Latest Cyber News

Researchers have discovered a critical vulnerability, dubbed RMPocalypse (CVE-2025-0033), affecting multiple AMD EPYC processors. The flaw exploits a race condition during the initialization of the Reverse Map Paging (RMP) table, a core component of the Secure Encrypted Virtualization (SEV-SNP) technology. This allows a malicious hypervisor to corrupt the RMP, completely bypassing the confidentiality and integrity guarantees of SEV-SNP. Successful exploitation enables attackers to tamper with isolated virtual machines, forge security attestations, and exfiltrate all secrets with a 100% success rate. In response, the chipmaker has released firmware updates to mitigate the issue and protect confidential computing environments.

A newly identified threat actor, TA585, is notable for managing its entire attack chain in-house, from infrastructure to payload delivery. The group deploys the sophisticated MonsterV2 malware, a feature-rich remote access trojan, stealer, and loader sold as a high-priced service on criminal forums. TA585 uses innovative tactics like government-themed phishing and web injects that employ a "ClickFix" technique, tricking victims into manually executing malicious PowerShell commands via fake CAPTCHA prompts. MonsterV2 itself boasts advanced capabilities, including remote desktop control, comprehensive data theft, and anti-detection mechanisms to evade security analysis. This actor's self-sufficient and advanced operational model highlights a significant shift in the cybercrime ecosystem, demanding more adaptive defense strategies.

A resurgent Akira ransomware campaign is actively exploiting a year-old vulnerability in unpatched SonicWall SSL VPN appliances to gain initial network access. Attackers move laterally, harvest credentials using advanced techniques like "UnPAC the Hash," and exfiltrate data before deploying the ransomware. The attacks, which often target VMware ESXi environments, have been observed globally across multiple sectors. This activity coincides with a separate security incident where SonicWall firewall configuration backups were exposed, potentially providing threat actors with valid credentials. Security experts urge organizations to immediately patch vulnerable devices, reset all credentials, and enforce multi-factor authentication.

A nascent pro-state hacktivist group known as TwoNet was recently lured into attacking a honeypot disguised as a water treatment utility. The attackers gained initial access using default credentials, performed SQL reconnaissance, and proceeded to deface the human-machine interface (HMI) and disrupt simulated industrial processes. Following the intrusion, the group falsely claimed responsibility for a real-world critical infrastructure attack on their public channels to inflate their reputation. This incident highlights a dangerous trend of hacktivists pivoting from simple DDoS attacks to targeting operational technology (OT) and industrial control systems (ICS). The event underscores the ephemeral nature of these groups, as TwoNet disbanded shortly after, and demonstrates the value of honeypots in distinguishing genuine threats from propaganda.

State-sponsored threat actors are targeting cryptocurrency and blockchain developers in a sophisticated supply chain attack dubbed the "Contagious Interview" campaign. The operation uses fake job offers on professional networking sites to trick developers into installing malicious npm packages disguised as coding assignments. Over 338 typosquatted and malicious packages have been deployed, leading to more than 50,000 downloads by unsuspecting victims. Once installed, the malware deploys backdoors like BeaverTail and InvisibleFerret to steal credentials and cryptocurrency assets. This persistent, factory-style operation highlights a significant and evolving threat to the open-source software ecosystem.

A new Astaroth banking trojan campaign is using GitHub as a resilient backbone for its operations. Instead of relying on traditional command-and-control (C2) servers that can be shut down, the malware hosts its configurations within image files on the platform using steganography. The attack begins with phishing emails that trick users into downloading a malicious shortcut file, which installs the malware. Astaroth then monitors for visits to banking and cryptocurrency websites, using keylogging to steal credentials. This innovative use of a legitimate service makes the malware's infrastructure significantly harder to disrupt.

Threat actors are weaponizing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in sophisticated multi-variant ransomware campaigns. A group tracked as Storm-2603 reportedly exploits SharePoint vulnerabilities to gain initial access, then deploys an outdated and vulnerable version of Velociraptor to maintain persistence and escalate privileges. The attackers proceed to move laterally, disable security defenses by modifying Group Policy Objects, and exfiltrate data. Subsequently, they encrypt Windows servers and VMware ESXi virtual machines using a combination of Warlock, LockBit, and Babuk ransomware. This campaign is notable for being the first time this actor has been linked to Babuk and for confirming the abuse of Velociraptor in live ransomware incidents.

A critical vulnerability in GitHub Copilot Chat allowed attackers to silently exfiltrate private source code and secrets from repositories. The attack involved remote prompt injection, where malicious instructions were hidden within pull request descriptions. When a user viewed the pull request, their Copilot instance would execute the hidden prompt with their permissions. Attackers bypassed GitHub's Content Security Policy using the platform's own Camo image proxy to leak the stolen data. GitHub has since patched the flaw by disabling image rendering in Copilot Chat to prevent this exfiltration vector.

A widespread phishing campaign, dubbed "Beamglea," has been discovered leveraging 175 malicious npm packages to target over 135 companies globally. These packages, downloaded over 26,000 times, do not execute malicious code upon installation but instead use npm and the unpkg.com CDN to host redirect scripts. Attackers distribute HTML lures, likely via email, which, when opened, run a script that sends victims to a credential harvesting page. The script cleverly pre-fills the victim's email address on the phishing page to increase its legitimacy and the attack's success rate. This automated campaign highlights a novel abuse of legitimate open-source infrastructure for resilient and low-cost phishing operations.

State-sponsored hackers are now using artificial intelligence to create malware, marking a significant escalation in their cyber operations against a specific nation, according to a new government report. The report, which documented over 3,000 incidents in the first half of 2025, highlights that AI is being used not just for phishing but for generating malicious code itself, such as the WRECKSTEEL data-stealing malware. As the target's cyber defenses improve, attackers are shifting tactics to include zero-click exploits in webmail software and short-term "Steal & Go" data theft operations. These threat actors also continue to engage in hybrid warfare, synchronizing their cyberattacks with kinetic military actions to maximize disruption. Furthermore, attackers are increasingly abusing legitimate cloud services for hosting malware and exfiltrating stolen data, adapting their methods to bypass security measures.