Between October 2025 and March 2026, security analysts observed a significant spike in phishing campaigns leveraging webhook functionality. These attacks take advantage of how automation tools are designed to connect apps and process real-time data, effectively turning a business productivity feature into a delivery channel for cyber threats.

How the Attack Works

Platforms like n8n and Zapier use webhooks to trigger workflows when a user interacts with a specific URL. Attackers are now embedding these webhook URLs into phishing emails, often disguising them as trusted services like file-sharing links.

When a victim clicks the link, the webhook triggers a workflow that dynamically serves content based on the user’s system or browser data. This makes the attack highly adaptive and harder to detect.

In many observed cases, users are redirected to fake pages that mimic services such as cloud storage platforms. These pages may include CAPTCHA-style verification to appear legitimate. Once the user interacts, a malicious file is downloaded—often disguised as a document or installer.

• Attackers use trusted webhook URLs to bypass security filters
• Payloads are dynamically tailored based on victim device data

Advanced Techniques and Impact

Research from Cisco Talos shows that attackers are not just delivering malware—they are also using these workflows to collect valuable data about their targets.

Some campaigns install remote monitoring tools that give attackers persistent access to infected systems. Others use tracking techniques, such as invisible pixels in emails, to monitor when messages are opened and gather device-level information.

Because the traffic originates from legitimate platforms, it blends into normal network activity. This makes it much harder for traditional security tools to flag or block the attack.

This campaign highlights a major shift in cyber threats. Instead of breaking into systems directly, attackers are abusing trusted tools that organizations rely on every day. As automation and AI-driven workflows become more common, they also introduce new risks that defenders must account for.

The post n8n Webhook Malware: Hackers Exploit Automation to Spread Attacks appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.

How the Attack Tricks Users

ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”

The page guides the user through a simple-looking process:

• Press Win + R to open the Run dialog
• Paste a pre-copied command using Ctrl + V
• Hit Enter to execute it

To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.

How It Evades Detection

Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.

A few key techniques make this variant harder to detect:

• Uses WebDAV to fetch remote files like a network share
• Executes DLL functions using ordinal numbers (#1) instead of readable names
• Avoids early use of PowerShell to bypass common detection rules
• Runs most of the attack in memory, leaving minimal traces on disk

After the initial stage, PowerShell is used quietly with flags like -NoP and -NonI, along with IEX (Invoke-Expression) to load additional payloads.

The final payload, known as SkimokKeep, includes advanced evasion methods:

• Resolves system functions using hashing instead of direct imports
• Checks for sandbox or VM environments before running
• Uses anti-debugging tricks like timing checks
• Injects code into legitimate processes such as browsers

Why This Matters

This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What Security Teams Should Watch

To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:

• Monitor suspicious use of rundll32.exe, especially with WebDAV-related arguments
• Enable command-line logging for system binaries (LOLBins)
• Restrict or monitor WebDAV traffic over port 80
• Block known malicious IPs and domains linked to the campaign
• Educate users about fake CAPTCHA pages and ClickFix tricks

This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.

Block Known Malicious Infrastructure

Security teams should proactively block known indicators linked to this campaign to reduce exposure:

• 178.16.53[.]137
• 141.98.234[.]27
• 46.149.73[.]60
• 91.219.23[.]245

Suspicious domains to watch or block:

• mer-forgea.sightup[.]in[.]net
• data-x7-sync.neurosync[.]in[.]net

You can place this section right after the “What Security Teams Should Watch” section so it flows naturally as an action step.

The post ClickFix Variant Bypasses Detection Using Rundll32 & WebDAV appeared first on First Hackers News.

This update ensures that only drivers verified through Microsoft’s Windows Hardware Compatibility Program (WHCP) are allowed to run automatically. By enforcing stricter validation, Microsoft is reducing the risk of attackers using malicious drivers to gain deep, kernel-level access to systems.

This enhancement is crucial for maintaining high standards of Windows kernel driver security across all devices.

Kernel drivers operate at the core of the operating system, so any weakness in how they are signed or validated can be exploited. By removing support for legacy signing methods, Microsoft is closing a long-standing security gap.

Removal of Cross-Signed Drivers and Security Impact

The older cross-signing model allowed third-party certificate authorities to approve drivers without strict validation from Microsoft. While this approach helped with compatibility in the past, it also introduced security risks.

