Category: Cybersecurity

The security landscape for cloud-native applications is undergoing a profound transformation. Containers, Kubernetes, and serverless technologies are now the default for modern enterprises, accelerating delivery but also expanding the attack surface in ways traditional security models can’t keep up with.

As adoption grows, so does complexity. Security teams are asked to monitor sprawling hybrid environments, sift through thousands of alerts, and protect dynamic applications that evolve multiple times per day. The question isn’t just how to detect risks earlier — it’s how to prioritize and respond to what really matters in real time.

That’s where cloud-native application protection platforms (CNAPPs) come into play. These platforms consolidate visibility, compliance, detection, and response into a unified system. But in 2025, one capability is proving indispensable: runtime visibility.

The New Center of Gravity: Runtime

For years, cloud security has leaned heavily on preventative controls like code scanning, configuration checks, and compliance enforcement. While essential, these measures provide only part of the picture. They identify theoretical risks, but not whether those risks are active and exploitable in production.

Runtime visibility fills that gap. By observing what workloads are actually running — and how they behave — security teams gain the highest fidelity signal for prioritizing threats. Runtime context answers critical questions:

• Is this vulnerability reachable in a live workload?
• Is this misconfiguration creating a real attack path?
• Is this workload being exploited right now?

Without runtime, organizations risk chasing false positives while attackers exploit real weaknesses. With runtime, teams can focus on fixing the issues that matter most, reducing both noise and exposure.

From Prevention to Prioritization

Partnerships and integrations play a key role here. For example, Sysdig’s collaboration with Semgrep enables organizations to connect runtime vulnerabilities to their originating source code, reducing the back-and-forth between teams and streamlining remediation.

Why Consolidation Is Inevitable

Enterprises have long relied on best-of-breed security tools. But in the cloud, fragmentation becomes a liability. Multiple point products generate duplicate findings, lack shared context, and increase operational overhead.

CNAPP represents the next stage of consolidation. By unifying vulnerability management, posture assessment, threat detection, and incident response into a single platform, organizations can:

• Eliminate silos.
• Reduce tool sprawl.
• Gain a single source of truth for cloud risk.

And most importantly, they can tie everything back to runtime, ensuring that real-world threats are never lost in the noise.

Preparing for What’s Next

The rise of containers and cloud-native applications shows no sign of slowing. In fact, by the end of the decade, containers are expected to power half of all enterprise applications. With this growth comes pressure for security teams to adopt strategies that scale, simplify, and automate.

The future of cloud security will be defined by three priorities:

1. Runtime-powered visibility to cut through noise and focus on real risk.
2. AI-driven assistance to help teams triage, prioritize, and respond at machine speed.
3. Unified platforms that consolidate fragmented tools into a single, contextual view of cloud risk.

Enterprises that embrace this model will be positioned to move faster, reduce exposure, and stay ahead of attackers. Those who cling to disconnected tools and reactive processes will find themselves increasingly outpaced.

Secure What Matters, When It Matters

The cloud has redefined how businesses build and run applications. It’s now redefining how they must secure them. Runtime visibility, AI-driven prioritization, and unified platforms are no longer optional — they’re essential.

At Sysdig, we believe the future of cloud security is rooted in real-time context and collaboration. By focusing on what’s actively happening in production, organizations can align security and development, reduce false positives, and respond to threats with confidence.

The message is clear: stop chasing every alert and start focusing on what matters most.

To explore these trends in greater depth, download the full 2025 Gartner® Market Guide for Cloud-Native Application Protection Platforms.

A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program.

The issue stems from the fact that an out-of-the-box security setting is disabled by default, opening the door for attackers to run arbitrary code on users’ computers with their privileges.

“Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: ‘folderOpen’ auto-execute the moment a developer browses a project,” Oasis Security said in an analysis. “A malicious .vscode/tasks.json turns a casual ‘open folder’ into silent code execution in the user’s context.”

Cursor is an AI-powered fork of Visual Studio Code, which supports a feature called Workspace Trust to allow developers to safely browse and edit code regardless of where it came from or who wrote it.

With this option disabled, an attacker can make available a project in GitHub (or any platform) and include a hidden “autorun” instruction that instructs the IDE to execute a task as soon as a folder is opened, causing malicious code to be executed when the victim attempts to browse the booby-trapped repository in Cursor.

“This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply chain attacks,” Oasis Security researcher Erez Schwartz said.

