Category: Cybersecurity

Sep 04, 2025Ravie LakshmananGDPR / Data Privacy

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.

Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

“When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services,” the CNIL noted.

The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it added. It’s worth noting that while this was the default behavior until October 2023, when the company added an option to refuse cookies, “the lack of informed consent still persisted.”

Google has also been called out for placing advertisements in the form of emails among other emails in the “Promotions” and “Social” tabs of Gmail, stating that the display of such ads required users’ explicit consent in accordance with the French Postal and Electronic Communications Code (CPCE).

French telecommunications operator Orange was fined €50 million back in December 2024 for similarly displaying ads between actual email messages without users’ consent. Google has been ordered to bring its systems into compliance within six months, or risk facing penalties of €100,000 per day.

The development comes as a U.S. jury found Google to have violated users’ privacy by collecting their data even after they opted out of Web & App Activity tracking. The decision, which awards $425 million in compensatory damages, is the culmination of a class action lawsuit filed against the company in July 2020.

In related privacy-related announcements, the U.S. Federal Trade Commission (FTC) said Disney has agreed to pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without parental notification or consent, thus violating the U.S. Children’s Online Privacy Protection Rule (COPPA).

The agency said Disney failed to properly label some videos that it uploaded to YouTube as “Made for Kids,” thus allowing it to gather data from children under 13 who watched that content and use it to serve targeted ads.

In addition to the $10 million fine, the proposed settlement requires Disney to begin alerting parents before collecting personal data from children under age 13 and obtain their consent in accordance with COPPA. Disney is also required to start a program to ensure that videos it uploads to YouTube are properly designated as intended for kids.

Separately, the FTC is also taking action against a China-based robot toy maker, Apitor Technology, over allegedly permitting a third-party called JPush to collect children’s geolocation data without their knowledge and parental consent in violation of COPPA.

“Apitor integrated a third-party software development kit called JPush into its [Android] app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising,” FTC said. “After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.”

Sep 04, 2025Ravie LakshmananVulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild.

The vulnerabilities in question are listed below –

• CVE-2023-50224 (CVSS score: 6.5) – An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd”
• CVE-2025-9377 (CVSS score: 8.6) – An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution

According to information listed on the company’s website, the following router models have reached end-of-life (EoL) status –

• TL-WR841N (versions 10.0 and 11.0)
• TL-WR841ND (version 10.0)
• Archer C7 (versions 2.0 and 3.0)

However, TP-Link has released firmware updates for the two vulnerabilities as of November 2024 owing to malicious exploitation activity.

“The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates,” the company said. “For enhanced protection, we recommend that customers upgrade to newer hardware to ensure optimal performance and security.”

There are no public reports explicitly referencing the exploitation of the aforementioned vulnerabilities, but TP-Link, in an advisory updated last week, linked in-the-wild activity to a botnet known as Quad7 (aka CovertNetwork-1658), which has been leveraged by a China-linked threat actor codenamed Storm-0940 to conduct highly evasive password spray attacks.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are being urged to apply the necessary mitigations by September 24, 2025, to secure their networks.

The development comes a day after CISA placed another high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products (CVE-2020-24363, CVSS score: 8.8) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Sep 04, 2025Ravie LakshmananArtificial Intelligence / Malware

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X’s malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok.

The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking.

The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion.

To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the “From:” metadata field below the video player that apparently isn’t scanned by the social media platform.

In the next step, the fraudsters tag Grok in replies to the post, asking something similar to “where is this video from?,” prompting the AI chatbot to visibly display the link in response.

“Adding to that, it is now amplified in SEO and domain reputation – after all, it was echoed by Grok on a post with millions of impressions,” Tal said.

“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”

Guardio said the links direct users to sketchy ad networks, sending them to malicious links that push fake CAPTCHA scams, information-stealing malware, and other suspicious content via direct link (aka smartlink) monetization.

The domains are assessed to be part of the same Traffic Distribution System (TDS), which is often used by malicious ad tech vendors to route traffic to harmful or deceptive content.

The cybersecurity company told The Hacker News it has found hundreds of accounts engaging in this behavior over the past few days, with each of them posting hundreds or even thousands of similar posts.

“They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.”

Sep 03, 2025Ravie LakshmananMalware / Social Engineering

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar.

“The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.

The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below –

The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them.

While the packages themselves make no effort to conceal their malicious functionality, ReversingLabs noted that the GitHub projects that imported these packages took pains to make them look credible.

