The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR) detailing an active malware campaign exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 and CVE-2025-4428.
Emerging in June 2025, the new ransomware group Kawa4096 is quickly becoming a significant threat, targeting large multinational corporations in the finance, education, and services industries across countries such as Japan and the United States.
Fortra recently issued security updates to address a maximum severity vulnerability in GoAnywhere MFT's License Servlet. Tracked as CVE-2025-10035, the vulnerability pertains to a deserialization of untrusted data weakness and can be exploited in low-complexity attacks.
Researchers uncovered a zero-click vulnerability in ChatGPT's Deep Research agent that enabled attackers to exfiltrate sensitive Gmail inbox data without any user action or visible indication. The flaw arose from a service-side prompt injection hidden in a crafted email.
Trend Micro has reported a notable rise in phishing campaigns that exploit AI-powered platforms such as Lovable, Netlify, and Vercel to host fake CAPTCHA challenge pages. These attacks have been tracked since January and represent a significant evolution in phishing tactics.
Two teenagers, allegedly affiliated with the hacking group known as "Scattered Spider," have been charged in connection with a cyberattack on London's transportation network.
The threat actor GOLD SALEM, also known as Warlock Group and by Microsoft as Storm-2603, has been deploying its custom Warlock ransomware against enterprise networks since March 2025.
Yesterday, Google released rolled out emergency security updates to address a zero-day vulnerability in its Chrome browser. Tracked as CVE-2025-10585, the flaw pertains to a type confusion bug in the browser's V8 JavaScript engine.
In mid-2025, Zscaler ThreatLabz uncovered a series of malicious Python packages on the PyPI repository, further underscoring the persistent threat of supply chain attacks in open-source software ecosystems.
Sekoia.io's research team has been closely monitoring APT28, a Russian state-backed threat actor linked to the GRU, throughout 2025. In early 2025, they received two previously unseen malware samples from a trusted partner that were later confirmed by CERT-UA to be tied to the BeardShell backdoor and the Covenant framework.
WatchGuard has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls. Tracked as CVE-2025-9242, this critical security flaw is caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation.
SonicWall has disclosed a security incident involving unauthorized access to its MySonicWall cloud backup configuration files. The breach primarily affects backup configurations stored in the cloud, but there is no indication that customer data or other sensitive information was compromised.
Between July and August 2025, TA415, a Chinese state-sponsored threat actor also tracked as APT41, Brass Typhoon, and Wicked Panda, carried out an extensive series of spearphishing campaigns targeting government, think tank, and academic organizations in the United States.
Researchers at Infoblox have uncovered a sprawling malvertising ecosystem referred to as Vane Viper, which they assess is deeply intertwined with the Cypriot firm AdTech Holding and its well-known subsidiary PropellerAds.
On September 15, ReversingLabs researchers discovered the Shai-hulud worm on the npm open-source registry, a self-replicating piece of malware that compromises npm accounts. This worm spreads by injecting its malicious code into legitimate public and private npm packages maintained by the compromised developer accounts.
Huntress's Security Operations Center (SOC) responded to an Akira ransomware attack after detecting several administrative users executing commands to delete shadow volume copies across multiple hosts within an organization.
A massive leak of internal documents from Chinese technology companies Geedge and MESA has provided unprecedented insight into the inner workings of the Great Firewall and the surveillance infrastructure that underpins it.
Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters, and Lapsus$, have collectively announced on Breachforums that they are ceasing operations.
The cybercriminal group, "Scattered Lapsus$ Hunters," recently claimed on Telegram to have gained access to both the FBI's eCheck background check system and Google's Law Enforcement Request System (LERS) platform, which is used by law enforcement agencies to submit legal requests for user data.
Acronis' Threat Research Unit has identified the first sophisticated in-the-wild use of FileFix, marking a notable evolution of the Fix attack family that includes ClickFix and PromptFix.
Huntress researchers reported on an Akira ransomware intrusion that originated from the exploitation of a SonicWall VPN. The adversary leveraged DHCP-assigned VPN IP addresses without Huntress agents installed, enabling them to bypass endpoint detection and response visibility.
Red Canary and Zscaler researchers observed multiple campaigns abusing legitimate Remote Monitoring and Management tools, including ITarian, PDQ Connect, SimpleHelp, and Atera for covert remote access.
Researchers at CyberProof have observed a recent uptick in DarkCloud Stealer attacks targeting financial companies. These attacks initiate with payment invoice-related phishing emails containing malicious RAR attachments, which, once opened, execute a VBScript file that further initiates a PowerShell command.
According to a new report from Hunt[.]io Intelligence, critical sectors continue to be heavily impacted by phishing, and the US energy sector has become a significant target for large-scale phishing operations in 2025.
