
Daily Cybersecurity Roundup, August 19, 2025

Cyber-espionage campaigns continue to intensify worldwide, with North Korea’s Kimsuky group (APT43) mounting a global operation against diplomatic missions and deploying XenoRAT malware to seize system control, steal sensitive data, and conduct surveillance. At the same time, the Noodlophile Stealer is evolving its tactics to target enterprises with large Facebook footprints, distributing spear-phishing emails disguised as copyright infringement notices. Adding to the threat landscape, the popular Chrome extension FreeVPN[.]One, once considered safe, has turned malicious and now functions as spyware that captures screenshots and exfiltrates sensitive user data. Read further for more cybersecurity updates from the last 24 hours.

01

North Korea’s Kimsuky group (APT43) launched a global cyber-espionage campaign against diplomatic missions, using spear-phishing and cloud platforms to deliver XenoRAT malware for system control, data theft, and reconnaissance.

02

The Noodlophile Stealer is targeting enterprises with large Facebook footprints through spear-phishing emails disguised as copyright notices, using reconnaissance-based details and AI-crafted multilingual lures to increase success.

03

A fake ChatGPT desktop app, built from a legitimate open-source tool and laced with hidden malicious code, is delivering the PipeMagic backdoor in ransomware attacks that also exploit the Windows zero-day CVE-2025-29824.

04

Attackers are targeting Indian users by posing as a government electricity subsidy service and distributing Android malware via YouTube videos, phishing sites, and GitHub-hosted APKs to steal financial and personal data.

05

A new threat campaign, "Solana-Scan," targets the Solana cryptocurrency ecosystem with malicious NPM packages containing infostealer malware aimed at Russian crypto developers.

06

The PolarEdge botnet has infected nearly 40,000 IoT and edge devices worldwide, concentrated in South Korea and the U.S., to build operational relay boxes (ORBs) that disguise malicious traffic and enable cyber-espionage.

07

The Chrome extension FreeVPN[.]One, once legitimate, has turned malicious: it secretly captures screenshots and exfiltrates sensitive user data, encrypting the stolen data with AES-256 and wrapping the AES key with RSA before sending it out.

08

Attackers abused Cisco Safe Links, routing phishing URLs through the trusted secure-web.cisco.com domain so that rewritten links appear legitimate; they compromised accounts, leveraged cloud services, and reused still-active Safe Links to launch phishing campaigns.

09

Chinese-speaking threat actors are using Ghost-tapping, an NFC relay fraud method, selling burner phones loaded with stolen card data and custom software that conduct fraudulent mobile wallet payments.

10

Over 800 N-able N-central servers remain unpatched against two critical vulnerabilities (CVE-2025-8875 and CVE-2025-8876) that are being actively exploited. The flaws stem from insecure deserialization and from command injection caused by improper input sanitization, and together they allow attackers to inject and execute commands on the server.