Attackers have historically abused this model by stealing signing keys and using them to install rootkits and other advanced malware. Even though Microsoft deprecated cross-signing in 2021, older certificates were still trusted by Windows systems until now.

With this update, that trust is fully removed. Drivers must now go through a stricter approval process that includes:

• Identity verification of the vendor
• Security and compatibility testing
• Malware scanning before certification

This significantly reduces the chances of malicious drivers being loaded into the Windows kernel.

Deployment Approach and Enterprise Considerations

To avoid disruptions, Microsoft is rolling out this change in stages. Initially, the system will monitor and evaluate driver activity before enforcing the block. This allows organizations to identify compatibility issues early.

Additionally, Microsoft will maintain an allow list for widely used legacy drivers to prevent system failures. If unsupported drivers are detected, enforcement may be delayed until the system is stable.

For enterprise environments, there is still controlled flexibility. Organizations that rely on custom kernel drivers can allow them using Application Control for Business policies. These policies must be securely signed and tied to UEFI Secure Boot, ensuring only trusted internal drivers are permitted.

Overall, this update marks a significant step toward strengthening Windows security by limiting kernel-level attack vectors and enforcing modern driver validation standards.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Windows 11 Blocks Untrusted Kernel Drivers to Improve Security appeared first on First Hackers News.

This issue, identified as CVE-2024-3094, impacts versions 5.6.0 and 5.6.1. The injected code is designed to stay hidden during normal review processes and only becomes active during the software build stage. Once active, it can interfere with SSH authentication, potentially allowing attackers to gain unauthorized access to affected systems.

Technical Impact and Mitigation

The attack is highly sophisticated, as the malicious components are not fully visible in the main source code. Instead, they rely on additional build-time elements to assemble and execute the payload. This makes detection difficult using standard code inspection methods.

Once deployed, the compromised library can alter how SSH authentication behaves, creating an opportunity for attackers to bypass normal security checks and access systems remotely.

Key highlights:

• CVE-2024-3094 affects xz and xz-libs versions 5.6.0 and 5.6.1
• Malicious code is triggered during the build process
• Targets SSH authentication mechanisms
• Impacts Fedora Rawhide, Fedora 40 Beta, Debian unstable, and openSUSE
• Red Hat Enterprise Linux (RHEL) remains unaffected

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Immediate Actions

• Downgrade to trusted xz version 5.4.x
• Stop using Fedora Rawhide until systems are secured
• Apply official patches and updates from Red Hat
• Monitor systems for unusual SSH behavior

Even though active exploitation has not been widely reported, the nature of this compromise makes it a high-risk issue. Prompt action is necessary to protect systems from potential unauthorized access.

The post xz Backdoor Vulnerability Exposes Linux Systems to Remote Access appeared first on First Hackers News.

Researchers observed over 21,000 command-and-control (C2) servers between July and December 2025. Along with this growth, attackers are increasingly using infected devices as residential proxies, not just for DDoS attacks.

This rise also aligns with a surge in massive DDoS campaigns. Reports highlight “hyper-volumetric” attacks, including one reaching 31.4 Tbps, showing how far these botnets have evolved. At the same time, botnet activity has sharply increased after a period of stability, indicating a renewed wave of large-scale operations.

Evolution of Mirai-Based Botnets

Mirai first appeared in 2016, targeting internet-connected devices such as routers and IoT systems that often rely on weak or default credentials. Once compromised, these devices are added to a botnet that can launch high-volume traffic floods across multiple layers.

The public release of Mirai’s source code played a major role in its growth. It allowed attackers to create multiple variants, each adding new capabilities while keeping the core attack techniques intact.

One well-known variant, Satori, rapidly spread by exploiting vulnerabilities in routers, especially through command injection flaws. It used automated scripts to download and execute malware across different device architectures, allowing infections to scale quickly without user interaction.

Expanding Capabilities and Abuse Techniques

Modern Mirai botnets are no longer limited to DDoS attacks. They are now being used in more advanced and flexible ways, increasing their overall impact.

