The operation was said to have begun on August 19, 2025, when spear-phishing emails were sent using a compromised account accessed through the VPN service NordVPN. The messages were directed at government ministries, embassies, and consulates across the Middle East and North Africa.

By August 24, the hackers’ command-and-control (C2) infrastructure was taken down, suggesting a shift to another phase of the intrusion. The campaign’s main objective appeared to be long-term espionage and data theft from high-value government systems.

Malicious Microsoft Word documents carrying VBA macros were used in the phishing emails. When recipients enabled the content, a malware loader called FakeUpdate was installed. This loader then deployed the Phoenix backdoor (version 4) on infected systems.

It was also revealed that this latest version of Phoenix included a new COM-based persistence mechanism, allowing it to remain active even after system reboots.

According to Group-IB, the Phoenix malware was designed to execute commands remotely, upload and download files, open a shell for direct access, and adjust its sleep interval to evade detection.

Alongside Phoenix, a custom infostealer was also used to collect browser data from Chrome, Opera, Brave, and Edge. Stored credentials and encryption keys were extracted and sent to the attackers’ remote servers. Tools such as PDQ for software deployment and Action1 for remote monitoring were also found in use, both previously linked to Iranian cyber operations.

The hacking activity showed clear similarities to previous MuddyWater campaigns. The use of identical code structures, malware families, and operational methods supported the attribution made by researchers.

Experts have warned that the campaign demonstrates how nation-state hackers continue to exploit phishing and remote tools to compromise sensitive networks. Organisations have been advised to disable macros by default, monitor Windows Registry changes, and review the use of remote management tools for suspicious behaviour.

The post Iranian Hackers Target Over 100 Government Bodies with ‘Phoenix’ Backdoor appeared first on First Hackers News.

Day One of Pwn2Own Ireland 2025 concluded with an extraordinary showcase of cybersecurity talent, as researchers demonstrated 34 unique zero-day vulnerabilities across a wide range of consumer devices.
The exploits earned participants a combined payout of $522,500, marking one of the most successful opening days in the competition’s history.

Hosted by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own is renowned for uncovering security flaws in real-world products. This year’s event stood out for its 100% success rate, with every single exploit attempt succeeding on the first day — a rare achievement in competitive hacking.

Teams Dominate Smart Home and NAS Devices

The first day featured 17 exploitation attempts targeting various connected devices including printers, routers, smart home systems, and NAS (Network-Attached Storage) units from major global manufacturers.

Team DDOS, made up of Bongeun Koo and Evangelos Daravigkas, took an early lead by chaining together eight vulnerabilities to compromise both a QNAP Qhora-322 router and a QNAP TS-453E NAS device.
Their impressive “SOHO Smashup” demonstration earned them $100,000 in prize money and 10 Master of Pwn points, placing them among the top contenders early in the event.

Smart Home Devices Fall to Expert Exploits

Several popular smart home products were also successfully compromised, including the Philips Hue Bridge, Synology ActiveProtect DP320, and Home Assistant Green.

Sina Kheirkhah from the Summoning Team stood out for participating in multiple successful exploits, including a powerful attack against the Synology ActiveProtect Appliance DP320 that earned an additional $50,000 in rewards.

In one of the most notable demonstrations, researcher DMDung of STAR Labs exploited a single out-of-bounds access vulnerability to take control of the Sonos Era 300 smart speaker — achieving the highest single-device payout of $50,000 and securing five Master of Pwn points.

Consumer printers were not spared from the day’s onslaught of exploits. Both Canon and HP devices were successfully hacked, highlighting ongoing concerns about the security of office and home printers.

The Canon imageCLASS MF654Cdw was a particularly popular target, with four different teams exploiting it using combinations of heap-based and stack-based buffer overflow vulnerabilities.
Meanwhile, Team Neodyme executed a stack-based buffer overflow on the HP DeskJet 2855e, earning $20,000 for their exploit.

The post Hackers Expose 34 Zero-Day Flaws at Pwn2Own Ireland 2025 — Over $522,000 Awarded on Day One appeared first on First Hackers News.

Salt Typhoon’s Sneaky Tactics

Since 2019, Salt Typhoon, also known as UNC4841, has targeted sensitive systems. They exploited a major flaw, CVE-2023-2868, in Barracuda Email Security Gateway systems. This flaw, with a severity score of 9.8, allowed hackers to access emails. Additionally, Silent Push, a cybersecurity firm, noted these domains connect to high-density IP addresses, hosting many websites. Some low-density IPs date back to October 2021.

