#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Paper Werewolf Deploys PowerModul Implant in Targeted Cyberattacks on Russian Sectors

Paper Werewolf Deploys PowerModul Implant in Targeted Cyberattacks on Russian Sectors

Apr 11, 2025 Malware / Vulnerability
The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul . The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known as GOFFEE, is assessed to have conducted at least seven campaigns since 2022, according to BI.ZONE, with the attacks mainly aimed at government, energy, financial, media, and other organizations. Attack chains mounted by the threat actor have also been observed incorporating a disruptive component, wherein the intrusions go beyond distributing malware for espionage purposes to also change passwords belonging to employee accounts. The attacks themselves are initiated via phishing emails that contain a macro-laced lure document, which, upon opening and enabling macros, paves the way for th...
Initial Access Brokers Shift Tactics, Selling More for Less

Initial Access Brokers Shift Tactics, Selling More for Less

Apr 11, 2025 Cybercrime / Security Breach
What are IABs? Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals. This division of labor allows IABs to concentrate on their core expertise: exploiting vulnerabilities through methods like social engineering and brute-force attacks.  By selling access, they significantly mitigate the risks associated with directly executing ransomware attacks or other complex operations. Instead, they capitalize on their skill in breaching networks, effectively streamlining the attack process for their clients. This business model enables IABs to operate with a lower profile and reduced risk, while still profiting from their technical skills. Operating primarily on dark web forums and underground markets, IABs can function independently or as part of larger organizations like Ransomware-as-a-Service (RaaS) gangs.  They act as a crucial link in the cybercrime ecosystem, providing the i...
The Identities Behind AI Agents: A Deep Dive Into AI and NHI

The Identities Behind AI Agents: A Deep Dive Into AI and NHI

Apr 10, 2025AI Security / Enterprise Security
AI agents have rapidly evolved from experimental technology to essential business tools. The OWASP framework explicitly recognizes that Non-Human Identities play a key role in agentic AI security. Their analysis highlights how these autonomous software entities can make decisions, chain complex actions together, and operate continuously without human intervention. They're no longer just tools, but an integral and significant part of your organization's workforce. Consider this reality: Today's AI agents can analyze customer data, generate reports, manage system resources, and even deploy code, all without a human clicking a single button. This shift represents both tremendous opportunity and unprecedented risk. AI Agents are only as secure as their NHIs Here's what security leaders are not necessarily considering: AI agents don't operate in isolation . To function, they need access to data, systems, and resources. This highly privileged, often overlooked acces...
Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways

Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways

Apr 11, 2025 Vulnerability / Network Security
Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat hunters warned of a surge in suspicious login scanning activity targeting its appliances. "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," a spokesperson for the company told The Hacker News. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary." The development comes after threat intelligence firm GreyNoise alerted of a spike in suspicious login scanning activity aimed at PAN-OS GlobalProtect portals. The company further noted that the activity commenced on March 17, 2025, hitting a peak of 23,958 unique IP addresses before dropping off towards the end of last month. The pattern indicates...
cyber security

SANS Institute Complimentary Cyber Bundle ($3240 Value) at SANSFIRE 2025

websiteSANSCyber Security Training
Register to attend in-person training at SANSFIRE 2025 and receive a complimentary cyber-pro pass! Pass includes OnDemand bundle, AND free pass to play in the NetWars Tournament!
SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps

SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps

Apr 11, 2025 Spyware / Mobile Security
Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote . These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast. Subsequent analysis by mobile security firm Zimperium h...
OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

Apr 11, 2025 Website Security / Vulnerability
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78," Wordfence's István Márton said . "This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key." Successful exploitation of the vulnerabilit...
Incomplete Patch in NVIDIA Toolkit Leaves CVE-2024-0132 Open to Container Escapes

Incomplete Patch in NVIDIA Toolkit Leaves CVE-2024-0132 Open to Container Escapes

Apr 10, 2025 Container Security / Vulnerability
Cybersecurity researchers have detailed a case of an incomplete patch for a previously addressed security flaw impacting the NVIDIA Container Toolkit that, if successfully exploited, could put sensitive data at risk. The original vulnerability CVE-2024-0132 (CVSS score: 9.0) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability that could lead to a container escape attack and allow for unauthorized access to the underlying host. While this flaw was resolved by NVIDIA in September 2024, a new analysis by Trend Micro has revealed the fix to be incomplete and that there also exists a related performance flaw affecting Docker on Linux that could result in a denial-of-service (DoS) condition. "These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions," Trend Micro researcher Abdelrahman Esmail said in a new report published today. The fact that the TOCTOU vulnerability persists means that a ...
Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses

Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses

Apr 10, 2025 Malware / Cryptocurrency
Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office , masquerades as a utility for converting PDF files to Microsoft Word documents. But, in reality, it harbors features to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus. "Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The npm package in question was first published on March 24, 2025, and has received three updates since then but not before the previous versions were likely removed by the a...
PlayPraetor Reloaded: CTM360 Uncovers a Play Masquerading Party

PlayPraetor Reloaded: CTM360 Uncovers a Play Masquerading Party

Apr 10, 2025 Financial Fraud / Mobile Security
Overview of the PlayPraetor Masquerading Party Variants CTM360 has now identified a much larger extent of the ongoing Play Praetor campaign. What started with 6000+ URLs of a very specific banking attack has now grown to 16,000+ with multiple variants. This research is ongoing, and much more is expected to be discovered in the coming days.  As before, all the newly discovered play impersonations are mimicking legitimate app listings, deceiving users into installing malicious Android applications or exposing sensitive personal information. While these incidents initially appeared to be isolated, further investigation has revealed a globally coordinated campaign that poses a significant threat to the integrity of the Play Store ecosystem. Evolution of the Threat This report expands on the earlier research into PlayPraetor, highlighting the discovery of five newly identified variants. These variants reveal the campaign's increasing sophistication in terms of attack techniques, ...
The Identities Behind AI Agents: A Deep Dive Into AI & NHI

The Identities Behind AI Agents: A Deep Dive Into AI & NHI

Apr 10, 2025 AI Security / Enterprise Security
AI agents have rapidly evolved from experimental technology to essential business tools. The OWASP framework explicitly recognizes that Non-Human Identities play a key role in agentic AI security. Their analysis highlights how these autonomous software entities can make decisions, chain complex actions together, and operate continuously without human intervention. They're no longer just tools, but an integral and significant part of your organization's workforce. Consider this reality: Today's AI agents can analyze customer data, generate reports, manage system resources, and even deploy code, all without a human clicking a single button. This shift represents both tremendous opportunity and unprecedented risk. AI Agents are only as secure as their NHIs Here's what security leaders are not necessarily considering: AI agents don't operate in isolation . To function, they need access to data, systems, and resources. This highly privileged, often overlooked acces...
Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine

Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine

Apr 10, 2025 Cyber Espionage / Malware
The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on February 26, 2025. "The initial infection vector used by the attackers appears to have been an infected removable drive," the Broadcom-owned threat intelligence division said in a report shared with The Hacker News. The attack started with the creation of a Windows Registry value under the UserAssist key, followed by launching "mshta.exe" using "explorer.exe" to initiate a multi-stage infection chain and launch two files. The first file, named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communications with a command-and...
Expert Insights / Articles Videos
Cybersecurity Resources