Key capabilities seen in recent campaigns include:

• Large-scale DDoS attacks reaching record-breaking volumes
• Use of infected devices as residential proxy networks
• Automated exploitation of IoT vulnerabilities
• Multi-architecture malware deployment for wider coverage
• Stealthier operations to avoid detection

Aisuru-Kimwolf Expanding DDoS and Proxy Abuse

Newer botnet families like Aisuru and Kimwolf have taken Mirai-based threats to the next level. These botnets are now used not only for massive DDoS attacks but also as residential proxy networks that can be rented for cybercrime activities.

Security reports have linked Aisuru-Kimwolf to extremely large attacks, including one reaching 31.4 Tbps. These attacks often generate massive traffic with billions of packets per second, using random patterns to avoid basic detection and filtering systems.

At the same time, Kimwolf, which targets Android devices, is being used to exploit residential proxy services. Attackers use these networks to access internal systems, infect devices like smart TVs and smartphones, and then sell that access for activities such as fraud and credential stuffing.

Ongoing Threat and Defensive Focus

Law enforcement and tech companies have started taking action against these botnets by targeting their command-and-control infrastructure and disrupting the platforms used to manage proxy networks.

However, these efforts have not fully stopped the threat. Mirai-based botnets continue to survive and grow because many devices remain unpatched, especially routers and Android systems. Attackers can also quickly rebuild their infrastructure after disruptions.

For defenders, the focus should remain on strong basic security practices:

• Keep routers and IoT devices updated
• Monitor unusual outbound traffic
• Secure Android and edge devices
• Track indicators linked to Mirai variants

As these botnets continue to evolve, they are becoming more powerful and more versatile, combining large-scale disruption with stealthy abuse of network access.

The post Mirai Botnets Now Driving DDoS and Proxy Abuse appeared first on First Hackers News.

A recent demonstration by security researcher @matteyeux showed successful kernel read and write access on an iPad mini 6 running iOS 18.6.2 using the DarkSword exploit. This public validation shows that the exploit remains effective in real-world conditions and increases the risk for millions of Apple devices that have not yet been patched.

Google Threat Intelligence Group reportedly first observed DarkSword in active campaigns in November 2025. The exploit kit has been mainly linked to UNC6353, a suspected Russian espionage group that previously used the Coruna iOS exploit kit. Reported targets have included victims in Ukraine, Saudi Arabia, Turkey, and Malaysia, showing that the threat has already been used in focused international operations.

Technical Structure and Post-Compromise Activity

DarkSword is not just a single exploit but a complete exploit kit and infostealer written in JavaScript. The attack typically begins when a victim visits a compromised website containing a malicious iframe, a method commonly associated with watering hole attacks.

Once the target opens the page, the exploit escapes Safari’s WebContent sandbox. It then bypasses important Apple protections, including Trusted Path Read-Only and Pointer Authentication Codes, by abusing sensitive internal dyld structures in writable stack memory. The chain then moves through the GPU process by exploiting an out-of-bounds write flaw in the ANGLE graphics engine before targeting the XNU kernel through a Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver.

This gives attackers arbitrary memory read and write access, allowing them to modify sandbox restrictions and reach protected parts of the file system. Researchers also found that DarkSword operates fully in memory and quickly loads final-stage malware after compromise. Three malware families linked to the activity have been identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are designed to steal sensitive data, including secure messages, saved credentials, and cryptocurrency wallet information.

Security Response and Protection Measures

The public validation of DarkSword by independent researchers significantly increases the overall threat level. Once a working exploit chain becomes accessible beyond its original operators, the chances of wider abuse rise sharply.

The command-and-control infrastructure used in these operations adds to the concern. Instead of using obvious malicious domains, attackers relied on subdomains created on compromised legitimate websites, helping their traffic blend in and making detection harder.

To reduce risk, Apple users and enterprise security teams should ensure that all devices are updated immediately to iOS 26.1 or later, as these versions include fixes for the kernel vulnerabilities involved in the exploit chain. For high-risk users such as journalists, executives, and government personnel, enabling Apple’s Lockdown Mode can provide an additional layer of defense against advanced web-based attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Exploit Leaked Online, Putting Apple Devices at Risk appeared first on First Hackers News.

Unlike many traditional cyberattacks that focus on financial gain, wiper malware aims to cause maximum disruption. Once it infects a system, it can erase important information and damage operating systems, making recovery extremely difficult.

