Search results for ANTI DETECT BROWSERS | Breaking Cybersecurity News | The Hacker News

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet  is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns. The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory. It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware. The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet...

Stealer malware no longer just steals passwords. In 2025, it steals live sessions—and attackers are moving faster and more efficiently than ever. While many associate account takeovers with personal services, the real threat is unfolding in the enterprise. Flare's latest research, The Account and Session Takeover Economy , analyzed over 20 million stealer logs and tracked attacker activity across Telegram channels and dark web marketplaces. The findings expose how cybercriminals weaponize infected employee endpoints to hijack enterprise sessions—often in less than 24 hours. Here's the real timeline of a modern session hijacking attack. Infection and Data Theft in Under an Hour Once a victim runs a malicious payload—typically disguised as cracked software, fake updates, or phishing attachments—commodity stealers like Redline (44% of logs), Raccoon (25%), and LummaC2 (18%) take over. These malware kits: Extract browser cookies, saved credentials, session tokens, and crypto walle...

A highly popular top-tier app in Apple's Mac App Store that's designed to protect its users from adware and malware threats has been, ironically, found surreptitiously stealing their browsing history without their consent, and sending it to a server in China. What's more concerning? Even after Apple was warned a month ago, the company did not take any action against the app. The app in question is "Adware Doctor," the Mac App Store No. 1 paid utility and also ranked as the fourth most popular paid app on the store, which sells for $4.99 and markets itself to be the "best app" to prevent "malware and malicious files from infecting your Mac." However, a security researcher with the @privacyis1st Twitter handle detected Adware Doctor's suspicious spyware-like behavior almost a month ago and also uploaded a proof-of-concept video demonstration of how the user's browser history is exfiltrated. The researcher informed Apple about...

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure," Kaspersky said in an analysis published Tuesday. Some of the other freshly incorporated tricks include the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing ( CTS ) encryption, and mouse tracking. Also observed are "lighter, local versions" that are specifically focused on targeting banking customers in Mexico. Grandoreiro , active since 2016, has consistently evolved over time, taking efforts to stay undetected, while also widening its geog...

Attacks that target users in their web browsers have seen an unprecedented rise in recent years. In this article, we'll explore what a "browser-based attack" is, and why they're proving to be so effective.  What is a browser-based attack? First, it's important to establish what a browser-based attack is. In most scenarios, attackers don't think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party services that are now the backbone of business IT. The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. You need only look at last year's Snowflake customer breaches or the still-ongoing Salesforce attacks to see the impact.  The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers — and ex...

Some of the biggest security problems start quietly. No alerts. No warnings. Just small actions that seem normal but aren't. Attackers now know how to stay hidden by blending in, and that makes it hard to tell when something's wrong. This week's stories aren't just about what was attacked—but how easily it happened. If we're only looking for the obvious signs, what are we missing right in front of us? Here's a look at the tactics and mistakes that show how much can go unnoticed. ⚡ Threat of the Week Apple Zero-Click Flaw in Messages Exploited to Deliver Paragon Spyware — Apple disclosed that a security flaw in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, CVE-2025-43200, was addressed by the company in February as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. The Citizen Lab said it u...

Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been pretty consistent: Compromise an endpoint via software exploit, or social engineering a user to run malware on their device;  Find ways to move laterally inside the network and compromise privileged identities; Repeat as needed until you can execute your desired attack — usually stealing data from file shares, deploying ransomware, or both.  But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally deployed and centrally managed in the way they used to be. Instead, they're logged into over the internet, and accessed via a web browser. Attacks have shifted from targeting local networks to SaaS services, accessed through employee web browsers. Under the shared responsibility model, the part that's left to the business consuming a SaaS service is mostly constrained to how they ma...

It's no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network. Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short. Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking. When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are. The simple fact is, infection vectors change rapidly and continuously. Attackers use new delivery methods – everything from social engineering to zero-day exploits – and they often are effective. In most cases, an infecti...

Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors. "This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service 'Sneaky Log,' which operates through a fully-featured bot on Telegram," the company said in an analysis. "Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently." Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing QR co...

