
Hackers Hijack Microsoft Teams Accounts to Spread ModeloRAT Malware
Hackers are compromising Microsoft Teams accounts and posing as internal IT support to push a new, undocumented version of the Python‑based ModeloRAT. The attackers deliver a PowerShell loader that writes a ZIP archive to %APPDATA%, extracts a portable WinPython environment, and launches pythonw.exe without a console window. This variant evades major endpoint detection and response solutions and adds both a Run‑key and a randomly named scheduled task for persistence. The campaign reflects a broader shift toward abusing collaboration platforms for initial access.

Open WebUI File Upload Vulnerability Enables 1-Click RCE Attack
Researchers disclosed a critical stored XSS flaw in Open WebUI’s profile picture upload that permits 1‑click remote code execution. By uploading a malicious SVG encoded as a base64 data URI, attackers can run JavaScript in a victim’s browser, harvest tokens,...

North Korea Hackers Abuse Git Hooks to Deploy Cross-Platform Malware
North Korean threat actors have expanded their "Contagious Interview" campaign by embedding malicious pre‑commit Git hooks in fake coding‑assessment repositories. The hooks fingerprint the victim’s OS and silently download a platform‑specific payload from a disposable Vercel domain before the developer...

Fake TronLink Chrome Extension Steals Crypto Wallet Credentials
A counterfeit TronLink Chrome extension, masquerading as the official wallet, has been discovered stealing users' private keys and seed phrases. The extension displays inflated user counts and uses Unicode homoglyphs to mimic the brand, while loading a remote interface that...

Fsnotify Maintainer Access Change Sparks Supply Chain Security Concerns
The Go filesystem‑notification library fsnotify, used by over 300,000 projects, faced a governance shock when long‑time contributor Yasuhiro Matsumoto lost access to its GitHub organization. The dispute coincided with the release of versions 1.10.0 and 1.10.1 after a year of inactivity, prompting downstream...

cPanel and WHM Servers Targeted in Attacks Exploiting CVE-2026-41940
A critical authentication‑bypass flaw in cPanel and WHM (CVE‑2026‑41940) is being actively exploited by the sophisticated Mr_Rot13 cyber‑crime group. The vulnerability, rated 9.8 on the CVSS scale, lets unauthenticated attackers gain full admin rights on Linux servers. Since its public...

PHP SOAP Extension Flaw Could Let Attackers Execute Code Remotely
A set of new PHP vulnerabilities, highlighted by a high‑severity Use‑After‑Free flaw in the SOAP extension (CVE‑2026‑6722), enables remote code execution on unpatched servers. Additional moderate bugs expose denial‑of‑service and out‑of‑bounds read issues across core modules. The flaws affect PHP...

Vidar Infostealer Campaign Steals Passwords, Cookies, Crypto Wallets, and Device Data
A new Vidar infostealer campaign, first seen in 2018, uses the MicrosoftToolkit.exe hack‑tool to gain initial access and then stages a multi‑stage payload built with AutoIt. The malware disguises payload files as .dot documents, renames them to .bat, and employs...

Pam Backdoor Targets Linux Systems to Steal SSH Credentials
Researchers at Group‑IB have identified a new Linux backdoor called Pam that abuses the Pluggable Authentication Modules (PAM) framework, specifically the pam_exec module, to capture SSH credentials. By inserting a malicious entry into /etc/pam.d/sshd, the backdoor runs a hidden script...

Modular RAT Campaign Steals Credentials and Captures Screenshots
Seqrite Labs uncovered Operation GriefLure, a spear‑phishing campaign aimed at senior executives of Vietnam’s Viettel Group and the Philippines’ St. Luke’s Medical Center. The attackers delivered a malicious LNK file that leverages the native ftp.exe utility to assemble a modular remote‑access trojan...

Fake OpenClaw Installer Targets Crypto Wallets and Password Managers
A fake OpenClaw installer is being used to deliver a Rust‑based infostealer called Hologram, which targets over 250 crypto‑wallet and password‑manager browser extensions. The 130 MB dropper evades detection with layered anti‑VM checks, a mouse‑gate, and a PowerShell payload that disables...

ZiChatBot Malware Abuses Zulip APIs for Stealthy C2 Operations
Security researchers have uncovered ZiChatBot, a cross‑platform malware family that hijacks legitimate Python Package Index (PyPI) wheel packages to deliver malicious code to Windows and Linux developers. The payloads are dropped via DLL or SO files, achieve persistence through Run‑registry...

