Cisco

Chinese Threat Actor UAT-5918 Targets Critical Infrastructure Entities in Taiwan

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser data stealers.

Attackers Leverage Cascading Style Sheets for Evasion and Tracking

Cybersecurity experts have uncovered how hackers use CSS to deceive spam filters and monitor user behavior. This sophisticated technique allows malicious actors to remain under the radar while gaining insights into user preferences and actions.

Miniaudio and Adobe Acrobat Reader Vulnerabilities Discovered

CVE-2024-41147 is an out-of-bounds write vulnerability in Miniaudio. CVE-2025-27163 and CVE-2025-27164 are out-of-bounds read vulnerabilities in the font functionality in Adobe Acrobat, which can lead to information disclosure.

Lotus Blossom Espionage Group Targets Multiple Industries With Different Versions of Sagerunex and Hacking Tools

Cisco Talos uncovered two new variants of the Sagerunex backdoor, detected during attacks on telecommunications and media companies, as well as multiple Sagerunex variants persisting in government and manufacturing environments.

New TorNet Backdoor Seen in Widespread Campaign Targeting Europe

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language.

Threat Actors Use Copyright Infringement Phishing Lure Against Taiwanese Users to Deploy Info-stealers

Cisco Talos has identified a phishing campaign targeting Facebook business users in Taiwan, using emails disguised as legal notices to trick recipients into downloading malware.

Threat Actor Abuses Gophish to Deliver New PowerRAT and DCRAT

The campaign involves modular infection chains requiring the victim's interaction, with the malware being delivered through Maldoc or HTML-based methods. The phishing emails use the Russian language, fake Yandex Disk links, and spoofed VK pages.

UAT-5647 Targets Ukrainian and Polish Entities with RomCom Malware Variants

UAT-5647 has advanced its tooling to include downloaders RustClaw and MeltingClaw, a Rust backdoor DustyHammock, and a C++ backdoor ShadyHammock. The threat actor attempted to compromise edge devices to evade detection during lateral movement.

Threat Actor Believed to be Spreading New Medusalocker Variant Since 2022

BabyLockerKZ has expanded its reach to different continents, shifting from Europe to South America in early 2023. It has distinct features compared to MedusaLocker, such as unique storage keys and differences between Windows and Linux versions.
September 13, 2024

Chinese-speaking Hackers Linked to DragonRank SEO Manipulator Service

By exploiting web app services, the attackers deploy a web shell to launch malware and gather credentials, compromising IIS servers to spread the BadIIS malware. The malware facilitates proxyware and SEO fraud by manipulating search engine rankings.
