Because these tools are already installed on most systems and commonly used by administrators, malicious activity can easily blend in with normal operations.

ANY.RUN Report Reveals Growing Threat

According to ANY.RUN’s analysis of more than 2 million malware and phishing investigations during the first quarter of 2026, threat actors are rapidly shifting toward stealthier attack techniques.

The report highlights:

• Loader-based attacks nearly doubled
• Credential theft increased significantly
• Living-off-the-Land (LotL) techniques grew by more than 58%
• Attackers increasingly abused trusted system utilities
• Malware campaigns became more automated and difficult to detect

Researchers noted that attackers often use tools such as PowerShell, WMI, Certutil, MSHTA, and JavaScript execution environments to perform malicious actions while appearing legitimate.

These trusted tools allow attackers to:

• Download malware payloads
• Execute fileless attacks
• Establish persistence
• Move laterally through networks
• Avoid traditional antivirus detection

Security experts warn that attackers can establish persistence within seconds, leaving defenders with very little time to respond.

Credential Theft Continues to Drive Attacks

ANY.RUN researchers found that credential theft remains one of the primary goals for modern threat actors.

Once attackers obtain valid credentials, they can access systems while appearing to be legitimate users. Combined with trusted tool abuse, this creates a dangerous scenario where malicious activity can remain hidden for extended periods.

Many attackers begin with lightweight loaders that quietly gain initial access before deploying more dangerous payloads such as:

• Ransomware
• Remote Access Trojans (RATs)
• Information stealers
• Credential theft tools

This approach allows cybercriminals to scale attacks while minimizing detection.

Strengthening Defenses Against Trusted Tool Abuse

Because legitimate tools generate normal-looking activity, ANY.RUN recommends focusing on behavioral monitoring rather than relying solely on traditional signature-based security solutions.

Organizations should monitor for:

• Unusual PowerShell commands
• Suspicious script execution
• Abnormal command-line arguments
• Unexpected network connections
• Unusual administrative activity
• Suspicious parent-child process relationships

Additional recommendations include:

• Enforcing least-privilege access
• Restricting script execution
• Using application control policies
• Leveraging threat intelligence
• Deploying sandbox analysis solutions
• Improving incident response capabilities

The findings show that attackers are becoming increasingly skilled at hiding in plain sight. As trusted tools continue to be weaponized, organizations must focus on behavior-based detection and rapid response strategies to identify threats before they can cause significant damage

The post Hackers Exploit Trusted Tools Malware for Attacks appeared first on First Hackers News.

The issue came to light after data linked to the company appeared on dark web forums. Initial findings suggest that attackers were able to access the repository following an earlier breach involving the Checkmarx breach that impacted the company weeks before.

This shows how cyber attacks don’t always end with the first compromise. In many cases, attackers return later to extract more data or expand their access.

What Happened

The incident appears to be connected to a previous supply chain attack that occurred in March 2026. Attackers likely used that initial access to move deeper into internal systems and eventually reach the GitHub repository.

Weeks later, some of that data was leaked publicly, bringing the incident into focus. This highlights a common pattern in modern attacks—initial access followed by delayed exploitation.

Impact on Customers

Despite the seriousness of the situation, Checkmarx has stated that customer environments are not directly affected. The exposed repository was separate from production systems, and company policies do not allow customer data to be stored in such repositories.

Key points include:

• The affected repository is not connected to live customer systems
• Customer data is not stored in the exposed environment
• Ongoing analysis is being conducted to confirm what data was leaked

The company has also stated that it will notify customers immediately if any sensitive information is found during the investigation.

Investigation and Ongoing Analysis

Checkmarx is working with external forensic experts to understand the full scope of the breach. The investigation is focused on identifying what data was accessed, how attackers moved within the environment, and whether any additional systems were affected.

Security teams are also analyzing the leaked data to verify its contents and assess any potential risks.

Response and Containment Measures

To control the situation, the company has taken immediate steps to secure its systems. Access to the affected GitHub repository has been restricted, and internal security teams are closely monitoring for any further suspicious activity.

These actions are aimed at preventing additional exposure and supporting the ongoing forensic investigation.

