-
Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus. According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for
-
The Tycoon 2FA phishing kit represents one of the most sophisticated threats targeting enterprise environments today. This Phishing-as-a-Service (PhaaS) platform, which emerged in August 2023, has become a formidable adversary against organizational security, employing advanced evasion techniques and adversary-in-the-middle (AiTM) strategies to bypass multi-factor authentication protections. According to the Any.run malware trends tracker, Tycoon 2FA […]
The post Anatomy of Tycoon 2FA Phishing: Tactics Targeting M365 and Gmail appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A critical remote code execution vulnerability affecting XWiki’s SolrSearch component has become the target of widespread exploitation attempts, prompting cybersecurity authorities to add it to their watchlist.
The flaw allows attackers with minimal guest privileges to execute arbitrary commands on vulnerable systems, posing a significant security risk to organizations using this open-source enterprise wiki platform.
XWiki, which positions itself as an advanced open-source enterprise wiki and alternative to platforms like Confluence and MediaWiki, released a security advisory and patch in February addressing this severe vulnerability.
The flaw resides in the SolrSearch component and requires only guest-level privileges to exploit, meaning an unauthenticated visitor who can reach the wiki can trigger it.
Vulnerability Discovery and Delayed Exploitation
Although proof-of-concept code was published alongside the advisory, exploitation was unusually slow to follow: initial reconnaissance scans appeared in July, and exploitation attempts did not surge until recently.
The exploitation method demonstrates relatively straightforward execution patterns. Attackers send specially crafted GET requests to the vulnerable XWiki endpoint, specifically targeting the SolrSearch RSS media function.
SANS observed that the malicious requests embed Groovy script commands within asynchronous execution blocks, allowing remote code execution through shell commands.
Captured exploit attempts reveal attackers attempting to download and execute shell scripts from external servers, specifically from the IP address 74.194.191.52.
The User-Agent string in these requests contains the email address bang2013@atomicmail.io, potentially belonging to the threat actor.
Investigation of the hosting server uncovered an unexpected connection to Chicago rap culture, with references to drill rapper King Lil Jay and his rival RondoNumbaNine, both previously associated with opposing gang affiliations.
The vulnerability presents critical risks because it enables complete system compromise through remote code execution capabilities. Organizations running XWiki installations must prioritize immediate patching to prevent potential breaches.
The attack requires no user interaction and minimal complexity, making it particularly attractive to opportunistic threat actors conducting mass internet scanning campaigns.
Security teams should verify their XWiki installations are updated with the February security patch, monitor for suspicious SolrSearch requests, and implement network-level protections to detect exploitation attempts.
The combination of low attack complexity and widespread scanning activity indicates this vulnerability will remain a high-priority target for malicious actors.
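The monitoring advice above can be turned into a concrete log check. The script below is an added example, not code from the article, SANS or the XWiki project: it reads web server access log lines in the common/combined format and flags requests that match the described pattern, a GET to the SolrSearch endpoint using the RSS media output whose query carries a Groovy script wrapped in an async macro. The endpoint path /xwiki/bin/get/Main/SolrSearch, the shell-out and download patterns, and the three log lines are assumptions constructed for the example (the article names only the component, not the URL).

```python
"""Flag XWiki SolrSearch requests carrying Groovy-in-async payloads.

Added example. Assumptions: the endpoint path /xwiki/bin/get/Main/SolrSearch
(the article names only the component), the exec/download patterns, and the
sample log lines, which are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# XWiki macro markers described in the report: Groovy inside an async block.
MACRO_MARKERS = ("{{async", "{{groovy", "{{/groovy}}")
# Groovy shell-out and download primitives (assumed patterns, not from the report).
EXEC_RE = re.compile(r'\.execute\(|\bcurl\s|\bwget\s')


def deep_unquote(s, rounds=3):
    """Percent-decode repeatedly; scanners often double-encode payloads."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(target, user_agent=""):
    """Return the reasons a request looks like SolrSearch abuse
    ([] if it is not a SolrSearch request at all)."""
    parts = urlsplit(target)
    if "solrsearch" not in parts.path.lower():
        return []
    reasons = []
    media = [m.lower() for m in parse_qs(parts.query).get("media", [])]
    if "rss" in media:
        reasons.append("media=rss")
    query = deep_unquote(parts.query)
    found = [m for m in MACRO_MARKERS if m in query]
    if found:
        reasons.append("wiki macros in query: " + ", ".join(found))
    if EXEC_RE.search(query):
        reasons.append("shell execution or download primitive in query")
    if "@" in user_agent:
        reasons.append("email address in User-Agent")
    return reasons


def is_exploit_attempt(reasons):
    """media=rss alone is normal feed traffic; macros or exec primitives are not."""
    return any(r.startswith(("wiki macros", "shell execution")) for r in reasons)


def scan_log(lines):
    """Return one finding per line that carries an exploitation pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["target"], m["ua"])
        if is_exploit_attempt(reasons):
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings


# Constructed sample log: one legitimate search, one attempt shaped like the
# reported requests (async + groovy macros, shell-out, email in User-Agent),
# and one unrelated page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Nov/2025:09:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=deployment HTTP/1.1" 200 2341 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Nov/2025:09:12:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println%28%22id%22.execute%28%29.text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D'
    ' HTTP/1.1" 200 812 "-" "Mozilla/5.0 bang2013@atomicmail.io"',
    '10.0.0.9 - - [03/Nov/2025:09:13:44 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1"'
    ' 200 9921 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], "; ".join(f["reasons"]))
```

Run it against real logs by replacing SAMPLE_LOG with the file's lines; the decoder is applied to the whole query string so that double-encoded payloads are still caught, and a plain media=rss search is deliberately not treated as a hit.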
The post Hackers Actively Scanning Internet to Exploit XWiki Remote Code Execution Vulnerability appeared first on Cyber Security News.
-
Google has issued a critical security alert for Android devices, highlighting a severe zero-click vulnerability in the system’s core components that could allow attackers to execute malicious code remotely without any user interaction.
Disclosed in the November 2025 Android Security Bulletin, this flaw affects multiple versions of the Android Open Source Project (AOSP) and underscores the ongoing risks in mobile operating systems.
As smartphones handle sensitive data like banking credentials and personal communications, such vulnerabilities pose significant threats to millions of users worldwide.
The primary concern revolves around CVE-2025-48593, a remote code execution (RCE) bug discovered in the System component. This vulnerability requires no additional privileges or user engagement, making it particularly dangerous.
Attackers could potentially exploit it via crafted network packets or malicious apps distributed through sideloads or third-party stores.
Google classified it as critical due to its potential for full device compromise, including data theft, ransomware deployment, or even turning the phone into a botnet node. The issue was reported internally via Android bug ID A-374746961 and patched in AOSP versions 13 through 16.
Vulnerability Breakdown and Affected Systems
This zero-click exploit stems from improper handling of system-level processes, allowing arbitrary code injection during routine operations like app launches or background syncing.
Security researchers note that while the exact root cause remains under wraps to prevent widespread abuse, it aligns with past Android flaws where memory corruption enabled privilege escalation.
Devices running Android 10 and later are eligible for updates, but older versions may remain exposed if manufacturers lag in deployment.
In addition to the critical RCE, the bulletin addresses CVE-2025-48581, a high-severity elevation of privilege (EoP) vulnerability in the same System component. This could let malicious apps gain unauthorized access to sensitive features, though it requires some initial foothold.
CVE ID           References    Type  Severity  Updated AOSP versions
CVE-2025-48593   A-374746961   RCE   Critical  13, 14, 15, 16
CVE-2025-48581   A-428945391   EoP   High      16
To protect against these threats, users should immediately check for system updates via Settings > System > System Update. Google recommends applying the 2025-11-01 security patch level, which fully resolves these issues for supported devices.
Manufacturers such as Samsung, and Google for its Pixel line, must roll out patches promptly, as delays could leave billions of devices vulnerable.
This bulletin arrives amid rising mobile threats, including state-sponsored spyware targeting activists. No active exploits have been reported yet, but the zero-click nature amplifies risks for high-profile targets.
Android’s modular update system via Google Play helps, but fragmentation remains a challenge. Experts urge enabling auto-updates and avoiding untrusted apps to stay secure in an increasingly hostile digital landscape.
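Beyond the Settings menu, a fleet can be checked from a workstation with adb. The script below is an added example, not Google's tooling or code from the article: it parses the output of `adb shell getprop` in its native "[key]: [value]" form, reads the standard ro.build.version.release and ro.build.version.security_patch properties, and reports whether the device is on one of the AOSP versions the bulletin table lists as updated (13 through 16) and whether its patch level is at or past 2025-11-01. The getprop excerpt embedded in it is constructed for the example.

```python
"""Check a device's Android release and security patch level against the
November 2025 bulletin. Added example; the updated-version set and the
2025-11-01 patch level come from the bulletin table, the getprop text is
constructed.
"""
import re
from datetime import date

# getprop prints one "[key]: [value]" pair per line.
GETPROP_RE = re.compile(r'^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$', re.M)

REQUIRED_PATCH = date(2025, 11, 1)                 # 2025-11-01 security patch level
UPDATED_AOSP_VERSIONS = {"13", "14", "15", "16"}   # versions the bulletin patches


def parse_getprop(text):
    """Turn getprop's bracketed lines into a dict."""
    return {m["key"]: m["val"] for m in GETPROP_RE.finditer(text)}


def assess(props):
    """Classify the device: patched, exposed, unknown-patch-level, or
    outside-updated-versions (release not in the bulletin's AOSP list)."""
    release = props.get("ro.build.version.release", "")
    major = release.split(".")[0]
    patch_str = props.get("ro.build.version.security_patch", "")
    try:
        patch = date.fromisoformat(patch_str)
    except ValueError:
        patch = None
    if major not in UPDATED_AOSP_VERSIONS:
        status = "outside-updated-versions"
    elif patch is None:
        status = "unknown-patch-level"
    elif patch >= REQUIRED_PATCH:
        status = "patched"
    else:
        status = "exposed"
    return {"release": release, "patch_level": patch_str, "status": status}


# Constructed getprop excerpt for a device one patch level behind.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [15]
[ro.build.version.sdk]: [35]
[ro.build.version.security_patch]: [2025-10-05]
[ro.product.manufacturer]: [Google]
"""

if __name__ == "__main__":
    import subprocess
    import sys
    text = SAMPLE_GETPROP
    # Real use: python3 check_patch.py --adb  (reads the live device over adb)
    if len(sys.argv) > 1 and sys.argv[1] == "--adb":
        text = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                              text=True, check=True).stdout
    print(assess(parse_getprop(text)))
```

A device on Android 12 or earlier is reported as outside the updated versions rather than as patched, since the bulletin table does not cover it; that case needs the vendor's own guidance rather than a patch-level comparison.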
The post Critical Android 0-Click Vulnerability in System Component Allows Remote Code Execution Attacks appeared first on Cyber Security News.
-
Microsoft is rolling out a significant security enhancement for its Authenticator app starting February 2026, introducing jailbreak and root detection capabilities that will automatically wipe Microsoft Entra credentials from compromised devices. This move represents a strategic shift toward strengthening enterprise identity security by preventing unauthorized account access through manipulated mobile platforms. The upcoming change will […]
The post Microsoft Plans to Remove Entra Accounts from Authenticator on Jailbroken Devices appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The cybersecurity threat landscape shifted dramatically on October 30, 2025, when security researchers monitoring honeypot infrastructure detected a significantly evolved variant of the RondoDox botnet. The updated malware now features 75 distinct exploitation vectors, a fundamental expansion that transforms the threat from a primarily IoT-focused botnet into a multifaceted enterprise threat capable of targeting everything […]
The post RondoDox Botnet Swells Its Arsenal — 650% Jump in Enterprise-Focused Exploits appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The decentralised finance (DeFi) ecosystem was rocked by a significant exploit targeting Balancer, one of the leading DeFi platforms. The breach specifically impacted Balancer’s V2 Composable Stable Pools, resulting in losses that reportedly exceed $100 million. This major incident highlights ongoing security challenges within the DeFi sector and underscores the importance of robust auditing and […]
The post Balancer DeFi Platform Hit by Major Exploit Resulting in $100M+ in Losses appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Security researchers have identified a dangerous remote access trojan called SleepyDuck lurking in the Open VSX IDE extension marketplace, targeting developers who use code editors like Cursor and Windsurf. The malicious extension masqueraded as a legitimate Solidity programming language helper, squatting on the name of an established extension to evade detection. The compromised extension juan-bianco.solidity-vlang […]
The post ‘SleepyDuck’ Malware in Open VSX Lets Attackers Remotely Control Windows PCs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
An ongoing malicious advertising campaign is weaponizing legitimate software downloads to deploy OysterLoader malware, previously identified as Broomstick and CleanUpLoader.
This sophisticated initial access tool enables cybercriminals to establish footholds in corporate networks, ultimately serving as a delivery mechanism for the notorious Rhysida ransomware gang.
The Rhysida ransomware operation has targeted enterprises since 2023, when it emerged as a rebrand of the Vice Society group, which had been active since 2021. Despite the attempt to shake off law enforcement through the name change, security researchers continue tracking its evolving tactics.
The current campaign uncovered by Expel represents their second major malvertising operation, building on tactics proven successful during their initial run from May to September 2024. Since June 2025, threat actors have maintained persistent operations with dramatically increased intensity and scope.
Rhysida’s Evolution and Persistent Threat
Rhysida operators purchase advertisements on Bing’s search engine, directing unsuspecting users toward convincing but malicious landing pages.
These sponsored results appear prominently in search results and even within Windows 11 start menu searches, placing malware downloads directly before potential victims.
Recent campaigns have impersonated popular software, including Microsoft Teams, PuTTY, and Zoom, with threat actors creating nearly identical fake download pages.
Bing ads showing up in the Windows 11 Start menu; the sponsored result misspells PuTTY as “Putty”.
The malicious PuTTY advertisements demonstrate this technique: the sponsored results intentionally misspell “PuTTY” as “Putty” while looking legitimate enough to deceive users seeking the genuine SSH client.
OysterLoader’s effectiveness stems from two primary evasion techniques. First, attackers pack the malware through compression and obfuscation, hiding its true capabilities from security tools.
This results in remarkably low initial detection rates, with fewer than five antivirus engines typically flagging new samples. Second, threat actors employ code-signing certificates, exploiting Windows trust mechanisms to appear legitimate.
Due to their obfuscation, it can take several days before more AV engines flag the malware.
The scale of this operation is evident in certificate usage. While the 2024 campaign used seven certificates, the current 2025 campaign has burned through over 40 unique code-signing certificates, indicating substantial resource investment and operational commitment.
Rhysida doesn’t rely solely on OysterLoader. Expel researchers discovered the gang simultaneously deploying Latrodectus malware, confirmed when identical code-signing certificates appeared on both malware families.
Additionally, Rhysida has abused Microsoft’s Trusted Signing service, whose certificates are valid for only 72 hours, by repeatedly obtaining fresh ones. Microsoft reports revoking over 200 certificates associated with this campaign, yet operations remain active.
Security teams should remain vigilant against malvertising campaigns and verify software downloads exclusively through official channels to avoid compromise.
The post Weaponized Putty and Teams Ads Deliver Malware Allowing Hackers to Access Network appeared first on Cyber Security News.
-
Google’s artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser that, if successfully exploited, could result in a browser crash or memory corruption. The list of vulnerabilities is as follows – CVE-2025-43429 – A buffer overflow