Cyber Digests

just real cyber news

Latest Cyber News

Curated cybersecurity intelligence • Updated continuously

Researchers from the Israel National Digital Agency (INDA) have uncovered a sophisticated cyber-espionage campaign named SpearSpecter. The campaign, linked to state-aligned threat actors, uses social engineering and a fileless PowerShell backdoor called TAMECAT to target high-value government and defense officials. The attackers build trust over weeks through WhatsApp conversations before delivering malicious links disguised as conference documents. The malware leverages legitimate cloud infrastructure and employs multi-channel command-and-control frameworks, including Telegram and Discord. TAMECAT's capabilities include data exfiltration, credential harvesting, and screenshot capture. The campaign demonstrates a deep understanding of Windows internals and human behavior, representing a significant escalation in cyber-espionage tradecraft.

Latest mentioned: 11-18
Earliest mentioned: 11-14

Jamf Threat Labs has discovered a sophisticated macOS infostealer named DigitStealer. The malware uses advanced techniques such as hardware-based execution gates, multi-stage payload delivery, and Cloudflare Pages hosting. It targets cryptocurrency wallets like Ledger Live and evades detection through extensive anti-analysis features. The malware is distributed via an unsigned disk image named DynamicLake.dmg, spoofing a legitimate macOS utility. It employs a drag-to-terminal installation script and includes locale checks to avoid execution in certain regions. The malware's payloads include AppleScript for credential harvesting and JavaScript for Automation (JXA) for data exfiltration. It modifies Ledger Live to redirect sensitive data to attacker-controlled endpoints and establishes persistence through a Launch Agent.

Latest mentioned: 11-18
Earliest mentioned: 11-14

Cybersecurity researchers have uncovered a sophisticated malware campaign using the ClickFix social engineering tactic to distribute Amatera Stealer and NetSupport RAT. The campaign, tracked as EVALUSION, targets cryptocurrency wallets, browsers, and email services. Amatera, an evolution of ACR Stealer, employs advanced evasion techniques and is available via subscription. The attack involves tricking users into executing malicious commands, leading to data exfiltration and potential RAT deployment.

Latest mentioned: 11-17
Earliest mentioned: 11-17

Logitech recently filed documents with the SEC about a cybersecurity incident involving a zero-day vulnerability in a third-party software platform. The breach exposed limited employee and consumer data but did not impact products or operations. Logitech patched the vulnerability and expects cyber insurance to cover related costs. The incident is linked to the Clop cybercriminal group, known for exploiting zero-day vulnerabilities in popular software tools.

Latest mentioned: 11-17
Earliest mentioned: 11-11

The Dragon Breath threat actor is using a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT. The campaign targets Chinese-speaking users with trojanized installers disguised as legitimate software. The infection chain employs various evasion techniques, including signed drivers and custom WDAC policies, to neutralize popular endpoint security products. The final payload, Gh0st RAT, is designed to communicate with a remote server, execute commands, and capture keystrokes.

Latest mentioned: 11-17
Earliest mentioned: 11-14

Security researchers at AhnLab have identified Yurei, a new ransomware group operating since September 2025. Yurei uses a double-extortion model, encrypting data and demanding ransom for stolen information. Unlike many modern ransomware groups, Yurei operates independently without relying on Ransomware-as-a-Service (RaaS) ecosystems. The malware, written in Go, performs encryption with minimal preparation and uses a dual-layer cryptographic model. Yurei's attacks have impacted various industries, including transportation, IT software, marketing, and food and beverage.

Latest mentioned: 11-17
Earliest mentioned: 11-10

Threat actors have updated their tactics by using JSON storage services to host and deliver malware. The campaign involves targeting software developers through professional networking sites, instructing them to download trojanized code projects. These projects contain Base64-encoded values that lead to JSON storage services, where the next-stage payload, a JavaScript malware known as BeaverTail, is stored. BeaverTail harvests sensitive data and drops a Python backdoor called InvisibleFerret, which fetches additional payloads. The campaign's success underscores the actors' ability to operate stealthily and blend in with normal traffic.

Latest mentioned: 11-14
Earliest mentioned: 11-13

Anthropic reported a sophisticated cyber espionage campaign using its AI coding assistant, Claude Code. The attackers, likely state-sponsored, targeted large tech companies, financial institutions, and government agencies. Claude Code performed most tasks autonomously, with minimal human intervention. The campaign, detected in September 2025, involved a six-phase attack flow, including reconnaissance, vulnerability discovery, and data extraction. Anthropic has since banned malicious accounts and enhanced its detection capabilities.

Latest mentioned: 11-14
Earliest mentioned: 11-13

Kraken ransomware, targeting Windows, Linux, and VMware ESXi systems, has introduced a unique feature that tests machine performance to optimize encryption speed. This ransomware, which emerged as a continuation of the HelloKitty operation, engages in big-game hunting attacks with data theft for double extortion. Kraken's data leak site lists victims from various regions, and the group has launched a new cybercrime forum named 'The Last Haven Board' for secure communications. The ransomware's attack chain involves exploiting SMB vulnerabilities, using Cloudflared and SSHFS tools for persistence and data exfiltration, and conducting performance benchmarks before encryption.

Latest mentioned: 11-13
Earliest mentioned: 11-13

Amazon’s threat intelligence division uncovered an advanced persistent threat (APT) group exploiting zero-day vulnerabilities in Cisco and Citrix systems. The attackers targeted critical identity and network access control infrastructure, using undisclosed flaws before vendors issued patches. Amazon’s MadPot honeypot service detected the exploitation attempts, leading to the identification of CVE-2025-5777 and CVE-2025-20337. The threat actor deployed a custom web shell disguised as a legitimate component, operating in-memory and using Java reflection for stealth. Security teams are advised to implement defense-in-depth strategies and closely monitor for anomalous activity.

Latest mentioned: 11-13
Earliest mentioned: 11-12