After the release of DeepSeek v4 and growing online attention, the tool quickly became a target for attackers. They took advantage of its popularity to trick users into downloading malicious files.

Users must remain vigilant against these threats, particularly the risks associated with downloading files that may contain Fake DeepSeek malware.

Fake GitHub Repositories Spreading Malware

Attackers created fake GitHub repositories that look very similar to the real project. These pages appear legitimate, making it hard for users to notice the difference.

Users who download files from these fake repos end up installing malware. In this case, the malicious file was hidden inside a 7z archive on the Releases page, just like a normal software download.

Researchers from QiAnXin Threat Intelligence Center discovered that this attack is linked to a previous campaign known as OpenClaw. Both attacks use similar techniques and infrastructure, suggesting the same threat actor is behind them.

The attackers also used fake installer names related to other AI tools like Claude, Grok, WormGPT, and FraudGPT to spread the malware further.

Malware Behavior and Persistence Techniques

The main malware file, named DeepSeek-TUI_x64.exe, first checks if it is running in a secure or virtual environment. If it detects analysis tools, it stops execution to avoid being detected.

If the system looks like a real user machine, the malware continues its attack. It disables key Windows Defender protections, modifies firewall settings, and connects to external servers to download more malicious components.

These components help the attacker stay in the system. Some create scheduled tasks, others add registry entries for persistence, and some run silently in memory to avoid detection.

The malware uses multiple techniques to remain active, making it difficult to remove once installed. It can survive reboots and continue running without the user noticing.

Indicators of Compromise (IoCs):-

The post DeepSeek Repositories Scam Spreads Malware appeared first on First Hackers News.

Source code environments are considered high-value targets because they reveal the inner workings of security products. Even limited access can give attackers insights into detection logic, configurations, or potential weaknesses that could be studied for future exploitation or used in supply chain-style attacks.

Investigation Findings and Potential Risks

Trellix has stated that the breach appears contained and, at this stage, there is no evidence of direct impact on customers or product integrity.

Key findings so far include:

• No compromise of the build, release, or update pipeline
• No signs of malicious code being inserted into products
• No evidence of active exploitation using the accessed data

However, the nature of source code exposure still raises concerns. Attackers could analyze the code offline to identify vulnerabilities, reverse-engineer protections, or develop evasion techniques against Trellix security tools.

The company is continuing a detailed forensic review to understand how the access occurred, what data was viewed or copied, and whether any long-term risks remain. Strengthening internal controls, access monitoring, and repository protections is likely part of the ongoing response.

This incident reflects a broader trend where attackers target software vendors instead of end users, aiming to gain leverage through trusted platforms. Similar breaches involving Microsoft, Okta, and LastPass show how valuable internal systems have become as entry points.

Trellix has committed to transparency and plans to release more technical details once the investigation is complete, helping the wider security community understand and defend against similar threats.

The post Trellix Confirms Source Code Repository Breach appeared first on First Hackers News.

Instead of relying on fake domains or compromised mail servers, attackers use Google AppSheet to send emails through Google’s own infrastructure. These messages are generated as part of automated workflows, meaning they pass authentication checks like SPF, DKIM, and DMARC without raising suspicion.

As a result, security tools and spam filters see them as trusted communications, allowing phishing messages to land directly in inboxes of targeted users—often business account owners managing Facebook pages.

Multi-Layered Attack Strategy

The campaign is not a single phishing page but a structured, multi-stage system designed to increase success rates. Victims are first directed to pages hosted on Netlify, where attackers replicate the Facebook Help Center with high accuracy. These pages are customized per victim using unique subdomains, making them difficult to block using traditional security measures.

From there, users are guided through a series of steps that collect not only login credentials but also deeper identity information such as date of birth and even government-issued ID images. In some cases, the attackers shift tactics by offering fake incentives, like verification badges, hosted on platforms such as Vercel. These pages are designed to look dynamic and legitimate, while quietly bypassing detection systems using techniques like hidden Unicode characters.

The operation becomes more advanced in later stages. Attackers host phishing documents on Google Drive, presenting them as official Meta notifications. These documents, often designed using Canva, contain embedded links that redirect victims into interactive phishing environments. These environments are powered by real-time communication frameworks, allowing attackers to actively engage with victims during the login process.

This live interaction is a critical aspect of the campaign. Instead of passively collecting credentials, attackers can request one-time passwords, monitor user actions, and even capture browser sessions as they happen. This significantly increases the likelihood of successful account takeover, even when multi-factor authentication is enabled.

