
Daily Cybersecurity Roundup, April 01, 2025

It starts with a ZIP file and ends with your credentials gone. The latest version of KoiLoader arrives via phishing email and delivers Koi Stealer to harvest data. A new Android trojan, TsarBot, targets over 750 apps across multiple platforms, using overlays and permissions abuse to steal sensitive info right from under users' thumbs. In other news, Operation HollowQuill is reading more than research papers. This espionage campaign is using booby-trapped PDFs to target Russian academic and defense networks, slipping in Cobalt Strike beacons under the guise of legitimate documents. Read on for more. 

01

Researchers discovered a new version of KoiLoader malware, which is used to establish C&C and deploy Koi Stealer, initiated through a phishing email with a deceptive ZIP attachment.

02

A new Android banking trojan, TsarBot, has been discovered, targeting over 750 applications including banking, finance, cryptocurrency, and social media platforms.

03

Threat actors are hiding malicious code in the mu-plugins directory of WordPress websites, which is loaded automatically without appearing in the plugin list. Three kinds of malware were found there: a fake-update redirect, a webshell, and a spam injector.
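Because WordPress executes every top-level PHP file in `wp-content/mu-plugins` without listing it as an activatable plugin, that directory deserves a periodic audit. The following Python script is an added example (not code from the article summarised above or from WordPress itself): it walks a mu-plugins directory, flags any non-PHP file, and reports generic indicators that the three categories mentioned share, such as obfuscation wrappers, dynamic code execution fed from request parameters, and unconditional redirects. The directory, file names and file contents it scans are constructed for the demonstration; the pattern list is a heuristic starting point, not a signature set.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators often seen in obfuscated PHP droppers, webshells and
# redirect/spam injectors. These are generic patterns chosen for the example,
# not signatures taken from the incident the roundup summarises.
SUSPICIOUS_PATTERNS = {
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "dynamic_exec": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|curl_exec)\s*\(\s*['\"]?https?://", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "raw_request_exec": re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[[^\]]+\]\s*\)", re.I),
}


def scan_mu_plugins(mu_plugins_dir):
    """Return a list of (relative_path, [indicator names]) for every file that
    looks suspicious. Non-.php files are reported as well: only PHP belongs in
    mu-plugins, and anything else there is at least worth a look."""
    findings = []
    root = Path(mu_plugins_dir)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        hits = []
        if path.suffix.lower() != ".php":
            hits.append("non_php_file")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            hits.append("unreadable")
            text = ""
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                hits.append(name)
        if hits:
            findings.append((rel, hits))
    return findings


def build_sample_dir():
    """Constructed sample mu-plugins tree for the demonstration. The files are
    harmless stand-ins that only mimic the shape of the three malware types."""
    d = tempfile.mkdtemp(prefix="mu-plugins-")
    # A legitimate must-use plugin: should produce no findings.
    Path(d, "legit-helper.php").write_text(
        "<?php\n// harmless must-use plugin\n"
        "add_filter('the_content', function ($c) { return $c; });\n")
    # Fake-update redirect: sends visitors elsewhere unless they are admins.
    Path(d, "update-check.php").write_text(
        "<?php\nif (!is_admin()) { header('Location: https://example.invalid/update'); exit; }\n")
    # Webshell-style loader: executes whatever arrives in a POST parameter.
    Path(d, "wp-cache.php").write_text(
        "<?php\n@eval(base64_decode($_POST['c']));\n")
    # Stray non-PHP file.
    Path(d, "readme.txt").write_text("nothing here\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for rel, hits in scan_mu_plugins(sample):
        print(f"{rel}: {', '.join(hits)}")
```

On a real site, point `scan_mu_plugins` at `wp-content/mu-plugins` and compare the output with the files you expect to be there; anything that hits `dynamic_exec` together with `raw_request_exec` is the pattern a webshell leaves and merits immediate review, while a lone `redirect` hit is what the fake-update case looks like.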

04

Cado Security Labs has discovered a new Python-based RAT called Triton RAT, which uses Telegram for remote system access and data exfiltration. It detects "blacklisted" processes linked to debugging tools or antivirus software.

05

Apple has released patches for two zero-day vulnerabilities, CVE-2025-24201 and CVE-2025-24200, across its older iOS and iPadOS versions.

06

The EU has announced a €1.3 billion ($1.4 billion) investment to fund cybersecurity and AI projects from 2025 to 2027 as part of the Digital Europe Programme (DIGITAL).

07

Operation HollowQuill, a sophisticated cyber-espionage campaign, targets academic, governmental, and defense-related networks in Russia using malicious PDFs to deliver Cobalt Strike malware.

08

A vulnerability chain found in Kentico Xperience 13 allows an attacker to escalate from an XSS vulnerability to full RCE on a target install. The vulnerabilities were patched in version 13.0.178.

09

A significant increase in suspicious login scanning activity targeting Palo Alto Networks GlobalProtect VPN gateways has been noted, with nearly 24,000 unique IP addresses involved.

10

Cybercriminals are increasingly using lookalike domains to run targeted email scams. Such domains are hard to spot at a glance and let attackers aim at a wider range of organizations and individuals.
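Lookalike domains are hard to detect by eye, but a mail gateway or SIEM rule can catch the common constructions mechanically. The Python snippet below is an added example, not code from the article above or from any vendor: it folds a sender domain through a small confusable table (digits and letter pairs that imitate other letters, plus punycode and accented characters), then compares the registrable part against a trusted list by edit distance, and separately checks whether a trusted brand name is embedded in an unrelated domain. The trusted domains, the confusable table, and the sample senders are constructed for the demonstration, and the registrable-domain logic is simplified to the last two labels, which is enough for the `.com`/`.net` samples here but would need a public-suffix list in production.

```python
import re
import unicodedata

# Constructed trusted list: the domains our own mail legitimately comes from.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

# Constructed, deliberately small confusable table. Single characters first,
# then multi-character pairs that render like a single letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain):
    """Fold a domain into the form a reader perceives: decode punycode,
    strip accents, and replace look-alike characters."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode or not valid IDNA; keep as-is
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(CONFUSABLES)
    for src, dst in MULTI_CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Simplified registrable domain: last two labels. A real deployment should
    consult the public suffix list instead."""
    return ".".join(domain.split(".")[-2:])


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unrelated'."""
    raw = domain.strip().lower().rstrip(".")
    if registrable(raw) in trusted:
        return "trusted"  # exact match on the real registrable domain
    norm = normalize(raw)
    reg = registrable(norm)
    # Labels of the folded domain, split on dots and hyphens, so that
    # "secure-example.com" and "example.com.login.net" both expose "example".
    labels = set(norm.split(".")) | set(re.split(r"[.-]", norm))
    for t in sorted(trusted):
        t_norm = normalize(t)
        # 1. Homoglyph or one-character typo of the registrable domain.
        if levenshtein(reg, t_norm) <= 1:
            return f"lookalike:{t}"
        # 2. Trusted name used as a label inside a different registrable domain.
        if t_norm.split(".")[0] in labels:
            return f"lookalike:{t}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, including a punycode form built on the fly.
    samples = ["Example.com", "mail.example-bank.com", "examp1e.com", "exarnple.com",
               "secure-example.com", "example.com.login-portal.net",
               "exämple.com".encode("idna").decode("ascii"), "unrelated.org"]
    for s in samples:
        print(f"{s:40} -> {classify_sender_domain(s)}")
```

The embedded-label check trades precision for recall: a brand name that is also a common word will flag unrelated senders, so in practice it belongs in an alerting tier rather than a blocking one, while the edit-distance check on the registrable domain is tight enough to quarantine on.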
