VulnHub

Researchers have identified a malware campaign utilizing AsyncRAT, a remote access tool, which is being cleverly masked by cybercriminals through Cloudflare's services. By using Cloudflare’s free-tier offerings and TryCloudflare tunneling domains, attackers are able to host malicious WebDAV servers. This tactic allows them to hide their operations behind a trusted infrastructure, making detection more difficult. The campaign raises significant concerns for organizations relying on Cloudflare, as it shows how legitimate services can be exploited for malicious purposes. Companies must remain vigilant and enhance their security measures to counteract such deceptive tactics that can lead to unauthorized access and data breaches.

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyberattacks targeting Ukraine's defense forces, utilizing a malware known as PLUGGYAPE. These attacks are believed to be linked to the Russian cyber group Void Blizzard, also referred to as Laundry Bear or UAC-0190. The attacks come amidst ongoing tensions and conflict in the region, raising concerns about the security of military operations in Ukraine. Given the group’s history and capabilities, these incidents could pose significant risks to the integrity of defense communications and operations. The situation underscores the continuing cyber warfare component of the conflict, as nation-states increasingly rely on digital tactics alongside traditional military strategies.

A new malware campaign known as PluggyApe has been targeting defense officials in Ukraine. The attackers have been using a charity theme to lure victims into clicking on links that lead to a fake charitable foundation website. This tactic involves sending instant messages through platforms like Signal and WhatsApp, making it appear as though the outreach is legitimate. The campaign's focus on defense personnel raises concerns about the potential for sensitive information to be compromised, especially given the ongoing conflict in the region. As cyber threats continue to evolve, this incident serves as a reminder of the need for vigilance among individuals and organizations against social engineering tactics.

Predator spyware has been found to be more advanced and dangerous than previously thought, turning failed cyberattacks into valuable intelligence for future exploits. This software can collect data from targets even when initial attacks do not succeed, making it a persistent threat. Researchers have indicated that this capability allows attackers to refine their methods and strategies, increasing the likelihood of successful future breaches. The implications are significant for individuals and organizations that could be targeted, as it raises concerns about privacy and security. As this spyware evolves, it poses a greater risk to sensitive information and personal data.

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyber attacks targeting Ukrainian defense forces using a malware called PLUGGYAPE. These attacks occurred between October and December 2025 and have been linked to a Russian hacking group known as Void Blizzard. This group, also referred to as Laundry Bear or UAC-0190, has been active for several years. The use of popular messaging platforms like Signal and WhatsApp suggests that attackers are exploiting familiar tools to deliver their malware, making detection and prevention more challenging. This incident raises concerns about the cybersecurity of military organizations, especially in conflict zones, where the integrity of communications is crucial.

From October to December 2025, Ukraine's Defense Forces were targeted by a malware campaign disguised as a charity initiative. The attackers deployed backdoor malware known as PluggyApe, which allowed them unauthorized access to sensitive systems. This incident raises concerns about the security of military communications and the potential for further cyberattacks against Ukraine amidst ongoing tensions. The use of a charity theme to lure victims highlights the evolving tactics of cybercriminals, making it crucial for organizations to remain vigilant. As the conflict continues, the implications of such attacks could extend beyond immediate data breaches, affecting national security and public trust.

A new phishing campaign is targeting employees by exploiting their anxiety around performance reviews. The attackers are sending emails that impersonate management or HR, claiming to discuss performance evaluations scheduled for October 2025 and falsely hinting at potential layoffs. This tactic aims to create urgency and fear, prompting recipients to click on malicious links or download malware. Companies and employees need to be vigilant, as these scams can lead to data breaches or financial loss. The incident highlights the need for better cybersecurity awareness and training, especially during sensitive times like performance review periods.

Researchers have uncovered a significant web skimming campaign that has been stealing credit card information from online checkout pages since January 2022. This attack primarily targets major payment networks, including American Express, Mastercard, and UnionPay, affecting enterprise organizations that use these payment services. The skimming malware is designed to capture sensitive payment information as users enter it during online transactions. As a result, customers of these affected enterprises may be at risk of fraud and identity theft. It’s crucial for businesses to enhance their security measures and for users to monitor their financial statements for any suspicious activity.

The latest Security Affairs Malware newsletter covers a range of malware-related issues affecting users and organizations globally. One notable threat is the VVS Discord Stealer, which employs Pyarmor to obfuscate its code and evade detection. Additionally, researchers are raising alarms about malicious NPM packages that deliver the NodeCordRAT, a remote access tool that can compromise systems. The newsletter also discusses a new campaign linked to the Astaroth worm, which is being spread through WhatsApp in Brazil. These findings highlight the ongoing challenges in malware detection and the evolving tactics used by cybercriminals, putting many users at risk.

MuddyWater, an Iranian hacking group, has launched a spear-phishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom organizations. The attackers are using malicious Word documents that employ icon spoofing to trick users into activating a Rust-based remote access tool (RAT) known as RustyWater. This malware allows for asynchronous command and control, registry persistence, and anti-analysis capabilities, making it difficult for victims to detect and remove. The implications of this campaign are significant, as it could compromise sensitive information and disrupt critical infrastructure in the affected sectors. Organizations in these areas should be vigilant and enhance their cybersecurity measures to protect against such targeted attacks.

The FBI has issued a warning about a phishing campaign linked to North Korea's Kimsuky APT group, which is using QR codes as part of their tactics. This group is known for targeting individuals and organizations, particularly in sectors like defense and technology. By embedding malicious links in QR codes, attackers aim to trick victims into providing sensitive information or downloading malware. This method is particularly concerning as QR codes are increasingly used in everyday transactions, making it easier for attackers to exploit unsuspecting users. Organizations and individuals should be vigilant and verify the legitimacy of QR codes before scanning them, as this campaign highlights a growing trend in cyber threats.

The China-linked hacking group UAT-7290 has been actively spying on telecom providers in South Asia and Southeastern Europe since 2022. This group uses modular malware, including tools named RushDrop, DriveSwitch, and SilentRaid, to infiltrate and monitor their targets. By embedding deeply within the victim networks, they conduct extensive espionage operations that could compromise sensitive communications and data. The ongoing attacks raise concerns about the vulnerability of telecom infrastructure in these regions and the potential risks to national security and privacy for users. As these threats continue to evolve, it is crucial for telecom companies to enhance their cybersecurity measures to protect against such sophisticated espionage tactics.

Attackers are employing a combination of social engineering tactics, including fake CAPTCHAs and counterfeit Blue Screen of Death (BSOD) messages, to trick users into executing harmful code. This method, known as ClickFix, prompts victims to copy and paste malicious scripts, potentially compromising their systems. The attacks primarily target unsuspecting Windows users who may panic upon seeing the fake BSOD, believing their computer has crashed. It's crucial for users to be aware of these tactics and to verify the legitimacy of any error messages before taking action. This incident serves as a reminder of the importance of maintaining vigilance against deceptive online threats.

A new wave of attacks using GoBruteforcer malware is targeting cryptocurrency and blockchain projects by exploiting exposed databases. Researchers believe that many of these databases are improperly configured, potentially using AI-generated examples as templates. This makes them vulnerable to brute force attacks, where attackers try numerous password combinations to gain unauthorized access. The focus on crypto and blockchain projects is particularly concerning given the high value of assets and sensitive information involved. Companies in this space need to ensure their servers are securely configured to prevent these types of attacks, as the risk of data breaches and financial losses is significant.