To counter this threat, users are advised to enable Workplace Trust in Cursor, open untrusted repositories in a different code editor, and audit them before opening them in the tool.

The development comes as prompt injections and jailbreaks have emerged as a stealthy and systemic threat plaguing AI-powered coding and reasoning agents like Claude Code, Cline, K2 Think, and Windsurf, allowing threat actors to embed malicious instructions in sneaky ways to trick the systems into performing malicious actions or leaking data from software development environments.

Software supply chain security outfit Checkmarx, in a report last week, revealed how Anthropic’s newly introduced automated security reviews in Claude Code could inadvertently expose projects to security risks, including instructing it to ignore vulnerable code through prompt injections, causing developers to push malicious or insecure code past security reviews.

“In this case, a carefully written comment can convince Claude that even plainly dangerous code is completely safe,” the company said. “The end result: a developer – whether malicious or just trying to shut Claude up – can easily trick Claude into thinking a vulnerability is safe.”

Another problem is that the AI inspection process also generates and executes test cases, which could lead to a scenario where malicious code is run against production databases if Claude Code isn’t properly sandboxed.

The AI company, which also recently launched a new file creation and editing feature in Claude, has warned that the feature carries prompt injection risks due to it running in a “sandboxed computing environment with limited internet access.”

Specifically, it’s possible for a bad actor to “inconspicuously” add instructions via external files or websites – aka indirect prompt injection – that trick the chatbot into downloading and running untrusted code or reading sensitive data from a knowledge source connected via the Model Context Protocol (MCP).

“This means Claude can be tricked into sending information from its context (e.g., prompts, projects, data via MCP, Google integrations) to malicious third parties,” Anthropic said. “To mitigate these risks, we recommend you monitor Claude while using the feature and stop it if you see it using or accessing data unexpectedly.”

“New forms of prompt injection attacks are also constantly being developed by malicious actors,” it added. “By uncovering real-world examples of unsafe behavior and new attack patterns that aren’t present in controlled tests, we’ll teach our models to recognize the attacks and account for the related behaviors, and ensure that safety classifiers will pick up anything that the model itself misses.”

At the same time, these tools have also been found susceptible to traditional security vulnerabilities, broadening the attack surface with potential real-world impact –

• A WebSocket authentication bypass in Claude Code IDE extensions (CVE-2025-52882, CVSS score: 8.8) that could have allowed an attacker to connect to a victim’s unauthenticated local WebSocket server simply by luring them to visit a website under their control, enabling remote command execution
• An SQL injection vulnerability in the Postgres MCP server that could have allowed an attacker to bypass the read-only restriction and execute arbitrary SQL statements
• A path traversal vulnerability in Microsoft NLWeb that could have allowed a remote attacker to read sensitive files, including system configurations (“/etc/passwd”) and cloud credentials (.env files), using a specially crafted URL
• An incorrect authorization vulnerability in Lovable (CVE-2025-48757, CVSS score: 9.3) that could have allowed remote unauthenticated attackers to read or write to arbitrary database tables of generated sites
• Open redirect, stored cross-site scripting (XSS), and sensitive data leakage vulnerabilities in Base44 that could have allowed attackers to access the victim’s apps and development workspace, harvest API keys, inject malicious logic into user-generated applications, and exfiltrate data
• A vulnerability in Ollama Desktop arising as a result of incomplete cross-origin controls that could have allowed an attacker to stage a drive-by attack, where visiting a malicious website can reconfigure the application’s settings to intercept chats and even alter responses using poisoned models

“As AI-driven development accelerates, the most pressing threats are often not exotic AI attacks but failures in classical security controls,” Imperva said. “To protect the growing ecosystem of ‘vibe coding’ platforms, security must be treated as a foundation, not an afterthought.”

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called “gross cybersecurity negligence” that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.

“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an “arsonist selling firefighting services to their victims.”

The development comes after Wyden’s office obtained new information from healthcare system Ascension, which suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information associated with nearly 5.6 million individuals.

The ransomware attack, which also disrupted access to electronic health records, was attributed to a ransomware group known as Black Basta. According to the U.S. Department of Health and Human Services, the breach has been ranked as the third-largest healthcare-related incident over the past year.

According to the senator’s office, the breach occurred when a contractor clicked on a malicious link after conducting a web search on Microsoft’s Bing search engine, causing their system to be infected with malware. Subsequently, the attackers leveraged “dangerously insecure default settings” on Microsoft software to obtain elevated access to the most sensitive parts of Ascension’s network.

