Security News

Security News Security Uncategorized

Security Highlights Of The Day [29/10/25]

New Herodotus Android Malware Fakes Human Typing to Avoid Detection
A new Android malware family, Herodotus, uses random delay injection in its input routines to mimic human behavior on mobile devices and evade timing-based detection by security software. Herodotus, according to Threat Fabric, is offered as a malware-as-a-service (MaaS) to financially motivated cybercriminals, believed to be the same operators behind Brokewell. Although the malware is still in development, clients of the new MaaS platform are currently deploying it against Italian and Brazilian users through SMS phishing (smishing) text messages. The malicious SMS contains a link to a custom dropper that installs the primary payload and attempts to bypass Accessibility permission restrictions present in Android 13 and later.
Source: BleepingComputer

Google Disputes False Claims of Massive Gmail Data Breach
Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts. This claim began over the weekend and into today, with news stories claiming that millions of Gmail accounts were breached, with some outlets saying it affected the full 183 million accounts. However, as the company explained in a series of posts on Monday, Gmail did not suffer a breach, and the compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years. “Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defenses are strong, and users remain protected,” reads a post on X. “The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.” “Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false,” Google added.
Source: BleepingComputer

SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats
A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025. The activity “reveals a notable evolution in SideWinder’s TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors,” Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week. The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts.
Source: TheHackerNews

New ChatGPT Atlas Browser Exploit Lets Attackers Plant Persistent Hidden Commands
Cybersecurity researchers have discovered a new vulnerability in OpenAI’s ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant’s memory and run arbitrary code. “This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware,” LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News. The attack, at its core, leverages a cross-site request forgery (CSRF) flaw that could be exploited to inject malicious instructions into ChatGPT’s persistent memory. The corrupted memory can then persist across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user’s account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes.
Source: TheHackerNews

Massive China-Linked Smishing Campaign Leveraged 194,000 Domains
Threat actors are impersonating critical and general services, online platforms, and cryptocurrency exchanges in a massive smishing campaign that has been ongoing since April 2024, Palo Alto Networks warns. The cybersecurity firm first warned of the campaign in early March, when it identified over 10,000 domains linked to the impersonation of toll and package delivery services. Roughly a month later, it warned of over 91,500 root domains employed in these attacks. Subsequent analysis revealed that the campaign is much more extensive, with over 194,000 malicious domains used in these attacks since January 1, 2024. In addition to toll and package delivery services, the attacks also impersonate healthcare organizations, banks, cryptocurrency platforms, ecommerce and online payment platforms, law enforcement, and social media platforms.
Source: SecurityWeek

Security Security News Uncategorized

Security Highlights Of The Day [28/10/25]

Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for 84 victims each in the months of August and September 2025. Qilin is known to be active since around July 2022. According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors.
Source: TheHackerNews

Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug. The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network. It’s worth noting that the vulnerability does not impact Windows servers that do not have the WSUS Server Role enabled.
Source: TheHackerNews

Hackers Launch Mass Attacks Exploiting Outdated WordPress Plugins
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE). WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9. The campaign expoits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8). CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.
Source: BleepingComputer

Hackers Steal Discord Accounts With RedTiger-based Infostealer
Attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data and payment information. The malware can also steal credentials stored in the browser, cryptocurrency wallet data, and game accounts. RedTiger is a Python-based penetration testing suite for Windows and Linux that bundles options for scanning networks and cracking passwords, OSINT-related utilities, Discord-focused tools, and a malware builder. RedTiger’s info-stealer component offers the standard capabilities of snatching system info, browser cookies and passwords, crypto wallet files, game files, and Roblox and Discord data. It can also capture webcam snapshots and screenshots of the victim’s screen.
Source: BleepingComputer

Ransomware Payments Dropped in Q3 2025: Analysis
Ransomware payments dropped significantly in the third quarter of 2025, according to an analysis conducted by ransomware incident response firm Coveware. According to Coveware, ransomware payment rates dropped to a historical low of 23% in Q3 2025, indicating that “cyber extortion’s overall success rate is contracting”, which should be viewed as a success of the efforts of law enforcement, cyber defenders and legal specialists. Coveware reported that the average ransom payment in Q3 2025 was roughly $377,000, a 66% decrease compared to the previous quarter. The median ransom payment dropped by 65%, to $140,000. The company has largely attributed the drop in payment amounts to a couple of trends. The first is large enterprises increasingly refusing to pay ransoms after being targeted in a ransomware attack.
Source: SecurityWeek

Security Security News Uncategorized

Security Highlights Of The Day [27/10/25]

