LIVE · cybersecurity feed

malware

zeroday.news · 2h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 2h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 8h ago

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

A Chinese threat actor, UAT-7810, is reportedly enhancing its custom malware to broaden its Operational Relay Box (ORB) network. This expansion involves compromising internet-facing networking devices, according to Cisco Talos.

zeroday.news · 23h ago·high

Chinese hackers develop LONGLEASH malware to expand ORB network

Chinese state-sponsored hackers, identified as UAT-7810, have developed new malware named LONGLEASH. It is being used to expand their ORB network by compromising internet-facing devices, specifically targeting unpatched Ruckus routers.

zeroday.news · 1d ago·high

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

A new Malware-as-a-Service offering called RedWing packages Android bank fraud tools and is rented via Telegram. It provides ready-made malware capable of taking over phones and stealing banking credentials and one-time passcodes.

zeroday.news · 1d ago·high

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

An Iran-linked threat actor is using an adaptable modular command-and-control framework in cyberattacks. It compromised IT service providers to reach high-value targets primarily in Israel.

zeroday.news · 1d ago

UAT-7810 continues building ORB networks using new malware

The threat actor UAT-7810 is reportedly developing new custom malware. This malware is being utilized to establish ORB networks, indicating an evolution in their tools and ongoing malicious operations.

zeroday.news · 1d ago

Fake IT support calls on Microsoft Teams push EtherRAT malware

Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks. [...]

zeroday.news · 2d ago

⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing

zeroday.news · 2d ago

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The mult

zeroday.news · 2d ago

New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions

Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying

zeroday.news · 2d ago

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under

zeroday.news · 2d ago

SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing

Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Th

zeroday.news · 4d ago

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines c

zeroday.news · 5d ago

FBI Seizes NetNut Proxy Platform, Popa Botnet

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technolo

zeroday.news · 6d ago

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attenti

zeroday.news · 6d ago

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new

zeroday.news · 6d ago

And the Winner in Dominant Malware Delivery? ClickFix

Researchers say the highly effective social engineering technique is no longer the exception for malware attacks — it's now the rule.

zeroday.news · 7d ago·high

Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula

Cybersecurity researchers have identified a new campaign by the banking Trojan Ousaban, primarily targeting users in Spain and Portugal. The malware, previously active in Brazil, is distributed via a sophisticated phishing PDF that leads victims to a malicious webpage. This page employs environmental and geo-fencing checks to ensure only intended targets download the payload, which includes a VBS script and the Ousaban executable. The Trojan then establishes persistence, decrypts banking-related strings using a custom algorithm, and communicates with command-and-control servers through dynamically generated hostnames.

zeroday.news · 7d ago

Phishers Gain Persistence at EU, Asia Hospitality Orgs

Separate but similar campaigns described by Microsoft and Trend Micro use malicious zip files to spread malware via social engineering and obsfucation, including blockchain abuse.

zeroday.news · 8d ago

USB drives carrying China-linked malware infected Japanese military networks for nearly a year

Read more in my article on the Hot for Security blog.

zeroday.news · 8d ago

Iran, Russia, China Target Water Systems for Sabotage

Nation-state attackers breach water systems through weak passwords, exposed PLCs, and poor segmentation — not sophisticated malware.

zeroday.news · 12d ago

Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses

The FSB state-sponsored operation has gotten a lot better at loading its malware and hiding its servers.

zeroday.news · 20d ago

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers

zeroday.news · 20d ago

Smashing Security podcast #472: AI gets hacked, and BitLocker gets bypassed

What if your AI coding assistant could be tricked into stealing your own company's secrets - by reading a single booby-trapped bug report? No phishing email. No malware. No password ever stolen. Just an AI doing exactly what it was told. Me

zeroday.news · 47d ago

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed deni

zeroday.news · 146d ago

Bypassing Administrator Protection by Abusing UI Access

In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was rele

zeroday.news · 163d ago

Bypassing Windows Administrator Protection

A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local use