As for the packages themselves, the nefarious behavior kicks in once either of them is used or included in some other project, causing it to fetch and run a next-stage payload from an attacker-controlled server.

Although this is par for the course when it comes to malware downloaders, where it stands apart is the use of Ethereum smart contracts to stage the URLs hosting the payload – a technique reminiscent of EtherHiding. The shift underscores the new tactics that threat actors are adopting to evade detection.

Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-v2 that leverages “real-time on-chain data to execute trades automatically, saving you time and effort.” The GitHub account associated with the repository is no longer available.

It’s assessed that these accounts are part of a distribution-as-service (DaaS) offering called Stargazers Ghost Network, which refers to a cluster of bogus GitHub accounts that are known to star, fork, watch, commit, and subscribe to malicious repositories to artificially inflate their popularity.

Included among those commits are source code changes to import colortoolsv2. Some of the other repositories caught pushing the npm package are ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot.

The naming of these GitHub repositories suggests that the cryptocurrency developers and users are the primary target of the campaign, using a combination of social engineering and deception.

“It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,” Valentić said. “And that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package – and the developers behind it – are what they present themselves as.”

Sep 03, 2025Ravie LakshmananMobile Security / Vulnerability

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.

The vulnerabilities are listed below –

• CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
• CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component

Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.

The tech giant did not reveal how the issues have been weaponized in real-world attacks, but acknowledged there are indications of “limited, targeted exploitation.”

Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.

Google has released two security patch levels, 2025-09-01 and 2025-09-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.

“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.

Last month, the tech giant Google released security updates to resolve two Qualcomm vulnerabilities — CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5) — that were flagged by the chipmaker as actively exploited in the wild.

In January 2025, cybersecurity experts at Wiz Research found that Chinese AI specialist DeepSeek had suffered a data leak, putting more than 1 million sensitive log streams at risk.

According to the Wiz Research team, they identified a publicly accessible ClickHouse database belonging to DeepSeek. This allowed “full control over database operations, including the ability to access internal data”, Wiz Research stated, with more than a million lines of log streams involved, containing chat history, secret keys and more.

Wiz immediately reported the issue to DeepSeek, which quickly secured the exposure. Still, the incident underscored the danger of data leakage.

Intentional or unintentional?

Data leakage is a broad concept, covering a range of scenarios. As IBM notes, the term in general refers to a scenario where “sensitive information is unintentionally exposed to unauthorized parties”.

It could be intentional or unintentional. On the intentional side, for instance, hackers could use phishing or social engineering techniques to manipulate an organization’s employees into exposing their personal data.

There’s even the risk of an insider threats: for instance, a worker with a grudge who seeks to compromise systems, perhaps for financial benefit or as part of some quest for revenge.

But unintentional leakage is just as big a concern. This could be a case of simple human error: sending an email to the wrong person or providing too much information to a third party for example.

There are a wide range of common vectors – we’ll run through just a few.

Misconfigured cloud storage

Cloud misconfigurations can be a common cause of data leakage. The Cloud Security Alliance highlights the danger from simple mistakes, like leaving default passwords in place or failing to properly configure access controls.

Endpoint vulnerabilities

Data processed through hardware like unencrypted laptops or stored in devices such as USBs can be a key vulnerability for leakage; it’s important that employees are aware of – and follow – organizational security policies to mitigate this risk.

Emails and messaging

There’s a real danger that data can be intercepted: this could come from a simple error (sending a sensitive attachment to the wrong address) or through a deliberate attack. Robust encryption is essential to ensure it stays in the right hands.

Shadow IT

Employees often use their own IT as part of their daily working lives (such as external cloud technologies), including for data storage. While this isn’t generally malicious, it can make risk management more difficult, notes the UK’s National Cyber Security Centre (NCSC), “because you won’t have a full understanding of what you need to protect and what you value most.”

Financial and legal problems

There are several common drivers of data leakage, ranging from weak access controls to a lack of data-classification policies, insufficient monitoring, and inadequate employee training. But no matter the specific cause, the consequences can be devastating.

For example, regulatory authorities around the world now enforce strict data protection policies, which can result in huge fines for organizations that fail to comply; this includes the EU’s General Daa Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

There is also the broader risk of losing intellectual property (IP) or other sensitive company information. Crimes like credit card fraud could stem from a leak, while public companies could even see a fall in their share price.

Perhaps most importantly, failing to protect employee and customer data could have a devastating impact on an organization’s reputation, with long-term negative implications for the business.