Okta Threat Intelligence has detailed a newly uncovered Phishing-as-a-Service (PhaaS) platform called VoidProxy, which uses advanced adversary-in-the-middle techniques to target Microsoft, Google, and single sign-on accounts, including those federated through Okta.
FastNetMon, a company that specializes in defending against distributed denial-of-service (DDoS) attacks, was itself targeted by what it described as the largest packet flood it has ever recorded.
According to an advisory from the French National Computer Emergency Response Team (CERT-FR), Apple has sent out several notification alerts since the beginning of the year, regarding mercenary spyware attacks targeting its users.
Threat actors are increasingly combining credential phishing and malware delivery in a single attack, which is not typically the case. This new approach, observed in several recent high-impact campaigns, allows attackers to bypass security measures that may be strong in one area but weaker in another.
ESET Research has discovered HybridPetya, a modern copycat of the destructive Petya/NotPetya malware family. The samples, first uploaded to VirusTotal in early 2025, mimic many of the techniques used in prior outbreaks but introduce several new capabilities.
First observed on September 5, Yurei is a newly emerged ransomware group that quickly established itself by listing a Sri Lankan food manufacturing company as its first victim.
Cybereason Security Services has identified a malicious Chrome extension campaign, dubbed "Madgicx Plus," that is actively targeting advertisers on Meta's platforms, Facebook and Instagram.
In May 2025, Unit 42 researchers observed threat actors deploying AdaptixC2, an open-source post-exploitation and adversarial emulation framework originally designed for penetration testers.
The FBI is adapting its strategies to counter increasingly sophisticated Chinese cyber-espionage campaigns, particularly groups known collectively as “Typhoons.”
EvilAI is a newly identified malware family that disguises itself as legitimate AI-driven or productivity tools, often equipped with professional-looking interfaces and valid digital signatures to bypass suspicion.
Back in August 2024, SonicWall issued a security advisory for an improper access control vulnerability affecting Gen5, Gen6, and Gen7 firewall appliances. Tracked as CVE-2024-40766, the flaw can be exploited to gain unauthorized access to SonicWall in certain conditions.
A newly disclosed security flaw in Cursor, an AI-powered code editor, allows repositories to automatically execute code without user consent.
Salat Stealer is a go-based infostealer that was first spotted in August 2025. The malware has been observed by CYFIRMA targeting Windows systems and is capable of exfiltrating browser credentials, cryptocurrency wallet data, and session information from platforms like Telegram and Steam.
The Gentlemen ransomware group has surfaced as a sophisticated and well-resourced threat actor, conducting campaigns across at least 17 countries and multiple industries, with a strong focus on manufacturing, construction, healthcare, and insurance.
A recent espionage campaign attributed to the Russian state-sponsored group KTA007 (also known as Fancy Bear or APT28) has been identified by Kroll and is utilizing a new malware named GONEPOSTAL. The malware is delivered via a malicious DLL file, which uses DLL side-loading to disguise itself as a legitimate Microsoft file.
The House Select Committee on China has issued a formal advisory warning of an ongoing series of cyber espionage operations linked to the People's Republic of China during the current period of tense U.S.–China trade negotiations.
Security researchers at Akamai have uncovered a new malware campaign that specifically targets exposed Docker Engine APIs. Attackers are using automated scanning to find publicly accessible instances and then deploy malicious containers designed for cryptomining and persistence.
Today, as part of its September 2025 Patch Tuesday, Microsoft released security updates for 81 vulnerabilities. This total includes fixes for two publicly disclosed zero-day vulnerabilities and nine critical flaws, with five of these being remote code execution (RCE) vulnerabilities.
Security researchers are warning of a surge in network scans targeting Cisco ASA devices, with GreyNoise recording two significant scanning spikes in late August. In the first wave, 25,000 unique IPs scanned ASA login portals and Cisco IOS Telnet/SSH.
Threat hunters have uncovered 45 domains linked to Chinese cyber espionage activity, with registrations stretching back more than five years. The infrastructure, tied to Salt Typhoon and UNC4841, demonstrates that Chinese state-backed operators have been quietly maintaining resources well before the high-profile 2024 campaigns targeting U.S. telecommunications providers.
Salesloft has disclosed that the recent Salesforce data theft campaign tied to its Drift environments traces back to a GitHub breach earlier in 2025. Investigators found that attackers accessed Salesloft's GitHub environment between March and June 2025, where they downloaded code,
The Czech cybersecurity agency NUKIB issued a warning highlighting the risks posed by Chinese-linked cyber activity, particularly from the espionage group APT31.
On August 19, 2025, the Arctic Wolf Cybersecurity Operations Center discovered a new and unique cyberattack campaign that uses paid advertisements and a malicious GitHub repository to deceive users. The attackers leveraged paid Google Ads to funnel users to a counterfeit GitHub domain, making the malicious download appear to be from a legitimate source.