The WARMCOOKIE backdoor malware is undergoing active development, introducing significant new capabilities despite law enforcement disruptions. Recent variants feature enhanced execution handlers and a sophisticated "string bank" evasion technique that uses legitimate company names to disguise its presence on infected systems. The malware's infrastructure remains resilient, reusing expired SSL certificates and shifting towards domain-based command-and-control servers. Analysis of campaign IDs and encryption keys suggests a complex operational structure, possibly a malware-as-a-service model with customized builds for different operators. These continuous updates indicate WARMCOOKIE will remain a persistent and evolving threat, requiring adaptive defense strategies.
Latest Cyber News
Researchers have developed XRayC2, a new command-and-control framework that weaponizes the AWS X-Ray service. This technique allows attackers to establish covert communication channels by abusing the legitimate cloud monitoring infrastructure. Malicious traffic is blended with normal application data by using X-Ray's annotation feature to send commands and exfiltrate results. All communications are routed through legitimate AWS domains and authenticated with standard protocols, making detection extremely difficult. This development underscores the growing trend of attackers abusing trusted cloud services to bypass traditional security controls.
A critical remote code execution vulnerability, tracked as CVE-2025-10547, affects numerous DrayTek Vigor router models popular with small and medium-sized businesses. The flaw allows an unauthenticated attacker to gain complete control of a device by sending specially crafted HTTP requests to its web administration interface. This vulnerability is especially dangerous if remote management or EasyVPN features are enabled, as it can be exploited over the internet without credentials. A successful attack could allow threat actors to install backdoors, reconfigure network settings, or pivot to other devices on the internal network. The device manufacturer has released security patches and is urging all users to update their firmware immediately to mitigate the threat.
A sophisticated malware campaign dubbed "TamperedChef" is infiltrating corporate networks using malicious advertising to promote trojanized productivity tools. The primary decoy, a fully functional PDF editor, operates undetected for months before activating to steal browser-stored credentials. This malware uses advanced evasion techniques, including valid digital signatures and hidden code, to bypass security controls and establish persistence on infected systems. After exfiltrating sensitive data, the attackers attempt to cover their tracks by releasing "clean" versions of the app. Researchers warn that the threat actors are already developing new decoy tools, continuing the campaign under a different guise.
Cybersecurity firm GreyNoise reported a 500% surge in scanning activity targeting Palo Alto Networks login portals, marking the highest level in three months. The reconnaissance involved over 1,200 IP addresses, with 93% classified as suspicious, originating from various international locations. This activity shares characteristics with recent scanning campaigns against other network hardware, including overlapping tools and infrastructure tied to a specific region. The similarity suggests a potential connection between the operators behind the campaigns. Such significant spikes in scanning can often precede the public disclosure of new zero-day vulnerabilities, prompting close monitoring of the situation.
A new attack method called CometJacking targets agentic AI browsers by embedding malicious prompts within a single URL. When a user clicks the crafted link, it secretly instructs the AI agent to access and collect sensitive data from connected services like email and calendars. The attack bypasses built-in security protections by obfuscating the stolen data using simple encoding before exfiltrating it to an attacker-controlled server. This prompt injection technique effectively turns the trusted AI assistant into an insider threat, capable of siphoning information without requiring credentials or further user interaction. Despite researchers demonstrating the risk, the AI browser's developer reportedly dismissed the findings as having no security impact.
Discord has disclosed a data breach after an unauthorized party compromised one of its third-party customer service providers. The incident impacted a limited number of users who had communicated with the platform's Customer Support or Trust & Safety teams. Exposed data includes names, email addresses, IP addresses, partial payment information, and the content of support messages. For a small number of users, government-issued ID images were also accessed by the attackers, who reportedly demanded a ransom. Discord has revoked the provider's access, launched an investigation, and is notifying affected users.
A recently disclosed DLL hijacking vulnerability in the popular Notepad++ editor, tracked as CVE-2025-56383, has been detailed with a proof-of-concept exploit. The flaw allows an attacker to replace a plugin's DLL file with a malicious version, leading to arbitrary code execution when the application starts. However, the legitimacy of this vulnerability is heavily disputed within the security community and by the application's developers. Critics argue that exploiting the flaw requires an attacker to already have write access to the protected application directory, a level of privilege that would allow them to compromise the system in other ways. Due to this prerequisite, the development team does not consider it a true vulnerability and has no plans to issue a patch.
A critical vulnerability has been discovered in numerous DrayTek routers running DrayOS, allowing for potential remote code execution. The flaw can be exploited by an unauthenticated attacker sending a specially crafted request to the device's web interface. Successful exploitation can cause memory corruption, leading to a system crash or allowing an attacker to run arbitrary code. While routers with remote access disabled are protected from external threats, attackers on the local network can still exploit the vulnerability. The manufacturer has released firmware updates to patch the issue and strongly advises all users to upgrade their devices immediately.
A major medical center was targeted in a cyberattack, resulting in the exposure of sensitive patient information from email communications. While the hospital's core medical record system remained secure, the attackers managed to access and leak some confidential data. A cybercrime organization has claimed responsibility, alleging the theft of terabytes of data and demanding a substantial ransom to prevent its public release. Hospital officials have assured the public that clinical operations were not affected and patient care continued without interruption. This incident highlights a concerning trend of cyberattacks targeting vulnerable healthcare infrastructure.