Windows Server Emergency Patches Fix WSUS Bug With PoC Exploit
Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code. WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network. Tracked as CVE-2025-59287 and patched during this month’s Patch Tuesday, this remote code execution (RCE) security flaw affects only Windows servers with the WSUS Server Role enabled, a feature that isn’t enabled by default. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. This makes it potentially wormable between WSUS servers.
Source: BleepingComputer

Zero Trust Has a Blind Spot—Your AI Agents
Agentic AI has arrived. From custom GPTs to autonomous copilots, AI agents now act on behalf of users and organizations, or even act as just another teammate, making decisions, accessing systems, and invoking other agents without direct human intervention. But, with this new level of autonomy comes an urgent security question: If AI is doing the work, how do we know when to trust it? In traditional systems, Zero Trust architecture assumes no implicit trust, where every user, endpoint, workload, and service must continuously prove who they are and what they’re authorized to do. However, in the agentic AI world, these principles break down fast. AI agents often operate under inherited credentials, with no registered owner or identity governance. The result is a growing population of agents that may look trusted but actually are not, one of many risks of autonomous AI agents in your infrastructure.
Source: BleepingComputer

3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation
A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads. Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. It has been codenamed the YouTube Ghost Network by Check Point. Google has since stepped in to remove a majority of these videos. The campaign leverages hacked accounts and replaces their content with “malicious” videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000.
Source: TheHackerNews

Toys ‘R’ Us Canada Customer Information Leaked Online
Toy store Toys “R” Us Canada this week notified its customers that a threat actor stole their personal information and leaked it on the dark web. The incident, the company said in notification emails to customers, copies of which have been shared on social media platforms, was discovered on July 30, after the information was posted on “the unindexed internet”. “We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident. The investigation revealed that the unauthorized third party copied certain records from our customer database which contains personal information,” the notification reads. The compromised information, the company told shoppers, includes names, addresses, email addresses, and phone numbers. It also said it was in the process of notifying the relevant authorities.
Source: SecurityWeek

Pwn2Own WhatsApp Hacker Says Exploit Privately Disclosed to Meta
A total of $1,024,750 has been paid out at the Pwn2Own Ireland 2025 hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), but the event has been overshadowed by the last-minute withdrawal of a researcher who was scheduled to demonstrate a WhatsApp exploit worth $1 million. The highest reward at Pwn2Own Ireland 2025, $100,000, was paid out for an exploit chain targeting the QNAP Qhora-322 router and the QNAP TS-453E NAS device. Two Samsung Galaxy S25 exploit chains were each rewarded with $50,000, and the same amount was earned for vulnerabilities in Synology ActiveProtect Appliance DP320 and the Sonos Era 300 smart speaker. Participants received up to $40,000 for hacking Ubiquiti cameras, QNAP and Synology NAS devices, Lexmark and Canon printers, and smart home systems such as Phillips Hue Bridge, Amazon Smart Plug, and Home Automation Green.
Source: SecurityWeek

Security Security News Uncategorized

Security Highlights Of The Day [22/10/25]

Over 75,000 WatchGuard Security Devices Vulnerable to Critical RCE

Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and remain vulnerable to a critical flaw (CVE-2025-9242) that allows unauthenticated remote code execution. Most affected devices are located in Europe and North America, with the U.S. leading (24,500 devices), followed by Germany, Italy, the U.K., Canada, and France.

Source: BleepingComputer

Self-Spreading GlassWorm Malware Hits OpenVSX, VS Code Registries

A new supply-chain attack targets developers on OpenVSX and Microsoft Visual Studio marketplaces using self-spreading malware called GlassWorm, installed an estimated 35,800 times. It hides malicious code with invisible characters and spreads via stolen accounts. The malware’s operators use Solana blockchain for C2, with Google Calendar as backup.

Source: BleepingComputer

To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

Google Threat Intelligence Group (GTIG) reports that COLDRIVER, a Russian state-sponsored group, has deployed new malware families following the public exposure of its LOSTKEYS malware in May 2025. The new malware shows a rapid increase in development and aggressive deployment, replacing LOSTKEYS entirely in recent operations.

Source: Google Cloud

Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets

CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including two actively exploited Oracle E-Business Suite flaws (CVE-2025-61884 and CVE-2025-61882). The vulnerabilities allow unauthenticated remote code execution and unauthorized data access. Oracle and Microsoft systems are among those impacted.

Source: TheHackerNews

Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities

Vidar Stealer v2.0 has been released, transitioning from C++ to C for improved speed and efficiency. The new version adds anti-analysis features, multithreaded data theft, and advanced credential extraction methods. It maintains a $300 lifetime price and continues to compete with other major infostealers like Lumma and StealC.

