The Hacker News | #1 Trusted Source for Cybersecurity News

Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck . According to Secure Annex's John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads. "The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down," Tuckner added . Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor. In the latest...

Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight. The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the surface transportation industry with the end goal of plundering physical goods. The most targeted commodities of the cyber-enabled heists are food and beverage products. "The stolen cargo most likely is sold online or shipped overseas," researchers Ole Villadsen and Selena Larson said in a report shared with The Hacker News. "In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them." The campaigns share similarities with a previous set of attacks disclosed in Septemb...

Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe. From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test. Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow. ⚡ Threat of the Week Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a target campaign that has leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was "limited to sectors aligned with their intelligence...

Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the majority of which are classified as benign. Addressing the root cause of these blind spots and alert fatigue isn't as simple as implementing more accurate tools. Many of these traditional tools are very accurate, but their fatal flaw is a lack of context and a narrow focus - missing the forest for the trees. Meanwhile, sophisticated attackers exploit exposures invisible to traditional reactive tools, often evading detection using widely-available bypass kits .  While all of these tools are effective in their own right, they often fail because of the reality that attackers don't employ just ...

Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it's being executed on a real device. BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that's used on devices made by the Chinese original equipment manufacturer (OEM). "The malware also includes logic to identify specific devices," CYFIRMA said. "It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or suppo...

The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea. Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip"), which masqueraded as a VPN invoice to distribute malware capable of file transfer, capturing screenshots, and executing arbitrary commands. "The chain has three steps: a small dropper, a loader called MemLoad, and the final backdoor, named 'HttpTroy,'" security researcher Alexandru-Cristian Bardaș said. Present within the ZIP archive is a SCR file of the same name, opening which triggered the execution chain, starting with a Golang binary containing three embedded files, including a decoy PDF document that's displayed...

The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country with a previously undocumented implant known as BADCANDY . The activity, per the intelligence agency, involves the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an account with elevated privileges and use it to seize control of susceptible systems. The security defect has come under active exploitation in the wild since last 2023, with China-linked threat actors like Salt Typhoon weaponizing it in recent months to breach telecommunications providers. ASD noted that variations of BADCANDY have been detected since October 2023, with a fresh set of attacks continuing to be recorded in 2024 and 2025. As many as 400 devices in Australia are estimated to have been compromised with the malware since July 2025, out of which 150 devices were infected in Oct...

OpenAI has announced the launch of an "agentic security researcher" that's powered by its GPT-5 large language model (LLM) and is programmed to emulate a human expert capable of scanning, understanding, and patching code. Called Aardvark , the artificial intelligence (AI) company said the autonomous agent is designed to help developers and security teams flag and fix security vulnerabilities at scale. It's currently available in private beta. "Aardvark continuously analyzes source code repositories to identify vulnerabilities, assess exploitability, prioritize severity, and propose targeted patches," OpenAI noted . It works by embedding itself into the software development pipeline, monitoring commits and changes to codebases, detecting security issues and how they might be exploited, and proposing fixes to address them using LLM-based reasoning and tool-use. Powering the agent is GPT‑5 , which OpenAI introduced in August 2025. The company describes it...

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009 , where "CL" stands for cluster and "STA" refers to state-backed motivation. "Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads." The malware, which appears in PowerShell and .NET variants, makes use of a multi-threaded command-and-control (C2) communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, bookmarks, and screenshots from web browse...

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday. "The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said. The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy...

The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick . The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it has confirmed reports of active abuse of the security defect to drop a backdoor on compromised systems. Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon (formerly Tellurium), is a suspected Chinese cyber espionage actor known for its extensive targeting of East Asia, specifically Japan. It's assessed to be active since at least 2006. "We're aware of very targeted activity in Japan and believe the exploitation by Bronze Butler was limited to sectors aligned with their intelligence objectives," Rafe Pilling, directo...

MSPs are facing rising client expectations for strong cybersecurity and compliance outcomes, while threats grow more complex and regulatory demands evolve. Meanwhile, clients are increasingly seeking comprehensive protection without taking on the burden of managing security themselves. This shift represents a major growth opportunity. By delivering advanced cybersecurity and compliance services, MSPs can build deeper relationships, generate higher-value recurring revenue streams, and stand out in a competitive market. However, the move from basic IT and security services to strategic cybersecurity offerings requires more than technical expertise. It demands a clear service strategy, the right internal resources, and the ability to communicate security value in business terms. Without this foundation, MSPs risk inconsistent service delivery, missed opportunities, and stalled growth. We created the guide Turn Security Into Growth: Is Your MSP Ready to Expand? to help providers pin...