Cyber Digests

just real cyber news

Latest Cyber News

Curated cybersecurity intelligence • Updated continuously

Zscaler ThreatLabz discovered CVE-2025-50165, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 affecting the Windows Graphics Component. The vulnerability in windowscodecs.dll can be exploited through malicious JPEG images, posing a significant threat to all Windows systems. ThreatLabz identified the vulnerable code path, triaged the crash, and developed a Proof-of-Concept (PoC) exploit. The exploit involves heap spraying and Return-Oriented Programming (ROP) to achieve arbitrary code execution. Microsoft released a patch on August 12, 2025, and users are advised to update their systems immediately.

Latest mentioned: 11-21
Earliest mentioned: 11-20

The Android trojan Sturnus targets secure messaging apps such as WhatsApp, Telegram, and Signal. It can steal banking credentials, remotely control devices, and bypass end-to-end encryption by capturing decrypted content as it is rendered on screen. The malware is still under development but is already targeting financial institutions in certain regions, indicating preparation for a broader campaign. Sturnus uses HTML overlays and accessibility-based keylogging to steal data and monitor user actions in real time. It also employs screen mirroring, with a fallback screen-capture mechanism, to give operators full remote control of infected devices. Its tactics further include device administrator abuse and comprehensive monitoring of the device environment, making it a significant threat to financial security and privacy.

Latest mentioned: 11-20
Earliest mentioned: 11-20

Cybersecurity researchers have identified an expanding botnet called Tsundere that targets Windows users. Active since mid-2025, the botnet executes arbitrary JavaScript code from a C2 server. The malware is spread through various means, including Remote Monitoring and Management (RMM) tools and lures for popular games. The botnet uses the Ethereum blockchain to fetch C2 server details, making it resilient. The threat actor behind Tsundere is believed to be Russian-speaking and has links to other malicious activities, including the 123 Stealer.

Latest mentioned: 11-20
Earliest mentioned: 11-20

The Cybereason Threat Intelligence Team has analyzed the rapidly evolving ransomware group known as The Gentlemen, which surfaced in mid-2025. The group employs a double-extortion strategy: it encrypts sensitive files and exfiltrates critical business data, then threatens to publish the data unless a ransom is paid. The ransomware combines advanced encryption techniques with dynamic propagation options, including WMI, PowerShell remoting, and ESXi capabilities. It features enhanced automation, stealth, and performance improvements across its Windows, Linux, and ESXi variants. The ransomware is promoted as a Ransomware-as-a-Service (RaaS) on cybercrime forums, offering configurable modes, double-extortion tactics, and strong affiliate support. The group has published 48 victims on its dark web leak site within a short period, highlighting its aggressive pace and technical sophistication.

Latest mentioned: 11-20
Earliest mentioned: 11-18

Trustwave SpiderLabs researchers have identified a banking Trojan dubbed Eternidade Stealer, distributed through WhatsApp account hijacking and social engineering lures. The campaign uses a WhatsApp worm written in Python to spread malicious attachments and an MSI installer that deploys a Delphi-based banking trojan. The malware retrieves its command-and-control (C2) addresses dynamically over the Internet Message Access Protocol (IMAP) and targets Brazilian victims by checking the OS language. It scans for strings associated with banking portals, payment services, and cryptocurrency platforms, and activates its next-stage payload when a match is found. Because the malware logs into an email account with hardcoded credentials to fetch its C2 address, the operators can rotate the C2 at will, maintain persistence, and evade detection and takedown efforts.

