The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165. Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the bulletin said...

Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said . The attack chains, which have not been attributed to any specific threat actor, commence with a phishing email that contains a RAR file attachment or a link to the archive that masquerades as a Microsoft Word or a PDF document by making use of double extensions ("doc_054_[redacted].pdf.rar"). Present within the archive file is an executable that, when launched, copies itself to the "%AppData%" location of the compromised Windows machine under the name "task.exe" and creates a Visual Basic Script called "Task.vbs" in the Startup VBS folder. The executable then proceeds to unpack another ...

Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company. "The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said . First detected in early 2025, the campaign leads unsuspecting users to a spoofed website such as klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-genera...

Continuous Integration and Continuous Delivery/Deployment (CI/CD) refers to practices that automate how code is developed and released to different environments. CI/CD pipelines are fundamental in modern software development, ensuring code is consistently tested, built, and deployed quickly and efficiently. While CI/CD automation accelerates software delivery, it can also introduce security risks. Without proper security measures, CI/CD workflows can be vulnerable to supply chain attacks, insecure dependencies, and insider threats. To mitigate these risks, organizations must integrate measures for continuous monitoring and enforcing security best practices at every pipeline stage. Securing CI/CD workflows preserves the software delivery process's confidentiality, integrity, and availability. Security challenges and risks in CI/CD workflows While CI/CD workflows offer benefits in terms of automation and speed, they also bring unique security challenges that must be addressed to ...

It takes just one email to compromise an entire system. A single well-crafted message can bypass filters, trick employees, and give attackers the access they need. Left undetected, these threats can lead to credential theft, unauthorized access, and even full-scale breaches. As phishing techniques become more evasive, they can no longer be reliably caught by automated solutions alone. Let's take a closer look at how SOC teams can ensure fast, accurate detection of even the most evasive phishing attacks, using the example of Tycoon2FA, the number one phishing threat in the corporate environment today. Step 1: Upload a suspicious file or URL to the sandbox Let's consider a typical situation: a suspicious email gets flagged by your detection system, but it's unclear whether it's indeed malicious. The fastest way to check it is to run a quick analysis inside a malware sandbox. A sandbox is an isolated virtual machine where you can safely open files, click links, and observe behavior ...

Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injections to redirect site visitors on mobile devices to a Chinese adult-content Progressive Web App (PWA) scam. "While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out," c/side researcher Himanshu Anand said in a Tuesday analysis. "The malicious landing page is a full-blown Progressive Web App ( PWA ), likely aiming to retain users longer and bypass basic browser protections." The campaign is designed to explicitly filter out desktop users, primarily focusing on mobile users. The activity has been described as a client-side attack that uses third-party JavaScript and only triggers on mobile devices. The use of PWAs, a type of application built using web technologies that provide a user experience similar to that of a native app built for a specific platform like Windows, Linux, macOS, Android, or iOS, is seen as an at...

Google has announced a new feature in its Chrome browser that lets its built-in Password Manager automatically change a user's password when it detects the credentials to be compromised. "When Chrome detects a compromised password during sign in, Google Password Manager prompts the user with an option to fix it automatically," Google's Ashima Arora, Chirag Desai, and Eiji Kitamura said . "On supported websites, Chrome can generate a strong replacement and update the password for the user automatically." The feature builds upon Password Manager 's existing capabilities to generate strong passwords during sign-up and flag credentials that have been detected in a data breach. With the automated password change, Google said the idea is to reduce friction and help users keep their accounts secure without having to search for relevant account settings or abandon the process midway. Website owners can support this feature by adopting the following methods...

A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records. The hijacked domains are then used to host URLs that direct users to scams and malware via traffic distribution systems (TDSes), according to Infoblox. Some of the other resources usurped by the threat actor include those hosted on Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify. The DNS threat intelligence firm said it first discovered the threat actor after it gained control of several sub-domains associated with the U.S. Center for Disease Control (CDC) in February 2025. It has since been determined that other government agencies across the globe, prominent universities, and international corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young have been victimized by the same threat actor since at least ...

An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. "The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding malicious extensions on Google's Chrome Web Store (CWS)," the DomainTools Intelligence (DTI) team said in a report shared with The Hacker News. While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Another factor that works in the extensions' favor is that they are configured to grant themselves excessive permissions via...

Cybersecurity researchers have discovered risky default identity and access management (IAM) roles impacting Amazon Web Services that could open the door for attackers to escalate privileges, manipulate other AWS services, and, in some cases, even fully compromise AWS accounts. "These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3 access," Aqua researchers Yakir Kadkoda and Ofek Itach said in an analysis. "These default roles silently introduce attack paths that allow privilege escalation, cross-service access, and even potential account compromise." The cloud security firm said it identified security issues in default IAM roles created by AWS services like SageMaker, Glue, EMR, and Lightsail. A similar flaw has also been unearthed in a popular open-source framework called Ray, which automatically creates a default IAM role (ray-autoscaler-v1) with the AmazonS3FullAccess policy. What's concer...

In the newly released 2025 State of Pentesting Report , Pentera surveyed 500 CISOs from global enterprises (200 from within the USA) to understand the strategies, tactics, and tools they use to cope with the thousands of security alerts, the persisting breaches and the growing cyber risks they have to handle. The findings reveal a complex picture of progress, challenges, and a shifting mindset about how enterprises approach security testing. More Tools, More Data, More Protection… No Guarantees Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions​.  Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months​. The growing number of deployed tools has a few effects on the daily operation and the overall cyber posture of the organization.  Although it seems obvious, the findings tell a clear story - more security tool...

High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder. "The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content," Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas Thevendaran said in a report shared with The Hacker News. The attack chains leverage spear-phishing lures as a starting point to activate the infection process and deploy a known malware referred to as StealerBot. It's worth pointing out that the modus operandi is consistent with recent SideWinder attacks documented by Kaspersky in March 2025. Some of the targets of the campaign, per Acronis, include Bangladesh's Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan's Directorate of Indigenous Technical Development; and Sri Lanka...