The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Mexican organizations are still being targeted by threat actors to deliver a modified version of AllaKore RAT and SystemBC as part of a long-running campaign.  The activity has been attributed by Arctic Wolf Labs to a financially motivated hacking group called Greedy Sponge . It's believed to be active since early 2021, indiscriminately targeting a wide range of sectors, such as retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking. "The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud," the cybersecurity company said in an analysis published last week. Details of the campaign were first documented by the BlackBerry Research and Intelligence Team (which is now part of Arctic Wolf) in January 2024, with ...

Making the move from managing a security operations center (SOC) to being a chief information security officer (CISO) is a significant career leap. Not only do you need a solid foundation of tech knowledge but also leadership skills and business smarts.  This article will guide you through the practical steps and skills you’ll need to nab an executive cybersecurity job and make the promotion from SOC manager to CISO a reality. Is the CISO role right for you? It's always a good idea to think about how you could move up and grow in your career. Aspiring to be a CISO can be a great career move.  Additionally, certain operational tasks in cybersecurity, especially in a SOC, are becoming increasingly automated, making it vital to develop strategic and leadership skills to stay ahead. Having ambitious goals helps you, as a SOC analyst or lead, stay relevant and valuable in what is a constantly changing field. However, the role of CISO is significantly different from other rol...

The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances ( CVE-2025-4427 and CVE-2025-4428 ). "We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk," Lotem Finkelstein, Director of Threat Intelligence at Chec...

Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear. "DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos," security researchers Alemdar Islamoglu and Justin Albrecht said . First detected in July 2023, DCHSpy is assessed to be the handiwork of MuddyWater , an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Se...

The China-linked cyber espionage group tracked as APT41 has been attributed to a new campaign targeting government IT services in the African region. "The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware," Kaspersky researchers Denis Kulik and Daniil Pogorelov said . "One of the C2s [command-and-control servers] was a captive SharePoint server within the victim's infrastructure." APT41 is the moniker assigned to a prolific Chinese nation-state hacking group that's known for targeting organizations spanning multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in more than three dozen countries. What makes the campaign noteworthy is its focus on Africa, which, as the Russian cybersecurity vendor noted, "had experienced the least activity" from this specific threat actor. That said, the findings line u...

Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected. These attacks don’t depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior. The real concern? Control isn’t just being challenged—it’s being quietly taken. This week’s updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points. ⚡ Threat of the Week Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emer...

By 2025, Zero Trust has evolved from a conceptual framework into an essential pillar of modern security. No longer merely theoretical, it’s now a requirement that organizations must adopt. A robust, defensible architecture built on Zero Trust principles does more than satisfy baseline regulatory mandates. It underpins cyber resilience, secures third-party partnerships, and ensures uninterrupted business operations. In turn, more than 80% of organizations plan to implement Zero Trust strategies by 2026, according to a recent Zscaler report .  In the context of Zero Trust, artificial intelligence (AI) can assist greatly as a tool for implementing automation around adaptive trust and continuous risk evaluation. In a Zero Trust architecture, access decisions must adapt continuously to changing factors such as device posture, user behavior, location, workload sensitivity, and more. This constant evaluation generates massive volumes of data, far beyond what human teams can process alo...

Cybersecurity firm Expel, in an update shared on July 25, 2025, said it's retracting its findings about a phishing attack that it said leveraged cross-device sign-in to get around FIDO account protections despite being not in physical proximity to the authenticating client device. "The evidence does show the targeted user's credentials (username and password) being phished and that the attacker successfully passed password authentication for the targeted user," the company said . "It also shows the user received a QR code from the attacker. This QR code, when scanned by a mobile device, initiates a FIDO Cross-Device Authentication flow, which according to FIDO specification requires local proximity to the device which generated the QR code (the WebAuthn client). When properly implemented, without proximity, the request will time out and fail." The company further said that while the attackers managed to breach the password barrier, further analysis of t...

Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also disclosed details of another vulnerability that it said has been addressed with "more robust protections." The tech giant acknowledged it's "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update." CVE-2025-53770 (CVSS score: 9.8), as the exploited vulnerability is tracked, concerns a case of remote code execution that arises due to the deserialization of untrusted data in on-premise versions of Microsoft SharePoint Server. The newly disclosed shortcoming is a spoofing flaw in SharePoint ( CVE-2025-53771 , CVSS score: 7.1). Viettel Cyber Security and an anonymous researcher has been credited with discovering and reporting the bug. "Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint...