Latest mentioned: 11-19
Earliest mentioned: 11-19

A new technical deep-dive by malware researcher 0x0d4y reveals the inner workings of ScoringMathTea, a sophisticated remote access Trojan (RAT) attributed to the Lazarus Group. The analysis dissects the RAT’s architecture, C2 protocol, API-hiding techniques, custom encryption routines, and a fully manual reflective plugin loader designed to evade modern detection stacks. The RAT initializes a configuration structure, generates pseudo-random seeds from Windows tick counts, and sets up multiple C2 slots. It conceals its C2 URL using stack strings and dynamically resolves all required APIs through a custom hashing algorithm and an encrypted string table. The RAT maintains a persistent 60-second beacon interval, with a communication loop that connects to its C2 using a spoofed browser User-Agent header. Once connected, ScoringMathTea sends a pseudo-randomized beacon generated with rand() to avoid signature-based detection. The response is processed through several layers: HTML wrapper removal, Base64 decoding, decryption with TEA/XTEA in CBC mode, optional decompression, and command parsing. Traffic in the other direction is built the same way, sent over HTTP/HTTPS, Base64-encoded, encrypted with TEA/XTEA in CBC mode, and optionally compressed. This multi-layered structure makes the traffic appear benign while protecting payload integrity. The most sophisticated feature revealed by the analysis is ScoringMathTea’s modular architecture, centered on a full reflective DLL injection system implemented entirely within the malware’s own codebase.

Latest mentioned: 11-20
Earliest mentioned: 11-18

ESET researchers have uncovered a sophisticated attack chain orchestrated by the threat actor PlushDaemon, which leverages a previously undocumented network implant, EdgeStepper, to conduct adversary-in-the-middle attacks. By compromising network devices and redirecting DNS queries to malicious servers, PlushDaemon intercepts legitimate software updates and replaces them with trojanized versions containing the SlowStepper backdoor. This technique has enabled the threat actor to compromise targets across multiple continents since at least 2018. The core of PlushDaemon’s attack infrastructure centers on EdgeStepper, which operates as a DNS proxy that fundamentally alters network traffic patterns within compromised networks. The tool begins by loading encrypted configuration data, decrypting it using AES CBC, and then redirects all DNS traffic to a malicious DNS node controlled by PlushDaemon operators.

Latest mentioned: 11-19
Earliest mentioned: 11-19

The Socket Threat Research Team has uncovered a sophisticated npm malware campaign orchestrated by the threat actor dino_reborn. The campaign uses seven malicious packages that distinguish genuine targets from security researchers before executing payloads. The malware employs traffic cloaking, anti-analysis techniques, and deceptive UI elements, making it difficult for analysts to investigate. Its distinctive feature is fingerprinting visitor behavior to separate analysts from intended victims: security researchers are shown a blank page, while potential victims see a convincing fake CAPTCHA. The malware targets cryptocurrency platforms, aiming to steal crypto assets. Organizations should monitor for indicators such as the /adspect-proxy.php and /adspect-file.php URL patterns.

Latest mentioned: 11-19
Earliest mentioned: 11-17

Security researchers at Oligo Security have uncovered a massive, fast-evolving cyberattack campaign hijacking exposed Ray AI clusters worldwide through the ShadowRay vulnerability (CVE-2023-48022). The campaign, dubbed ShadowRay 2.0, represents one of the world’s first cases of AI-generated malware used to attack AI infrastructure. The threat actor, IronErn440, has transformed Ray’s legitimate orchestration functions into a self-propagating, globally distributed botnet capable of cryptomining, lateral movement, data exfiltration, reverse shell access, DDoS attacks, and automated worm-like propagation. Oligo cautions that this isn’t just another cryptojacking campaign but a multi-purpose botnet capable of significant harm.

Latest mentioned: 11-19
Earliest mentioned: 11-18

The cyber espionage group UNC1549 has significantly expanded its toolkit and attack techniques in an ongoing campaign targeting aerospace, aviation, and defense industries since mid-2024. The group employs sophisticated phishing campaigns and exploits trusted third-party relationships to breach high-security environments. Their custom tools, such as TWOSTROKE and LIGHTRAIL, demonstrate exceptional operational security and persistence mechanisms.

Latest mentioned: 11-18
Earliest mentioned: 11-18