Daily Cybersecurity Roundup, November 19, 2025

The threat landscape continues to shift quietly but steadily, with attackers introducing new techniques and refining their methods across different platforms. A new .NET malware strain is leveraging steganography to hide Lokibot payloads inside PNG and BMP files. Meanwhile, macOS users face the emerging “Nova” campaign, which swaps legitimate Ledger and Trezor apps with convincing phishing lookalikes to steal crypto wallets. Adding to the picture, Beazley Security reports a sharp rise in ransomware attacks in Q3 2025, with Akira, Qilin, and INC Ransomware collectively driving 65% of incidents. Keep reading for more.

01

New .NET malware uses steganography to embed Lokibot payloads in PNG/BMP files, bypassing detection. The updated loader variant includes detection-evasion modules and is distributed disguised as business correspondence to trick victims.

02

The new macOS malware campaign “Nova” targets cryptocurrency wallets by replacing legitimate Ledger and Trezor apps with phishing clones.

03

New ShadowRay 2.0 attacks exploit an old vulnerability in Ray Clusters to create a self-propagating cryptomining botnet. The campaign also involves data theft, DDoS attacks, and uses AI-generated payloads for advanced execution.

04

The Sneaky 2FA Phishing-as-a-Service (PhaaS) kit integrates Browser-in-the-Browser (BitB) functionality to simulate legitimate login pages and steal Microsoft account credentials.

05

As per Beazley Security, ransomware attacks surged in Q3 2025, with Akira, Qilin, and INC Ransomware groups responsible for 65% of cases. Initial access was most commonly achieved through compromised VPN credentials, accounting for 48% of breaches.

06

Attackers are exploiting WhatsApp’s screen-sharing feature, impersonating trusted entities and tricking victims into sharing their screens or installing remote access tools, leading to financial theft and data breaches.

07

Scammers are sending fake Digital Millennium Copyright Act (DMCA) notices to steal user credentials from the social media platform X. The phishing emails pressure users to act within 24 hours, leading them to a fake login page.

08

SolarWinds patched three critical vulnerabilities in its Serv-U software that allow remote code execution (RCE) with administrator privileges. The flaws include logic abuse (CVE-2025-40547), broken access control (CVE-2025-40548), and a path restriction bypass (CVE-2025-40549).

09

A critical vulnerability in the AI-Bolit component of Imunify security products allows arbitrary code execution and root privilege escalation, risking millions of servers worldwide.

10

IBM released patches for four critical vulnerabilities in AIX and VIOS systems, with CVE-2025-36250 being the most severe. These vulnerabilities allow unauthenticated remote attackers to execute arbitrary commands and steal sensitive credentials.