Hackers Weaponize Claude AI in Attacks on Water and Drainage Utilities
Hackers leveraged Anthropic's Claude and OpenAI's GPT models as operational copilots to infiltrate the Mexican water utility Servicios de Agua y Drenaje de Monterrey (SADM). Claude generated a 17,000‑line Python framework that automated reconnaissance, credential harvesting, and lateral movement, accelerating...

Google Chrome 148 Released With Fixes for 127 Security Flaws
Google released Chrome 148 to the stable channel, fixing 127 security flaws on Windows, macOS and Linux. The update patches three critical memory‑management vulnerabilities that could enable arbitrary code execution, along with 31 high‑severity issues in components such as V8,...

SEO Poisoning Attack Uses Microsoft Binary to Install RMM Tool
Researchers uncovered an SEO‑poisoning campaign that tricks users searching for the open‑source recovery tool TestDisk into downloading a trojanized installer. The fake installer is a Microsoft‑signed Setup binary that uses DLL sideloading to load a malicious autorun.dll, which then installs...

Weaponized CVE-2026-39987 Pushes Blockchain Backdoor Through Hugging Face
Attackers are weaponizing CVE‑2026‑39987, a pre‑auth remote code execution flaw in the Marimo Python notebook platform, to drop a blockchain‑backed NKAbuse variant. By exploiting the vulnerability within ten hours of disclosure, they gain shell access, harvest environment variables, and pivot...

BPFDoor Variants Hide with Stateless C2 and ICMP Relay Tactics
Rapid7 Labs identified seven new BPFDoor variants that embed Berkeley Packet Filter code in the Linux kernel, allowing the backdoor to remain hidden in telecom environments. The malware now employs a stateless command‑and‑control model, treating the source of a specially...

Fake Gemini npm Package Steals AI Tool Tokens
Hackers published a counterfeit npm package named gemini‑ai‑checker, posing as a Google Gemini token verifier, to hijack developers' AI coding environments. The package contacts a Vercel‑hosted endpoint during installation, retrieves an obfuscated JavaScript backdoor, and executes it in memory, stealing...

Tor-Backed ClickFix Campaign Drops Node.js RAT on Windows
Hackers have revived the ClickFix social‑engineering scheme to drop a sophisticated Node.js‑based remote access Trojan on Windows machines. The campaign uses a fake CAPTCHA page to execute a Base64‑encoded PowerShell command that silently installs a malicious MSI containing a full...

CrystalX Malware-as-a-Service Spreads via Telegram With Stealer, RAT Tools
Hackers are marketing a new Malware‑as‑a‑Service platform called CrystalX RAT through private Telegram channels, offering a subscription‑based toolkit that blends remote‑access, data‑stealing, keylogging, crypto‑clipping, and prankware capabilities. The service provides an automated builder with geofencing, anti‑analysis, and ChaCha20‑encrypted payloads, while...

Hackers Exploit Hotel Booking Systems to Send Fake Payment Requests to Guests
Hackers are weaponizing compromised hotel staff credentials to infiltrate booking management systems and send personalized payment requests to guests. By blending real reservation details with urgent language, the "Reservation Hijack Scam" tricks travelers into entering card information on counterfeit pages....

Open VSX Scanner Vulnerability Lets Malicious Extensions Go Live
Open VSX, the extension marketplace for VS Code forks, patched a critical “Open Sesame” vulnerability that let malicious extensions bypass its pre‑publish scanning pipeline. The flaw stemmed from a Boolean logic error that treated scanner failures as a “no scanners configured”...

Hackers Target South Asian Financial Firm with BRUSHWORM and BRUSHLOGGER Attacks
A South Asian financial institution was compromised by a custom malware suite that pairs the BRUSHWORM backdoor with the BRUSHLOGGER DLL side‑loader. BRUSHWORM provides persistence, modular payload loading, USB‑based worming and bulk file theft, while BRUSHLOGGER captures keystrokes with per‑window...

New ClickFix Attack Exploits Windows Run Dialog and macOS Terminal to Deploy Malware
Threat actors are standardizing a ClickFix social‑engineering attack that lures victims into running malicious commands via the Windows Run dialog, PowerShell, or macOS Terminal. Insikt Group identified five active clusters since May 2024, impersonating brands like QuickBooks, Booking.com, and Zillow. The...

Leak Bazaar Converts Stolen Corporate Data Into Organized Criminal Marketplace
Leak Bazaar, a new Russian‑speaking cyber‑crime service, debuted on March 25, 2026, offering a structured marketplace that transforms raw stolen corporate data into refined, buyer‑ready datasets. The platform combines automated filtering, machine‑learning analysis, and human validation to repackage information into...

