Cyber Digests


Latest Cyber News


Cybersecurity researchers have identified a new ClickFix campaign that uses fake adult websites to trick users into running malicious commands disguised as Windows security updates. The campaign, codenamed JackFix, leverages malvertising and social engineering to distribute malware. The attack hijacks the entire screen, instructing victims to open the Windows Run dialog and execute a command, triggering the infection sequence. The malware uses obfuscation techniques and blocks users from escaping the full-screen alert. The initial command executed is an MSHTA payload that runs a PowerShell command to retrieve another script from a remote server. This script attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control addresses. The PowerShell script can drop multiple payloads, including Rhadamanthys Stealer, Vidar Stealer 2.0, and RedLine Stealer.

Latest mentioned: 11-25
Earliest mentioned: 11-24

The Shai-Hulud worm has compromised over 800 npm packages, affecting 132 million monthly downloads. This sophisticated attack occurred just before npm's deadline to revoke classic tokens, targeting developers unprepared for the transition. The worm uses TruffleHog to scan for exposed secrets and publishes them to a public GitHub repository. It also attempts to propagate itself by publishing malicious copies to npm, potentially causing widespread damage. Major technology organizations, including AsyncAPI and PostHog, have been affected, highlighting the need for better secret management and active threat monitoring.

Latest mentioned: 11-25
Earliest mentioned: 11-24

Orange Cyberdefense’s CyberSOC and CSIRT teams have identified a new wave of Operation DreamJob attacks, featuring updated and highly evasive malware variants linked to a known threat actor. The campaign, observed in August 2025, targeted a subsidiary of a major manufacturing company using a fraudulent job offer delivered over WhatsApp. The attack involved sophisticated malware families like BURNBOOK and MISTPEN, showcasing significant evolution in their tactics. The intrusion began with a WhatsApp message leading to a malicious PDF and a trojanized DLL, initiating an attack chain consistent with previous DreamJob activity. The threat actors performed extensive hands-on-keyboard activities, compromising administrative accounts and deploying advanced malware for data exfiltration.

Latest mentioned: 11-25
Earliest mentioned: 11-21

Security researchers have identified a new wave of supply-chain attacks linked to a self-replicating worm, Shai-Hulud, which has infected nearly 500 npm packages and exposed over 26,000 open-source repositories on GitHub. The malware, discovered by Charlie Eriksen of Aikido Security, was uploaded over a three-day period and is rapidly propagating using stolen npm tokens. Major packages like Zapier, ENS Domains, PostHog, and Postman were compromised, allowing attackers to populate GitHub repositories with stolen data. Researchers warn of potential downstream exploitation due to the public exposure of credentials.

Latest mentioned: 11-24
Earliest mentioned: 11-24

Cybersecurity researchers have discovered a sophisticated supply-chain attack targeting Python developers through a malicious package on the Python Package Index (PyPI). The package, named 'spellcheckers,' contains a multi-layered encrypted backdoor designed to steal cryptocurrency information and establish remote access. The attackers have expanded their operations to the PyPI repository, targeting developers who unknowingly install the compromised package. The malicious package mimics the legitimate 'pyspellchecker' library and has been downloaded over 950 times, potentially compromising hundreds of developer systems.

Latest mentioned: 11-24
Earliest mentioned: 11-24

Acronis’ Threat Research Unit has exposed a global malvertising campaign, TamperedChef, distributing trojanized applications through malvertising and SEO-poisoning. These fake applications, signed with certificates from shell companies, deploy scheduled tasks and JavaScript backdoors for remote access and long-term control. The campaign targets multiple industries, including healthcare, construction, and manufacturing, with a significant number of victims in the Americas. The threat actors operate with a highly organized infrastructure, using a network of shell companies to acquire and rotate code-signing certificates.

Latest mentioned: 11-24
Earliest mentioned: 11-20

Darktrace analysts warn about the rapidly evolving Xillen Stealer malware, which now includes advanced evasion mechanisms and multiple modern C2 techniques. The malware targets over 100 browsers, 70+ cryptocurrency wallets, password managers, developer environments, and cloud credentials. Notable updates include the AI Target Detection module, which prioritizes high-value targets based on rule-based pattern matching. The malware also features a Rust-based polymorphic engine and steganographic methods to hide stolen data. Xillen Stealer is marketed openly on Telegram, with licenses offered through a professional dashboard.

Latest mentioned: 11-24
Earliest mentioned: 11-21

Cox Enterprises has notified 9,479 individuals of a data breach due to a zero-day flaw in Oracle E-Business Suite. The breach, detected in late September, was exploited by the Cl0p ransomware group. The company is offering identity theft protection and credit monitoring services to affected individuals. Cl0p has a history of exploiting zero-day vulnerabilities in popular software products.

Latest mentioned: 11-23
Earliest mentioned: 11-21

Security researchers have uncovered a sophisticated cyberattack targeting Microsoft Windows Server Update Services (WSUS) infrastructure. The attackers exploited a critical remote code execution vulnerability, CVE-2025-59287, to deploy ShadowPad, a backdoor malware linked to state-sponsored APT groups. The vulnerability allows remote code execution with system-level privileges, making WSUS servers high-value targets. The attackers rapidly weaponized the vulnerability after proof-of-concept exploit code became publicly available, using legitimate Windows utilities to install the malware. Organizations are urged to apply the security update from Microsoft and audit their WSUS server exposure.

Latest mentioned: 11-21
Earliest mentioned: 11-19

A threat actor known as APT24 has been using a previously undocumented malware called BADAUDIO to establish persistent remote access to compromised networks. The campaign, which has been ongoing for nearly three years, initially relied on broad strategic web compromises but has recently shifted to more sophisticated vectors, including supply chain attacks and targeted phishing campaigns. The malware is highly obfuscated and uses control flow flattening to resist reverse engineering. APT24 has compromised over 20 legitimate websites and a regional digital marketing firm to deliver BADAUDIO, which acts as a first-stage downloader capable of executing encrypted payloads from command and control servers.

Latest mentioned: 11-21
Earliest mentioned: 11-20