Real-Time Data Exfiltration and Attribution

Once credentials are captured, they are immediately transmitted through a centralized system built around Telegram bots. This allows operators to monitor incoming data in real time and quickly take control of compromised accounts before victims notice suspicious activity.

Analysis of the infrastructure shows a strong operational scale, with thousands of records flowing into attacker-controlled channels. Most victims are concentrated in regions like the United States and Europe, indicating a focus on high-value targets such as businesses and influencers.

Investigators were also able to trace elements of the campaign back to Vietnamese actors. This attribution is supported by metadata found in phishing documents and developer comments embedded within the malicious code, providing insight into the origin of the operation.

A Shift Toward Industrialized Phishing

AccountDumpling reflects a broader shift in cybercrime, where phishing is no longer a simple tactic but part of a larger, industrialized ecosystem. Attackers are combining trusted services, automation, and real-time interaction to create highly effective campaigns that are difficult to detect and disrupt.

Compromised accounts are rarely the end goal. They are often reused for further scams, advertising fraud, or additional phishing attacks, creating a cycle that sustains and expands the operation. This approach shows how modern threat actors are leveraging legitimate platforms at scale, turning them into tools for widespread abuse while staying under the radar.

The post Facebook Phishing Campaign Targets Business Accounts appeared first on First Hackers News.

The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.

To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.

This multi stage malware attack poses serious threats to organizations, as its multi-layered nature complicates detection and remediation efforts.

The email contains two files with slightly misspelled names to appear like quick internal documents:

• A Word file pretending to be a report
• A PDF file that looks like an official document

These small tricks are used to make the attack look normal and believable.

How the Multi-Stage Attack Works

The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.

When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.

At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.

Once installed, the malware:

• Connects to remote servers using trusted services
• Uses tools like developer tunnels to maintain access
• Sends stolen data through platforms like Discord
• Executes commands on the infected system

By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.

Evasion Techniques and Why It’s Dangerous

This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.

Some of its key evasion methods include:

• Hiding malicious code inside compiled scripts
• Using trusted cloud services for communication
• Disguising files with familiar names and branding
• Delivering payloads in stages instead of all at once

Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.

This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.

The post Multi Stage Malware Attack Uses Obfuscation to Evade Detection appeared first on First Hackers News.

This campaign involves a Linux version of the GoGra backdoor, showing that the group is expanding beyond its earlier Windows-based operations. By using trusted cloud services, the malware blends into normal network traffic, allowing it to bypass many standard security tools that typically look for suspicious external connections.

The attack appears to focus on espionage rather than financial gain. Evidence suggests that targets are mainly located in South Asia, with attackers using region-specific document names to make their phishing attempts more convincing. This level of targeting shows a carefully planned and strategic operation.

Outlook Mailbox Malware Explained

The attackers gain access through social engineering, tricking users into opening files that appear harmless. These files are often disguised as official documents, but they actually contain hidden malicious code.

Once the file is opened, the malware quietly installs itself in the background. It avoids drawing attention while setting up persistence, ensuring it can continue running even after the system is restarted.

Some key characteristics of the infection process include:

• Disguised files that look like PDFs or official documents
• Malware hidden inside Linux executable files
• Silent installation without visible signs
• Persistence mechanisms that allow it to survive reboots

This approach makes it difficult for users to realize they have been infected until much later.

How the Backdoor Uses Microsoft Infrastructure

What makes this attack particularly sophisticated is how it uses Microsoft’s own services as a communication channel. Instead of connecting to suspicious servers, the malware interacts with legitimate cloud infrastructure, which helps it stay hidden.

After installation, the backdoor uses Microsoft APIs to communicate with a real Outlook mailbox. It regularly checks for new messages that contain instructions from the attacker. These commands are processed on the infected system, and the results are sent back through email responses.

The malware is designed to clean up after itself, deleting messages once they are used. This reduces traces of the attack and makes forensic investigation more difficult.

The main capabilities of the backdoor include:

• Receiving commands through Outlook mailbox messages
• Executing those commands on the infected machine
• Sending results back via email
• Removing evidence after communication

Because all of this happens through trusted services, the activity can easily go unnoticed in normal network monitoring.

Why This Attack Is Concerning

This campaign highlights a growing trend where attackers abuse legitimate platforms to hide their operations. By using trusted services like Microsoft’s cloud, they can bypass many traditional defenses that rely on detecting suspicious traffic.

The impact of such an attack can be serious. Attackers may gain long-term access to systems, collect sensitive data, and monitor user activity without being detected. Since the malware operates quietly and removes traces of its actions, it can remain active for extended periods.

