CyberSecurity news

rohansinhacyblecom@cyble.com //
A new Android banking trojan called Crocodilus has been discovered targeting users in Spain and Turkey. Researchers warn that the malware combines remote control of the device, black-screen overlays, and data harvesting through accessibility logging. Crocodilus is built for device takeover and fraudulent transactions; its dropper poses as Google Chrome and sidesteps the Android 13+ restrictions that normally stop sideloaded apps from obtaining accessibility-service access.

Once installed, Crocodilus requests Android's accessibility service permission and connects to a remote server for instructions and a list of targeted financial applications. It steals banking and crypto credentials by displaying HTML overlays on top of the targeted apps, and it logs every accessibility event to capture on-screen content, including one-time codes shown by Google Authenticator. To hide its activity from the victim, it can draw a black overlay over the screen and mute the device's sounds.

References:
  • cyble.com: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • thehackernews.com: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials
  • gbhackers.com: “Crocodilus” A New Malware Targeting Android Devices for Full Takeover
  • securityaffairs.com: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • ciso2ciso.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • The DefendOps Diaries: Discover how Crocodilus malware exploits Android devices, threatening cryptocurrency security with advanced RAT capabilities and social engineering.
  • cointelegraph.com: Android malware ‘Crocodilus’ can take over phones to steal crypto
  • Talkback Resources: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications

@www.infosecurity-magazine.com //
Researchers are raising concerns about a new malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. First observed around September 2024, it shares behavioral similarities with SmokeLoader, another established loader. CoffeeLoader employs several evasion techniques: a packer that executes part of its code on the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.

CoffeeLoader's infection sequence starts with a dropper that attempts to execute a DLL payload packed with "Armoury", a packer named for the way it impersonates ASUS's Armoury Crate utility. The malware establishes persistence through scheduled tasks and relies on call stack spoofing and sleep obfuscation to evade antivirus and EDR products. After connecting to its command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode. Despite the notable overlap with SmokeLoader, researchers have not yet established the exact relationship between the two families.

References:
  • The Hacker News: Researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
  • Security firm spots stealthy CoffeeLoader used in attacks
  • www.scworld.com: Windows devices have been targeted with attacks involving the novel CoffeeLoader malware that masquerades as Taiwanese computer hardware firm ASUS's Armoury Crate utility to covertly distribute the Rhadamanthys information-stealing malware and other malicious payloads, Cybernews reports.
  • ciso2ciso.com: Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.

do son@Daily CyberSecurity //
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) on a new malware variant named RESURGE, deployed through a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis finds that RESURGE shares capabilities with the SPAWNCHIMERA malware, including surviving system reboots, but adds distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, tamper with integrity checks, and modify files, which enables credential harvesting, account creation, password resets, and privilege escalation.

RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, so that its access survives reboots. CVE-2025-0282 itself is a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that can lead to remote code execution. CISA urges organizations running these products to apply the patches for CVE-2025-0282 immediately, monitor network traffic for unusual SSH connections, and maintain robust logging to detect tampering. Because RESURGE is described as manipulating integrity checks, a passing on-device integrity check should not by itself be treated as proof that an appliance is clean.

References:
  • securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
  • Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
  • bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
  • thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

@itpro.com //
Cybersecurity firm Resecurity infiltrated the BlackLock ransomware gang's infrastructure by exploiting a local file inclusion (LFI) vulnerability on the gang's data leak site (DLS). The flaw, the result of a misconfiguration of the site, let Resecurity read the gang's configuration files and account credentials and map its network infrastructure. With that access, Resecurity could observe the gang's operations, identify prospective victims, and alert both the victims and the authorities, gaining insight into the gang's modus operandi.

Resecurity's actions gave law enforcement crucial information about BlackLock, also known as El Dorado, which had attacked at least 46 organizations worldwide. The compromised DLS showed that the gang was actively recruiting affiliates to spread the ransomware further. By exposing the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and spared a number of organizations from attack.

References:
  • PCMag UK security: Cybersecurity Firm Hacks Ransomware Group, Alerts Potential Victims
  • www.itpro.com: Security researchers hack BlackLock ransomware gang in push back against rising threat actor
  • securityaffairs.com: BlackLock Ransomware Targeted by Cybersecurity Firm
  • The Hacker News: BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
  • thehackernews.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • securityaffairs.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • www.cybersecurity-insiders.com: For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation

info@thehackernews.com (The Hacker News) //
An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign aimed at users in Taiwan. The malware, PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It is distributed disguised as legitimate chat applications to trick users into installing it. Once on a device, PJobRAT can exfiltrate SMS messages, phone contacts, device information, documents, and media files, enabling deep surveillance and remote control.

Researchers at Sophos X-Ops uncovered the campaign; the samples they found date from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. This campaign appears to have paused, but it illustrates how threat actors retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and to use mobile security software.

References:
  • ciso2ciso.com: PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps – Source:thehackernews.com
  • The Hacker News: An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
  • www.infosecurity-magazine.com: PJobRAT malware targets Taiwan Android users, stealing data through fake messaging platforms
  • Sophos X-Ops: Back in 2021, researchers reported on PJobRAT, an Android RAT targeting Indian military personnel by imitating various dating and instant messaging apps. After that, everything seemed to go quiet. But during a recent threat hunt, Sophos X-Ops researchers uncovered a more recent PJobRAT campaign appearing to target users in Taiwan – the earliest sample being Jan 2023, and the most recent in October 2024.
  • Cyber Security News: Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019. This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.
  • gbhackers.com: PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.
  • Sophos News: PJobRAT makes a comeback, takes another crack at chat apps
  • Sophos X-Ops: We can’t confirm how users were directed to these sites, but PJobRAT previously used a variety of tricks, including third-party app stores, link shortening, phishing pages, fictitious personae, and posting links on forums. Once on a user’s device, the malware requests various permissions, and can steal SMS messages, phone contacts, device and app info, documents, and media files. The latest variant does not have a built-in function for stealing WhatsApp messages. But it does have a new functionality – running shell commands. This greatly increases the malware’s capabilities.

@www.silentpush.com //
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.

Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.

References:
  • gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
  • hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
  • www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
  • Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
  • securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest

info@thehackernews.com (The Hacker News) //
A large malware campaign, identified as ZuizhongJS, has compromised over 150,000 websites through JavaScript injection to promote Chinese gambling platforms. The attackers inject obfuscated JavaScript and PHP code into the compromised sites and use it to hijack the visitor's browser window: users are redirected to full-screen overlays of fake betting sites, including impersonations of legitimate platforms such as Bet365, with the aim of generating traffic and revenue for the illicit operators.

The attackers are believed to be linked to the Megalayer exploit, known for distributing Chinese-language malware and for similar domain patterns and obfuscation tactics. The injected code is typically hidden behind HTML entity encoding and hexadecimal escapes to evade detection. The campaign underscores the growing threat of client-side attacks and the need for website defenses such as regular audits of the scripts a site actually serves and a strict Content Security Policy, so that injected scripts and malicious redirects are caught before they reach users.
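As an added illustration for the script-audit point above (this is editor-written example code, not code recovered from the campaign or published by the researchers), the Python below peels the two encoding layers the reports mention, HTML entities and hexadecimal escapes, off an inline script body and flags decoded text that contains window-hijacking or overlay indicators. The indicator list and the sample payload are constructed for the example; the sample is built by the block's own obfuscate() helper rather than taken from a real compromised site.

```python
import html
import re

# Decoding passes for the two hiding tricks the reports attribute to the campaign:
# HTML numeric/named entities (&#x77; / &#119;) and JavaScript \xNN / \uNNNN escapes.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Strings worth a second look once a script has been decoded: window hijacking,
# full-screen overlays and the brand the reports say is impersonated. Hypothetical
# list for illustration, not an indicator set from the research. Lowercase, since
# audit_script() compares against lowercased text.
INDICATORS = (
    "window.open",
    "requestfullscreen",
    "position:fixed",
    'overflow="hidden"',
    "document.write",
    "bet365",
)


def peel(layer: str) -> str:
    """One decoding pass: entities first, then JavaScript string escapes."""
    s = html.unescape(layer)
    s = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s


def reveal(payload: str, max_layers: int = 8) -> tuple:
    """Peel until a pass changes nothing. Returns (decoded_text, layers_removed)."""
    current, layers = payload, 0
    while layers < max_layers:
        nxt = peel(current)
        if nxt == current:
            break
        current, layers = nxt, layers + 1
    return current, layers


def audit_script(payload: str) -> dict:
    """Decode an inline script body and report encoded layers plus indicator hits.
    A script is flagged only when it was hiding something (>= 1 layer) AND the
    decoded text contains an indicator, which keeps legitimately entity-encoded
    markup from generating noise."""
    decoded, layers = reveal(payload)
    lowered = decoded.lower()
    hits = [ind for ind in INDICATORS if ind in lowered]
    return {"layers": layers, "hits": hits, "suspicious": layers >= 1 and bool(hits)}


def obfuscate(plain: str) -> str:
    """Constructed test input: hex-escape every character, then entity-encode the
    result, mimicking the double encoding described in the reports (ASCII only)."""
    if not plain.isascii():
        raise ValueError("sample builder handles ASCII only")
    hexed = "".join(f"\\x{ord(c):02x}" for c in plain)
    return "".join(f"&#x{ord(c):02x};" for c in hexed)


# Constructed sample (made-up domain), not code recovered from a compromised site.
SAMPLE_PLAIN = ('window.open("https://bet365-example.invalid/","_blank");'
                'document.body.style.overflow="hidden";')
SAMPLE_OBFUSCATED = obfuscate(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(audit_script(SAMPLE_OBFUSCATED))
```

Run it against the bodies of every inline `<script>` on a page (and the contents of any first-party .js files) as part of a periodic audit; a script that only decodes to ordinary markup will come back with hits empty and stay unflagged.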

References:
  • Cyber Security News: Hackers Breach 150,000 Websites to Drive Traffic to Chinese Gambling Sites
  • gbhackers.com: Threat Actors Compromise 150,000 Websites to Promote Chinese Gambling Platforms
  • The Hacker News: 150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
  • www.techradar.com: Thousands of websites have now been hijacked by this devious, and growing, malicious scheme

Anna Ribeiro@Industrial Cyber //
Cybersecurity researchers have uncovered 46 new vulnerabilities in solar inverters from the leading vendors Sungrow, Growatt, and SMA. The flaws could let attackers seize control of the devices remotely, posing severe risks to electrical grids. Collectively named SUN:DOWN by Forescout Vedere Labs, the vulnerabilities enable attackers to execute arbitrary commands, take over user accounts, and gain a foothold in the vendors' cloud infrastructure, which in turn can give control over customers' inverters.

The researchers found that these flaws could be chained into coordinated, large-scale attacks on power generation and ultimately cause grid failures. The affected components include the inverters themselves, their communication dongles, and the vendors' cloud back ends and apps that manage them. Sungrow and SMA have patched the reported issues; Growatt's response was slower. The researchers' concern is that an attacker controlling a large fleet of inverters could destabilize a power grid, potentially to the point of blackouts.

References:
  • ciso2ciso.com: Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA – Source:thehackernews.com
  • The Hacker News: Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.
  • Solar Power System Vulnerabilities Could Result in Blackouts
  • www.scworld.com: 46 new bugs in solar power inverters raise concerns over power grid stability
  • Industrial Cyber: Forescout SUN:DOWN research uncovers critical vulnerabilities in solar inverters that threaten power grid stability
  • www.cybersecuritydive.com: Solar power gear vulnerable to remote sabotage
  • www.techradar.com: Several top solar invertor products were found to have vulnerabilities that could lead to device takeover.
  • The DefendOps Diaries: Securing Solar Inverters: Addressing Vulnerabilities in Renewable Energy Systems
  • Cyber Security News: Critical security flaws in global solar power infrastructure could potentially allow malicious actors to seize control of solar inverters and manipulate power generation at scale.
  • Cyber Security News: 46 New Vulnerabilities in Solar Inverters Let Attackers Manipulate Settings

Dissent@DataBreaches.Net //
A data breach at Oracle Health has affected multiple healthcare organizations and hospitals across the United States. A threat actor gained unauthorized access to legacy servers and stole patient data. Oracle Health, formerly Cerner, discovered the incident on February 20, 2025, but it only became public on March 28, 2025, through BleepingComputer's reporting, after Oracle Health did not respond to requests for comment.

The stolen Oracle Health data comes from electronic health records. The breach is believed to have been carried out with compromised customer credentials, a common initial-access technique. Separately, a threat actor has alleged a breach of Oracle Cloud's federated SSO login servers said to expose single sign-on credentials, LDAP passwords, OAuth2 keys, and tenant data for around 6 million records; Oracle denies that breach, BleepingComputer reports that customers have confirmed the leaked samples are valid, and the two incidents are reported as unrelated. For the hospitals affected by the Oracle Health breach the implications are substantial, particularly for HIPAA compliance, and could lead to legal repercussions and financial penalties.

Oracle Health is facing criticism for its lack of transparency. The company is reportedly telling hospitals that it will not notify patients directly, leaving the hospitals to determine whether the stolen data triggers HIPAA breach-notification duties. Oracle Health has, however, committed to helping identify impacted individuals and to providing notification templates.

References:
  • bsky.app: Oracle Health breach compromises patient data at US hospitals
  • BleepingComputer: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
  • Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
  • DataBreaches.Net: Oracle Health breach compromises patient data at US hospitals
  • The DefendOps Diaries: The Oracle Health breach highlights urgent need for healthcare IT modernization to protect patient data and comply with regulations.
  • Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
  • bsky.app: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
  • DataBreaches.Net: Oracle customers confirm data stolen in alleged cloud breach is valid
  • BleepingComputer: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.
  • SecureWorld News: Alleged Oracle Cloud Breach Triggers Industry Scrutiny, Supply Chain Concerns
  • BleepingComputer: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. This is not related to the alleged Oracle Cloud breach.
  • aboutdfir.com: Oracle customers confirm data stolen in alleged cloud breach is valid Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
  • www.cybersecuritydive.com: Cybersecurity firms brace for impact of potential Oracle Cloud breach
  • Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
  • bsky.app: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. This is not related to the alleged Oracle Cloud breach.
  • Risky Business Media: Oracle’s Health Tech division gets hacked and its customers extorted, the Italian government admits it used Paragon to spy on an NGO, a WordPress feature is being abused to silently install malicious plugins, and the Dutch public prosecutor pulls systems offline after a cyber incident.

Alex Lekander@CyberInsider //
Amnesty International's Security Lab has uncovered evidence that two investigative journalists from the Serbia-based Balkan Investigative Reporting Network (BIRN) were targeted with NSO Group’s Pegasus spyware in February 2025. This marks the third time in two years that Amnesty International has found Pegasus being used against civil society members in Serbia, building upon previous findings detailed in their December 2024 report, "A Digital Prison." The journalists received suspicious text messages, and research confirmed the links led to a domain previously identified as part of NSO Group's infrastructure.

These latest findings reinforce concerns about Serbian authorities abusing invasive spyware to target journalists, activists, and other members of civil society. NSO Group responded to Amnesty International's findings by stating they cannot comment on specific customers or disclose technical information, while reiterating their commitment to respecting human rights and upholding the UN Guiding Principles on Business and Human Rights. Despite this commitment, security researchers are increasingly able to detect Pegasus attacks, suggesting challenges for NSO Group in maintaining operational security and concealing their activities.

References:
  • securitylab.amnesty.org: Journalists targeted with Pegasus spyware - Amnesty International Security Lab
  • CyberInsider: Viber Messenger Abused for Delivering Pegasus Spyware on Targets
  • thecyberexpress.com: Investigative Journalists in Serbia Hit by Advanced Spyware Attack
  • techcrunch.com: Again and again, NSO Group’s customers keep getting their spyware operations caught
  • infosec.exchange: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,” said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
  • PrivacyDigest: Again and again, NSO Group’s customers keep getting their spyware operations caught | TechCrunch. On Thursday, Amnesty International published a new report detailing attempted hacks against two Serbian journalists, allegedly carried out with NSO Group’s Pegasus spyware.
  • ESET Research: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,” said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
  • The420.in: The murky world of cyber surveillance has once again been thrust into the spotlight as Amnesty International uncovered an attempt to hack two Serbian journalists using Pegasus, the notorious spyware developed by Israeli firm NSO Group.

@itpro.com //
Qualys researchers have uncovered three bypasses of Ubuntu Linux's unprivileged user namespace restrictions, a hardening feature intended to reduce the kernel attack surface exposed to local users. The bypasses affect Ubuntu 23.10 (where the restriction can be enabled) and 24.04 (where it is on by default) and let a local attacker create user namespaces with full administrative capabilities inside them. The restriction exists because those in-namespace capabilities are what many local kernel privilege-escalation exploits need; the bypasses hand that attack surface back.

The three routes use the aa-exec tool, Busybox, and LD_PRELOADing a shell into a program whose AppArmor profile permits user namespaces. None of the bypasses is root on its own: each restores the ability to create a privileged user namespace, which an attacker would then combine with a separate kernel vulnerability to gain full system access. Ubuntu was notified on January 15, 2025; the mitigations currently available are manual.
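Added example (editor-written, not from Qualys or Ubuntu): a Python check for the two sysctls involved, kernel.apparmor_restrict_unprivileged_userns (the restriction itself) and kernel.apparmor_restrict_unprivileged_unconfined (the additional hardening Ubuntu pointed to in its guidance). The sysctl names and the expected value of 1 are taken from Ubuntu's AppArmor documentation as understood by the editor and should be confirmed against Ubuntu's own notice, which also lists AppArmor profiles to disable; that profile step is not covered here. The classification logic is kept separate from file reading so it can be tested offline, and a live behavioural check with unshare is included for systems where the sysctl files are present.

```python
from pathlib import Path
from typing import Optional
import subprocess

# Sysctls under /proc/sys/kernel (names per Ubuntu's AppArmor documentation; verify
# against Ubuntu's notice). Both are expected to read 1 on a hardened system.
SYSCTLS = (
    "apparmor_restrict_unprivileged_userns",      # the restriction itself
    "apparmor_restrict_unprivileged_unconfined",  # extra hardening Ubuntu recommended
)
PROC_SYS_KERNEL = "/proc/sys/kernel"


def read_values(proc_sys_kernel=PROC_SYS_KERNEL) -> dict:
    """Read each sysctl file; None when absent (non-Ubuntu kernel or older release)."""
    base = Path(proc_sys_kernel)
    values = {}
    for name in SYSCTLS:
        try:
            values[name] = int((base / name).read_text().strip())
        except (FileNotFoundError, NotADirectoryError, ValueError):
            values[name] = None
    return values


def assess_from_values(values: dict) -> dict:
    """Pure classification, testable offline: 'ok' (==1), 'weak' (other int), 'absent'."""
    result = {}
    for name in SYSCTLS:
        v = values.get(name)
        if v is None:
            result[name] = "absent"
        elif v == 1:
            result[name] = "ok"
        else:
            result[name] = "weak"
    return result


def is_hardened(values: dict) -> bool:
    """True only when every sysctl is present and set to 1."""
    return all(state == "ok" for state in assess_from_values(values).values())


def userns_creation_blocked() -> Optional[bool]:
    """Live behavioural check: with the restriction active, an unprivileged
    `unshare -U -r true` fails (EPERM). Returns None if unshare is unavailable."""
    try:
        proc = subprocess.run(["unshare", "-U", "-r", "true"],
                              capture_output=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.returncode != 0


if __name__ == "__main__":
    vals = read_values()
    for name, state in assess_from_values(vals).items():
        print(f"kernel.{name} = {vals[name]} -> {state}")
    print("hardened:", is_hardened(vals))
    print("unprivileged user namespace creation blocked:", userns_creation_blocked())
```

A result of "ok" for the first sysctl but "weak" or "absent" for the second means the restriction is on but the additional hardening is not; note that even a fully hardened result says nothing about whether the vulnerable AppArmor profiles Ubuntu's notice names are still loaded, which has to be checked separately.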

References:
  • Full Disclosure: Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions.
  • The DefendOps Diaries: Understanding Security Bypasses in Ubuntu's Unprivileged User Namespaces
  • www.itpro.com: Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
  • www.networkworld.com: Ubuntu namespace vulnerability should be addressed quickly: Expert
  • BleepingComputer: New Ubuntu Linux security bypasses require manual mitigations
  • bsky.app: Details of how Qualys identified security bypasses on Ubuntu

info@thehackernews.com (The Hacker News) //
A new Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat", uses DNS MX records to dynamically serve phishing pages tailored to each victim, targeting over 100 brands. The platform lets both technical and non-technical criminals run targeted campaigns, slipping past defenses by abusing open redirects on adtech servers and compromised WordPress websites. Delivery relies on mass spam, with the phishing content tailored per victim so that traditional signature-based detection has less to match on.

Morphing Meerkat queries the victim domain's MX records through DNS-over-HTTPS (Cloudflare or Google Public DNS) from within the victim's browser and maps the mail provider it finds to one of over 114 brand-specific phishing HTML templates, so the fake login page matches the victim's actual e-mail service. This personalization significantly increases the success rate of credential theft. The kit also uses code obfuscation and anti-analysis measures to hinder detection and supports over a dozen languages to target users globally. For defenders, the DoH lookups are a useful tell: a login page that performs MX lookups against dns.google or cloudflare-dns.com from client-side JavaScript has no legitimate reason to do so.
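Added example (editor-written, not the kit's code or Infoblox's): how the MX-to-template selection described above works, using a constructed DNS-over-HTTPS JSON answer in the format Google Public DNS and Cloudflare return, plus a defender-side predicate that recognizes an MX lookup against either resolver in a browser or proxy request log. The suffix-to-provider table is a small illustration, not the platform's real mapping of 114 brands, and victim.example is a made-up domain.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Hypothetical suffix -> template key table (our illustration; the kit's real mapping
# of MX hosts to its 114 brand templates is not reproduced on this page).
PROVIDER_BY_MX_SUFFIX = {
    "aspmx.l.google.com": "google-workspace",
    "googlemail.com": "google-workspace",
    "mail.protection.outlook.com": "microsoft-365",
    "yahoodns.net": "yahoo",
    "pphosted.com": "proofpoint-fronted",
    "mimecast.com": "mimecast-fronted",
}

# DoH resolvers the reports say the kit queries; both expose the same JSON API shape.
DOH_MX_ENDPOINTS = {
    "dns.google": "/resolve",
    "cloudflare-dns.com": "/dns-query",
}

# Constructed DoH JSON answer for the made-up domain victim.example
# (application/dns-json shape; type 15 == MX, data == "<preference> <host>.").
SAMPLE_DOH_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "victim.example.", "type": 15}],
    "Answer": [
        {"name": "victim.example.", "type": 15, "TTL": 300, "data": "5 alt1.aspmx.l.google.com."},
        {"name": "victim.example.", "type": 15, "TTL": 300, "data": "1 aspmx.l.google.com."},
        {"name": "victim.example.", "type": 16, "TTL": 300, "data": "\"v=spf1 include:_spf.google.com ~all\""},
    ],
})


def parse_doh_mx(answer_json: str) -> list:
    """Return (preference, hostname) pairs from the MX answers, lowest preference first.
    Non-MX records in the same answer (e.g. TXT) are ignored."""
    doc = json.loads(answer_json)
    records = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 15:
            continue
        pref, host = rr["data"].split(None, 1)
        records.append((int(pref), host.rstrip(".").lower()))
    return sorted(records)


def classify_provider(mx_records) -> str:
    """Pick the template key for the most-preferred MX that matches a known suffix;
    'generic' when nothing matches (the kit's fallback page, per the reports)."""
    for _pref, host in mx_records:
        for suffix, label in PROVIDER_BY_MX_SUFFIX.items():
            if host == suffix or host.endswith("." + suffix):
                return label
    return "generic"


def is_doh_mx_lookup(url: str) -> bool:
    """Defender-side hook: True for a request that is an MX lookup against one of the
    DoH JSON endpoints, e.g. https://dns.google/resolve?name=victim.example&type=MX.
    Seeing this from a page that presents a login form is a strong phishing signal."""
    parts = urlsplit(url)
    if DOH_MX_ENDPOINTS.get(parts.hostname) != parts.path:
        return False
    qtype = parse_qs(parts.query).get("type", [""])[0].upper()
    return qtype in ("MX", "15")


if __name__ == "__main__":
    mx = parse_doh_mx(SAMPLE_DOH_RESPONSE)
    print(mx, "->", classify_provider(mx))
    print(is_doh_mx_lookup("https://dns.google/resolve?name=victim.example&type=MX"))
```

The same suffix table is useful on the defensive side: knowing which template a kit would pick for your domain tells you which brand's login page to hunt for in suspicious URLs reported by your users.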

References:
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed “Morphing Meerkat,” that leverages DNS mail exchange (MX) records to dynamically serve tailored phishing pages mimicking over 100 brands.
  • Security Affairs: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.

@The DefendOps Diaries //
Mozilla has released an urgent security update for Firefox on Windows to address a critical sandbox escape vulnerability, CVE-2025-2857. The flaw lets attackers break out of the browser's content-process sandbox, a significant risk for Windows users. The fix ships in Firefox 136.0.4 and in Firefox ESR 128.8.1 and 115.21.1.

The vulnerability, reported by Mozilla developer Andrew McCreight, stems from an incorrect handle in the browser's inter-process communication (IPC) code that can be leveraged to escape the sandbox, potentially enabling arbitrary code execution on the host. Mozilla found it after Google patched a similar flaw in Chrome, CVE-2025-2783, which had been exploited in the wild as a zero-day. Windows users are advised to update as soon as possible.

References:
  • securityonline.info: Mozilla releases urgent security patch for Windows users as researchers uncover another IPC vulnerability echoing a recently exploited
  • The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.
  • The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
  • BleepingComputer: Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems.
  • CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
  • The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
  • Security Affairs: Mozilla fixed critical Firefox vulnerability CVE-2025-2857
  • PCMag UK security: Chrome Zero-Day Flaw Also Affects Firefox
  • gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
  • MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
  • thecyberexpress.com: Mozilla has issued an urgent update for Firefox on Windows to patch a critical security vulnerability.
  • Blog: Critical sandbox escape flaws in Firefox and Chrome patched
  • techcrunch.com: Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
  • www.scworld.com: Firefox patches flaw similar to exploited Chrome zero-day
  • discuss.privacyguides.net: Developers of Mozilla's Firefox say that reports on a Google Chrome zero-day vulnerability led them to find a similar bug for the Windows version of their browser.
  • Help Net Security: Google’s fixing of CVE-2025-2783, a Chrome zero-day vulnerability exploited by state-sponsored attackers, has spurred Firefox developers to check whether the browser might have a similar flaw – and they found it.
  • www.techradar.com: Firefox patches zero-day security flaw days after Chrome fixes the same issue

Pierluigi Paganini@securityaffairs.com //
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. The nascent gang says the breach compromised over 403,000 WOW! user accounts, yielding full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.

The attackers boast of full backend control and have even produced a music video montage to demonstrate their level of access. They also claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. WOW! has not confirmed Arkana Security's claims, saying only that it is investigating; threat researchers traced the intrusion to an infostealer infection in September 2024 that enabled access to WOW!'s critical systems.

Recommended read:
References :
  • Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
  • securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
  • www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
  • CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
  • BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
  • Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
  • DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
  • PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
  • The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
  • www.csoonline.com: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US.
  • Talkback Resources: Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)
  • www.pcmag.com: Cybercrime Gang Says It Hacked This US ISP, Stole Info on 403K Customers

do son@Daily CyberSecurity //
A use-after-free vulnerability, tracked as CVE-2025-30232, has been discovered in the Exim mail transfer agent (MTA), one of the most widely deployed MTAs on Unix-like systems. The bug affects Exim versions 4.96 through 4.98.1 and could allow an attacker who already has command-line access to escalate privileges on the affected host, gaining unauthorized access to system resources and the ability to run arbitrary commands with elevated privileges, which compromises the entire server.

Exploitation requires both conditions: the system runs one of the vulnerable versions (4.96, 4.97, 4.98, or 4.98.1) and the attacker already has local command-line access. The Exim project has released version 4.98.2 to fix the flaw, and administrators are strongly advised to upgrade as soon as possible (or to apply their distribution's backported fix, which may not change the version number Exim reports). The vulnerability was reported to Exim on March 13, 2025, by Trend Micro; a security release was made available to distribution maintainers on March 21 and public notification followed on March 25.
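A fleet check for the version range above, as an added example (not Exim project code). It parses the first line of `exim -bV`, whose format is assumed to be "Exim version 4.98.1 #2 built ...", and treats 4.96 through 4.98.1 as affected; the binary names tried (`exim`, `exim4`) are assumptions about common installs.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range and fixed release for CVE-2025-30232, as stated in the advisory.
AFFECTED_MIN = (4, 96, 0)
AFFECTED_MAX = (4, 98, 1)
FIXED = (4, 98, 2)

# Assumed first line of `exim -bV`: "Exim version 4.98.1 #2 built 07-Mar-2025 ..."
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")

def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `exim -bV` output; patch defaults to 0."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for upstream versions 4.96 through 4.98.1 inclusive."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def assess(bv_output: str) -> str:
    v = parse_exim_version(bv_output)
    if v is None:
        return "unknown: could not parse an Exim version string"
    label = ".".join(map(str, v))
    if is_affected(v):
        # Distribution packages may carry the fix as a backport without bumping the
        # version string, so confirm against the distro changelog before reporting.
        return f"affected: {label} (upstream fix is 4.98.2; check for a distro backport)"
    if v >= FIXED:
        return f"fixed: {label}"
    return f"outside affected range: {label}"

def assess_local_exim() -> str:
    """Run the check against the Exim binary on this host (exim, or exim4 on Debian-style systems)."""
    for binary in ("exim", "exim4"):
        try:
            out = subprocess.run([binary, "-bV"], capture_output=True, text=True, timeout=10).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        return assess(out)
    return "unknown: no exim binary found"

if __name__ == "__main__":
    print(assess_local_exim())
```

Run it on each mail host; an "affected" result on a distribution-packaged Exim still needs the package changelog checked, because vendors often ship the CVE fix under the old version number.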

Aman Mishra@gbhackers.com //
ESET researchers have uncovered connections between RansomHub affiliates and other ransomware groups, including Medusa, BianLian, and Play. The link is the shared use of EDRKillShifter, a custom tool built to disable endpoint detection and response (EDR) software on compromised systems. EDRKillShifter uses a Bring Your Own Vulnerable Driver (BYOVD) tactic: it loads a legitimately signed but exploitable driver and abuses its kernel-level access to terminate security products, so the ransomware encryptor can run without being detected or blocked.

This sharing of tools highlights an evolving trend in the ransomware landscape, where groups collaborate and repurpose tooling from rivals. ESET's analysis reveals that even closed ransomware-as-a-service (RaaS) operations like Play and BianLian, known for their consistent use of core tools, have members utilizing EDRKillShifter in their attacks. RansomHub, a relatively new player, quickly rose to prominence in the ransomware scene after emerging in February 2024, dominating the landscape by recruiting affiliates from disrupted groups such as LockBit and BlackCat. The tool, custom-developed by RansomHub, is offered to its affiliates as part of its RaaS program.
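The detection opportunity in the BYOVD pattern is the sequence, not the driver: a driver loads from somewhere a driver should not live (or matches a vulnerable-driver feed), and security-product processes die shortly afterwards. The following is an added example of that correlation logic (not ESET's or any vendor's code), run over constructed Sysmon-style events. The blocklist entry, the driver path and the `ExampleEDR.exe` process name are placeholders; the hash set would in practice come from a feed such as loldrivers.io.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Minimal Sysmon-style event: EventID 6 = driver loaded, EventID 5 = process terminated.
@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: Dict[str, str]

# Directories a legitimately installed driver is normally loaded from.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed placeholder entry; populate from a vulnerable-driver feed (e.g. loldrivers.io).
KNOWN_VULNERABLE_SHA256 = {
    "0" * 64: "placeholder-vulnerable.sys",  # not a real driver hash
}

# Security-product processes whose termination right after a driver load is the BYOVD tell.
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "exampleedr.exe"}

def sha256_from_hashes(hashes_field: str) -> str:
    """Pull the SHA256 value out of Sysmon's 'SHA1=..,MD5=..,SHA256=..' field."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def driver_suspicion(ev: Event) -> List[str]:
    """Reasons a driver-load event looks like BYOVD. A valid Authenticode signature
    does not clear it: the whole point of BYOVD is that the driver is signed."""
    reasons: List[str] = []
    path = ev.fields.get("ImageLoaded", "")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from non-standard path: {path}")
    sha = sha256_from_hashes(ev.fields.get("Hashes", ""))
    if sha in KNOWN_VULNERABLE_SHA256:
        reasons.append(f"hash matches known vulnerable driver {KNOWN_VULNERABLE_SHA256[sha]}")
    return reasons

def detect_byovd(events: List[Event], window: timedelta = timedelta(seconds=120)) -> List[dict]:
    """Alert when a suspicious driver load is followed, within `window`, by the
    termination of one or more security-product processes."""
    alerts: List[dict] = []
    ordered = sorted(events, key=lambda e: e.ts)
    for ev in ordered:
        if ev.event_id != 6:
            continue
        reasons = driver_suspicion(ev)
        if not reasons:
            continue
        killed = sorted({
            e.fields["Image"].rsplit("\\", 1)[-1]
            for e in ordered
            if e.event_id == 5
            and ev.ts <= e.ts <= ev.ts + window
            and e.fields.get("Image", "").rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES
        })
        if killed:
            alerts.append({"ts": ev.ts, "driver": ev.fields.get("ImageLoaded", ""),
                           "reasons": reasons, "terminated": killed})
    return alerts

# Constructed sample timeline: one benign driver load, one BYOVD-style load followed by EDR kills.
T0 = datetime(2025, 3, 27, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 6, {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                  "Hashes": "SHA256=" + "a" * 64, "Signed": "true"}),
    Event(T0 + timedelta(minutes=5), 6, {"ImageLoaded": "C:\\Users\\Public\\tools\\vuln_drv.sys",
                                         "Hashes": "SHA256=" + "0" * 64, "Signed": "true"}),
    Event(T0 + timedelta(minutes=5, seconds=4), 5,
          {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}),
    Event(T0 + timedelta(minutes=5, seconds=7), 5,
          {"Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"}),
    Event(T0 + timedelta(minutes=30), 5, {"Image": "C:\\Windows\\notepad.exe"}),
]

if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_EVENTS):
        print(alert)
```

The benign `tcpip.sys` load produces no alert even though processes terminate later in the log, and the `notepad.exe` termination is ignored because it is neither a security product nor inside the window. On a real estate, feed the function Sysmon ID 6 and ID 5 events (or the equivalent from your EDR telemetry) and tune the window to how quickly your encryptor samples typically follow the kill.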

Recommended read:
References :
  • DataBreaches.Net: The RansomHub ransomware-as-a-service (RaaS) operation affiliates were linked to established gangs Medusa, BianLian, and Play, which share the use of RansomHub’s custom-developed EDRKillShifter.
  • The Hacker News: Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
  • hackread.com: Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.
  • gbhackers.com: New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs
  • Cyber Security News: New Research Reveals RansomHub’s EDRKillShifter Connected to Major Ransomware Gangs
  • www.cybersecuritydive.com: Custom tool developed by RansomHub, dubbed “EDRKillShifter,â€� is used by several other rival ransomware gangs.

@The DefendOps Diaries //
Vivaldi has integrated Proton VPN directly into its browser, giving users a built-in way to shield their browsing from 'Big Tech' surveillance. The VPN is switched on from a button in the toolbar, with no external downloads or plugin activations. The move signals a commitment to user privacy and a challenge to the data collection practices of major tech firms.

Vivaldi's partnership with Proton VPN puts browser-level privacy tooling in front of users: when enabled, the browser's traffic is routed through Proton VPN's encrypted tunnels, hiding the user's real IP address from the sites visited and from observers on the local network. The integration is aimed at reducing tracking and surveillance, with two caveats. It is a browser-level VPN, so traffic from other applications on the device is not covered, and a VPN provides privacy rather than anonymity: sites a user signs in to still know who they are.

Recommended read:
References :
  • CyberInsider: Privacy-focused browser Vivaldi has announced the direct integration of Proton VPN, offering users seamless VPN access without external downloads or plug-ins.
  • Sam Bent: Vivaldi's new partnership with Proton VPN brings browser-level privacy tools into the hands of users, but it's crucial to understand where privacy ends and anonymity begins. This move is a strong statement against Big Tech surveillance, yet the protection it offers is not a blanket solution.
  • The DefendOps Diaries: Discover how Vivaldi's integration of Proton VPN enhances browser privacy and user control, setting new standards in digital security.
  • BleepingComputer: Vivaldi has announced the integration of Proton VPN directly into its browser without requiring add-on downloads or plugin activations, allowing users to protect their data against 'Big Tech' surveillance for free.
  • bsky.app: Vivaldi has released a new version of its browser with built-in support for ProtonVPN, now available as a VPN button in the toolbar https://vivaldi.com/blog/privacy-without-compromise-proton-vpn-is-now-built-into-vivaldi/

Michael Nuñez@AI News | VentureBeat //
AI security startup Hakimo has secured $10.5 million in Series A funding to expand its autonomous security monitoring platform. The funding round was led by Vertex Ventures and Zigg Capital, with participation from RXR Arden Digital Ventures, Defy.vc, and Gokul Rajaram. This brings the company’s total funding to $20.5 million. Hakimo's platform addresses the challenges of rising crime rates, understaffed security teams, and overwhelming false alarms in traditional security systems.

The company's flagship product, AI Operator, monitors existing physical security systems, detects threats in real time, and executes response protocols with minimal human intervention. It combines computer vision with generative AI so that, according to Hakimo, it can detect any anomaly or threat that can be described in words. The company claims customers save approximately $125,000 per year compared with staffing traditional security guards.

Recommended read:
References :
  • AiThority: Hakimo Secures $10.5Million to Transform Physical Security With Human-Like Autonomous Security Agent
  • AI News | VentureBeat: The watchful AI that never sleeps: Hakimo’s $10.5M bet on autonomous security
  • Unite.AI: Hakimo Raises $10.5M to Revolutionize Physical Security with Autonomous AI Agent

@itpro.com //
Advanced Computer Software Group, an NHS software supplier, has been fined £3.07 million by the Information Commissioner's Office (ICO) for security failures that led to a highly disruptive ransomware attack in 2022. The ICO found that the company failed to implement appropriate security measures before the attack, which compromised the personal information of tens of thousands of NHS patients. The LockBit ransomware group was identified as the perpetrator; it gained initial access through a customer account that lacked multi-factor authentication (MFA).

Personal information belonging to 79,404 people was taken, including checklists that told carers and medics how to gain entry to the homes of 890 people receiving care at home, many of them vulnerable. The ICO cited gaps in the application of MFA across the organisation, a lack of vulnerability scanning, and inadequate patch management as the primary failings that enabled the attack.

Recommended read:
References :
  • bsky.app: NHS provider Advanced has been fined £3m by ICO for security failures that led to the hugely disruptive ransomware hack in 2022. One shocking new detail - not only was personal info of 79k people taken - it included instructions for carers on how to gain entry into 890 patient's homes.
  • The Register - Security: Data stolen included checklist for medics on how to get into vulnerable people's homes The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.
  • techcrunch.com: NHS vendor Advanced will pay just over £3 million ($3.8 million) in fines for not implementing basic security measures before it suffered a ransomware attack in 2022, the U.K.’s data protection regulator has confirmed.
  • www.itpro.com: The Information Commissioner's Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
  • DataBreaches.Net: The UK’s data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary’s security failings led to a ransomware attack affecting NHS care. This is nearly half the fine the Information Commissioner’s Office provisionally floated...
  • www.cybersecurity-insiders.com: NHS LockBit ransomware attack yields £3.07 million penalty on tech provider
  • www.bleepingcomputer.com: UK fines software provider £3.07 million for 2022 ransomware breach
  • The DefendOps Diaries: Understanding the 2022 NHS Ransomware Attack: Lessons and Future Preparedness
  • Tech Monitor: UK ICO fines Advanced Computer Software £3m after NHS data breach
  • www.scworld.com: Advanced slapped with almost $4M fine after LockBit hack

Lucija Valentic@reversinglabs.com //
A new malware campaign is targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, that patch a locally installed copy of the popular 'ethers' library so that it opens a reverse shell, giving the attackers remote access to the compromised system. The payload is well hidden: the packages modify legitimate files that belong to 'ethers', so the backdoor survives removal of the packages that planted it.

The campaign shows a sophisticated software supply chain technique. The malicious packages act as downloaders that fetch the stages which patch 'ethers' with the reverse shell; if 'ethers' is reinstalled while the downloader is still present, the modifications are reintroduced, so the attackers keep their access. ReversingLabs detected the threat with its Spectra platform and has published a YARA rule to identify compromised systems. At the time of the report ethers-providerz had been removed from npm but ethers-provider2 was still available, and the same tactic would be far more dangerous if applied to more widely used npm packages.
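The defensive angle is that a downloader package leaves two traces: an install-time lifecycle script in its own package.json, and modified files inside a package it does not own. The following added example (not ReversingLabs' tooling or YARA rule) hashes a node_modules tree against a baseline taken from a known-good install (for instance one produced with `npm ci --ignore-scripts`), reports files that changed or appeared, and lists packages that declare install hooks. The whole scenario, including the package name `evil-provider`, the file `provider.js` and the injected line, is constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Lifecycle scripts that run during `npm install`, the hook a downloader package needs.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    digests: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests

def write_baseline(node_modules: Path, baseline_file: Path) -> None:
    """Record hashes of a known-good tree, e.g. the output of `npm ci --ignore-scripts`."""
    baseline_file.write_text(json.dumps(hash_tree(node_modules), sort_keys=True))

def diff_against_baseline(node_modules: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """Files that changed since the baseline. A modified or added file inside a package
    that was not itself upgraded is the signature of in-place patching."""
    before = json.loads(baseline_file.read_text())
    after = hash_tree(node_modules)
    return {
        "modified": sorted(k for k in before if k in after and after[k] != before[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }

def install_scripts(node_modules: Path) -> Dict[str, Dict[str, str]]:
    """Packages (plain and @scoped) whose package.json declares install-time scripts."""
    found: Dict[str, Dict[str, str]] = {}
    manifests = list(node_modules.glob("*/package.json")) + list(node_modules.glob("@*/*/package.json"))
    for pj in manifests:
        try:
            meta = json.loads(pj.read_text())
        except (ValueError, OSError):
            continue
        hooks = {k: v for k, v in meta.get("scripts", {}).items() if k in INSTALL_HOOKS}
        if hooks:
            found[meta.get("name", pj.parent.name)] = hooks
    return found

def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate a downloader's second
    stage patching a neighbouring package. Names, files and payloads are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        (nm / "ethers" / "lib").mkdir(parents=True)
        (nm / "ethers" / "package.json").write_text(json.dumps({"name": "ethers", "version": "6.0.0"}))
        (nm / "ethers" / "lib" / "provider.js").write_text("module.exports = { connect() {} };\n")
        (nm / "evil-provider").mkdir()
        (nm / "evil-provider" / "package.json").write_text(json.dumps(
            {"name": "evil-provider", "version": "1.0.0", "scripts": {"postinstall": "node loader.js"}}))
        (nm / "evil-provider" / "loader.js").write_text("// downloader stub (constructed)\n")
        baseline = Path(tmp) / "baseline.json"
        write_baseline(nm, baseline)  # taken before any lifecycle script has run
        # Simulated second stage: append to a file ethers owns and drop a new one beside it.
        with open(nm / "ethers" / "lib" / "provider.js", "a") as f:
            f.write("require('child_process');  // injected (constructed)\n")
        (nm / "ethers" / "lib" / "stage3.js").write_text("// dropped payload stub (constructed)\n")
        return {"diff": diff_against_baseline(nm, baseline), "scripts": install_scripts(nm)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff points at `ethers/lib/provider.js` and the dropped `stage3.js`, while the install-script scan surfaces `evil-provider` as the package that had a chance to run code at install time. In a real pipeline, generate the baseline in a clean build container and compare developer machines against it; reinstalling 'ethers' alone will not help if the downloader is still present, which is exactly the persistence the report describes.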

Recommended read:
References :
  • : Malicious npm Packages Deliver Sophisticated Reverse Shells
  • Blog (Main): Malware found on npm infecting local package with reverse shell
  • thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
  • hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
  • www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
  • The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
  • Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
  • www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
  • BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs
  • www.scworld.com: reports on NPM related infostealer campaigns
  • securityonline.info: A recent report by ReversingLabs (RL) has uncovered malicious packages on the npm repository that employ sophisticated techniques
  • www.techradar.com: Malicious npm packages use devious backdoors to target users