The cyber group Tomiris has changed its strategy, using public services like Telegram and Discord for command-and-control in attacks against government entities in Central Asia. Their recent campaigns involve spear-phishing emails and malware that targets high-value political infrastructure, employing a variety of custom and open-source tools.

The article discusses two new dark large language models (LLMs), WormGPT 4 and KawaiiGPT, which help less-skilled cybercriminals automate attacks like phishing and malware creation. WormGPT 4 is sold on underground forums, while KawaiiGPT is freely available on GitHub, making it easy for aspiring hackers to access powerful tools. Researchers warn these models lower the skill barrier for cybercrime, posing a significant digital risk.

WormGPT 4 offers lifetime access for $220, enabling users to generate malware and phishing tools without needing advanced skills. While it simplifies certain cybercrime tasks, human intervention is still necessary to bypass security measures. Another model, KawaiiGPT, is even more accessible as it's free on GitHub.

North Korean hackers are using spear phishing emails that mimic human rights organizations and financial institutions to distribute malware. This campaign, called "Operation Poseidon," is linked to the Konni hacking group and aims to exploit vulnerabilities in email security through deceptive links. Cybersecurity experts warn that these sophisticated tactics make such attacks difficult to defend against.

This article investigates a Russian phishing campaign that uses a fake payment confirmation email to deploy the Phantom stealer malware. It details the multi-stage infection process, including the malicious ISO and executable files involved, and highlights the types of data targeted, such as credentials and cryptocurrency information.

A malware campaign is using fake guides for OpenAI's Atlas browser to lure macOS users into downloading an infostealer named AMOS. Victims are tricked into executing a malicious command that harvests sensitive data and installs a backdoor for remote access. Basic cybersecurity practices can help prevent these attacks.

Attackers are using a new method called "Browser-in-the-Browser" to create convincing fake login windows that steal usernames and passwords. These pop-ups look legitimate and can trick users, but employing a password manager and being cautious with links can help protect your accounts.

The "Stanley" toolkit allows criminals to create malicious Chrome extensions that can overlay phishing pages on legitimate sites while masking the true URL. By masquerading as useful tools, these extensions trick users into granting permissions, making them vulnerable to credential theft. This poses significant risks in remote work environments where browser security is paramount.

A new ClickFix campaign targets the hospitality sector in Europe, using fake Windows BSOD screens to trick users into executing malware. Attackers send phishing emails impersonating Booking.com, leading victims to a convincing fake website that prompts them to run malicious commands. Once executed, the malware grants remote access and can spread within the network.

A phishing campaign is impersonating well-known brands like Disney and Mastercard to steal Google Workspace and Facebook business account credentials. The attackers use fake Calendly invitations to lure victims, leading them to phishing pages designed to capture sensitive login information. The campaign employs advanced techniques to bypass security measures, making it a significant threat.

The hacker group MuddyWater has launched a new spear-phishing campaign using a Rust-based implant called RustyWater, targeting various sectors in the Middle East. This campaign involves malicious Word documents that deploy the malware, which can gather system information and maintain persistence on infected machines. The move marks a shift from traditional tools to more sophisticated, custom malware.

A new attack is tricking Mac users into downloading malware through a fake job application process on a bogus website. Victims are lured with false job offers and prompted to install a fake FFmpeg update, which actually installs a backdoor called Flexible Ferret. This malware gives attackers ongoing access to the infected system.

Threat actors are using phishing emails with weaponized attachments to deploy malware aimed at Russia and Belarus' defense sector. The malware establishes a backdoor via OpenSSH and a customized Tor service, facilitating remote access while avoiding detection. Environmental checks ensure it only activates on genuine user systems.

The Herodotus malware family targets Android devices by using random delays to imitate human typing, making it harder for security software to detect. Currently distributed through SMS phishing, it can bypass Accessibility permissions and interact with the user interface to steal sensitive information. Experts warn Android users to be cautious about app permissions and avoid downloading apps from untrusted sources.

This article explores how large language models (LLMs) can be used for both defensive and offensive purposes in cybersecurity, highlighting the rise of malicious models like WormGPT and WormGPT 4. These tools bypass ethical constraints, making cybercrime more accessible for less skilled attackers. The piece details their capabilities, including generating phishing content and malware, and discusses the implications for the threat landscape.

Transparent Tribe, a hacking group linked to Pakistan, has targeted Indian government and academic sectors with a new remote access trojan (RAT). The attacks utilize weaponized files disguised as PDFs and adapt their methods based on the antivirus software present on infected systems. Recent activity also includes a campaign using malicious shortcuts to deliver additional payloads for long-term access.