This also shows how threat actors are evolving their techniques, moving toward more stealthy and persistent methods. Organizations can no longer rely only on basic perimeter defenses and must adopt more advanced monitoring strategies.

To reduce risk, security teams should pay close attention to unusual system behavior, unexpected background services, and abnormal use of cloud APIs. Monitoring activity from endpoints that do not typically interact with such services can help identify potential threats early.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Hackers Hide GoGra Backdoor in Outlook Mailboxes appeared first on First Hackers News.

Axios is a widely used JavaScript library that helps developers handle HTTP requests in both Node.js and browsers. Because it is used in so many projects, this axios npm hack can affect a large number of applications and development systems.

The attack took place on March 31, 2026, when hackers compromised two versions of Axios — 1.14.1 and 0.30.4. When developers installed these versions, a hidden malicious package called “plain-crypto-js” was automatically included without their knowledge, demonstrating the dangers of an axios npm hack.

This package acts as a loader. It connects to attacker-controlled servers and downloads additional malware. One of the main threats is a Remote Access Trojan (RAT), which allows attackers to gain control over infected machines.

If a developer’s system is affected, attackers can quietly steal sensitive data such as source code, environment variables, and credentials. They can also move deeper into company systems, including CI/CD pipelines, which increases the overall risk.

What You Should Do Immediately

CISA recommends that organizations review their systems for any recent Axios updates. If the affected versions were installed, quick action is important.

Teams should downgrade to safe versions like 1.14.0 or 0.30.3 and remove the malicious “plain-crypto-js” package from their projects. It is also important to rotate all sensitive credentials, including API keys, SSH keys, and access tokens.

Monitoring network activity is another key step. Any unusual outbound connections should be investigated, and security scans should be run to ensure no hidden threats remain.

How to Prevent Similar Attacks

This incident highlights how software supply chain attacks are becoming more advanced. Many of these attacks take advantage of default package manager settings that automatically install dependencies.

To reduce risk, organizations should strengthen their security practices. Enabling strong authentication for developer accounts can prevent unauthorized access. Disabling automatic script execution during installations can also block malicious behavior.

It is also a good practice to avoid using newly published packages without proper verification. Monitoring systems for unusual activity, such as unexpected processes or unknown network connections, can help detect threats early.

By taking these precautions, organizations can better protect their development environments from future attacks.

The post CISA Flags Axios npm Hack in Supply Chain Attack appeared first on First Hackers News.

Between October 2025 and March 2026, security analysts observed a significant spike in phishing campaigns leveraging webhook functionality. These attacks take advantage of how automation tools are designed to connect apps and process real-time data, effectively turning a business productivity feature into a delivery channel for cyber threats.

How the Attack Works

Platforms like n8n and Zapier use webhooks to trigger workflows when a user interacts with a specific URL. Attackers are now embedding these webhook URLs into phishing emails, often disguising them as trusted services like file-sharing links.

When a victim clicks the link, the webhook triggers a workflow that dynamically serves content based on the user’s system or browser data. This makes the attack highly adaptive and harder to detect.

In many observed cases, users are redirected to fake pages that mimic services such as cloud storage platforms. These pages may include CAPTCHA-style verification to appear legitimate. Once the user interacts, a malicious file is downloaded—often disguised as a document or installer.

• Attackers use trusted webhook URLs to bypass security filters
• Payloads are dynamically tailored based on victim device data

Advanced Techniques and Impact

Research from Cisco Talos shows that attackers are not just delivering malware—they are also using these workflows to collect valuable data about their targets.

Some campaigns install remote monitoring tools that give attackers persistent access to infected systems. Others use tracking techniques, such as invisible pixels in emails, to monitor when messages are opened and gather device-level information.

Because the traffic originates from legitimate platforms, it blends into normal network activity. This makes it much harder for traditional security tools to flag or block the attack.

This campaign highlights a major shift in cyber threats. Instead of breaking into systems directly, attackers are abusing trusted tools that organizations rely on every day. As automation and AI-driven workflows become more common, they also introduce new risks that defenders must account for.

The post n8n Webhook Malware: Hackers Exploit Automation to Spread Attacks appeared first on First Hackers News.

The operation focused on the W3LL phishing kit, a tool widely used by cybercriminals to steal credentials and bypass multi-factor authentication. Attackers used this kit to carry out large-scale fraud attempts, with losses estimated to exceed $20 million.

