Cyber Digests

just real cyber news

Latest Cyber News


The threat actors behind the Winos 4.0 malware have expanded their targeting to new regions, using phishing emails that carry PDFs with embedded malicious links. The attacks deliver the HoldingHands RAT, which can capture sensitive information and execute arbitrary commands. The malware is also distributed through fake websites and SEO poisoning and is attributed to an aggressive cybercrime group. Recent campaigns used taxation-themed documents and fake landing pages to lure recipients into downloading it.

Latest mentioned: 10-18
Earliest mentioned: 10-16

A new Golang-based Linux rootkit named LinkPro has been discovered following an attack on a cloud-hosted infrastructure. The infection began with the exploitation of a vulnerable Jenkins server, leading to the deployment of malicious Docker images on Kubernetes clusters. LinkPro achieves stealth using advanced eBPF modules to hide its processes and network activity, activating its command-and-control functions only upon receiving a specific 'magic packet'. If kernel restrictions prevent eBPF use, the rootkit utilizes an alternative method to conceal its activities in user space. Once active, the malware grants attackers remote shell access, file operations, and SOCKS5 proxy tunneling capabilities.

Latest mentioned: 10-16
Earliest mentioned: 10-14

The Mysterious Elephant APT group is conducting a sophisticated cyber-espionage campaign targeting government and foreign policy agencies in the Asia-Pacific region. Attackers gain initial access through highly personalized spear-phishing emails, often with diplomatic themes, to deploy their malicious payloads. The group utilizes a custom toolkit, including the BabShell reverse shell and MemLoader modules, which execute malware in memory to evade detection. A primary objective is data exfiltration, with specialized tools designed to steal documents, images, and archives transmitted via WhatsApp and harvest browser data. Mysterious Elephant leverages a dynamic infrastructure with multiple VPS providers and wildcard DNS records, making their persistent and evolving threat difficult to track.

Latest mentioned: 10-16
Earliest mentioned: 10-15

A new campaign dubbed "Operation Zero Disco" is actively exploiting a high-severity SNMP vulnerability (CVE-2025-20352) in older Cisco IOS and IOS XE devices. Attackers use the flaw to achieve remote code execution and deploy Linux rootkits on unprotected systems. Once a device is compromised, the malware sets a universal backdoor password and installs fileless, in-memory components that do not survive a reboot. The rootkit lets the attackers hide their activity, bypass access controls, delete logs and move laterally across segmented networks. Newer hardware offers some protection, but detection remains difficult, and a suspected compromise requires low-level firmware investigation.

Latest mentioned: 10-16
Earliest mentioned: 10-16

A new multi-stage malware loader, dubbed PhantomVAI Loader, is being distributed through widespread phishing campaigns to deliver a range of information stealers. The chain starts with a malicious script attached to a phishing email, which downloads a seemingly harmless image file and extracts the loader hidden inside it (steganography). Once running, the .NET-based loader checks for virtual machines to evade analysis before establishing persistence on the host. It then downloads its final payload, such as AsyncRAT, XWorm or Katz Stealer, and injects it into a legitimate system process to bypass security defenses. Sold as malware-as-a-service, it targets a wide range of industries globally with a sophisticated and evasive infection chain.

Latest mentioned: 10-16
Earliest mentioned: 10-15

A state-linked threat actor, tracked as Jewelbug, has been attributed to a five-month-long intrusion against an IT service provider in a partner nation. The espionage campaign gave the attackers access to code repositories and software build systems, creating the potential for a widespread supply chain attack against the firm's customers. To remain undetected, the group exfiltrated data to a popular local cloud service and utilized legitimate system tools like the Microsoft Console Debugger. This incident is part of a broader campaign by Jewelbug, which has also targeted government and technology entities in other regions with an evolving toolset, including a new backdoor that uses Microsoft Graph API for command-and-control. The group's focus on IT service providers and its use of stealthy techniques highlight its sophisticated capabilities and long-term espionage objectives.

Latest mentioned: 10-15
Earliest mentioned: 10-15

A new Android malware campaign, dubbed GhostBat RAT, is spreading through fake government transport applications. Distributed via messaging apps and malicious links, the malware uses sophisticated techniques like multi-stage droppers and heavy obfuscation to evade detection. Once installed, it presents phishing pages to steal banking credentials and UPI PINs from unsuspecting victims. The malware also exfiltrates SMS messages, targeting OTPs to facilitate unauthorized transactions, and includes a cryptocurrency mining module. Attackers manage compromised devices using a Telegram bot, which establishes a command-and-control channel for real-time monitoring.

Latest mentioned: 10-15
Earliest mentioned: 10-09

A sophisticated threat actor has compromised over 17,000 developers by distributing malicious Visual Studio Code extensions that appear to be legitimate, functional tools. These trojanized extensions secretly steal source code, hijack computer resources for cryptocurrency mining, and install persistent backdoors for remote control. While Microsoft removed some of the offending extensions from its marketplace, they remain active on alternative platforms like OpenVSX. The threat actor continues to republish the same malicious code under new names, demonstrating a persistent threat to the developer community. This operation exposes significant security gaps in the extension marketplace ecosystem, leaving developers unknowingly vulnerable to attack.

Latest mentioned: 10-15
Earliest mentioned: 10-14
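The practical check the extension-marketplace story calls for is an inventory of what is actually installed on a developer machine, compared against an approved list, so that a known-bad extension republished under a new name still surfaces as something nobody reviewed. The script below is an added example and not code from the report or from Microsoft. It reads the package.json manifests that VS Code keeps under ~/.vscode/extensions (VSCodium and other Open VSX based builds use ~/.vscode-oss/extensions) and, for the demo, builds a constructed sample tree in a temporary directory so it runs offline; the third extension ID in that sample is invented for the demo and is not one named in the report.

```python
"""Audit locally installed VS Code extensions against an allowlist.

Added example, not code from the report summarised above or from Microsoft.
Each installed extension lives in <ext_dir>/<publisher.name-version>/ with a
package.json manifest; the stable identifier is publisher.name, which is what
an allowlist should be keyed on (folder names and display names are cheap to
change when a malicious extension is republished).
"""
import json
import tempfile
from pathlib import Path


def inventory(ext_dir):
    """Return {publisher.name (lowercase): version} for every manifest under ext_dir."""
    found = {}
    for manifest in Path(ext_dir).glob("*/package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skipped here, but worth a manual look
        publisher = data.get("publisher")
        name = data.get("name")
        if not publisher or not name:
            continue
        found[f"{publisher}.{name}".lower()] = data.get("version", "?")
    return found


def audit(ext_dir, allowlist):
    """Return a sorted list of (extension_id, version) not present on the allowlist."""
    allowed = {entry.lower() for entry in allowlist}
    return sorted((ext_id, ver) for ext_id, ver in inventory(ext_dir).items()
                  if ext_id not in allowed)


def build_sample_tree(root):
    """Constructed sample: two allowlisted extensions plus one unknown extension.
    'devtools-pro.code-helper' is an invented ID for the demo, not a real or reported one."""
    samples = [
        ("ms-python.python-2024.1.0",
         {"publisher": "ms-python", "name": "python", "version": "2024.1.0"}),
        ("esbenp.prettier-vscode-10.4.0",
         {"publisher": "esbenp", "name": "prettier-vscode", "version": "10.4.0"}),
        ("devtools-pro.code-helper-1.0.3",
         {"publisher": "devtools-pro", "name": "code-helper", "version": "1.0.3"}),
    ]
    for folder, manifest in samples:
        ext_path = Path(root) / folder
        ext_path.mkdir(parents=True, exist_ok=True)
        (ext_path / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


# Approved extensions; in real use this comes from the team's reviewed list.
ALLOWLIST = ["ms-python.python", "esbenp.prettier-vscode"]


def demo():
    """Run the audit over the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp, ALLOWLIST)


if __name__ == "__main__":
    # Against a real machine: audit(Path.home() / ".vscode" / "extensions", ALLOWLIST)
    for ext_id, version in demo():
        print(f"not on allowlist: {ext_id} {version}")
```

Matching on publisher.name rather than display name is deliberate: the report's point is that the same code reappears under new names, so anything not explicitly approved, whatever it calls itself, should be treated as unreviewed until someone has looked at it.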

A new side-channel attack named Pixnapping allows malicious Android apps to steal sensitive data directly from a device's screen. The attack requires no special permissions and exploits a GPU hardware vulnerability to covertly reconstruct visual information from other applications, pixel by pixel. Researchers demonstrated that it can extract two-factor authentication codes in under 30 seconds, as well as private messages and financial details from popular apps. This vulnerability affects a wide range of modern smartphones running recent versions of the Android operating system. While an initial patch was released for the high-severity flaw, a bypass was quickly developed, with a more comprehensive fix expected in a future security update.

Latest mentioned: 10-15
Earliest mentioned: 10-14

Security researchers have uncovered a sophisticated botnet implant named PolarEdge targeting various IoT and NAS devices. The malware exploits a known vulnerability to deploy a backdoor that establishes a custom TLS server for command-and-control operations. Its proprietary binary protocol allows unauthenticated attackers to execute arbitrary shell commands on compromised systems. PolarEdge employs advanced evasion tactics, including multiple layers of encryption and anti-analysis techniques like process masquerading to remain hidden. The implant sends daily device fingerprints to its C2 server and features flexible modes for file retrieval and on-the-fly configuration updates.

Latest mentioned: 10-14
Earliest mentioned: 10-14