The Hacker News | #1 Trusted Source for Cybersecurity News

U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber-attacks from Iranian state-sponsored or affiliated threat actors.  "Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events," the agencies said . "These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices." There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted. Emphasizing the need for "incr...

Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world. The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate started in 2023. In addition, the five alleged suspects behind the cryptocurrency scam were arrested on June 25, 2025. Three of the arrests took place in the Canary Islands, while two others were apprehended from Madrid. "To carry out their fraudulent activities, the leaders of the criminal network allegedly used a net of associates spread around the world to raise funds through cash withdrawals, bank transfers, and crypto-transfers," Europol said . These types of scams often follow a pattern known as cryptocurrency confidence or romance baiting (formerly "pig butchering"...

The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66 . Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATS). Many threat actors rely on bulletpro While Visual Basic Script (VBS) might seem outdated, it's still a of hosting providers like Proton66 because these services intentionally ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption. The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning i...

Identity-based attacks are on the rise. Attacks in which malicious actors assume the identity of an entity to easily gain access to resources and sensitive data have been increasing in number and frequency over the last few years. Some recent reports estimate that 83% of attacks involve compromised secrets . According to reports such as the Verizon DBIR , attackers are more commonly using stolen credentials to gain their initial foothold, rather than exploiting a vulnerability or misconfiguration. Attackers are not just after human identities that they can assume, though. More commonly, they are after Non-Human Identities (NHIs), which outnumber human identities in the enterprise by at least 50 to one . Unlike humans, machines have no good way to achieve multi-factor authentication, and we, for the most part, have been relying on credentials alone, in the form of API keys, bearer tokens, and JWTs.  Traditionally, identity and access management (IAM) has been built on the idea of...

Ever wonder what happens when attackers don't break the rules—they just follow them better than we do? When systems work exactly as they're built to, but that "by design" behavior quietly opens the door to risk? This week brings stories that make you stop and rethink what's truly under control. It's not always about a broken firewall or missed patch—it's about the small choices, default settings, and shortcuts that feel harmless until they're not. The real surprise? Sometimes the threat doesn't come from outside—it's baked right into how things are set up. Dive in to see what's quietly shaping today's security challenges. ⚡ Threat of the Week FBI Warns of Scattered Spider's on Airlines — The U.S. Federal Bureau of Investigation (FBI) has warned of a new set of attacks mounted by the notorious cybercrime group Scattered Spider targeting the airline sector using sophisticated social engineering techniques to obtain initial access. Cybersecurity vendors Palo Alto Networks Unit 4...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector. To that end, the agency said it's actively working with aviation and industry partners to combat the activity and help victims. "These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," the FBI said in a post on X. "These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts." Scattered Spider attacks are also known to target third-party IT providers to obtain access to large organizations, putting trusted vendors and contractors at risk of potential attacks. The attacks typically pave the way for data theft, extortion, and ransomware. In a statement shared ...

The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool. "Recent campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and browser secrets," Arctic Wolf Labs said in a report published this week. "This shift in functionality, combined with the content of its phishing lures, [...] suggests a strategic focus on intelligence gathering from Ukrainian governmental and military entities." GIFTEDCROOK was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in early April 2025 in connection with a campaign targeting military entities, law enforcement agencies, and local self-government bodies. The activity, attributed to a hacking group it tracks as UAC-0226, involves th...

Facebook, the social network platform owned by Meta, is asking for users to upload pictures from their phones to suggest collages, recaps, and other ideas using artificial intelligence (AI), including those that have not been directly uploaded to the service. According to TechCrunch, which first reported the feature, users are being served a new pop-up message asking for permission to "allow cloud processing" when they are attempting to create a new Story on Facebook. "To create ideas for you, we'll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or themes," the company notes in the pop-up. "Only you can see suggestions. Your media won't be used for ads targeting. We'll check it for safety and integrity purposes." Should users consent to their photos being processed on the cloud, Meta also states that they are agreeing to its AI terms , which allow it to analyze their med...

Threat hunters have discovered a network of more than 1,000 compromised small office and home office (SOHO) devices that have been used to facilitate a prolonged cyber espionage infrastructure campaign for China-nexus hacking groups. The Operational Relay Box (ORB) network has been codenamed LapDogs by SecurityScorecard's STRIKE team. "The LapDogs network has a high concentration of victims across the United States and Southeast Asia, and is slowly but steadily growing in size," the cybersecurity company said in a technical report published this week. Other regions where the infections are prevalent include Japan, South Korea, Hong Kong, and Taiwan, with victims spanning IT, networking, real estate, and media sectors. Active infections span devices and services from Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology.  LapDogs' beating heart is a custom backdoor called ShortLeash that's engineered...

A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community. The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians' Convention on Tibet (WPCT), China's education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force. The cybersecurity division of the technology company said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD . It's tracking the threat actor under the name Hive0154. The attack chains employ Tibet-themed lures to distribute a malicious archive containing a benign Microsoft Word file, along with articles reproduced by Tibetan websites and photos from WPCT, into opening an executable that's disguised as a document. The executable, as observed in prior Mustang Panda atta...

Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today's security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending. At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent . This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats. In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused. Enter the Agentic AI SOC Analyst The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team an...

A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit. The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor. The phishing websites ("wpsice[.]com") have been found to distribute malicious MSI installers in the Chinese language, indicating that the targets of the campaign are Chinese speakers. "The malware payloads include the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit," Netskope Threat Labs researcher Leandro Fróes said . This is not the first time the threat actor has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st...