Security News

A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. The reliance on infected USB drives to propagate the malware is unusual if not new.

The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News.

A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan. This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News.

An advanced persistent threat actor known as Budworm targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.

A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat group named Earth Aughisky. "Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week.

An ex-NSA employee has been charged with trying to sell classified data to the Russians. It's a weird story, and the FBI affidavit raises more questions than it answers.

Emerging covert malware families that target VMware environments could allow criminals to gain persistent administrative access to the hypervisor, transfer files, and execute arbitrary commands between virtual machines, according to VMware and Mandiant, which discovered the software nasty earlier this year. Prior to this discovery, both VMware and Mandiant say they hadn't seen persistent malware with these capabilities deployed on VMware hypervisors or guest systems in the wild.

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

A threat actor tracked under the moniker Webworm has been linked to bespoke Windows-based remote access trojans, some of which are said to be in pre-deployment or testing phases. "The group has developed customized versions of three older remote access trojans, including Trochilus RAT, Gh0st RAT, and 9002 RAT," the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.

"A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as DLL side-loading," the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News. The attacks entail the use of old and outdated versions of security solutions, graphics software, and web browsers that are bound to lack mitigations for DLL side-loading, using them as a conduit to load arbitrary shellcode designed to execute additional payloads.