Android malware
-
Herodotus Android malware uses human-like typing delays to evade detection
ThreatFabric has identified Herodotus, an Android malware-as-a-service that uses randomized typing delays to mimic human input and evade timing-based detection, and is being distributed via SMS to users in Italy and Brazil.
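The evasion in the Herodotus summary is easiest to see against the kind of check it defeats. The following is an added illustration, not code from ThreatFabric or from the malware: a timing-only heuristic that flags keystroke cadences with too little variance or an impossibly fast mean, run over constructed inter-keystroke samples. The interval lists, the thresholds (`min_cv`, `min_mean_ms`) and the delay range in `herodotus_style_delays` are assumptions chosen for the example.

```python
import random
import statistics

# Constructed inter-keystroke intervals in milliseconds (sample data for this
# example, not measurements from the ThreatFabric report).
HUMAN_INTERVALS = [120, 95, 210, 80, 150, 330, 110, 90, 175, 260, 140, 100]
AUTOMATED_FIXED = [50] * 12  # injected text with a constant per-key delay
AUTOMATED_JITTERED = [140, 210, 85, 265, 120, 190, 300, 95, 160, 230, 110, 275]


def interval_stats(intervals):
    """Return (mean, sample stdev, coefficient of variation) for a list of intervals."""
    if len(intervals) < 2:
        raise ValueError("need at least two intervals")
    mean = statistics.mean(intervals)
    stdev = statistics.stdev(intervals)
    cv = stdev / mean if mean else float("inf")
    return mean, stdev, cv


def looks_automated(intervals, min_cv=0.15, min_mean_ms=40):
    """Timing-only heuristic: flag input whose cadence is too regular (low
    coefficient of variation) or faster than a human can type.

    Thresholds are assumed for illustration, not taken from any product."""
    mean, _, cv = interval_stats(intervals)
    return cv < min_cv or mean < min_mean_ms


def herodotus_style_delays(count, low_ms=300, high_ms=3000, seed=0):
    """Model the evasion described in the summary: each keystroke delay is drawn
    at random from a range. The range and the seed are assumptions for this
    example, not values from the report."""
    rng = random.Random(seed)
    return [rng.uniform(low_ms, high_ms) for _ in range(count)]


if __name__ == "__main__":
    samples = [
        ("human", HUMAN_INTERVALS),
        ("fixed-delay bot", AUTOMATED_FIXED),
        ("jittered bot", AUTOMATED_JITTERED),
        ("randomised delays", herodotus_style_delays(12)),
    ]
    for label, sample in samples:
        mean, stdev, cv = interval_stats(sample)
        print(f"{label:18s} mean={mean:7.1f} ms  cv={cv:.2f}  flagged={looks_automated(sample)}")
```

Only the constant-delay sample trips the check; both jittered samples look as irregular as the human one, which is the whole point of randomising the delay. Cadence statistics are therefore a weak signal on their own and are better combined with signals the malware cannot cheaply fake, such as which process is injecting the input or whether an accessibility service is driving the UI.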
-
SideWinder adopts ClickOnce-based infection chain in South Asia espionage campaign
Researchers say the SideWinder group used a new ClickOnce-based infection chain alongside Word exploits in spear-phishing waves from March to September 2025 to deliver ModuleInstaller and the StealerBot implant against diplomatic and government targets in South Asia.
-
Researchers find self-propagating 'GlassWorm' targeting VS Code extensions using Solana for command and control
Researchers have found a self-spreading worm called GlassWorm that infects VS Code extensions on Open VSX and the Microsoft Marketplace, uses the Solana blockchain and Google Calendar for command and control, and steals developer credentials and cryptocurrency assets.
-
One-day ‘PhantomCaptcha’ spearphishing campaign delivered WebSocket RAT to Ukraine relief organizations
A one-day PhantomCaptcha spearphishing campaign on Oct. 8 used fake CAPTCHA prompts and ClickFix-style commands to install a WebSocket RAT, targeting Ukrainian regional officials and organisations involved in war relief, researchers said.
-
Google links three new ‘ROBOT’ malware families to Russia-linked COLDRIVER
Google’s Threat Intelligence Group linked three new malware families — NOROBOT, YESROBOT and MAYBEROBOT — to the Russia-linked COLDRIVER group, describing a ClickFix-style delivery chain and ongoing rapid development aimed at evading detection. Dutch prosecutors also said three youths are suspected of providing services to a foreign government and one had contact with a Russia-affiliated…
-
China-linked Salt Typhoon exploited Citrix to target European telecom, Darktrace says
Security firm Darktrace reported that a European telecommunications organisation was targeted in July 2025 by a China-linked group known as Salt Typhoon, which exploited a Citrix NetScaler Gateway to gain access and deployed Snappybee via DLL side-loading; the activity was detected and remediated and the victim was not named.
-
Phishing campaign lures LastPass and Bitwarden users to install remote-access tools
A phishing campaign impersonating LastPass and Bitwarden is distributing a binary that installs the Syncro RMM agent and deploys ScreenConnect for remote access, researchers reported; LastPass says it was not breached and users are advised to ignore unsolicited alerts and verify notices on official channels.
-
Researchers: Stealit malware uses Node.js single-executable feature to spread
Fortinet researchers said the Stealit malware campaign is abusing Node.js' experimental Single Executable Application feature and, in some variants, Electron, to distribute stealers and a RAT via counterfeit installers on file-sharing sites.
-
Ukraine agency says Russian-linked hackers used AI to aid cyber attacks in H1 2025
Ukraine’s SSSCIP said Russian-linked hackers increased use of AI in cyber attacks in H1 2025, recording 3,018 incidents and using AI-generated phishing and malware while exploiting webmail flaws and abusing legitimate cloud services.