Cyber Security Week in Review: June 20, 2025


Trend Micro researchers have uncovered an active threat campaign exploiting a critical remote code execution (RCE) vulnerability in Langflow to distribute the Flodrix botnet malware. Tracked as CVE-2025-3248, the flaw affects Langflow versions prior to 1.3.0 and allows unauthenticated attackers to execute arbitrary code on exposed servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting several TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild. The flaw, tracked as CVE-2023-33538, is a command injection vulnerability that allows attackers to execute arbitrary system commands via a crafted HTTP GET request. The affected models include TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2.

In parallel, the threat intelligence firm GreyNoise reported renewed exploit attempts against CVE-2023-28771, a command injection flaw in Zyxel firewalls. The vulnerability, patched in April 2023, allows unauthenticated attackers to execute commands remotely.

A cyberespionage campaign linked to Russian state-sponsored actors has been observed using a Google account feature, application-specific passwords (ASPs), to infiltrate victims’ email accounts. The attackers employed highly personalized, long-term social engineering tactics in which victims were tricked into creating and sharing ASPs under the mistaken belief that they were enabling secure communication with the US Department of State.

A new phishing campaign is targeting users in Taiwan, delivering advanced malware strains including HoldingHands RAT and Gh0stCringe. The operation, attributed to the threat actor known as Silver Fox APT, is part of a broader malicious campaign first spotted in January, involving the Winos 4.0 malware framework.

An ongoing sophisticated threat campaign orchestrated by a malicious actor tracked as ‘Water Curse’ is abusing GitHub as a delivery mechanism for malicious software. The group, active since at least March 2023, has been using weaponized repositories to spread multistage malware capable of remote access, data theft, and persistent system compromise. According to Trend Micro’s investigation, at least 76 GitHub accounts are linked to the campaign.

Meanwhile, cybersecurity researchers at ReversingLabs have uncovered a malicious campaign, dubbed ‘Banana Squad’, involving over 67 GitHub repositories disguised as Python-based hacking tools which, in reality, deliver malicious payloads. The campaign is believed to be a continuation of a 2023 operation that targeted the Python Package Index (PyPI) with fake packages. The previous packages included information-stealing malware designed to target Windows systems.

Malicious actors are increasingly leveraging a sophisticated social engineering tactic known as ‘ClickFix’ to deliver multi-stage malware campaigns targeting users across various sectors. Elastic Security Labs’ latest telemetry reveals that ClickFix is increasingly being used to distribute updated variants of the GHOSTPULSE loader (aka HIJACKLOADER or IDATLOADER), which downloads the ARECHCLIENT2 remote access trojan (RAT) and infostealer.

Iran’s largest cryptocurrency exchange Nobitex suffered a major hack, with over $90 million sent from Nobitex wallets to hacker addresses. The incident follows a hack targeting Bank Sepah, a state-owned Iranian bank, for which pro-Israel hacker group Gonjeshke Darande (“Predatory Sparrow”) claimed responsibility. The group also promised to publish Nobitex’s source code. The hack appears to be motivated by the recent escalation of tensions between Israel and Iran.

Cisco Talos discovered a new Python-based remote access trojan (RAT) called PylangGhost, linked to the North Korean-aligned threat group Famous Chollima (aka Wagemole). The RAT is similar to the earlier GolangGhost version and is used to target Windows systems, while the Go variant continues to target macOS users. The latest campaigns focus on individuals with cryptocurrency and blockchain experience, using fake skill-testing websites that impersonate companies like Coinbase, Robinhood, and Uniswap. Linux users are not affected, and the impact appears to be limited to a small number of users, mainly in India.

A new Trend Micro report details a novel attack that leverages misconfigured Docker Remote APIs and the Tor network to mine cryptocurrency. By gaining access to exposed containerized environments, attackers deploy crypto miners while using Tor to conceal their identities and activities. The attackers use the zstd tool, which utilizes the Zstandard algorithm for efficient compression and decompression.

Cybersecurity firm Huntress analyzed a cyber intrusion orchestrated by the North Korean state-sponsored APT group TA444 (also known as BlueNoroff, Sapphire Sleet) known for targeting cryptocurrency entities. The breach began when an employee at a cryptocurrency foundation was contacted on Telegram by an external actor posing as a legitimate contact. The attacker sent a Calendly link that redirected the employee to a fake Zoom domain. Weeks later, during a staged Zoom meeting populated with deepfakes impersonating company leadership and contacts, the employee was tricked into downloading a fake Zoom extension. This extension installed multiple types of malware, including backdoors, info-stealers, and cryptocurrency stealers.

The US Department of Homeland Security has issued a warning about an increase in Chinese-manufactured signal jammers entering the country, presenting serious risks to public safety and civilian aviation. Since 2021, Customs and Border Protection has reported an approximately 830% increase in seizures of such devices, despite efforts by Chinese companies to evade detection. Signal jammers can interfere with various radio frequencies, posing threats to emergency services, law enforcement, and critical infrastructure.

A new report by Recorded Future’s Insikt Group says that China’s People’s Liberation Army (PLA) and intelligence agencies are increasingly integrating generative AI into their operations. The PLA is developing and acquiring AI tools to support intelligence analysis, generate reports, provide recommendations, and enhance early warning systems. Both foreign and domestic AI models are being adapted for military use, with Chinese patent filings showing interest in using AI for open-source intelligence, satellite image analysis, and event extraction.

In a separate report, Insikt Group details new infrastructure linked to the threat actor GrayAlpha, which overlaps with the financially motivated group FIN7. This includes domains used for payload distribution and associated IP addresses. The group uses two custom loaders: PowerNet, a PowerShell tool that deploys NetSupport RAT, and MaskBat, an obfuscated loader with ties to FakeBat and GrayAlpha. For infection, the threat actor uses fake browser updates, fake 7-Zip download sites, and a traffic distribution system (TDS) known as TAG-124.