Source: TrendMicro

Security Security News Uncategorized

Security Highlights Of The Day [21/10/25]

TikTok Videos Continue to Push Infostealers in ClickFix Attacks

Cybercriminals are using TikTok videos disguised as free activation guides for popular software (Windows, Spotify, Netflix, Microsoft 365, Adobe, CapCut Pro, Discord Nitro and others) to spread information-stealing malware. The videos perform ClickFix attacks — social-engineering “fixes” that trick users into executing malicious PowerShell commands or other scripts that infect their machines with infostealers.

Source: BleepingComputer

Google Ads for Fake Homebrew, LogMeIn Sites Push Infostealers

A malicious campaign targets macOS developers with fake Homebrew, LogMeIn and TradingView sites promoted via ads to deliver infostealers such as AMOS (Atomic macOS Stealer) and Odyssey. The campaign uses ClickFix techniques to trick targets into running commands in Terminal, causing them to self-install malware.

Source: BleepingComputer

131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

Researchers uncovered a coordinated campaign using 131 rebranded clones of a WhatsApp Web automation Chrome extension to spam Brazilian users at scale. The extensions share code, design patterns, and infrastructure, collectively serving ~20,905 active users and automating bulk outreach to bypass WhatsApp’s anti-spam controls.

Source: TheHackerNews

Amazon’s AWS Recovering After Major Outage Disrupts Apps, Services Worldwide

Amazon Web Services reported recovery after a widespread outage that knocked out thousands of websites and disrupted major apps (including Snapchat and Reddit), causing global service interruptions. Systems began returning online after roughly three hours, with AWS reporting significant signs of recovery while working through a backlog of queued requests.

Source: Reuters

Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack

Researchers linked an intrusion to China-based group Salt Typhoon (aka Earth Estries/GhostEmperor/UNC2286) that exploited a Citrix NetScaler Gateway vulnerability, using DLL sideloading and zero-day techniques to infiltrate systems. The group has targeted critical sectors (telecom, energy, government) across 80+ countries, employing advanced tactics to evade detection.

Source: Infosecurity Magazine

Security Security News Uncategorized

Security Highlights Of The Day [20/10/25]

Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities

On Oct. 15, 2025, F5 disclosed a long-term compromise of their corporate networks in which a nation-state actor exfiltrated files from BIG-IP product development and engineering knowledge platforms, including some source code and information about undisclosed vulnerabilities. F5 stated it has no evidence of active exploitation of undisclosed critical or remote code vulnerabilities and found no indication of access to CRM, financial, support case management, or iHealth systems; some exfiltrated files contained configuration or implementation information for a small percentage of customers.

Source: Unit42 (Palo Alto Networks)

Over 266,000 F5 BIG-IP Instances Exposed to Remote Attacks

Shadowserver Foundation found more than 266,000 F5 BIG-IP instances exposed online following F5’s disclosure of a network breach and stolen source code. F5 released patches addressing 44 vulnerabilities (including ones referenced in the incident) and urged customers to update BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients immediately, while noting there is no current knowledge of undisclosed critical remote code execution vulnerabilities being exploited.

Source: BleepingComputer

Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign

Microsoft revoked more than 200 certificates used by an actor tracked as Vanilla Tempest to fraudulently sign malicious binaries distributed in fake Teams setup files that delivered the Oyster backdoor and deployed Rhysida ransomware. The activity was detected in late September 2025 and disrupted earlier in October; Microsoft updated security solutions to flag signatures associated with the fake setup files, the Oyster backdoor, and Rhysida ransomware.

Source: TheHackerNews

Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices

A critical out-of-bounds write vulnerability in WatchGuard Fireware, tracked as CVE-2025-9242 (CVSS 9.3), affects multiple Fireware OS versions and may allow unauthenticated remote attackers to execute arbitrary code on perimeter appliances. WatchTowr Labs notes the flaw has characteristics attractive to ransomware groups—affecting an internet-exposed service and being exploitable without authentication—prompting advisories and patches from WatchGuard.

Source: TheHackerNews

‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability

Microsoft assigned a CVSS score of 9.9 to an HTTP request smuggling vulnerability in Kestrel (ASP.NET Core’s web server), tracked as CVE-2025-55315—the highest severity score assigned by Microsoft to date. The flaw could allow an attacker to smuggle an HTTP request inside another request to bypass front-end security controls or hijack user credentials, prompting urgent mitigation and updates.

Source: SecurityWeek

Security Security News Uncategorized

Security Highlights Of The Day [16/10/25]

Defrosting PolarEdge’s Backdoor

Researchers at Sekoia.io analyzed a botnet dubbed PolarEdge, first detected in January 2025, which exploits CVE-2023-20118 to achieve remote code execution (RCE) and deploy a web shell on target routers. A subsequent attack in February 2025 involved a remote command that installed a TLS-based backdoor implant. The campaign also includes related payloads targeting Asus, QNAP, and Synology routers, revealing a broader family of attacks.

