The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Microsoft on Tuesday announced an autonomous artificial intelligence (AI) agent that can analyze and classify software without assistance in an effort to advance malware detection efforts. The large language model (LLM)-powered autonomous malware classification system, currently a prototype, has been codenamed Project Ire by the tech giant. The system "automates what is considered the gold standard in malware classification: fully reverse engineering a software file without any clues about its origin or purpose," Microsoft said . "It uses decompilers and other tools, reviews their output, and determines whether the software is malicious or benign." Project Ire, per the Windows maker, is an effort to enable malware classification at scale, accelerate threat response, and reduce the manual efforts that analysts have to undertake in order to examine samples and determine if they are malicious or benign. Specifically, it uses specialized tools to reverse engineer...

Trend Micro has released mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities ( CVE-2025-54948 and CVE-2025-54987 ), both rated 9.4 on the CVSS scoring system, have been described as management console command injection and remote code execution flaws. "A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations," the cybersecurity company said in a Tuesday advisory. While both shortcomings are essentially the same, CVE-2025-54987 targets a different CPU architecture. The Trend Micro Incident Response (IR) Team and Jacky Hsieh at CoreCloud Tech have been credited with reporting the two flaws. According to ZeroPath , CVE-2025-54948 stems from a lack of sufficient input validation in the management console's backend, thereby...

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country. The attacks, which leverage phishing emails as an initial compromise vector, are used to deliver malware families like MATCHBOIL, MATCHWOK, and DRAGSTARE. UAC-0099, first publicly documented by the agency in June 2023, has a history of targeting Ukrainian entities for espionage purposes. Prior attacks have been observed leveraging security flaws in WinRAR software (CVE-2023-38831, CVSS score: 7.8) to propagate a malware called LONEPAGE. The latest infection chain involves using email lures related to court summons to entice recipients into clicking on links that are shortened using URL shortening services like Cuttly. These links, which are sent via UKR.NET email addresses, point to a double archive file containing an HTML Application...

When Technology Resets the Playing Field In 2015 I founded a cybersecurity testing software company with the belief that automated penetration testing was not only possible, but necessary. At the time, the idea was often met with skepticism, but today, with 1200+ of enterprise customers and thousands of users, that vision has proven itself. But I also know that what we’ve built so far is only the foundation of what comes next. We are now witnessing an inflection point with AI in cybersecurity testing that is going to rewrite the rules of what’s possible. You might not see the change in a month’s time, but in five years the domain is going to be unrecognizable.  As the CTO of Pentera, I have a vision for the company: one where any security threat scenario you can imagine, you can test with the speed and intelligence only AI can provide. We have already started to implement the individual pieces of this reality into our platform. This article portrays the full vision I have for...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link Wi-Fi cameras and video recorders to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation in the wild. The high-severity vulnerabilities, which are from 2020 and 2022, are listed below - CVE-2020-25078 (CVSS score: 7.5) - An unspecified vulnerability in D-Link DCS-2530L and DCS-2670L devices that could allow for remote administrator password disclosure CVE-2020-25079 (CVSS score: 8.8) - An authenticated command injection vulnerability in the cgi-bin/ddns_enc.cgi component affecting D-Link DCS-2530L and DCS-2670L devices CVE-2020-40799 (CVSS score: 8.8) - A download of code without an integrity check vulnerability in D-Link DNR-322L that could allow an authenticated attacker to execute operating system-level commands on the device There are currently no details on how these shortcomings are being exploited in th...

A combination of propagation methods, narrative sophistication, and evasion techniques enabled the social engineering tactic known as ClickFix to take off the way it did over the past year, according to new findings from Guardio Labs. "Like a real-world virus variant, this new ' ClickFix ' strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year," security researcher Shaked Chen said in a report shared with The Hacker News. "It did so by removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result – a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures." ClickFix is the name given to a social engineering tactic where prospective targets are deceived into infecting their own machines under the guise of fixing a non-existent issue or a CAPTCHA verification. It was first det...

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild. The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025. CVE-2025-21479 relates to an incorrect authorization vulnerability in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode. CVE-2025-27038, on the other hand, use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome. There are still no details on how these shortcomings have been weaponized in real-world attacks, but Qualcomm noted at the time that "there are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CV...

Cybersecurity researchers have disclosed a high-severity security flaw in the artificial intelligence (AI)-powered code editor Cursor that could result in remote code execution. The vulnerability, tracked as CVE-2025-54136 (CVSS score: 7.2), has been codenamed MCPoison by Check Point Research, owing to the fact that it exploits a quirk in the way the software handles modifications to Model Context Protocol (MCP) server configurations. "A vulnerability in Cursor AI allows an attacker to achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine," Cursor said in an advisory released last week. "Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt." MCP is an open-standard developed by Anthropic that allows large language mode...

In SaaS security conversations, “misconfiguration” and “vulnerability” are often used interchangeably. But they’re not the same thing. And misunderstanding that distinction can quietly create real exposure. This confusion isn’t just semantics. It reflects a deeper misunderstanding of the shared responsibility model, particularly in SaaS environments where the line between vendor and customer responsibility is often unclear. A Quick Breakdown Vulnerabilities are flaws in the codebase of the SaaS platform itself. These are issues only the vendor can patch. Think zero-days and code-level exploits. Misconfigurations , on the other hand, are user-controlled. They result from how the platform is set up—who has access, what integrations are connected, and what policies are enforced (or not). A misconfiguration might look like a third-party app with excessive access, or a sensitive internal site that is accidentally public. A Shared Model, but Split Responsibilities Most SaaS providers...

