Citrix has issued urgent security patches for a critical vulnerability in its NetScaler ADC and NetScaler Gateway products, tracked as CVE-2025-6543, a buffer overflow issue actively exploited in the wild that could lead to denial-of-service or unintended control flow. Another patched vulnerability, CVE-2025-5777, also affects NetScaler ADC. Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) has added three more actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2024-54085 – Authentication bypass in AMI MegaRAC allowing full remote control.
- CVE-2024-0769 – Path traversal flaw in the discontinued D-Link DIR-859 router.
- CVE-2019-6693 – Hard-coded key vulnerability in Fortinet products, exploited by the Akira ransomware group.
SonicWall has issued a security alert, warning users of a sophisticated campaign distributing a tampered version of its popular NetExtender SSL VPN application. The compromised software is being used to steal sensitive user information, including VPN credentials.
An increase in scanning activity targeting MOVEit Transfer systems has been observed since May 27, 2025, according to threat intelligence firm GreyNoise. The researchers say that the volume of unique IP addresses probing MOVEit Transfer systems has surged from fewer than 10 daily to over 300 in just 24 hours, which may indicate new exploitation campaigns or reconnaissance for future attacks.
Trellix researchers discovered a sophisticated cyber-espionage campaign targeting the global energy, oil, and gas sector. Dubbed ‘OneClik’, the operation leverages phishing emails and abuses Microsoft’s ClickOnce deployment technology to infiltrate enterprise systems.
Fortinet has released a report detailing a variant of the Havoc malware discovered during an investigation into a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. Havoc is a well-known post-exploitation command and control (C2) backdoor framework, primarily written in C++ and Go.
On a related note, Recorded Future Insikt Group’s investigation into a recent TAG-140 campaign targeting Indian government entities uncovered a new variant of the DRAT remote access trojan, dubbed ‘DRAT V2’. TAG-140 has been linked to the Pakistani threat actor SideCopy and is believed to be affiliated with Transparent Tribe (APT36). DRAT V2, now Delphi-compiled instead of .NET-based, comes with improved C2 communication and expanded capabilities such as shell command execution and deeper file system access.
IBM X-Force researchers say that the China-linked threat actor Hive0154 (aka Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris and Earth Preta) has been increasingly targeting the Tibetan community. In a recent campaign, the threat actor deployed the Pubload backdoor, delivered via phishing emails tailored to Tibetan entities.
A new malware campaign reported by Netskope is targeting users via Chinese-language websites that distribute fake software installers posing as legitimate applications like WPS Office, Sogou, and DeepSeek. The fake installers deliver a variant of Gh0stRAT called Sainbox RAT and the open-source Hidden rootkit. The Sainbox RAT enables remote access, payload delivery, and data theft, while the Hidden rootkit hides the malware’s presence, blocks process termination, and evades detection.
The Canadian Centre for Cyber Security and the US Federal Bureau of Investigation (FBI) have issued a joint advisory warning of an ongoing cyber espionage campaign attributed to China-linked threat actors known as Salt Typhoon. According to the alert, the actors exploited a critical vulnerability in Cisco IOS XE software (CVE-2023-20198) to compromise three network devices operated by a Canadian telecommunications firm in mid-February.
A China-based cyber-espionage group has compromised more than 1,000 networks worldwide in a campaign dubbed ‘LapDogs.’ The campaign has remained active and largely undetected since September 2023. LapDogs exploits vulnerable Internet of Things (IoT) and Small Office/Home Office (SoHo) routers. The campaign employs a sophisticated network of Operational Relay Boxes (ORBs) to discreetly reroute malicious traffic through compromised devices.
Ukraine’s national cybersecurity team CERT-UA has attributed a series of sophisticated cyberattacks against government institutions to UAC-0001 (more commonly known as APT28), a threat actor linked to Russian military intelligence. The incidents, which occurred between March and May 2024, involved advanced malware tools including Beardshell, Slimagent, and components of the Covenant framework.
An Iranian state-sponsored hacking group linked to the Islamic Revolutionary Guard Corps (IRGC) has been targeting Israeli journalists, cybersecurity experts, and computer science professors in a spear-phishing campaign. According to cybersecurity firm Check Point, attackers posed as assistants to tech executives or researchers, using emails and WhatsApp messages to approach victims. The campaign has been attributed to the threat group known as Educated Manticore, associated with several other entities, including APT35, APT42, Charming Kitten, and TA453.
A threat actor, tracked as CL-CRI-1014 by Palo Alto Networks' Unit 42, has been targeting financial institutions across Africa since at least July 2023. The group appears to gain initial access to these organizations and may be selling that access on the dark web. The operations leverage open-source and publicly available tools, including PoshC2 (attack framework), Chisel (tunneling utility), and Classroom Spy (remote administration tool) to establish footholds, create communication tunnels, and enable remote control of compromised systems.
A new wave of North Korea's “Contagious Interview” malicious campaign is targeting software developers and job seekers through malicious npm packages. The campaign involves 35 rogue packages that mimic trusted libraries, tricking victims into downloading them. Once installed, the packages deploy the BeaverTail infostealer and the InvisibleFerret backdoor, both of which have previously been linked to North Korean threat actors. Victims are typically approached by operatives posing as recruiters who request participation in fake coding tests.
Cybersecurity researchers at French firm HarfangLab have uncovered a sophisticated malware strain, dubbed 'XDigo', developed in the Go programming language. The malware was deployed in targeted attacks against government entities in Eastern Europe during March 2025. The attack leveraged Windows shortcut (LNK) files in a multi-stage infection chain to deliver the XDigo payload. The LNK files exploited a vulnerability in Microsoft Windows (ZDI-CAN-25373), which was disclosed by Trend Micro earlier this year. The flaw allows crafted LNK files to execute code without the user's knowledge, by hiding malicious commands from both the Windows interface and third-party parsers.
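As an added illustration from the defender's side (not code from HarfangLab's or Trend Micro's analyses), the Python below builds a constructed, minimal .lnk file in memory and checks its COMMAND_LINE_ARGUMENTS string for long runs of whitespace. It assumes the padding technique ZDI described publicly for ZDI-CAN-25373, namely whitespace characters inserted into the argument field so the real command sits past what the Properties dialog shows; the run length threshold is an assumed tuning value.

```python
import struct

# Shell link header constants (MS-SHLLINK layout: 76-byte header, flags at 0x14).
LNK_MAGIC = struct.pack("<I", 0x4C)                       # HeaderSize
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, IS_UNICODE = 0x08, 0x10, 0x20, 0x80
PAD_CHARS = " \t\n\x0b\x0c\r"   # whitespace characters assumed to be used as padding

def build_lnk(args: str) -> bytes:
    """Constructed sample: a minimal .lnk carrying only a COMMAND_LINE_ARGUMENTS string."""
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))          # zero the remaining header fields
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def _read_string(buf: bytes, off: int, unicode: bool):
    count = struct.unpack_from("<H", buf, off)[0]     # CountCharacters, not bytes
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + count * width

def lnk_arguments(buf: bytes) -> str:
    """Walk the link structures in order and return the COMMAND_LINE_ARGUMENTS text."""
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    unicode = bool(flags & IS_UNICODE)
    off = 0x4C
    if flags & HAS_ID_LIST:                           # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfoSize includes itself
        off += struct.unpack_from("<I", buf, off)[0]
    args = ""
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS):  # StringData order
        if flags & flag:
            text, off = _read_string(buf, off, unicode)
            if flag == HAS_ARGS:
                args = text
    return args

def longest_pad_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters in the string."""
    run = best = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        best = max(best, run)
    return best

def is_suspicious_lnk(buf: bytes, threshold: int = 64) -> bool:
    """Flag shortcuts whose argument string hides content behind a long whitespace run."""
    return longest_pad_run(lnk_arguments(buf)) >= threshold
```

Real shortcuts also carry an IDList, LinkInfo and extra data blocks; the parser skips the first two by their size fields and stops once it has read the argument string, so it can be pointed at files collected from a triage share.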
Zscaler ThreatLabz researchers have discovered a new malware campaign leveraging the popularity of AI tools like ChatGPT and Luma AI. Threat actors are creating AI-themed websites, often hosted on platforms like WordPress, to manipulate search engine results using Black Hat SEO techniques. When users visit these sites, JavaScript triggers redirection chains that ultimately deliver malware such as Vidar, Lumma, and Legion Loader. The websites use browser fingerprinting to identify victims and employ large installer files to hide from antimalware tools.
Popular AI models from Mistral and xAI have recently been jailbroken and repurposed by cybercriminals to generate phishing emails, malicious code, and hacking tutorials, Cato Networks has warned. According to the report, threat actors are offering customized, “uncensored” versions of the large language models (LLMs) on BreachForums, an underground forum known for selling illicit digital tools and data.
Speaking of BreachForums, four of the forum’s alleged operators, “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” were arrested in France this week. Another BreachForums administrator, Kai West, aka “IntelBroker” and “Kyle Northern,” was arrested in France in February. US authorities have charged West, a British national, with multiple offences, including breaching and stealing sensitive data from a telecommunications company, a municipal healthcare provider, an Internet service provider, and over 40 other entities.
The FBI was able to identify West after undercover agents purchased a stolen API key from IntelBroker, which led them to a Bitcoin wallet. This wallet was previously linked to a Ramp account registered with a UK driver’s license in West’s name, and that same license was used to open a Coinbase account under the alias ‘Kyle Northern.’ Both accounts, along with activity on YouTube, where West watched and later posted videos as IntelBroker, were tied to his personal email address.
West is accused of offering the stolen data for sale approximately 41 times, and distributing it for free or for online forum credits approximately 117 times. The stolen data was allegedly marketed online for more than $2 million, resulting in an estimated $25 million in damages to victims. The US is currently seeking his extradition to face charges.
Meanwhile in Russia, four members of the notorious REvil ransomware gang, arrested in January 2022, have been released by Russian authorities after pleading guilty to charges of carding and malware distribution. The defendants, Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev, were sentenced to five years in prison but were credited for time already served in pre-trial detention.
A criminal group defrauded customers of over EUR 400,000 by hacking into over 400 trusted seller accounts on a major online platform and advertising fake goods. Using phishing techniques, the criminals stole login credentials, locked out legitimate sellers, and tricked customers into placing orders that were never fulfilled. Romanian and German authorities, supported by Eurojust, launched a joint investigation, leading to the arrest of seven suspects in December 2024 after coordinated raids in Romania, Germany, and Austria. However, three members continued their activity; they were later detained in Romania on 24 June 2025 under a European Arrest Warrant. Authorities also seized IT evidence during eight additional house searches.
A 27-year-old former Western Sydney University (WSU) student, identified by local media as Birdie Kingston, has been arrested by New South Wales police for allegedly hacking into the university’s systems multiple times since 2021. The cyber intrusions reportedly began as an attempt to obtain cheaper parking but escalated to unauthorized access, data theft, and system compromise. The attacks are believed to have affected hundreds of staff and students, including the attempted sale of stolen student information on the dark web.
Nicholas Michael Kloster, a 32-year-old man from Kansas City in the US, has pleaded guilty to hacking multiple organizations in an attempt to promote his cybersecurity services. Kloster is said to have breached the systems of a health club that operates multiple gyms, as well as those of a nonprofit organization, where he used a boot disk to bypass protection, change passwords and steal sensitive information from a “protected computer.” Kloster also used stolen credit card information from a former employer to purchase hacking tools. He faces up to five years in prison, a $250,000 fine, and other penalties.
Popular cryptocurrency tracking site CoinMarketCap suffered a website supply chain attack that exposed its users to a malicious wallet drainer campaign, resulting in the theft of over $43,000 in crypto. CoinMarketCap explained that the attackers exploited a vulnerability in a “doodle” image displayed on the site's homepage.