Cyber Digests

just real cyber news

Latest Cyber News

Curated cybersecurity intelligence • Updated continuously

A state-aligned threat actor is using AI platforms like ChatGPT to enhance sophisticated cyberattacks against global organizations. The group conducts advanced spear-phishing campaigns, using AI to craft fluent, multilingual emails to build rapport with targets before deploying malware. Technical analysis of their custom malware, GOVERSHELL, reveals unusual development patterns and artifacts suggesting AI-assisted creation. The attackers create fabricated personas and organizations to socially engineer victims into downloading malicious payloads. This activity represents a significant evolution in automated social engineering and espionage threats.

Latest mentioned: 10-09
Earliest mentioned: 10-09

A prominent law firm announced it was breached by suspected nation-state hackers who exploited a previously unknown zero-day vulnerability. The attack specifically targeted the email accounts of a select group of attorneys to gather intelligence. The threat actor is believed to be part of a broader espionage campaign targeting the legal sector for information on national security and trade. While the firm has taken steps to block the threat, the incident is under investigation by federal authorities. The firm stated there is no evidence that confidential client data was taken from its central file databases.

Latest mentioned: 10-08
Earliest mentioned: 10-08

A critical authentication bypass vulnerability in the Service Finder WordPress theme is being actively exploited by threat actors. Tracked as CVE-2025-5947, the flaw allows unauthenticated attackers to gain full administrator privileges on affected websites without a password. The vulnerability stems from an insecure account-switching feature that can be triggered with a simple crafted request. Security researchers have detected over 13,800 exploitation attempts targeting the flaw, which affects the theme's 6,000+ users. Administrators using Service Finder versions 6.0 or older are urged to update to the patched version immediately to prevent a complete site takeover.

Latest mentioned: 10-08
Earliest mentioned: 10-08

Suspected state-sponsored hackers are weaponizing a legitimate open-source monitoring tool called Nezha to compromise systems across multiple regions. Attackers gain initial access by exploiting vulnerable web applications, using a creative log poisoning technique to install a web shell. The Nezha tool is then deployed to maintain control over infected machines and deliver secondary payloads, including the Ghost RAT malware. The campaign has impacted over 100 victims, with evidence suggesting a coordinated effort by a sophisticated threat actor. This incident highlights a growing trend of attackers abusing legitimate software to evade detection and carry out espionage operations.

Latest mentioned: 10-08
Earliest mentioned: 10-08

A new C++ variant of Chaos ransomware has been identified, marking a significant evolution from its previous .NET versions. This updated malware employs a destructive strategy, encrypting small files, skipping medium ones, and permanently deleting the content of large files. It introduces a novel clipboard hijacking feature designed to steal cryptocurrency by replacing wallet addresses copied by the user. The ransomware masquerades as a system utility to trick users while silently executing its payload. This shift in tactics indicates Chaos is becoming more of a destructive wiper, prioritizing speed and irreversible data loss over traditional encryption.

Latest mentioned: 10-08
Earliest mentioned: 10-08

Two significant vulnerabilities have been discovered in Nagios Log Server, affecting versions prior to 2024R1.3.2. The most critical flaw, CVE-2025-44823, allows any authenticated user to retrieve administrative API keys in cleartext, potentially leading to a full system compromise. A second high-severity vulnerability, CVE-2025-44824, enables users with only read-only access to shut down the Elasticsearch service, causing a denial of service. These flaws expose critical monitoring infrastructure to unauthorized access and disruption. Administrators are urged to upgrade to the patched version immediately and rotate all API keys as a precaution.

Latest mentioned: 10-08
Earliest mentioned: 10-08

A critical vulnerability has been discovered in the AWS Client VPN software for macOS, tracked as CVE-2025-11462. The flaw allows a local, non-administrative user to gain full root privileges on a device through a symlink manipulation attack. The issue stems from the client's failure to properly validate log file destinations during log rotation, enabling an attacker to write to sensitive system files. Successful exploitation could lead to complete system compromise, malware installation, or data theft. AWS has released a patch in version 5.2.1, and all macOS users are urged to update immediately as no other workarounds are available.

Latest mentioned: 10-08
Earliest mentioned: 10-08

The sports gambling company DraftKings has been targeted by a credential stuffing campaign where attackers used stolen logins from other data breaches. While the company found no evidence its own systems were breached, unauthorized access to some user accounts may have exposed data like names, addresses, and transaction details. In response, DraftKings is forcing password resets for affected users and has implemented additional security safeguards. The incident was contained quickly, but it underscores the risks of password reuse across different services. All users are strongly urged to reset their passwords and enable multi-factor authentication to protect their accounts.

Latest mentioned: 10-08
Earliest mentioned: 10-07

A new phishing kit, the IUAM ClickFix Generator, is automating sophisticated social engineering attacks by creating fake browser verification pages. The tool tricks victims into manually running malicious commands, using clipboard injection to deliver malware like the DeerStealer and Odyssey infostealers across multiple operating systems. By commoditizing this "ClickFix" attack method, the kit lowers the barrier for cybercriminals of all skill levels to launch effective campaigns. This trend highlights the growing threat of phishing-as-a-service, where complex attack tools are made easily accessible. Users are warned to never manually execute commands prompted by a website to prove they are human.

Latest mentioned: 10-08
Earliest mentioned: 10-08

A new malware strain named Shuyal Stealer has been identified, designed to steal login credentials from over 17 different web browsers. Beyond credential theft, the infostealer performs deep system profiling, captures screenshots, records clipboard contents, and extracts Discord authentication tokens. To remain hidden, Shuyal Stealer disables the Windows Task Manager and ensures its persistence by copying itself into the Startup folder. The stolen data is compressed and exfiltrated to attackers using a hardcoded Telegram bot for stealthy communication. After successfully sending the data, the malware executes a self-deletion routine to erase its tracks and complicate forensic analysis.

Latest mentioned: 10-08
Earliest mentioned: 10-08