Cyber Security Week in Review: September 5, 2025


WhatsApp has warned that hackers may have exploited a security flaw in its apps for Apple devices to launch a targeted spyware campaign. The flaw, tracked as CVE-2025-55177, affects certain versions of WhatsApp for iOS and macOS. It could have allowed attackers to deliver malicious code via hidden links inside regular-looking messages. The company believes that the flaw may have been used in tandem with another Apple vulnerability (CVE-2025-43300) to target specific users.

Threat actors are exploiting a legacy configuration error in outdated Sitecore deployments. The flaw, now tracked as CVE-2025-53690, stems from the use of a sample machine key included in Sitecore’s pre-2017 deployment guides. Attackers are leveraging the key to perform remote code execution (RCE) through ViewState deserialization attacks on publicly exposed Sitecore XM and XP versions prior to 9.0. According to Google’s Mandiant, the attackers deploy WeepSteel, a .NET-based malware that steals sensitive data and exfiltrates it via crafted ViewState responses. Sitecore has since released patches and guidance to help organizations address the issue.

Cybersecurity firm ESET has uncovered a previously unknown threat actor, dubbed “GhostRedirector,” that has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam since late 2024. GhostRedirector uses two previously unknown tools: a C++ backdoor named Rungan and a malicious Internet Information Services (IIS) module named Gamshen. The operation appears to be opportunistic, targeting vulnerable servers across sectors including insurance, healthcare, retail, transportation, technology, and education.

A sophisticated spear-phishing campaign linked to an Iran-aligned group has targeted embassies, consulates, and international organizations across the globe. The campaign, described as “coordinated” and “multi-wave,” has been attributed to actors connected to Homeland Justice, a group known for cyber operations aligned with Iranian interests.

A threat actor known as Silver Fox has been observed leveraging a previously undocumented, signed driver associated with WatchDog Anti-malware to disable endpoint protection solutions and deploy remote access tools. While the exact infection method remains unclear, the researchers have observed the malware being delivered via .rar archives containing either a single executable (.exe) or a dynamic-link library (.dll) that is side-loaded through a legitimate application.

Threat actors have hijacked an abandoned update server tied to the Sogou Zhuyin input method editor (IME) to deliver multiple malware strains to high-value targets across East Asia and beyond. The operation, dubbed 'TAOTH', was first spotted in June 2025 and involves an abandoned domain once linked to Sogou Zhuyin, a legitimate IME tool that stopped receiving updates in 2019. The attackers re-registered the domain sogouzhuyin[.]com in October 2024 and began using it the following month to serve malicious payloads through fake software updates. Victims primarily include dissidents, journalists, researchers, and tech and business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities.

Cybersecurity researchers have uncovered a new cyberattack in which hackers used the Velociraptor open-source security tool to carry out malicious activities. According to a report from the Sophos Counter Threat Unit, the unknown threat actors used Velociraptor to download and run the widely used code editor Visual Studio Code, likely to create a secret communication tunnel to a command-and-control (C2) server.

Victims of last month’s Salesloft breach are now notifying customers after attackers exploited a vulnerability in the company’s Drift AI chat integration to steal sensitive data from Salesforce and other platforms. The breach, which occurred between August 8–18, was caused by compromised OAuth credentials used in the Drift-Salesforce connection. Over 700 organizations were affected, including major infosec vendors like Cloudflare, Zscaler, Palo Alto Networks, Tenable, SpyCloud, Tanium, and others such as PagerDuty, Exclaimer, and Cloudinary. Email security company Proofpoint has also confirmed impact from the incident.

Malicious actors are increasingly using dropper apps not only to install banking trojans but also simpler malware like SMS stealers and spyware, ThreatFabric warns. When users click "Update," the real malware is downloaded and begins requesting dangerous permissions. The trend is believed to be a response to Google’s new security initiatives in countries like Singapore, Thailand, Brazil, and India, which aim to block apps that ask for high-risk permissions such as SMS access and accessibility services.

Cybersecurity firm Truesec has spotted a malware campaign using fake PDF editing software, promoted via Google ads, to spread the TamperedChef info-stealer. The malicious app, called AppSuite PDF Editor, appears legitimate but installs TamperedChef upon use. Advertised through over 50 deceptive domains, the malware steals sensitive data like credentials and browser cookies, checks for security software, and leverages Windows DPAPI to access encrypted browser data.

Palo Alto Networks' Unit 42 has detailed a weakness, referred to as Model Namespace Reuse, in the AI supply chain involving Hugging Face, the platform that enables AI developers to build, share, and deploy models and datasets. When a model author deletes their account, their namespace (Author/ModelName) becomes available for reuse. This allows malicious actors to re-register the same username and potentially upload harmful models under trusted names.
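A defensive check for the namespace-reuse problem above, added here as an illustration and not code from Unit 42 or Hugging Face: model references are rejected unless they pin a full commit SHA (a mutable ref such as "main" resolves against whoever owns the namespace now) and carry a hash manifest that downloaded files are verified against. The repository name, revision and file contents are constructed sample values.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A Hugging Face commit revision is a full 40-hex git SHA. Branch or tag names
# such as "main" are mutable and resolve against the namespace's current owner.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ModelRef:
    repo_id: str                    # "Author/ModelName" as passed to from_pretrained()
    revision: Optional[str] = None  # commit SHA, branch, tag, or None (defaults to "main")
    file_hashes: Dict[str, str] = field(default_factory=dict)  # hypothetical pinned manifest: filename -> sha256


def check_pinning(ref: ModelRef) -> List[str]:
    """Return policy violations that would let a re-registered namespace serve a different model."""
    problems = []
    if "/" not in ref.repo_id:
        problems.append("repo_id has no author namespace")
    if not ref.revision:
        problems.append("no revision pinned; 'main' follows the namespace's current owner")
    elif not COMMIT_SHA.fullmatch(ref.revision):
        problems.append(f"revision {ref.revision!r} is a mutable ref, not a commit SHA")
    if not ref.file_hashes:
        problems.append("no pinned file hashes; downloaded contents cannot be verified")
    return problems


def verify_files(ref: ModelRef, downloaded: Dict[str, bytes]) -> List[str]:
    """Compare downloaded file bytes against the pinned manifest; return names that fail."""
    failed = []
    for name, expected in ref.file_hashes.items():
        data = downloaded.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            failed.append(name)
    return failed


# Constructed sample data: the config captured when the model was first vetted,
# and an altered copy standing in for content served from a reused namespace.
TRUSTED_CONFIG = b'{"model_type": "bert"}'
TAMPERED_CONFIG = b'{"model_type": "bert", "extra": 1}'
PINNED_REF = ModelRef("ExampleAuthor/example-model",  # hypothetical repository
                      "0123456789abcdef0123456789abcdef01234567",
                      {"config.json": hashlib.sha256(TRUSTED_CONFIG).hexdigest()})
UNPINNED_REF = ModelRef("ExampleAuthor/example-model")

if __name__ == "__main__":
    print("unpinned:", check_pinning(UNPINNED_REF))
    print("pinned:", check_pinning(PINNED_REF))
    print("failed files:", verify_files(PINNED_REF, {"config.json": TAMPERED_CONFIG}))
```

A pinned commit SHA from the original repository will not exist in a re-registered namespace, so a pinned download fails closed instead of fetching the replacement model.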

Cybercriminals have devised a new technique, dubbed ‘Grokking,’ to bypass malvertising protections on the social media platform X. As per Guardio Labs, the method involves promoting adult-themed video posts with hidden malicious links embedded in the "From:" metadata field, which X doesn't appear to scan. The attackers then tag Grok (X’s AI tool) in comments asking about the video, and the assistant helpfully retrieves and displays the hidden link in its response.

Amazon’s threat intelligence team said it detected and disrupted a watering hole attack carried out by APT29 (aka Midnight Blizzard, Cozy Bear, and Nobelium), a threat actor linked to Russia’s Foreign Intelligence Service (SVR). The investigation revealed that the group was running an opportunistic campaign by compromising legitimate websites to redirect visitors to malicious infrastructure in order to trick users into authorizing attacker-controlled devices via Microsoft’s device code authentication process.

S2 Grupo’s intelligence team LAB52 has discovered a new Outlook backdoor named NotDoor, attributed to the Russian-linked APT28 threat group. This VBA macro monitors incoming emails for a specific trigger word. Once triggered, it allows attackers to exfiltrate data, upload files, and execute commands on the infected system. The malware has been used to target various organizations across NATO member countries.

Recorded Future's Insikt Group has uncovered five distinct activity clusters linked to TAG-144 (aka Blind Eagle and APT-C-36), a suspected South American espionage group primarily targeting Colombian government entities. While sharing common TTPs, such as using cracked RATs, dynamic domain providers, and legitimate internet services, the clusters differ in infrastructure and modus operandi. The investigation also uncovered links between TAG-144 and Red Akodon, along with evidence of compromised Colombian government email accounts used for spearphishing.

A new Sekoia report takes an in-depth look into the commercial surveillance vendor ecosystem from 2010 to 2025, analyzing spyware products, business models, clientele, target profiles, and methods of infection.

The North Korea-associated Lazarus Group has been linked to a social engineering attack that delivered three types of cross-platform malware, including PondRAT, ThemeForestRAT, and RemotePE. According to NCC Group's Fox-IT, the attack took place in 2024 and targeted a company in the decentralized finance (DeFi) sector, resulting in the compromise of an employee's computer.

Seqrite Labs has uncovered a cyber-espionage campaign in which North Korean APT37 is targeting South Korean organizations. The attacks involve a malicious LNK (Windows shortcut) file, which, when executed, triggers a payload download or command execution, leading to system compromise. The campaign, dubbed ‘Operation HanKook Phantom,’ primarily targets individuals linked to the National Intelligence Research Association, such as academics, former officials, and researchers, likely for data theft, persistence, or espionage.

The US State Department has offered a $10 million reward for information on three Russian nationals accused of working as intelligence agents for the FSB’s Center 16 (also known as Berserk Bear, Dragonfly, Energetic Bear, and Crouching Yeti). Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov allegedly exploited a known Cisco vulnerability (CVE-2018-0171) to hack into over 500 energy companies across 135 countries. The attacks involved hijacking outdated Cisco networking devices to steal data and deploy malware.

Egyptian authorities have shut down Streameast, the world’s largest illegal live sports streaming network. Two individuals were arrested in El-Sheikh Zaid, Egypt, with authorities seizing electronic devices, cash, and credit cards. Streameast operated 80 domains and attracted 136 million monthly visits, with 1.6 billion visits in the past year, mainly from the US, Canada, the UK, the Philippines, and Germany. The site streamed unauthorized broadcasts of major soccer leagues and international tournaments. Investigators traced the operation to a UAE shell company used to launder over $6.2 million in ad revenue and $200,000 in cryptocurrency.

Silent Push has uncovered a large-scale IPTV-based piracy network that has operated for several years, spanning over 1,000 domains and 10,000 IP addresses. The network is linked to two companies, XuiOne and Tiyansoft, according to the researchers. Over 20 major entertainment and sports brands, including Netflix, Disney Plus, HBO, and the Premier League, have been affected. Additionally, the firm identified a key player in the piracy operation based in Herat, Afghanistan.

Ukrainian law enforcement has dismantled an international criminal group responsible for a sophisticated fraud scheme targeting citizens of the Czech Republic. The group illegally gained access to victims’ financial accounts, causing losses equivalent to over 12 million UAH (~$290,000).