Security researchers at ENKI have uncovered a sophisticated espionage campaign by the Lazarus Group targeting aerospace and defense organizations. The campaign, active since March 2025, uses phishing operations with malicious Word documents disguised as legitimate communications. The new Comebacker backdoor variant demonstrates significant technical evolution, including encrypted command-and-control communications and sophisticated persistence mechanisms. The campaign's focus on specific organizations indicates strategic targeting aligned with espionage objectives.
Latest Cyber News
Curated cybersecurity intelligence • Updated continuously
Threat hunters have uncovered similarities between the banking malware families Coyote and Maverick, both targeting users and banks in Brazil. Both strains are written in .NET and share identical routines for decrypting their list of banking URLs and monitoring banking applications. Maverick, attributed to a threat actor dubbed Water Saci, spreads through WhatsApp Web and watches active browser tabs for financial-institution URLs. Once a match is found, the malware contacts a remote server to fetch commands and steal credentials. Cybersecurity firms have noted code overlaps between Maverick and Coyote, suggesting either an evolution of the same codebase or shared development.
A new cyber-attack has been discovered exploiting Google’s Find Hub service to remotely wipe data from Android devices. The attack, linked to a long-running APT campaign, involved distributing malicious files disguised as stress-relief programs through a popular messenger. Attackers impersonated psychological counselors and human rights activists to gain trust. Once executed, the infected files obtained Google account credentials and triggered the Find Hub remote-wipe function, deleting all data on targeted smartphones and tablets. This marks the first confirmed case of a state-sponsored group abusing Google’s device management feature for destructive operations.
Hackers exploited a critical Triofox flaw, CVE-2025-12480, to bypass authentication and then abused the platform's antivirus integration to run arbitrary code. Google's Mandiant researchers spotted the threat actors using the authentication bypass to create a new admin account, upload a script, and point the product's configurable antivirus-scanner path at it, so that the Triofox service executed the script with SYSTEM privileges. From there the attackers deployed remote access tools such as Zoho Assist and AnyDesk. Mandiant recommends upgrading to the latest Triofox release and auditing admin accounts (and the antivirus-scanner configuration) to mitigate the risk.
The Acronis Threat Research Unit has identified a new DragonForce ransomware variant showcasing advanced technical sophistication and organizational structure. The updated malware leverages Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and terminate protected processes, addressing previous encryption flaws. Originally emerging in 2023, DragonForce rebranded itself as a 'cartel' in early 2025, attracting affiliates with customizable encryptors and infrastructure access. The group has become more aggressive, increasing global victim postings and expanding collaborations, notably in a joint attack with the Scattered Spider intrusion group. Acronis analysts observed that the latest DragonForce binaries are significantly larger, suggesting a change in the development toolchain. The new builds, compiled using MinGW, consolidate the group’s multi-platform ransomware codebase. Despite its updated framework, the codebase remains rooted in Conti’s leaked source, reusing functions like InitializeApiModule and DisableHooks. The ransomware’s configuration file allows affiliates to define custom extensions, blacklists, and process kill lists, including Microsoft Defender and SQL services. Most notably, the use_sys flag activates BYOVD process termination, using Truesight and BadRentdrv2 drivers to forcibly kill antivirus and EDR software. Acronis TRU identified links between DragonForce and a new ransomware family known as Devman, whose samples were built using DragonForce’s builder and infrastructure.
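The report above describes the use_sys flag enabling BYOVD process termination through the Truesight and BadRentdrv2 drivers. The block below is an added detection example, not code from Acronis or from the ransomware: it hunts Sysmon Event ID 6 ("Driver loaded") records for driver file names commonly associated with those two drivers and for kernel drivers loaded from user-writable directories. The file names truesight.sys and rentdrv2.sys are assumptions for illustration, and the sample log lines are constructed, not real telemetry.

```python
"""Added example: hunting for BYOVD driver loads in Sysmon Event ID 6 records.

A BYOVD driver is usually validly signed (that is the point of the technique),
so a signature check alone does not catch it. This hunt therefore combines
three signals: a small name blocklist, the directory the driver was loaded
from, and the signature status as a secondary finding.
"""
import json

# Assumed file names for the drivers named in the report. Treat this as a
# starting point, not an authoritative blocklist; Microsoft's vulnerable-driver
# blocklist and the LOLDrivers project are the reference sources.
KNOWN_ABUSED_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# Directories a legitimate driver install never uses; a .sys loaded from here
# is suspicious regardless of its name or signature.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\",
)


def analyse_driver_load(event):
    """Return a list of alert strings for one parsed Sysmon event (ID 6 only)."""
    if event.get("EventID") != 6:
        return []
    image = event.get("ImageLoaded", "").lower()
    name = image.rsplit("\\", 1)[-1]
    alerts = []
    if name in KNOWN_ABUSED_DRIVERS:
        alerts.append(f"known abused driver loaded: {image}")
    if image.startswith(USER_WRITABLE_PREFIXES):
        alerts.append(f"driver loaded from user-writable path: {image}")
    # A missing or failed signature is a finding on its own; a valid signature
    # must not be treated as exoneration for the two checks above.
    if event.get("SignatureStatus", "").lower() != "valid":
        alerts.append(f"driver with non-valid signature: {image}")
    return alerts


def hunt(lines):
    """Parse newline-delimited JSON events and return {RecordID: [alerts]}."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = analyse_driver_load(event)
        if hits:
            findings[event["RecordID"]] = hits
    return findings


# Constructed sample events (not real telemetry); fields mirror Sysmon ID 6.
SAMPLE_LOG = r"""
{"RecordID": 1, "EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "SignatureStatus": "Valid"}
{"RecordID": 2, "EventID": 6, "ImageLoaded": "C:\\ProgramData\\truesight.sys", "SignatureStatus": "Valid"}
{"RecordID": 3, "EventID": 6, "ImageLoaded": "C:\\Users\\Public\\rentdrv2.sys", "SignatureStatus": "Valid"}
{"RecordID": 4, "EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\x.sys", "SignatureStatus": "Unavailable"}
{"RecordID": 5, "EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "SignatureStatus": "Valid"}
"""

if __name__ == "__main__":
    for record_id, alerts in hunt(SAMPLE_LOG.splitlines()).items():
        for alert in alerts:
            print(f"record {record_id}: {alert}")
```

Records 2 and 3 fire on both the name and the path rule even though they are "validly" signed; record 4 fires on path and signature only, which is the case this hunt is designed to keep catching when the attacker swaps in a driver that is not yet on any list. Record 5 is an image-load event, not a driver load, and is ignored.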
Cybersecurity researchers at Zensec have uncovered a supply-chain attack campaign where ransomware groups exploited vulnerabilities in SimpleHelp RMM software to deploy ransomware across multiple organisations. The attacks, conducted by Medusa and DragonForce groups, leveraged unpatched vulnerabilities to gain SYSTEM-level privileges and move laterally within victim networks. Both groups used legitimate IT management tools to execute ransomware payloads and exfiltrate data, highlighting the critical need for supply chain security and patch management.
Researchers at zLabs have discovered Fantasy Hub, a sophisticated Android Remote Access Trojan (RAT) sold as Malware-as-a-Service (MaaS) on cybercrime channels. The spyware, advertised with extensive documentation and Telegram-based subscriptions, enables full device control, data exfiltration, and banking credential theft. Its advanced features, including SMS interception and live streaming, rival nation-state spyware. The malware uses phishing overlays to target major banks and employs sophisticated evasion techniques to avoid detection.
Microsoft researchers have identified a side-channel attack called Whisper Leak that can infer the topic of a conversation from encrypted AI chatbot traffic. TLS protects the content of each streamed token, but not its size or timing, so an observer on the network path can train a classifier on the sequence of record sizes and inter-arrival times and recognise prompts on a sensitive topic. Multiple vendors have deployed mitigations (such as padding the streamed responses), but the risk remains significant, especially in regions with oppressive surveillance. The attack's accuracy improves as the attacker collects more training data, posing a threat to conversation confidentiality in sensitive contexts.
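The following added example is an illustration of the size channel described above, not Microsoft's attack code. A streamed chatbot reply is sent one token (or a few tokens) per TLS record; record length equals plaintext length plus a fixed overhead, so the on-the-wire sizes mirror token lengths. The block builds size traces for constructed replies, classifies a fresh reply by nearest trace, and then shows how padding every chunk up to a fixed bucket removes that signal. The 22-byte overhead, the chunk contents, and the bucket size are assumptions; timing, the other half of the real attack, is not modelled.

```python
"""Added example: why streamed LLM traffic leaks its topic through TLS record
sizes, and what chunk padding does to that leak.
"""
from statistics import mean

TLS_OVERHEAD = 22  # assumed fixed per-record bytes (record header + AEAD tag)


def record_sizes(chunks, pad_to=None):
    """On-the-wire size of each streamed chunk.

    pad_to: if set, each chunk's plaintext is padded up to a multiple of
    pad_to bytes before encryption, mimicking the padding mitigation.
    """
    sizes = []
    for chunk in chunks:
        n = len(chunk.encode())
        if pad_to:
            n = -(-n // pad_to) * pad_to  # round up to the next bucket
        sizes.append(n + TLS_OVERHEAD)
    return sizes


def distance(a, b):
    """Mean absolute difference of two size traces aligned by position;
    a shorter trace is zero-padded so length mismatch also costs."""
    m = max(len(a), len(b))
    a = a + [0] * (m - len(a))
    b = b + [0] * (m - len(b))
    return mean(abs(x - y) for x, y in zip(a, b))


def classify(observed, profiles):
    """Nearest-profile classifier: the topic whose training trace is closest."""
    return min(profiles, key=lambda topic: distance(observed, profiles[topic]))


# Constructed training replies, one per topic, split into streamed chunks.
PROFILES = {
    "laundering": ["Money", " laundering", " typically", " involves", " three", " stages"],
    "weather": ["It", " looks", " like", " rain", " later", " today"],
}

# A different reply on the laundering topic, as the attacker would observe it.
OBSERVED = ["Money", " laundering", " usually", " has", " three", " phases"]


def unpadded_guess():
    """Topic inferred from raw record sizes."""
    traces = {t: record_sizes(c) for t, c in PROFILES.items()}
    return classify(record_sizes(OBSERVED), traces)


def padded_distances(pad_to=32):
    """Distances from the observed trace to each profile after padding."""
    obs = record_sizes(OBSERVED, pad_to)
    return {t: distance(obs, record_sizes(c, pad_to)) for t, c in PROFILES.items()}


if __name__ == "__main__":
    print("raw sizes:", record_sizes(OBSERVED))
    print("guess without padding:", unpadded_guess())
    print("distances with padding:", padded_distances())
```

Without padding the observed trace sits closer to the laundering profile than to the weather one, and the classifier gets it right even though the reply is worded differently. With a 32-byte bucket larger than any chunk, every record is the same size and both distances collapse to zero, so the classifier is reduced to a coin flip. Note what padding does not hide: the number of chunks and their timing still leak, which is why the mitigations deployed in practice also vary chunk grouping or add random-length filler rather than relying on fixed buckets alone.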
Researchers at Socket identified nine malicious NuGet packages designed to sabotage database implementations and Siemens S7 industrial control devices. These packages, published under the developer name shanhai666, contain legitimate functionality alongside harmful code scheduled to activate between 2027 and 2028. The most dangerous package, Sharp7Extend, targets users of the legitimate Sharp7 library, exploiting developers searching for extensions. The packages use a probabilistic trigger, making activation uncertain and complicating incident response.
A new ransomware strain, Midnight, has been discovered by Gen researchers, echoing the tactics of its predecessor, Babuk. Midnight introduces novel cryptographic modifications that inadvertently allow for file recovery. The ransomware typically appends the .Midnight or .endpoint extension to encrypted files and uses ChaCha20 and RSA encryption. Security vendors have released decryption tools to help victims reclaim their data without paying a ransom.