Research
-
APT36 uses Golang DeskRAT in spear‑phishing campaign against Indian government targets
Security researchers reported that APT36 (Transparent Tribe) used spear‑phishing to deliver a Golang remote access trojan called DeskRAT against Indian government targets. The campaign targets BOSS Linux and uses multiple persistence methods and WebSocket C2.
-
Researchers find self‑propagating ‘GlassWorm’ targeting VS Code extensions using Solana for command and control
Researchers have found a self‑spreading worm called GlassWorm that infects VS Code extensions on Open VSX and the Microsoft Marketplace, uses the Solana blockchain and Google Calendar for command and control, and steals developer credentials and cryptocurrency assets.
-
Researchers warn ‘Jingle Thief’ group exploits cloud access to commit gift card fraud
Palo Alto Networks Unit 42 says a group called Jingle Thief is targeting cloud environments used by retailers to steal credentials, issue unauthorized gift cards and resell them on gray markets, using phishing, long‑term access and identity misuse to evade detection.
-
BIND flaws could enable DNS cache poisoning; patches issued
BIND developers warned of two vulnerabilities, CVE-2025-40778 and CVE-2025-40780, that can enable DNS cache poisoning by allowing forged responses to be accepted; patches were released and operators are urged to apply them.
-
Hackers exploit critical SessionReaper flaw in Adobe Commerce, Sansec says
E-commerce security firm Sansec reported active exploitation of the critical SessionReaper flaw (CVE-2025-54236) in Adobe Commerce, blocking over 250 attempts and warning that a majority of stores remain unpatched.
-
Iran-linked MuddyWater used compromised email to deliver Phoenix backdoor to 100+ MENA government targets, Group-IB says
Group-IB says Iran-linked MuddyWater used a compromised mailbox accessed via NordVPN to phish MENA organisations, deploying weaponised Word documents that installed the Phoenix v4 backdoor across more than 100 government targets and hosting RMM tools and a browser credential stealer on its C2 infrastructure.
-
One-day ‘PhantomCaptcha’ spearphishing campaign delivered WebSocket RAT to Ukraine relief organizations
A one-day PhantomCaptcha spearphishing campaign on Oct. 8 used fake CAPTCHA prompts and ClickFix-style commands to install a WebSocket RAT, targeting Ukrainian regional officials and organisations involved in war relief, researchers said.
-
Kaspersky outlines ‘PassiveNeuron’ campaign using bespoke implants and Cobalt Strike
Kaspersky has reported a sustained espionage campaign named PassiveNeuron that has targeted government, financial and industrial servers across Asia, Africa and Latin America since mid-2024, using bespoke implants Neursite and NeuralExecutor alongside Cobalt Strike; the activity remains unattributed.