This involved the use of a technique called Kerberoasting that targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory.

Kerberoasting “exploits an insecure encryption technology from the 1980s known as ‘RC4’ that is still supported by Microsoft software in its default configuration,” Wyden’s office said, adding it urged Microsoft to warn customers about the threat posed by the threat on July 29, 2024.

RC4, short for Rivest Cipher 4, is a stream cipher that was first developed in 1987. Originally intended to be a trade secret, it was leaked in a public forum in 1994. As of 2015, the Engineering Task Force (ETF) has prohibited the use of RC4 in TLS, citing a “variety of cryptographic weaknesses” that allow plaintext recovery.

Eventually, Microsoft did publish an alert in October 2024 outlining the steps users can take to stay protected, in addition to stating its plans to deprecate support for RC4 as a future update to Windows 11 24H2 and Windows Server 2025 –

Microsoft, which removed support for the Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2 earlier this February, said it has also introduced security improvements in Server 2025 that prevent the Kerberos Distribution Center from issuing Ticket Granting Tickets using RC4 encryption, such as RC4-HMAC(NT).

Some of Microsoft’s recommended mitigations to harden environments against Kerberoasting include –

• Using Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible
• Securing service accounts by setting randomly generated, long passwords that are at least 14 characters long
• Making sure all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption
• Auditing user accounts with Service Principal Names (SPNs)

However, Wyden wrote that Microsoft’s software does not enforce a 14-character password length for privileged accounts, and that the company’s continued support for the insecure RC4 encryption technology “needlessly exposes” its customers to ransomware and other cyber threats by allowing attackers to crack the passwords of privileged accounts.

The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back. This is not the first time the Windows maker has been blasted for its cybersecurity practices.

In a report released last year, U.S. Cyber Safety Review Board (CSRB) lambasted the company for a series of avoidable errors that could have prevented Chinese threat actors known as Storm-0558 from compromising the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.

“Ultimately, Microsoft’s abysmal cybersecurity track record has had no impact on its lucrative federal contracts thanks to its dominant market position and inaction by government agencies in the face of the company’s string of security failures,” Wyden’s office argued.

“The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design,” Ensar Seker, CISO at SOCRadar, said. “It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.”

“Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”

Sep 11, 2025Ravie LakshmananArtificial Intelligence / Mobile Security

Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content.

To that end, support for C2PA’s Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency.

C2PA’s Content Credentials are a tamper-evident, cryptographically signed digital manifest providing verifiable provenance for digital content such as images, videos, or audio files. The metadata type, according to Adobe, serves as a “digital nutrition label,” giving information about the creator, how it was made, and if it was generated using artificial intelligence (AI).

“The Pixel Camera app achieved Assurance Level 2, the highest security rating currently defined by the C2PA Conformance Program,” Google’s Android Security and C2PA Core teams said. “Assurance Level 2 for a mobile app is currently only possible on the Android platform.”

“Pixel 10 phones support on-device trusted time-stamps, which ensures images captured with your native camera app can be trusted after the certificate expires, even if they were captured when your device was offline.”

The capability is made possible using a combination of Google Tensor G5, Titan M2 security chip, and hardware-backed security features built into the Android operating system.

Google said it has implemented C2PA to be secure, verifiable, and usable offline, thereby ensuring that provenance data is trustworthy, the process is not personally identifiable, and works even when the device is not connected to the internet.

This is achieved using –

• Android Key Attestation to allow Google C2PA Certification Authorities (CAs) to verify that they are communicating with a genuine physical device
• Hardware-backed Android Key Attestation certificates that include the package name and signing certificates associated with the app that requested the generation of the C2PA signing key to verify the request originated from a trusted, registered app
• Generating and storing C2PA claim signing keys using Android StrongBox in the Titan M2 security chip for tamper-resistance
• Anonymous, hardware-backed attestation to certify new cryptographic keys generated on-device without knowing who is using it
• Unique certificates to sign each image, making it “cryptographically impossible” to deanonymize the creator
• On-device, offline Time-Stamping Authority (TSA) component within the Tensor chip to generate cryptographically-signed time-stamps when the camera’s shutter is pressed

“C2PA Content Credentials are not the sole solution for identifying the provenance of digital media,” Google said. “They are, however, a tangible step toward more media transparency and trust as we continue to unlock more human creativity with AI.”

Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access.

Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025.

