The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole $1.3 billion, according to Chainalysis' Crypto Crime Report shared with The Hacker News. "This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises," the blockchain intelligence company said . "Overall, 2025's numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion." The February compromise of cryptocurrency exchange Bybit alone is responsible for $1.5 billion of the $2.02 billion plundered by North ...

Within the past year, artificial intelligence copilots and agents have quietly permeated the SaaS applications businesses use every day. Tools like Zoom, Slack, Microsoft 365, Salesforce, and ServiceNow now come with built-in AI assistants or agent-like features. Virtually every major SaaS vendor has rushed to embed AI into their offerings. The result is an explosion of AI capabilities across the SaaS stack, a phenomenon of AI sprawl where AI tools proliferate without centralized oversight. For security teams, this represents a shift. As these AI copilots scale up in use, they are changing how data moves through SaaS. An AI agent can connect multiple apps and automate tasks across them, effectively creating new integration pathways on the fly. An AI meeting assistant might automatically pull in documents from SharePoint to summarize in an email, or a sales AI might cross-reference CRM data with financial records in real time. These AI data connections form complex, dynamic pathways...

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). "The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices," ENKI said . "The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities." "Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware." According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It's being assessed that the threat actors are using smishing texts or phi...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise that could allow attackers to perform unintended actions. "Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise," according to a description of the flaw published in CVE.org. "The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected." It's worth noting that the vulnerability refers to a supply chain attack that came to ligh...

Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it has singled out a "limited subset of appliances" with certain ports open to the internet. It's currently not known how many customers are affected. "This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco said in an advisory. "The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances." The as-yet-unpatched vulnerability is being tracked as CVE-2025-20393 , ...

SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It affects the following versions - 12.4.3-03093 (platform-hotfix) and earlier versions - Fixed in 12.4.3-03245 (platform-hotfix) 12.5.0-02002 (platform-hotfix) and earlier versions - Fixed in 12.5.0-02283 (platform-hotfix) "This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges," SonicWall said. It's worth noting that CVE-2025-23006 was patched by the company in late January 2025 in version 12.4.3-02854 (platform-hotfix). Clément Lecigne and Zander Work of Google Threat Intelligen...

A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU , according to findings from QiAnXin XLab. "Kimwolf is a botnet compiled using the NDK [Native Development Kit]," the company said in a report published today. "In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions." The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare's list of top 100 domains, briefly even surpassing Google. Kimwolf's primary infection targets are TV boxes deployed in residential network en...

The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that detailed the hacking group's attacks targeting European networks with the HeadLace malware and credential-harvesting web pages. APT28 is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. It's assessed to be affiliated with Russia's Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). The latest attacks are characterized by the deployment of UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credential...

The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown. "While the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions," security researcher Georgy Kucherin said . Operation ForumTroll refers to a series of sophisticated phishing attacks exploiting a then-zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and a spyware implant known as Dante. The latest attack wave also commences with emails that claimed to be from eLibrary, a Russian scientific electronic library, with the messages sent f...