The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have discerned evidence of two Russian hacking groups Gamaredon and Turla collaborating together to target and co-comprise Ukrainian entities. Slovak cybersecurity company ESET said it observed the Gamaredon tools PteroGraphin and PteroOdd being used to execute Turla group's Kazuar backdoor on an endpoint in Ukraine in February 2025, indicating that Turla is very likely actively collaborating with Gamaredon to gain access to specific machines in Ukraine and deliver the Kazuar backdoor.  "PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically," ESET said in a report shared with The Hacker News. "Thus, PteroGraphin was probably used as a recovery method by Turla." In a separate instance in April and June 2025, ESET said it also detected the deployment of Kazuar v2 through two other Gamaredon malware families tracked as PteroOdd and PteroPaste. Both Gamaredon (aka Aqua B...

Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency. Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands were arrested at their home addresses on Tuesday, the National Crime Agency (NCA) said. They are 19 and 18, respectively. It's worth noting that Flowers was initially arrested for his alleged involvement in the TfL attack in September 2024, but was subsequently released on bail. The agency said it found evidence of Flowers targeting U.S. healthcare companies, and that he has also been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and Sutter Health. Jubair has also been charged under the Regulation of Investigatory Powers...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM). "Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server," CISA said in an alert. The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428 , both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025. While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication. According to CISA, the threat actors gained access to server running EPMM by combing the two vulner...

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers. "While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall," the company said . The network security company said it's not aware of any of these files being leaked online by the threat actors, adding it was not a ransomware event targeting its network. "Rather this was a series of brute-force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors," it noted. It's currently not known who is...

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2 , and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups," Silent Push said in an analysis. Appearing in three different versions – .NET, PowerShell, and JavaScript – the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine. Silent Push told The Hacker News that it does not have any insight into the nature of malware that was dropped using CountLoader. It's worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSe...

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. "SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said . "SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox." The packages, now no longer available for download from PyPI, are listed below. They were both uploaded by a user named "CondeTGAPIS." sisaws (201 Downloads) secmeasure (627 Downloads) Zscaler said the package sisaws mimics the behavior of the legitimate Python package sisa, which is associated with Argentina's national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA). However, ...

AI’s growing role in enterprise environments has heightened the urgency for Chief Information Security Officers (CISOs) to drive effective AI governance. When it comes to any emerging technology, governance is hard – but effective governance is even harder. The first instinct for most organizations is to respond with rigid policies. Write a policy document, circulate a set of restrictions, and hope the risk is contained. However, effective governance doesn’t work that way. It must be a living system that shapes how AI is used every day, guiding organizations through safe transformative change without slowing down the pace of innovation.  For CISOs, finding that balance between security and speed is critical in the age of AI. This technology simultaneously represents the greatest opportunity and greatest risk enterprises have faced since the dawn of the internet. Move too fast without guardrails, and sensitive data leaks into prompts, shadow AI proliferates, or regulatory gaps bec...

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability in question is CVE-2025-10585 , which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. Type confusion vulnerabilities can have severe consequences as they can be weaponized by bad actors to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes. Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 16, 2025. As is typically the case, the company did not share any additional specifics about how the vulnerability is being abused in real-world attacks, by whom, or the scale of such efforts. This is done to prevent other threat actors from exploiting the issue before users can apply a fix. "Google is aware that an exploit for CVE-2025-10585 exis...

The threat actor known as TA558 has been attributed to a fresh set of attacks delivering various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets. Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels. "The threat actors continue to employ phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders," the company said . "A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents." The findings demonstrate a new trend among cybercriminal groups to leverage artificial intelligence (AI) to bolster their tradecraft. Known to be active since at least 2015, RevengeHotels has a history of hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised syste...