Search results for windows-powershell-commands-list | Breaking Cybersecurity News | The Hacker News

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of targeting Windows, macOS, and Linux systems. Versions 1.14.1 and 0.30.4 of Axios have been found to inject " plain-crypto-js " version 4.2.1 as a fake dependency. According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios maintainer ("jasonsaayman"), allowing the attackers to bypass the project's GitHub Actions CI/CD pipeline. "Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux," security researcher Ashish Kurmi said . "The dropper contacts a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own...

The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX. Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor. COLDRIVER , also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that's known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS , which underscores its technical sophistication. The adversary's use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2...

The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate via WhatsApp a worm that deploys a banking trojan in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. "Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates," Trend Micro researchers Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, and Emmanuel Panopio said . In these attacks, users receive messages from trusted contacts on WhatsA...

The SolarWinds attack , which succeeded by utilizing the sunburst malware , shocked the cyber-security industry. This attack achieved persistence and was able to evade internal systems long enough to gain access to the source code of the victim. Because of the far-reaching SolarWinds deployments, the perpetrators were also able to infiltrate many other organizations, looking for intellectual property and other assets. Among the co-victims: US government, government contractors, Information Technology companies, and NGOs. An incredible amount of sensitive data was stolen from several customers after a trojanized version of SolarWinds' application was installed on their internal structures. Looking at the technical capabilities of the malware, as you will see, this particular attack was quite impressive. A particular file, named  SolarWinds.Orion.Core.BusinessLayer.dll  is a SolarWinds digitally signed component of the Orion software framework. The threat actors installed a...

A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025. That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible servers.     "Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations," researchers Daniil Grigoryan and Georgy Khandozhko said . PhantomCore , also called Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, is the name assigned to a politically- and financially-motivated hacking crew that has been active since 2022 following the Russo-Ukrainian war. Attacks   mo...

Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process. "The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims," Tomer Bar, director of security research at SafeBreach,  said  in a new report. Attributed to an  unnamed threat actor , attack chains involving the malware commence with a weaponized  Microsoft Word document  that, per the company, was uploaded from Jordan on August 25, 2022. Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code. "The Macro drops 'updater.vbs,' creates a scheduled task pretending to be part of a Windows update, which will ...

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web . Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed Water Saci . The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload. The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes con...

Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote . "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. The cybersecurity company said it discovered over the past month several Windows Shortcut (LNK) file artifacts that contain PowerShell commands responsible for delivering the malware. Coyote was first documented by Kaspersky in early 2024, detailing its attacks targeting users in the South American nation. It's capable of harvesting sensitive information from over 70 financial applications. In the previous attack chain documented by the Russian cybersecurity firm, a Squirrel installer executable is used to trigger a Node.js application compiled with Electron, that, for its part, runs a...

Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language, underscoring a constant evolution of their tactics. "Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol," SentinelOne researchers Phil Stokes and Raffaele Sabato said in a report shared with The Hacker News. "A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted." The cybersecurity company is tracking the malware components collectively under the name NimDoor. It's worth noting that some aspects of the campaign were previously documented by Huntabil.IT and later by Huntress and Validin , but with differences in the payloads deployed. The attack chains involve social enginee...

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild. Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities. In total, Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable's Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It's the third time it has done so since Patch Tuesday's inception. The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update . This also consists of a s...

Cybersecurity researchers have charted the evolution of XWorm malware, turning it into a versatile tool for supporting a wide range of malicious actions on compromised hosts. "XWorm's modular design is built around a core client and an array of specialized components known as plugins," Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. "These plugins are essentially additional payloads designed to carry out specific harmful actions once the core malware is active." XWorm, first observed in 2022 and linked to a threat actor named EvilCoder, is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It's primarily propagated via phishing emails and bogus sites advertising malicious ScreenConnect installers. Some of the other tools advertised by the developer include a .NET-based malware builder, a remote access trojan called XBinder, a...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. "The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News. One of the web shells used in the attack was Localolive, which was previously flagged by Microsoft as put to use by a sub-group of the ...

A threat actor tracked as Polonium has been linked to over a dozen highly targeted attacks aimed at Israelian entities with seven different custom backdoors since at least September 2021. The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said. Polonium  is the chemical element-themed moniker given by Microsoft to a sophisticated operational group that's believed to be based in Lebanon and is known to exclusively strike Israeli targets. Activities undertaken by the group first came to light earlier this June when the Windows maker disclosed it suspended more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes. Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive ...

Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon that has been linked to cyber attacks targeting entities in Europe and Southeast Asia since at least mid-2024. "Silver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments," Check Point said in a technical report. "To maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity." Silver Dragon is assessed to be operating within the APT41 umbrella . APT41 is the cryptonym assigned to a prolific Chinese hacking group known for its targeting of healthcare, telecoms, high-tech, education, travel services, and media sectors for cyber espionage as early as 2012. It's also believed to engage in financially motivated activity potentially outside of state control. Attacks mounted by...

Brazilian users have emerged as the target of a new self-propagating malware dubbed SORVEPOTEL that spreads via the popular messaging app WhatsApp. The campaign, codenamed Water Saci by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding the attack is "engineered for speed and propagation" rather than data theft or ransomware. "SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments," researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said . "Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers." Once the attachment is opened, the malware automatically propagates via the deskt...

Cybersecurity researchers have shed light on a new campaign targeting Brazilian users since the start of 2025 to infect users with a malicious extension for Chromium-based web browsers and siphon user authentication data. "Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack," Positive Technologies security researcher Klimentiy Galkin said in a report. "The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers, as well as Mesh Agent and PDQ Connect Agent." The Russian cybersecurity company, which is tracking the activity under the name Operation Phantom Enigma , said the malicious extension was downloaded 722 times from across Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam, among others. As many as 70 unique victim companies have been identified. Some aspects of the campaign were disclosed in early April by a researcher who goes by th...