The article discusses two new dark large language models (LLMs), WormGPT 4 and KawaiiGPT, which help less-skilled cybercriminals automate attacks like phishing and malware creation. WormGPT 4 is sold on underground forums, while KawaiiGPT is freely available on GitHub, making it easy for aspiring hackers to access powerful tools. Researchers warn these models lower the skill barrier for cybercrime, posing a significant digital risk.
Google warns that various threat actors, including those linked to Russia and China, are exploiting a critical flaw in WinRAR to gain access and deploy malware. This vulnerability, CVE-2025-8088, allows attackers to execute malicious code by manipulating archive files, leading to widespread attacks on multiple targets.
Europol coordinated a crackdown on three cybercrime operations, targeting the malware Rhadamanthys, the Elysium botnet, and VenomRAT. Police arrested a key suspect in Greece and seized over 1,000 servers, revealing millions of stolen credentials from infected computers. Rhadamanthys gained prominence after the takedown of another malware, Lumma, earlier this year.
Dutch authorities arrested a 33-year-old man at Schiphol Airport, believed to be the mastermind behind the AVCheck malware platform. This site, shut down in May 2025, allowed cybercriminals to test their malware against various antivirus systems. The arrest followed an international investigation linked to the platform's takedown.
GoldFactory, a Chinese-speaking cybercrime group, is attacking mobile users in Indonesia, Thailand, and Vietnam by impersonating government services and distributing modified banking apps. Their tactics involve tricking victims into installing malware through phone calls and fake app links, leading to thousands of infections. The group has developed sophisticated methods to bypass security features of legitimate banking applications.
This article details an organized cybercriminal operation that primarily targets cryptocurrency users and Web3 employees through sophisticated malware and social engineering tactics. The gang, linked to multiple traffer groups, has generated at least $2.4 million in theft, using fake applications and extensive infrastructure to deliver their attacks.
A new infostealer called SantaStealer has been launched, promoting itself on Telegram and underground forums. This malware collects sensitive data and aims to evade detection by operating in-memory, though initial samples reveal weaknesses in its design and execution.
Researchers found that Sicarii ransomware has a decryption flaw, rendering victims' data unrecoverable even if they pay the ransom. The malware generates a new RSA key for each attack, discarding the private key, leaving no viable recovery option. Caution is advised for organizations considering ransom payments.
This article explores how large language models (LLMs) can be used for both defensive and offensive purposes in cybersecurity, highlighting the rise of malicious models like WormGPT and WormGPT 4. These tools bypass ethical constraints, making cybercrime more accessible for less skilled attackers. The piece details their capabilities, including generating phishing content and malware, and discusses the implications for the threat landscape.
Researchers found a phishing campaign using Phorpiex malware to spread Global Group ransomware. The attack employs deceptive file names to trick users into downloading a Windows shortcut that encrypts files offline, making recovery nearly impossible. It also erases backup files to cover its tracks.
A new variant of spyware called Stealerium automates sextortion by detecting when users browse pornography, capturing screenshots and webcam images to blackmail victims. Researchers at Proofpoint revealed that this malware, available as open-source on GitHub, enhances traditional infostealer functions by adding a layer of privacy invasion and humiliation. The malware has been linked to multiple cybercriminal campaigns since May.
EvilCorp, a sanctioned Russian cybercriminal group, has been linked to RansomHub, a rapidly growing ransomware-as-a-service operation. The collaboration between these entities raises concerns about potential sanctions for RansomHub, as their combined tactics involve using malware like SocGholish to infiltrate systems and execute ransomware attacks. This connection could complicate the landscape for organizations responding to ransomware incidents and increase scrutiny from law enforcement.
Microsoft has dismantled the Lumma Stealer operation, a malware distribution network involved in stealing user credentials and sensitive information. The company's actions included seizing domains associated with the malware, significantly disrupting its functionality and targeting cybercriminal activities.
North Korea is reportedly targeting cryptocurrency job seekers to distribute malware designed to steal passwords. These cyber operations aim to exploit the growing interest in crypto jobs, leveraging social engineering tactics to infect potential candidates' devices. The initiative reflects North Korea's ongoing efforts to fund its regime through cybercrime activities.
Cybercriminals are utilizing malicious traffic distribution systems (TDS), such as TAG-124, to deliver targeted malware and conduct ransomware attacks on high-value targets, particularly in the healthcare sector. This infrastructure enhances the efficiency of cybercriminal operations, enabling them to exploit vulnerabilities and maximize extortion payouts. Understanding and mitigating the risks associated with TAG-124 is crucial for organizations to defend against these sophisticated attacks.
Authorities in Pakistan have arrested 21 individuals linked to the “Heartsender” malware service, which facilitated spam and cybercrime for over a decade, resulting in extensive financial losses. The operation, which targeted various internet companies, was identified by KrebsOnSecurity in 2021, and included notorious figures like Rameez Shahzad, the alleged ringleader. The arrests follow a series of raids conducted by the National Cyber Crime Investigation Agency amid ongoing investigations into transnational organized crime.
Interpol has successfully dismantled a network of over 20,000 malicious IP addresses that were used for various cybercrimes, including hacking and distributing malware. This operation aimed to enhance global cybersecurity and reduce the impact of cyber threats on individuals and organizations. The initiative highlights the ongoing efforts of law enforcement agencies to combat online criminal activities.
Hackers have exploited a leaked copy of Shellter Elite, a commercial AV/EDR evasion tool, to deploy infostealer malware, marking the first misuse incident since the vendor's strict licensing model was introduced. Despite ongoing malicious activity since April, Shellter was not notified by security researchers at Elastic Security Labs, who later confirmed the misuse and developed detections for the affected version. Shellter has since released an updated version for vetted customers, excluding the one responsible for the leak.
Cybercriminals are increasingly exploiting the Lovable AI website builder to create phishing pages and fraudulent sites that impersonate well-known brands. Despite Lovable's efforts to detect and eliminate malicious content, the rising number of AI site generators is lowering the barriers for cybercrime. Recent campaigns have targeted organizations and individuals through sophisticated phishing schemes, resulting in significant data theft and malware distribution.
The U.S. government has unsealed charges against 16 individuals linked to DanaBot, a malware-as-a-service platform responsible for stealing information and causing over $50 million in losses. The FBI revealed that the malware infected more than 300,000 systems worldwide, and some defendants inadvertently exposed their identities by infecting their own computers. The operation included the seizure of servers used to control the malware and store stolen data.
An international law enforcement operation has successfully taken down AVCheck, a counter antivirus service used by cybercriminals to test malware evasion against commercial antivirus software. The takedown is part of Operation Endgame, which aims to disrupt organized cybercrime by targeting services that help criminals refine their malware for maximum effectiveness. Evidence links AVCheck's administrators to other crypting services that further support cybercriminal activities.