In the second half of 2025, the Qilin ransomware group has continued to publish victim information on its leak site, listing more than 40 victims per month. Manufacturing has been the most affected sector, followed by professional and scientific services, and wholesale trade. The attackers have used tools such as Cyberduck for data exfiltration and legitimate Windows applications such as mspaint.exe and notepad.exe to inspect sensitive files. The group employs a double-extortion strategy, combining file encryption with the threat of publishing stolen data.
Latest Cyber News
The Qilin ransomware group has been running Linux binaries on Windows systems to evade detection and disable defenses. This cross-platform technique involves deploying the ransomware through legitimate remote management and file-transfer tools such as WinSCP and Splashtop Remote. The attackers also steal Veeam backup credentials to cut off recovery options. These tactics have made Qilin one of the most active RaaS groups of 2025, with more than 40 victims a month and a peak of 100 in June. The group relies on global bulletproof hosting networks to support its operations.
Security researchers at Doctor Web have uncovered a sophisticated Android backdoor, Android.Backdoor.Baohuo.1.origin, disguised as Telegram X. The malware gives cybercriminals full control over victims' accounts and devices and has affected more than 58,000 devices worldwide. It spreads through malicious websites and third-party app stores and is controlled through an unusual mechanism built on a Redis database. It can steal credentials, chat histories, and personal data while concealing evidence of compromise. The malware exists in three distinct variants, each of which retains the app's full functionality so as not to arouse the user's suspicion. Doctor Web's analysis indicates that the campaign is tailored to specific markets and could expand to additional regions.
A series of cyberattacks targeting defense contractors specializing in unmanned aerial vehicle (UAV) technology has been attributed to the Lazarus APT group. The campaign, known as Operation DreamJob, used social engineering to deliver malware disguised as job offers. The attacks, which took place between March and August 2025, aimed to steal proprietary manufacturing data and design specifications. The group employed sophisticated techniques, including DLL side-loading and trojanized open-source projects, to evade detection. The campaign's success highlights the need for stronger employee awareness and security training in sensitive sectors.
Check Point Research uncovered the YouTube Ghost Network, a large malware distribution operation comprising more than 3,000 malicious videos. The network, active since 2021, tripled its activity in 2025 and targets users looking for game hacks, cheats, and software cracks. It uses compromised accounts to upload malicious videos, post download links, and manufacture legitimacy through positive comments. Its most successful video, which targeted users seeking Adobe Photoshop, accumulated 293,000 views. The network primarily distributes infostealers such as Rhadamanthys and adapts its tactics to evade detection and maintain persistence. The operation illustrates how trusted platforms are abused for malware distribution.
Socket's Threat Research Team discovered a supply chain attack on the NuGet package registry targeting cryptocurrency developers. The malicious package, Netherеum.All, used a homoglyph attack: a Cyrillic 'е' in place of the Latin 'e' made its name visually identical to that of the legitimate Nethereum library. The package exfiltrated sensitive wallet data, including private keys and mnemonics. The attack exploited NuGet's permissive Unicode naming rules, which do not restrict package identifiers to ASCII characters. The malicious package was published on October 16, 2025, and removed by NuGet on October 20, 2025. The attackers also inflated its download counts to make it appear legitimate. Researchers linked the attack to an earlier typosquat named NethereumNet, indicating a persistent threat.
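A defender-side check for the homoglyph trick described above, written for this digest and not taken from Socket's or NuGet's code: it flags non-ASCII code points in a package identifier and folds known Cyrillic look-alikes to Latin to see whether the name collides with a trusted package. The confusables table is a deliberately small subset (an assumption for the example; a production check would use the full Unicode confusables data), and the trusted list and suspect name are constructed inputs.

```python
import unicodedata

# Assumption: a minimal Cyrillic -> Latin confusables subset, enough for this example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def non_ascii_chars(package_id):
    """Return (index, char, unicode_name) for every non-ASCII code point in the id."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(package_id) if ord(ch) > 127]

def skeleton(package_id):
    """Fold known confusable characters to their Latin look-alikes, then lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in package_id).lower()

def homoglyph_match(package_id, trusted_ids):
    """Return the trusted id this package id impersonates, or None.

    A match means the id is not the trusted id itself (case-insensitively)
    but becomes identical to it once look-alike characters are folded.
    """
    folded = skeleton(package_id)
    for trusted in trusted_ids:
        if package_id.lower() != trusted.lower() and folded == skeleton(trusted):
            return trusted
    return None

def assess(package_id, trusted_ids):
    """Collect human-readable findings for one package id (empty list = nothing found)."""
    findings = []
    suspicious = non_ascii_chars(package_id)
    if suspicious:
        findings.append(f"non-ASCII characters: {suspicious}")
    target = homoglyph_match(package_id, trusted_ids)
    if target:
        findings.append(f"folds to trusted id '{target}'")
    return findings

# Constructed sample data: a trusted allow-list and a suspect id whose second 'e'
# (index 6) is CYRILLIC SMALL LETTER IE (U+0435), mirroring the case described above.
TRUSTED = ["Nethereum.All", "Newtonsoft.Json"]
SUSPECT = "Nether\u0435um.All"

if __name__ == "__main__":
    for pid in [SUSPECT, "Nethereum.All", "NethereumNet"]:
        print(pid, "->", assess(pid, TRUSTED) or ["clean"])
```

The plain typosquat NethereumNet is reported clean here because it differs by more than look-alike characters; catching it needs an edit-distance check, which is a separate control.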
A cyber-espionage campaign targeting government entities running Linux systems has been uncovered. The campaign, attributed to the group TransparentTribe, uses a new remote access tool called DeskRAT. Researchers found that phishing emails delivered malicious ZIP archives containing decoy documents. Dedicated staging servers distributed the malware, which ran a Bash command sequence to download and execute a binary payload. DeskRAT can establish command-and-control communications, upload and execute files remotely, and maintain persistence through several Linux-specific techniques.
Cybersecurity researchers have identified a new threat called Caminho, a Loader-as-a-Service (LaaS) that hides .NET payloads inside images using Least Significant Bit (LSB) steganography. Active since March 2025, the operation targets businesses through spear-phishing emails built around social engineering lures. The infection chain starts with JavaScript or VBScript files that fetch obfuscated PowerShell code, which in turn extracts the malicious payload from images hosted on trusted sites. This fileless approach, combined with anti-analysis tricks, makes Caminho hard to detect. The loader injects the final malware into benign processes and establishes persistence through scheduled tasks.
Vidar 2.0, an upgraded version of the Vidar infostealer, has been released with enhanced data exfiltration and evasion capabilities. The new version, rewritten in C, has a multithreaded architecture for faster data collection and new techniques for bypassing browser security measures. The upgrade coincides with the decline of Lumma Stealer, positioning Vidar as a leading contender in the infostealer market. Security teams should expect increased Vidar 2.0 activity in the coming months.
A highly coordinated cyberattack, codenamed PhantomCaptcha, targeted major humanitarian and government organizations supporting war relief efforts. The attack, which lasted only 24 hours, used phishing emails and a fake captcha lure to deploy a remote access trojan. Researchers noted similarities with the COLDRIVER threat group, known for sophisticated operations. The attackers spent six months preparing, indicating a high degree of planning and attention to evasion.