This article explains the need to monitor and control outbound traffic to protect against internal threats like malware and phishing. It highlights how malicious software can communicate externally and the compliance requirements related to outbound traffic restrictions. It also discusses the challenges businesses face in implementing these restrictions and suggests advanced security solutions.

This article details a phishing scheme by DPRK hackers posing as recruiters. It analyzes the malware used in the scam, including code obfuscation techniques and how the attackers gather sensitive information from victims.

Researchers found a phishing campaign using Phorpiex malware to spread Global Group ransomware. The attack employs deceptive file names to trick users into downloading a Windows shortcut that encrypts files offline, making recovery nearly impossible. It also erases backup files to cover its tracks.

This article discusses a phishing scam where attackers impersonate recruiters to invite job seekers to fake interviews. The communication often includes suspicious links and requests for software installations, which can lead to malware infections. It emphasizes the importance of verifying the sender and maintaining updated security measures.

Researchers have identified four new phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that enable large-scale credential theft. These kits utilize advanced techniques, including AI automation and evasion strategies, to deceive users and bypass security measures.

Threat actors are using a Japanese Unicode character to create deceptive phishing links that mimic legitimate Booking.com URLs, tricking users into visiting malicious sites. This technique exploits visual similarities in characters, making it difficult for users to discern the real domain. Security measures are suggested to help users identify and avoid such phishing attempts.

The article discusses the release of the source code for Ermac v3.0, a sophisticated banking Trojan that has been used to steal sensitive information from users. It highlights the potential risks associated with this malware and urges users to be vigilant against security threats.

An ongoing infostealer campaign is targeting Mac users through fraudulent GitHub repositories that masquerade as legitimate software downloads. The LastPass TIME team is raising awareness of this threat, which employs SEO tactics to position malicious links prominently in search results, and has already initiated takedown efforts against some of these fraudulent sites.

VirusTotal uncovered a phishing campaign that utilizes SVG files to create deceptive portals mimicking Colombia's judicial system, leading users to download malware. The AI Code Insight feature enabled the detection of these previously undetected SVG files, which cleverly employ JavaScript to simulate a legitimate download process. This highlights the growing use of SVGs in cyberattacks and the importance of AI in identifying such threats.

Over 4,000 victims in 62 countries have been targeted by the PXA Stealer malware, which has stolen hundreds of credit card numbers, 200,000 passwords, and over 4 million browser cookies. This Python-based infostealer uses sophisticated phishing techniques and has evolved to evade detection, exfiltrating sensitive data through Telegram-based marketplaces.

A newly discovered WinRAR vulnerability, tracked as CVE-2025-8088, has been exploited in phishing attacks to deploy RomCom malware. The flaw allows attackers to create malicious archives that can extract executables into paths that enable remote code execution when a user logs in. Users are urged to update to WinRAR 7.13 to mitigate this risk.

A new cyber espionage campaign named "Blind Eagle" has been linked to the Russian group known as Proton66, targeting organizations in Latin America. The attacks primarily focus on stealing sensitive information using sophisticated malware and phishing techniques to compromise victim systems. Experts warn that this campaign illustrates the increasing threat posed by state-sponsored actors in the region.

An artist recounts a phishing experience where a seemingly legitimate journalist's email led to the installation of malware on his Mac. After realizing his mistake, he took immediate action to secure his accounts and reported the incident to authorities, while also analyzing the malware to better understand the threat it posed.

Researchers at Mandiant have discovered a new malware strain dubbed "UNC6032," which utilizes AI-generated video content to deceive victims. The malware operates primarily through phishing campaigns, leveraging convincing videos to trick users into downloading malicious software. This highlights a growing trend in cyber threats where AI technology is exploited for malicious purposes.

Slow Pisces, a North Korean state-sponsored threat group, has stolen over $1 billion from the cryptocurrency sector in 2023 by targeting developers through disguised job offers on LinkedIn. They use malware hidden within coding challenges and have been linked to significant thefts from cryptocurrency companies, prompting action from GitHub and LinkedIn to remove malicious accounts. The malware employs advanced techniques like YAML deserialization to evade detection and execute additional payloads.

Kaspersky uncovered a cyber espionage campaign dubbed Operation ForumTroll, where sophisticated phishing emails led to infections via a zero-day exploit in Google Chrome. The malware identified, known as "Dante," was traced back to the Italian company Memento Labs and utilized advanced techniques to bypass browser security measures, highlighting ongoing vulnerabilities in web applications.