Why do SOC teams still drown in alerts even after spending big on security tools? False positives pile up, stealthy threats slip through, and critical incidents get buried in the noise. Top CISOs have realized the solution isn’t adding more and more tools to SOC workflows but giving analysts the speed and visibility they need to catch real attacks before they cause damage.  Here’s how they’re breaking the cycle and turning their SOCs into true threat-stopping machines. Starting with Live, Interactive Threat Analysis The first step to staying ahead of attackers is seeing threats as they happen. Static scans and delayed reports just can’t keep up with modern, evasive malware. Interactive sandboxes like ANY.RUN let analysts detonate suspicious files, URLs, and QR codes in a fully isolated, safe environment and actually interact with the sample in real time . Why CISOs give access to interactive sandboxes: Analysts can click links, open files, and mimic real user actions to trig...

Cybersecurity researchers have lifted the veil on a widespread malicious campaign that's targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps. "Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users," CTM360 said . "The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking theyʼre interacting with a legitimate affiliate or the real platform." The scam campaign has been codenamed FraudOnTok  by the Bahrain-based cybersecurity company, calling out the threat actor's multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors. Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified...

SonicWall said it's actively investigating reports to determine if there is a new zero-day vulnerability following reports of a spike in Akira ransomware actors in late July 2025. "Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled," the network security vendor said in a statement Monday. "We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible." While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice - Disable SSL VPN services where practical Limit SSL VPN connectivity to trusted IP addresses Activate services such as Botnet Protection and Geo-IP Filtering Enforce multi-factor authentication Remove inactive or unused local user ac...

A newly disclosed set of security flaws in NVIDIA's Triton Inference Server for Windows and Linux, an open-source platform for running artificial intelligence (AI) models at scale, could be exploited to take over susceptible servers. "When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE)," Wiz researchers Ronen Shustin and Nir Ohfeld said in a report published today. The vulnerabilities are listed below - CVE-2025-23319 (CVSS score: 8.1) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request CVE-2025-23320 (CVSS score: 7.5) - A vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request CVE-2025-23334 (CVSS score: 5.9) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds rea...

Cybersecurity researchers are calling attention to a new wave of campaigns distributing a Python-based information stealer called PXA Stealer. The malicious activity has been assessed to be the work of Vietnamese-speaking cybercriminals who monetize the stolen data through a subscription-based underground ecosystem that automates the resale and reuse via Telegram APIs, according to a joint report published by Beazley Security and SentinelOne and shared with The Hacker News. "This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection," security researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal said . The campaigns have infected over 4,000 unique IP addresses spanning 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria...

Malware isn’t just trying to hide anymore—it’s trying to belong. We’re seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It’s not just about being malicious—it’s about being believable. In this week’s cybersecurity recap, we explore how today’s threats are becoming more social, more automated, and far too sophisticated for yesterday’s instincts to catch. ⚡ Threat of the Week Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-...

Some of the most devastating cyberattacks don’t rely on brute force, but instead succeed through stealth. These quiet intrusions often go unnoticed until long after the attacker has disappeared. Among the most insidious are man-in-the-middle (MITM) attacks, where criminals exploit weaknesses in communication protocols to silently position themselves between two unsuspecting parties Fortunately, protecting your communications from MITM attacks doesn’t require complex measures. By taking a few simple steps, your security team can go a long way in securing users’ data and keeping silent attackers at bay. Know your enemy In a MITM attack , a malicious actor intercepts communications between two parties (such as a user and a web app) to steal sensitive information. By secretly positioning themselves between the two ends of the conversation, MITM attackers can capture data like credit card numbers,  login credentials , and account details. This stolen information o...

Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year. "The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access," Nextron Systems researcher Pierre-Henri Pezier said . Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems. Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools. The cybersecurity company said it uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. What's more, the presence of several samples signals active developme...

Everyone’s an IT decision-maker now. The employees in your organization can install a plugin with just one click, and they don’t need to clear it with your team first. It’s great for productivity, but it’s a serious problem for your security posture. When the floodgates of SaaS and AI opened, IT didn’t just get democratized, its security got outpaced. Employees are onboarding apps faster than security teams can say, “We need to check this out first.” The result is a sprawling mess of shadow IT, embedded AI, and OAuth permissions that would make any CISO break into a cold sweat. Here are five ways IT democratization can undermine your organization’s security posture and how to prevent it from doing so. 1. You can’t secure what you can’t see Remember when IT security used to control what was allowed to pass the firewall? Good times. Today, anyone can find an app to do the heavy lifting for them. They won’t notice or care when the app requires access to your company’s Google Drive or...

Cybersecurity researchers have discovered a nascent Android remote access trojan (RAT) called PlayPraetor that has infected more than 11,000 devices, primarily across Portugal, Spain, France, Morocco, Peru, and Hong Kong. "The botnet's rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic shift away from its previous common victim base," Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said in an analysis of the malware. PlayPraetor, managed by a Chinese command-and-control (C2) panel, doesn't significantly deviate from other Android trojans in that it abuses accessibility services to gain remote control and can serve fake overlay login screens atop nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victim accounts. PlayPraetor was first documented by CTM360 in March 2025, detailing the operation's u...