Links to Other Hacking Groups

Interestingly, Salt Typhoon shares methods with groups like Earth Estries, FamousSparrow, GhostEmperor, and UNC5807. For instance, they targeted U.S. telecom companies in 2024, focusing on critical systems. Moreover, 16 domains were registered using Proton Mail emails tied to fake addresses, showing their clever tricks to stay hidden.

Implications for Global Cybersecurity

This exposure of 45 unreported domains in Salt Typhoon operations serves as a wake-up call for organizations worldwide, especially those in high-risk sectors like telecommunications and government. The longevity of this campaign—spanning from 2019 to the present—highlights the persistent nature of state-sponsored cyber threats from actors like Salt Typhoon.

Experts at Silent Push urge immediate action: “As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains. It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them.”

Protecting Against These Threats

This discovery highlights the danger of China-linked cyber threats. Silent Push advises checking DNS logs for the past five years for these domains or IPs. Also, organizations should:

• Update systems to fix vulnerabilities like CVE-2023-2868.
• Watch for suspicious subdomains or IPs.
• Share threat information to stay ahead of hackers.

In conclusion, these 45 domains reveal Salt Typhoon’s long-running espionage. Therefore, telecoms and governments must act fast to strengthen cybersecurity defenses against such advanced threats.

The post China-Backed Hackers Used 45 Hidden Domains in Telecom Cyber Attacks appeared first on First Hackers News.

On August 29, 2025, cybercriminals infiltrated Sinqia S.A., a São Paulo-based subsidiary of the leading financial technology provider Evertec, Inc. The attackers exploited the Brazilian Central Bank’s instant payment system, known as Pix, to initiate unauthorized business-to-business transactions. Pix, launched in November 2020, has become Brazil’s most popular payment method, operating 24/7 and handling massive volumes of real-time transfers—making it a prime target for sophisticated cyber attacks.

The breach involved attempts to steal approximately $130 million, affecting operations linked to two financial institutions that are customers of Sinqia. Local media reports have pointed fingers at HSBC as one of the involved banks, though the institution has firmly stated that no customer funds or personal data were compromised. Sinqia, which provides financial software and IT services to the banking sector, supports 24 financial institutions across Brazil, amplifying the potential ripple effects of this incident.

Outcomes and Ongoing Recovery Efforts

Following the detection, Sinqia engaged external cybersecurity forensics experts to investigate and mitigate the breach. A portion of the targeted $130 million has already been recovered, with efforts continuing to reclaim the rest. Importantly, there’s no evidence that the attack extended beyond the Pix system or involved the exposure of personal data, providing some relief amid the chaos.

In response, the Central Bank of Brazil temporarily revoked Sinqia’s access to the Pix platform. The company is actively collaborating with authorities, submitting necessary documentation and assurances to restore connectivity. Evertec, Sinqia’s parent company and a major player in transaction processing across Latin America, Puerto Rico, and the Caribbean, has filed disclosures with the U.S. Securities and Exchange Commission (SEC), noting that the financial and reputational impacts could be significant. This includes potential effects on internal controls, though full details are still emerging.

HSBC, responding to media speculation, reiterated that the incident had no bearing on its customers’ assets or information, emphasizing the isolated nature of the breach within Sinqia’s operations.

Broader Implications for Cybersecurity in Fintech

This attempted $130 million bank heist serves as a stark reminder of the escalating risks in the fintech sector, where real-time payment systems like Pix are both innovative and vulnerable. Brazil’s Pix has faced repeated threats from Android banking malware and other cyber exploits, reflecting a global trend of increasing attacks on financial infrastructure.

For businesses, the incident stresses the importance of multi-factor authentication, regular vendor audits, and advanced threat detection systems. As cyber threats evolve—with reports like the Picus Blue Report 2025 showing a doubling in password cracking attempts—fintech firms must prioritize proactive defenses to safeguard against similar breaches.

Evertec acquired Sinqia in 2023 to expand its footprint in Brazil’s booming financial market, but this event could lead to heightened scrutiny from regulators and investors. The full material impact, including any long-term damage to trust and operations, remains to be seen.

The post Hackers Launch Daring $130 Million Bank Heist Attempt on Brazilian Fintech Firm appeared first on First Hackers News.

What Happened in the Zscaler Data Breach?