SonicWall subsequently revealed the SSL VPN activity aimed at its firewalls involved a year-old security flaw (CVE-2024-40766, CVSS score: 9.3) where local user passwords were carried over during the migration and not reset.

“We are observing increased threat activity from actors attempting to brute-force user credentials,” the company noted. “To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.”

SonicWall has also urged users to review LDAP SSL VPN Default User Groups, describing it as a “critical weak point” if misconfigured in the context of an Akira ransomware attack —

This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.

This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.

Rapid7, in its alert, said it has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain default configurations, can facilitate public access and enable attackers to configure mMFA/TOTP with valid accounts, assuming there is a prior credential exposure.

“The Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” it said.

To mitigate the risk, organizations are advised to rotate passwords on all SonicWall local accounts, remove any unused or inactive SonicWall local accounts, ensure MFA/TOTP policies are configured, and restrict Virtual Office Portal access to the internal network.

Akira’s targeting of SonicWall SSL VPNs has also been echoed by the Australian Cyber Security Centre (ACSC), which acknowledged it’s aware of the ransomware gang striking vulnerable Australian organizations through the devices.

Since its debut in March 2023, Akira has been a persistent threat in the ransomware threat landscape, claiming 967 victims to date, as per information from Ransomware.Live. According to statistics shared by CYFIRMA, Akira accounted for 40 attacks in the month of July 2025, making it the third most active group after Qilin and INC Ransom.

Of the 657 ransomware attacks impacting industrial entities worldwide flagged in Q2 2025, Qilin, Akira, and Play ransomware families took the top three slots, each reporting 101, 79, and 75 incidents, respectively.

Akira maintained “substantial activity with consistent targeting of manufacturing and transportation sectors through sophisticated phishing and multi-platform ransomware deployments,” industrial cybersecurity company Dragos said in a report published last month.

Recent Akira ransomware infections have also leveraged search engine optimization (SEO) poisoning techniques to deliver trojanized installers for popular IT management tools, which are then used to drop the Bumblebee malware loader.

The attacks then utilize Bumblebee as a conduit to distribute the AdaptixC2 post-exploitation and adversarial emulation framework, install RustDesk for persistent remote access, exfiltrate data, and deploy the ransomware.

According to Palo Alto Networks Unit 42, the versatile and modular nature of AdaptixC2 can allow threat actors to execute commands, transfer files, and perform data exfiltration on infected systems. The fact that it’s also open-source means it can be customized by adversaries to fit their needs.

Other campaigns propagating AdaptixC2, the cybersecurity company said, have used Microsoft Teams calls mimicking IT help desk to trick unsuspecting users into granting them remote access via Quick Assist and drop a PowerShell script that decrypts and loads into memory the shellcode payload.

“The Akira ransomware group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level,” Rapid7 said.

Sep 11, 2025Ravie LakshmananMalvertising / Browser Security

Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data.

The malvertising campaign, per Bitdefender, is designed to push fake “Meta Verified” browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads have been observed serving the extension in question.

“The malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features,” the Romanian cybersecurity vendor said.

But, in reality, the extension – which is hosted on a legitimate cloud service called Box — is capable of collecting session cookies from Facebook and sending them to a Telegram bot controlled by the attackers. It’s also equipped to obtain the victim’s IP address by sending a query to ipinfo[.]io/json.

Select variants of the rogue browser add-on have been observed using the stolen cookies to interact with the Facebook Graph API to likely fetch additional information related to the accounts. In the past, malware like NodeStealer has leveraged the Facebook Graph API to collect budget details of the account.

The end goal of these efforts is to sell valuable Facebook Business and Ads accounts on underground forums for profit to other fraudsters, or repurpose them to fuel more malvertising campaigns, which, in turn, leads to more hijacked accounts – effectively creating a self-perpetuating cycle.

The campaign exhibits all the “fingerprints” typically associated with Vietnamese-speaking threat actors, who are known to adopt various stealer families to target and gain unauthorized access to Facebook accounts. This hypothesis is also bolstered by the use of Vietnamese to narrate the tutorial and add source code comments.

“By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns,” Bitdefender said. “This fits a larger pattern of attackers industrializing malvertising, where everything from ad images to tutorials is created en masse.”

The disclosure with another campaign that’s targeting Meta advertisers with rogue Chrome extensions distributed via counterfeit websites posing as artificial intelligence (AI)-powered ad optimization tools for Facebook and Instagram. At the heart of the operation is a fake platform named Madgicx Plus.

“Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts,” Cybereason said.

