WhatsApp has addressed a critical "zero-click" security vulnerability (CVE-2025-55177) in its iOS and macOS clients. This flaw, which affects WhatsApp for iOS prior to version 2.25.21.73 and WhatsApp for Mac v2.25.21.78, allowed an attacker to remotely trigger the processing of content from an arbitrary URL on a target's device without any user interaction.
The TAOTH campaign, attributed to a persistent threat actor cluster, represents a significant cyber-espionage effort focused on high-value targets in Eastern Asia and among overseas Taiwanese communities.
Amazon's threat intelligence team has identified and disrupted a sophisticated watering hole campaign conducted by APT29, also known as Midnight Blizzard, a threat actor linked to Russia's Foreign Intelligence Service.
Threat actors are increasingly abusing Microsoft Teams as a social engineering vector, taking advantage of its widespread use and the trust users place in the platform. Instead of relying solely on phishing emails, adversaries have created or compromised Teams accounts impersonating IT support staff to deliver malicious payloads.
A new port from Check Point indicates that cyberattacks on the education are on a rise, making it the most targeted industry worldwide. Between January to July 2025, educational institutes faced an average of 4,356 attacks per week, a 41% rise compared to the previous year.
PRC government-backed cyber actors, employed by the Ministry of State Security (MSS) and People's Liberation Army (PLA), are conducting bulk compromises of global networks in order to facilitate a vast espionage system.
A recent report by DomainTools Investigations (DTI) reveals a resurgence of SpyNote malware, a potent Android Remote Access Trojan (RAT). A persistent threat actor is distributing this malware through fraudulent websites that impersonate the Google Play Store.
A new variant of the Hook Android banking trojan was uncovered by Zimperium's zLabs research team, featuring some of the most advanced capabilities seen to date.
In August 2025, researchers from Sophos analyzed an intrusion where attackers deployed the legitimate open-source Velociraptor digital forensics and incident response tool. Instead of using it for defense, the attackers abused Velociraptor to download and run Visual Studio Code with the tunneling feature enabled, likely to create a connection back to their command-and-control server.
In a recent attack, Storm-0501 infiltrated a large enterprise with multiple subsidiaries and inconsistent Microsoft Defender deployment. After gaining domain administrator access, the group conducted reconnaissance to identify unprotected systems, used tools like Evil-WinRM for lateral movement, and performed a DCSync attack to harvest privileged credentials.
The extent of the BGP vulnerability lies in the potential impact on organizations and users across the globe. BGP attacks can divert traffic via malicious networks unwittingly to the users, allowing for information eavesdropping or service disruption.
Citrix released an urgent patch yesterday to fix three critical vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The most severe of these flaws is a critical RCE vulnerability, tracked as CVE-2025-7775, that was actively exploited as a zero-day.
People's Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks.
In 2024, Group-IB released an in-depth report examining a newly identified cyber-espionage collective known as ShadowSilk. According to the report, the group has been active since at least early 2023 and has primarily targeted government ministries, state institutions, and organizations in Central Asia and the Asia-Pacific region.
Google Threat Intelligence Group has issued an advisory regarding a widespread data theft campaign conducted by the threat actor UNC6395. Active between August 8 and August 18, 2025, the campaign targeted Salesforce customer instances by abusing compromised OAuth tokens associated with the Salesloft Drift third-party application.
Researchers at ESET uncovered what they believe to be is the first known AI-powered ransomware strain. Dubbed, 'PromptLock,' the malware is capable of exfiltrating, encrypting, and even potentially destroying data.
Security intelligence firm GreyNoise has issued a warning regarding a significant and widespread increase in probing activity targeting Microsoft Remote Desktop (RDP) services.
The Federal Communications Commission (FCC) announced that it had removed 1,200 voice providers from U.S. telephone networks in its latest "Operation Robocall Roundup."
A new blog post by Threat Fabric researchers highlights how Android droppers have evolved from deploying complex banking Trojans to becoming delivery tools for a wide range of malicious payloads, including basic spyware and SMS stealers.
Check Point Research identified a sophisticated social-engineering campaign, dubbed ZipLine, targeting U.S.-based manufacturing and supply chain–critical companies. Instead of sending phishing emails directly, the attackers initiate contact through corporate “Contact Us” forms, prompting the victim to respond first, an inversion of the normal phishing flow that enhances legitimacy.
In March 2025, Google Threat Intelligence Group identified a sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384. The campaign primarily targeted diplomats in Southeast Asia but also extended to other organizations worldwide, reflecting the broader strategic interests of the People's Republic of China.
An ongoing cyber-espionage campaign has been attributed to the Pakistan-based threat group APT36 (Transparent Tribe), after being observed actively targeting Indian government entities. The group is using sophisticated and flexible tactics, including spear-phishing emails containing malicious .desktop shortcut files for initial access.
A just-discovered vulnerability that affects Apple devices has prompted an order to government agencies to patch the bug. The Cybersecurity and Infrastructure Security Agency (CISA) ordered civilian federal agencies to install a patch for CVE-2025-43300, a vulnerability that affects Apple iPhones, iPads, and MacBooks, by September 11.