What Organizations Should Do

Organizations using Checkmarx solutions are advised to stay updated through official communications. While there is no confirmed impact on customers, it is important to remain cautious and informed.

Security teams should review any updates provided by the company and reach out through official support channels if they have concerns or require clarification.

This incident highlights how supply chain attacks can evolve over time. Even after the initial breach is contained, attackers may still have access that can be used later.

It also reinforces the importance of separating development environments from production systems, as this can significantly reduce the impact of such exposures.

In today’s threat landscape, a single breach is rarely the end—it is often just the beginning of a longer attack chain.

The post Checkmarx Breach: GitHub Repository Exposure Confirmed appeared first on First Hackers News.

On April 13, 2026, the vulnerability identified as CVE-2026-21643 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This inclusion is not routine—it signals confirmed attacker activity and indicates that exploitation is no longer theoretical. Threat actors are already leveraging this weakness to target organizations, making immediate remediation critical.

Understanding the Vulnerability

The flaw exists in FortiClient Enterprise Management Server (EMS), a centralized platform used by organizations to manage endpoint security, enforce policies, and monitor device compliance. Because EMS sits at the core of endpoint control, any compromise can have far-reaching consequences across the entire network.

Technically, this issue is classified as a SQL injection vulnerability (CWE-89). It arises when user-supplied input is not properly validated before being processed by the backend database. Attackers can exploit this weakness by sending specially crafted HTTP requests that manipulate database queries and execute unintended commands.

What elevates the severity of this vulnerability is its unauthenticated nature. An attacker does not need valid credentials or prior access to the environment. If the EMS instance is exposed to the internet, it becomes a direct target. By simply interacting with the vulnerable interface, an attacker can execute arbitrary commands on the system.

Real-World Risk and Exploitation Impact

The ability to execute code remotely without authentication places this vulnerability in the highest risk category. Once exploited, attackers can gain control over the EMS server, which often acts as a central authority for endpoint devices within an organization.

This level of access can enable attackers to move laterally across the network, deploy malicious payloads, manipulate endpoint configurations, or establish persistent backdoors. In many environments, EMS servers are trusted systems, which makes them an ideal pivot point for deeper compromise.

Although there is no confirmed evidence yet linking this vulnerability to ransomware campaigns, the attack pattern aligns closely with how ransomware operators typically gain initial access. Vulnerabilities that allow remote execution without authentication are frequently weaponized early in attack chains.

Why Immediate Action Is Critical

CISA’s KEV listing is a clear indicator that organizations cannot afford delays. The window between public disclosure and widespread exploitation is often extremely short, and in this case, that window has already closed.

Organizations should treat this as an active incident risk rather than a routine patching task. Security teams are strongly advised to prioritize this vulnerability above regular update cycles and respond with urgency.

• Apply the latest Fortinet security patches immediately
• Review system and application logs for unusual or malformed HTTP requests
• Monitor for signs of unauthorized access or unexpected command execution
• Follow all mitigation guidance provided by Fortinet
• Disable or isolate affected systems if patching cannot be completed right away

Under Binding Operational Directive 22-01, U.S. federal agencies are required to remediate this vulnerability by April 16, 2026. This aggressive timeline reflects the severity of the threat and should serve as a benchmark for private organizations as well.

Final Thoughts

This vulnerability highlights a recurring issue in modern enterprise security—critical systems exposed to the internet without sufficient protection layers. When combined with an unauthenticated exploit, even a single overlooked patch can lead to full-scale compromise.

Organizations that rely on Fortinet EMS must act immediately, not only to patch the vulnerability but also to validate that their systems have not already been targeted. Proactive monitoring, rapid patching, and strict access controls remain essential in defending against threats of this nature.

In the current threat landscape, speed is not just an advantage—it is a necessity.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post CISA Alerts on Active Fortinet SQL Injection Exploit appeared first on First Hackers News.

Attack Execution and Evasion Techniques

The malicious PDF is designed to evade traditional detection mechanisms. Initial samples showed extremely low detection rates, indicating that the payload is carefully crafted to bypass antivirus engines.

Once opened, the document executes obfuscated JavaScript hidden within its structure. This script leverages legitimate application functions to interact with the system and external servers, making the activity appear less suspicious.

