Category: Cybersecurity

  • North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets


    Oct 23, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

    Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job.

    “Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program,” ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News.

    It’s assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025.


    Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe.

    While ScoringMathTea (aka ForestTiger) was previously observed by ESET in early 2023 in connection with cyber attacks targeting an Indian technology company and a defense contractor in Poland, MISTPEN was documented by Google Mandiant in September 2024 as part of intrusions aimed at companies in the energy and aerospace verticals. The first appearance of ScoringMathTea dates back to October 2022.

    Operation Dream Job, first exposed by Israeli cybersecurity company ClearSky in 2020, is a persistent attack campaign mounted by a prolific North Korean hacking group dubbed Lazarus Group, which is also tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970. The hacking group is believed to be operational since at least 2009.

    In these attacks, the threat actors leverage social engineering lures akin to Contagious Interview to approach prospective targets with lucrative job opportunities and trick them into infecting their systems with malware. The campaign also exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star.

    “The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers said.


    The attack chain leads to the execution of a binary, which is responsible for sideloading a malicious DLL that drops ScoringMathTea as well as a sophisticated downloader codenamed BinMergeLoader, which functions similarly to MISTPEN and uses Microsoft Graph API and tokens to fetch additional payloads.

    Alternate infection sequences have been found to leverage an unknown dropper to deliver two interim payloads, the first of which loads the latter, ultimately resulting in the deployment of ScoringMathTea, an advanced RAT that supports around 40 commands to take complete control over the compromised machines.

    “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” ESET said. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”


    Source: thehackernews.com…

  • Secure AI at Scale and Speed — Learn the Framework in this Free Webinar


    Oct 23, 2025 | The Hacker News | Artificial Intelligence / Data Protection

    AI is everywhere—and your company wants in. Faster products, smarter systems, fewer bottlenecks. But if you’re in security, that excitement often comes with a sinking feeling.

    Because while everyone else is racing ahead, you’re left trying to manage a growing web of AI agents you didn’t create, can’t fully see, and weren’t designed to control.

    Join our upcoming webinar and learn how to make AI security work with you, not against you.

    The Quiet Crisis No One Talks About

    Did you know most companies now have 100 AI agents for every one human employee?

    Even more shocking? 99% of those AI identities are completely unmanaged. No oversight. No lifecycle controls. And every one of them could be a backdoor waiting to happen.

    It’s not your fault. Traditional tools weren’t built for this new AI world. But the risks are real—and growing.

    Let’s Change That. Together.

    In our free webinar, “Turning Controls into Accelerators of AI Adoption,” we’ll help you flip the script.

    This isn’t about slowing the business down. It’s about giving you a real strategy to move faster—safely.

    Here’s what we’ll cover:

    • Stop firefighting: Learn how to set up security by design, not as an afterthought.
    • Take control: Discover how to govern AI agents that behave like users—but multiply like machines.
    • Be the enabler: Show leadership how security can accelerate AI adoption, not block it.

    Curious yet? Don’t miss out.

    This isn’t fluff or theory. You’ll get:

    • A practical framework to gain visibility and stay ahead of risk
    • Ways to prevent credential sprawl and privilege abuse from Day One
    • A strategy to align with business goals while protecting what matters

    Whether you’re an engineer, architect, or CISO, if you’ve felt like you’re stuck in reactive mode—you’re exactly who this is for.

    This is your moment to turn control into confidence. Register Today.



    Source: thehackernews.com…

  • ThreatsDay Bulletin: $176M Crypto Fine, Hacking Formula 1, Chromium Vulns, AI Hijack & More


    Oct 23, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Criminals don’t need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you’re already a target.

    This week’s ThreatsDay highlights show exactly how those weak points are being exploited — from overlooked misconfigurations to sophisticated new attack chains that turn ordinary tools into powerful entry points.

    1. Starlink crackdown hits Southeast Asian scam hubs

      SpaceX said it has disabled more than 2,500 Starlink devices connected to scam compounds in Myanmar. It’s currently not clear when the devices were taken offline. The development comes close on the heels of ongoing actions to crack down on online scam centers, with Myanmar’s military junta conducting raids on a scam hotspot in a rebel-held region of eastern Myanmar, detaining more than 2,000 people and seizing dozens of Starlink satellite internet devices at KK Park, a sprawling cybercrime hub to the south of Myawaddy.

      In February 2025, the Thai government cut off power supply to three areas in Myanmar, Myawaddy, Payathonzu, and Tachileik, which have become havens for criminal syndicates who have coerced hundreds of thousands of people in Southeast Asia and elsewhere into helping run online scams, including false romantic ploys, bogus investment opportunities, and illegal gambling schemes. These operations have been massively successful, ensnaring hundreds of thousands of workers and raking in tens of billions of dollars every year from victims, per estimates from the United Nations. The scam centers emerged out of Cambodia, Thailand, and Myanmar since the COVID-19 pandemic, but have since spread to other parts of the world such as Africa. Workers at the “labor camps” are often recruited and trafficked under the promise of well-paid jobs and then held captive with threats of violence.

      In recent months, law enforcement authorities have stepped up their efforts, arresting hundreds of suspects across Asia and deporting several of them. According to the Global New Light of Myanmar, a total of 9,551 foreign nationals who illegally entered Myanmar have been arrested between January 30 and October 19, 2025, with 9,337 deported to their respective countries. Earlier this week, South Korean police officials formally arrested 50 South Koreans repatriated from Cambodia on accusations they worked for online scam organizations in the Southeast Asian country.

      Cambodia and South Korea recently agreed to partner in combating online scams following the death of a South Korean student who was reportedly forced to work in a scam center in Cambodia. The death of the 22-year-old has also prompted South Korea, which is reportedly readying sanctions against the groups operating in Cambodia, to issue a “code black” travel ban to parts of the country, citing recent increases in cases of detention and “fraudulent employment.” More than 1,000 South Koreans are believed to be among around 200,000 people of various nationalities working in Cambodia’s scam industry.

    Every one of these incidents tells the same story: attackers don’t break in — they log in, inject, or hijack what’s already trusted. The difference between surviving and becoming a headline is how fast you patch, isolate, and verify.

    Stay sharp, review your defenses, and keep watching ThreatsDay — because next week’s breaches are already being written in today’s overlooked bugs.


    Source: thehackernews.com…

  • Why Organizations Are Abandoning Static Secrets for Managed Identities


    Oct 23, 2025 | The Hacker News | DevOps / Data Protection

    As machine identities explode across cloud environments, enterprises report dramatic productivity gains from eliminating static credentials. And only legacy systems remain the weak link.

    For decades, organizations have relied on static secrets, such as API keys, passwords, and tokens, as unique identifiers for workloads. While this approach provides clear traceability, it creates what security researchers describe as an “operational nightmare” of manual lifecycle management, rotation schedules, and constant credential leakage risks.

    This challenge has traditionally driven organizations toward centralized secret management solutions like HashiCorp Vault or CyberArk, which provide universal brokers for secrets across platforms. However, these approaches perpetuate the fundamental problem: the proliferation of static secrets requiring careful management and rotation.

    “Having a workload in Azure that needs to read data from AWS S3 is not ideal from a security perspective,” explains one DevOps engineer managing a multicloud environment. “Cross-cloud authentication and authorization complexity make it hard to set this up securely, especially if we choose to simply configure the Azure workload with AWS access keys.”

    The Business Case for Change

    Enterprise case studies document that organizations implementing managed identities report a 95% reduction in time spent managing credentials per application component, along with a 75% reduction in time spent learning platform-specific authentication mechanisms, resulting in hundreds of saved hours annually.

    But how to approach the transition, and what prevents us from entirely eliminating static secrets?

    Platform-Native Solutions

    Managed identities represent a paradigm shift from the traditional “what you have” model to a “who you are” approach. Rather than embedding static credentials into applications, modern platforms now provide identity services that issue short-lived, automatically rotated credentials to authenticated workloads.

    The transformation spans major cloud providers:

    • Amazon Web Services pioneered automated credential provisioning through IAM Roles, where applications receive temporary access permissions automatically without storing static keys
    • Microsoft Azure offers Managed Identities that allow applications to authenticate to services like Key Vault and Storage without developers having to manage connection strings or passwords
    • Google Cloud Platform provides Service Accounts with cross-cloud capabilities, enabling applications to authenticate across different cloud environments seamlessly
    • GitHub and GitLab have introduced automated authentication for development pipelines, eliminating the need to store cloud access credentials in development tools

    The Hybrid Reality

    However, the reality is more nuanced. Security experts emphasize that managed identities don’t solve every authentication challenge. Third-party APIs still require API keys, legacy systems often can’t integrate with modern identity providers, and cross-organizational authentication may still require shared secrets.

    “Using a secret manager dramatically improves the security posture of systems that rely on shared secrets, but heavy use perpetuates the use of shared secrets rather than using strong identities,” according to identity security researchers. The goal isn’t to eliminate secret managers entirely, but to dramatically reduce their scope.

    Smart organizations are strategically reducing their secret footprint by 70-80% through managed identities, then using robust secret management for remaining use cases, creating resilient architectures that leverage the best of both worlds.

    The Non-Human Identity Discovery Challenge

    Most organizations don’t have visibility into their current credential landscape. IT teams often discover hundreds or thousands of API keys, passwords, and access tokens scattered across their infrastructure, with unclear ownership and usage patterns.

    “You can’t replace what you can’t see,” explains Gaetan Ferry, a security researcher at GitGuardian. “Before implementing modern identity systems, organizations need to understand exactly what credentials exist and how they’re being used.”

    GitGuardian’s NHI (Non-Human Identity) Security platform addresses this discovery challenge by providing comprehensive visibility into existing secret landscapes before managed identity implementation.

    The platform discovers hidden API keys, passwords, and machine identities across entire infrastructures, enabling organizations to:

    • Map dependencies between services and credentials
    • Identify migration candidates ready for managed identity transformation
    • Assess risks associated with current secret usage
    • Plan strategic migrations rather than blind transformations


    Source: thehackernews.com…

  • “Jingle Thief” Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards


    Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud.

    “Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards,” Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman said in a Wednesday analysis. “Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards.”

    The end goal of these efforts is to leverage the issued gift cards for monetary gain by likely reselling them on gray markets. Gift cards make for a lucrative choice as they can be easily redeemed with minimal personal information and are difficult to trace, making it harder for defenders to investigate the fraud.

    The name Jingle Thief is a nod to the threat actor’s pattern of conducting gift card fraud coinciding with festive seasons and holiday periods. The cybersecurity company is tracking the activity under the moniker CL‑CRI‑1032, where “CL” stands for cluster and “CRI” refers to criminal motivation.


    The threat cluster has been attributed with moderate confidence to criminal groups tracked as Atlas Lion and Storm-0539, with Microsoft describing it as a financially motivated crew originating from Morocco. It’s believed to be active since at least late 2021.

    Jingle Thief’s ability to maintain footholds within compromised organizations for extended periods, in some cases for over a year, makes it a dangerous group. During the time it spends inside these environments, the threat actor conducts extensive reconnaissance to map the cloud environment, moves laterally across the cloud, and takes steps to sidestep detection.

    Unit 42 said it observed the hacking group launching a wave of coordinated attacks targeting various global enterprises in April and May 2025, using phishing attacks to obtain credentials necessary to breach victims’ cloud infrastructure. In one campaign, the attackers are said to have maintained access for about 10 months and broken into 60 user accounts within a single organization.

    “They exploit cloud-based infrastructure to impersonate legitimate users, gain unauthorized access to sensitive data, and carry out gift card fraud at scale,” the researchers noted.

    The attacks often involve attempts to access gift‑card issuance applications to issue high‑value cards across different programs, while simultaneously ensuring these actions leave minimal logs and forensic trails.

    (Figure: Jingle Thief phishing attack chain across Microsoft 365)

    They are also highly targeted and tailored to each victim, with the threat actors carrying out reconnaissance before sending persuasive phishing login pages via email or SMS that can fool victims and trick them into entering their Microsoft 365 credentials.

    As soon as the credentials are harvested, the attackers waste no time logging into the environment and carry out a second round of reconnaissance, this time targeting the victim’s SharePoint and OneDrive for information related to business operations, financial processes, and IT workflows.

    This includes searching for gift card issuance workflows, VPN configurations and access guides, spreadsheets or internal systems used to issue or track gift cards, and other key details related to virtual machines and Citrix environments.

    In the next phase, the threat actors have been found to leverage the compromised account to send phishing emails internally within the organization to broaden their foothold. These messages often mimic IT service notifications or ticketing updates, making use of information gleaned from internal documentation or previous communications.

    Furthermore, Jingle Thief is known to create inbox rules to automatically forward emails from hacked accounts to addresses under their control, and then cover up traces of the activity by moving the sent emails immediately to Deleted Items.
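    The mailbox-rule behaviour described above (forward to an outside address, then hide the evidence) leaves a clear trail in tenant audit logs. The following is an added example written for this digest, not Unit 42’s tooling: it scans constructed records shaped like Microsoft 365 unified audit log entries for Exchange cmdlets (an Operation field plus Parameters as Name/Value pairs) and flags rules that forward mail outside the organisation, that delete or move what they forward, or that carry a near-empty name. The tenant domain, users, IPs and addresses are all invented for the example.

```python
import json
from typing import Dict, List, Optional, Set

# Constructed: the tenant's own mail domains (an assumption for the example).
ORG_DOMAINS: Set[str] = {"example-retail.test"}

# Constructed audit records, modelled on the shape of Microsoft 365 unified
# audit log entries for Exchange cmdlets. None of these are real log lines.
SAMPLE_LOG = """
{"CreationTime": "2025-04-14T08:02:11", "Operation": "New-InboxRule", "UserId": "alice@example-retail.test", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@attacker.test"}, {"Name": "MoveToFolder", "Value": "Deleted Items"}]}
{"CreationTime": "2025-04-14T08:15:42", "Operation": "New-InboxRule", "UserId": "bob@example-retail.test", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "Team alias"}, {"Name": "ForwardTo", "Value": "team@example-retail.test"}]}
{"CreationTime": "2025-04-14T09:40:03", "Operation": "Set-InboxRule", "UserId": "carol@example-retail.test", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Identity", "Value": "Vendor"}, {"Name": "RedirectTo", "Value": "acct@mailbox-relay.test"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-04-14T10:01:00", "Operation": "MailItemsAccessed", "UserId": "dave@example-retail.test", "ClientIP": "192.0.2.5", "Parameters": []}
"""

# Cmdlets that create or change forwarding, the parameters that set a
# forwarding target, and the parameters that hide the forwarded copies.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
SUSPICIOUS_NAMES = {"", ".", ",", "-", "_"}


def parse_records(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_parameters(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address: str, org_domains: Set[str]) -> bool:
    """Treat any domain outside the tenant's own list as external."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in org_domains


def assess_rule(record: dict, org_domains: Set[str]) -> Optional[dict]:
    """Return a finding for a rule worth reviewing, or None if benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = rule_parameters(record)
    targets = [v for k, v in params.items() if k in FORWARD_PARAMS]
    external = [t for t in targets if is_external(t, org_domains)]
    reasons: List[str] = []
    if external:
        reasons.append("forwards to external address")
    if any(k in params for k in HIDE_PARAMS):
        reasons.append("hides the forwarded mail (delete/move/mark read)")
    name = params.get("Name")
    if name is not None and name.strip() in SUSPICIOUS_NAMES:
        reasons.append("near-empty rule name")
    if not reasons:
        return None
    # External forwarding combined with concealment is the pattern that matters.
    if external and len(reasons) > 1:
        severity = "high"
    elif external:
        severity = "medium"
    else:
        severity = "low"
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "operation": record["Operation"],
        "targets": targets,
        "severity": severity,
        "reasons": reasons,
    }


def detect_forwarding_rules(text: str, org_domains: Set[str] = ORG_DOMAINS) -> List[dict]:
    """Run the rule check over every record and keep only the findings."""
    findings = (assess_rule(r, org_domains) for r in parse_records(text))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in detect_forwarding_rules(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['time']} {finding['user']} "
              f"{finding['operation']} -> {finding['targets']}: "
              f"{'; '.join(finding['reasons'])}")
```

    Internal-only forwarding with a sensible name (the second record) is left alone, so the check produces findings only for rules that send mail out of the tenant or try to hide what they did; in practice you would also join the client IP against sign-in logs, since the same address creating rules in several mailboxes is itself a signal.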


    In some cases, the threat actor has also been observed registering rogue authenticator apps to bypass multi-factor authentication (MFA) protections and even enrolling their devices in Entra ID so as to maintain access even after victims’ passwords are reset or the session tokens are revoked.

    Besides their exclusive focus on cloud services rather than endpoint compromise, another aspect that makes Jingle Thief’s campaigns noteworthy is their propensity for identity misuse over deploying custom malware, thereby minimizing the chances of detection.

    “Gift card fraud combines stealth, speed and scalability, especially when paired with access to cloud environments where issuance workflows reside,” Unit 42 said. “This discreet approach helps evade detection while laying the groundwork for future fraud.”

    “To exploit these systems, the threat actors need access to internal documentation and communications. They can secure this by stealing credentials and maintaining a quiet, persistent presence within Microsoft 365 environments of targeted organizations that provide gift card services.”


    Source: thehackernews.com…

  • Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms


    Oct 23, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.

    The vulnerability, CVE-2025-61932 (CVSS v4 score: 9.3), impacts on-premises versions of Lanscope Endpoint Manager, specifically the Client program and the Detection Agent, and could allow attackers to execute arbitrary code on susceptible systems.

    “Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability, allowing an attacker to execute arbitrary code by sending specially crafted packets,” CISA said.


    The flaw impacts versions 9.4.7.1 and earlier. It has been addressed in the versions below –

    • 9.3.2.7
    • 9.3.3.9
    • 9.4.0.5
    • 9.4.1.5
    • 9.4.2.6
    • 9.4.3.8
    • 9.4.4.6
    • 9.4.5.4
    • 9.4.6.3
    • 9.4.7.3
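    Because the fix was shipped separately for each 9.x.y branch, “am I patched?” is a per-branch comparison rather than a single threshold. The following is an added example for this digest (not a Motex or CISA tool): it parses four-part Lanscope version strings, matches each one to the fixed build for its branch, and falls back to the “9.4.7.1 and earlier” range from the advisory for branches that have no listed fix. The host inventory is constructed.

```python
from typing import Dict, List, Tuple

# Fixed builds as listed in the advisory, one per 9.x.y branch, and the
# upper bound of the affected range ("9.4.7.1 and earlier").
FIXED_VERSIONS = ["9.3.2.7", "9.3.3.9", "9.4.0.5", "9.4.1.5", "9.4.2.6",
                  "9.4.3.8", "9.4.4.6", "9.4.5.4", "9.4.6.3", "9.4.7.3"]
LAST_AFFECTED = "9.4.7.1"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn 'a.b.c.d' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Lanscope version string: {text!r}")
    return tuple(int(p) for p in parts)


# Branch (first three components) -> fixed build for that branch.
FIXED_BY_BRANCH: Dict[Version, Version] = {
    parse_version(v)[:3]: parse_version(v) for v in FIXED_VERSIONS
}


def assess(version_text: str) -> str:
    """Classify one installed version against the advisory."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:3])
    if fixed is not None:
        return "patched" if version >= fixed else "vulnerable"
    # No fixed build listed for this branch: fall back to the affected range.
    if version <= parse_version(LAST_AFFECTED):
        return "vulnerable-unlisted-branch"
    return "outside-affected-range"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every host that still needs action."""
    needs_action = []
    for host, version_text in sorted(inventory.items()):
        status = assess(version_text)
        if status.startswith("vulnerable"):
            needs_action.append((host, version_text, status))
    return needs_action


# Constructed inventory: hostnames and versions invented for the example.
SAMPLE_INVENTORY = {
    "ws-0101": "9.4.7.1",
    "ws-0102": "9.4.7.3",
    "ws-0203": "9.4.5.2",
    "srv-legacy": "9.2.0.1",
    "ws-0304": "9.3.2.7",
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {version:<10} {status}")
```

    The branch comparison matters because a plain “greater than 9.4.7.1” check would wrongly mark 9.3.2.7 as unpatched and, worse, could be misread as clearing a 9.4.7.2 build that sits below the 9.4.7.3 fix.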

    It’s currently not known how the vulnerability is being exploited in real-world attacks, who is behind them, or the scale of such efforts. However, an alert issued by the Japan Vulnerability Notes (JVN) portal earlier this week noted that Motex has confirmed an unnamed customer “received a malicious packet suspected to target this vulnerability.”

    In light of active exploitation efforts, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate CVE-2025-61932 by November 12, 2025, to safeguard their networks.


    Source: thehackernews.com…

  • Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw


    Oct 23, 2025 | Ravie Lakshmanan | Data Breach / Vulnerability

    E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours.

    The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be abused to take over customer accounts in Adobe Commerce through the Commerce REST API.

    Also known as SessionReaper, it was addressed by Adobe last month. A security researcher who goes by the name Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.

    The Dutch company said that 62% of Magento stores remain vulnerable to the security flaw six weeks after public disclosure, urging website administrators to apply the patches as soon as possible before broader exploitation activity picks up.


    The attacks have originated from the following IP addresses, with unknown threat actors leveraging the flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information.

    • 34.227.25[.]4
    • 44.212.43[.]34
    • 54.205.171[.]35
    • 155.117.84[.]134
    • 159.89.12[.]166

    “PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec said.

    The development comes as Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution.

    It’s worth noting that CVE-2025-54236 is the second deserialization vulnerability impacting Adobe Commerce and Magento platforms in as many years. In July 2024, another critical flaw dubbed CosmicSting (CVE-2024-34102, CVSS score: 9.8) was subjected to widespread exploitation.

    With proof-of-concept (PoC) exploits and additional specifics now entering public domains, it’s imperative that users move quickly to apply the fixes.


    Source: thehackernews.com…

  • Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files


    Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine’s war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).

    The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children’s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe’s Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today.

    The phishing emails have been found to impersonate the Ukrainian President’s Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site (“zoomconference[.]app”) and tricks them into running a malicious PowerShell command via a ClickFix-style fake Cloudflare CAPTCHA page under the guise of a browser check.


    The bogus Cloudflare page acts as an intermediary by setting up a WebSocket connection with an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the victim to a legitimate, password-protected Zoom meeting if the WebSocket server responds with a matching identifier.

    It’s suspected that this infection path is likely reserved for live social engineering calls with victims, although SentinelOne said it did not observe the threat actors activating this line of attack during its investigation.

    The PowerShell command executed after it’s pasted to the Windows Run dialog leads to an obfuscated downloader that’s primarily responsible for retrieving and executing a second-stage payload from a remote server. This second-stage malware performs reconnaissance of the compromised host and sends it to the same server, which then responds with the PowerShell remote access trojan.

    “The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware,” security researcher Tom Hegel said. “The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host.”

    The malware connects to a remote WebSocket server at “wss://bsnowcommunications[.]com:80” and is configured to receive Base64-encoded JSON messages that include a command to be executed with Invoke-Expression or run a PowerShell payload. The results of the execution are subsequently packaged into a JSON string and sent to the server over the WebSocket.

    Further analysis of VirusTotal submissions has determined that the 8-page weaponized PDF has been uploaded from multiple locations, including Ukraine, India, Italy, and Slovakia, likely indicating broad targeting.

    SentinelOne noted that preparations for the campaign began on March 27, 2025, when the attackers registered the domain “goodhillsenterprise[.]com,” which has been used to serve the obfuscated PowerShell malware scripts. Interestingly, the infrastructure associated with “zoomconference[.]app” is said to have been active only for a single day on October 8.


    This suggests “sophisticated planning and strong commitment to operational security,” the company pointed out, adding it also uncovered fake applications hosted on the domain “princess-mens[.]click” that are aimed at collecting geolocation, contacts, call logs, media files, device information, installed apps list, and other data from compromised Android devices.

    The campaign has not been attributed to any known threat actor or group, although the use of ClickFix overlaps with that of recently disclosed attacks mounted by the Russia-linked COLDRIVER hacking group.

    “The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control,” SentinelOne said.

    “The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.”


    Source: thehackernews.com…

  • Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign


    Oct 22, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities.

    The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering, Singaporean cybersecurity company Group-IB said in a technical report published today.

    More than three-fourths of the campaign’s targets include embassies, diplomatic missions, foreign affairs ministries, and consulates, followed by international organizations and telecommunications firms.


    “MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence,” said security researchers Mahmoud Zohdy and Mansour Alhmoud.

    “By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments.”

    The attack chain essentially involves the threat actor distributing weaponized Microsoft Word documents that, when opened, prompt the email recipients to enable macros in order to view the content. Once the unsuspecting user enables the feature, the document proceeds to execute malicious Visual Basic for Application (VBA) code, resulting in the deployment of version 4 of the Phoenix backdoor.

    The backdoor is launched by means of a loader called FakeUpdate that’s decoded and written to disk by the VBA dropper. The loader contains the Advanced Encryption Standard (AES)-encrypted Phoenix payload.

    MuddyWater, also called Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It’s known to be active since at least 2017.

    The threat actor’s use of Phoenix was first documented by Group-IB last month, describing it as a lightweight version of BugSleep, a Python-based implant linked to MuddyWater. Two different variants of Phoenix (Version 3 and Version 4) have been detected in the wild.


    The cybersecurity vendor said the attacker’s command-and-control (C2) server (“159.198.36[.]115”) has also been found hosting remote monitoring and management (RMM) utilities and a custom web browser credential stealer that targets Brave, Google Chrome, Microsoft Edge, and Opera, suggesting their likely use in the operation. It’s worth noting that MuddyWater has a history of distributing remote access software via phishing campaigns over the years.

    “By deploying updated malware variants such as the Phoenix v4 backdoor, the FakeUpdate injector, and custom credential-stealing tools alongside legitimate RMM utilities like PDQ and Action1, MuddyWater demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence,” the researchers said.


    Source: thehackernews.com…

  • Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys

    Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys

    Oct 22, 2025 | Ravie Lakshmanan | Cryptocurrency / Software Integrity

    Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum, a popular Ethereum .NET integration platform, to steal victims’ cryptocurrency wallet keys.

    The package, Netherеum.All, has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and keystore data, according to security company Socket.

    The library was uploaded by a user named “nethereumgroup” on October 16, 2025. It was taken down from NuGet for violating the service’s Terms of Use four days later.

    What’s notable about the NuGet package is that it swaps the last occurrence of the Latin letter “e” with the visually identical Cyrillic homoglyph “е” (U+0435) to fool unsuspecting developers into downloading it.


    In a further attempt to increase the credibility of the package, the threat actors have resorted to artificially inflating the download counts, claiming it has been downloaded 11.7 million times — a huge red flag given that it’s unlikely for an entirely new library to rack up such a high count within a short span of time.

    “A threat actor can publish many versions, then script downloads of each .nupkg through the v3 flat-container or loop nuget.exe install and dotnet restore with no-cache options from cloud hosts,” security researcher Kirill Boychenko said. “Rotating IPs and user agents and parallelizing requests boosts volume while avoiding client caches.”

    “The result is a package that appears ‘popular,’ which boosts placement for searches sorted by relevance and lends a false sense of proof when developers glance at the numbers.”

    The main payload within the NuGet package is within a function named EIP70221TransactionService.Shuffle, which parses an XOR-encoded string to extract the C2 server (solananetworkinstance[.]info/api/gads) and exfiltrates sensitive wallet data to the attacker.

    The threat actor has been found to have previously uploaded another NuGet package called “NethereumNet” with the same deceptive functionality at the start of the month. It has already been removed by the NuGet security team.


    This is not the first homoglyph typosquat that has been spotted in the NuGet repository. In July 2024, ReversingLabs documented details of several packages that impersonated their legitimate counterparts by substituting certain elements with their equivalents to bypass casual inspection.

    Unlike other open-source package repositories like PyPI, npm, Maven Central, Go Module, and RubyGems that enforce restrictions on the naming scheme to ASCII, NuGet places no such constraints other than prohibiting spaces and unsafe URL characters, opening the door to abuse.

    To mitigate such risks, users should carefully scrutinize libraries before downloading them, including verifying publisher identity, treating sudden download surges as a red flag, and monitoring for anomalous network traffic.
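    One concrete form of that scrutiny, as an added example that is not Socket's or Nethereum's own tooling: scan a project's PackageReference ids for mixed Unicode scripts and map confusable characters back to ASCII so the trusted package an id imitates can be named. The sample .csproj, the allow-list and the Cyrillic confusables subset are constructed assumptions.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample .csproj: one genuine reference and one whose id uses the
# Cyrillic "е" (U+0435) in place of Latin "e", the trick described on the page.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="4.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="4.0.0" />
  </ItemGroup>
</Project>"""

# Hypothetical allow-list of the package ids a team expects to use.
TRUSTED_IDS = ["Nethereum.Web3", "Nethereum.All"]

# Hand-picked Cyrillic look-alikes (assumption: a production check would load
# the full Unicode confusables.txt table instead of this subset).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def skeleton(package_id):
    """Replace confusable characters with their ASCII look-alikes and lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in package_id).lower()

def scripts_in(package_id):
    """Unicode scripts of the letters in an id, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in package_id if ch.isalpha()}

def package_ids_from_csproj(xml_text):
    """Collect every <PackageReference Include="..."> id from a project file."""
    root = ET.fromstring(xml_text)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]

def audit_package_ids(package_ids, trusted_ids):
    """Return {id: reason} for ids containing non-ASCII characters, naming the
    trusted id they visually impersonate when their skeletons match."""
    trusted_by_skeleton = {skeleton(t): t for t in trusted_ids}
    findings = {}
    for pid in package_ids:
        if pid.isascii():
            continue  # plain ASCII ids are outside this homoglyph check
        reason = "non-ASCII id, scripts: " + ", ".join(sorted(scripts_in(pid)))
        look_alike = trusted_by_skeleton.get(skeleton(pid))
        if look_alike and look_alike != pid:
            reason += f"; impersonates {look_alike}"
        findings[pid] = reason
    return findings

if __name__ == "__main__":
    for pid, why in audit_package_ids(package_ids_from_csproj(SAMPLE_CSPROJ), TRUSTED_IDS).items():
        print(f"{pid!r}: {why}")
```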


    Source: thehackernews.com…