A new macOS stealer, dubbed “Mac.c,” is gaining popularity on cybercriminal dark forums, offering lightning-fast data exfiltration for a price tag of $1500 per month. Developed by a threat actor known as “mentalpositive,” Mac.c is a stripped-down version of the notorious AMOS stealer and is designed for quick, high-impact data heists.
Mimecast Threat Research has uncovered an ongoing spear-phishing operation, MCTO3030, that has been active since 2022 and is notable for its persistence and careful operational security. Unlike large-scale phishing blasts, this campaign runs in low volumes of up to 1,000 emails per wave, which allows it to avoid widespread detection and remain under the radar.
FortiGuard Labs recently identified a high-severity phishing campaign aimed at Microsoft Windows users that demonstrates a highly organized and sophisticated delivery system for malware.
Apple recently rolled out security patches to address a zero-day vulnerability that was likely exploited in attacks in the wild. Tracked as CVE-2025-43300, the flaw pertains to an out-of-bounds write weakness in the Image I/O framework, designed to enable applications to read and write most image file formats.
Trellix researchers uncovered a campaign where spam emails delivered RAR archives containing files with filenames that secretly carried Bash code. On extraction the files appeared harmless, but once routine shell operations or automated scripts processed the names, the hidden code executed and began the infection chain.
Darktrace uncovered a sophisticated phishing campaign that relied heavily on the abuse of Virtual Private Servers to compromise SaaS accounts across multiple customer environments.
Proofpoint's Threat Research team has identified a new example of the AI weaponization trend where cybercriminals are exploiting an AI-powered website creation app called Lovable to generate and host malicious sites for credential phishing, malware distribution, and fraud.
The telecommunications sector, per CrowdStrike, has witnessed a 130% increase in nation-state activity over the past year, primarily driven by the fact that they are a treasure trove of intelligence.
Mandiant's investigation, detailed in a Google Cloud blog post, uncovered a collaborative cyber threat campaign involving two financially motivated groups, UNC5518 and UNC5774. The campaign begins with UNC5518, which uses ClickFix techniques after compromising legitimate websites to deploy malware to visitors (potential victims).
Researchers discovered an existing security vulnerability by the title of DOM-based extension clickjacking, that attacks browser extensions like password managers. The method of attack attempts to make users interact with a web page's hidden parts unwittingly.
A new malware loader, dubbed “QuirkyLoader,” is being actively used to deploy next-stage payloads on targeted systems. These next-stage payloads range from information stealers to remote access trojans, including Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.
A U.S. court sentenced 20-year-old Scattered Spider member Noah Michael Urban to 10 years in federal prison after his April 2025 guilty plea to wire fraud and aggravated identity theft tied to a string of high-impact hacks and cryptocurrency thefts.
In early March 2025, threat actors began actively exploiting CVE-2024-36401, a critical remote code execution vulnerability in the GeoServer geospatial database with a CVSS score of 9.8, to gain covert access to victim environments.
Security analysts at ANY.RUN uncovered details of a new Phishing-as-a-Service (PhaaS) framework, dubbed “Salty 2FA,” which has been used to target victims in the US and EU, residing in various sectors, including finance, telecom, energy, consulting, logistics, and education.
Researchers have reported that the Warlock ransomware gang is exploiting a vulnerability in Microsoft SharePoint using the publicly available ToolShell exploit framework.
Recent research highlights how attackers are evolving their QR code phishing, or “quishing,” tactics to stay ahead of security defenses. While the general concept of using QR codes to lure users to credential-stealing websites is well understood, threat actors are now deploying more advanced techniques that complicate detection and mitigation.
In early 2025, Trellix Advanced Research Center uncovered a sophisticated espionage campaign targeting diplomatic missions in South Korea.
Since at least 2015, a Russian state-sponsored cyber espionage group, named Static Tundra, has been targeting unpatched and end-of-life Cisco networking devices.
Since late July 2025, security researchers have observed a resurgence of Akira ransomware activity linked to SonicWall seventh-generation firewalls with SSL VPN enabled.
Microsoft Threat Intelligence released an in-depth report yesterday on the highly modular backdoor framework, PipeMagic, which they have observed being employed by Storm-2460 in multiple instances.
CyberProof MDR analysts investigated a cryptomining incident that originated from an infected USB device, uncovering a multi-stage attack sequence designed to establish persistence and deliver a miner payload.
The Noodlophile Stealer has evolved into a highly targeted campaign against enterprises with large Facebook presences, using spear-phishing emails disguised as copyright infringement notices.
iiNet, one of Australia's biggest internet service providers operated by TPG Telecom, confirmed an unauthorized third party hacked into its order management system. Employing stolen employee passwords, the attacker was then able to extract about 280,000 active iiNet email addresses and 20,000 active landline phone numbers.
Hack & Cheese and Trend Micro researchers recently reversed engineered the Linux variant of LockBit ransomware, designed to target VMware ESXi servers. Based on the analysis, this variant comes with advanced evasion capabilities and encryption methods that make it a suitable tool for actors to target virtualized environments.