TECHZONE™

Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Global Organizations https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday

Malware Injected into 6 npm Packages After Maintainer Tokens Stolen in Phishing Attack https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected

Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers https://thehackernews.com/2025/07/hackers-exploit-critical-crushftp-flaw.html A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0. "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS," according to

China's Massistant Tool Secretly Extracts SMS, GPS Data, and Images From Confiscated Phones https://thehackernews.com/2025/07/chinas-massistant-tool-secretly.html Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices. The hacking tool, believed to be a successor of MFSocket, is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd., which was formerly known as Meiya Pico. It specializes in the

UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. "This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed

Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July

CERT-UA Discovers LAMEHUG Malware Linked to APT28, Using LLM for Phishing Campaign https://thehackernews.com/2025/07/cert-ua-discovers-lamehug-malware.html The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign that's designed to deliver a malware codenamed LAMEHUG. "An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)," CERT-UA said in a Thursday advisory. The activity has been attributed with medium

Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services https://thehackernews.com/2025/07/critical-nvidia-container-toolkit-flaw.html Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services. The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz. "NVIDIA Container Toolkit for all platforms contains a

Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices https://thehackernews.com/2025/07/google-sues-25-chinese-entities-over.html Google on Thursday revealed it's pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure. "The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections,"

From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware https://thehackernews.com/2025/07/how-cyber-resilience-helps-it-defend-against-ransomwa.html With IT outages and disruptions escalating, IT teams are shifting their focus beyond simply backing up data to maintaining operations during an incident. One of the key drivers behind this shift is the growing threat of ransomware, which continues to evolve in both frequency and complexity. Ransomware-as-a-Service (RaaS) platforms have made it possible for even inexperienced threat actors with

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters https://thehackernews.com/2025/07/hackers-use-github-repositories-to-host.html Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. "The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson

Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner https://thehackernews.com/2025/07/hackers-exploit-apache-http-server-flaw.html Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys. The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could result in remote code execution. "The attacker leverages

Europol Disrupts NoName057(16) Hacktivist Group Linked to DDoS Attacks Against Ukraine https://thehackernews.com/2025/07/europol-disrupts-noname05716-hacktivist.html An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies. The actions have led to the dismantling of a major part of the group's central server infrastructure and more than 100 systems across the world.

CTEM vs ASM vs Vulnerability Management: What Security Leaders Need to Know in 2025 https://thehackernews.com/2025/07/ctem-vs-asm-vs-vulnerability-management.html The modern-day threat landscape requires enterprise security teams to think and act beyond traditional cybersecurity measures that are purely passive and reactive, and in most cases, ineffective against emerging threats and sophisticated threat actors. Prioritizing cybersecurity means implementing more proactive, adaptive, and actionable measures that can work together to effectively address the

Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors https://thehackernews.com/2025/07/chinese-hackers-target-taiwans.html The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors. "Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment

Cisco Warns of Critical ISE Flaw Allowing Unauthenticated Attackers to Execute Root Code https://thehackernews.com/2025/07/cisco-warns-of-critical-ise-flaw.html Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges. Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281, which was patched

Unmasking AsyncRAT: Navigating the labyrinth of forks https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/ ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants

Hackers Leverage Microsoft Teams to Spread Matanbuchus 3.0 Malware to Targeted Firms https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html Cybersecurity researchers have flagged a new variant of a known malware loader called Matanbuchus that packs in significant features to enhance its stealth and evade detection. Matanbuchus is the name given to a malware-as-a-service (MaaS) offering that can act as a conduit for next-stage payloads, including Cobalt Strike beacons and ransomware. First advertised in February 2021 on

UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit https://thehackernews.com/2025/07/unc6148-backdoors-fully-patched.html A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP. The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a group it tracks as UNC6148. The number of known victims is

Critical Golden dMSA Attack in Windows Server 2025 Enables Cross-Domain Attacks and Persistent Access https://thehackernews.com/2025/07/critical-golden-dmsa-attack-in-windows.html Cybersecurity researchers have disclosed what they say is a "critical design flaw" in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025. "The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely," Semperis said in a report shared with