Research
-
Firefox patch fixes high-severity WebAssembly bug that lingered for six months
AISLE disclosed a high-severity WebAssembly boundary error in Firefox (CVE-2025-13016) that allowed memory corruption and could enable arbitrary code execution; Mozilla released a patch in Firefox 145 and ESR 140.5 after rapid confirmation and remediation.
-
Malicious Blender .blend files used to deliver StealC V2, researchers say
Researchers at Morphisec say a campaign has used malicious Blender .blend files uploaded to free 3D asset sites to execute embedded Python scripts and deliver the StealC V2 information stealer and a secondary Python stealer; the attack runs when Blender’s Auto Run option is enabled.
-
Researchers: ClickFix variants use fake Windows Update page and steganography to deliver infostealers
Researchers warn that ClickFix attack variants are using a full‑screen fake Windows Update page and steganography in PNG images to hide and deliver infostealer malware, with campaigns employing mshta, PowerShell, a .NET Stego Loader and in‑memory execution techniques.
-
Shai‑Hulud campaign trojanises hundreds of npm packages and leaks CI/CD secrets to GitHub
A renewed Shai‑Hulud campaign has published thousands of trojanised npm packages that steal developer and CI/CD secrets and post them to GitHub; researchers at Aikido and Wiz say the operation modified legitimate packages, used compromised maintainer accounts and is leaking secrets in automatically created GitHub repositories.
-
China-linked APT31 used local cloud services and public tools to target Russian IT sector, Positive Technologies reports
Researchers at Positive Technologies say China-linked APT31 targeted Russian IT firms between 2024 and 2025, using Yandex Cloud and a mix of public and custom tools to maintain long-term access and exfiltrate data.
-
Google: APT24 Used New ‘BADAUDIO’ Malware in Years-Long Espionage Campaign
Google Threat Intelligence Group says a China-nexus actor tracked as APT24 used a previously undocumented downloader called BADAUDIO in a campaign from November 2022 into 2025, employing watering holes, supply-chain compromises and spear-phishing to deliver backdoors and second-stage payloads.
-
Kaspersky flags expanding ‘Tsundere’ botnet that uses Ethereum to host C2 details
Kaspersky researchers have identified an expanding Windows-targeting botnet called Tsundere that deploys a Node.js-based payload via MSI or PowerShell, retrieves C2 details from the Ethereum blockchain and offers a control panel and marketplace for operators; attribution remains unclear.
-
D-Link warns of remote command-execution flaws in end-of-life DIR-878 routers
D-Link has warned that multiple remotely exploitable command-execution vulnerabilities affect the end-of-life DIR-878 router; technical details and proof-of-concept code are publicly available and the company recommends replacing the device because it will not receive security updates.
-
Amazon finds Iran-linked hackers using cyber reconnaissance to aid physical attacks
Amazon’s threat intelligence team reported that Iran-linked hackers conducted digital reconnaissance, including the targeting of ship AIS and CCTV, to support physical attacks, a trend the company calls cyber-enabled kinetic targeting.
-
Acronis warns of ongoing ‘TamperedChef’ malvertising campaign using signed fake installers
Acronis Threat Research Unit says operators are using signed counterfeit installers in a global malvertising campaign dubbed TamperedChef to deploy a JavaScript backdoor, with infections concentrated in the U.S. and several industries affected; some variants have been used for advertising fraud while broader motives remain unclear.