“The extensions are promoted as productivity or ad performance enhancers, but they operate as dual-purpose malware capable of stealing credentials, accessing session tokens, or enabling account takeover.

The extensions, the first of which is still available for download from the Chrome Web Store as of writing, are listed below –

Once installed, the extension gains full access to all websites the user visits, enabling the threat actors to inject arbitrary scripts, as well as intercept and modify network traffic, monitor browsing activity, capture form inputs, and harvest sensitive data.

It also prompts users to link their Facebook and Google accounts to access the service, while their identity information is covertly harvested in the background. Furthermore, the add-ons function similarly to the aforementioned fake Meta Verified extension in that it uses victims’ stolen Facebook credentials to interact with the Facebook Graph API.

“This staged approach reveals a clear threat-actor strategy: first capturing Google identity data, then pivoting to Facebook to broaden access and increase the chances of hijacking valuable business or advertising assets,” Cybereason said.

Sep 11, 2025The Hacker NewsContinuous Threat Exposure Management

CISOs know their field. They understand the threat landscape. They understand how to build a strong and cost-effective security stack. They understand how to staff out their organization. They understand the intricacies of compliance. They understand what it takes to reduce risk. Yet one question comes up again and again in our conversations with these security leaders: how do I make the impact of risk clear to business decision-makers?

Boards want to hear how risk affects revenue, governance, and growth. They have a limited attention span for lists of vulnerabilities or technical details. When the story gets too technical, even urgent initiatives lose traction and fail to get funded.

CISOs need to translate technical issues into terms the board understands. Doing so builds trust, garners support and shows how security decisions connect directly to long-term growth. It was the urgent need to bridge the CISO-Board communication gap that led us to create a new paradigm in CISO continuing education: Risk Reporting to the Board for Modern CISOs.

The Disconnect Between Boards and CISOs

Boards are increasingly held accountable for cyber risk. SEC rules require public companies to disclose cyber incidents within four business days and to describe board cyber oversight in annual reports. In the EU, NIS2 holds management bodies directly responsible for cybersecurity measures, with penalties up to €10 million or 2% of global turnover.

Boards track governance, liability, and enterprise value. CISOs present threats, vulnerabilities, and controls. Surveys confirm this gap: Gartner’s 2024 Board of Directors Survey reports that 84% of directors classify cybersecurity as a business risk, yet research finds that only about half of boards rate their understanding as strong enough for effective oversight.

CISO-Board alignment has never been more important, but the two sides still speak different languages. This challenge surfaced so often in our conversations with security leaders that it led us to a simple conclusion: if so many experienced professionals need this skill, it should be taught.

Teaching How to Close the Boardroom Gap

The goal was clear: boards need insights that connect cyber risk to business outcomes. Risk Reporting to the Board for Modern CISOs was built from scratch to help security leaders meet that need.

The course teaches CISOs how to reframe their message in ways that resonate with directors. It focuses on practical skills: moving beyond vanity metrics to dashboards that answer the “So what?” question, building concise presentations that boards can act on, anticipating and managing difficult questions, and framing budget requests in financial and strategic terms. The course also introduces Continuous Threat Exposure Management as a model for presenting risk in a structured, forward-looking way.

Each of the five lessons is designed to be practical and easy to apply. Participants leave with methods and templates they can use in their next board meeting. The key areas of focus include:

• The Board’s View of Risk: What directors focus on and how to frame security as an enabler of safe innovation and competitive advantage.
• Clear Risk Communication: Moving past vanity metrics by building dashboards that tell a risk story that ties technical findings to business impact.
• High-Impact Presentations: Creating concise, effective board presentations, aligning with key executives in advance, and handling difficult questions with confidence.
• Stronger Business Cases: Translating security needs into financial and strategic language. Building requests around risk reduction value, total cost of ownership, and alignment with company objectives.
• Operationalizing CTEM: Applying the five stages of Continuous Threat Exposure Management to strengthen security posture and structure reporting in a forward-looking way.

The course is led by Dr. Gerald Auger, whose career spans more than twenty years in both industry and academia. He served as cybersecurity architect for a major medical center and has taught tens of thousands of students through his Simply Cyber platform. His mix of practical and teaching experience makes the course grounded, relevant, and directly useful for CISOs in the boardroom.

The Bottom Line

Cybersecurity is at the center of business oversight. Boards expect insight that is clear and actionable, and CISOs need to present risk in terms that connect directly to governance, finance, and strategy. Risk Reporting to the Board for Modern CISOs was designed with these challenges in mind. The course gives security leaders practical tools to translate their expertise into language the board can act on.

