Latest Cyber News
Curated cybersecurity intelligence • Updated continuously
Cybersecurity researchers have uncovered Airstalk, a sophisticated Windows malware family available in PowerShell and .NET variants. The malware, linked to a nation-state threat actor, uses legitimate mobile device management infrastructure for covert command-and-control communications. It targets sensitive browser credentials and employs advanced evasion techniques, including the use of a likely stolen certificate. The malware's design suggests a well-resourced adversary with advanced capabilities. Organizations utilizing business process outsourcing services are particularly at risk due to the malware's supply chain attack vector.
Gunra ransomware, active since April 2025, poses a significant threat with its dual-platform capability, targeting both Windows and Linux systems. The Windows variant uses ChaCha8 encryption and secure random number generation, making decryption impractical. In contrast, the Linux variant employs ChaCha20 encryption but suffers from a cryptographic flaw due to weak random number generation, allowing potential file recovery through brute-force attacks. Organizations must develop platform-specific threat intelligence and incident response strategies to mitigate risks effectively.
Beast ransomware, a sophisticated Ransomware-as-a-Service (RaaS) operation, has emerged as a significant cybersecurity threat. It employs aggressive network propagation tactics using SMB port scanning to infiltrate and encrypt systems across enterprise environments. The ransomware has targeted organizations worldwide since July 2025, affecting diverse sectors including manufacturing, healthcare, and education. It uses phishing campaigns and the Vidar Infostealer to gain initial access. The malware includes geofencing logic to exclude certain regions, suggesting connections to specific geographical areas. It utilizes the ChaCha20 algorithm for encryption and includes a hidden GUI for manual control. Organizations must prioritize preventive measures and early detection capabilities to defend against this threat.
Researchers developed TEE.Fail, a side-channel attack targeting trusted execution environments (TEEs) in CPUs like Intel SGX and AMD SEV-SNP. The attack exploits DDR5 memory bus interposition to extract cryptographic keys and compromise confidential virtual machines. This method, costing under $1,000, showcases vulnerabilities in modern TEE implementations, emphasizing the need for enhanced security measures.
Coyote malware, initially spread through phishing in 2022, has evolved to use WhatsApp Web for propagation. By 2025, it employed sophisticated techniques like script-driven payloads and browser automation. The malware's latest iteration, Water Saci, features a modular architecture and advanced command-and-control mechanisms, highlighting the increasing sophistication of cyber threats targeting financial and messaging platforms.
Cybersecurity researchers have uncovered a new Android banking trojan called Herodotus, which mimics human behavior to evade detection. The malware, distributed via SMS phishing, targets financial apps and cryptocurrency platforms. Herodotus introduces random delays in text input to appear human-like, making it harder for behavioral biometrics to detect fraud. The trojan is part of a malware-as-a-service model and is under active development, posing new challenges for banks and payment providers.
A new Android malware called GhostGrab is targeting mobile users with a dual-monetization strategy that combines covert cryptocurrency mining with financial data theft. The malware harvests banking credentials, debit card details, and personal information through SMS interception. It also mines Monero cryptocurrency in the background, creating a dual-revenue stream for threat actors. The malware uses advanced persistence techniques and phishing pages to collect sensitive data, which is then transmitted to a Firebase Realtime Database controlled by attackers.
The SideWinder APT group has conducted a sophisticated espionage campaign targeting multiple diplomatic entities. The campaign features a novel PDF and ClickOnce-based infection chain to deliver custom malware for intelligence collection. The phishing waves distributed SideWinder’s signature espionage tools through fake PDF and Word documents. The malware uses geofencing and dynamic URL generation to evade detection, aligning with SideWinder’s historic patterns.
Attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data, payment information, browser credentials, cryptocurrency wallet data, and game accounts. The malware, distributed through standalone binaries, scans for Discord and browser database files, extracts tokens, and intercepts API calls. It uploads stolen data to GoFile and sends the download link to the attacker via a Discord webhook. Users are advised to avoid downloading executables from unverified sources and enable MFA.
Kaspersky researchers have attributed the first Chrome zero-day of 2025 to Memento Labs, formerly known as Hacking Team. The vulnerability, CVE-2025-2783, was exploited in a state-sponsored cyber-espionage campaign. The attack involved sophisticated phishing tactics and the use of Dante spyware, which was traced back to 2022. The malware, LeetAgent, supported commands written in leetspeak and connected to HTTPS C2 servers for various malicious activities. Researchers noted code overlaps between Dante and legacy RCS samples, strengthening the attribution to Memento Labs.