Oblivion RAT Masquerades as Play Store Update to Spy on Android Users
Oblivion RAT, a new Android remote access trojan, is sold as a malware‑as‑service platform for as little as $300 per month. It uses a two‑stage infection chain that mimics Google Play Store updates to trick users into sideloading a malicious...

LeakNet Boosts Ransomware with ClickFix Lures, Stealthy Deno Loader
LeakNet is expanding its ransomware campaign by deploying mass‑market ClickFix lures on compromised legitimate websites and coupling them with a stealthy Deno‑based loader that runs malicious code almost entirely in memory. The ClickFix technique tricks users into executing an msiexec...

Handala Hackers Exploit RDP and NetBird in Coordinated Wiper Attacks
Handala Hack, an Iranian state‑linked group known as Void Manticore, has been conducting coordinated wiper attacks using compromised RDP sessions and the legitimate mesh‑networking tool NetBird. The actors gain initial access via stolen VPN credentials, dwell for months, harvest domain admin...

CamelClone Uses Public File-Sharing Sites in Government Cyberattacks
Operation CamelClone targets government, defense, diplomatic and energy agencies in Algeria, Mongolia, Ukraine and Kuwait, using spear‑phishing ZIP archives that contain LNK shortcuts to launch PowerShell commands. The shortcuts download a JavaScript loader, HOPPINGANT, from the public file‑sharing site filebulldogs.com,...

Google Unveils Android 17 Advanced Protection Mode to Stop Malicious Services
Google announced Android 17, featuring Android Advanced Protection Mode (AAPM) to harden mobile security for high‑risk users. AAPM blocks app sideloading, disables USB data signaling, restricts non‑accessibility services, and enforces always‑on Play Protect. The release also adds a privacy‑focused Contact Picker...
Fake FileZilla Downloads Spread RAT via Stealthy Multi-Stage Loader
Cybercriminals are distributing a counterfeit FileZilla installer that bundles a malicious DLL, turning the popular FTP client into a delivery vehicle for a sophisticated Remote Access Trojan. The DLL leverages Windows DLL search order to sideload, then launches a multi‑stage,...

OpenClaw Advisory Surge Highlights Blind Spot Between GitHub and CVE Vulnerability Tracking
OpenClaw’s AI‑agent platform released roughly 255 GitHub Security Advisories (GHSAs) within three weeks, yet only a fraction received CVE identifiers, exposing a visibility gap between GitHub’s advisory stream and traditional CVE feeds. Vulnerability‑intelligence firm VulnCheck asked the CVE Project to...

Malicious Browser Add‑on Targets imToken Users’ Private Keys
Socket’s Threat Research Team discovered a deceptive Chrome extension called “lmΤoken Chromophore” that masquerades as an imToken visualizer to steal private keys and seed phrases. The add‑on silently redirects users to a phishing site via a hard‑coded JSONKeeper endpoint, where...

RMM Tools Crucial for IT Operations, But Growing Threat as Attackers Weaponize Them
Remote Monitoring and Management (RMM) platforms are essential for modern IT operations, but attackers are increasingly weaponizing them to bypass defenses. The Huntress 2026 Cyber Threat Report shows a 277% surge in RMM abuse in 2025, with over half of...

DPRK Hackers Target Crypto Firms, Steal Keys and Cloud Assets in Coordinated Attacks
Suspected North Korean‑linked threat actors launched a coordinated campaign against cryptocurrency firms, exploiting the critical React2Shell (CVE‑2025‑55182) remote code execution flaw in React Server Components and Next.js. After gaining initial web‑app access, they leveraged stolen AWS tokens to enumerate and...

VoidLink Malware Framework Targets Kubernetes and AI Workloads in New Cyber Attack Wave
VoidLink is a new Linux‑based malware framework that specifically targets Kubernetes clusters and AI workloads, using fileless, in‑memory techniques to remain invisible. The framework fingerprints cloud environments, harvests credentials and metadata, and can compile payloads on demand for AI‑enabled attacks....

AzCopy Utility Misused for Data Exfiltration in Ongoing Ransomware Attacks
Ransomware groups are weaponizing Microsoft’s Azure data‑transfer tool AzCopy to steal large volumes of data before encrypting victims’ systems. By leveraging valid Azure credentials and Shared Access Signature tokens, attackers can silently upload files to attacker‑controlled Blob storage using standard...

