Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics
“Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. “The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities,” the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News.”
Source: TheHackerNews

10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux
“Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. “The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS,” Socket security researcher Kush Pandya said.”
Source: TheHackerNews

Qilin Ransomware Abuses WSL to Run Linux Encryptors in Windows
“The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools. The ransomware first launched as “Agenda” in August 2022, rebranding to Qilin by September and continuing to operate under that name to this day. Qilin has become one of the most active ransomware operations, with new research from Trend Micro and Cisco Talos stating that the cybercrime gang has attacked more than 700 victims across 62 countries this year. Both firms say the group has become one of the most active ransomware threats worldwide, publishing over 40 new victims per month in the second half of 2025.”
Source: BleepingComputer

CISA Warns of Two More Actively Exploited Dassault Vulnerabilities
“The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes’ DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution. The first one (CVE-2025-6205) is a critical-severity missing authorization security flaw that can allow unauthenticated threat actors to remotely gain privileged access to an unpatched application, while the second (CVE-2025-6204) is a high-severity code injection vulnerability that lets attackers with high privileges execute arbitrary code on vulnerable systems.”
Source: BleepingComputer

YouTube Ghost Network Utilizes Spooky Tactics to Target Users
“Threat actors are haunting YouTube, lurking in compromised accounts and using videos to trick unsuspecting users into downloading malware. In a recent investigation, Check Point Research discovered a collection of malicious YouTube accounts, known as YouTube Ghost Network, promoting malicious links and distributing a wide variety of malware. Though Ghost Network operates across multiple platforms, including GitHub, Check Point researchers identified at least 3,000 malicious videos on YouTube associated with the network, most of which have since been taken down. The group, which has been active since 2021, has been producing more and more content over the years, tripling its output in 2025.”
Source: SecurityWeek