VulnHub

A new botnet named SSHStalker has emerged, targeting Linux servers and infecting around 7,000 systems. This botnet exploits vulnerabilities from older 2009-era software, utilizing IRC bots and mass-scanning techniques to gain access. Researchers from Flare discovered SSHStalker while monitoring SSH honeypots over a two-month period, specifically using weak credentials to attract attackers. The presence of this botnet underscores the ongoing risk posed by outdated security measures, especially for systems that have not been updated in years. Users and administrators of Linux servers need to be vigilant and ensure their systems are secure against such legacy exploits.

A North Korea-associated hacking group known as UNC1069 is targeting cryptocurrency organizations to steal sensitive information from both Windows and macOS systems. Their approach involves social engineering tactics, including the use of a compromised Telegram account to set up a fake Zoom meeting. This deception leads victims to download malware through a method called ClickFix, which researchers believe may also utilize AI-generated content to enhance its effectiveness. The implications of these attacks are significant, as they not only threaten the financial security of targeted companies but also highlight the evolving tactics used by cybercriminals in the cryptocurrency sector. Protecting against such sophisticated schemes is increasingly critical for organizations in this space.

A recent cybersecurity incident has raised concerns involving multiple companies, including Ivanti and SmarterTools. Researchers discovered a malware strain named ZeroDayRat that targets users of certain gambling platforms in Singapore. This malware is designed to steal sensitive data, potentially impacting users' personal and financial information. The incident is particularly alarming as it highlights the risks associated with online gambling and the importance of securing personal data against such threats. Users are advised to remain vigilant and ensure their devices are protected against this evolving malware.

The article discusses the threat posed by a malware known as ZeroDayRAT, which has been identified as a form of stalkerware. This malware can bypass multi-factor authentication (MFA) by gaining access to users' SIM cards, location data, and recent text messages. With this information, attackers can take over accounts or conduct targeted social engineering attacks. The implications are serious, as individuals' privacy and security can be compromised, leading to potential identity theft or harassment. Users need to be vigilant about their mobile security and consider additional protective measures to safeguard their information.

A new cyber campaign known as Bloody Wolf is actively targeting individuals in Uzbekistan and Russia using the NetSupport Remote Access Trojan (RAT). Researchers report that around 50 victims have been affected in Uzbekistan and about 10 in Russia, with smaller numbers in Kazakhstan, Turkey, Serbia, and Belarus. This type of malware allows attackers to gain control over infected systems, posing significant risks to personal and sensitive information. The targeting of these specific regions suggests a focused effort by the attackers, likely indicating political or economic motivations behind the campaign. Users in these countries should be vigilant about suspicious emails and software installations to protect against such threats.

A new phishing campaign linked to the Phorpiex malware is targeting users globally, delivering ransomware through emails with malicious attachments. These emails often use deceptive double extensions, such as Document.doc.lnk, to trick recipients into opening them. Once activated, the malware can spread across networks, potentially locking files and demanding ransom payments from affected organizations. This ongoing threat, active throughout 2024 and 2025, poses significant risks to businesses and individuals alike, as it can lead to the loss of sensitive data and financial resources. Users need to remain vigilant about email attachments and ensure robust security measures are in place to defend against such attacks.

A new botnet called SSHStalker has compromised approximately 7,000 Linux systems, primarily those hosted in the cloud. This botnet uses Internet Relay Chat (IRC) for control and automates attacks via Secure Shell (SSH) to gain access to these systems. The attackers are exploiting weak SSH credentials, making it crucial for system administrators to strengthen their password policies and implement key-based authentication. This incident highlights the ongoing vulnerability of Linux servers to automated attacks and the importance of maintaining strong security practices. Users need to be vigilant and consider regular audits of their SSH configurations to prevent unauthorized access.

A fraudulent 7-Zip website has emerged, distributing a compromised version of the popular file archiving software. This malicious installer includes a trojan that converts the user's computer into a residential proxy node, which can be used by attackers for various illicit activities. Users who unknowingly download this installer are putting their machines at risk and could potentially face privacy violations or further exploitation. This situation is particularly concerning as it exploits the trust many people have in widely used software like 7-Zip. It's crucial for users to ensure they download software only from official sources to avoid similar threats.

A new Linux botnet named 'SSHStalker' has reportedly infected around 7,000 systems. This botnet employs a mass-compromise strategy, utilizing various scanners and malware to gain control over vulnerable devices. The attackers are likely taking advantage of outdated security practices, which makes this incident a reminder for system administrators to enhance their security measures. The widespread nature of this botnet indicates that many users might be at risk, especially if their systems are not properly secured. Addressing these vulnerabilities is crucial to prevent further infections and potential data breaches.

A new strain of ransomware known as Global Group is being distributed through phishing emails. This malware is particularly concerning because it can encrypt files without requiring an internet connection, meaning that even offline systems are at risk. Organizations and individuals who fall victim to these phishing attacks could face significant data loss and operational disruptions. Cybersecurity experts warn that the ease of delivery via email makes this a widespread threat that could affect various sectors. Users are advised to be cautious with unsolicited emails and to implement robust security measures to protect against potential attacks.

VoidLink is a newly identified Linux-based command-and-control (C2) framework that is designed to facilitate credential theft and data exfiltration across multiple cloud platforms. This malware allows attackers to gain unauthorized access to sensitive information, posing a significant risk to organizations that rely on cloud services. As it targets systems in a multi-cloud environment, companies using cloud storage and applications are particularly vulnerable. The presence of AI code within VoidLink suggests that it may employ advanced techniques to evade detection and enhance its operational capabilities. This development is concerning for cybersecurity professionals, as it indicates a growing sophistication in the tools used by cybercriminals.

Researchers have identified a significant cyber campaign known as the TeamPCP worm, which has been targeting cloud-native environments since late December 2025. This worm exploits vulnerabilities in widely used technologies, including exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. By hijacking these services, attackers are able to create a malicious infrastructure for further exploitation. This situation is alarming as it can potentially affect numerous organizations that rely on these cloud services for their operations. Companies need to ensure their cloud environments are properly secured against such vulnerabilities to prevent unauthorized access and data breaches.

Researchers at Cisco Talos have identified a toolkit called DKnife that has been in use since 2019 to hijack router traffic for cyber-espionage purposes. This Linux-based toolkit allows attackers to inspect and alter data as it travels through routers and edge devices. It can also install malware on various devices, including PCs and smartphones. The implications of this toolkit are significant, as it poses a threat to the confidentiality and integrity of sensitive data transmitted over networks. Users and organizations relying on affected routers should be particularly vigilant about their network security practices to mitigate potential risks.

The DKnife toolkit has been in use since 2019, allowing attackers to hijack traffic from edge devices to spy on users and deliver malware. This toolkit targets routers and other network devices, making it a significant threat to both individuals and organizations that rely on these systems for internet connectivity. By intercepting data, attackers can monitor communications and potentially steal sensitive information. The ongoing use of DKnife illustrates the persistent risks posed by advanced cyber espionage techniques. Users and companies need to be vigilant about securing their network devices to prevent such intrusions.

Researchers have identified a supply chain attack affecting legitimate npm and PyPI packages, specifically targeting versions of @dydxprotocol/v4-client-js. The compromised versions include 3.4.1, 1.22.1, 1.15.2, and 1.0.31. Attackers have modified these packages to distribute malware designed to steal cryptocurrency wallet credentials and enable remote access through RAT (Remote Access Trojan) software. This incident poses a significant risk to developers and users relying on these packages, as it can lead to unauthorized access to sensitive financial information. Companies and individual developers should review their dependencies and ensure they are using safe versions to mitigate potential risks.