Tag: Cobalt Strike

Chinese Hackers Infiltrate Asian Telecom, Undetected for Over Four Years

Telecommunications Giant Targeted by State-Sponsored Hackers

A prominent telecommunications company in Asia was reportedly infiltrated for over four years by Chinese state-sponsored hackers, as revealed in a recent report by cybersecurity firm Sygnia. Although the identity of the affected telecom provider remains undisclosed, the incident highlights the vulnerabilities in critical…


CERT-UA Reports Cyberattacks on Ukrainian State Systems Utilizing WRECKSTEEL Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported three cyberattacks targeting state administration bodies and critical infrastructure. The objective of these attacks appears to be data theft from sensitive governmental entities. According to CERT-UA, the coordinated campaign used compromised email accounts to send phishing emails.…


Introducing the EX-22 Tool: Empowering Hackers for Covert Ransomware Attacks on Enterprises

A new and sophisticated post-exploitation framework known as EXFILTRATOR-22, or EX-22, has surfaced, designed to facilitate ransomware deployment within enterprise networks while maintaining stealth. This tool presents a range of features that streamline the post-exploitation process, making it increasingly accessible for cybercriminals, as outlined in a recent report by cybersecurity…


Cybercriminals Attack Law Firms Using GootLoader and FakeUpdates Malware

Six law firms were targeted by two distinct campaigns delivering GootLoader and FakeUpdates (also known as SocGholish) malware during January and February 2023. These campaigns highlight the increasing sophistication of cyber attacks aimed at the legal sector. GootLoader, a downloader first…


Chinese Hackers Exploit SAP RCE Vulnerability CVE-2025-31324 to Deploy Golang-Based SuperShell

A recent report has identified a China-linked threat actor, referred to as Chaya_004, actively exploiting a critical vulnerability in SAP NetWeaver. This attack leverages the flaw CVE-2025-31324, which has been assigned a maximum CVSS score of 10.0. The malicious activity linked to this actor has been ongoing since April 29,…


Chinese Hackers Leverage Trimble Cityworks Vulnerability to Access U.S. Government Networks

May 22, 2025
Vulnerability / Threat Intelligence

A Chinese-speaking threat actor, identified as UAT-6382, has exploited a recently patched remote-code-execution vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell. According to an analysis by Cisco Talos researchers Asheer Malhotra and Brandon White, “UAT-6382 effectively targeted CVE-2025-0944, conducted reconnaissance, and quickly implemented various web shells and custom malware for sustained access.” Following their infiltration, UAT-6382 showed significant interest in systems related to utility management. Cisco Talos observed these attacks beginning in January 2025, specifically aimed at the enterprise networks of local government entities in the U.S. CVE-2025-0944, with a CVSS score of 8.6, pertains to a vulnerability in the GIS-focused asset management software that could allow for remote code execution. The flaw has been patched.


New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads such as Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has been continuously updated with detection-evasion techniques, including anti-VM, anti-debugging, and anti-sandbox checks. Notably, it was the most prevalent malware in March 2023, according to Check Point. Early QBot distribution relied on infected websites, among other methods.


Experts Reveal Year-Long Cyber Assault on IT Firm Using Custom Malware RDStealer

A sophisticated cyber attack targeting an East Asian IT company involved the use of a custom malware, RDStealer, developed in Golang. “The operation spanned over a year, aimed at stealing credentials and data,” stated Bitdefender security researcher Victor Vrabie in a report shared with The Hacker News. Evidence from the Romanian cybersecurity firm indicates that the operation, dubbed RedClouds, began in early 2022 and reflects the interests of China-based threat actors. Initially, the campaign utilized common remote access and post-exploitation tools such as AsyncRAT and Cobalt Strike, but it later shifted to custom malware in late 2021 or early 2022 to evade detection. A key evasion strategy was to hide the malware in Windows folders that security products commonly exclude from scanning, such as System32 and Program Files.
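The evasion trick above works only when a security product is actually skipping those directories, so the first thing a defender should verify is its own exclusion list, and the second is whether anything unsigned has recently appeared in the directories the attackers favoured. The following PowerShell script is an added example written for this page; it is not code from Bitdefender's report or from the RDStealer campaign. It assumes Microsoft Defender is the endpoint product (the Get-MpPreference cmdlet) and uses a 30-day lookback that is an illustrative threshold, not a value from the report.

```powershell
# Added example (not from the page or the Bitdefender report): audit Defender
# exclusions for system directories and hunt for recently written, unsigned
# binaries under them. Run in an elevated PowerShell session on the host.
# The 30-day window and the directory list are assumptions for illustration.

$sensitiveRoots = @(
    "$env:SystemRoot\System32",
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | Select-Object -Unique

# 1. A path exclusion that covers, or sits inside, a system directory gives an
#    intruder an unscanned place to stage tooling. Flag each one.
$pref = Get-MpPreference
foreach ($ex in @($pref.ExclusionPath)) {
    if (-not $ex) { continue }
    foreach ($root in $sensitiveRoots) {
        if ($root.StartsWith($ex, [System.StringComparison]::OrdinalIgnoreCase) -or
            $ex.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "Defender path exclusion touches a system directory: $ex"
        }
    }
}
if ($pref.ExclusionExtension) {
    Write-Warning "Extension exclusions present: $($pref.ExclusionExtension -join ', ')"
}
if ($pref.ExclusionProcess) {
    Write-Warning "Process exclusions present: $($pref.ExclusionProcess -join ', ')"
}

# 2. Executables and DLLs in these directories should carry a valid
#    Authenticode signature. Report any written recently whose signature
#    status is not 'Valid', with a SHA-256 hash for follow-up.
$since = (Get-Date).AddDays(-30)
$hits = foreach ($root in $sensitiveRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    SigStatus     = $sig.Status
                    SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}
$hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

The recursive walk of the Windows and Program Files trees takes several minutes on a typical host, and some legitimately unsigned files (installer leftovers, vendor helper DLLs) will appear, so treat the second list as triage input rather than an alert by itself. The exclusion check, by contrast, should come back empty on a well-configured machine; any hit there is worth explaining, because a broad exclusion is exactly the condition that made the RDStealer hiding spots useful.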


Kimsuky Hackers from North Korea Face Data Breach After Insider Leaks Information Online

A notable breach has emerged from North Korea’s Kimsuky espionage group, with insiders leaking hundreds of gigabytes of sensitive internal files and tools to the public. This incident, which surfaced in early June 2025, reveals critical backdoors, phishing mechanisms, and reconnaissance strategies employed by the state-sponsored threat actor—marking an unusual…
