Google warns that various threat actors, including those linked to Russia and China, are exploiting a critical flaw in WinRAR to gain access and deploy malware. This vulnerability, CVE-2025-8088, allows attackers to execute malicious code by manipulating archive files, leading to widespread attacks on multiple targets.

Threat actors are using phishing emails with weaponized attachments to deploy malware aimed at Russia and Belarus' defense sector. The malware establishes a backdoor via OpenSSH and a customized Tor service, facilitating remote access while avoiding detection. Environmental checks ensure it only activates on genuine user systems.

Iranian hacking group APT42 has been conducting a sophisticated campaign against senior defense and government officials, using social engineering tactics and even targeting their families to apply pressure. The malware they deploy operates stealthily, blending with normal activity and employing various techniques to maintain persistence and exfiltrate sensitive data.

The article discusses the emergence of ScarCruft, a sophisticated threat actor that employs RokRat malware to conduct cyber espionage and data theft. It details the malware's capabilities and its targeted attacks against high-profile organizations. Additionally, the article emphasizes the importance of cybersecurity measures to counter such threats.

Kaspersky uncovered a cyber espionage campaign dubbed Operation ForumTroll, where sophisticated phishing emails led to infections via a zero-day exploit in Google Chrome. The malware identified, known as "Dante," was traced back to the Italian company Memento Labs and utilized advanced techniques to bypass browser security measures, highlighting ongoing vulnerabilities in web applications.

The article discusses a new malware identified as "Sparrow," attributed to a Chinese cyber espionage group known as FamousSparrow. This malware poses a significant threat to organizations in the Americas by exploiting vulnerabilities in various systems to conduct surveillance and data theft.

Google Threat Intelligence Group is monitoring the BRICKSTORM malware campaign, attributed to the UNC5221 threat actor, which targets the tech and legal sectors to maintain stealthy access to victim organizations. The malware exploits zero-day vulnerabilities and employs sophisticated techniques for lateral movement and data theft, remaining undetected for an average of 393 days. Organizations are urged to reassess their security measures, particularly concerning network appliances that may lack traditional security monitoring.

A critical security vulnerability (CVE-2025-22457) in Ivanti Connect Secure VPN appliances is being actively exploited by a suspected China-nexus threat actor, UNC5221, leading to remote code execution and the deployment of various malware families. Organizations are urged to upgrade their systems immediately to mitigate potential risks associated with this vulnerability.

The U.S. government has unsealed charges against 16 individuals linked to DanaBot, a malware-as-a-service platform responsible for stealing information and causing over $50 million in losses. The FBI revealed that the malware infected more than 300,000 systems worldwide, and some defendants inadvertently exposed their identities by infecting their own computers. The operation included the seizure of servers used to control the malware and store stolen data.