How the W3LL Phishing Kit Worked

The W3LL toolkit was designed to make cybercrime easier, even for low-skilled attackers. It was sold as a service, allowing buyers to quickly launch phishing campaigns using ready-made fake login pages that closely mimicked legitimate websites.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What made this tool especially dangerous was its ability to go beyond simple credential theft. Instead of just capturing usernames and passwords, it also collected session data and authentication tokens. This allowed attackers to bypass MFA protections and gain ongoing access to accounts without raising immediate alerts.

The ecosystem also included an underground marketplace called W3LLSTORE. This platform enabled criminals to buy and sell stolen credentials, corporate access, and remote connections, creating a full cybercrime supply chain.

• Over 25,000 compromised accounts were sold between 2019 and 2023
• More than 17,000 victims were targeted globally in recent campaigns
• Fraud attempts exceeded $20 million
• Stolen access was often resold multiple times for profit

Law Enforcement Action and Impact

Even after the original marketplace shut down, the operation continued through private channels. Investigators tracked its evolution and identified the key individuals behind it.

With support from U.S. authorities, the FBI seized critical infrastructure used to run the phishing service. At the same time, Indonesian police arrested the suspected developer and took control of domains linked to the operation.

Officials described the platform as more than just a phishing kit—it functioned as a complete cybercrime service. By shutting it down, authorities have disrupted a major tool that attackers relied on to breach organizations.

This takedown highlights how modern phishing has evolved into organized, scalable operations—and why international cooperation is essential to combat today’s cyber threats.

The post W3LL Phishing Kit Takedown Disrupts MFA Bypass Campaign appeared first on First Hackers News.

On April 13, 2026, the vulnerability identified as CVE-2026-21643 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This inclusion is not routine—it signals confirmed attacker activity and indicates that exploitation is no longer theoretical. Threat actors are already leveraging this weakness to target organizations, making immediate remediation critical.

Understanding the Vulnerability

The flaw exists in FortiClient Enterprise Management Server (EMS), a centralized platform used by organizations to manage endpoint security, enforce policies, and monitor device compliance. Because EMS sits at the core of endpoint control, any compromise can have far-reaching consequences across the entire network.

Technically, this issue is classified as a SQL injection vulnerability (CWE-89). It arises when user-supplied input is not properly validated before being processed by the backend database. Attackers can exploit this weakness by sending specially crafted HTTP requests that manipulate database queries and execute unintended commands.

What elevates the severity of this vulnerability is its unauthenticated nature. An attacker does not need valid credentials or prior access to the environment. If the EMS instance is exposed to the internet, it becomes a direct target. By simply interacting with the vulnerable interface, an attacker can execute arbitrary commands on the system.

Real-World Risk and Exploitation Impact

The ability to execute code remotely without authentication places this vulnerability in the highest risk category. Once exploited, attackers can gain control over the EMS server, which often acts as a central authority for endpoint devices within an organization.

This level of access can enable attackers to move laterally across the network, deploy malicious payloads, manipulate endpoint configurations, or establish persistent backdoors. In many environments, EMS servers are trusted systems, which makes them an ideal pivot point for deeper compromise.

Although there is no confirmed evidence yet linking this vulnerability to ransomware campaigns, the attack pattern aligns closely with how ransomware operators typically gain initial access. Vulnerabilities that allow remote execution without authentication are frequently weaponized early in attack chains.

Why Immediate Action Is Critical

CISA’s KEV listing is a clear indicator that organizations cannot afford delays. The window between public disclosure and widespread exploitation is often extremely short, and in this case, that window has already closed.

Organizations should treat this as an active incident risk rather than a routine patching task. Security teams are strongly advised to prioritize this vulnerability above regular update cycles and respond with urgency.

• Apply the latest Fortinet security patches immediately
• Review system and application logs for unusual or malformed HTTP requests
• Monitor for signs of unauthorized access or unexpected command execution
• Follow all mitigation guidance provided by Fortinet
• Disable or isolate affected systems if patching cannot be completed right away

Under Binding Operational Directive 22-01, U.S. federal agencies are required to remediate this vulnerability by April 16, 2026. This aggressive timeline reflects the severity of the threat and should serve as a benchmark for private organizations as well.

Final Thoughts

This vulnerability highlights a recurring issue in modern enterprise security—critical systems exposed to the internet without sufficient protection layers. When combined with an unauthenticated exploit, even a single overlooked patch can lead to full-scale compromise.

Organizations that rely on Fortinet EMS must act immediately, not only to patch the vulnerability but also to validate that their systems have not already been targeted. Proactive monitoring, rapid patching, and strict access controls remain essential in defending against threats of this nature.

In the current threat landscape, speed is not just an advantage—it is a necessity.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post CISA Alerts on Active Fortinet SQL Injection Exploit appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.