IPVanish VPN for macOS Flaw Enables Privilege Escalation and Code Execution
A critical privilege‑escalation flaw was found in IPVanish VPN for macOS, allowing any local, unprivileged user to execute arbitrary code as root. The vulnerability resides in the helper tool "com.ipvanish.osx.vpnhelper," which accepts unauthenticated XPC connections and skips code‑signature verification for...

New Starkiller Phishing Framework Uses Real Login Pages to Bypass MFA Security
A new phishing‑as‑a‑service framework called Starkiller proxies real login pages of major brands, delivering authentic HTML, CSS, and JavaScript to victims. By running a headless Chrome instance inside Docker, it captures credentials and, crucially, steals MFA session cookies after users...

Malvertising Actor ‘D-Shortiez’ Exploits WebKit Back-Button Hijack in Forced-Redirect Campaign
A threat group known as D‑Shortiez has launched a malvertising campaign that exploits a WebKit flaw to hijack the back button in Safari and other iOS browsers. The malicious JavaScript injects a fake history entry and binds a redirect to...

Zerobot Malware Exploits Tenda Command Injection Vulnerabilities to Deploy Malicious Payloads
A new Zerobot campaign is weaponizing two critical flaws – CVE‑2025‑7544 in Tenda AC1206 routers and CVE‑2025‑68613 in the n8n workflow‑automation platform – to deliver a Mirai‑derived payload called Zerobotv9. The exploit chain uses simple HTTP requests or malicious workflow...

Hackers Exploit Telegram for Initial Access to Corporate VPN, RDP, and Cloud Systems
Hackers are turning Telegram into a live marketplace for stolen VPN, RDP and cloud credentials, accelerating initial access to corporate networks. Threat actors harvest stealer logs, post searchable credential feeds, and negotiate sales in private chats, cutting the gap between...

Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor in Developer Environments
Security researchers discovered a malicious Go module, github.com/xinfeisoft/crypto, that masquerades as the legitimate golang.org/x/crypto library. The backdoored ReadPassword function captures plaintext credentials, writes them to /usr/share/nano/.lock, and exfiltrates them via a dynamically supplied GitHub Raw URL. After exfiltration, the module pulls and...

Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials
Defused Cyber uncovered a credential‑stuffing campaign that uses passwords harvested by infostealers to brute‑force corporate SSO gateways, notably targeting F5 BIG‑IP devices. Analysis of 70 credential pairs showed 77% originated from known infostealer infections, confirming a direct supply chain from malware‑infected employee...

Phishing‑Led Agent Tesla Campaign Uses Process Hollowing and Anti‑Analysis to Evade Detection
Agent Tesla’s newest campaign leverages a multi‑stage, fileless delivery chain that begins with a phishing email containing a RAR‑packed JSE loader. The loader fetches an AES‑encrypted PowerShell script, which executes entirely in memory and uses process hollowing to inject malicious...

ResidentBat Android Malware Grants Belarusian KGB Ongoing Mobile Access
ResidentBat is a custom Android spyware implant deployed by the Belarusian KGB to turn seized smartphones into persistent surveillance tools. The malware is sideloaded via Android Debug Bridge after physical access, granting extensive data collection and remote‑wipe capabilities. First disclosed...

Threat Actors Exploit Apache ActiveMQ Vulnerability to Gain RDP Access, Deploy LockBit Ransomware
Threat actors leveraged the critical Apache ActiveMQ flaw CVE‑2023‑46604 to achieve remote code execution, download a Metasploit stager via CertUtil, and gain SYSTEM privileges on a Windows host. After dumping LSASS credentials, they moved laterally using a harvested domain‑admin account,...

OAuth Vulnerabilities in Entra ID Could Exploit ChatGPT to Breach User Email Accounts
Security researchers have identified a new OAuth consent attack vector in Microsoft Entra ID where a legitimate service principal such as ChatGPT is granted high‑risk Graph permissions like Mail.Read. By tricking users into approving a consent screen, attackers obtain persistent...

Microsoft Alerts Developers of Malicious Next.js Repositories Used in Ongoing Hacker Attacks
Microsoft Defender has identified a coordinated campaign that weaponizes seemingly legitimate Next.js repositories to compromise developers. The malicious projects, often presented as interview assessments, exploit Visual Studio Code workspace automation, build‑time scripts, and server startup routines to fetch and execute...
Malicious NuGet Packages Target ASP.NET Developers to Steal Login Credentials
A coordinated supply‑chain campaign published four malicious NuGet packages between August 2024, amassing over 4,500 downloads before removal. The lead package, NCryptYo, typosquats the legitimate NCrypto library and installs JIT hooks that drop a hidden payload establishing a localhost proxy....