Source: Sekoia

Mysterious Elephant: A Growing Threat

Kaspersky GReAT researchers have detailed activity from Mysterious Elephant, an APT group targeting government and foreign affairs organizations in the Asia-Pacific region. Active since 2023, the group adapts its tactics, using WhatsApp exploitation to exfiltrate documents and other sensitive data. Its 2025 campaigns rely on new custom-made and modified open-source tools like BabShell and MemLoader to enhance stealth and effectiveness.

Source: Securelist (Kaspersky)

Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend Micro discovered an operation exploiting Cisco’s SNMP vulnerability (CVE-2025-20352) to deploy Linux rootkits on vulnerable network devices. Attackers used spoofed IPs and Mac email addresses, with the malware setting a universal password containing the word “disco.” Once implanted, it hooks into IOSd components, achieving fileless persistence. While newer Cisco switch models use ASLR for protection, repeated attempts can still succeed.

Source: TrendMicro

PhantomVAI Loader Delivers a Range of Infostealers

Palo Alto Networks’ Unit 42 team reported phishing campaigns using PhantomVAI Loader to deliver various information-stealing malware through multi-stage infection chains. Originally linked to Katz Stealer, the loader now distributes AsyncRAT, XWorm, FormBook, and DCRat. Sold as malware-as-a-service, PhantomVAI Loader employs steganography and obfuscation to conceal payloads and evade detection.

Source: Unit42 (Palo Alto Networks)

New Android Pixnapping Attack Steals MFA Codes Pixel-By-Pixel

A newly discovered side-channel attack named Pixnapping allows a malicious Android app to capture pixels displayed by other apps or websites and reconstruct sensitive data, including chat messages, emails, and two-factor authentication codes. Developed by researchers from seven U.S. universities, the attack works on fully patched modern Android devices and can steal 2FA codes in under 30 seconds.

Source: BleepingComputer

Security Security News Uncategorized

Security Highlights Of The Day [15/10/25]

New Stealit Campaign Abuses Node.js Single Executable Application

FortiGuard Labs has identified a new and active Stealit malware campaign leveraging Node.js’ Single Executable Application (SEA) feature to distribute payloads. The campaign began after a spike in detections of a Visual Basic script later confirmed to serve persistence purposes. Unlike earlier Stealit campaigns built with Electron, this version uses Node.js’ SEA to bundle scripts and assets into standalone binaries, enabling execution without a pre-installed Node.js runtime.

Source: Fortinet

GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware

Cyble Research and Intelligence Labs (CRIL) observed a surge in Android malware campaigns disguised as Indian RTO applications. Distributed via WhatsApp messages, SMS, and compromised websites, these fake apps capture banking credentials, UPI PINs, and exfiltrate SMS messages with financial keywords. Some variants even include cryptocurrency mining features. Infected devices are registered through a Telegram bot named GhostBatRat_bot, linking the campaign to the GhostBat RAT malware.

Source: Cyble

When the Monster Bytes: Tracking TA585 and Its Arsenal

Proofpoint researchers have uncovered a new cybercriminal actor, TA585, operating with high sophistication and distributing malware like MonsterV2, a remote access trojan, stealer, and loader. MonsterV2 is sold on hacking forums and used by a small number of actors. TA585 stands out for managing its own infrastructure, delivery, and malware deployment without relying on third-party services or brokers.

Source: Proofpoint

Chinese Hackers Abuse Geo-Mapping Tool for Year-Long Persistence

Chinese state-sponsored hackers remained undetected for over a year by exploiting a component in Esri’s ArcGIS geo-mapping tool, converting it into a web shell. ArcGIS, widely used by municipalities and infrastructure operators, supports server object extensions that extend its functionality. ReliaQuest researchers attribute the attack to a Chinese APT group, likely Flax Typhoon, based on operational similarities.

Source: BleepingComputer

npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels

Researchers have discovered malicious packages across npm, Python, and Ruby ecosystems using Discord as a command-and-control channel. Attackers exploit Discord webhooks to transmit stolen data to actor-controlled channels, as webhooks can post messages without authentication and are write-only, preventing defenders from reviewing prior posts. This approach shifts the economics of supply chain attacks by leveraging widely accessible cloud-based tools.

Source: TheHackerNews

AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr

Privacy Policy  | Terms of Service Responsible Disclosure

© 2026 AresISEC

Facebook-f Linkedin Wpforms
Scroll to top