When CISOs build these skills, they move from talking about technical metrics to explaining risk in terms that link to business goals and show how security drives long-term growth. That leads to clearer conversations with directors, steadier support for security programs, and a stronger role for cybersecurity in the company’s overall strategy.

Want to learn more about Risk Reporting to the Board for Modern CISOs?

Note: This article was expertly written by Tobi Trabing, VP Global Sales Engineering at XMCyber.

Sep 11, 2025Ravie LakshmananMalware / Credential Theft

Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fleshless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.

“The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs,” LevelBlue said in a report shared with The Hacker News. “These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake ‘Skype Updater’ scheduled task.”

In the infection chain documented by the cybersecurity company, the threat actors have been found to leverage a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload via hands-on-keyboard activity.

“We saw trojanized ScreenConnect installers masquerading as financial and other business documents being sent via phishing emails,” Sean Shirley, LevelBlue MDR SOC Analyst, told The Hacker News.

The script, for its part, is designed to retrieve two external payloads (“logs.ldk” and “logs.ldr”) from an attacker-controlled server by means of a PowerShell script. The first of the two files, “logs.ldk,” is a DLL that’s responsible for writing a secondary Visual Basic Script to disk, using it to establish persistence using a scheduled task by passing it off as “Skype Updater” to evade detection.

This Visual Basic Script contains the same PowerShell logic observed at the start of the attack. The scheduled task ensures that the payload is automatically executed after every login.

The PowerShell script, besides loading “logs.ldk” as a .NET assembly, passes “logs.ldr” as input to the loaded assembly, leading to the execution of a binary (“AsyncClient.exe”), which is the AsyncRAT payload with capabilities to log keystrokes, steal browser credentials , fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions in Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.

All this collected information is eventually exfiltrated to a command-and-control (C2) server (“3osch20.duckdns[.]org”) over a TCP socket, to which the malware beacons in order to execute payloads and receive post-exploitation commands. The C2 connection settings are either hard-coded or pulled from a remote Pastebin URL.

“Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate.”

Sep 10, 2025Ravie LakshmananCybersecurity / Malware

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.

“This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

“The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.”

The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.

The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that’s engineered to establish a “resilient foothold” on infected machines.

The starting point of the multi-stage operation is a payload called EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent.

EggStremeFuel’s functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to –

• Get drive information
• Start cmd.exe and establish communication via pipes
• Gracefully close all connections and shutdown
• Read a file from server and save it to disk
• Read a local file from a given path and transmit its content
• Send the external IP address by making a request to myexternalip[.]com/raw
• Dump the in-memory configuration to disk

Calling EggStremeAgent the “central nervous system” of the framework, the backdoor works by monitoring new user sessions and injects a keylogger component dubbed EggStremeKeylogger for each session to harvest keystrokes and other sensitive data. It communicates with a C2 server using the Google Remote Procedure Call (gRPC) protocol.

It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).

“The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain,” Zavadovschi noted.

“This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.”

The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless nature of the framework, causing malicious code to be loaded and executed directly in memory without leaving any traces on disk.

“This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat,” Bitdefender said.

“The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.”

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.

According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.

CHILLYHELL is the name assigned to a malware that’s attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022.

According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.

Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators.

To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file.

A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags.

“If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command,” Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said.

CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from “/etc/passwd” and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server.

“Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible,” Jamf said. “Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape.”

“Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned.”

The findings dovetail with the discovery of ZynorRAT, a RAT that uses a Telegram bot called @lraterrorsbot (aka lrat) to commandeer infected Windows and Linux hosts. Evidence shows that the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families.

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution –

• /fs_list, to enumerate directories
• /fs_get, to exfiltrate files from the host
• /metrics, to perform system profiling
• /proc_list, to run the “ps” Linux command
• /proc_kill, to kill a specific process by passing the PID as input
• /capture_display, to take screenshots
• /persist, to establish persistence

ZynorRAT’s Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms. This likely indicates that development of the Windows variant is a work in progress.

“Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot,” Sysdig researcher Alessandra Rizzo said. “Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine.”

Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co, and that the malware author may have “infected” their own machines to test out the functionality.

ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin, given the language used in Telegram chats.

“Although the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to creating them from scratch,” Rizzo said. “ZynorRAT’s customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages.”