Research
-
Researchers disclose Sturnus Android banking trojan that can capture messages and take over devices
Security researchers say a new Android banking trojan called Sturnus can capture decrypted messages from apps like WhatsApp, Telegram and Signal, present fake bank login screens, and allow remote control of infected devices; ThreatFabric reports the campaign so far is limited to Southern and Central Europe.
-
Active exploitation reported for 7‑Zip ZIP symbolic link vulnerability
NHS England Digital warned that CVE-2025-11001, a 7‑Zip vulnerability affecting symbolic link handling and allowing remote code execution, is being actively exploited; 7‑Zip 25.00 released in July 2025 contains fixes and users are urged to update.
-
China-linked PlushDaemon hijacks software updates with new EdgeStepper implant, ESET says
ESET researchers say a China-linked group called PlushDaemon is hijacking software-update traffic using an EdgeStepper network implant that redirects update domains to attacker servers and delivers a chain of malware including LittleDaemon, DaemonicLogistics and the SlowStepper backdoor.
-
Researchers report WhatsApp-based worm distributing Delphi banking trojan in Brazil
Trustwave SpiderLabs reported a WhatsApp-propagated campaign in Brazil that uses a Python-based worm and an MSI installer to deploy the Delphi credential stealer Eternidade, which retrieves C2 addresses via IMAP and targets banking and crypto apps.
-
Meta gives researchers a WhatsApp Research Proxy and tightens anti-scraping protections
Meta has given selected bug bounty researchers access to a WhatsApp Research Proxy and launched a pilot to study platform abuse, while adding anti‑scraping protections after a public report showed how contact discovery could be abused to enumerate accounts at scale. Meta also patched a Unity‑related vulnerability affecting Quest devices and said it has paid…
-
Researchers detail use of Tuoni C2 in attack on U.S. real-estate firm
Researchers said attackers used the Tuoni C2 framework in a mid-October 2025 intrusion attempt against a U.S. real-estate firm, employing social engineering, PowerShell downloaders, BMP steganography and in-memory execution; the campaign was detected and blocked.
-
Mandiant ties UNC1549 to long-running campaign using TWOSTROKE and DEEPROOT against aerospace and defence
Google-owned Mandiant linked a cluster it tracks as UNC1549 to a campaign from late 2023 through 2025 in which suspected Iranian espionage actors used backdoors including TWOSTROKE and DEEPROOT to target aerospace, aviation and defence organisations by exploiting third-party credentials, VDI breakouts and targeted phishing.
-
Malicious npm packages use Adspect redirects and fingerprinting to cloak crypto scams
Seven npm packages published under the name ‘dino_reborn’ used Adspect redirects and browser fingerprinting to route real visitors to fake cryptocurrency CAPTCHA scams while showing decoys to likely researchers, Socket researchers found.
-
Researchers: ClickFix social‑engineering used to deliver Amatera stealer and NetSupport RAT
Researchers say operators are using ClickFix social‑engineering to install the Amatera stealer and, conditionally, NetSupport RAT; eSentire and other vendors have published analyses and indicators tied to multiple concurrent phishing campaigns.
-
Dragon Breath uses RONINGLOADER to deliver modified Gh0st RAT to Chinese-speaking users
Researchers say the Dragon Breath group used a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users, employing signed drivers, WDAC policy changes, PPL abuse and multi-stage NSIS installers to evade security products and deploy remote access capabilities.
