Daily Cybersecurity Roundup, December 05, 2025

It turns out you don’t need a spy novel to find a “Russian Ruse”; cybercriminals are already writing their own plot twists. The Chinese APT group Silver Fox is disguising itself with faux Russian cues in an SEO poisoning campaign. Meanwhile, South Korean systems are being hit by a stealthy USB-based malware campaign using a newly identified CoinMiner variant. Adding to the threat landscape, new data from SpyCloud shows a 400% year-over-year spike in phishing incidents. Keep reading for more news.

01. The Chinese APT group Silver Fox is using a "Russian Ruse" in an SEO poisoning campaign to distribute the ValleyRAT malware through a fake Microsoft Teams application.

02. A sophisticated malware campaign in South Korea is spreading via compromised USB drives, using a new strain of CoinMiner called PrintMiner to evade detection while mining Monero cryptocurrency.

03. China-nexus cyber threat groups, including Earth Lamia and Jackpot Panda, are rapidly exploiting the critical React2Shell vulnerability (CVE-2025-55182) for unauthenticated remote code execution in React Server Components.

04. A new Windows-based malware called Sryxen is capable of stealing sensitive data such as browser credentials, Discord tokens, VPN details, and crypto wallets while bypassing Chrome's App-Bound Encryption (ABE) protections.

05. An advanced version of the Android spyware ClayRat is abusing Accessibility Services for keylogging, screen recording, and fake notifications to steal sensitive data like PINs and passwords while concealing its activity.

06. Operation DupeHike, tracked under the cluster UNG0902, is targeting Russian corporate HR with a bonus lure that delivers the DUPERUNNER implant and AdaptixC2 malware via process injection.

07. A new scam called ghost-tapping targets tap-to-pay mobile apps and NFC-enabled cards, with scammers using handheld NFC readers to initiate fraudulent contactless transactions.

08. SpyCloud data reveals a 400% year-over-year surge in phishing attacks, with corporate users three times more likely to be targeted by phishing than by infostealer malware.

09. Akamai fixed an HTTP Request Smuggling vulnerability (CVE-2025-66373) in its edge servers, which could have allowed attackers to bypass security controls or hijack sessions.

10. Threat actors, including the cluster Storm-2603, are weaponizing the legitimate Digital Forensics and Incident Response (DFIR) tool Velociraptor to establish stealthy C2 and deliver Warlock ransomware.