Cyber Security Week in Review: June 6, 2025

Two critical security vulnerabilities have been discovered in the popular open-source forum software vBulletin, with one of the flaws confirmed to be actively exploited in the wild. The vulnerabilities, tracked as CVE-2025-48827 and CVE-2025-48828, affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or newer. The flaws stem from improper use of PHP’s Reflection API and weaknesses in vBulletin’s template engine.

Security experts have issued a warning about CVE-2025-49113, a critical remote code execution vulnerability in the Roundcube webmail application. The flaw, present in versions 1.1.0 through 1.6.10, has existed for over a decade and was patched on June 1st. Researchers report that an exploit for the vulnerability is already being sold on underground forums, and there is evidence of active exploitation attempts.

Google released an out-of-band security update for its Chrome browser, addressing three vulnerabilities, including a zero-day flaw that is being actively exploited in the wild. The critical vulnerability, tracked as CVE-2025-5419, is described as an out-of-bounds read and write issue in Chrome’s V8 JavaScript and WebAssembly engine. The flaw could allow attackers to corrupt memory.

Cybersecurity researchers at Cisco Talos have uncovered a new destructive malware variant they dubbed “PathWiper,” which was used in a recent cyberattack against a critical infrastructure entity in Ukraine. The attack has been attributed to a Russia-linked state-sponsored hacker group.

ESET researchers uncovered a cyberespionage campaign by the Iran-aligned APT group BladedFeline, likely linked to the known Iranian threat actor OilRig. Active since at least 2017, the group initially targeted officials in the Kurdistan Regional Government (KRG) using implants tied to OilRig. In 2023, BladedFeline deployed its custom Shahmaran backdoor against Kurdish diplomatic officials and later expanded its infiltration to high-ranking officials in the Iraqi government (GOI). The group has since advanced its malware capabilities to maintain and broaden access. In 2024, ESET observed BladedFeline’s Whisper and PrimeCache IIS backdoors, along with other post-compromise tools, in the networks of Kurdish and Iraqi officials, as well as a telecommunications provider in Uzbekistan.

Proofpoint and Threatray released a two-part series profiling TA397 (aka Bitter), believed to be an espionage group working on behalf of the Indian government.

Microsoft, CrowdStrike, Palo Alto Networks, and Google announced plans to create a public glossary of state-sponsored hacking groups and cybercriminals. The initiative aims to standardize the confusing and often whimsical nicknames used by cybersecurity firms to track digital adversaries.

Cryptocurrency exchange BitMEX said it thwarted an attempted phishing attack believed to be orchestrated by the North Korean state-backed hacking collective Lazarus Group, notorious for its massive cryptocurrency heists. BitMEX revealed that one of its employees was targeted on LinkedIn by a fake recruiter promoting a job at an NFT project. The attacker attempted to trick the employee into executing malicious code, but the threat was flagged and neutralized before any harm was done.

The US FBI has warned that millions of consumer Android devices such as cheap smart TVs, tablets, media players, and other off-brand electronics manufactured in China are shipping globally with the BadBox 2.0 malware preinstalled. Once connected to home networks, the devices form part of a massive BadBox 2.0 botnet, which grants cybercriminals unauthorized access via backdoors, enabling them to install additional malware and exploit home IoT networks. The FBI and CISA have also released a joint advisory on new tactics and indicators of compromise (IOCs) related to the Play (aka Playcrypt) ransomware group.

A new variant of the Chaos Remote Access Trojan (Chaos RAT) has been observed in recent cyberattacks targeting both Windows and Linux systems. According to Acronis, attackers may be distributing the malware under the disguise of a legitimate network troubleshooting utility for Linux. 

A sophisticated campaign is using fake websites to trick users into executing malicious PowerShell scripts, ultimately infecting their systems with the NetSupport Remote Access Trojan (RAT). Researchers from the DomainTools Investigations (DTI) team said that the malicious scripts are hosted on fake sites impersonating popular services such as Gitcode and DocuSign.

A cryptojacking campaign dubbed ‘JINX-0132’ is actively targeting publicly accessible DevOps infrastructure to covertly mine cryptocurrency. The threat actors are compromising services like Docker, Gitea, and HashiCorp’s Consul and Nomad platforms by exploiting known misconfigurations and vulnerabilities. The attackers deploy the XMRig miner to hijack compute resources, costing victims tens of thousands of dollars in stolen CPU and memory capacity.

AhnLab Security Intelligence Center (ASEC) has uncovered a series of cyberattacks targeting Korean internet cafés, involving remote access trojans (RATs) and cryptocurrency mining malware. The attacks began in the second half of 2024 and are believed to be carried out by a threat actor active since 2022. The attackers focused on internet café systems running specialized management software used to track customer usage and automate billing. The systems, typically equipped with powerful GPUs for gaming, were infected with the Gh0st RAT malware.

Google's Threat Intelligence Group (GTIG) has discovered a series of targeted cyberattacks orchestrated by a financially motivated threat cluster it tracks as “UNC6040,” with hackers posing as the ShinyHunters extortion group. The attackers are using advanced social engineering tactics, including voice phishing (vishing), to steal sensitive data from multinational companies via their Salesforce platforms.

A hacker is targeting fellow hackers, gamers, and researchers by uploading malicious code to GitHub that installs backdoors and remote access malware. The GitHub account behind it, 'ischhfd83,' was linked to 141 repositories, with 133 containing similar covert backdoors. The attack used various methods, including obfuscated Python scripts, malicious JavaScript files, Windows screensavers, and tampered Visual Studio projects.

Several popular Google Chrome extensions, including SEMRush Rank, PI Rank, MSN New Tab/Homepage, DualSafe Password Manager, and Browsec VPN, have been found to transmit sensitive user data over unencrypted HTTP connections and embed hard-coded secrets within their code. Since the data is not encrypted, it is vulnerable to Man-in-the-Middle (MITM) attacks, Symantec warns.

A recent data breach at cryptocurrency exchange Coinbase has been traced to bribed customer support agents working for TaskUs, a US-based outsourcing firm with operations in India, according to a Reuters investigation. The breach, first detected in January 2025, came to light when a TaskUs employee was caught photographing her computer screen with a personal device. An internal probe revealed that two employees had been leaking sensitive Coinbase user data to external hackers in exchange for bribes.

Security researchers have discovered a tracking method used by Meta and Yandex that can de-anonymize billions of Android users even when browsing in Incognito Mode. The researchers found that native Android apps, including Facebook, Instagram, and Yandex apps like Maps and Browser, silently listen on fixed local ports for tracking purposes.
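The localhost-listener technique above can be audited from the defender's side by reading the device's socket table. The following is an added example, not code from the researchers or the page: it parses the text of `/proc/net/tcp` (as obtained with `adb shell cat /proc/net/tcp` on a little-endian Android device) and reports which app UIDs hold LISTEN sockets bound to 127.0.0.0/8. The sample table is constructed; the UIDs, ports and inodes in it are hypothetical.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed sample of /proc/net/tcp output (hypothetical values, not from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 54321 1 0000000000000000 100 0 0 10 0
   1: 0100007F:303A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 54322 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 54323 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C350 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10045        0 54324 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A          # socket state code used by the kernel for LISTEN
ANDROID_APP_UID_START = 10000  # UIDs at or above this belong to installed apps

@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int
    inode: int

def _decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn the kernel's 'AABBCCDD:PPPP' form into (dotted IPv4, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the IPv4 address in host byte order; Android devices are little-endian.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def loopback_listeners(proc_net_tcp: str) -> list[Listener]:
    """Return every LISTEN socket bound to a 127.x.x.x address, in table order."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, port = _decode_addr(fields[1])
        if int(fields[3], 16) != TCP_LISTEN or not ip.startswith("127."):
            continue
        found.append(Listener(ip, port, int(fields[7]), int(fields[9])))
    return found

def by_app_uid(listeners: list[Listener]) -> dict[int, list[int]]:
    """Group loopback listen ports by owning app UID; system UIDs are left out."""
    grouped: dict[int, list[int]] = {}
    for l in listeners:
        if l.uid >= ANDROID_APP_UID_START:
            grouped.setdefault(l.uid, []).append(l.port)
    return grouped
```

Map each reported UID back to a package with `adb shell pm list packages --uid <uid>` to see which app owns the listener.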

US law enforcement has seized multiple domains belonging to BidenCash, a well-known dark web marketplace used for selling stolen credit card data, personally identifiable information (PII), and unauthorized server access.

In a separate move, the US Justice Department has seized over $7.74 million in cryptocurrency linked to North Korean money laundering schemes. The funds are tied to Sim Hyon Sop, a representative of North Korea’s Foreign Trade Bank, who was charged in April 2023 for facilitating IT worker scams. According to officials, the crypto was earned through remote work performed by North Korean IT workers operating internationally, including in China and Russia, to funnel money back to the regime.

European and American law enforcement agencies have dismantled AVCheck, an underground counter-antivirus (CAV) service used by cybercriminals to test malware against commercial antivirus software. AVCheck allowed attackers to verify if their malicious code could bypass detection before launching real-world cyberattacks. Authorities seized four domains and related server infrastructure as part of the international crackdown.

Two members of the ViLE cybercriminal group were sentenced for hacking a US law enforcement web portal as part of an extortion scheme involving doxing. Sagar Steven Singh received a 27-month prison sentence, while Nicholas Ceraolo was sentenced to 25 months. Both were convicted of aggravated identity theft and conspiracy to commit computer intrusion.

Romanian national Thomasz Szabo, known online as “Plank,” “Jonah,” and “Cypher,” pleaded guilty to leading a criminal group that targeted US officials, lawmakers, and religious institutions with bomb threats and swatting hoaxes. He faces up to 15 years in prison and is scheduled for sentencing on October 23, following his extradition from Romania in November 2024.

The US Department of State is offering a reward of up to $10 million for information leading to government-backed hackers connected to the RedLine infostealer malware operation and its alleged creator, Maxim Alexandrovich Rudometov aka “dendimirror”, “alinchok”, “ghackihg”, “makc1901”, “navi_ghacking”, and “bloodzz.fenix.”

Ukrainian police have arrested a 35-year-old man suspected of hacking into over 5,000 user accounts at a major international hosting company. The suspect allegedly used the company’s server infrastructure to illegally deploy virtual machines and mine cryptocurrency without authorization. The hosting provider, which remains unnamed, rents servers to businesses running websites and online services.

India’s Central Bureau of Investigation (CBI) conducted raids at 19 locations nationwide to dismantle cyber-enabled financial fraud networks, including tech support scams. The operation targeted a criminal enterprise that impersonated Microsoft and defrauded older adults in Japan. It led to the arrest of six key individuals, the shutdown of two illegal call centers, and the seizure of digital and physical equipment used in the scams.
