Cybercrime
-
Over 4,300 Domains Used in Mass Phishing Campaign Targeting Hotel Guests
Researchers say a Russian-speaking threat actor registered more than 4,300 domains this year to run a large phishing campaign impersonating hotel booking services and harvesting payment data and credentials.
-
Washington Post breach exposes personal data of nearly 10,000 workers
The Washington Post notified 9,720 employees and contractors that their personal and financial information was exposed after attackers exploited a zero-day in Oracle E-Business Suite; the flaw (CVE-2025-61884) has been linked to the Clop group and other major organisations were also affected.
-
International police action disrupts Rhadamanthys, VenomRAT and Elysium operations
Authorities in nine countries, coordinated by Europol and Eurojust, dismantled infrastructure for Rhadamanthys, VenomRAT and Elysium by taking down 1,025 servers, seizing 20 domains and arresting a suspect in Greece as part of Operation Endgame.
-
Researchers: npm registry flooded by tens of thousands of fake packages in two‑year spam campaign
Researchers have identified a two‑year spam campaign that has flooded the npm registry with tens of thousands of fake packages using a worm-like mechanism to auto-publish new packages and potentially monetize the effort via the TEA protocol; investigators say attribution is unconfirmed and registry operators have removed the packages.
-
UK introduces Cyber Security and Resilience Bill to bolster critical infrastructure defenses
The UK government has introduced the Cyber Security and Resilience Bill to tighten protections for hospitals, energy, water and transport systems, build on the NIS Regulations, require managed service providers to meet security standards and report major incidents quickly, and impose turnover-based penalties for serious breaches.
-
Researchers detail Android RAT ‘Fantasy Hub’ sold as Malware‑as‑a‑Service on Telegram
Security researchers and industry trackers say an Android remote access trojan named Fantasy Hub is being sold on Russian‑language Telegram channels as a Malware‑as‑a‑Service, offering device takeover, SMS interception, APK trojanising, and subscription pricing while mirroring features seen in other Android RATs and banking trojans.
-
Researchers: Actors abused Triofox antivirus feature to execute code as SYSTEM
Researchers say the UNC6485 cluster exploited CVE-2025-12480 in Gladinet Triofox by spoofing a localhost host header to bypass authentication, then abused the product’s antivirus configuration to run a malicious payload as SYSTEM; vendors have released patches and investigators provided indicators of compromise.
-
Researchers link WhatsApp-propagated Maverick malware to Brazilian banking trojans
Researchers say Maverick, a WhatsApp-propagated malware, shares code and tactics with the Brazilian banking trojan Coyote and is being spread via automated WhatsApp Web sessions, with analysts noting ties to a group called Water Saci.
-
North Korean-linked group used Google device service to wipe South Korean Android phones
South Korean researchers say the North Korean-linked KONNI group abused Google’s device-management features to remotely factory-reset Android phones, using stolen credentials harvested via phishing and RATs spread over KakaoTalk.
-
Proofpoint links new UNK_SmudgedSerpent cluster to targeted phishing of Iran experts
Proofpoint has identified a new threat cluster, UNK_SmudgedSerpent, that used political lures, impersonation and malicious installers to target academics and Iran policy experts between June and August 2025, deploying RMM tools including PDQ Connect and possibly ISL Online.