What is Wiper Malware

Wiper malware is a type of malicious software created to erase data, corrupt files, and damage operating systems. When activated, it begins deleting important files and may overwrite storage sectors so that the data cannot be recovered. Because of this destructive design, the main goal of the attack is to disrupt operations rather than extract financial value.

Key characteristics of wiper malware include

• Permanent deletion of files and system data
• Corruption of operating systems and boot records
• Disruption of entire networks and infrastructure

These capabilities allow attackers to cause severe operational damage within a short time.

Why Security Authorities Are Raising Concerns

Cybersecurity authorities are raising warnings because destructive malware campaigns have increased in recent years. Many attackers are shifting from traditional data theft to attacks that focus on operational damage and disruption.

Wiper malware is particularly dangerous because it can spread across connected systems and destroy large volumes of data. If organizations do not have reliable backup systems or recovery plans, restoring operations can take significant time and resources.

How Wiper Malware Enters a Network

Like many cyber threats, wiper malware typically enters a network through common attack techniques. Phishing emails, unpatched vulnerabilities, and compromised credentials are often used as the initial entry point.

Once attackers gain access, they may move across multiple systems within the network before deploying the destructive payload. This allows the malware to affect several machines at the same time, increasing the overall damage.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Potential Impact on Organizations

The impact of a wiper malware attack can be severe because the data destruction is usually permanent. Organizations may lose important files, operational systems, and access to critical services.

Possible consequences include

• Loss of sensitive and operational data
• Shutdown of business systems and services
• Financial losses caused by downtime
• Reputational damage and regulatory challenges

Organizations that do not maintain proper backups or incident response plans may struggle to recover quickly.

How Organizations Can Reduce the Risk

Organizations can lower the risk of destructive malware by strengthening their cybersecurity practices. Maintaining regular offline backups, applying system updates, and monitoring networks for unusual activity are important steps.

Security awareness training for employees is also essential, since phishing emails remain one of the most common entry points for malware attacks.

Conclusion

Wiper malware represents a serious cyber threat focused on destruction rather than financial gain. As cybersecurity authorities continue to warn about the growing risk, organizations must ensure that their defenses, monitoring capabilities, and backup strategies are strong enough to withstand such attacks.

Preparing in advance is essential to minimize disruption and protect critical digital infrastructure.

The post Wiper Malware: The Rising Cyber Threat Authorities Are Warning About appeared first on First Hackers News.

In this operation, attackers pretend to be internal IT support staff and convince victims to grant remote access to their computers. Once access is obtained, they deploy a stealthy malware tool called A0Backdoor to maintain long-term control of the system.

Researchers at BlueVoyant linked the activity to a threat group known as Blitz Brigantine, also tracked as Storm-1811.

How the Microsoft Teams Attack Begins

The campaign starts with a tactic designed to overwhelm the victim.

Attackers send a large number of spam emails to the target’s inbox in a short period of time. This “email bombing” creates confusion and pressure for the employee.

Soon after, the attacker contacts the victim through Microsoft Teams, pretending to be from the company’s IT help desk and offering to fix the email problem.

The victim is then guided to open Windows Quick Assist, a legitimate remote support tool built into Windows. Once the victim approves the request, the attacker gains full remote control of the device.

Malware Installation Process

After gaining access, the attackers begin installing malicious software on the system.

They download installer packages that appear to be legitimate updates for Microsoft Teams or Windows Phone Link. To make the files look trustworthy, the attackers:

• host the installers on Microsoft cloud storage accounts
• sign the files using digital certificates
• disguise them as normal software updates

When the installer runs, it places a real Microsoft application alongside a malicious file named hostfxr.dll.

When the legitimate program starts, it accidentally loads the malicious file instead. This technique is known as DLL sideloading, which allows malware to run quietly without raising suspicion.

Advanced Evasion Techniques

The malicious loader uses several tricks to avoid detection and analysis.

• checks system firmware for signs of virtual testing environments
• creates multiple junk processing threads to disrupt debugging tools
• uses time-based conditions to unlock the main payload

The malware only activates within a specific 55-hour time window, making it harder for researchers to analyze.

