Cyber Digests

just real cyber news

Latest Cyber News

Curated cybersecurity intelligence • Updated continuously

Microsoft researchers discovered SesameOp, a new backdoor malware using the OpenAI Assistants API for command-and-control. The malware, found in July 2025, allowed attackers to maintain long-term persistence for espionage. It used a heavily obfuscated loader and a .NET-based backdoor, leveraging legitimate cloud services to avoid detection. Microsoft and OpenAI collaborated to disable the misused API key and account.

Latest mentioned: 11-03
Earliest mentioned: 11-03

The Kimsuky group has been observed using a new backdoor called HttpTroy, while the Lazarus Group has deployed an upgraded BLINDINGCAN RAT. Both campaigns show advanced obfuscation and persistence techniques and target victims in multiple regions. The Kimsuky attack began with a phishing email carrying a VPN invoice lure that led to a multi-stage infection. The Lazarus Group's attack, detected partway through its chain, involved a new Comebacker variant and targeted two victims in a single country.

Latest mentioned: 11-03
Earliest mentioned: 10-31

Researchers at SEQRITE Labs have uncovered Operation SkyCloak, a sophisticated cyber espionage campaign targeting military personnel. The operation uses a multi-stage PowerShell-based intrusion chain for persistent, covert remote access within military and defense networks. SkyCloak stands out due to its unusual targeting pattern, focusing on multiple military units and utilizing Tor-based communication for anonymity. The campaign employs advanced evasion techniques, including anti-sandbox checks and obfuscated PowerShell execution, to maintain stealth.

Latest mentioned: 11-03
Earliest mentioned: 11-01

A threat actor tracked as UNC6384 has been targeting European diplomatic entities in a cyber-espionage campaign since September. The group exploits a high-severity Windows vulnerability and uses refined social engineering to deliver PlugX malware. The campaign initially targeted entities in specific regions and is expanding across the broader diplomatic community. The attack chain starts with spear-phishing emails carrying malicious LNK files that trigger the vulnerability and execute obfuscated PowerShell commands. Researchers recommend that organizations block the campaign's known command-and-control infrastructure and run security awareness training to reduce the success of the lures.

Latest mentioned: 10-31
Earliest mentioned: 10-30

The Wordfence Threat Intelligence Team has discovered a complex malware campaign targeting WordPress e-commerce sites using the WooCommerce plugin. The malware, disguised as a rogue plugin, employs advanced encryption, fake images, and remote command access for persistent exploitation. It logs user credentials, establishes backdoors, and injects JavaScript skimmers into checkout pages to steal credit card data. The campaign is attributed to Magecart Group 12, known for their persistent credit card skimming activities.

Latest mentioned: 10-31
Earliest mentioned: 10-30

In mid-2025, Secureworks CTU researchers uncovered a sophisticated campaign by the BRONZE BUTLER group exploiting a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. The group, active since 2010, has a history of targeting specific organizations and government entities. The vulnerability, CVE-2025-61932, allows remote attackers to execute arbitrary commands with SYSTEM privileges. The campaign deployed the Gokcpdoor backdoor and the Havoc C2 framework, and used legitimate tools along the way: goddi to dump Active Directory information and 7-Zip to archive collected data before exfiltration. International cybersecurity authorities responded quickly, underscoring the severity of the threat.

Latest mentioned: 10-31
Earliest mentioned: 10-30

Koi Security has discovered a large supply-chain attack called PhantomRaven, which published 126 malicious packages to npm that were downloaded over 86,000 times. The campaign, active since August 2025, steals npm authentication tokens, GitHub credentials, and CI/CD secrets. The packages themselves look harmless because the malicious code is not in the published tarball: it is pulled in through what Koi calls Remote Dynamic Dependencies (RDD), dependency specs that point at attacker-controlled URLs and are fetched at install time, which registry-side security scanners do not resolve. Once fetched, the malware executed automatically during installation, performing aggressive reconnaissance and exfiltration. Koi Security also noted the use of slopsquatting, registering plausible-sounding package names of the kind AI coding assistants hallucinate, so that developers trusting an assistant's suggestion install the malicious package.

Latest mentioned: 10-31
Earliest mentioned: 10-29
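The two levers in the PhantomRaven item, dependency specs that resolve outside the registry and lifecycle scripts that run on install, are both visible in a package's manifest before anything is installed. The following auditor is an added example, not code from Koi Security or from the report; it checks a parsed package.json for URL, git and GitHub-shorthand dependency specs and for preinstall/install/postinstall/prepare hooks. The manifest embedded below is constructed for the demo and its package names are invented.

```python
import json
import re
from dataclasses import dataclass

# Hooks npm runs automatically while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEPENDENCY_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
# Specs resolved outside the registry: tarball URLs, git URLs and hosted-git shortcuts.
REMOTE_URL = re.compile(
    r"^(https?://|git(\+(ssh|https?|file))?://|git@|github:|gitlab:|bitbucket:|gist:)", re.I
)
# Bare "owner/repo[#ref]" is GitHub shorthand; local paths (./ ../ / ~) are excluded.
GITHUB_SHORTHAND = re.compile(r"^(?![./~])[\w.-]+/[\w.-]+(#\S*)?$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "remote_dependency" or "lifecycle_script"
    name: str    # dependency name or hook name
    value: str   # the dependency spec or the script command line


def audit_manifest(manifest: dict) -> list[Finding]:
    """Flag install-time risks in a parsed package.json: remote specs first, then hooks."""
    findings = []
    for field in DEPENDENCY_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            spec = str(spec)
            if REMOTE_URL.match(spec) or GITHUB_SHORTHAND.match(spec):
                findings.append(Finding("remote_dependency", name, spec))
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if scripts.get(hook):
            findings.append(Finding("lifecycle_script", hook, scripts[hook]))
    return findings


# Constructed sample manifest; names and URLs are invented for the demo.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "example-helper-utils",
  "version": "1.0.3",
  "dependencies": {
    "lodash": "^4.17.21",
    "ui-style-kit": "http://packages.example.invalid/ui-style-kit.tgz",
    "reporting-widget": "acme-dev/reporting-widget#main"
  },
  "scripts": {
    "preinstall": "node ./scripts/setup.js",
    "test": "jest"
  }
}
""")

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f.kind}: {f.name} -> {f.value}")
```

Run it against `package.json` of anything you are about to add, and against the `resolved` fields of `package-lock.json` with the same regexes. A remote spec is not proof of malice, but it is a payload the registry never saw. Lifecycle scripts can be disabled for a single install with `npm install --ignore-scripts` or globally with `npm config set ignore-scripts true`, which removes the automatic-execution step the campaign relied on.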

A cybercriminal group has refined its malware campaign with new social engineering techniques and multi-stage infection chains to deliver the Lampion banking trojan. The campaign, active since 2019, targets banking customers in Portuguese-speaking countries and uses complex infection methods to evade detection. Researchers have documented significant tactical evolution, including the use of ClickFix lures and compromised email accounts. The phishing emails carry convincing banking themes, and the infection chain comprises multiple obfuscated Visual Basic script stages. The Lampion stealer has evolved into a single 700MB DLL and uses encrypted ZIP files to hinder detection.

Latest mentioned: 10-30
Earliest mentioned: 10-30

The Wordfence Threat Intelligence Team has uncovered a sophisticated malware campaign targeting WordPress e-commerce sites using the WooCommerce plugin. The malware, disguised as legitimate plugins under names such as 'jwt-log-pro' and 'cron-environment-advanced', hides its payloads inside fake image files and evades detection through custom encryption. It records the credentials of high-privilege users at login and establishes a backdoor for remote command execution. The malware is attributed to Magecart Group 12, known for credit card skimming operations.

Latest mentioned: 10-31
Earliest mentioned: 10-29
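Both Wordfence items above describe the same trick: a rogue plugin ships its payload as a file with an image extension and a PHP loader that reads and decrypts it. Added example, not Wordfence's code or a scanner from the report: the script below walks a plugins directory and flags image files whose bytes do not start with the right magic, image files containing plaintext PHP markers, and PHP files that open an image file. The plugin directory names come from the report; every file's contents are constructed for the demo. The fourth sample file shows the caveat: an encrypted blob behind a valid JPEG header passes both image checks and is only caught through the loader that reads it.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for image types a WordPress plugin legitimately ships.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Plaintext PHP markers that have no business inside an image file.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"gzinflate(")
# PHP that opens an image file: the loader half of a fake-image payload.
IMAGE_LOADER = re.compile(
    rb"(file_get_contents|fopen|readfile|include|require)\s*\(\s*[^;]*?\.(png|jpe?g|gif)\b", re.I
)


def inspect_file(path: Path) -> list[str]:
    """Reasons a file looks like part of a fake-image payload (empty list = nothing found)."""
    reasons = []
    ext = path.suffix.lower()
    data = path.read_bytes()
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            reasons.append(f"{ext} file does not start with {ext} magic bytes")
        hits = [m.decode() for m in PHP_MARKERS if m in data]
        if hits:
            reasons.append("image contains PHP markers: " + ", ".join(hits))
    elif ext == ".php":
        m = IMAGE_LOADER.search(data)
        if m:
            reasons.append("PHP reads an image file: " + m.group(0).decode(errors="replace")[:60])
    return reasons


def scan_plugins(root: Path) -> dict[str, list[str]]:
    """Walk a wp-content/plugins tree; return {relative path: reasons} for suspicious files."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_plugins(root: Path) -> None:
    """Constructed sample tree: plugin names from the report, file contents invented."""
    files = {
        # valid PNG header, benign
        "jwt-log-pro/assets/logo.png": IMAGE_MAGIC[".png"] + b"\x00\x00\x00\rIHDR" + bytes(32),
        # PHP dropped under an image name
        "jwt-log-pro/assets/icon.png": b"<?php eval(base64_decode('aGVsbG8='));",
        # valid JPEG header followed by an opaque (encrypted-looking) blob: passes image checks
        "cron-environment-advanced/assets/cache.jpg": IMAGE_MAGIC[".jpg"] + bytes(range(256)),
        # the loader that gives the blob away
        "cron-environment-advanced/inc/loader.php":
            b"<?php\n$blob = file_get_contents(__DIR__ . '/../assets/cache.jpg');\n"
            b"$code = custom_decrypt($blob, $key);\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_plugins(Path(d))
        return scan_plugins(Path(d))


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(rel, "->", "; ".join(reasons))
```

On a live site point `scan_plugins` at `wp-content/plugins` (and `wp-content/uploads`, where the same trick is common). Treat a loader hit as the stronger signal: custom encryption defeats the marker scan by design, but the PHP that reads the blob has to exist somewhere in the plugin.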

XLab has discovered RPX_Client, a new module in the PolarEdge ORB network, which hijacks IoT devices for global proxy operations. The malware, distributed via IP address 111.119.223.196, onboards infected devices into the PolarEdge proxy pool, providing relay services and executing remote commands. Over 25,000 devices have been compromised, primarily network video recorders and routers. The command-and-control infrastructure includes 140 active RPX_Server nodes, using a PolarSSL test certificate and listening on port 55555. The RPX_Client module functions as a relay agent, disguising its process name and maintaining configuration data encrypted via XOR. The malware maintains two persistent C2 channels for registration, proxy services, and remote command execution.

Latest mentioned: 10-31
Earliest mentioned: 10-30
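The PolarEdge item gives three things a network defender can hunt on: the distribution IP, the RPX_Server listening port 55555, and the PolarSSL test certificate those servers present. The script below is an added example, not XLab's code or tooling; it runs those indicators over Zeek-style ssl.log/conn.log records in JSON form and then picks out source hosts that both fetched from the distribution IP and completed a TLS session to a PolarSSL-certificated server on 55555, the combination that suggests a device has been onboarded. The log lines are constructed for the demo; peers other than the reported distribution IP use RFC 5737 documentation addresses, and the certificate distinguished names are assumed to be the ones from the mbedTLS/PolarSSL test suite, so the match is on the "PolarSSL" organisation string rather than an exact DN.

```python
import json
from collections import defaultdict

# Indicators from the XLab report as summarized above.
RPX_SERVER_PORT = 55555
RPX_DISTRIBUTION_IP = "111.119.223.196"
# Assumption: the test certificate's subject/issuer carry O=PolarSSL; match on that string.
POLARSSL_MARKER = "PolarSSL"


def classify(rec: dict) -> list[str]:
    """Map one Zeek-style ssl/conn record (as a dict) to the indicator names it matches."""
    hits = []
    if rec.get("id.resp_h") == RPX_DISTRIBUTION_IP:
        hits.append("contact_with_rpx_distribution_ip")
    if rec.get("id.resp_p") == RPX_SERVER_PORT:
        dn = " ".join(rec.get(f) or "" for f in ("subject", "issuer"))
        if POLARSSL_MARKER in dn:
            hits.append("rpx_server_polarssl_cert_on_55555")
        else:
            hits.append("tls_on_55555_needs_review")
    return hits


def hunt(log_text: str) -> list[dict]:
    """Run classify() over newline-delimited JSON records; keep only records with hits."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            out.append({"ts": rec["ts"], "src": rec["id.orig_h"], "dst": rec["id.resp_h"],
                        "dport": rec["id.resp_p"], "hits": hits})
    return out


def likely_onboarded(findings: list[dict]) -> dict[str, set[str]]:
    """Source hosts seen both fetching from the distribution IP and talking to an RPX_Server."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["src"]].update(f["hits"])
    required = {"contact_with_rpx_distribution_ip", "rpx_server_polarssl_cert_on_55555"}
    return {h: i for h, i in per_host.items() if required <= i}


# Constructed log lines using Zeek ssl.log / conn.log JSON field names.
SAMPLE_LOG = """
{"ts": 1761900001.1, "id.orig_h": "10.0.5.21", "id.orig_p": 49210, "id.resp_h": "111.119.223.196", "id.resp_p": 80, "proto": "tcp"}
{"ts": 1761900012.4, "id.orig_h": "10.0.5.21", "id.orig_p": 49311, "id.resp_h": "203.0.113.45", "id.resp_p": 55555, "version": "TLSv12", "subject": "CN=localhost,O=PolarSSL,C=NL", "issuer": "CN=PolarSSL Test CA,O=PolarSSL,C=NL"}
{"ts": 1761900020.0, "id.orig_h": "10.0.7.3", "id.orig_p": 50112, "id.resp_h": "198.51.100.9", "id.resp_p": 443, "version": "TLSv13", "subject": "CN=www.example.com", "issuer": "CN=Example Issuing CA"}
{"ts": 1761900033.7, "id.orig_h": "10.0.5.22", "id.orig_p": 50230, "id.resp_h": "192.0.2.77", "id.resp_p": 55555, "version": "TLSv12", "subject": "CN=backup.corp.example", "issuer": "CN=Corp Internal CA"}
"""

if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("likely onboarded:", likely_onboarded(findings))
```

Port 55555 alone is a weak signal, which is why the third host only gets a review flag, and a single IP is easy for the operators to rotate. The certificate is the more durable indicator: a PolarSSL test certificate should never appear on a production service, so a TLS session to one from an NVR or router segment deserves a look regardless of port.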