Threat actors have updated their tactics by using JSON storage services to host and deliver malware. The campaign involves targeting software developers through professional networking sites, instructing them to download trojanized code projects. These projects contain Base64-encoded values that lead to JSON storage services, where the next-stage payload, a JavaScript malware known as BeaverTail, is stored. BeaverTail harvests sensitive data and drops a Python backdoor called InvisibleFerret, which fetches additional payloads. The campaign's success underscores the actors' ability to operate stealthily and blend in with normal traffic.
Latest Cyber News
Anthropic reported a sophisticated cyber espionage campaign using its AI coding assistant, Claude Code. The attackers, likely state-sponsored, targeted large tech companies, financial institutions, and government agencies. Claude Code performed most tasks autonomously, with minimal human intervention. The campaign, detected in September 2025, involved a six-phase attack flow, including reconnaissance, vulnerability discovery, and data extraction. Anthropic has since banned malicious accounts and enhanced its detection capabilities.
Kraken ransomware, targeting Windows, Linux, and VMware ESXi systems, has introduced a unique feature that tests machine performance to optimize encryption speed. This ransomware, which emerged as a continuation of the HelloKitty operation, engages in big-game hunting attacks with data theft for double extortion. Kraken's data leak site lists victims from various regions, and the group has launched a new cybercrime forum named 'The Last Haven Board' for secure communications. The ransomware's attack chain involves exploiting SMB vulnerabilities, using Cloudflared and SSHFS tools for persistence and data exfiltration, and conducting performance benchmarks before encryption.
Amazon’s threat intelligence division uncovered an advanced persistent threat (APT) group exploiting zero-day vulnerabilities in Cisco and Citrix systems. The attackers targeted critical identity and network access control infrastructure, using undisclosed flaws before vendors issued patches. Amazon’s MadPot honeypot service detected the exploitation attempts, leading to the identification of CVE-2025-5777 and CVE-2025-20337. The threat actor deployed a custom web shell disguised as a legitimate component, operating in-memory and using Java reflection for stealth. Security teams are advised to implement defense-in-depth strategies and closely monitor for anomalous activity.
Security researchers at ENKI have uncovered a sophisticated espionage campaign by the Lazarus Group targeting aerospace and defense organizations. The campaign, active since March 2025, uses phishing operations with malicious Word documents disguised as legitimate communications. The new Comebacker backdoor variant demonstrates significant technical evolution, including encrypted command-and-control communications and sophisticated persistence mechanisms. The campaign's focus on specific organizations indicates strategic targeting aligned with espionage objectives.
Threat hunters have uncovered similarities between banking malware Coyote and Maverick, both targeting users and banks in a specific region. Both malware strains are written in .NET and feature identical functionality to decrypt banking URLs and monitor banking applications. Maverick, attributed to a threat actor dubbed Water Saci, spreads through WhatsApp Web and monitors active browser tabs for financial institution URLs. The malware establishes contact with a remote server to fetch commands and steal credentials. Cybersecurity firms have noted code overlaps between Maverick and Coyote, suggesting a possible evolution or shared development.
A new cyber-attack has been discovered exploiting Google’s Find Hub service to remotely wipe data from Android devices. The attack, linked to a long-running APT campaign, involved distributing malicious files disguised as stress-relief programs through a popular messenger. Attackers impersonated psychological counselors and human rights activists to gain trust. Once executed, the infected files obtained Google account credentials and triggered the Find Hub remote-wipe function, deleting all data on targeted smartphones and tablets. This marks the first confirmed case of a state-sponsored group abusing Google’s device management feature for destructive operations.
Hackers exploited a critical Triofox flaw, CVE-2025-12480, to bypass authentication and install remote access tools via the platform’s antivirus feature. Google’s Mandiant researchers spotted the threat actors exploiting the vulnerability, which allowed them to upload and run remote access tools. The attackers used a newly created admin account to execute malicious scripts with SYSTEM privileges, deploying tools like Zoho Assist and AnyDesk for remote access. Mandiant recommends upgrading to the latest Triofox release and auditing admin accounts to mitigate the risk.
The Acronis Threat Research Unit has identified a new DragonForce ransomware variant showcasing advanced technical sophistication and organizational structure. The updated malware leverages Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and terminate protected processes, addressing previous encryption flaws. Originally emerging in 2023, DragonForce rebranded itself as a 'cartel' in early 2025, attracting affiliates with customizable encryptors and infrastructure access. The group has become more aggressive, increasing global victim postings and expanding collaborations, notably in a joint attack with the Scattered Spider intrusion group. Acronis analysts observed that the latest DragonForce binaries are significantly larger, suggesting a change in the development toolchain. The new builds, compiled using MinGW, consolidate the group’s multi-platform ransomware codebase. Despite its updated framework, the codebase remains rooted in Conti’s leaked source, reusing functions like InitializeApiModule and DisableHooks. The ransomware’s configuration file allows affiliates to define custom extensions, blacklists, and process kill lists, including Microsoft Defender and SQL services. Most notably, the use_sys flag activates BYOVD process termination, using Truesight and BadRentdrv2 drivers to forcibly kill antivirus and EDR software. Acronis TRU identified links between DragonForce and a new ransomware family known as Devman, whose samples were built using DragonForce’s builder and infrastructure.
Cybersecurity researchers at Zensec have uncovered a supply-chain attack campaign where ransomware groups exploited vulnerabilities in SimpleHelp RMM software to deploy ransomware across multiple organisations. The attacks, conducted by Medusa and DragonForce groups, leveraged unpatched vulnerabilities to gain SYSTEM-level privileges and move laterally within victim networks. Both groups used legitimate IT management tools to execute ransomware payloads and exfiltrate data, highlighting the critical need for supply chain security and patch management.