A new Golang-based information stealer called  Skuld  has compromised Windows systems across Europe, Southeast Asia, and the U.S. "This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho  said  in a Tuesday analysis. "To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim's folders." Skuld, which shares overlaps with publicly available stealers like  Creal Stealer ,  Luna Grabber , and  BlackCap Grabber , is the handiwork of a developer who goes by the online alias Deathined on various social media platforms like GitHub, Twitter, Reddit, and Tumblr. Also spotted by Trellix is a Telegram group named deathinews, indicating that these online avenues could be used to promote the offering in the future as a service for other threat actors. The malware, upon execution, checks if...

Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of  WebSockets  to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix  said  in a report shared with The Hacker News. The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it's being actively developed and maintained. The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver's license. Opening each of the .LNK files retrieves two text files from a remote server that ...

The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware." Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024.

The Racoon Stealer malware as a service platform gained notoriety several years ago for its ability to extract data that is stored within a Web browser. This data initially included passwords and cookies, which sometimes allow a recognized device to be authenticated without a password being entered. Racoon Stealer was also designed to steal auto-fill data, which can include a vast trove of personal information ranging from basic contact data to credit card numbers. As if all of that were not enough, Racoon Stealer also had the ability to steal cryptocurrency and to steal (or drop) files on an infected system. As bad as Racoon Stealer might have been, its developers have recently created a new version that is designed to be far more damaging than the version that previously existed.  New Racoon Stealer Capabilities The new version of Raccoon Stealer  still has the ability to steal browser passwords, cookies, and auto-fill data. It also has the ability to steal any credit c...

Cybersecurity researchers on Tuesday detailed as many as four different families of Brazilian banking trojans that have targeted financial institutions in Brazil, Latin America, and Europe. Collectively called the "Tetrade" by Kaspersky researchers, the malware families — comprising Guildma, Javali, Melcoz, and Grandoreiro — have evolved their capabilities to function as a backdoor and adopt a variety of obfuscation techniques to hide its malicious activities from security software. "Guildma, Javali, Melcoz and Grandoreiro are examples of yet another Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries," Kaspersky said in an analysis . "They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks against customers of these financial institutions." A Multi-Stage Malware Deployment Process...

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it's knowing which risks matter most right now. That's what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It's a sharp reminder of how fragile integrations can become the weak link in enterprise defenses. Alongside this, we'll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise. ⚡ Threat of the Week Salesloft to Take Drift Of...

If this had been a security drill, someone would've said it went too far. But it wasn't a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late. This is how attacks happen now—quiet, convincing, and fast. Defenders aren't just chasing hackers anymore—they're struggling to trust what their systems are telling them. The problem isn't too few alerts. It's too many, with no clear meaning. One thing is clear: if your defense still waits for obvious signs, you're not protecting anything. You're just watching it happen. This recap highlights the moments that mattered—and why they're worth your attention. ⚡ Threat of the Week APT41 Exploits Google Calendar for Command-and-Control — The Chinese state-sponsored threat actor known as APT41 deployed a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). Google said it observed the spear-phishing attacks in October 2024 and that the malware was hosted on...

Behind every security alert is a bigger story. Sometimes it's a system being tested. Sometimes it's trust being lost in quiet ways—through delays, odd behavior, or subtle gaps in control. This week, we're looking beyond the surface to spot what really matters. Whether it's poor design, hidden access, or silent misuse, knowing where to look can make all the difference. If you're responsible for protecting systems, data, or people—these updates aren't optional. They're essential. These stories reveal how attackers think—and where we're still leaving doors open. ⚡ Threat of the Week Google Releases Patches for Actively Exploited Chrome 0-Day — Google has released Google Chrome versions 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to address a high-severity out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine that it said has been exploited in the wild. Google credited Clement Lecigne and Benoît Sevens of Google T...

From unpatched cars to hijacked clouds, this week's Threatsday headlines remind us of one thing — no corner of technology is safe. Attackers are scanning firewalls for critical flaws, bending vulnerable SQL servers into powerful command centers, and even finding ways to poison Chrome's settings to sneak in malicious extensions. On the defense side, AI is stepping up to block ransomware in real time, but privacy fights over data access and surveillance are heating up just as fast. It's a week that shows how wide the battlefield has become — from the apps on our phones to the cars we drive. Don't keep this knowledge to yourself: share this bulletin to protect others, and add The Hacker News to your Google News list so you never miss the updates that could make the difference. Claude Now Finds Your Bugs Anthropic Touts Safety Protections Built Into Claude Sonnet 4.6 Anthropic said it has rolled out a number of safety and security improve...