1657 matches found

The Hacker News
added 2025/04/24 12:58 p.m., 39 views

Linux io_uring PoC Rootkit Bypasses System Call-Based Threat Detection Tools

Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allo...

AI score: 7.7
Exploits: 0
The Hacker News
added 2025/04/18 7:10 a.m., 19 views

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly...

AI score: 7.2
Exploits: 0
Talos Blog
added 2025/04/17 10:00 a.m., 14 views

Unmasking the new XorDDoS controller and infrastructure

Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. Th...

AI score: 8.5
Exploits: 0
The Hacker News
added 2025/04/17 8:57 a.m., 27 views

Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers

Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing ...

AI score: 7.8
Exploits: 0
CNNVD
added 2025/04/16 12:00 a.m., 2 views

LRQA Nettitude PoshC2 Security Vulnerability

LRQA Nettitude PoshC2 is an agent-aware C2 framework from LRQA used to help penetration testers with red teaming, post-exploitation, and lateral movement. A security vulnerability exists in LRQA Nettitude PoshC2 that stems from allowing an unauthenticated attacker to connect to the C2 server and...

CVSS: 6.5, AI score: 7.4, EPSS: 0.00304
Exploits: 0, References: 2
The Hacker News
added 2025/04/10 10:53 a.m., 20 views

Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine

The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country,...

AI score: 7.5
Exploits: 0
The Hacker News
added 2025/04/07 1:40 p.m., 18 views

CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks

Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel. "'Fast flux' is a technique used to...

AI score: 7.1
Exploits: 0
The Hacker News
added 2025/04/05 2:23 p.m., 34 views

North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages

The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal...

AI score: 7.7
Exploits: 0
The Hacker News
added 2025/03/28 11:57 a.m., 27 views

CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus Detection

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader. "The...

AI score: 7.8
Exploits: 0
The Hacker News
added 2025/03/25 1:39 p.m., 34 views

Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin. "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal...

AI score: 7.5
Exploits: 0
The Hacker News
added 2025/03/21 10:28 a.m., 52 views

Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers...

CVSS: 9.1, AI score: 9.5, EPSS: 0.99999
Exploits: 112
The Hacker News
added 2025/03/18 10:01 a.m., 20 views

BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse

At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX, painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV,...

AI score: 7.3
Exploits: 0
OSV
added 2025/03/18 9:49 a.m., 2 views

MAL-2025-191688 Malicious code in axonify (PyPI)

Source: kam193 22991c04631c7553b040a72573bc7d0ad80886ab6bc834ac43f1e1611f85ea02. The package is capable of installing malware from a hardcoded URL. The malware is well-recognized and acts as an infostealer. Interestingly, it uses Steam profile...

AI score: 6.9
Exploits: 0, References: 3
Malwarebytes
added 2025/03/06 2:07 p.m., 11 views

Android botnet BadBox largely disrupted

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox. The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs. The German BSI Federal Office...

AI score: 7.8
Exploits: 0
The Hacker News
added 2025/03/03 2:00 p.m., 17 views

Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites

Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc. "The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in...

AI score: 7.1
Exploits: 0
The Hacker News
added 2025/02/27 1:04 p.m., 11 views

New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades

Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting. "The modifications seen in the TgToxic payloads reflect the actors' ongoin...

AI score: 6.9
Exploits: 0
Talos Blog
added 2025/02/27 11:00 a.m., 10 views

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

Cisco Talos discovered multiple cyber espionage campaigns that target government, manufacturing, telecommunications and media, delivering Sagerunex and other hacking tools for post-compromise activities. Talos attributes these attacks to the threat actor known as Lotus Blossom. Lotus Blossom has...

AI score: 8
Exploits: 0
The Hacker News
added 2025/02/26 10:40 a.m., 13 views

Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads

Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from the music streaming service Deezer. The package in question is automslc, which has been downloaded over 104,000 times to date. First publish...

AI score: 7
Exploits: 0
The Hacker News
added 2025/02/24 4:58 p.m., 33 views

New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer

Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since...

CVSS: 7.8, AI score: 7.1, EPSS: 0.60954
Exploits: 0
Malwarebytes
added 2025/02/20 3:49 p.m., 8 views

Google Docs used by infostealer ACRStealer as part of attack

An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers. ACRStealer is often distributed via the tried-and-tested method of downloads posing as cracks and keygens, which are used in software piracy. The infostealer has bee...

AI score: 7.4
Exploits: 0