Daily Cybersecurity Roundup, July 21, 2025

A surge in cyber threats has emerged across multiple fronts, with researchers uncovering four new Android spyware apps masquerading as VPNs, linked to Iran’s Ministry of Intelligence and the MuddyWater group. At the same time, a newly identified ransomware strain named Crux has surfaced, aligning itself with the BlackByte group. Meanwhile, threat actors behind the PoisonSeed campaign are exploiting cross-device sign-in flows to bypass FIDO key authentication through AitM phishing tactics. Keep reading for more cybersecurity news from the weekend.

01

Four new Android spyware apps linked to Iran’s MOIS and the MuddyWater group have surfaced, disguised as VPNs to steal WhatsApp data, recordings, and sensitive files.

02

Researchers have identified a new ransomware variant named Crux, which claims affiliation with the BlackByte ransomware group.

03

Singapore’s National Security Minister warns that the Chinese group UNC3886 is using zero-day exploits to target critical infrastructure, threatening national security and essential services.

04

A phishing email mimicking a VoIP voicemail notification used a WAV file attachment with a fake message from Veeam Software about an expired backup license, urging recipients to call back.

05

Researchers are tracking attacks on poorly secured Linux servers via SSH, in which attackers deploy the SVF DDoS Bot malware, use Discord as its C&C channel, and route traffic through proxies to launch DDoS attacks.

06

PoisonSeed attackers are bypassing FIDO key authentication via AitM phishing, exploiting cross-device sign-ins by tricking users into scanning malicious QR codes.

07

Microsoft has warned of active zero-day attacks on a newly discovered SharePoint Server vulnerability, urging immediate security updates to protect thousands of business and government systems.

08

Attackers can exploit a versioning error in Microsoft’s AppLocker block list, which sets the MaximumFileVersion to 65355 instead of 65535, allowing malicious files with versions between these values to bypass restrictions.

09

A critical vulnerability (CVE-2025-54309) in CrushFTP servers affects at least 10,000 instances globally, allowing remote attackers to gain admin access via HTTPS.

10

InCorp Advisory, a company specializing in GRC services, has acquired Ken & Co., a niche cybersecurity and digital assurance firm.