Building your defenses

So how can organizations protect themselves, their employees and their customers from the dangers of data leakage? Here are some key approaches:

Enforce least-privilege access: By granting users access only to the data they need to perform their job, the ‘blast radius’ of a breach or leakage will be significantly reduced.

Pursue data loss prevention (DLP): This is a wide-ranging solution, combining technologies like AI and antivirus software with techniques and actions focused on people and processes, all with the aim of identifying and preventing data-connected harm.

Classify sensitive data: Protection begins with knowledge. Develop a thorough understanding of your riskiest data to ensure you know where to prioritize your security implementation.

Audits: Through both external audit checks and a comprehensive internal audit program, organizations can increase their chances of identifying potential vulnerabilities.

Training: Of course, no technical solution or operational enhancement can succeed without full employee engagement and understanding. Adequate training will ensure your staff and other stakeholders are up to speed, while engagement may even produce new insights into vulnerabilities and mitigation techniques.

CompassDRP: Detect leaked data

As your digital attack surface grows, so does the risk of data leakage. Outpost24’s CompassDRP helps organizations manage this expanding threat environment, with a key module focused on data leakage.

The feature has crucial applications for many businesses. These include:

• Detect potentially leaked documents or confidential data: Users often rely on unauthorized or misconfigured applications to share documents and sometimes confidential data with customers or colleagues. The Data Leakage feature is designed to detect such cases across numerous sources, including document repositories.
• Detect potentially leaked source code: Such leakages could reveal internal information to an attacker, including IP or even the authentication tokens in the code. The Data Leakage feature searches code repositories to detect these leaks.

Organizations of all sizes deal with growing volumes of data today. This is a huge advantage, helping gather insights into your business and your customer base. However, it also poses risks, as we have seen.

By embracing technological innovation and operational enhancements, you can help ensure your organization realizes the many benefits of this information without succumbing to the dangers and costly consequences of data leakage. Book a CompassDRP live demo.

Sep 03, 2025Ravie LakshmananArtificial Intelligence / Vulnerability

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws.

HexStrike AI, according to its website, is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges.

Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling.

But according to a report from Check Point, threat actors are trying their hands on the tool to gain an adversarial advantage, attempting to weaponize the tool to exploit recently disclosed security vulnerabilities.

“This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” the cybersecurity company said.

Discussions on darknet cybercrime forums show that threat actors claim to have successfully exploited the three security flaws that Citrix disclosed last week using HexStrike AI, and, in some cases, even flag seemingly vulnerable NetScaler instances that are then offered to other criminals for sale.

Check Point said the malicious use of such tools has major implications for cybersecurity, not only shrinking the window between public disclosure and mass exploitation, but also helping parallelize the automation of exploitation efforts.

What’s more, it cuts down the human effort and allows for automatically retrying failed exploitation attempts until they become successful, which the cybersecurity company said increases the “overall exploitation yield.”

“The immediate priority is clear: patch and harden affected systems,” it added. “Hexstrike AI represents a broader paradigm shift, where AI orchestration will increasingly be used to weaponize vulnerabilities quickly and at scale.”

The disclosure comes as two researchers from Alias Robotics and Oracle Corporation said in a newly published study that AI-powered cybersecurity agents like PentestGPT carry heightened prompt injection risks, effectively turning security tools into cyber weapons via hidden instructions.

“The hunter becomes the hunted, the security tool becomes an attack vector, and what started as a penetration test ends with the attacker gaining shell access to the tester’s infrastructure,” researchers Víctor Mayoral-Vilches and Per Mannermaa Rynning said.

“Current LLM-based security agents are fundamentally unsafe for deployment in adversarial environments without comprehensive defensive measures.”

Sep 03, 2025Ravie LakshmananData Breach / Cyber Espionage

An Iran-nexus group has been linked to a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.

The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice.

“Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”

The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to “Enable Content” in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.

The email messages, per Dream, were sent to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, suggesting that the activity cast a wide phishing net. European embassies and African organizations are said to have been the most heavily targeted.

The digital missives were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities to give them an extra layer of credibility. At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris (*@fm.gov.om).

“The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution,” Dream said.

The end goal of the attacks is to deploy using the VBA macro an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information.

Cybersecurity company ClearSky, which also detailed some aspects of the campaign late last month, said the phishing emails were sent to multiple ministries of foreign affairs.

“Similar obfuscation techniques were used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania,” it said in a post on X. “We assess with moderate confidence that this activity is linked to the same Iranian threat actors.”

