Fortinet

Threat Signal Report

Multiple critical vulnerabilities have been identified in Citrix NetScaler ADC and NetScaler Gateway appliances, including a memory overflow flaw (CVE-2025-7775) that enables remote code execution (RCE) and denial of service (DoS).

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

A newly identified phishing campaign is deploying a sophisticated RAT dubbed MostereRAT, targeting Microsoft Windows systems. The campaign begins with phishing emails targeting Japanese users, impersonating legitimate business inquiries.

Threat Signal Report

Critical authentication bypass vulnerabilities have been discovered in Zscaler, Netskope, and Check Point ZTNA. These vulnerabilities allow bypassing authentication mechanisms, impersonating users across organizations, and accessing sensitive data.

RondoDox Unveiled: Breaking Down a New Botnet Threat

RondoDox is a new botnet threat that exploits two critical vulnerabilities: CVE-2024-3721 (TBK DVR models) and CVE-2024-12856 (Four-Faith router models). These vulnerabilities allow remote attackers to execute arbitrary commands.

Dissecting a Malicious Havoc Sample

A sophisticated variant of the Havoc Remote Access Trojan (RAT) was deployed in a targeted cyber intrusion against critical national infrastructure in the Middle East. This variant leverages a disguised remote injector to deploy the Havoc payload.

Critical Authentication Bypass Vulnerability in Teleport (CVE-2025-49825) Affects SSH and Git Proxy Setups

A critical authentication bypass vulnerability (CVE-2025-49825) has been identified in Teleport, an open-source platform used for secure access to infrastructure via SSH, RDP, Kubernetes, and other protocols.

Active Exploitation of CVE-2024-3721 in TBK DVRs Enables Botnet-Driven DDoS Attacks

A critical command injection vulnerability, CVE-2024-3721, in TBK DVR devices is being actively exploited by multiple botnet operators. This flaw enables unauthenticated remote code execution via crafted HTTP requests.

Horabot Unleashed: A Stealthy Phishing Threat

A new phishing campaign leveraging the Horabot malware has been observed targeting Spanish-speaking users in Latin America. Delivered via malicious HTML attachments in phishing emails, Horabot enables lateral propagation through Outlook.

RolandSkimmer: Silent Credit Card Thief Uncovered

FortiGuard Labs recently observed a sophisticated campaign dubbed RolandSkimmer. This threat actor targets users in Bulgaria, leveraging malicious browser extensions across Chrome, Edge, and Firefox.

Fortinet Identifies Malicious Packages in the Wild: Insights and Trends from November 2024 Onward

1,082 packages employed minimal code within a low file count, around 1,052 packages utilized suspicious installation scripts, 1,043 instances lacked repository URLs, and 974 packages contained suspicious URLs for C2 server communication.