A new FileFix social engineering attack mimics Meta account suspension alerts to deceive users into installing the StealC infostealer malware. It utilizes a multi-language phishing page that instructs victims to copy a disguised PowerShell command into the File Explorer address bar, ultimately leading to the execution of malicious code hidden within a JPG image. Acronis highlights the evolution of this attack method and emphasizes the need for heightened awareness against such sophisticated phishing tactics.

The article discusses the exploitation of Microsoft Teams for delivering malware through direct messages, highlighting the tactics employed by cybercriminals to bypass security measures. It emphasizes the need for organizations to enhance their cybersecurity protocols to mitigate such threats.

iClicker's website was compromised in a ClickFix attack that used a fake CAPTCHA to trick users into executing a PowerShell script that potentially installed malware on their devices. The attack, targeting college students and instructors, aimed to steal sensitive data, but the malware's specific nature varied based on the visitor type. Users who interacted with the fake CAPTCHA between April 12 and April 16, 2025, are advised to change their passwords and run security checks on their devices.

Cybersecurity experts warn that malicious PDFs are increasingly being used as delivery mechanisms for phishing attacks, particularly targeting Gmail users. These PDFs can masquerade as legitimate documents but contain links or scripts designed to steal user credentials and sensitive information. Awareness and caution are crucial for users to avoid falling victim to these deceptive tactics.

Spanish authorities have arrested a 25-year-old Brazilian national known as GoogleXcoder, who is accused of leading the GXC Team crime-as-a-service operation that sold phishing kits and Android malware. The GXC Team targeted banks and other organizations, contributing to significant financial losses through their phishing campaigns.

Threat actors are exploiting the ConnectWise ScreenConnect installer to create signed remote access malware through a method called authenticode stuffing, which alters hidden settings in the software's digital signature. This has led to infections reported via phishing attacks that trick users into downloading malicious executables disguised as legitimate software. ConnectWise has since revoked the certificate used for these binaries, but the campaign highlights the risks of using modified enterprise tools.

A malicious campaign is targeting macOS developers through fake Homebrew, LogMeIn, and TradingView platforms that distribute infostealing malware such as AMOS and Odyssey. The campaign uses deceptive tactics to trick users into executing harmful commands in Terminal, leading to the theft of sensitive information from their systems. Researchers identified over 85 domains involved in this scheme, which are promoted via Google Ads to appear in search results.

A phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, prompting recipients to download a malicious desktop application. The downloaded software installs a remote management tool called Syncro, enabling threat actors to remotely access users' computers and potentially steal sensitive information. LastPass has clarified that these claims are false and users should verify security alerts through official channels.

A new Android banking Trojan named Anatsa has been discovered, targeting users by mimicking legitimate banking applications. It employs advanced techniques to steal sensitive information and bypass security measures, posing a significant threat to users’ financial security. The malware is spread through malicious apps and phishing campaigns, highlighting the need for increased vigilance among mobile users.

A multi-stage reverse proxy card skimming attack has been discovered that exploits fake GIFs to capture sensitive payment information. The attack involves complex techniques to evade detection and highlights the importance of securing payment processes against such sophisticated threats.

A recent phishing campaign targeting Ukraine impersonates government agencies, using malicious SVG files to deliver malware including Amatera Stealer and PureMiner. Upon opening the attachment, victims unwittingly download a CHM file that executes a series of malicious actions, ultimately compromising sensitive information and hijacking system resources.

A sophisticated phishing scheme named BeaverTail masquerades as a job offer for an AI engineering role, tricking developers into executing malicious code from a fake GitHub repository. This malware operates in five stages, stealing sensitive information, establishing remote access, and deploying additional malicious components while exploiting trust through social engineering tactics.

A fake version of ChatGPT, disguised as an InVideo AI tool, is tricking users into downloading ransomware. This malicious software locks users out of their systems and demands a ransom for access. The incident highlights the urgent need for vigilance against such deceptive schemes in the AI landscape.

Microsoft Teams will implement automatic warnings for private messages containing links flagged as malicious, including spam, phishing, and malware. This feature, available for Microsoft Defender for Office 365 and Teams enterprise customers, is set to begin public preview in September 2025 and become generally available by November 2025. Admins can enable or manage these warnings through the Teams Admin Center.

A significant rise in phishing activities using .es domains has been reported, with a 19-fold increase in malicious campaigns since January, making it the third most common TLD for such activities. Most of these campaigns focus on credential phishing, primarily spoofing Microsoft, and are often hosted on Cloudflare services. Researchers warn that this trend may indicate a growing tactic among various threat actors rather than just a few specialized groups.

