
Daily Cybersecurity Roundup, January 19, 2026

A new wave of malware activity is targeting South Korean users, with Remcos RAT being distributed under the guise of legitimate VeraCrypt installers and gambling-related utilities through web browsers and Telegram channels linked to underground gambling networks. In parallel, threat actors associated with the KongTuke group have rolled out a sophisticated operation dubbed CrashFix, leveraging a malicious browser extension called NexShield. Researchers have also uncovered PDFSIDER, a stealthy malware variant that abuses DLL side-loading to install a backdoor with encrypted command-and-control communications, enabling it to evade endpoint detection controls. Read on for more news.

01. Remcos RAT is targeting South Korean users by masquerading as VeraCrypt installers or illegal gambling–related tools, spreading via web browsers and Telegram within underground gambling ecosystems.

02. Threat actors from the KongTuke group have launched a sophisticated campaign, "CrashFix," using a malicious browser extension named NexShield.

03. Five malicious Chrome extensions were discovered targeting enterprise HR and ERP platforms like Workday, NetSuite, and SuccessFactors. They steal authentication tokens, block incident response, and enable session hijacking.

04. Researchers identified PDFSIDER, a malware variant using DLL side-loading to deploy a backdoor with encrypted C2 capabilities, bypassing endpoint detection mechanisms.

05. Researchers analyzed 57 million logs from a misconfigured DNS-based push notification system, exploiting “lame delegation” to claim abandoned domains and expose deceptive campaigns and scam operations.

06. Researchers discovered and exploited a cross-site scripting (XSS) vulnerability in the web panel of the StealC infostealer, enabling them to gather evidence about its operations.

07. Flaws in Google Vertex AI enable privilege escalation by hijacking Service Agents as “double agents” via two attack paths—Agent Engine tool injection and Ray on Vertex AI.

08. A critical ServiceNow flaw, CVE-2025-12420 (BodySnatcher), lets unauthenticated attackers impersonate any user using only an email address, bypassing MFA and SSO.

09. A critical Windows Kerberos flaw, CVE-2026-20929, allows attackers to abuse DNS CNAME records to relay credentials and bypass NTLM authentication.

10. Hackers are actively exploiting a critical flaw in the Modular DS WordPress plugin (CVE-2026-23550), enabling unauthorized admin access on versions 2.5.1 and earlier and impacting over 40,000 installations.
