Daily Cybersecurity Roundup, November 24, 2025

A powerful new RAT has surfaced, raising the stakes in targeted cyber espionage operations. North Korea-linked Lazarus Group has deployed a new RAT, ScoringMathTea, through its Operation DreamJob campaign to infiltrate UAV companies and steal drone technology tied to Ukraine. At the same time, researchers have uncovered a sophisticated malware operation distributing trojanized apps that impersonate a Korean delivery service, using AI-driven obfuscation and meaningless Korean strings to mask code elements. Adding to the landscape, the Python-based Xillen Stealer has rolled out versions 4 and 5 with expanded capabilities. Keep reading for more news.

01

North Korea-linked Lazarus Group has introduced a new RAT, ScoringMathTea, in its Operation DreamJob campaign to target UAV companies and steal drone technology supporting Ukraine.

02

A sophisticated malware campaign is using AI-driven obfuscation to bypass detection and distribute trojanized apps posing as a Korean delivery service, masking code elements with meaningless Korean strings.

03

China-linked APT31 targeted Russian IT contractors and government integrators, using legitimate services like Yandex Cloud for stealthy C2 communication and data exfiltration.

04

A new C2 platform, Matrix Push C2, is being used by cybercriminals to deliver malware and phishing via browser-native, fileless techniques, leveraging push notifications, fake alerts, and redirects to target users across operating systems.

05

The Python-based Xillen Stealer has released versions 4 and 5, adding broader targeting and new capabilities including persistence, credential theft across password managers and social platforms, browser data collection, Kubernetes and Docker scanning, and EDR evasion.

06

North Korean APTs Kimsuky and Lazarus are collaborating on advanced global campaigns, with Kimsuky conducting reconnaissance through phishing, while Lazarus exploits zero-day vulnerabilities for cryptocurrency theft and data exfiltration across the military, financial, blockchain, energy, and healthcare sectors.

07

Researchers abused WhatsApp’s contact-discovery API to test 63 billion numbers and identify 3.5 billion active accounts, exposing profile photos and “about” texts, with India leading at 749 million users.

08

Grafana Labs addressed a critical security flaw (CVE-2025-41115) in its SCIM provisioning feature that could allow attackers to escalate privileges or impersonate users.

09

A critical vulnerability in Azure Bastion (CVE-2025-49752) allows attackers to bypass authentication and escalate privileges to administrative levels with a single network request.

10

A high-severity command injection vulnerability (CVE-2025-64756) has been discovered in the CLI of glob, a widely used Node.js package; it allows remote code execution when filenames are attacker-controlled.