The breach originated from a sophisticated supply chain attack exploiting SalesLoft’s Drift AI chat agent, which integrates with Salesforce to manage sales workflows. Threat actors, identified by Google Threat Intelligence Group (GTIG) as UNC6395, stole OAuth and refresh tokens from SalesLoft Drift, gaining unauthorized access to Zscaler’s Salesforce environment between August 8 and August 18, 2025. This allowed hackers to exfiltrate sensitive customer data from Zscaler’s Salesforce instance. Importantly, Zscaler’s core products, services, and infrastructure were not compromised, but the breach still poses significant risks due to the nature of the exposed information.

Exposed Information: What Was Leaked?

The attackers accessed a range of sensitive customer data stored in Zscaler’s Salesforce environment. According to Zscaler’s advisory, the compromised information includes:

• Customer Names: Full names of individuals associated with Zscaler accounts.
• Business Email Addresses: Corporate email IDs, which could be used for targeted phishing campaigns.
• Job Titles: Professional roles, enabling attackers to craft convincing social engineering attacks.
• Phone Numbers: Business contact numbers, increasing the risk of voice phishing (vishing).
• Regional/Location Details: Geographic data tied to customer accounts.
• Zscaler Product Licensing and Commercial Information: Details about licensing agreements and commercial transactions.
• Support Case Content: Plain text from certain customer support cases, though no attachments or files were included.

While Zscaler has found no evidence of misuse so far, the stolen data is highly valuable for cybercriminals. It could be used for phishing, vishing, or social engineering attacks, where attackers impersonate Zscaler or trusted vendors to extract further sensitive information or credentials.

Data breaches like this aren’t just headlines – they have real-world consequences. Exposed customer info could be weaponized for:

• Phishing and Social Engineering: Hackers might impersonate Zscaler to trick users into revealing more data.
• Reputation Damage: For Zscaler, a company built on trust in security, this could erode client confidence.
• Industry Wake-Up Call: It underscores the need for robust vendor risk management, especially in cloud-based services.

The post Zscaler Data Breach 2025: Customer Names, Emails, and Support Data Exposed in SalesLoft and Drift Hack appeared first on First Hackers News.

Google’s Threat Intelligence Group has identified multiple cybersecurity breaches in American insurance companies, all consistent with Scattered Spider’s signature tactics. Previously targeting UK and U.S. retailers—including prominent names like Marks & Spencer, Harrods, and Co-op—this hacker collective is now pivoting to a new vertical insurance.

What Is Scattered Spider?

Scattered Spider—also known by aliases like UNC3944, 0ktapus, Scatter Swine, Starfraud, and Muddled Libra—is a decentralized hacking coalition specializing in ransomware, social engineering, and SIM-swapping attacks. Their campaigns often begin with deceptive communications—calls, SMS or email—targeted at help desks or call centers to bypass multi-factor authentication and gain unauthorized access.

Recent Intrusions Impacting Major Insurers

Several high-profile U.S. insurance organizations, including Erie Insurance and Philadelphia Insurance Companies, have reported network outages and suspicious activity dating from early to mid-June. Both incidents involved emergency shutdowns of internal systems, telephony infrastructure, and customer portals.

• Erie Insurance detected abnormal network behavior on June 7, disrupting services and initiating a forensic investigation in partnership with law enforcement.
• Philadelphia Insurance Companies (PHLY) reported unauthorized access around June 9, isolating systems to contain the breach while working with external cybersecurity experts.

Attack Methods: A Sophisticated Social Engineering Campaign

Scattered Spider employs a highly coordinated and deceptive set of cyberattack strategies, primarily centered around advanced social engineering. One of their most common tactics is help-desk impersonation, where attackers fabricate convincing stories to manipulate support staff into resetting login credentials, granting unauthorized access. They also exploit MFA fatigue—also known as MFA bombing—by continuously sending multi-factor authentication requests until users inadvertently approve access out of frustration or confusion. In addition, SIM swapping and phishing are used to hijack mobile numbers or steal login credentials, enabling intrusions into cloud platforms and endpoint devices. Once deep access is achieved, the group often proceeds to deploy powerful ransomware strains like DragonForce, RansomHub, and Qilin, encrypting critical data and demanding ransom for its release. These methods highlight Scattered Spider’s expertise in blending psychological manipulation with technical precision.

Why the Insurance Sector Is at Risk

• Sector-by-Sector Strategy: Scattered Spider typically targets one industry intensely before moving on.
• Human Vulnerabilities: Insurance firms rely heavily on call centers and legacy identity systems—prime targets for social engineering .
• Rich Data & Customer Trust: Access to sensitive financial and personal data makes insurers lucrative for cybercriminals.

