The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan, using spear-phishing and malicious documents as initial access vectors. Recent campaigns have highlighted a sharp evolut
malware (114)
Attacker Breakout Time refers to the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. Threat actors are accelerating their attacks and adopting innovative new ways to circumvent endpoint detection mechanisms, according to a new report from ReliaQuest. The threat intelligence vendor claimed in its latest Threat Spotlight report for the period June–August 2025 that the average breakout time dropped to only 18 minutes. One
Successful phishing campaigns typically combine sophisticated victim-deception tactics with layers of stealth, persistence, and advanced evasion techniques, so that threat actors can quietly maintain access across compromised systems and networks. A prime example is a new operation involving the use of a banking malware–turned–remote access Trojan (RAT) that researchers at Fortinet are tracking as "MostereRAT." It chains the use of an obscure programming language, security tool tampering, and t
The US Secret Service on 23 September reported it has foiled what appears to be a sophisticated plot for cyber-espionage and disruption of mobile networks in New York at a time when more than 100 heads of state and governments and foreign ministers are in the city for the UN General Assembly’s leaders’ session.
In a statement, the Secret Service said that the agency recovered more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites in New York tristate area. The agency s
A new sneaky type of malware, known as Raven Stealer, has been identified by the Lat61 Threat Intelligence Team at Point Wild. The research team, led by Onkar R. Sonawane, has found that this seemingly simple program is surprisingly adept at remaining undetected while stealing your personal information. The research, shared with Hackread.com, reveals that the malware is primarily spread through underground forums and often bundled with pirated software.
Built using the programming languages De
Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy,” the malware resurfaced in July with new activity, targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, and exhibiting signs of evolution in both form and behavior. This Fortinet research presents an in-depth analysis of Gayfemboy, r
A threat actor has been observed “patching” a vulnerability post exploitation, likely in a bid to lock out other adversaries and secure exclusive access. The novel tactic was detected by Red Canary researchers in a cluster of activity targeting a flaw in Apache ActiveMQ, an open-source message broker, to gain persistent access on cloud-based Linux systems. The critical vulnerability, CVE-2023-46604, allows for remote code execution (RCE) in Linux systems due to inadequate validation of throwab
Remote Access Trojans, also known as RATs, have been around for years, although their prevalence in the market has surged recently. RATs are digital skeleton keys, giving an attacker remote control over a system, often without the user ever knowing. This kind of access often starts with someone clicking a malicious link or opening a rogue attachment in a phishing email or messaging app. From there, the attacker can move laterally, steal data, monitor activity, or trigger ransomware.
RATs have
The US can dreadfully report that they are #1 in malware activity. Canada is #2. Not to be outdone, the UK is now the third most targeted country in the world for malware after seeing over 100 million cyber-attacks over the past three months, this according to a new report. Research from cyber security firm NordVPN found that criminals are increasingly targeting everyday internet users through links in emails and texts, as well as through malicious websites and attachments.[1]
The UK now rank
A new backdoor malware campaign targeting Linux systems and exploiting critical vulnerability in SAP has been uncovered by cybersecurity researchers. The malware, known as Auto-Color, was deployed in a targeted intrusion against a US-based chemicals company in April 2025. According to an advisory published by Darktrace on 29 July 2025, the attack began when a threat actor exploited CVE-2025-31324, a critical flaw in SAP NetWeaver that allows remote file uploads and potential system compromise.
The notorious Russian cyber-espionage gang known as Fancy Bear, also known as APT28, has increased its attacks against governments and military entities worldwide using new sophisticated cyber tools and technology. Fancy Bear is perhaps best known in the United States for its hack and leak of Democratic National Committee emails in the lead-up to the 2016 presidential election. Eleven Western countries have accused the hacking group of targeting defense, transport, and tech firms involved in
Hackers believed to be affiliated with an Iranian intelligence agency are using a newly-discovered strain of the DCHSpy malware to snoop on adversaries. Researchers from the cybersecurity firm Lookout detected the latest version of DCHSpy one week after Israel’s June bombing campaign targeting Iran’s nuclear program began. DCHSpy was first detected in 2024, but has since evolved and can now exfiltrate data from WhatsApp and files stored on devices, Lookout said. The malware also collects cont
In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group. Several reports on social media at the time described similar incidents at other Web3 and Crypto organizations. Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++, and Nim. Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts, and fake updates, th
Researchers from FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments. Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and
Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client’s Authenticode signature. ConnectWise ScreenConnect is a remote monitoring and management (RMM) software that enables IT administrators and managed service providers (MSPs) to troubleshoot devices remotely. When a ScreenConnect installer is built, it can be customized to include the remote server the client should connect to, the text displayed
Almost half (44%) of mobile users report being exposed to scams and threats daily, with a majority concerned about losing important files and productivity loss as a result, according to Malwarebytes. The security vendor polled 1,300 adults in the US, UK, Austria, Germany, and Switzerland for its "Tap, Swipe, Scam" report. Although it focused on the personal impact of such threats, they’re having a growing impact on enterprise risk, given the large number of organizations that allow Bring Your
A new malware called LOSTKEYS, capable of stealing files and system data, has been identified by Google’s Threat Intelligence Group (GTIG) as part of a series of cyberattacks attributed to COLDRIVER, a threat actor linked to the Russian government. The malware, observed in attacks during January, March, and April 2025, marks a new step in COLDRIVER’s evolving capabilities. Previously known primarily for credential phishing targeting Western diplomats, NGOs, and intelligence personnel, the gr
In April 2025, FortiGuard Labs observed a threat actor using phishing emails with malicious HTML files to spread Horabot, malware that primarily targets Spanish-speaking users. It is known for using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans.
Horabot leverages Outlook COM automation to send phishing messages from the victim’s mailbox, enabl
Russian authorities have arrested three individuals suspected of developing the Mamont malware, a recently identified banking trojan targeting Android devices. The suspects, whose identities remain undisclosed, were apprehended in the Saratov region. A video released by the Russian Ministry of Internal Affairs (MVD) shows the arrested individuals in handcuffs, being escorted by police officers.
According to the MVD, the trio is linked to over 300 cybercrime incidents. Authorities also seized co
In January 2025, our friends at FortiGuard Labs observed an attack that used Winos4.0, an advanced malware framework actively used in recent threat campaigns, to target companies in Taiwan. Figure 1 shows an example of the attack chain. Usually, there is a loader that is only used to load the malicious DLL file, and the Winos4.0 module is extracted from the shellcode downloaded from its C2 server.
Link to full report: IR-25-063-002_Winos.pdf
