Cyber Digests


Latest Cyber News


A new wave of cyberattacks by the Tomiris group has been discovered, targeting government officials and diplomats across a region. The group, known for focusing on high-value political targets, has shifted to more advanced methods to hide its tracks, including using popular apps like Telegram and Discord to control infected computers. A report by Kaspersky reveals that the threat actor launched a sophisticated campaign in early 2025, using phishing emails disguised as official government correspondence. The emails contain password-protected archives with malicious programs that infect computers when opened. Tomiris writes its tools in a variety of programming languages, which makes detection harder. It also communicates with infected machines via legitimate public services, blending malicious activity with regular network traffic. The campaign primarily targets a specific language group, with over 50% of phishing emails written in that language. Security experts warn of the group's focus on stealth and long-term spying, urging organizations to scrutinize network traffic for subtle signs of compromise.

Latest mentioned: 11-29
Earliest mentioned: 11-28

Threat actors behind the Contagious Interview campaign have inundated the npm registry with 197 malicious packages designed to deliver a variant of OtterCookie. These packages, downloaded over 31,000 times, are crafted to evade detection, profile machines, and establish command-and-control channels. The malware aims to steal sensitive data, including browser credentials and cryptocurrency wallet information. The campaign is notable for its sustained tempo and adaptation to modern JavaScript and crypto-centric development workflows.

Latest mentioned: 11-28
Earliest mentioned: 11-25

Threat actors behind the Contagious Interview campaign have continued to infiltrate the npm registry with 197 more malicious packages since last month. These packages, designed to deliver a variant of OtterCookie, have been downloaded over 31,000 times. The malware evades sandboxes, profiles the machine, and establishes a command-and-control channel to steal sensitive data. The campaign targets blockchain and Web3 developers through fake job interviews and test assignments.

Latest mentioned: 11-28
Earliest mentioned: 11-28

A new Mirai-based botnet, ShadowV2, briefly targeted vulnerable IoT devices during an AWS outage in October. The botnet exploited vulnerabilities in products from DD-WRT, D-Link, DigiEver, TBK, and TP-Link, affecting multiple industries. ShadowV2's activity suggests a test run for future attacks, highlighting the ongoing security risks associated with IoT devices. The malware resembles the Mirai LZRD variant and supports various DDoS attack methods. Fortinet emphasizes the importance of keeping firmware updated and maintaining robust security practices to mitigate such threats.

Latest mentioned: 11-28
Earliest mentioned: 11-26

Socket’s Threat Research Team discovered a malicious Chrome extension, Crypto Copilot, published on June 18, 2024. The extension, marketed as a tool to execute trades instantly from social media feeds, secretly injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The fee behavior is hidden within heavily obfuscated code and is not disclosed on the Chrome Web Store listing. Users sign what appears to be a single swap, but both instructions execute atomically on-chain. The extension remains available, and a takedown request has been submitted to Google’s Chrome Web Store security team.

Latest mentioned: 11-27
Earliest mentioned: 11-26

The RomCom malware group targeted a civil engineering company using the SocGholish JavaScript loader to deliver the Mythic Agent. This marks the first observed instance of RomCom using SocGholish for distribution. The attack, attributed to a military unit, aimed at entities with ties to a specific region. The infection chain involved fake browser updates and a custom Python backdoor, highlighting the blend of cybercrime and espionage tactics.

Latest mentioned: 11-26
Earliest mentioned: 11-26

Water Gamayun, an advanced persistent threat group, has launched a new multi-stage intrusion campaign exploiting the MSC EvilTwin vulnerability in Windows MMC. The attack begins with a compromised Bing search result leading to a lookalike domain, which offers a double-extension RAR file disguised as a PDF. Opening this file triggers the exploitation of CVE-2025-26633, injecting malicious code into mmc.exe. The attack chain involves heavily obfuscated PowerShell scripts, a .NET class to hide console windows, and the final payload, iTunesC.exe, which installs backdoors or information-stealing malware. The campaign is attributed to Water Gamayun based on their distinctive PowerShell obfuscation patterns, infrastructure design, and social engineering themes.

Latest mentioned: 11-26
Earliest mentioned: 11-25

Cybersecurity firm Morphisec reported that StealC V2 infostealer is being spread through malicious Blender files on 3D model marketplaces. The malware abuses Blender’s ability to run Python scripts for automation and add-ons. The campaign, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader. Users unknowingly download these files, which execute embedded Python scripts upon opening in Blender. The attack chain begins with a tampered Rig_Ui.py script embedded inside the .blend file, which fetches a loader from a remote domain, downloading a PowerShell stage and ZIP archives containing Python-based stealers. The malware creates LNK files to secure persistence and uses Pyramid C2 channels to retrieve encrypted payloads. StealC V2 now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN, and mail clients.

Latest mentioned: 11-26
Earliest mentioned: 11-24

Cyble Research and Intelligence Labs (CRIL) has identified a new NFC relay malware campaign targeting mobile payment users. The malware, named RelayNFC, turns a victim's Android device into a remote card reader, enabling attackers to perform fraudulent contactless transactions. The malware is distributed through phishing sites and captures card data and PINs, relaying them to an attacker-controlled server. RelayNFC uses a real-time APDU relay channel and has zero detections on VirusTotal, indicating low visibility across security tools.

Latest mentioned: 11-26
Earliest mentioned: 11-25

The ToddyCat APT group has enhanced its cyber-espionage toolkit to infiltrate corporate email systems by stealing browser data, Outlook mail archives, and OAuth 2.0 access tokens from Microsoft 365. The group has developed a new PowerShell-based variant of TomBerBil, which runs on domain controllers and harvests browser files via SMB. Additionally, they use TCSectorCopy to copy OST files and XstReader to extract email contents. The attackers also target OAuth 2.0 tokens stored in the memory of Office apps to access cloud email.

Latest mentioned: 11-25
Earliest mentioned: 11-22