Proactive Defense Strategies

To strengthen cyber resilience, Google and Mandiant recommend that insurance firms should:

• Implement Zero‑Trust Identity Controls: Segregate user identities, enforce strong password policies, and integrate phishing-resistant MFA.
• Enhance Helpdesk Authentication: Use challenge-response scripts, photo verification, or voice recognition before resetting passwords.
• Train Staff in Social Engineering Awareness: Educate on tactics like MFA bombing and pretexted calls.
• Monitor for Anomalous Access: Flag logins from unusual locations or residential IPs—especially post-reset.
• Conduct Regular Forensic Readiness: Maintain log review, incident playbooks, and partnerships with third-party cybersecurity firms.

The post Scattered Spider Hackers Shift Focus to U.S. Insurance Firms: Expert Analysis appeared first on First Hackers News.

These vulnerabilities, ranging from 5.3 (Medium) to 9.8 (Critical) in severity, are all linked to the PAPI (Protocol Application Programming Interface) protocol.

ArubaOS Critical Vulnerability

Unauthenticated Buffer Overflow Vulnerability

This vulnerability, present in multiple areas, could enable threat actors to execute unauthenticated remote code on vulnerable systems.

Exploiting this vulnerability could result in the execution of arbitrary code with elevated privileges. The vulnerability exists in various components with different severities:

• Utility Daemon (CVE-2024-26305 – 9.8 (Critical))
• L2/L3 Management Service (CVE-2024-26304 – 9.8 (Critical))
• Automatic Reporting Service (CVE-2024-33511 – 9.8 (Critical))
• Local User Authentication Database (CVE-2024-33512 – 9.8 (Critical))

Unauthenticated Denial-Of-Service

This vulnerability enables a threat actor to disrupt the normal functioning of the affected product, rendering it inoperable. The vulnerability occurs in multiple components with the following severities:

• AP Management Service (CVE-2024-33513, CVE-2024-33514, CVE-2024-33515 – 5.9 (Medium))
• Auth Service (CVE-2024-33516 – 5.3 (Medium))
• Radio Frequency Manager Service (CVE-2024-33517 – 5.3 (Medium))
• Radio Frequency Daemon (CVE-2024-3518 – 5.3 (Medium))

Affected Products and Fixed Versions

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post ArubaOS Critical Vulnerability Allows Remote Code Execution by Attackers appeared first on First Hackers News.

Hackers Exploit SVG Image Files for GUloader Malware

GuLoader is notorious for its stealth capabilities and capacity to circumvent conventional security measures by employing polymorphic code and encryption.

These features enable it to constantly alter its structure, posing challenges for antivirus software and intrusion detection systems in detecting its presence. SpiderLabs’ observations indicate a significant surge in the utilization of GuLoader.

McAfee Labs has recently detected a campaign involving the distribution of GUloader through malicious SVG files delivered via email.

SVG stands for Scalable Vector Graphics. Furthermore, it is a widely used file format for vector graphics that describes two-dimensional graphics in XML format. Moreover, SVG files are used for various purposes, including web design, icons, logos, illustrations, and interactive graphics.

One of the main advantages of SVG files is that they can be scaled to any size without losing quality, making them ideal for responsive web design and high-resolution displays. Additionally, SVG files can be edited with text editors or graphic design software. Moreover, they support features like animations and interactivity through JavaScript.

The infection process initiates when a user opens an SVG file attached to an email. This action prompts the browser to download a ZIP file that contains a Windows Script File (WSF).

The WSF file then executes, utilizing wscript to invoke a PowerShell command that establishes a connection to a malicious domain. Consequently, it executes hosted content, including shellcode injected into the MSBuild application.

More details

The attack begins with a spam email containing an SVG file named “dhgle-Skljdf.svg”. Embedded JavaScript within the SVG file triggers the creation of a malicious ZIP archive upon opening.

Once extracted, the ZIP file reveals an obfuscated WSF script, thereby complicating analysis.

This script employs PowerShell to establish a connection to a malicious domain and execute the retrieved content. Additionally, this content includes base64-encoded shellcode and a PowerShell script.

The PowerShell script endeavors to inject the shellcode into the legitimate MSBuild process through the Process Hollowing technique.

Following injection, the shellcode conducts an anti-analysis check and alters the Registry run key to establish persistence.

In the last stage, the process entails downloading and executing the final malicious executable, GUloader, or its variants.

The utilization of SVG files to distribute malware such as GUloader represents a worrisome advancement in the cybersecurity realm.

