Google patches Chrome zero-day bug exploited by hackers
Google has released out-of-band security updates to address a critical vulnerability in its Chrome browser. The flaw, tracked as CVE-2025-2783, has been actively exploited in the wild. According to reports, the flaw has been used in sophisticated, targeted cyberespionage attacks likely orchestrated by an Advanced Persistent Threat (APT) actor. In the attacks, victims were infected after clicking on a malicious link embedded in a phishing email. The phishing emails specifically targeted organizations in Russia, including media outlets, educational institutions, and government entities.
Additionally, Mozilla has warned Windows users about a similar vulnerability, tracked as CVE-2025-2857. This is a Firefox sandbox escape flaw: a remote attacker who tricks the victim into visiting a specially crafted website can use it to bypass sandbox restrictions and execute arbitrary code on the system.
MMC zero-day bug exploited in Russia-linked EncryptHub attacks
Trend Micro researchers have linked a recently patched zero-day vulnerability (CVE-2025-26633) to a campaign by the Russian threat actor Water Gamayun (also known as EncryptHub and Larva-208) that exploits the Microsoft Management Console (MMC) framework. The attack, called ‘MSC EvilTwin,’ uses .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data from compromised systems.
In other news, Silent Push researchers discovered a phishing campaign that targets Russian individuals who are sympathetic to defending Ukraine, exploiting website lures to gather personal information. Given the illegal nature of anti-war activities in Russia, those who participate are often arrested and charged. The campaign is believed to be carried out by Russian Intelligence Services or a similar aligned threat actor. It involves four main phishing clusters, which impersonate the CIA, the Russian Volunteer Corps, Legion Liberty, and the Ukrainian Defense Intelligence's “I Want to Live” hotline. All these clusters share the same objective of collecting personal data from victims to benefit the threat actor.
A new investigation by DomainTools Investigations (DTI) has uncovered a large-scale phishing campaign targeting defense and aerospace organizations, potentially linked to cyber espionage efforts related to the Ukraine war. DTI found that the campaign involves mail servers running spoofed domains that impersonate legitimate entities in defense, aerospace, and IT sectors. The domains host fraudulent login pages aimed at stealing login credentials, with the likely objective being intelligence gathering connected to the ongoing conflict. The threat actor behind the campaign remains unidentified.
ESET researchers uncovered a new campaign by the China-linked FamousSparrow APT group, which had been thought to be inactive since 2022, targeting organizations in the United States and Mexico. The researchers uncovered two previously undocumented versions of the group's custom backdoor, called 'SparrowDoor', that come with upgrades in both architecture and functionality. The observed campaign also marks the first time the threat actor has been seen using ShadowPad, a backdoor used exclusively by China-aligned threat actors.
RedCurl, a Russian-speaking threat actor also known as Earth Kapre or Red Wolf, has recently shifted tactics by deploying a new ransomware called 'QWCrypt'. The ransomware targets hypervisors, encrypting virtual machines (VMs) and crippling organizations' virtualized infrastructure. There is no evidence yet of RedCurl using stolen data for extortion. The group has primarily targeted organizations in the US, with additional victims in Germany, Spain, and Mexico.
Cybersecurity firm Sygnia detailed a highly persistent and stealthy cyber espionage operation by a China-nexus threat actor, tracked as ‘Weaver Ant,’ targeting a major telecommunications provider in Asia. The group employed a combination of web shells and tunneling methods to facilitate long-term persistence within the network. They deployed an encrypted China Chopper web shell, a tool traditionally used by Chinese threat actors. The web shell allowed Weaver Ant to execute commands, manage files, and exfiltrate data remotely.
The Austrian State Security and Intelligence Service (DSN) said it has taken down a network allegedly orchestrating a large-scale disinformation campaign on behalf of Russia, aimed at manipulating public opinion within Austria. According to the agency, the primary goal of this operation was to sway public and political views to the detriment of Ukraine and in favor of Russia.
Raspberry Robin evolves to initial access broker
Researchers uncovered a network of nearly 200 unique command-and-control (C2) domains associated with the notorious Raspberry Robin malware that are being used to facilitate attacks, including the distribution of multiple strains of malware. Raspberry Robin, also tracked as Roshtyak or Storm-0856, has been an ongoing threat since its emergence in 2019. Initially designed as a tool for spreading various malicious payloads, the malware provides initial access broker (IAB) services to multiple criminal groups, many of which have ties to Russian cybercrime. Over time, its scope has expanded, now acting as a delivery mechanism for high-profile threats such as SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot.
CoffeeLoader malware loader linked to SmokeLoader operations
Zscaler ThreatLabz said it discovered a new malware family named CoffeeLoader, whose primary function is to download and execute second-stage payloads. CoffeeLoader employs various techniques to bypass security, including a GPU-based packer, call stack spoofing, sleep obfuscation, and Windows fibers. It is distributed through SmokeLoader, with both malware families exhibiting similar behaviors.
Additionally, researchers at ReversingLabs found a malicious package on the npm repository, named "ethers-provider2," which alters the legitimate "ethers" package to open a reverse shell that is difficult to remove. The "ethers-provider2" package contains a downloader that installs a script, which continuously checks whether the widely used "ethers" package is installed. The "ethers" package, a legitimate library for interacting with the Ethereum blockchain, has over a million weekly downloads on npm.
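A dependency that rewrites files inside another installed package, as described for "ethers-provider2", leaves the original package's registry tarball untouched, so lockfile integrity checks alone do not catch it. One defender-side check is a post-install file manifest of the package directory that is re-verified later. The script below is an added example, not code from the article, ReversingLabs, or the ethers project; the package layout and file contents it creates in a temporary directory are constructed stand-ins.

```python
"""Post-install integrity baseline for an installed npm package.

Added example; not from the original article, ReversingLabs, or the ethers
project. It builds a SHA-256 manifest of a package directory right after a
clean install and re-checks it later, so a dependency that silently rewrites
files inside another package shows up as modified or added files.
All paths and file contents below are constructed for illustration.
"""
import hashlib
import os
import tempfile


def build_manifest(pkg_dir):
    """Map each file's path (relative to pkg_dir, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, pkg_dir).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifest(baseline, current):
    """Return (modified, added, removed) relative paths between two manifests."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Simulate a clean install, then a tampering step, and re-check the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "node_modules", "ethers")
        os.makedirs(os.path.join(pkg, "lib"))
        # Constructed stand-ins for package files; not the real ethers sources.
        with open(os.path.join(pkg, "package.json"), "w") as f:
            f.write('{"name": "ethers", "version": "0.0.0-constructed", "main": "lib/index.js"}\n')
        with open(os.path.join(pkg, "lib", "index.js"), "w") as f:
            f.write("module.exports = { version: 'constructed' };\n")
        baseline = build_manifest(pkg)  # taken right after the clean install

        # Constructed tampering: a second package appends a require() to the
        # entry file and drops an extra file into the package directory.
        with open(os.path.join(pkg, "lib", "index.js"), "a") as f:
            f.write("require('./loader');\n")
        with open(os.path.join(pkg, "lib", "loader.js"), "w") as f:
            f.write("// constructed placeholder for an injected file\n")

        return diff_manifest(baseline, build_manifest(pkg))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)  # ['lib/index.js']
    print("added:", added)        # ['lib/loader.js']
    print("removed:", removed)    # []
```

In practice the baseline would be written to a file outside `node_modules` immediately after `npm ci` and compared on a schedule or in CI; any entry that appears under `modified` or `added` for a package you did not upgrade warrants a look at which dependency's install scripts ran last.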
The notorious Medusa ransomware is using a malicious driver named ‘AbyssWorker’ to disable security tools on infected systems, a new report from cybersecurity firm Elastic Security Labs says. The driver, tracked as smuol.sys, is designed to masquerade as a legitimate CrowdStrike Falcon driver, and is signed using a revoked certificate from a Chinese company. It is also shielded by VMProtect, a security tool used to obfuscate code and make analysis more challenging for researchers.
Cyber threat intelligence firm KELA said it has uncovered the true identities of Pryx and Rey, the masterminds behind Hellcat's cybercrime operations. Hellcat (previously known as "ICA Group"), a notorious hacking group that emerged in late 2024, gained notoriety for its high-profile attacks on major corporations like Schneider Electric, Telefónica, and Orange Romania.
PJobRAT makes a comeback, takes another crack at chat apps
Researchers at Sophos X-Ops discovered a new cyber-espionage campaign using the Android remote access trojan (RAT) PJobRAT. The malware, previously targeting Indian military personnel, is now being used in attacks against Taiwanese users. PJobRAT, disguised as instant messaging apps “SangaalLite” and “CChat,” is designed to steal sensitive information from infected devices. The fake apps were distributed through compromised WordPress sites.
New credential stuffing service Atlantis AIO targets over 140 online platforms
A new cybercrime platform called 'Atlantis AIO' has emerged, providing cybercriminals with an automated service to carry out large-scale credential stuffing attacks. The service, which targets over 140 online platforms, including email services, e-commerce sites, banks, and VPN providers, is designed to streamline the process of hijacking accounts using stolen credentials.
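Credential stuffing has a distinctive footprint on the defending side: one source tries many different usernames in a short window and nearly all of the attempts fail, whereas a legitimate user retries the same account. The detector below is an added example, not code from the article or from any vendor; the log line format, the sample lines, the IP addresses and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Added example; not from the original article or from any vendor. The log
format, sample lines, addresses and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source walks eight accounts with one hit,
# one source is a normal user retrying a single account.
SAMPLE_LOG = [
    "2025-03-27T10:00:00 ip=203.0.113.7 user=alice result=fail",
    "2025-03-27T10:00:01 ip=203.0.113.7 user=bob result=ok",
    "2025-03-27T10:00:02 ip=203.0.113.7 user=carol result=fail",
    "2025-03-27T10:00:03 ip=203.0.113.7 user=dave result=fail",
    "2025-03-27T10:00:04 ip=203.0.113.7 user=erin result=fail",
    "2025-03-27T10:00:05 ip=203.0.113.7 user=frank result=fail",
    "2025-03-27T10:00:06 ip=203.0.113.7 user=grace result=fail",
    "2025-03-27T10:00:07 ip=203.0.113.7 user=heidi result=fail",
    "2025-03-27T10:01:00 ip=198.51.100.5 user=alice result=fail",
    "2025-03-27T10:01:10 ip=198.51.100.5 user=alice result=fail",
    "2025-03-27T10:01:20 ip=198.51.100.5 user=alice result=ok",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Return {ip: summary} for sources whose attempts look like credential stuffing.

    Heuristic: inside a sliding time window, a single IP tries at least
    `min_users` distinct usernames and its success ratio stays at or below
    `max_success_ratio`. The summary keeps the widest window seen per IP and
    lists accounts that did log in successfully, since those are the ones
    the stolen credential list actually matched.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            ratio = successes / len(win)
            if len(users) >= min_users and ratio <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": successes,
                        "compromised": sorted(e["user"] for e in win if e["ok"]),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)  # 203.0.113.7 flagged; bob listed as compromised
```

The distinct-username count is what separates stuffing from a single user's mistyped password, and the success ratio separates it from a shared NAT address where many real users log in. Accounts listed under `compromised` are candidates for a forced password reset and session revocation, since the attacker has a working credential pair for them.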
A phishing-as-a-service (PhaaS) platform, operated by the threat actor known as ‘Morphing Meerkat,’ has been generating phishing kits that spoof over 100 brands by using DNS mail exchange (MX) records to deliver fake login pages. The platform offers services like mass spam delivery, email security bypass, and obfuscation. Infoblox reports that the actor exploits open redirect vulnerabilities on adtech infrastructure, uses compromised domains for phishing emails, and distributes stolen credentials through email and chat services.
A DOGE staff member linked to a cybercrime ring
A DOGE staffer, Edward ‘Big Balls’ Coristine, ran a company called DiamondCDN, which provided hosting services for cybercrime operations, including a group known as EGodly.
The UK National Crime Agency (NCA) has issued a warning about a rising threat from online networks of teenage boys, known as "Com networks." These groups, primarily consisting of English-speaking boys, engage in harmful and criminal activities, including cybercrime, fraud, extremism, and child abuse. The NCA reports a significant increase, with known incidents rising six-fold from 2022 to 2024. The networks are known for sharing sadistic and misogynistic material, often targeting victims as young as themselves. Some cases have seen young girls coerced into harming themselves or others.
Russian authorities have arrested three individuals in the Saratov region, suspected of developing the Mamont malware, a banking trojan targeting Android devices. The suspects, whose identities are undisclosed, are connected to over 300 cybercrimes. Authorities seized various items, including computers, storage devices, communication tools, and bank cards. Mamont malware spreads through Telegram channels, disguised as legitimate apps or video files. Once installed, it enables criminals to steal funds from victims' bank accounts and exfiltrate sensitive information. The malware can also spread to the victim's contacts.