Daily Cybersecurity Roundup, September 05, 2025

ZIP files remain a favorite tool for cyber attackers, concealing malware behind seemingly harmless archives to infiltrate systems. In a recent campaign, researchers uncovered malicious SVG and SWF files impersonating Colombian authorities, which used hidden JavaScript to create phishing pages and deliver harmful ZIP archives. Meanwhile, NoisyBear, a suspected Russian threat group, targeted Kazakhstan’s oil and gas sector, employing spear-phishing emails with ZIP files that deployed PowerShell scripts and DLL implants for espionage. Adding to the threat landscape, the new NightshadeC2 botnet has emerged, leveraging "UAC Prompt Bombing" to bypass Windows Defender and compromise endpoints. Keep reading for more cybersecurity news.

01

Researchers identified undetected malicious SVGs and SWFs in a malware campaign impersonating Colombian authorities, leveraging hidden JavaScript to create phishing pages and deliver malicious ZIP files.

02

NoisyBear, a suspected Russian threat group, targeted Kazakhstan’s oil and gas sector in the Operation BarrelFire cyber-espionage campaign, using spear-phishing emails with malicious ZIP files that deploy PowerShell tools and DLL implants.

03

The cyber threat actor TAG-150 has been using proprietary malware families—CastleLoader, CastleBot, and CastleRAT—in phishing campaigns and fake repositories to target victims, primarily in the U.S.

04

Hackers use the MeetC2 framework to exploit Google Calendar APIs, disguising malicious traffic as legitimate sync activity to evade detection tools like DLP systems.

05

A new NightshadeC2 botnet has been found using "UAC Prompt Bombing" and multiple C and Python variants with diversified communication methods to evade Windows Defender and compromise endpoints.

06

A newly disclosed Electron vulnerability (CVE-2025-55305) bypasses code integrity checks in Electron-based apps like Signal, 1Password, Slack, and Google Chrome. By tampering with V8 heap snapshots, attackers can inject unsigned code into these applications.

07

Hackers exploited a Sitecore zero-day vulnerability (CVE-2025-53690), caused by reused sample ASP.NET machine keys in legacy deployments, to achieve remote code execution and deploy the WeepSteel malware for reconnaissance.

08

A high-severity TOCTOU vulnerability (CVE-2025-38352) in the Linux kernel’s POSIX CPU timers, actively exploited in the wild, has been added to CISA’s KEV catalog.

09

A recently disclosed macOS vulnerability (CVE-2025-24204) allowed attackers to read any process’s memory because gcore was mistakenly granted elevated permissions in macOS 15.0; the issue was fixed in 15.3.

10

A heap-based buffer overflow vulnerability (CVE-2025-53149) in the ksthunk.sys driver can lead to a non-paged heap overflow due to improper handling of input and output buffers.