Key attack characteristics:

• Uses heavily obfuscated JavaScript to avoid detection
• Leverages trusted application APIs for malicious actions
• Collects system-level data to profile the victim environment
• Communicates with external infrastructure to exfiltrate data
• Maintains in-memory execution to reduce forensic traces

The attack chain is adaptive. Based on the victim’s system profile, the attacker may choose to deliver additional payloads, increasing the likelihood of a successful compromise.

Impact and Exploitation Capabilities

This vulnerability presents a high-risk scenario due to its stealth and ease of exploitation. No advanced interaction is required, making it highly effective in phishing campaigns or targeted attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Potential impact includes:

• Unauthorized access to sensitive local files
• Exposure of system and environment information
• Remote code execution leading to full system compromise
• Possible sandbox escape, bypassing built-in protections

In controlled testing, researchers confirmed that the communication channel used by the malware can support delivery of further payloads, enabling deeper system control.

Defensive Measures and Monitoring

With no official patch currently available, proactive defense becomes critical. Organizations must rely on layered security controls and behavioral monitoring to detect and mitigate threats.

Recommended defensive strategies:

• Block known malicious endpoints and monitor for new suspicious connections
• Inspect outbound traffic for unusual patterns linked to PDF processes
• Detect anomalies in application behavior, especially unexpected file access
• Monitor for suspicious User-Agent strings such as “Adobe Synchronizer”
• Restrict execution of active content within PDF files where possible

Operational Security Considerations

This incident highlights a broader trend of attackers weaponizing trusted file formats like PDFs to deliver advanced exploits. Since these files are widely used in business environments, they present an effective entry point.

Security teams should strengthen awareness around file-based threats and ensure that users are trained to handle unsolicited documents with caution. Developers and defenders alike must also stay updated with threat intelligence to quickly adapt to evolving attack techniques.

Until an official patch is released, maintaining strict control over document handling and network activity is essential to minimizing risk.

The post Adobe Reader Zero-Day Targets Users appeared first on First Hackers News.

A recent demonstration by security researcher @matteyeux showed successful kernel read and write access on an iPad mini 6 running iOS 18.6.2 using the DarkSword exploit. This public validation shows that the exploit remains effective in real-world conditions and increases the risk for millions of Apple devices that have not yet been patched.

Google Threat Intelligence Group reportedly first observed DarkSword in active campaigns in November 2025. The exploit kit has been mainly linked to UNC6353, a suspected Russian espionage group that previously used the Coruna iOS exploit kit. Reported targets have included victims in Ukraine, Saudi Arabia, Turkey, and Malaysia, showing that the threat has already been used in focused international operations.

Technical Structure and Post-Compromise Activity

DarkSword is not just a single exploit but a complete exploit kit and infostealer written in JavaScript. The attack typically begins when a victim visits a compromised website containing a malicious iframe, a method commonly associated with watering hole attacks.

Once the target opens the page, the exploit escapes Safari’s WebContent sandbox. It then bypasses important Apple protections, including Trusted Path Read-Only and Pointer Authentication Codes, by abusing sensitive internal dyld structures in writable stack memory. The chain then moves through the GPU process by exploiting an out-of-bounds write flaw in the ANGLE graphics engine before targeting the XNU kernel through a Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver.

This gives attackers arbitrary memory read and write access, allowing them to modify sandbox restrictions and reach protected parts of the file system. Researchers also found that DarkSword operates fully in memory and quickly loads final-stage malware after compromise. Three malware families linked to the activity have been identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are designed to steal sensitive data, including secure messages, saved credentials, and cryptocurrency wallet information.

Security Response and Protection Measures

The public validation of DarkSword by independent researchers significantly increases the overall threat level. Once a working exploit chain becomes accessible beyond its original operators, the chances of wider abuse rise sharply.

The command-and-control infrastructure used in these operations adds to the concern. Instead of using obvious malicious domains, attackers relied on subdomains created on compromised legitimate websites, helping their traffic blend in and making detection harder.