It’s imperative for organizations and individuals to exercise caution when encountering unexpected email attachments, particularly those containing SVG files.

Additionally, security professionals should prioritize updating their detection systems to effectively mitigate this evolving threat.

IOCs

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Hackers Exploit SVG Image Files for GUloader Malware Distribution appeared first on First Hackers News.

These files can serve as conduits for delivering multiple payloads to target users, enabling attackers to exploit vulnerabilities or execute various malicious operations once the files are extracted.

Cybercriminals Exploit Weaponized ZIP

Recently, cybersecurity analysts at ANY.RUN uncovered active exploitation by hackers utilizing weaponized ZIP files to pilfer NTLM hashes.

The ingenious aspect lies in the intricate crafting of a 450-byte template for this HTML page. This page facilitates encrypted HTTP traffic redirection through multiple nodes. Facilitating this process is Google App Script (GAS), which receives requests from compromised systems.

Furthermore, the attackers employ the SMB protocol for implementation, utilizing the impacket-smbserver tool on their servers. This integration adds complexity and sophistication, indicative of a meticulously planned cyber strategy.

When the HTML content is opened, the attackers obtain the following user data:

• IP address
• NTLM challenge data
• Username
• Victim’s computer name

MITRE

• Phishing (T1566)
• User and PC name enumeration (T1589)
• NTLM compromise (T1187)

Recommendation

To block these exploits effectively, consider implementing the following recommendations:

1. Security Awareness Training: Educate users about the risks associated with opening attachments or clicking on links from unknown or suspicious sources.
2. Email Filtering: Utilize advanced email filtering solutions to detect and block malicious attachments and links before they reach users’ inboxes.
3. Web Filtering: Employ web filtering tools to block access to known malicious websites and prevent users from inadvertently downloading malicious files.
4. Network Segmentation: Segment your network to limit the spread of malware in case of a successful breach. This can prevent attackers from easily moving laterally within your network.
5. Patch Management: Keep all software, including operating systems, web browsers, and plugins, up to date with the latest security patches to mitigate known vulnerabilities.
6. Antivirus and Anti-Malware Software: Deploy robust antivirus and anti-malware solutions across all endpoints to detect and remove malicious files and activities.
7. Behavioral Analysis: Implement security solutions that use behavioral analysis techniques to identify and block suspicious activities, such as abnormal file behavior or network traffic patterns.
8. Disable SMBv1: Consider disabling the outdated SMBv1 protocol, which is commonly exploited by attackers, and encourage the use of more secure versions like SMBv2 or SMBv3.
9. Network Monitoring: Monitor network traffic and system logs for signs of unusual or suspicious activity, which could indicate a potential exploit attempt.
10. Incident Response Plan: Develop and regularly update an incident response plan to ensure a prompt and coordinated response to security incidents, including the mitigation of exploits and the restoration of affected systems.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Cybercriminals Exploit Weaponized ZIP Files to Acquire NTLM Hashes appeared first on First Hackers News.

COLDFUSION ACE VULNERABILITIES EXPLOITED IN REAL-WORLD ATTACKS

On January 8, CISA issued their routine advisory on recently exploited vulnerabilities, highlighting two security breaches in Adobe ColdFusion, both traced back to the summer of 2023.

Despite the availability of patches around the same timeframe, the organization expresses certainty about the exploitation, aligning with prevailing trends. The concern intensifies as both vulnerabilities carry a CVSS rating of 9.8, indicating a high level of risk associated with their utilization in cyberattacks.

Both CVE-2023-29300 and CVE-2023-38203 highlight inadequate data validation during deserialization, resulting in arbitrary code execution (ACE). Intriguingly, both vulnerabilities affect the same string versions of ColdFusion – 2018, 2021, and 2023.

Exploiting these vulnerabilities involves sending a specially crafted data package to a vulnerable ColdFusion server, allowing adversaries to execute desired code without requiring user interaction, thereby heightening the severity of the vulnerability.

Arbitrary code execution vulnerabilities not only provide entry points but also opportunities for lateral movement. The ease of exploitation, requiring no user input, makes it a straightforward process. Given ColdFusion’s popularity as an app server solution, compromising it facilitates access to critical information, making finding a victim effortless.

List of Affected ColdFusion Versions

 Here is the list of ColdFusion versions that are no longer vulnerable to the said exploits:

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Two Adobe ColdFusion Vulnerabilities Exploited in The Wild appeared first on First Hackers News.