Sep 03, 2025Ravie LakshmananThreat Intelligence / Network Security

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).

“Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.”

The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.”

Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions.

Such attacks are often conducted by sending the requests from botnets that are already under the control of the threat actors after having infected the devices, be it computers, IoT devices, and other machines, with malware.

“The initial impact of a volumetric attack is to create congestion that degrades the performance of network connections to the internet, servers, and protocols, potentially causing outages,” Akamai says in an explanatory note.

“However, attackers may also use volumetric attacks as a cover for more sophisticated exploits, which we refer to as ‘smoke screen’ attacks. As security teams work diligently to mitigate the volumetric attack, attackers may launch additional attacks (multi-vector) that allow them to surreptitiously penetrate network defenses to steal data, transfer funds, access high-value accounts, or cause further exploitation.”

The development comes a little over two months after Cloudflare said it blocked in mid-May 2025 a DDoS attack that hit a peak of 7.3 Tbps targeting an unnamed hosting provider.

In July 2025, the company also said hyper-volumetric DDoS attacks – L3/4 DDoS attacks exceeding 1 billion packets per second (Bpps) or 1 Tbps – skyrocketed in the second quarter of 2025, scaling a new high of 6,500 in comparison to 700 hyper-volumetric DDoS attacks in Q1 2025.

The development comes as Bitsight detailed the RapperBot kill chain, which targets network video recorders (NVRs) and other IoT devices for purposes of enlisting them into a botnet capable of carrying out DDoS attacks. The botnet infrastructure was taken down last month as part of a law enforcement operation.

In the attack documented by the cybersecurity company, the threat actors are said to have exploited security flaws in NVRs to gain initial access and download the next-stage RapperBot payload by mounting a remote NFS file system (“104.194.9[.]127”) and executing it.

This is accomplished by means of a path traversal flaw in the web server to leak the valid administrator credentials, and then use it to push a fake firmware update that runs a set of bash commands to mount the share and run the RapperBot binary based on the system architecture.

“No wonder the attackers choose to use NFS mount and execute from that share, this NVR firmware is extremely limited, so mounting NFS is actually a very clever choice,” security researcher Pedro Umbelino said. “Of course, this means the attackers had to thoroughly research this brand and model and design an exploit that could work under these limited conditions.”

The malware subsequently obtains the DNS TXT records associated with a set of hard-coded domains (“iranistrash[.]libre” and “pool.rentcheapcars[.]sbs” in order to get the actual list of actual command-and-control (C2) server IP addresses.

The C2 IP addresses, in turn, are mapped to a C2 domain whose fully qualified domain name (FQDN) is generated using a simplified domain generation algorithm (DGA) that consists of a combination of four domains, four subdomains, and two top-level domains (TLDs). The FQDNs are resolved using hard-coded DNS servers.

RapperBot ends up establishing an encrypted connection to the C2 domain with a valid DNS TXT record description, from where it received the commands necessary to launch DDoS attacks. The malware can also be commandeered to scan the internet for open ports to further propagate the infection.

“Their methodology is simple: scan the Internet for old edge devices (like DVRs and routers), brute-force or exploit and make them execute the botnet malware,” Bitsight said. “No persistence is actually needed, just scan and infect, again and again. Because the vulnerable devices continue to be exposed out there and they are easier to find than ever before.”

Sep 03, 2025Ravie LakshmananVulnerability / Mobile Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain elevated access to the susceptible device.

“This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot,” the agency said. “The attacker can then obtain incorrect access control by setting a new administrative password.”

According to malwrforensics, the issue has been fixed with firmware version TL-WA855RE(EU)_V5_200731. However, it bears noting that the product has reached end-of-life (EoL) status, meaning it’s unlikely to receive any patches or updates. Users of the Wi-Fi range extender are advised to replace their gear with a newer model that addresses the issue.

CISA has not shared any details on how the vulnerability is being exploited in the wild, by whom, or on the scale of such attacks.

Also added to the KEV catalog is a security flaw that WhatsApp disclosed last week (CVE-2025-55177, CVSS score: 5.4) as having been exploited as part of a highly-targeted spyware campaign by chaining it with an Apple iOS, iPadOS, and macOS vulnerability (CVE-2025-43300, CVSS score: 8.8).

Not much is known about who was targeted and which commercial spyware vendor is behind the attacks, but WhatsApp told The Hacker News that it sent in-app threat notifications to less than 200 users who may have been targeted as part of the campaign.

Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations by September 23, 2025, for both the vulnerabilities to counter active threats.