Another unusual trick involves an invisible space character hidden in a command line prompt. The malware requires this hidden character to generate the correct key needed to decrypt the final payload.

These techniques make the attack extremely difficult to study or reproduce.

A0Backdoor and Data Exfiltration

Once the protection checks are completed, the malware loads A0Backdoor directly into memory.

This backdoor allows attackers to collect information and maintain persistent access to the infected system.

The malware gathers details such as:

• system device information
• username and environment details
• network configuration data

This information helps attackers identify and manage compromised machines.

Using DNS Tunneling to Stay Hidden

To communicate with attacker servers without raising alarms, the malware uses a technique called DNS tunneling.

Instead of connecting directly to a suspicious command server, the malware sends requests through trusted public DNS resolvers such as 1.1.1.1 or 8.8.8.8.

These requests are disguised as normal mail exchange queries used in everyday email routing.

The attackers hide commands and stolen data inside long subdomains within the DNS requests. The public resolver forwards the request to the attacker’s server and sends the response back to the infected machine.

Because the traffic looks like regular network activity, it blends in with normal corporate operations.

The attackers also rely on older registered domains instead of new ones, helping them bypass security filters that often block recently created domains.

How Organizations Can Reduce Risk

Security experts warn that this campaign shows how attackers are shifting from traditional ransomware to more stealthy and targeted intrusion techniques.

Organizations should take several steps to reduce risk:

• train employees to verify IT support messages received through Microsoft Teams
• monitor and restrict remote access tools like Quick Assist
• block unapproved software installers from running on company systems
• watch for unusual DNS traffic patterns

Improving employee awareness and controlling remote access tools can significantly reduce the chances of these types of attacks succeeding.

Organizations should train employees to recognize signs of a Microsoft Teams attack to prevent remote access abuse.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Hackers Use Microsoft Teams Attack Method to Gain Remote Access appeared first on First Hackers News.

The vulnerability, tracked as CVE-2025-66168, could allow attackers to disrupt the service by sending specially crafted network packets. If exploited, the Apache ActiveMQ DoS vulnerability may cause the broker to behave unexpectedly and lead to Denial-of-Service (DoS) disruptions, interrupting data flow between connected systems.

Organizations that rely on ActiveMQ for messaging and application integration should review their deployments in light of the Apache ActiveMQ DoS vulnerability and apply the latest security updates.

It is crucial for organizations to stay informed about the Apache ActiveMQ DoS vulnerability and implement necessary security measures.

Understanding the Apache ActiveMQ DoS Vulnerability

The problem was discovered by security researcher Gai Tanaka and affects the way ActiveMQ processes MQTT protocol messages.

MQTT is commonly used in environments such as IoT platforms and systems with limited network bandwidth. The vulnerability occurs when the broker processes incoming MQTT packets without properly verifying a specific length value inside the packet structure.

If an attacker sends a malformed packet containing manipulated values, the broker may incorrectly calculate the size of the message. This can lead to processing errors that disrupt the broker’s normal operation.

How the Attack Works

An attacker must first establish a valid connection with the broker before sending the malicious packet.

Once connected, the attacker can send specially crafted MQTT packets that confuse the message parsing logic and trigger abnormal broker behavior.

Important conditions for exploitation include:

• The attacker must authenticate with the broker
• MQTT transport must be enabled on the server
• Malformed packets must be delivered after connection is established

Systems that do not use MQTT connectors are not affected by this specific vulnerability.

Affected Versions

The vulnerability impacts several releases of Apache ActiveMQ, including:

• Versions below 5.19.2
• Versions 6.0.0 to 6.1.8
• Version 6.2.0

Organizations running these versions should verify their deployments as soon as possible.

Patches and Recommended Actions

The Apache Software Foundation has released security updates that fix the packet validation issue.

Administrators should upgrade their systems to one of the following patched versions:

• 5.19.2
• 6.1.9
• 6.2.1

These updates improve packet validation and prevent the processing errors that could cause service disruption.

If upgrading immediately is not possible, administrators can temporarily lower the risk by turning off MQTT transport connectors, provided their applications do not require MQTT messaging.

Regular patching and monitoring remain essential for protecting messaging infrastructure from emerging vulnerabilities.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Apache ActiveMQ Vulnerability Enables DoS Attacks appeared first on First Hackers News.