
Latest Cybersecurity News, Summarized

Stay ahead of cyber threats with real-time intelligence, breach reports, and expert analysis from trusted sources.


Gladinet Vulnerability Exploited for Remote Code Execution

Huntress has warned of a new vulnerability in Gladinet's CentreStack and Triofox products caused by hard-coded cryptographic keys. Threat actors can exploit it to access the web.config file, which leads to deserialization and remote code execution. The issue stems from a function that generates static cryptographic keys, allowing attackers to decrypt or forge access tickets. Nine organizations have been affected so far, with attacks originating from a specific IP address. Organizations using these products should update to the latest version and scan their logs for indicators of compromise.


Ashen Lepus Espionage Campaign Targets Middle East

An advanced persistent threat (APT) known as Ashen Lepus has been targeting governmental and diplomatic entities in the Middle East. The group has developed a new malware suite called AshTag, which includes enhanced payload encryption, infrastructure obfuscation, and in-memory execution. Ashen Lepus has remained active throughout regional conflicts, deploying new malware variants and engaging in hands-on activity within victim environments. The campaign highlights an evolution in the group's operational security and tactics, techniques, and procedures (TTPs).


New Windows Backdoor NANOREMOTE Linked to FINALDRAFT

Cybersecurity researchers have discovered a new Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control. The malware shares similarities with FINALDRAFT, which is attributed to a threat cluster known as REF7707. NANOREMOTE supports data theft, payload staging, and file transfer: it can perform reconnaissance, execute files and commands, and move files through the Google Drive API. It also communicates with a hard-coded IP address over HTTP to process requests sent by the operator. The malware's primary functionality is implemented in 22 command handlers that collect host information, perform file operations, and execute commands.


Broadside Botnet Targets Maritime Logistics DVRs

A new Mirai botnet variant, Broadside, is exploiting a vulnerability in TBK DVR devices used in the maritime logistics sector. This botnet poses significant risks, including potential access to CCTV feeds and disruption of satellite communications. The campaign has been active for months, with researchers warning of its sophisticated evasion techniques and capabilities beyond DDoS attacks, such as credential theft and lateral movement.


GrayBravo Expands MaaS Operations with Four Activity Clusters

A new report from Insikt Group reveals the rapid evolution of GrayBravo, a threat actor operating a Malware-as-a-Service (MaaS) network. GrayBravo is behind four distinct activity clusters, each utilizing advanced tools like CastleLoader and CastleRAT. These clusters target various sectors, including logistics and hospitality, using sophisticated tactics such as phishing, ClickFix techniques, and impersonation of legitimate platforms. The report highlights GrayBravo's adaptability and expansive infrastructure, suggesting a tiered criminal enterprise. The investigation also uncovered a potential link to a threat actor known as 'Sparja' on the Exploit Forum.


React2Shell Exploit Delivers EtherRAT for Persistent Access

Threat actors have exploited the React2Shell flaw to deploy EtherRAT, a sophisticated remote access trojan. EtherRAT uses Ethereum smart contracts for command-and-control resolution and employs five Linux persistence mechanisms. The malware's advanced techniques, including blockchain-based C2 and self-updating capabilities, indicate a significant evolution in cyber threats. The attack chain involves initial access via a base64-encoded shell command, deployment of a shell script, and execution of a JavaScript dropper. EtherRAT's persistence and evasion tactics make it a formidable challenge for defenders.


GOLD BLADE Cyber Campaign Targets Organizations

Sophos investigated nearly 40 intrusions linked to the GOLD BLADE threat group between February 2024 and August 2025. The campaign, tracked as STAC6565, primarily targeted organizations in a specific region, with 80% of attacks concentrated in one area. GOLD BLADE, also known as RedCurl and RedWolf, has evolved from cyber espionage into a hybrid operation combining data theft with ransomware deployment using a custom locker named QWCrypt. The group uses phishing emails and weaponized resumes to conduct commercial espionage and ransomware attacks. In recent attacks the group has used the RedLoader tool to execute PowerShell scripts and collect Active Directory information. Its tactics also include a Bring Your Own Vulnerable Driver (BYOVD) approach to evade detection and deploy ransomware.


CastleRAT: New RAT Targets Enterprise Networks

A new Remote Access Trojan (RAT) called CastleRAT has been identified, blending stealth with powerful data theft capabilities. First spotted in March 2025, it targets enterprise networks with two variants, one written in Python and one in C. The C-compiled version is more dangerous due to its advanced stealth features and capabilities such as keystroke capture and screen grabs. CastleRAT silently infiltrates, harvests data, and maintains persistent access, using a simple RC4 algorithm to encrypt its communication. It employs techniques such as clipboard hijacking, screen capture, browser session hijacking, and UAC bypass to steal data and evade detection. The malware leverages legitimate services such as Steam Community pages to hide its C2 infrastructure.


Shanya Packer-as-a-Service Fuels Ransomware Attacks

A new packer-as-a-service, Shanya, has emerged, providing ransomware gangs with tools to bypass security defenses. Shanya offers advanced features like AMSI bypasses and anti-virtual machine capabilities. It employs aggressive obfuscation techniques and manipulates the Windows Process Environment Block to evade detection. Shanya has been used by major ransomware groups and in other cybercrime campaigns, demonstrating a significant shift in the cybercrime ecosystem.


Student Hacker Sells Access to Compromised Sites to Pay for Education

Security researchers have uncovered a sprawling botnet operation run by a college student to pay for education. The operation uses a custom-built PHP webshell, Beima, which has remained undetected by VirusTotal for over a year. The student sells access to compromised government and educational websites, with high-value targets fetching up to $200. The botnet communicates with a Command-and-Control server using encrypted JSON payloads, and the operation is highly organized, with a significant number of websites compromised.


New Android Malware Families FvncBot and SeedSnatcher Discovered

Cybersecurity researchers have uncovered two new Android malware families, FvncBot and SeedSnatcher, along with an upgraded version of ClayRat. FvncBot, masquerading as a security app, targets mobile banking users and is written from scratch, featuring keylogging and screen streaming. SeedSnatcher, distributed via Telegram, steals cryptocurrency wallet seed phrases and intercepts SMS for account takeovers. ClayRat has been updated to abuse accessibility services, enabling full device takeover and screen recording. These malware families use advanced techniques to evade detection and maximize financial theft.


Rust Developers Targeted by Typosquatting Malware

A bioinformatics tool became the latest lure in a software supply chain attack targeting Rust developers. The Socket Threat Research Team discovered two malicious crates on the Crates.io registry masquerading as the finch genomics tool. The threat actor, known as faceless, employed typosquatting to deceive developers into downloading a sophisticated credential stealer. The malware, named finch-rust, acted as a loader for another malicious package, sha-rust, which evolved rapidly through eight versions. The attack used an unpinned dependency trick to automatically deliver the latest malware version. The threat actor also engaged in elaborate identity theft, impersonating a real GitHub developer to build trust. Socket reported the malicious crates, leading to their removal.
