Cyber Digests

no noise - just real cyber news

MostereRAT is a sophisticated remote access Trojan that employs novel evasion techniques and an obscure programming language to achieve covert, long-term system control, gaining high privileges and disabling security products. It utilizes legitimate remote access tools and phishing campaigns to gain initial access and maintain persistence, hindering detection and analysis by standard security tools.

Latest mentioned: 09-08
Earliest mentioned: 09-08

A novel cryptojacking campaign exploits Windows' charmap.exe to covertly mine cryptocurrency, initiating via spear-phishing and deploying a custom miner that bypasses traditional antivirus detection, resulting in severe system performance degradation. The attack maintains persistence through scheduled tasks and DLL side-loading, significantly impacting healthcare and education sectors.

Latest mentioned: 09-08
Earliest mentioned: 09-04

Researchers identified 45 previously unreported domains linked to Salt Typhoon and UNC4841, revealing shared infrastructure and persistent cyberespionage efforts, with some domains active since 2020 and facilitating long-term, stealthy access to targeted networks. Organizations are urged to check DNS logs for potential compromise, as one domain registered in April 2025 suggests potential renewed UNC4841 activity.

Latest mentioned: 09-08
Earliest mentioned: 09-08

A significant npm supply chain attack compromised 18 widely used packages, which together account for over 2 billion weekly downloads, to hijack cryptocurrency wallets at the browser level, potentially exposing Web3 application users to wallet hijacking. The malicious code targets browser-level crypto transactions, intercepting network traffic and rewriting destination addresses so that fraudulent transfers appear legitimate.

Latest mentioned: 09-08
Earliest mentioned: 09-02

North Korean actors are exploiting cyber threat intelligence platforms to monitor their infrastructure exposure and refine operations, rapidly deploying new assets to replace disrupted ones and compromising numerous victims in the cryptocurrency and blockchain sectors. The campaign has delivered OS-specific payloads to over 230 victims within three months, leveraging social engineering tactics and exposing critical operational details through OPSEC failures.

Latest mentioned: 09-08
Earliest mentioned: 09-04

Wealthsimple experienced a data breach, likely linked to the ShinyHunters group's ongoing Salesloft supply-chain campaign, resulting in unauthorized access to personal and financial data for a small percentage of clients, with the breach originating from a compromised third-party software package. The incident highlights ShinyHunters' evolving tactics, shifting from voice phishing to exploiting stolen OAuth tokens for cloud environment exploitation.

Latest mentioned: 09-08
Earliest mentioned: 09-05

A supply-chain breach originated from Salesloft's GitHub account, leading to the theft of Drift OAuth tokens and subsequent widespread Salesforce data theft attacks targeting customer credentials. The attackers gained initial access to GitHub, downloaded code, added guest accounts, and created rogue workflows. The breach has been contained, with credentials rotated and the Salesforce integration restored.

Latest mentioned: 09-08
Earliest mentioned: 09-07

Silver Fox is exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware, using a dual-driver strategy to neutralize endpoint protection products and allowing for malware deployment and persistence. The attackers have adapted to a patch by Watchdog, altering a single byte to bypass hash-based blocklists while preserving the driver's valid Microsoft signature.

Latest mentioned: 09-08
Earliest mentioned: 09-02

A critical zero-day vulnerability in Sitecore is being actively exploited, leveraging publicly known ViewState keys for Remote Code Execution, with the multi-stage attack involving initial probing, deploying reconnaissance tools, and using open-source tools for lateral movement and credential theft. The vulnerability stems from insecure ViewState deserialization due to users failing to generate unique keys.

A China-aligned threat actor has compromised at least 65 Windows servers globally, deploying custom tools for remote access and SEO fraud; initial access likely relied on SQL injection, followed by privilege escalation using the actor's own tooling. The actor maintains operational resilience through multiple backdoors, rogue administrator accounts, and legitimate remote access software.
