VulnHub

Cybersecurity researchers have identified a JavaScript-based command-and-control framework named PeckBirdy, which has been utilized by China-aligned hackers since 2023. This framework has primarily targeted the Chinese gambling industry, as well as various Asian government entities and private organizations. Trend Micro reports that the flexibility of PeckBirdy allows these attackers to adapt their methods for different environments. The use of such sophisticated tools raises concerns about the security of critical sectors, especially in regions where these attacks are focused. It's crucial for organizations in the affected areas to enhance their security measures to defend against these ongoing threats.

Kaspersky researchers have identified updates to the CoolClient backdoor and the deployment of new tools associated with the HoneyMyte group, also known as Mustang Panda or Bronze President. This group is known for its advanced persistent threat (APT) campaigns, which have now introduced three variants of a browser data stealer. These updates suggest an ongoing effort by attackers to enhance their capabilities and target sensitive data from users. The implications are significant, as organizations and individuals could be at risk of having their personal and financial information stolen. Users are encouraged to remain vigilant and ensure their systems are protected against these evolving threats.

Poland's energy sector recently faced a severe cyber attack attributed to the Russian hacking group Sandworm. This incident involved a wiper malware that aimed to disrupt the functioning of the power grid, posing significant risks to the country's energy stability. Authorities have raised alarms about the potential for further attacks, as Sandworm is known for its destructive tactics and has previously targeted critical infrastructure. The implications of this attack extend beyond Poland, reflecting ongoing geopolitical tensions and the vulnerability of national infrastructures to cyber warfare. As the situation develops, experts urge energy companies to enhance their cybersecurity measures to prevent similar incidents in the future.

Russian hackers known as Sandworm have been accused of launching a cyberattack on Poland's power grid using data-wiping malware. This incident comes a decade after they disrupted the Ukrainian power grid, indicating a pattern of targeting critical infrastructure in Eastern Europe. The attack poses significant risks, not only to Poland's energy supply but also raises concerns about regional security and the potential for similar incidents in other countries. As tensions between Russia and NATO continue, this incident could escalate fears about cyber warfare and its impact on national security. Authorities are investigating the attack and assessing the full extent of its impact on the power grid operations.

In December 2025, Poland experienced a significant cyber attack on its power grid, attributed to the Russia-linked hacking group Sandworm. Researchers from ESET analyzed the malware involved and determined that the attack was one of the largest targeting Poland's energy infrastructure. The involvement of Sandworm, known for its previous cyber operations, raises concerns about the security of critical national systems. This incident not only endangers the stability of Poland's energy supply but also highlights the ongoing risks posed by state-sponsored cyber threats in Europe. As nations increasingly rely on digital infrastructure, the implications for energy security and national defense become more pronounced.

Researchers from Resecurity have uncovered a new malware called PDFSIDER that takes advantage of the legitimate PDF24 application to steal sensitive data and provide attackers with remote access to compromised systems. This malware is part of a sophisticated campaign targeting corporate networks, utilizing spear-phishing tactics to lure victims and encrypted communications to evade detection. Companies using PDF24 should be particularly vigilant as this attack leverages a trusted application, making it easier for attackers to bypass security measures. The implications are serious, as this could lead to significant data breaches and unauthorized access to sensitive corporate information.

Cisco has addressed a serious flaw in its Secure Email products, which was exploited by a China-linked hacking group known as UAT-9686. The vulnerability, tracked as CVE-2025-20393, has a maximum severity score of 10.0 and affects the Secure Email Gateway and Email and Web Manager. Attackers were able to exploit this flaw as a zero-day, meaning it was actively used in attacks before a patch was made available. It's crucial for users of these products to apply the latest updates to protect their systems from potential exploitation. This incident highlights the ongoing risks posed by advanced persistent threat groups targeting widely used software.

A significant data breach has exposed the personal information of 17.5 million Instagram users. The breach is attributed to a North Korea-linked hacking group known as Kimsuky, which has been involved in various cyberattacks, including a new tactic called 'quishing.' This method combines phishing with QR codes, making it easier for attackers to deceive victims into revealing sensitive information. The scale of the breach raises concerns about user privacy and security, particularly for those whose data has been compromised. Users are urged to change their passwords and enable two-factor authentication to enhance their security.

The FBI has issued a warning about a phishing campaign linked to North Korea's Kimsuky APT group, which is using QR codes as part of their tactics. This group is known for targeting individuals and organizations, particularly in sectors like defense and technology. By embedding malicious links in QR codes, attackers aim to trick victims into providing sensitive information or downloading malware. This method is particularly concerning as QR codes are increasingly used in everyday transactions, making it easier for attackers to exploit unsuspecting users. Organizations and individuals should be vigilant and verify the legitimacy of QR codes before scanning them, as this campaign highlights a growing trend in cyber threats.

The latest Security Affairs Malware newsletter outlines several concerning cybersecurity incidents. Notably, the Evasive Panda APT group has been reported to poison DNS requests to deploy MgBot, a type of malware. Additionally, there is a spear-phishing campaign that targets U.S. and allied manufacturing and healthcare organizations by exploiting vulnerabilities in the npm registry. Furthermore, details have emerged about a supply chain incident involving EmEditor, where information-stealing malware has been distributed. These incidents demonstrate the ongoing threat posed by sophisticated cyber actors, particularly in sectors critical to national security and public health.

In April and May 2023, a Chinese advanced persistent threat (APT) group exploited a zero-day vulnerability in Ivanti's Endpoint Mobile Management (EPMM) platform, impacting thousands of organizations. This attack allowed unauthorized access and control over mobile devices managed through Ivanti's software, raising serious concerns about the security of sensitive data within those systems. The incident serves as a stark reminder of the vulnerabilities that can exist in widely used management tools. Security experts warn that similar attacks could occur again if organizations do not take proactive measures to secure their systems. Companies using Ivanti EPMM should assess their security posture and implement necessary updates to prevent future breaches.

Researchers have identified a new tactic used by the Chinese advanced persistent threat group, Mustang Panda, involving a kernel-mode rootkit. This rootkit utilizes a signed driver file that contains two user-mode shellcodes to deploy the ToneShell backdoor. This method allows the attackers to gain deeper access to the victim's systems, making detection more difficult. Organizations should be aware of this sophisticated technique, as it poses significant risks to data integrity and security. Protecting systems against such advanced threats is crucial for maintaining cybersecurity hygiene.

Kaspersky has reported on a new campaign from the HoneyMyte APT group, also known as Mustang Panda or Bronze President, which has evolved to use a sophisticated kernel-mode rootkit. This rootkit is designed to deploy and secure a backdoor known as ToneShell, which allows attackers to maintain persistent access to compromised systems. The implications of this development are significant, as it enhances the group’s ability to infiltrate networks and evade detection. Organizations need to be vigilant against these advanced tactics to protect sensitive data and maintain system integrity. This campaign highlights the ongoing threats posed by state-sponsored hacking groups and the need for robust cybersecurity measures.

A Chinese cyberespionage group known as Evasive Panda has been using a technique called DNS poisoning to install a backdoor known as MgBot on targeted systems in Türkiye, China, and India. Kaspersky researchers identified this campaign, which shows the group's focus on espionage activities against specific entities in these countries. DNS poisoning allows attackers to redirect victims to malicious servers without their knowledge, facilitating the installation of the backdoor. This incident raises concerns about the security of sensitive information, as the MgBot backdoor can provide attackers with ongoing access to compromised systems. Organizations in the affected regions should be vigilant and strengthen their cybersecurity measures to protect against such sophisticated attacks.