To reduce risk, Apple users and enterprise security teams should ensure that all devices are updated immediately to iOS 26.1 or later, as these versions include fixes for the kernel vulnerabilities involved in the exploit chain. For high-risk users such as journalists, executives, and government personnel, enabling Apple’s Lockdown Mode can provide an additional layer of defense against advanced web-based attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Exploit Leaked Online, Putting Apple Devices at Risk appeared first on First Hackers News.

This is a strong signal for organizations to act immediately. Systems exposed to the internet, especially file transfer servers, are high-value targets because they often handle sensitive business data and provide a direct entry point into internal networks.

Technical Details and Mitigation Steps

The vulnerability, tracked as CVE-2025-47813, is an information disclosure issue caused by improper handling of user-supplied input. Specifically, when an attacker sends an unusually large value in the UID cookie, the server fails to handle the request securely and returns detailed error messages.

These error responses can unintentionally reveal internal system details such as file paths, configurations, or backend logic. While this does not directly allow code execution, it significantly lowers the barrier for attackers by giving them insight into how the system works, which can be used to plan targeted attacks or bypass protections.

Because this vulnerability is now listed in the KEV catalog, it is confirmed to be under active exploitation, increasing the urgency for remediation.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Organizations should take the following actions without delay:

• Apply the latest security patches or updates provided by the vendor
• Review and follow infrastructure security guidance for exposed services
• Avoid processing untrusted input without proper validation and error handling
• Temporarily disable or restrict access to the server if patching is not possible

Federal agencies are expected to address this issue within a strict timeline, and private organizations are strongly advised to follow the same urgency.

Overall, even though this is categorized as an information disclosure flaw, its real risk lies in enabling deeper, more targeted attacks. Immediate patching, proper input handling, and limiting exposure are essential to reducing the attack surface.

The post CISA Alerts Active Exploitation of Wing FTP Vulnerability appeared first on First Hackers News.

Incident response investigations link the activity to UNC6201, a China-linked threat cluster. The group shares overlaps with Silk Typhoon (UNC5221).

Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) observed attackers using this vulnerability to move laterally across networks, maintain long-term persistence, and deploy advanced malware.

The malware used in attacks includes SLAYSTYLE (web shell), BRICKSTORM (backdoor), and GRIMBOLT (new backdoor).

Although the initial entry method is still unknown, UNC6201 commonly targets edge devices such as VPN appliances to gain access.

What Caused the Vulnerability?

The issue is due to hardcoded default admin credentials inside Dell RecoverPoint’s Apache Tomcat Manager configuration.

The credentials were found in:

/home/kos/tomcat9/tomcat-users.xml

Because of this, unauthenticated remote attackers can log into the Tomcat Manager.

Tomcat Manager allows software deployment and administrative tasks. Attackers abused the /manager/text/deploy endpoint to upload malicious WAR files.

In real attacks, this was used to deploy the SLAYSTYLE web shell, giving attackers root-level command execution on the appliance.

Shift to GRIMBOLT Malware

In September 2025, attackers moved from using BRICKSTORM to a new malware called GRIMBOLT.

GRIMBOLT is written in C#, compiled using Native Ahead-of-Time (AOT), does not include Common Intermediate Language (CIL) metadata, and is packed with UPX.

AOT compilation converts code directly into machine-native code during build time. This makes detection harder because traditional security tools often scan CIL metadata.

To stay persistent, attackers modify the legitimate convert_hosts.sh script so the backdoor runs automatically at boot through rc.local.

Advanced Network Evasion

UNC6201 also uses advanced stealth techniques.

Attackers create temporary hidden network interfaces inside ESXi virtual machines, known as “Ghost NICs.” This allows silent movement between internal networks and SaaS infrastructure without triggering monitoring tools.

They also use Single Packet Authorization (SPA). Attackers monitor traffic on port 443 for a specific hexadecimal string. When detected, the source IP is added to an allowlist. Only that IP can access port 10443, while all other traffic is redirected silently. This hides the command-and-control (C2) channel from scanners and security tools.

Vulnerability Details

Affected Versions & Required Actions

Dell has issued urgent mitigation guidance.

Indicators of Compromise (IOCs)

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Critical zero-day vulnerability is being actively exploited in Dell RecoverPoint appeared first on First Hackers News.

