addresses belonging to these compromised devices around the globe have been identified. The attacks likely involve the exploitation of six known security flaws in end-of-life ASUS WRT routers to take control of susceptible devices. All the infected routers have been found to share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022. SecurityScorecard said 99% of the services presenting the certificate are ASUS AiCloud, a proprietary service designed to enable access to local stora...

The challenge facing security leaders is monumental: Securing environments where failure is not an option. Reliance on traditional security postures, such as Endpoint Detection and Response (EDR) to chase threats after they have already entered the network, is fundamentally risky and contributes significantly to the half-trillion-dollar annual cost of cybercrime. Zero Trust fundamentally shifts this approach, transitioning from reacting to symptoms to proactively solving the underlying problem. Application Control, the ability to rigorously define what software is allowed to execute, is the foundation of this strategy. However, even once an application is trusted, it can be misused. This is where ThreatLocker Ringfencing™, or granular application containment , becomes indispensable, enforcing the ultimate standard of least privilege on all authorized applications. Defining Ringfencing: Security Beyond Allowlisting Ringfencing is an advanced containment strategy applied to applicat...

The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper "redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure," ESET security researcher Facundo Muñoz said in a report shared with The Hacker News. Known to be active since at least 2018, PlushDaemon is assessed to be a China-aligned group that has attacked entities in the U.S., New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. It was first documented by the Slovak cybersecurity company earlier this January, detailing a supply chain attack aimed at a South Korean virtual private network (VPN) provider named IPany to target a semiconductor company and an unidentified software development company in South Korea wi...

Malicious actors can exploit default configurations in ServiceNow's Now Assist generative artificial intelligence (AI) platform and leverage its agentic capabilities to conduct prompt injection attacks. The second-order prompt injection, according to AppOmni, makes use of Now Assist's agent-to-agent discovery to execute unauthorized actions, enabling attackers to copy and exfiltrate sensitive corporate data, modify records, and escalate privileges. "This discovery is alarming because it isn't a bug in the AI; it's expected behavior as defined by certain default configuration options," said Aaron Costello, chief of SaaS Security Research at AppOmni. "When agents can discover and recruit each other, a harmless request can quietly turn into an attack, with criminals stealing sensitive data or gaining more access to internal company systems. These settings are easy to overlook." The attack is made possible because of agent discovery and agent-to-a...

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034 , carries a CVSS score of 6.7 out of a maximum of 10.0. "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," the company said in a Tuesday advisory. In other words, successful attacks require an attacker to first authenticate themselves through some other means and chain it with CVE-2025-58034 to execute arbitrary operating system commands. It has been addressed in the following versions - FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above) FortiWeb 7.6.0 through 7.6.5 (Upgrade to 7.6.6 or above) FortiWeb 7.4.0 through 7.4.10 (Upgrade to 7.4.11 or above) FortiWeb 7.2.0 through 7.2.11 (U...

The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for less-skilled threat actors to mount attacks at scale. Push Security, in a report shared with The Hacker News, said it observed the use of the technique in phishing attacks designed to steal victims' Microsoft account credentials. BitB was first documented by security researcher mr.d0x in March 2022, detailing how it's possible to leverage a combination of HTML and CSS code to create fake browser windows that can masquerade as login pages for legitimate services in order to facilitate credential theft . "BitB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form," Push Security said. "BitB phishing pages repl...

Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform's network protocol. The idea is to make it easier to delve into WhatsApp-specific technologies as the application continues to be a lucrative attack surface for state-sponsored actors and commercial spyware vendors. The company also noted that it's setting up a pilot initiative where it's inviting research teams to focus on platform abuse with support for internal engineering and tooling. "Our goal is to lower the barrier of entry for academics and other researchers who might not be as familiar with bug bounties to join our program," it added . The development comes as the social media giant said it has awarded more than $25 million in bug bounties to over 1,400 researchers from 88 countries in the last 15 years, out of which more than $4 million were...

You've probably already moved some of your business to the cloud—or you're planning to. That's a smart move. It helps you work faster, serve your customers better, and stay ahead. But as your cloud setup grows, it gets harder to control who can access what. Even one small mistake—like the wrong person getting access—can lead to big problems. We're talking data leaks, legal trouble, and serious damage. And with different rules in different regions like the US, UK, EU, APAC, and more, keeping up is tough. Join our free webinar: " Securing Cloud Workloads and Infrastructure: Balancing Innovation with Identity and Access Control " with experts from CyberArk. You'll learn simple, practical ways to stay secure and move fast. Cloud tools today aren't all the same. Most companies use several cloud platforms at once—each with its own setup, rules, and risks. You want your team to stay fast and flexible, but you also need to keep everything safe. That's a tricky balance. That's why we'...

Cybersecurity researchers have disclosed details of a cyber attack targeting a major U.S.-based real-estate company that involved the use of a nascent command-and-control (C2) and red teaming framework known as Tuoni . "The campaign leveraged the emerging Tuoni C2 framework, a relatively new, command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News. Tuoni is advertised as an advanced C2 framework designed for security professionals, facilitating penetration testing operations, red team engagements, and security assessments. A "Community Edition" of the software is freely available for download from GitHub. It was first released in early 2024. The attack, per Morphisec, unfolded in mid-October 2025, with the unknown threat actor likely leveraging social engineering via Microsoft Teams impersonation for initial access. It's suspected that t...

Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail), which was first documented by the threat intelligence firm early last year. "Operating in late 2023 through 2025, UNC1549 employed sophisticated initial access vectors, including abuse of third-party relationships to gain entry (pivoting from service providers to their customers), VDI breakouts from third-parties, and highly targeted, role-relevant phishing," researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard said. The disclosure comes about two months after Swiss cybersecurity company PRODAFT tied the hacking group to a campaign targeting European telecommunications companies, succes...

Identity security fabric (ISF) is a unified architectural framework that brings together disparate identity capabilities. Through ISF, identity governance and administration (IGA), access management (AM), privileged access management (PAM), and identity threat detection and response (ITDR) are all integrated into a single, cohesive control plane. Building on Gartner's definition of " identity fabric ," identity security fabric takes a more proactive approach, securing all identity types (human, machine, and AI agents) across on-prem, hybrid, multi-cloud, and complex IT environments. Why identity security fabric matters now As cyberattacks become more prevalent and sophisticated, traditional approaches characterized by siloed identity tools can't keep pace with evolving threats. Today's rapidly expanding attack surface is driven primarily by non-human identities (NHIs), including service accounts, API keys, and AI agents. Fragmented point solutions weaken an organization's overall ...