Hewlett-Packard Enterprise (HPE) has released security updates to address a critical security flaw affecting Instant On Access Points that could allow an attacker to bypass authentication and gain administrative access to susceptible systems. The vulnerability, tracked as CVE-2025-37103, carries a CVSS score of 9.8 out of a maximum of 10.0. "Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication," the company said in an advisory. "Successful exploitation could allow a remote attacker to gain administrative access to the system." Also patched by HPE is an authenticated command injection flaw in the command-line interface of the HPE Networking Instant On Access Points (CVE-2025-37102, CVSS score: 7.2) that a remote attacker could exploit with elevated permissions to run arbitrary commands on the underlying operating system as a privileged user. This also me...

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive .  Although the service has since shuttered after browser makers took steps to ban miner-related apps and add-ons, researchers from the c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm. More importantly, the activity has been found to leverage WebSockets to fetch mining tasks from an external server, so as to dynamically adjust the mining intensity based on the device capabilities and accordingly throttle resource consumption to maintain stealth. "This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools," security researcher ...

The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. "LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets. EncryptHub's focus on Web3 developers isn't random—these individuals often manage crypto wallets, access to smart contract repositories, or sensitive test environments. Many operate as freelancers or work across multiple decentralized projects, making them harder to protect wit...

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49704 (CVSS score: 8.8), a code injection and remote code execution bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates. "Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network," Microsoft said in an advisory released on July 19, 2025. The Windows maker further noted that it's preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro's Zero Day Initiative (ZDI). In a separate alert issued Saturday, Redmond said it's aware of active attacks ta...

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected packages and their rogue versions, according to Socket, is listed below - eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) eslint-plugin-prettier (versions 4.2.2 and 4.2.3) synckit (version 0.11.9) @pkgr/core (version 0.2.8) napi-postinstall (version 0.3.1) got-fetch (versions 5.1.11 and 5.1.12) is (versions 3.3.1 and 5.0.0) "The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution," the software supply chain security firm said. The development comes in the aftermath of a phishing campaign that...

A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309 , the vulnerability carries a CVSS score of 9.0. "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS," according to a description of the vulnerability in the NIST's National Vulnerability Database (NVD). CrushFTP, in an advisory, said it first detected the zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier. "The attack vector was HTTP(S) for how they could exploit the server," the company said . "We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured...

Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices. The hacking tool, believed to be a successor of MFSocket , is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd. , which was formerly known as Meiya Pico. It specializes in the research, development, and sale of electronic data forensics and network information security technology products. According to a report published by Lookout, Massistant works in conjunction with a corresponding desktop software, allowing for access to the device's GPS location data, SMS messages, images, audio, contacts, and phone services. "Meiya Pico maintains partnerships with domestic and international law enforcement partners, both as a surveillance hardware and software provider, as well as through training programs for law enforcement personnel," security resear...

Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. "This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims," Seqrite Labs researcher Subhajeet Singha said in a report published this week. The activity encompasses two major campaigns, one called Operation Cobalt Whisper which took place between May and September 2024, and Operation AmberMist that occurred between January and May 2025. Targets of these campaigns include defense, electrotechnical engineering, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development sectors. Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detai...

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory. CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in February 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code. Previous findings from JPCERT/CC have revealed that CVE-2025-0282, which was weaponized in the wild as a zero-day beginning mid-December 2024, has been leveraged to deliver malware families like...

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign that's designed to deliver a malware codenamed LAMEHUG . "An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)," CERT-UA said in a Thursday advisory. The activity has been attributed with medium confidence to a Russian state-sponsored hacking group tracked as APT28 , which is also known as Fancy Bear, Forest Blizzard, Sednit, Sofacy, and UAC-0001. The cybersecurity agency said it found the malware after receiving reports on July 10, 2025, about suspicious emails sent from compromised accounts and impersonating ministry officials. The emails targeted executive government authorities. Present within these emails was a ZIP archive that, in turn, contained the LAMEHUG payload in the form of three different variants named "Додаток.pif, "AI_generator_uncensored_Can...

Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services. The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz. "NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions," NVIDIA said in an advisory for the bug. "A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service." The shortcoming impacts all versions of NVIDIA Container Toolkit up to and including 1.17.7 and NVIDIA GPU Operator up to and including 25.3.0. It has been addressed by the GPU maker in versions 1.17.8 and 25.3.1, respectively. The NVIDIA Container...