TECHZONE™

Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena. "Catena uses embedded shellcode and configuration switching logic to stage

Danabot under the microscope https://www.welivesecurity.com/en/videos/danabot-microscope/ ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure

Lumma Stealer: Down for the count https://www.welivesecurity.com/en/videos/lumma-stealer-disruption/ The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies

Danabot: Analyzing a fallen empire https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/ ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation

Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security

ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into

300 Servers and €3.5M Seized as Europol Strikes Ransomware Networks Worldwide https://thehackernews.com/2025/05/300-servers-and-35m-seized-as-europol.html As part of the latest "season" of Operation Endgame, a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets. Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating

SafeLine WAF: Open Source Web Application Firewall with Zero-Day Detection and Bot Protection https://thehackernews.com/2025/05/safeline-waf-open-source-web.html From zero-day exploits to large-scale bot attacks — the demand for a powerful, self-hosted, and user-friendly web application security solution has never been greater. SafeLine is currently the most starred open-source Web Application Firewall (WAF) on GitHub, with over 16.4K stars and a rapidly growing global user base. This walkthrough covers what SafeLine is, how it works, and why it’s

U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation https://thehackernews.com/2025/05/us-dismantles-danabot-malware-network.html The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000

CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said. "This

GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write,

ESET takes part in global operation to disrupt Lumma Stealer https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/ Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation

Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances. It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues

FBI and Europol Disrupt Lumma Stealer Malware Network Linked to 10 Million Infections https://thehackernews.com/2025/05/fbi-and-europol-disrupt-lumma-stealer.html A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems. "Malware like LummaC2 is deployed to steal

Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics https://thehackernews.com/2025/05/russian-hackers-exploit-email-and-vpn.html Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.

PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms https://thehackernews.com/2025/05/purerat-malware-spikes-4x-in-2025.html Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said. The attack chains, which have not been

Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims https://thehackernews.com/2025/05/fake-kling-ai-facebook-ads-deliver-rat.html Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology,

Securing CI/CD workflows with Wazuh https://thehackernews.com/2025/05/securing-cicd-workflows-with-wazuh.html Continuous Integration and Continuous Delivery/Deployment (CI/CD) refers to practices that automate how code is developed and released to different environments. CI/CD pipelines are fundamental in modern software development, ensuring code is consistently tested, built, and deployed quickly and efficiently. While CI/CD automation accelerates software delivery, it can also introduce security

How to Detect Phishing Attacks Faster: Tycoon2FA Example https://thehackernews.com/2025/05/how-to-detect-phishing-attacks-faster.html It takes just one email to compromise an entire system. A single well-crafted message can bypass filters, trick employees, and give attackers the access they need. Left undetected, these threats can lead to credential theft, unauthorized access, and even full-scale breaches. As phishing techniques become more evasive, they can no longer be reliably caught by automated solutions alone. Let’s take

Researchers Expose PWA JavaScript Attack That Redirects Users to Adult Scam Apps https://thehackernews.com/2025/05/researchers-expose-pwa-javascript.html Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injections to redirect site visitors on mobile devices to a Chinese adult-content Progressive Web App (PWA) scam. "While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out," c/side researcher Himanshu Anand said in a Tuesday analysis. "The malicious landing