The University of Pennsylvania has confirmed that a hacker stole sensitive university data during a recent cyberattack. The breach, first detected on October 31, 2025, resulted in unauthorized access to systems connected to the university’s development and alumni activities. Initially, the University of Pennsylvania dismissed reports of a hack as “fraudulent.” However, officials later acknowledged that data was indeed taken. In a statement released to alumni and shared publicly, the university explained that staff “rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.”

The University of Pennsylvania Breach and Attack Details

The attackers gained access through social engineering, a technique that deceives individuals into revealing their credentials. Once inside, the hackers sent a mass email from official university addresses. The email read: “We got hacked. We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.”

According to reports, the hackers compromised a PennKey single sign-on account, which gave them access to multiple internal systems, including the university’s VPN, Salesforce databases, SAP systems, and SharePoint files. This access reportedly lasted nearly two days, from October 30 to October 31, before it was detected and contained.

An internal source revealed that the university requires multi-factor authentication (MFA) for student, staff, and alumni accounts as a security measure. However, some senior officials were allegedly granted exemptions from the MFA requirement. When asked about the MFA exemptions or adoption rates, a university spokesperson declined to comment beyond the official data incident page.

Scope of the Data Theft

While the full scope of the data breach remains unclear, reports suggest that as many as 1.2 million records may have been compromised. The stolen data reportedly includes names, contact details, donation records, estimated net worth, and demographic information such as race, religion, and sexual orientation. The hacker also claimed to have accessed documents related to donor activities and bank transaction receipts.

Although the university is still assessing the damage, officials confirmed that medical systems operated by Penn Medicine were not affected. As required by law, the university will contact individuals whose personal data was compromised, though no timeline has been announced.

Investigation and Legal Fallout

The University of Pennsylvania has reported the incident to the Federal Bureau of Investigation (FBI) and enlisted third-party cybersecurity experts to assist in the investigation. Despite these actions, the university is already facing potential legal consequences: at least one class-action lawsuit has been filed by former students, accusing the university of negligence in protecting personal data.

The hackers’ motivations appear mixed. In the initial message to the university community, the attackers criticized legacy admissions and affirmative action policies, stating, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” However, further statements from the group indicate that their primary motive was financial, aiming to profit from the stolen data rather than to make a political statement.
Cisco has issued an urgent security advisory detailing two critical vulnerabilities affecting its Unified Contact Center Express (Unified CCX) platform. The flaws, identified as CVE-2025-20354 and CVE-2025-20358, could allow unauthenticated remote attackers to execute arbitrary code, bypass authentication, and potentially gain root-level access to affected systems.

The vulnerabilities were disclosed in the advisory cisco-sa-cc-unauth-rce-QeN8h7mQ, published on November 5, 2025, at 16:00 GMT. Cisco has classified both flaws as critical, with CVSS base scores of 9.8 and 9.4, respectively. According to the company, no workarounds currently exist, making software updates the only effective remediation.

Details of the Vulnerabilities: CVE-2025-20354 and CVE-2025-20358

Cisco confirmed that the issues reside within the Java Remote Method Invocation (RMI) process and the CCX Editor components of Unified CCX. The two vulnerabilities are independent: neither needs to be exploited before the other can be used.

CVE-2025-20354 is a remote code execution vulnerability stemming from improper authentication mechanisms within certain Unified CCX features. It allows an unauthenticated, remote attacker to upload arbitrary files and execute commands with root privileges. An attacker could exploit this flaw by sending a crafted file through the Java RMI process, effectively taking full control of the underlying operating system. This vulnerability, tracked under Cisco Bug ID CSCwq36528, received a CVSS score of 9.8, placing it among the highest severity levels. Cisco warned that successful exploitation could lead to complete system compromise, including the ability to elevate privileges to root.

The second flaw, CVE-2025-20358, affects the CCX Editor application. This authentication bypass vulnerability arises from weaknesses in how the CCX Editor communicates with the Unified CCX server. An attacker could manipulate this process by redirecting authentication to a malicious server, deceiving the system into accepting unauthorized access. If successfully exploited, this vulnerability could enable an attacker to create and execute arbitrary scripts within the affected environment using an internal non-root account. Although this vulnerability is slightly less severe than the RCE flaw, its CVSS score of 9.4 still categorizes it as critical. The issue is documented under Cisco Bug ID CSCwq36573.

Impacted Products and Workarounds

Cisco stated that all versions of Unified CCX are vulnerable, regardless of device configuration. The company confirmed that its Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE) products are not affected by CVE-2025-20354 or CVE-2025-20358.

Cisco’s advisory noted that no workarounds or temporary mitigations are available for these vulnerabilities. The company strongly urges all customers to apply the newly released software updates as the only permanent solution. To fully remediate the flaws, Cisco recommends upgrading to the following fixed releases:

- Unified CCX 12.5 SU3 ES07 (and earlier versions)
- Unified CCX 15.0 ES01

The Cisco Product Security Incident Response Team (PSIRT) validated the fixed versions and confirmed that these are the earliest builds containing the necessary patches.

No Known Exploitation Yet

As of publication, Cisco’s PSIRT reported no evidence of public exploitation or malicious activity related to CVE-2025-20354 or CVE-2025-20358. However, given the critical nature and remote attack vector of these vulnerabilities, security experts warn that exploitation attempts could surface soon after disclosure.

Cisco credited security researcher Jahmel Harris for responsibly reporting the issues. The company’s acknowledgment reinforces the importance of coordinated vulnerability disclosure in protecting enterprise environments from high-impact cyber threats.
A newly disclosed security flaw in the Amazon WorkSpaces client for Linux has raised serious concerns across organizations relying on AWS virtual desktop infrastructure. The vulnerability, identified as CVE-2025-12779, enables local attackers to extract valid authentication tokens and gain unauthorized access to other users’ WorkSpace sessions.

On November 5, 2025, AWS issued a formal security bulletin, AWS-2025-025, detailing the issue and urging immediate remediation. The bulletin categorized the flaw as “Important (requires attention)” and warned users that improper token handling in specific client versions could expose sensitive credentials on shared systems.

CVE-2025-12779 Vulnerability Details and Impact

According to the advisory, the vulnerability affects the Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8. These versions mishandle authentication tokens used in DCV-based WorkSpaces, potentially leaving them accessible to other local users on the same client machine. Under the right conditions, a malicious local user could retrieve these tokens and establish unauthorized access to another individual’s virtual desktop session.

In its official statement, AWS noted: “Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace.”

The issue stems from improper token management within the affected client versions. When deployed in multi-user or shared Linux environments, these tokens may remain accessible to other users on the system. This creates a direct path for attackers to exploit the weakness and impersonate legitimate users.

Once a valid token is obtained, an attacker can connect to the victim’s WorkSpace as an authenticated user, bypassing standard access controls. Because the session would appear legitimate, traditional network-based intrusion detection tools might fail to detect the compromise. This allows an attacker to maintain persistent access to sensitive applications, data, and system resources hosted within the virtual environment.

The CVE-2025-12779 flaw highlights a critical risk in desktop virtualization environments where shared systems or contractor workstations are common. Unlike remote exploits that target network vulnerabilities, this issue operates at the local level.

AWS Response and Patch Availability

AWS confirmed that the problem has been resolved in the Amazon WorkSpaces client for Linux version 2025.0. Users are strongly advised to upgrade to version 2025.0 or newer as soon as possible. The updated client can be downloaded directly from the Amazon WorkSpaces Client Download page. Furthermore, AWS announced the end of support for the affected client versions, effectively requiring all organizations to transition to the patched release.

Security teams are urged to audit their current deployments to identify any instances still running versions 2023.0 through 2024.8. Immediate upgrades should be prioritized for environments where multiple users share access to the same Linux systems.

In addition to updating software, organizations are encouraged to review access logs for signs of unauthorized token extraction or abnormal login activity during the period when the vulnerability was active. This step is critical for detecting potential breaches that may have already occurred before the patch was applied.
AI malware may be in the early stages of development, but it's already being detected in cyberattacks, according to new research published this week. Google researchers looked at five AI-enabled malware samples - three of which have been observed in the wild - and found that the malware was often lacking in functionality and easily detected. Nonetheless, the research offers insight into where the use of AI in threat development may go in the future.

“Although some recent implementations of novel AI techniques are experimental, they provide an early indicator of how threats are evolving and how they can potentially integrate AI capabilities into future intrusion activity,” the researchers wrote.

AI Malware Includes Infostealers, Ransomware and More

The AI-enabled malware samples included a reverse shell, a dropper, ransomware, a data miner and an infostealer. The researchers said malware families like PROMPTFLUX and PROMPTSTEAL are the first to use Large Language Models (LLMs) during execution.

“These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand, rather than hard-coding them into the malware,” they said. “While still nascent, this represents a significant step toward more autonomous and adaptive malware.”

“[A]dversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations,” they added. “This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.”

However, the new AI malware samples are only so effective. Checking the hashes provided by Google on VirusTotal, all of the samples were detected by roughly a third or more of security tools, and two of them were detected by nearly 70% of security tools.

AI Malware Samples and Detection Rates

The reverse shell, FRUITSHELL (VirusTotal), is a publicly available reverse shell written in PowerShell that establishes a remote connection to a command-and-control (C2) server and enables a threat actor to launch arbitrary commands on a compromised system. “Notably, this code family contains hard-coded prompts meant to bypass detection or analysis by LLM-powered security systems,” the researchers said. It was detected by 20 of 62 security tools (32%), and has been observed in threat actor operations.

The dropper, PROMPTFLUX (VirusTotal), was written in VBScript and uses an embedded decoy installer for obfuscation. It uses the Google Gemini API for regeneration, prompting the LLM to rewrite its source code and saving the new version to the Startup folder for persistence, and it attempts to spread by copying itself to removable drives and mapped network shares. Google said the malware appears to still be under development, as incomplete features are commented out and the malware limits its Gemini API calls. “The current state of this malware does not demonstrate an ability to compromise a victim network or device,” they said. The most interesting feature of PROMPTFLUX may be its ability to periodically query Gemini to obtain new code for antivirus evasion. “While PROMPTFLUX is likely still in research and development phases, this type of obfuscation technique is an early and significant indicator of how malicious operators will likely augment their campaigns with AI moving forward,” they said. It was detected by 23 of 62 tools (37%).

The ransomware, PROMPTLOCK (VirusTotal), is a proof-of-concept cross-platform ransomware written in Go that was developed by NYU researchers. It uses an LLM to dynamically generate malicious Lua scripts at runtime, and is capable of filesystem reconnaissance, data exfiltration, and file encryption on Windows and Linux systems. It was detected by 50 of 72 security tools on VirusTotal (69%).

The data miner, PROMPTSTEAL (VirusTotal), was written in Python and uses the Hugging Face API to query the LLM “Qwen2.5-Coder-32B-Instruct” to generate Windows commands for gathering system information and documents. The Russian threat group APT28 (Fancy Bear) has been observed using PROMPTSTEAL, which the researchers said is their “first observation of malware querying an LLM deployed in live operations.” It was detected by 47 of 72 security tools (65%).

The infostealer, QUIETVAULT (VirusTotal), was written in JavaScript and targets GitHub and NPM tokens. The credential stealer uses an AI prompt and AI CLI tools to look for other potential secrets and exfiltrates files to GitHub. It has been observed in threat actor operations and was detected by 29 of 62 security tools (47%).

The full Google report also looks at advanced persistent threat (APT) use of AI tools, and includes this interesting comparison of malicious AI tools such as WormGPT:

Comparison of malicious AI tools (Google)
“We’ve hacked your computer! Send money to the specified account, or all your photos will be posted online”. You or someone you know has probably encountered an email with this kind of alarming message. We’re here to offer some reassurance: nearly every blackmail email we’ve ever seen has been a run-of-the-mill scam. Such messages, often using identical text, are sent out to a massive number of recipients. The threats described in them typically have absolutely no basis in reality. The attackers send these emails out in a “spray and pray” fashion to leaked email addresses, simply hoping that at least a few recipients will find the threats convincing enough to pay the “ransom”.

This article covers which types of spam emails are currently prevalent in various countries, and explains how to defend yourself against email blackmailers.

Classic scams: hacks, sextortion, and “your money or your life”

Classic scam emails may vary in their content, but their essence always remains the same: the blackmailer plays the role of a noble villain, allowing the victim to walk away unharmed if they transfer money (usually cryptocurrency). To make the threat more believable, attackers sometimes include some of the victim’s personal data in the email, such as their full name, tax ID, phone number, or even their physical address. This doesn’t mean you’ve actually been hacked — more often than not, this information is sourced from leaked databases widely available on the dark web.

The most popular theme among email blackmailers is a “hack” where they claim to have gained full access to your devices and data. Within this theme, there are three common scenarios:

- The attacker is concise and gets straight to the point: they state the exact amount of money you need to transfer to prevent your private information from becoming public.
- Detailed and dramatic emails: these elaborate spam emails contain a wealth of detail about the malware the attacker allegedly used to infect the recipient’s device, and the types of data they’ve accessed. This usually includes everything at once: the PC itself, the mouse, the webcam, and the keyboard. Sometimes, the scammers even graciously advise you to change your passwords regularly and avoid clicking on unknown links in the future to prevent unpleasant situations. On this point we actually agree with their recommendations.
- The specific details of the “hacker attack” and the attacker’s demands are omitted from the email body. Instead, the recipient is prompted to find this information by clicking a link to a website. Scammers use this tactic to bypass email spam filters.

Blackmailers also don’t shy away from the topic of adult content. Typically, they simply intimidate the victim with threats that everyone will find out what kind of explicit content they’ve allegedly been viewing. Some attackers go further — they claim to have gained access to the person’s webcam and recorded intimate activity while simultaneously screen-recording their PC. The price of their silence starts at several hundred dollars in cryptocurrency. Crucially, these blackmailers intentionally try to isolate the victim by telling them not to report the email to law enforcement or loved ones, and claiming that doing so will immediately trigger the threats. By the way, safe and private viewing of adult content is a challenge unto itself, but we’ve covered that in Watching porn safely: a guide for grown-ups.

A scammer threatens to publish a victim’s intimate videos and demands cryptocurrency

Perhaps the most extreme form of email blackmail involves death threats. Naturally, such an email would make anyone uneasy, and many people become genuinely worried for their own safety. The noble hitman, however, is always willing to spare the victim’s life if they can “outbid the one who ordered the hit”.
“You have 72 hours left to live.” The blackmailer suggests not involving the police and simply paying off “the one who ordered the hit” instead

You’ve been served: law enforcement impersonation scams in Europe

Besides legends of “noble hackers” and “hitmen” who immediately offer a way out for a hefty fee, there are longer, more elaborate scams. In these attacks, scammers pose as law enforcement officers. They don’t ask for money right away, as that would arouse suspicion. Instead, the victim receives a “summons” accusing them of committing a serious, often highly delicate crime. This typically involves allegations of distributing pornography (including child pornography), of pedophilia, human trafficking, or even indecent exposure. The “evidence” isn’t pulled out of thin air, but supposedly taken directly from the victim’s computer, to which the “special services” have gained “remote access”.

Spam blackmail targeting users in France

The document is designed to instill absolute terror: it includes a threat of arrest and a large fine, a signature with a seal, an official address, and names of high-ranking prosecutors. The scammers demand that the victim promptly make contact via the email address provided in the message to offer an explanation — then, perhaps, the charges will be dropped. If the victim fails to respond, they’re threatened with arrest, registration on a list of sex offenders, and having their “file” passed to the media. When the terrified victim contacts the attackers, the scammers then offer to “pay a fine” for an “out-of-court settlement of the criminal case” — a case that, of course, doesn’t exist.

Scammers once again accuse victims of viewing child pornography

These types of emails are sent under the guise of coming from major law enforcement organizations like Europol. They’re most frequently addressed to residents of France, Spain, the Czech Republic, Portugal, and other European countries. They also share a curious feature: typically, the subject line and the body of the email are quite brief, with the entire fraudulent case being laid out in attached documents. Reminder: we can’t stress this enough — never open email attachments if you don’t know or trust the sender! And to ensure that malicious and phishing emails don’t even reach your inbox, use a reliable protective solution.

Authority scams in CIS countries

The “law enforcement theme” is also prevalent in CIS (former-Soviet-Union) countries. In 2025, scammers circulated “Summons for Criminal Investigation” alleging the initiation of a criminal case. This was supposedly issued by the Russian Ministry of Internal Affairs in collaboration with such fantastic units as “Russian Interpol” and the “Bureau of Investigation Against Organized Crime”. According to the fictional narrative, a certain “National Center for the Analysis of Child Pornography and Exhibitionism Images” had seized computers somewhere and determined that the recipient’s IP address was used to “access inappropriate and pornographic websites”. Of course, a quick online search will reveal that none of the organizations mentioned in that email have ever officially existed in Russia.

The “Director of the Police Criminal Investigation Department” will, for added persuasiveness, write in ALL CAPS, and sign their name with an English transliteration

In another similar email, the recipient, at the behest of the head of the “Russian Federal Bureau of Investigation (FBI)”, supposedly became a person of interest to a certain “International Criminal Police Organization — Interpol of the Federal Police of Russia”. (We should clarify that no law enforcement agencies with even remotely similar names have ever existed in Russia.) In the email, the attackers refer to a “Cybercrime Act in accordance with the Crimes Act of 1900 (sic!) from 245RU(2)” — laws so secret that apparently no legal expert knows they exist. Moreover, the message, sent from a generic Gmail address, is supposedly from the Minister of Internal Affairs himself. However, in the attached summons, he is referred to as the “Commissioner of the Federal Police of the Russian Federation” — likely a clumsy translation from English.

The scam email from the non-existent “Russian Federal Bureau of Investigation” is signed by none other than the Minister of Internal Affairs

Similar scam emails also reach residents of Belarus, arriving in both Russian and Belarusian. The victims are supposedly being pursued by multiple agencies simultaneously: the Ministry of Internal Affairs and Ministry of Foreign Affairs of Belarus, the Militsiya of the Republic of Belarus, and a certain “Main Directorate for Combating Cybercrime of the Minsk City Internal Affairs Directorate for Interpol in Belarus”. One might assume that the email recipient is the country’s most wanted villain, being hunted by the “cyberpolice” itself. In the summons, the blackmailers cite non-existent laws, and threaten to add the victim to a fictitious “National Register of Underage (sic!) Sexual Offenders” — a clear machine translation failure — and, of course, request an urgent reply to the email.

An email from the non-existent cyberpolice of Belarus

In another campaign, attackers sent emails in the name of the real State Security Committee of Belarus. However, they referenced a fake law and contacted the accused at the behest of the President of Europol — never mind that Europol doesn’t have a President, and the name of the real executive director is completely different.

Another scam campaign in Belarusian

In addition to sex crimes, citizens of Belarus are also accused of “repeated use of necrotic (sic!) and psychotropic drugs”. In these emails, the attackers claim to be from the DEA — the U.S. Drug Enforcement Administration. Why a U.S. federal agency would be interested in Belarusian citizens remains a mystery.
The scammers failed to realize that the law enforcement body in Belarus is called the “militsya” (militia) rather than “politsya” (police)

Identifying scam emails

As you can see from the examples above, the majority of these scam emails appear highly implausible — and yet they still find victims. That said, with scammers increasingly adopting AI tools, it’s reasonable to expect a significant improvement in both the text quality and design of these fraudulent campaigns. Let’s highlight several indicators that will help you recognize even the most skillfully crafted fakes.

- Personal data. Although it makes scam emails look formal and believable, even if the email features your address, tax ID, phone number, or passport details, it doesn’t mean that the threat is legitimate. In all likelihood, your information was simply sourced from leaked databases and exploited by the scammers. The opposite is also true: impersonal greetings like “Dear Sir/Madam” or “Dear Customer” are undoubtedly also a red flag.
- The sender’s address is registered on a free email service.
- A request to open an attached file, or follow a link to “find out the details”.
- Manipulation, threats, calls for urgent action, and demands not to tell anyone about the email. Attackers deliberately use these psychological tricks to throw you off balance and deprive you of external support.
- Typos and grammatical errors. If you suspect the email is a very poor word-for-word translation from another language, you’re probably right. However, a well-written email is no reason to let your guard down: while scammers are often not the most skilled linguists, they sometimes create exceptionally high-quality spam campaigns.
- Character substitution to bypass spam filters. Attackers mix alphabets, use look-alike characters with diacritics (such as a “K” with a diacritic instead of a plain “K”), and sometimes simply insert chunks of incoherent text or “noise up” the body with random characters. The text remains readable but often looks odd.

An example of scammers attempting to bypass spam filters by substituting characters and adding meaningless blocks of text

How to protect yourself from email blackmail

- Don’t panic. Scammers deliberately use fear, create a sense of urgency, and rely on your trust in authority. Their goal is for you to believe their fabricated story, but they have no real leverage. If you’re being rushed, threatened, or given ultimatums, make a conscious effort to slow down and avoid making impulsive decisions.
- Install a reliable security solution that will promptly alert you about suspicious emails, malicious files, or links.
- Pay attention to the details. If you receive an email supposedly from a government or law enforcement agency, first examine the sender’s email address. If there’s a reply-to address, compare it with the sender’s. Use search engines to check if the organizations mentioned in the email actually exist, and who manages them. Look up the laws they cite. Pay close attention to signatures and titles — in short, do a full fact-check. Finally, ask yourself if you’re really important enough for, say, the Minister of Internal Affairs to be writing to you personally.
- Use only verified communication channels. Remember that government agencies will never blackmail or threaten you in official correspondence. If you’re still unsure whether the email is real or fake, find the official contact information of the organization mentioned in it, and reach out through an alternative, verified channel — for instance, by phone. Don’t click links or call phone numbers (especially mobile numbers) provided in the email you received — always verify contacts online.
- If you receive an email with a death threat, don’t engage with the scammer, and contact the police immediately. The vast majority of these scare tactics are blatant blackmail, which is a criminal offense in most countries.

The key is to remain calm.
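As an added example (not code from the original article), the indicators above turned into a simple triage check that a mail administrator could run over suspicious messages. The free-mail domain list and the phrase lists are assumptions to tune per deployment, and both sample messages are constructed for the demonstration.

```python
"""Score a raw email against the scam indicators listed in the article:
free-mail sender, reply-to/sender mismatch, mixed alphabets, urgency,
secrecy demands, "open the attachment" prompts, impersonal greetings."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Assumed lists; a real deployment would tune these.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "mail.ru"}
URGENCY_PHRASES = ("72 hours", "24 hours", "immediately", "last warning", "final notice")
SECRECY_PHRASES = ("do not contact the police", "do not tell", "don't tell", "tell no one")
LOOKUP_PHRASES = ("open the attached", "see the attached", "click the link",
                  "follow the link", "find out the details")
IMPERSONAL_GREETINGS = ("dear sir/madam", "dear customer", "dear user")


def _script(ch):
    """Unicode script family of a letter, e.g. 'LATIN' or 'CYRILLIC'."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return None


def mixed_script_words(text):
    """Words that mix letters from two scripts, e.g. a Cyrillic letter
    dropped into a Latin word to slip past keyword-based spam filters."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {_script(c) for c in word if c.isalpha()}
        scripts.discard(None)
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def _domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def _text_and_attachments(msg):
    """Collect the plain-text body and note whether any part is an attachment."""
    chunks, has_attachment = [], False
    for part in msg.walk():
        if part.is_attachment():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            chunks.append(part.get_content())
    return "\n".join(chunks), has_attachment


def assess(raw):
    """Return the triggered indicators and a score for a raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, has_attachment = _text_and_attachments(msg)
    text = f"{msg['Subject'] or ''}\n{body}"
    low = text.lower()
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    hits = {
        "free_mail_sender": from_domain in FREE_MAIL_DOMAINS,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "mixed_script": bool(mixed_script_words(text)),
        "urgency": any(p in low for p in URGENCY_PHRASES),
        "secrecy_demand": any(p in low for p in SECRECY_PHRASES),
        "lookup_prompt": any(p in low for p in LOOKUP_PHRASES),
        "impersonal_greeting": any(p in low for p in IMPERSONAL_GREETINGS),
        "attachment": has_attachment,
    }
    triggered = sorted(k for k, v in hits.items() if v)
    return {"indicators": triggered, "score": len(triggered),
            "mixed_script_words": mixed_script_words(text)}


# Constructed sample modelled on the "summons" scams described above.
# The body contains "cr\u0456minal" with a Cyrillic i (U+0456) in place of the Latin i.
SCAM_SAMPLE = (
    'From: "Federal Police" <federal.police.office@gmail.com>\n'
    "Reply-To: legal.department@example.net\n"
    "To: victim@example.org\n"
    "Subject: Summons for Criminal Investigation\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: 8bit\n\n"
    "Dear Sir/Madam,\n"
    "Your IP address was used to access inappropriate websites and you are a\n"
    "suspect in a cr\u0456minal case. You have 72 hours to reply. Open the attached\n"
    "document for the details. Do not contact the police or anyone else.\n"
    "--b1\nContent-Type: application/pdf; name=\"summons.pdf\"\n"
    'Content-Disposition: attachment; filename="summons.pdf"\n'
    "Content-Transfer-Encoding: base64\n\nJVBERi0=\n--b1--\n"
).encode("utf-8")

# Constructed benign message for comparison.
BENIGN_SAMPLE = (
    "From: IT Helpdesk <helpdesk@example.org>\nTo: sarah@example.org\n"
    "Subject: Maintenance window\n\n"
    "Hi Sarah, the monthly maintenance window is scheduled for Saturday 02:00 UTC.\n"
    "No action is needed on your side.\n"
).encode("utf-8")

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(sample))
```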
Read more on popular scammer tricks:

- How phishers and scammers use AI
- The scam on your doorstep
- Beware of Google Forms bearing crypto gifts
- You’re in for a big payout again
- Spam 101: what is spam, and how to defeat it
New synthetic security staffers promise to bring artificial intelligence comfortably into the security operations center, but they will require governance to protect security.
The tool let its operators secretly record conversations, track device locations, capture photos, collect contacts, and perform other surveillance on compromised devices.
Human-centered identity frameworks are incorrectly being applied to AI agents, creating the potential for catastrophe at machine speed, Poghosyan argues.
A spokesperson for the CBO confirmed the security incident and said the agency has taken immediate action to contain it while also implementing “additional monitoring and new security controls to further protect the agency’s systems going forward.”
Researchers spotted a 9-month-long campaign involving previously undiscovered spyware they call LANDFALL, which leveraged a zero-day bug in Samsung Galaxy phones.
The latest model for improving U.S. Cyber Command is circulating at the Pentagon. Some of the initiatives will spill into the next decade — an approach that is sure to create friction on Capitol Hill and beyond.
Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension "susvsex," said it does not attempt to hide its malicious functionality. The extension was uploaded on
Imagine this: Sarah from accounting gets what looks like a routine password reset email from your organization’s cloud provider. She clicks the link, types in her credentials, and goes back to her spreadsheet. But unknown to her, she’s just made a big mistake. Sarah just accidentally handed over her login details to cybercriminals who are laughing all the way to their dark web
Google on Thursday said it's rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments. The approach is designed to tackle a common practice called review bombing, where online users intentionally post negative user reviews in an
A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems. According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and
A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary
A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government