Cyber Security Week in Review: August 22, 2025

Apple has released emergency security updates to patch a critical zero-day vulnerability (CVE-2025-43300) found in its Image I/O framework. The flaw, caused by an out-of-bounds write issue, allows remote attackers to execute arbitrary code by tricking victims into opening a specially crafted image file. Apple confirmed the vulnerability was exploited in ‘an extremely sophisticated attack’ targeting specific individuals but did not disclose details about the attackers or the nature of the incidents.

A Russian state-sponsored hacking group known as Static Tundra, linked to the FSB’s Center 16 and possibly part of the Energetic Bear group, has been exploiting a known Cisco vulnerability (CVE-2018-0171) in a long-running cyber espionage campaign. The group targets outdated Cisco devices in industries like telecommunications, education, and manufacturing across North America, Europe, Asia, and Africa. Static Tundra uses the flaw to steal data and maintain access to internal networks, especially increasing attacks on Ukrainian organizations since the Russia-Ukraine war began.

A Russian cybercriminal group known as EncryptHub, also tracked as LARVA-208 and Water Gamayun, is actively targeting a now-patched vulnerability in Microsoft Windows (CVE-2025-26633, nicknamed “MSC EvilTwin”) to spread malware. The hackers combine social engineering and technical methods to bypass security systems. In the latest campaign, the threat actors have been sending Microsoft Teams requests to victims while posing as IT staff. Once contact is made, a malicious Microsoft Console (MSC) file is delivered onto the victim’s system, which installs malware.

Malicious actors are exploiting a critical two-year-old vulnerability (CVE-2023-46604) in Apache ActiveMQ to breach cloud-based Linux systems. After gaining access, they patch the flaw to avoid detection and block other attackers. The hackers deploy a new malware called DripDropper, which uses Dropbox as its command-and-control system.

A threat actor, tracked as UAT-7237, has been observed targeting web infrastructure entities in Taiwan using tailored versions of open-source tools. The threat actor is believed to be a subgroup of UAT-5918, which has been active against Taiwanese critical infrastructure since at least 2023.

Microsoft has released a deep dive into threat campaigns leveraging the ClickFix social engineering technique, which attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks.

On the same topic, Mandiant has analyzed UNC5518, a financially driven threat group that compromises legitimate websites to display fake CAPTCHA verification pages. UNC5518 manages the initial compromise and CAPTCHA setup but does not deliver the final malware; instead, it provides access to other threat actors through downloader scripts functioning as an access-as-a-service. Groups known to leverage this access include UNC5774 (deploys the CORNFLAKE backdoor and various payloads), and UNC4108, which uses PowerShell-based tools for reconnaissance and further malware deployment.

PAN’s Unit42 has detected a malicious campaign that exploits a remote code execution flaw in GeoServer (CVE-2024-36401) to gain access to victims’ machines and monetize access to their bandwidth. Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies.

StrikereadyLabs published technical analysis of an APT campaign that targets military personnel in Sri Lanka, Bangladesh, Pakistan, and Turkey.

The Pakistan-linked APT group Transparent Tribe (aka APT36) launched a new cyber espionage campaign targeting Indian government and defense organizations. The attackers used phishing emails with ZIP file attachments containing malicious Linux “.desktop” shortcut files. Once executed, the shortcuts downloaded additional payloads from Google Drive, which allowed the group to breach systems and steal sensitive information.

CrowdStrike warns of increased cyber activity from Murky Panda, a China-linked hacking group targeting government, tech, academic, legal, and professional services organizations in North America. The group exploits cloud environments, using known and new vulnerabilities to gain access through internet-facing systems. The threat actor uses tools like Neo-reGeorg web shells and a rare malware called CloudedHope. The main goal appears to be stealing sensitive data, including emails and important documents, for intelligence purposes.

A new phishing-as-a-service (PhaaS) framework has been discovered, which appears to have some overlaps with known threat actors Storm-1575 and Storm-1747, although it uses different tactics and infrastructure. Dubbed ‘Salty 2FA,’ the service uses a unique domain structure combining .com subdomains with .ru domains and leverages a multi-stage execution process specifically designed to evade detection. The kit can bypass various two-factor authentication methods, including push notifications, SMS, and voice calls, allowing attackers to gain access even when credentials alone are not enough.

A recent IBM X-Force report examines a novel loader, called ‘QuirkyLoader’, used to deliver additional payloads to infected systems, including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger.

Insikt Group has published an in-depth analysis of the Lumma infostealer, active since 2022, along with insights into the affiliates operating it. The report says that Lumma affiliates often run multiple schemes at once to increase success rates and avoid detection, including rental scams and the use of various other malware-as-a-service (MaaS) platforms like Vidar, Stealc, and Meduza Stealer.

The UK has imposed new sanctions on financial institutions and cryptocurrency networks in Kyrgyzstan for helping Russia evade international sanctions. Targets include the crypto token A7A5, issued by Kyrgyz company Old Vector, which has processed over $51 billion, and Capital Bank along with its director, Kantemir Chalbayev. Assets linked to these entities in the UK are now frozen. The move follows similar US measures aimed at disrupting financial support for Russia's war in Ukraine and other hostile activities.

In an INTERPOL-led operation, African authorities arrested 1,209 cybercriminals targeting 88,000 victims. The crackdown recovered $97.4 million and took down 11,432 malicious networks.

A 22-year-old hacker named Ethan Foltz has been charged in the US for allegedly creating and running a botnet-for-hire service called “Rapper Bot.” Authorities say the botnet, also known as “Eleven Eleven Botnet” and “CowBot,” was used in over 370,000 cyberattacks worldwide since 2021.

Noah Michael Urban, a 20-year-old member of the cybercriminal group Scattered Spider, was sentenced to 10 years in prison and ordered to pay $13 million in restitution to over 30 victims. He pleaded guilty to charges related to stealing cryptocurrency and sensitive corporate data through phishing and SIM-swapping attacks. From August 2022 to March 2023, Urban and his group used stolen identities and fake messages to hack into company systems. Authorities seized nearly $2.9 million in cryptocurrency from his home, which he has forfeited.

A 55-year-old Chinese national, Davis Lu, was sentenced to four years in prison for planting malicious code in his employer's computer systems. Lu, who reportedly worked for Eaton Corporation since 2007, sabotaged the systems in 2018 and 2019 after his role was reduced during a corporate restructuring. He created infinite loops to crash servers by endlessly spawning threads, deleted coworkers’ profile files, and built a “kill switch” that locked out all users if his Active Directory account was disabled. The kill switch activated automatically when he was placed on leave and surrendered his laptop on September 9, 2019, affecting thousands of users worldwide. In addition to the prison time, Lu will serve three years of supervised release.

Europol has confirmed that a fake Telegram channel offering a $50,000 reward for information on two Qilin ransomware admins known as ‘Haise’ and ‘XORacle’ is a hoax. The impersonator later admitted it was a prank targeting researchers and journalists. The post was signed by Rey, an individual previously linked to breaches at Telefonica and Orange Group.