
Daily Cybersecurity Roundup, April 28, 2025

Malware never sleeps, and neither do the cybercriminals behind it. One recent instance is that of ToyMaker, who has been leveraging a custom malware strain called LAGTOY, designed to scan for system vulnerabilities and remotely execute commands on compromised networks. Meanwhile, cybercriminals are circulating a revamped version of the HiddenMiner malware across dark web marketplaces. In other news, security researchers have identified a sophisticated multi-stage card skimming operation targeting Magento-based eCommerce websites. Explore more of the weekend’s top cybersecurity events below.


01

ToyMaker, an initial access broker, has been handing off access to ransomware groups such as CACTUS for double extortion attacks. The group uses a custom malware strain, LAGTOY, to scan for vulnerabilities and execute commands on infected systems.

02

A modified version of HiddenMiner malware is being sold on dark web forums with capabilities such as virtual machine bypass, no admin rights requirement, rootkit-level stealth, antivirus blocking, and auto-download on startup.

03

Researchers uncovered a cyberattack involving SocGholish malware linked to RansomHub affiliates, where the infection chain started with a compromised WordPress site prompting users to update Microsoft Edge.

04

Researchers have discovered a multi-stage card skimming attack on a Magento eCommerce website that used a fake GIF image file and a malicious reverse-proxy server to steal sensitive data.
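A first check a practitioner would run after reading about the fake image file above is to look for files in the web root whose bytes do not match the image format their extension claims. The scanner below is an added example written for this page, not code from the researchers or from Magento; it assumes the dropped file keeps a .gif extension but lacks a GIF header, and it additionally flags image-named files that carry a PHP open tag (an assumption about how such a fake image would be used, not something the summary states). The sample web root it builds is constructed for the demo.

```python
"""Flag image-named files whose content does not match their extension.

Added example, not part of the original roundup or the cited research.
Assumptions: a skimmer drop keeps an image extension (.gif here) but is
not a real image, and may contain a PHP open tag. Both are assumptions.
"""
import os
import tempfile

# Well-known format signatures expected at offset 0 for each extension.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags; a real image should never contain these.
PHP_TAGS = (b"<?php", b"<?=")


def classify(path):
    """Return None if the file looks like what its extension claims,
    otherwise a comma-separated list of reasons it is suspicious."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None  # not an image extension we check
    with open(path, "rb") as f:
        data = f.read()
    reasons = []
    if not any(data.startswith(m) for m in MAGIC[ext]):
        reasons.append("bad magic")
    if any(tag in data for tag in PHP_TAGS):
        reasons.append("php tag")
    return ", ".join(reasons) or None


def scan(root):
    """Walk root and return {relative_path: reason} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            reason = classify(p)
            if reason:
                findings[os.path.relpath(p, root).replace(os.sep, "/")] = reason
    return findings


def demo():
    """Constructed sample web root: one genuine GIF header, one fake
    GIF that is really a PHP file (stand-in for a skimmer loader)."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "media")
    os.makedirs(media)
    with open(os.path.join(media, "logo.gif"), "wb") as f:
        f.write(b"GIF89a" + b"\x00" * 32)
    with open(os.path.join(media, "banner.gif"), "wb") as f:
        f.write(b"<?php /* constructed stand-in, does nothing */ ?>")
    return scan(root)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Point `scan()` at the store's media and static directories; anything reported with "bad magic" deserves a manual look even when no PHP tag is present, since the check cannot tell a corrupted upload from a deliberately disguised file.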

05

Hackers are actively exploiting two critical vulnerabilities, CVE-2024-58136 and CVE-2025-32432, in Craft CMS. Researchers have identified approximately 13,000 vulnerable instances, with nearly 300 potentially compromised.

06

A new iOS vulnerability related to Darwin notifications has been discovered, which can be exploited to cause a DoS attack on iPhones.

07

React Router, a widely used library for navigation in React applications, has addressed two vulnerabilities, CVE-2025-43864 and CVE-2025-43865, which allowed attackers to spoof content, alter data values, and perform cache-poisoning attacks.

08

Three critical vulnerabilities in the IXON VPN client, currently tracked under the placeholder identifiers CVE-2025-ZZZ-01, CVE-2025-ZZZ-02, and CVE-2025-ZZZ-03, affect both Windows and Linux systems and allow attackers to escalate privileges, putting the industrial systems the client is used to reach at risk.

09

Cybersecurity firm Palo Alto Networks announced the acquisition of Protect AI, a cybersecurity company focused on AI & ML systems.

10

Endor Labs secured a $93 million Series B funding round, led by DFJ Growth, with participation from Salesforce Ventures, Lightspeed Venture Partners, Dell Technologies Capital, and others.
