Daily Cybersecurity Roundup, June 19, 2025

Phishing emails remain a favored entry point for cybercriminals, often disguised as legitimate business communications to deceive users, such as in the Serpentine#Cloud campaign, where attackers use invoice-themed .lnk files to deploy Python-based malware via Cloudflare tunnels and gain persistent system access. Meanwhile, North Korea’s BlueNoroff group has adopted deepfake video tactics during Zoom calls, coupled with Telegram-based meeting invites, to distribute macOS malware through spoofed Zoom domains. In parallel, poorly secured MySQL servers—particularly in South Korea—are being actively targeted to deploy a range of malware, including Gh0stRAT, AsyncRAT, XWorm, HpLoader, and Zoho ManageEngine exploits. Continue reading for more cybersecurity news.

01

The Serpentine#Cloud malware campaign has been exploiting Cloudflare tunnels to deploy Python-based malware, using phishing emails with malicious .lnk files disguised as invoices or payment documents to gain persistent access.

02

North Korean BlueNoroff hackers are using deepfake videos during Zoom calls and fake meeting invites sent via Telegram to trick employees into downloading macOS malware from malicious Zoom domains.

03

A Russian state-sponsored threat actor, UNC6293, was found impersonating the U.S. Department of State to target prominent academics and critics of Russia.

04

The Banana Squad threat group has been abusing GitHub repositories to distribute trojanized files. Over 60 GitHub repositories containing hundreds of malicious Python files were discovered.

05

A malware campaign has been targeting Minecraft players through fake mods distributed via the Stargazers Ghost Network on GitHub.

06

Attackers are targeting poorly managed MySQL servers, particularly in South Korea, to install various malware types, including Gh0stRAT, AsyncRAT, XWorm, HpLoader, and Zoho ManageEngine.

07

Researchers identified Amatera Stealer as a rebrand of ACR Stealer with upgraded features, sold via MaaS subscriptions and spread through ClearFake injects, malicious scripts, and fake CAPTCHAs on compromised sites.

08

A newly disclosed vulnerability in Apache Traffic Server (ATS), tracked as CVE-2025-49763, allows attackers to exploit the Edge Side Includes (ESI) plugin to trigger DoS attacks via memory exhaustion.

09

A critical command injection vulnerability, CVE-2024-3721, in TBK DVR devices is being actively exploited by botnets like Mirai, Condi, Fodcha, and Unstable for unauthenticated RCE via crafted HTTP requests.

10

Dublin-based email security platform Mesh Security is being acquired by Bitdefender, a Romanian cybersecurity firm, for an undisclosed sum.