Search results for remote server tools | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands. The vulnerability, tracked as CVE-2025-6514 , carries a CVSS score of 9.6 out of 10.0. "The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise," Or Peles, JFrog Vulnerability Research Team Leader, said . Mcp-remote is a tool that sprang forth following Anthropic's release of Model Context Protocol (MCP), an open-source framework that standardizes the way large language model (LLM) applications integrate and share data with external data sources and services. It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers, as opposed to running them locally on the same...

Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said . "This suggests potential collaboration and joint campaigns between the two groups." Both Head Mare and Twelve were previously documented by Kaspersky in September 2024, with the former leveraging a now-patched vulnerability in WinRAR (CVE-2023-38831) to obtain initial access and deliver malware and in some cases, even deploy ransomware families like LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom. Twelve, on the other hand, has been observed staging destructive attacks, taking advantage of various publicly available tools to encrypt victims' data and irrevocably d...

The capillary diffusion of mobile devices, the lack of security systems on these platforms and low level of awareness on principal cyber threats made them a privileged target for cybercrime. We have assisted in the recent year to an explosion of malware designed to hit principal mobile OSs, in a recent report Sophos security firm revealed that in Australia and the U.S. Android threat exposure rates exceeding those of PCs showing the urgency to implement proper countermeasures. The situation appears really critical that why I asked to the expert of Group-IB Forensics Lab to show me how these agents work with a really case study. Several month ago Group-IB Forensics Lab detected mobile-banking malware through Google Play by Sberbank request (Russian leading national bank).  The File associated to the malware was named sber.apk , it was an Android Package having size of 225,905 bytes and digest md5: F27D43DFEEDFFAC2EC7E4A069B3C9516 . Analyzing the functionality of th...

The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups , accounting for 84 victims each in the months of August and September 2025. The Russian-speaking threat group emerged around July 2022. According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors. Attacks mounted by Qilin affiliates have likely leveraged leaked administrative credentials on the dark web for initial access using a VPN interface, followed by performing RDP connections to th...

Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems. The  new findings  come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the  constellation-themed moniker   Tropical Scorpius . Cuba ransomware (aka  COLDDRAW ), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments. Of the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a not as global distribution of targeted organizations as other ransomware gangs. "Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers,...

Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol ( MCP ) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands. "The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.)," according to a GitHub advisory for the flaw. "Successful exploitation can lead to remote code execution under the server process's privileges." Given that the Framelink Figma MCP server exposes various tools to perform operations in Figma using artificial intelligence (AI)-powered coding agents like Cursor, an attacker co...

Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts. "Skitnet has been sold on underground forums like RAMP since April 2024," Swiss cybersecurity company PRODAFT told The Hacker News. "However, since early 2025, we have observed multiple ransomware operators using it in real-world attacks."  "For example, in April 2025, Black Basta leveraged Skitnet in Teams-themed phishing campaigns targeting enterprise environments. With its stealth features and flexible architecture, Skitnet appears to be gaining traction rapidly within the ransomware ecosystem." Skitnet , also called Bossnet , is a multi-stage malware developed by a threat actor tracked by the company under the name LARVA-306. A notable aspect of the malicious tool is that it uses programming languages like Rust and Nim to launch a reverse shell over DNS and evade detecti...

Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor , illustrating ongoing abuse of legitimate software for malicious purposes. "In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server," the Sophos Counter Threat Unit Research Team said in a report published this week.  While threat actors are known to adopt living-off-the-land (LotL) techniques or take advantage of legitimate remote monitoring and management (RMM) tools in their attacks, the use of Velociraptor signals a tactical evolution, where incident response programs are being used to obtain a foothold and minimize the need for having to deploy their own malware.  Further analysis of the incident has revealed that the attackers used the Wind...

A hacking group with ties other than Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT. The activity has been attributed by Recorded Future's Insikt Group to a threat actor tracked as TAG-140, which it said overlaps with SideCopy , an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (aka APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM). "TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques," the Mastercard-owned company said in an analysis published last month. "This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality." The updated version of DRAT, called DRAT V2, is the latest a...

The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That's according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming closer to each other more than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots.  The activity is attributed to a threat cluster that's tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum. The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor's use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the...

If you are a hacker, you might have enjoyed the NSA's private zero-day exploits , malware and hacking tools that were leaked last month. But the question is: How these hacking tools ended up into the hands of hackers? It has been found that the NSA itself was not directly hacked, but a former NSA employee carelessly left those hacking tools on a remote server three years ago after an operation and a group of Russian hackers found them, sources close to the investigation told Reuters . The leaked hacking tools, which enable hackers to exploit vulnerabilities in systems from big vendors like Cisco Systems, Juniper, and Fortinet, were dumped publicly online by the group calling itself " The Shadow Brokers ." NSA officials have also admitted to the FBI that their careless employee acknowledged the error shortly afterward, and hence the agency was aware of its operative's mistake from last three years. But instead of warning the affected companies that their c...

Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language, underscoring a constant evolution of their tactics. "Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol," SentinelOne researchers Phil Stokes and Raffaele Sabato said in a report shared with The Hacker News. "A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted." The cybersecurity company is tracking the malware components collectively under the name NimDoor. It's worth noting that some aspects of the campaign were previously documented by Huntabil.IT and later by Huntress and Validin , but with differences in the payloads deployed. The attack chains involve social enginee...

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707 . Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia. "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis. The exact initial access vector used in the attacks is currently not clear, although it has been observed that Microsoft's certutil application is used to download additional payloads from a web server associated with the Foreign Ministry. The certutil commands used to ...

Cybersecurity researchers have discovered a critical security vulnerability in artificial intelligence (AI) company Anthropic's Model Context Protocol ( MCP ) Inspector project that could result in remote code execution (RCE) and allow an attacker to gain complete access to the hosts. The vulnerability, tracked as CVE-2025-49596 , carries a CVSS score of 9.4 out of a maximum of 10.0. "This is one of the first critical RCEs in Anthropic's MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools," Oligo Security's Avi Lumelsky said in a report published last week. "With code execution on a developer's machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP." MCP, introduced by Anthropic in November 2024, is an open protocol that standardizes the way large language model (LLM) appli...