A hacking collective known as Scattered LAPSUS$ Hunters has launched a data leak site to extort dozens of companies. The group is threatening to release approximately one billion records stolen from victims' Salesforce instances if ransoms are not paid. High-profile organizations are listed on the site with samples of their stolen data, which includes sensitive customer and employee information. The threat actors are also pressuring Salesforce directly to pay a ransom to prevent the data of all its affected customers from being leaked. While the attacks targeted individual customer accounts, the cloud service provider states its core platform was not compromised.
Latest Cyber News
A new self-propagating malware, codenamed SORVEPOTEL, is targeting users through the popular messaging app WhatsApp. The campaign spreads via phishing messages containing malicious ZIP files, primarily affecting Windows systems in a specific country. Engineered for rapid propagation rather than data theft, the malware hijacks the desktop version of WhatsApp to spam all of the user's contacts and groups. This automated spreading often results in the compromised account being banned for violating the platform's terms of service. The attack begins with a message from an already compromised contact, lending it credibility to trick users into opening the malicious attachment.
Security researchers have detected a sudden and coordinated surge in exploitation attempts targeting a known Grafana path traversal vulnerability, CVE-2021-43798. Over a single day, 110 unique malicious IP addresses were observed scanning for vulnerable servers, with attacks focused on endpoints in just three geographic areas. The majority of the attack traffic originated from a single region, with most of the source IPs appearing for the first time on the day of the attack. The uniform targeting patterns and shared network fingerprints suggest a coordinated campaign using a common exploit kit rather than random scans. This activity highlights the ongoing risk posed by unpatched, older vulnerabilities, which are often used as an initial entry point in multi-stage attacks.
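The surge described above is the kind of signal a defender can pull out of Grafana or reverse-proxy access logs. The following is an added example, not code from the original report or from the Grafana project: it flags requests under the plugin asset path that still contain a `..` segment after URL decoding, then highlights days on which most of the traversal sources had never been seen before, mirroring the "first seen on the day of the attack" observation. The `/public/plugins/` prefix, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report); IPs are RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    '192.0.2.5 - - [02/Oct/2025:09:00:00 +0000] "GET /public/plugins/table/../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.10 - - [03/Oct/2025:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.11 - - [03/Oct/2025:10:01:05 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [03/Oct/2025:10:02:11 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 9823',
    '203.0.113.12 - - [03/Oct/2025:10:03:40 +0000] "GET /public/plugins/piechart/..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1843',
    '192.0.2.5 - - [03/Oct/2025:10:05:00 +0000] "GET /public/plugins/table/../../etc/passwd HTTP/1.1" 200 1843',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "(\S+) (\S+) [^"]*"')
PLUGIN_PREFIX = "/public/plugins/"  # static plugin asset path; assumed for this deployment

def parse_line(line):
    """Return (day, client_ip, request_path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day_str, _method, path = m.groups()
    return datetime.strptime(day_str, "%d/%b/%Y").date(), ip, path

def is_plugin_traversal(path):
    """True if a plugin-path request still holds a '..' segment after unwrapping single and double URL-encoding."""
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return decoded.startswith(PLUGIN_PREFIX) and ".." in decoded.split("/")

def traversal_sources_by_day(lines):
    """Map each day to the set of client IPs that sent at least one traversal request."""
    by_day = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_plugin_traversal(parsed[2]):
            by_day[parsed[0]].add(parsed[1])
    return by_day

def flag_surge_days(by_day, min_ips=3, min_first_seen_ratio=0.5):
    """Return (day, source_count, first_seen_count) for days with many traversal sources, mostly new."""
    flagged, seen = [], set()
    for day in sorted(by_day):
        ips = by_day[day]
        first_seen = ips - seen
        if len(ips) >= min_ips and len(first_seen) / len(ips) >= min_first_seen_ratio:
            flagged.append((day, len(ips), len(first_seen)))
        seen |= ips
    return flagged
```

Against real logs the thresholds need tuning to the site's baseline of routine scanner noise, otherwise every day with a handful of opportunistic probes will be flagged.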
A cybercrime group identified as UAT-8099 is compromising Internet Information Services (IIS) servers in several regions to manipulate search results and steal sensitive data. The attackers use custom malware like BadIIS to gain and maintain persistent access, often going undetected for long periods. Their objectives include both financial gain from search engine optimization manipulation and espionage through the theft of credentials and certificates. The group also takes steps to secure its access, preventing other threat actors from taking over the compromised servers. Security teams should audit IIS environments for unauthorized web shells, suspicious remote access, and other indicators of compromise.
A threat actor tracked as Cavalry Werewolf is actively targeting public sector agencies and enterprises in the energy and manufacturing sectors. The group initiates attacks using targeted phishing emails that impersonate government officials to deliver malicious archives. These archives contain custom malware families such as FoalShell and StallionRAT, which provide attackers with remote access and command execution capabilities. StallionRAT notably uses a Telegram bot for its command-and-control infrastructure, allowing operators to exfiltrate data and upload additional tools. Evidence suggests the group is expanding its operations, with artifacts indicating a broader geographic focus.
The notorious XWorm malware has resurfaced as version 6.0, despite being considered retired after its previous version was compromised. This new iteration is distributed through phishing emails and uses a multi-stage infection chain to inject itself into legitimate system processes. Its modular architecture allows attackers to deploy over 35 specialized plugins for activities ranging from data theft and remote control to ransomware deployment. XWorm V6.0 also introduces advanced persistence methods to survive system resets and fixes critical vulnerabilities found in its predecessor. A multi-layered, behavior-focused security posture is essential to defend against this evolving threat.
A major automaker is notifying customers of a data breach that occurred after a third-party supplier was hacked. The incident exposed personal details such as names, contact information, and vehicle identification numbers, although no financial data was compromised. The company has clarified that its own internal systems were not breached and that the security flaw at the vendor has been contained. Customers are being advised to remain vigilant for potential phishing attacks that could leverage their stolen information. This breach underscores a rising trend of cyberattacks targeting the automotive sector's supply chain to access valuable customer data.
A sophisticated information stealer named Rhadamanthys is being sold on underground markets as a professional Malware-as-a-Service. The operators use a subscription-based model with tiered pricing, mimicking legitimate software businesses to attract serious cybercriminals. Its latest version introduces advanced features, including custom executable formats, strong obfuscation, and payload delivery hidden within PNG image files. The malware also employs enhanced evasion techniques to bypass security analysis and sandbox environments. Rhadamanthys is designed to steal a wide range of sensitive data, including credentials, cryptocurrency wallets, browser information, and VPN configurations.
A cybercrime group is compromising high-value Internet Information Services (IIS) servers across multiple regions to conduct search engine optimization (SEO) fraud and steal sensitive data. The attackers exploit weak file upload settings to install web shells, escalate privileges, and establish persistent access using RDP and various VPN tools. Their primary goal is to deploy custom "BadIIS" malware, which manipulates search results and redirects users to malicious sites like gambling platforms. In addition to SEO manipulation, the group actively steals credentials, configuration files, and certificates from compromised organizations. For deeper persistence, the campaign also utilizes heavily obfuscated Cobalt Strike beacons deployed via DLL sideloading.
Researchers have uncovered a coordinated influence operation, dubbed "PRISONBREAK," involving over 50 inauthentic social media profiles using AI to incite a popular revolt against a national government. The network extensively used AI-generated content, including a deepfake video of a military strike on a notorious prison, which was timed to coincide with a real-world military campaign conducted by a foreign power. Operators also impersonated legitimate news outlets, recycled misleading footage of protests, and artificially amplified their messages by seeding content into large online communities. The campaign's primary narrative focused on promoting regime change by creating a perception of widespread instability and civil unrest. Evidence, such as the precise synchronization with military actions, suggests the operation was most likely conducted by a foreign state actor or a contractor working under its close supervision.