Malware

🟠 High | Source: The Hacker News A China-linked threat actor, TA4922, has expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known malware families including ValleyRAT and Atlas RAT, with a rapidly evolving toolkit suggesting well-resourced, sustained operations. This represents a significant escalation in geographic scope and poses a direct threat to European enterprises. Architect’s Take: Review and tighten email gateway controls to block phishing lures associated with TA4922, and ensure endpoint detection rules cover ValleyRAT (Winos 4.0) and Atlas RAT indicators. Consider hunting for lateral movement or C2 beaconing patterns consistent with these RAT families across cloud-hosted workloads and on-premises infrastructure. ...

🟠 High | Source: The Hacker News A China-linked threat group, TA4922, has significantly expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known remote access trojans including ValleyRAT and Atlas RAT, with a fast-moving operational pace and an evolving malware toolkit. This matters because the expansion into European markets signals a deliberate strategic shift, increasing risk for organisations in these regions. ...

🟠 High | Source: The Hacker News A macOS malvertising campaign called Operation FlutterBridge is distributing a new backdoor, FlutterShell, through malicious Google and YouTube advertisements. The campaign is an evolution of a previously identified threat cluster (JSCoreRunner/FileRipple) first observed in late 2025. This matters because it uses trusted ad platforms to target macOS users, broadening the attack surface beyond traditional phishing vectors. Architect’s Take: Enforce endpoint detection and response (EDR) tooling on all macOS devices, including developer and privileged-access workstations, and consider restricting or monitoring ad-network traffic at the corporate proxy or DNS layer. Review browser isolation and application allowlisting policies to limit the execution of unsigned or unnotarised binaries delivered via browser-based download prompts. ...

🟠 High | Source: The Hacker News Attackers have built convincing fake websites impersonating popular open-source and freeware tools, engineering them to rank highly in Google search results. Visitors are silently routed through a Traffic Distribution System (TDS) that profiles them before delivering tailored malware, including credential stealers and session hijacking frameworks. The campaign is notable for its scale and the quality of the spoofed sites, making it easy for developers and engineers to be deceived. ...

🟠 High | Source: The Hacker News Attackers have created convincing fake websites impersonating popular open-source tools, optimising them to rank highly on Google search results. Visitors are silently routed through a Traffic Distribution System (TDS) that delivers malware including credential stealers and session hijacking frameworks. This is a supply chain-adjacent threat targeting developers and technical users who search for and download software directly from the web. Architect’s Take: Enforce organisational policies requiring software to be sourced only from verified package managers (npm, PyPI, etc.) or official repositories, and block direct binary downloads from unvetted sites via web proxy or CASB controls. Consider adding developer workstations to your threat model and ensure EDR coverage extends to engineering endpoints. ...

🟡 Medium | Source: The Register — Security A ransomware operator has broken the unwritten but widely observed rule among Russian-speaking cybercriminal groups by attacking targets within Russia or CIS countries, drawing attention to themselves and likely facing consequences from both law enforcement and criminal peers. This norm has historically served as an informal shield, with many ransomware variants including code to abort execution if a CIS locale is detected. The incident highlights the internal politics and geographic conventions that shape how ransomware gangs operate. ...

🟠 High | Source: The Hacker News Russian state-linked threat group Gamaredon is actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to deploy a chain of malware against Ukrainian targets. The attack begins with an HTML Application payload (GammaPhish) which then downloads further malware including GammaWorm and GammaSteel, designed for data theft and lateral propagation. This is a targeted, state-sponsored campaign with significant implications for organisations operating in or with Ukraine. ...