Cyber Digests


Latest Cyber News


Google’s Threat Intelligence Group (GTIG) has uncovered a significant evolution in the operations of COLDRIVER, a state-sponsored threat actor. Within days of the public disclosure of its LOSTKEYS malware, COLDRIVER deployed a new malware ecosystem dubbed the 'ROBOT' family. This includes NOROBOT, YESROBOT, and MAYBEROBOT, delivered through an updated ClickFix lure disguised as a CAPTCHA test. The group's swift response demonstrates a well-resourced capability to rebuild and rearm after exposure. The new ROBOT-linked malware has been used more aggressively than previous campaigns, highlighting COLDRIVER's persistent effort to evade detection while targeting high-value entities.

Latest mentioned: 10-22
Earliest mentioned: 10-20

The PassiveNeuron cyberespionage campaign has re-emerged after a six-month hiatus, targeting government, financial, and industrial organizations with sophisticated malware implants. The campaign primarily exploits Microsoft SQL servers to gain initial access, leveraging vulnerabilities or brute-forcing credentials. Once inside, attackers deploy ASPX web shells and adapt their techniques to evade detection. The campaign employs custom malware like Neursite and NeuralExecutor, along with the Cobalt Strike framework, demonstrating remarkable adaptability and persistence.

Latest mentioned: 10-21
Earliest mentioned: 10-21

A new supply-chain attack, GlassWorm, is targeting developers on OpenVSX and Microsoft Visual Studio marketplaces. The malware uses invisible Unicode characters to hide its code and spreads using stolen account information. It leverages the Solana blockchain for command-and-control, making takedown difficult. Researchers found that the malware has been installed an estimated 35,800 times and can steal credentials for various platforms and cryptocurrency wallet data.

Latest mentioned: 10-20
Earliest mentioned: 10-20

FortiGuard Labs has uncovered a sophisticated cross-regional campaign by Winos 4.0 hackers, initially targeting users with phishing PDFs disguised as official documents. The campaign has evolved, using custom domains and multi-stage loaders to deliver the HoldingHands payload. The malware employs DLL sideloading and privilege escalation techniques, making detection challenging. The latest variant includes a new C2 task that updates the server IP address via a registry entry, showcasing the group's growing sophistication. Analysts have linked the infrastructure to new campaigns, highlighting the threat actors' reliance on phishing lures and layered evasion tactics.

Latest mentioned: 10-20
Earliest mentioned: 10-18

Researchers at SEQRITE Labs have uncovered a targeted spear-phishing campaign aimed at organizations in the automobile and e-commerce sectors. The operation, active since early October 2025, deploys a previously undocumented .NET-based backdoor dubbed CAPI, designed for credential theft, system reconnaissance, and persistent access. The attack chain uses tax-related decoy documents to lure employees and executes the payload through rundll32.exe, a legitimate Windows binary, to evade detection. The infection begins with a malicious ZIP archive named "Payroll Recalculation as of October 1, 2025". Inside the ZIP, analysts found both LNK and PDF files, a common spear-phishing tactic to disguise executable payloads as legitimate business documents.

Latest mentioned: 10-20
Earliest mentioned: 10-18

A new report from NTT Security Japan highlights the evolved malware family OtterCandy, attributed to the WaterPlum group. This campaign showcases advanced multi-platform intrusion capabilities, targeting Windows, macOS, and Linux. OtterCandy, built with Node.js, functions as both a Remote Access Trojan (RAT) and an Information Stealer, combining elements from earlier espionage tools. The malware's latest update enhances its persistence and data-theft capabilities, including an anti-forensic module that removes traces after execution.

Latest mentioned: 10-20
Earliest mentioned: 10-16

The threat actors behind Winos 4.0 malware have expanded their targeting to include new regions, utilizing phishing emails with embedded malicious links in PDFs. These attacks deliver the HoldingHands RAT, which is capable of capturing sensitive information and executing arbitrary commands. The malware is distributed through fake websites and SEO poisoning, and is linked to an aggressive cybercrime group. Recent campaigns have used taxation-themed documents and fake landing pages to deceive recipients into downloading the malware.

Latest mentioned: 10-18
Earliest mentioned: 10-16

A new Golang-based Linux rootkit named LinkPro has been discovered following an attack on a cloud-hosted infrastructure. The infection began with the exploitation of a vulnerable Jenkins server, leading to the deployment of malicious Docker images on Kubernetes clusters. LinkPro achieves stealth using advanced eBPF modules to hide its processes and network activity, activating its command-and-control functions only upon receiving a specific 'magic packet'. If kernel restrictions prevent eBPF use, the rootkit utilizes an alternative method to conceal its activities in user space. Once active, the malware grants attackers remote shell access, file operations, and SOCKS5 proxy tunneling capabilities.

Latest mentioned: 10-16
Earliest mentioned: 10-14

The Mysterious Elephant APT group is conducting a sophisticated cyber-espionage campaign targeting government and foreign policy agencies in the Asia-Pacific region. Attackers gain initial access through highly personalized spear-phishing emails, often with diplomatic themes, to deploy their malicious payloads. The group utilizes a custom toolkit, including the BabShell reverse shell and MemLoader modules, which execute malware in memory to evade detection. A primary objective is data exfiltration, with specialized tools designed to steal documents, images, and archives transmitted via WhatsApp and harvest browser data. Mysterious Elephant leverages a dynamic infrastructure with multiple VPS providers and wildcard DNS records, making their persistent and evolving threat difficult to track.

Latest mentioned: 10-16
Earliest mentioned: 10-15

A new campaign dubbed "Operation Zero Disco" is actively exploiting a high-severity SNMP vulnerability (CVE-2025-20352) in older Cisco IOS and IOS XE devices. Attackers leverage the flaw to achieve remote code execution and deploy sophisticated Linux rootkits on unprotected systems. Once compromised, the malware establishes persistent access by creating a universal backdoor password and installing fileless components that disappear after a reboot. The rootkit allows threat actors to hide their activity, bypass access controls, delete logs, and move laterally across segmented networks. While newer hardware offers some protection, detection remains difficult, requiring low-level firmware investigation for suspected compromises.

Latest mentioned: 10-16
Earliest mentioned: 10-16