A sophisticated phishing campaign has been targeting US citizens by impersonating multiple state Departments of Motor Vehicles (DMVs). The attackers used SMS-based phishing (smishing) to send messages about unpaid toll violations, directing recipients to fraudulent DMV websites. The websites prompted victims to pay small fines and, in the process, harvested personal and financial information. Technical analysis revealed that the campaign used shared infrastructure, consistent domain naming patterns, and reused frontend components, suggesting a coordinated operation and involvement of a China-based threat actor.

Proofpoint has spotted a rebranded stealer malware named Amatera Stealer based on ACR Stealer. Amatera is delivered through web injects and complex attack chains and is distributed as malware-as-a-service (MaaS). It’s still actively developed, with recent updates introducing advanced anti-analysis features. Also, recent versions have moved away from using Steam/Telegram dead drops for command-and-control (C2).

Orange Cyberdefense CERT has discovered an ongoing malicious campaign targeting organizations across Europe, particularly in Spain, Portugal, Italy, France, Belgium, and the Netherlands. The activity is believed to originate from Brazilian Portuguese-speaking threat actors and involves the Sorillus Remote Access Trojan (RAT), also known as SambaSpy. Sorillus, a malware-as-a-service available since 2019, is delivered via invoice-themed phishing emails containing malicious .jar files.

Prodaft has shared details about AntiDot, an Android malware that has infected over 3,775 devices across 273 distinct campaigns. Operated by the financially driven threat group LARVA-398, AntiDot is sold as a Malware-as-a-Service (MaaS) on underground forums. It offers a "three-in-one" toolkit that exploits Android's accessibility features to record screens, intercept SMS messages, and steal data from third-party apps. The malware is likely distributed through malicious ads and targeted phishing campaigns tailored to victims' language and location.

A recent version of the Godfather Android banking trojan has been found using a built-in sandbox to hijack banking and cryptocurrency apps. It leverages open-source tools like Virtualapp, XposedBridge, XposedInstaller, and Xposed to enable app virtualization and execute overlay attacks. The malware installs hijacked apps on a virtual filesystem through a host app, scans the device for installed applications, and extracts key data from banking apps to create a cache file. This cache is then used to launch the apps within the sandboxed environment for fraudulent activity.

Securonix has discovered a malware campaign named Serpentine#Cloud that exploits Cloudflare Tunnel to host malicious payloads on attacker-controlled subdomains. The attack uses a complex infection chain starting with LNK shortcut files and obfuscated scripts, which ultimately deliver a Python-based loader capable of executing a Donut-packed PE payload directly in memory.

Cloudflare said it blocked the largest DDoS attack ever recorded in mid-May 2025, which peaked at 7.3 terabits per second (Tbps). The new 7.3 Tbps record represents a 12% increase over Cloudflare’s previous high and is 1 Tbps larger than a recent 6.3 Tbps attack.

A new malicious campaign is abusing a loophole in Discord’s invitation system to distribute malware, including the AsyncRAT remote access trojan and a modified variant of the Skuld information stealer. The attackers hijacked expired or deleted vanity invite links on Discord, redirecting users from legitimate communities to malicious servers under their control.

The Anubis ransomware-as-a-service (RaaS) operation has incorporated a wiper module that permanently destroys targeted files, leaving victims unable to recover their data even if they pay the ransom. According to Trend Micro, the wiper function was discovered in the latest malware samples linked to Anubis, which has been gaining traction since it emerged in December 2024 and grew increasingly active in early 2025.

Law enforcement authorities have dismantled ‘Archetyp Market’, one of the world’s most prolific darknet marketplaces for illicit drug trade. The 30-year-old alleged administrator, a German national, was arrested in Barcelona, Spain, by a special unit of the Spanish National Police. As part of the operation, Dutch authorities shut down the server infrastructure hosted in a data center in the Netherlands. Further coordinated raids in Germany and Sweden targeted additional moderators and six of the marketplace’s highest-earning vendors. Seven suspects were arrested in Sweden.

An alleged member of the Ryuk ransomware gang has been arrested in Ukraine and subsequently extradited to the US to face charges for multiple cyber crimes. According to the authorities, the suspect was involved in multiple attacks that targeted industrial enterprises in France, Norway, Germany, the Netherlands, Canada, and the United States using custom-developed malware, including ransomware such as LockerGoga, MegaCortex, HIVE and Dharma. The suspect allegedly specialized in identifying vulnerabilities in the corporate networks of targeted enterprises. His findings were later used by accomplices to plan and execute the cyberattacks.

Aleksei Andriunin, 26, a Russian-Portuguese national and founder of the crypto market-making firm Gotbit, has been sentenced to eight months in US federal prison for leading a major cryptocurrency market manipulation scheme. He pleaded guilty in March to wire fraud and conspiracy to commit market manipulation. From 2018 to 2024, Andriunin's company used wash trading to artificially inflate the price and trading volume of crypto tokens, aiming to secure listings on prominent platforms. After his prison term, he will serve one year of supervised release.

Argentina’s intelligence service has reportedly uncovered a suspected Russian spy ring accused of spreading disinformation to advance Moscow’s interests in the region. According to officials, Russian nationals worked with Argentines to influence domestic affairs through propaganda linked to a Kremlin-backed operation known as Project Lakhta. The group, allegedly called “The Company,” was led by Russian citizens Lev Andriashvili and Irina Iakovenko, who are believed to have received funding to recruit local collaborators. The group aimed to form a pro-Russia network, spread disinformation on social media, sway civil organizations, conduct focus groups, and gather political intelligence.