The problems come from weaknesses in the Java Remote Method Invocation (RMI) process and the CCX Editor application, posing major risks to enterprise contact centers.

Vulnerability Details

Two critical flaws were found:

1. CVE-2025-20354 – Remote Code Execution (CVSS 9.8)
This issue affects the Java RMI process. Attackers can upload files without authentication and use them to run system commands and gain full root access.

2. CVE-2025-20358 – Authentication Bypass (CVSS 9.4)
This flaw affects the CCX Editor. Attackers can trick the system into accepting fake authentication, allowing them to create and run scripts with administrative privileges.

Impact

• All Cisco Unified CCX systems are affected, regardless of configuration.
• Packaged CCE and Unified CCE are not impacted.
• The two vulnerabilities are independent and do not need to be chained.

Patches and Recommendations

Cisco has released updates, and no workarounds exist. Organizations should apply patches immediately:

• Unified CCX 12.5: Update to 12.5 SU3 ES07 or later
• Unified CCX 15.0: Update to 15.0 ES01 or later

Systems running older versions (earlier than 12.5 SU3 or 15.0) are at high risk.

Cisco’s PSIRT reports no active attacks yet, but the ease of exploitation makes these vulnerabilities highly attractive to attackers.

• Check your current Unified CCX version and apply the required patches immediately.
• Prioritize patching any system exposed to the internet.
• Use temporary controls like network segmentation and limiting RMI access to trusted networks.

These vulnerabilities allow full system compromise, so urgent action is required to secure affected deployments.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Attackers Can Exploit Multiple Flaws in Cisco Unified CCX to Run Commands appeared first on First Hackers News.

The vulnerability exists because the appliance does not properly validate user-supplied input. As a result, even a user with the Observer role—the lowest level of access—can send crafted HTTP requests that bypass normal security checks.

Once exploited, attackers could create new accounts, modify system settings, or take over the appliance entirely.

Which Deployments Are Affected?

Cisco confirms that the issue affects only the Virtual Appliance running on VMware ESXi.
The following are not impacted:

• Catalyst Center hardware appliances
• Virtual Appliances deployed on AWS

In terms of software versions:

• Not affected: Versions earlier than 2.3.7.3-VA and version 3.1
• Affected: Versions 2.3.7.3-VA and later
• Fixed version: Upgrade to 2.3.7.10-VA or later

There are no temporary workarounds. An upgrade is the only way to eliminate the risk.

According to Cisco’s PSIRT team:

• No active exploitation has been detected
• No public reports or attacks have been observed
• The vulnerability was found internally during a TAC support case

Even though it hasn’t been exploited yet, the ease of privilege escalation makes this a high-priority issue for organizations.

Action Required

Cisco advises all customers using the affected Virtual Appliance to:

1. Review the official Cisco security advisory
2. Check the running software version
3. Immediately apply the fixed release (2.3.7.10-VA or higher)

Updating ensures the appliance cannot be compromised through this privilege escalation flaw and keeps the deployment aligned with Cisco’s security best practices.

The post Cisco Catalyst Center Bug Lets Attackers Gain Higher Access appeared first on First Hackers News.

The vulnerability, CVE-2025-64446, allows attackers to run admin-level commands without logging in. This means they can take complete control of the system. The issue has a CVSS score of 9.1, making it very serious.

The problem comes from a path traversal bug in the FortiWeb GUI. With a specially crafted HTTP or HTTPS request, attackers can bypass security checks and run commands with full privileges. This can result in:

• Creating unauthorized admin accounts
• Stealing data
• Total system compromise

Fortinet has confirmed active attacks, so patching immediately is strongly recommended.

Affected Versions:
FortiWeb 8.0, 7.6, 7.4, 7.2, and 7.0

Recommended Updated Versions:
8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12 or higher

If you cannot apply the update right away, Fortinet suggests disabling HTTP/HTTPS access to the management interface on all internet-facing interfaces. This can help reduce risk but should only be used as a temporary solution.

After updating, admins should check system logs and look for any unknown or suspicious admin accounts to ensure their device has not already been compromised.

The post Active Exploits Target Critical FortiWeb WAF Flaw appeared first on First Hackers News.