The article provides a comprehensive guide on enhancing email security to protect against various threats such as phishing, malware, and spam. It discusses essential practices and tools for safeguarding your inbox, including the importance of strong passwords, multi-factor authentication, and the use of security software. Additionally, it highlights workplace strategies for maintaining email security to ensure a safer communication environment.

Security researchers have linked various malware campaigns to the Proton66 network, which provides bulletproof hosting services for cybercriminals. These campaigns exploit compromised WordPress websites and have targeted users with phishing schemes and information stealers, particularly in specific regions such as Korea and Europe.

Phishing sites are masquerading as legitimate downloads from DeepSeek, distributing a proxy backdoor that compromises users' systems. These malicious sites exploit trust to lure victims into downloading harmful software. Users are advised to be cautious and verify sources before downloading applications.

Discord users are at risk from a new phishing attack involving invite link hijacking, which leads to the installation of malware on victims' devices. The attack exploits the trust users place in Discord links, making it crucial for users to verify the authenticity of links before clicking. Security experts recommend staying vigilant and using protective measures to avoid falling victim to such scams.

Authorities in Pakistan have arrested 21 individuals linked to the “Heartsender” malware service, which facilitated spam and cybercrime for over a decade, resulting in extensive financial losses. The operation, which targeted various internet companies, was identified by KrebsOnSecurity in 2021, and included notorious figures like Rameez Shahzad, the alleged ringleader. The arrests follow a series of raids conducted by the National Cyber Crime Investigation Agency amid ongoing investigations into transnational organized crime.

The Python Software Foundation has issued a warning about new phishing attacks targeting PyPI users, urging them to reset their credentials after receiving fake emails from a fraudulent site. Victims are being misled into verifying their email for account maintenance, which could lead to credential theft and subsequent malware attacks on published packages. Users are advised to change passwords immediately and implement stronger security measures like two-factor authentication.

Multiple DuckDB-related npm packages were compromised, including duckdb and its associated modules, which contained malicious code aimed at draining crypto wallets. The attack mirrors previous incidents of phishing in the npm ecosystem, leading to the vendor marking the latest release as deprecated and issuing an advisory on GitHub.

A new spear-phishing campaign, dubbed "Venom Spider," is targeting hiring managers and recruiters by masquerading as job seekers. The attackers exploit the necessity for HR staff to open email attachments, delivering a backdoor malware known as "More_eggs" to compromise systems and gather sensitive information.

Cybercriminals are increasingly exploiting the Lovable AI website builder to create phishing pages and fraudulent sites that impersonate well-known brands. Despite Lovable's efforts to detect and eliminate malicious content, the rising number of AI site generators is lowering the barriers for cybercrime. Recent campaigns have targeted organizations and individuals through sophisticated phishing schemes, resulting in significant data theft and malware distribution.

The npm author Qix was targeted in a significant supply chain attack through a phishing email that spoofed npm branding, tricking the author into compromising their account. Malicious code was introduced into several packages, redirecting cryptocurrency transactions to the attacker's addresses, highlighting the persistent threat of phishing in the open-source ecosystem.

Noodlophile Stealer has evolved to conduct targeted copyright phishing attacks, specifically focusing on enterprises with social media footprints. This sophisticated malware exploits social media information to craft convincing phishing campaigns aimed at extracting sensitive data from organizations.

Threat actors have exploited SourceForge to distribute fake Microsoft Office add-ins that install malware, including cryptocurrency miners and clipboard hijackers, on victims' computers. Over 4,600 systems, primarily in Russia, have been affected by this campaign, which involved deceptive project pages mimicking legitimate tools. Users are advised to download software only from trusted sources and verify files before execution.

Cybercriminals are exploiting Meta's advertising platforms to promote a fake TradingView Premium app that distributes the Brokewell malware for Android devices. This malware is capable of stealing sensitive information, monitoring users, and taking control of compromised devices, specifically targeting mobile users with localized ads since July 22nd. Researchers from Bitdefender have detailed the malware's advanced functionalities, including stealing cryptocurrency and bypassing two-factor authentication.

Fake software activation videos circulating on TikTok are promoting the Vidar stealer malware, which compromises user data and credentials. Users are lured into downloading malicious software disguised as legitimate tools, leading to significant security risks and potential data breaches. The article highlights the importance of cybersecurity awareness in the face of such deceptive tactics on social media platforms.

A group has adapted its tactics to exploit the ongoing protests in Nepal by deploying mobile and Windows malware alongside phishing schemes to steal sensitive data. Utilizing the guise of Nepalese Emergency Services and military figures, they trick users into downloading malicious applications that exfiltrate personal information. The article highlights specific malware samples and their indicators of compromise (IOCs).