Security researchers at Palo Alto Networks’ Unit 42 discovered an Android spyware called Landfall, which exploited a zero-day vulnerability in Samsung Galaxy phones. The spyware, first detected in July 2024, relied on a security flaw patched in April 2025. The attacks likely targeted individuals in a specific region and were delivered through maliciously crafted images, possibly via WhatsApp. The spyware shares overlapping digital infrastructure with a known surveillance vendor, Stealth Falcon. Landfall is capable of broad device surveillance, including accessing photos, messages, contacts, call logs, and tracking location. The spyware's source code referenced five specific Galaxy phone models as targets.
Latest Cyber News
Datadog Security Research uncovered a sophisticated supply chain attack targeting the npm ecosystem, involving 17 malicious packages designed to deliver the Vidar infostealer malware to Windows systems. The campaign, attributed to threat actor cluster MUT-4831, represents a significant escalation in npm-based threats. The malicious packages masqueraded as legitimate software development kits and libraries, executing destructive payloads through postinstall scripts. Despite their benign presentation, these packages accumulated at least 2,240 downloads before removal. The attack chain involved downloading an encrypted ZIP archive, decrypting it, and executing a Windows PE binary named bridle.exe. The Vidar v2 infostealer malware aggressively harvests sensitive data, packages it into ZIP archives, and exfiltrates it to command-and-control servers. The malware uses hardcoded Telegram and Steam accounts to retrieve active C2 domains dynamically, complicating post-compromise detection and incident response efforts.
Cybersecurity researchers have uncovered a sophisticated phishing campaign exploiting compromised hotel booking accounts to defraud travellers. The operation, active since April 2025, uses stolen credentials from hotel administrators to impersonate legitimate communications and direct customers to fraudulent billing pages. The attack begins with spear-phishing emails targeting hotel staff, leading to the installation of PureRAT malware. Once in control, attackers use compromised accounts to execute banking fraud against guests, resulting in significant financial losses.
Researchers have identified a new ransomware group named Cephalus, which surfaced in mid-June 2025. The group uses custom-built Go-based ransomware and sophisticated anti-analysis mechanisms. Cephalus targets organizations by brute-forcing or purchasing compromised RDP credentials, particularly those without MFA. Once inside, they exfiltrate sensitive data before encryption, applying additional pressure through public leaks. The group operates independently, with no clear ties to existing ransomware operations. Their ransomware includes mechanisms to thwart dynamic analysis and forensic recovery, such as creating fake AES keys and using a custom SecureMemory structure to manage encryption keys.
A cyber-espionage group known as Curly COMrades has been leveraging Microsoft Hyper-V virtualization to establish stealthy, persistent access within compromised networks. The group uses a lightweight Alpine Linux virtual machine to host custom malware, CurlyShell and CurlCat, which operate within a virtualized enclave invisible to host-based endpoint detection and response (EDR) tools. The attackers also rely on PowerShell scripts for persistence and lateral movement, including a custom Kerberos Ticket Injector script. The investigation was conducted in collaboration with a national CERT, which provided critical evidence from a compromised web server used as a proxy for the attacker's C2 infrastructure.
State-backed hackers are deploying malware that uses large language models to dynamically generate malicious scripts and evade detection. Google researchers observed malware invoking AI capabilities mid-execution to alter its behavior, marking a significant step towards more autonomous malware. Experimental malware such as PROMPTFLUX and PROMPTSTEAL has been identified, with the latter used in live operations to generate commands. The trend highlights how threat actors are integrating AI into future intrusion activity, with a growing marketplace for AI tools fueling criminal behavior.
Seqrite Labs’ APT Team has documented new campaigns from Silent Lynx, a sophisticated threat actor group known for spear-phishing operations targeting diplomatic and governmental employees. The group, also known as YoroTrooper and Sturgeon Phisher, continues its espionage activities with minimal operational security improvements. The latest campaigns, dubbed Operation Peek-A-Baku, focus on monitoring geopolitically sensitive events and targeting entities involved in strategic cooperation agreements and infrastructure projects. The group uses malicious RAR archives and PowerShell-based reverse shells hosted on GitHub repositories to maintain persistence. Researchers believe the group’s primary objective is gathering intelligence related to high-level diplomatic engagements.
Balancer V2, a prominent automated market maker, suffered a significant security breach resulting in the loss of $128 million in digital assets. A vulnerability in the V2 vault allowed an attacker to manipulate internal calls and drain funds from liquidity pools. Despite multiple audits, the exploit occurred, highlighting the challenges of securing composable DeFi systems. Users are urged to withdraw funds from affected pools and revoke smart contract approvals. The BAL token value dropped, and the total value locked decreased sharply.
NGate, a sophisticated Android-based malware, exploits NFC technology to enable unauthorized ATM cash withdrawals without physically stealing payment cards. The attack begins with social engineering tactics, tricking victims into installing a malicious app that captures card data and PINs. The malware then relays this information to an attacker-controlled device at an ATM, bypassing security measures. Users are advised to download banking apps only from official app stores and be cautious of unsolicited phone calls.
A new threat group, UNK_SmudgedSerpent, has been identified as the perpetrator behind a series of cyber attacks targeting academics and foreign policy experts. The campaign, which occurred between June and August 2025, leveraged political lures and impersonated prominent figures to phish for credentials. The tactics resemble those of known cyber espionage groups, including the use of malicious URLs and Remote Monitoring and Management (RMM) software. The attacks aimed to gather intelligence on policy matters and academic research, hinting at evolving cooperation within the espionage ecosystem.