Copyright The Hacker News

Cybercrime has stopped being a problem of just the internet — it’s becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors. The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political leverage. Understanding these links is no longer optional — it’s survival. For a full look at the most important security news stories of the week, keep reading.

Hidden flaws resurface in Windows core

Details have emerged about three now-patched security vulnerabilities in the Windows Graphics Device Interface (GDI) that could enable remote code execution and information disclosure. These issues – CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984 – involve out-of-bounds memory access triggered through malformed enhanced metafile (EMF) and EMF+ records, which can corrupt memory during image rendering. They are rooted in gdiplus.dll and gdi32full.dll, the libraries that process vector graphics, text, and print operations. Microsoft addressed them in the May, July, and August 2025 Patch Tuesday updates, in gdiplus.dll versions 10.0.26100.3037 through 10.0.26100.4946 and gdi32full.dll version 10.0.26100.4652.

"Security vulnerabilities can persist undetected for years, often resurfacing due to incomplete fixes," Check Point said. "A particular information disclosure vulnerability, despite being formally addressed with a security patch, remained active for years due to the original issue receiving only a partial fix. This example underscores a basic conundrum for researchers: introducing a vulnerability is often easy, fixing it can be difficult, and verifying that a fix is both thorough and effective is even more challenging."
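As an added illustration, and not code from Check Point or Microsoft: a minimal Python walker over EMF records that checks every record's declared size against the bytes actually remaining in the buffer. That is the class of bounds check whose absence lets a malformed record drive an out-of-bounds read during rendering. The record-header layout (a DWORD iType followed by a DWORD nSize) follows the EMF format; the byte strings below are constructed for the example and are not real files.

```python
import struct

# Record-header layout from the EMF format: every record begins with two
# little-endian DWORDs, iType (record type) and nSize (total record length,
# header included). EMR_HEADER must come first and EMR_EOF last.
EMR_HEADER = 0x01
EMR_EOF = 0x0E
RECORD_HDR_LEN = 8


class EmfFormatError(ValueError):
    """Raised when a record's declared geometry does not fit the buffer."""


def walk_emf_records(data: bytes) -> list[tuple[int, int, int]]:
    """Return (offset, type, size) for each record without reading past `data`.

    Every nSize is validated against the bytes actually remaining, so a
    record that claims more than exists is rejected instead of letting a
    consumer index beyond the buffer. A zero or sub-header nSize is rejected
    too, since it would stall the walk at the same offset forever.
    """
    records = []
    offset, end = 0, len(data)
    while True:
        if end - offset < RECORD_HDR_LEN:
            raise EmfFormatError(f"truncated record header at offset {offset}")
        itype, nsize = struct.unpack_from("<II", data, offset)
        if nsize < RECORD_HDR_LEN or nsize % 4:
            raise EmfFormatError(f"record at {offset} has invalid nSize {nsize}")
        if nsize > end - offset:
            # The bounds check: declared size exceeds what the buffer holds.
            raise EmfFormatError(
                f"record at {offset} declares {nsize} bytes, only {end - offset} remain")
        if offset == 0 and itype != EMR_HEADER:
            raise EmfFormatError("first record is not EMR_HEADER")
        records.append((offset, itype, nsize))
        offset += nsize
        if itype == EMR_EOF:
            break
    if offset != end:
        raise EmfFormatError(f"{end - offset} trailing bytes after EMR_EOF")
    return records


def validate_emf(data: bytes) -> tuple[bool, str]:
    """Convenience wrapper: (True, 'ok') or (False, reason)."""
    try:
        walk_emf_records(data)
    except EmfFormatError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed samples (not real files): a minimal header record whose
# non-geometry fields are zeroed, followed by a 20-byte EOF record.
_HEADER_REC = struct.pack("<II", EMR_HEADER, 88) + bytes(80)
_EOF_REC = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)
GOOD_EMF = _HEADER_REC + _EOF_REC

# Same file, but the EOF record claims a size far larger than the buffer.
OVERSIZED_EMF = _HEADER_REC + struct.pack("<II", EMR_EOF, 0x7FFFFFF0) + _EOF_REC[8:]

# An arbitrary record type with nSize = 0 between header and EOF: a walker
# without the minimum-size check would never advance past it.
ZERO_SIZE_EMF = _HEADER_REC + struct.pack("<II", 0x11, 0) + _EOF_REC


if __name__ == "__main__":
    for name, blob in [("good", GOOD_EMF), ("oversized", OVERSIZED_EMF),
                       ("zero-size", ZERO_SIZE_EMF), ("truncated", GOOD_EMF[:-4])]:
        print(name, validate_emf(blob))
```

The walker deliberately does not interpret any record body; the point is that the geometry checks run before any consumer is handed a slice, so a rendering routine downstream never receives a length it cannot trust.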
Syndicate staffed by fake workers net millions

Three Chinese nationals, Yan Peijian, 39, Huang Qinzheng, 37, and Liu Yuqi, 33, were convicted and sentenced to a little over two years in prison in Singapore for hacking into overseas gambling websites and companies, both to cheat during gameplay and to steal databases of personally identifiable information for trade. The three individuals, part of a group of five Chinese nationals and one Singaporean man, were originally arrested and charged in September 2024. "The three accused persons were tasked by the syndicate's group leader to probe sites of interest for system vulnerabilities, conduct penetration attacks, and exfiltrate personal information from the compromised systems," the Singapore Police Force said. "Further investigations revealed that the syndicate possessed foreign government data, including confidential communications." The three defendants were also found to be in possession of tools like PlugX and "hundreds of different remote access trojans" to conduct cyber attacks. According to Channel News Asia, the three men entered the country on fake work permits in 2022 and worked for a 38-year-old Ni-Vanuatu citizen named Xu Liangbiao. They were paid about $3 million for their work. Xu, the alleged leader, is said to have left Singapore in August 2023. His present whereabouts are unknown.

AI speeds triage but human skill still needed

Check Point has demonstrated how ChatGPT can be used for malware analysis and tilt the balance when taking apart sophisticated trojans like XLoader, which decrypts its code only at runtime and is protected by multiple layers of encryption. Specifically, the research found that cloud-based static analysis with ChatGPT can be combined with MCP (Model Context Protocol) for runtime key extraction and live debugging validation.
"The use of AI doesn't eliminate the need for human expertise," security researcher Alexey Bukhteyev said. "XLoader's most sophisticated protections, such as scattered key derivation logic and multi-layer function encryption, still require manual analysis and targeted adjustments. But the heavy lifting of triage, deobfuscation, and scripting can now be accelerated dramatically. What once took days can now be compressed into hours."

RondoDox goes from DVRs to enterprise-wide weapon

The malware known as RondoDox has seen a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise systems. This includes more than 15 new exploitation vectors targeting LB-LINK, Oracle WebLogic Server, PHPUnit, D-Link, NETGEAR, Linksys, Tenda, and TP-Link devices, as well as new command-and-control (C2) infrastructure hosted on compromised residential IP addresses. Once dropped, the malware eliminates competition by killing existing malware such as XMRig and other botnets, disables SELinux and AppArmor, and runs the main payload that matches the system architecture.

DHS pushes sweeping biometric rule for immigration

The U.S. Department of Homeland Security (DHS) has proposed an amendment to existing regulations governing the use and collection of biometric information. The agency has put forth requirements for a "robust system for biometrics collection, storage, and use related to adjudicating immigration benefits and other requests and performing other functions necessary for administering and enforcing immigration and naturalization laws." As part of the plan, any individual filing or associated with a benefit request or other request or collection of information, including U.S. citizens, U.S. nationals, and lawful permanent residents, must submit biometrics, regardless of their age, unless DHS otherwise exempts the requirement.
The agency said using biometrics for identity verification and management will assist DHS's efforts to combat trafficking, confirm the results of biographical criminal history checks, and deter fraud. DHS is taking comments on the proposal until January 2, 2026.

Researchers uncover large-scale AWS abuse network

Cybersecurity researchers have discovered a new large-scale attack infrastructure dubbed TruffleNet that's built around the open-source tool TruffleHog, which is used to systematically test compromised credentials and perform reconnaissance across Amazon Web Services (AWS) environments. "In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks," Fortinet said. "This infrastructure was characterized by the use of TruffleHog, a popular open-source secret-scanning tool, and by consistent configurations, including open ports and the presence of Portainer," an open-source management UI for Docker and Kubernetes that simplifies container deployment and orchestration. In these activities, the threat actors call the GetCallerIdentity and GetSendQuota APIs to test whether the credentials are valid, and then abuse the Simple Email Service (SES). While Fortinet observed no follow-on actions, it assesses that the attacks originate from a possibly tiered infrastructure, with some nodes dedicated to reconnaissance and others reserved for later stages of the attack. Also observed alongside the TruffleNet reconnaissance activity is the abuse of SES for Business Email Compromise (BEC) attacks. It's currently not known if the two are directly connected.
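As an added example, and not Fortinet's tooling: a small detector over CloudTrail-style JSON events that flags an access key exercised via GetCallerIdentity or GetSendQuota from several distinct source addresses inside a short window, which is the shape distributed credential validation leaves behind in an account's own logs. The field names (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId) are standard CloudTrail fields; the events, the documentation-range addresses and the AKIA...-style key IDs are constructed here.

```python
import json
from collections import defaultdict
from datetime import datetime

# (eventSource, eventName) pairs that validate a key without touching data:
# the STS and SES calls named in the Fortinet write-up.
PROBE_CALLS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("ses.amazonaws.com", "GetSendQuota"),
}


def parse_events(lines):
    """Pull the fields the detector needs out of CloudTrail JSON lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
            "call": (ev.get("eventSource"), ev.get("eventName")),
            "ip": ev.get("sourceIPAddress"),
            "key": ev.get("userIdentity", {}).get("accessKeyId", "unknown"),
        })
    return events


def find_credential_probing(lines, min_ips=3, window_minutes=60):
    """Flag access keys that issue probe calls from at least min_ips distinct
    source addresses within a sliding window of window_minutes. One key fanned
    out over many hosts is the signature of a validation farm, not an operator."""
    probes = [e for e in parse_events(lines) if e["call"] in PROBE_CALLS]
    by_key = defaultdict(list)
    for e in probes:
        by_key[e["key"]].append(e)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            ips = set()
            for e in evs[i:]:
                if (e["time"] - start["time"]).total_seconds() > window_minutes * 60:
                    break
                ips.add(e["ip"])
            if len(ips) >= min_ips:
                findings.append({
                    "access_key": key,
                    "distinct_ips": len(ips),
                    "window_start": start["time"].isoformat(),
                })
                break  # one finding per key is enough to raise the alert
    return findings


def _event(t, source, name, ip, key):
    """Build one constructed CloudTrail-like record as a JSON line."""
    return json.dumps({
        "eventTime": t, "eventSource": source, "eventName": name,
        "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
    })


# Constructed sample log: addresses are from documentation ranges and the
# key IDs are placeholders, not real credentials.
SAMPLE_LOG = "\n".join([
    # one key validated from four hosts within ten minutes: probing
    _event("2025-11-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "192.0.2.10", "AKIAEXAMPLEKEY000001"),
    _event("2025-11-01T10:02:00Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.7", "AKIAEXAMPLEKEY000001"),
    _event("2025-11-01T10:05:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.44", "AKIAEXAMPLEKEY000001"),
    _event("2025-11-01T10:09:00Z", "ses.amazonaws.com", "GetSendQuota", "192.0.2.99", "AKIAEXAMPLEKEY000001"),
    # a second key used once from a single address: ordinary usage
    _event("2025-11-01T10:03:00Z", "sts.amazonaws.com", "GetCallerIdentity", "192.0.2.50", "AKIAEXAMPLEKEY000002"),
    # a non-probe call from the first key is ignored by the detector
    _event("2025-11-01T10:04:00Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.200", "AKIAEXAMPLEKEY000001"),
])


if __name__ == "__main__":
    for finding in find_credential_probing(SAMPLE_LOG.splitlines()):
        print(finding)
```

The thresholds are deliberately parameters: a key used legitimately from a handful of CI runners can trip a low min_ips, so tune the values against a baseline of the account's own GetCallerIdentity usage before alerting on them.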
The development comes as Fortinet revealed that financially motivated adversaries are targeting a broad range of sectors while relying on the same low-complexity, high-return methods, typically gaining initial access through compromised credentials, external remote services like VPNs, and exploitation of public-facing applications. These attacks are often characterized by the use of legitimate remote access tools for secondary persistence and for exfiltrating data to attacker-controlled infrastructure.

FIN7 deploys stealthy SSH backdoor for persistence

PRODAFT has revealed that the financially motivated threat actor known as FIN7 (aka Savage Ladybug) has, since 2022, deployed a "Windows specific SSH-based backdoor by packaging a self-contained OpenSSH toolset and an installer named install.bat." The backdoor provides attackers with persistent remote access and reliable file exfiltration using an outbound reverse SSH tunnel and SFTP.

Cloudflare fends off massive DDoS surge on election day

Web infrastructure company Cloudflare said Moldova's Central Election Commission (CEC) experienced significant cyber attacks in the days leading up to the country's Parliament election on September 28. On election day itself, the CEC also witnessed a "series of concentrated, high-volume (DDoS) attacks strategically timed throughout the day." Attacks also targeted other election-related, civil society, and news websites. "These attack patterns mirrored those against the election authority, suggesting a coordinated effort to disrupt both official election processes and the public information channels voters rely on," Cloudflare said, adding that it mitigated over 898 million malicious requests directed at the CEC over a 12-hour period between 09:06:00 UTC and 21:34:00 UTC.
Silent Lynx exploits diplomacy themes to breach targets

The threat actor tracked as Silent Lynx (aka Cavalry Werewolf, Comrade Saiga, ShadowSilk, SturgeonPhisher, and Tomiris) has been observed targeting government entities, diplomatic missions, mining firms, and transportation companies. In one campaign, the adversary singled out organizations involved in Azerbaijan-Russian diplomacy, using phishing lures related to the CIS summit held in Dushanbe around mid-October 2025 to deliver the open-source Ligolo-ng reverse shell and a loader called Silent Loader that runs a PowerShell script to connect to a remote server. Also deployed is a C++ implant named Laplas that connects to an external server and receives additional commands for execution via "cmd.exe." Another payload of note is SilentSweeper, a .NET backdoor that extracts and runs a PowerShell script acting as a reverse shell. The second campaign, on the other hand, used lures themed around China-Central Asia relations to distribute a RAR archive that led to the deployment of SilentSweeper. The activity has been codenamed Operation Peek-a-Baku by Seqrite Labs.

Cyber gangs blend digital and physical extortion across Europe

European organizations witnessed a 13% increase in ransomware over the past year, with entities in the U.K., Germany, Italy, France, and Spain most affected. A review of data leak sites over the period September 2024–August 2025 has revealed that the number of European victims increased year over year to 1,380. The most targeted sectors were manufacturing, professional services, technology, industrials, engineering, and retail. Since January 2024, over 2,100 victims across Europe have been named on extortion leak sites, with 92% of cases involving both file encryption and data theft. Akira (167), LockBit (162), RansomHub (141), INC, Lynx, and Sinobi were the most successful ransomware groups over the period.
CrowdStrike said it's also seeing a surge in violence-as-a-service offerings across the continent aimed at securing big payouts, including physical cryptocurrency theft. Cybercriminals connected to The Com, a loose-knit collective of young, English-speaking hackers, and a Russia-affiliated group called Renaissance Spider have coordinated physical attacks, kidnapping, and arson through Telegram-based networks. Renaissance Spider, which has been active since October 2017, is also said to have emailed fake bomb threats to European entities, likely aiming to undermine support for Ukraine. There have been 17 such attacks since January 2024, 13 of which took place in France.

Fake ChatGPT and WhatsApp apps exploit user trust

Cybersecurity researchers have discovered apps that use the branding of established services like OpenAI's ChatGPT and DALL-E, and WhatsApp. While the fake DALL-E Android app ("com.openai.dalle3umagic") is used for ad traffic generation, the ChatGPT wrapper app connects to legitimate OpenAI APIs while identifying itself as an "unofficial interface" for the artificial intelligence chatbot. Although not outright malicious, impersonation without transparency can expose users to unintended security risks. The counterfeit WhatsApp app, named WhatsApp Plus, masquerades as an upgraded version of the messaging platform but contains stealthy payloads that can harvest contacts, SMS messages, and call logs. "The flood of cloned applications reflects a deeper problem: brand trust has become a vector for exploitation," Appknox said. "As AI and messaging tools dominate the digital landscape, bad actors are learning that mimicking credibility is often more profitable than building new malware from scratch."
Phishers weaponize trusted email accounts post-breach

Threat actors are continuing to launch phishing campaigns after their initial compromise, leveraging compromised internal email accounts to expand their reach both within the compromised organization and externally to partner entities. "The follow-on phishing campaigns were primarily oriented towards credential harvesting," Cisco Talos said. "Looking forward, as defenses against phishing attacks improve, adversaries are seeking ways to enhance these emails' legitimacy, likely leading to the increased use of compromised accounts post-exploitation."

Asia-wide phishing surge uses multilingual lures

Recent phishing campaigns across East and Southeast Asia have been found to leverage multilingual ZIP file lures and shared web templates to target government and financial organizations. "These operations are characterized by multilingual web templates, region-specific incentives, and adaptive payload delivery mechanisms, demonstrating a clear shift toward scalable and automation-driven infrastructure," Hunt.io said. "From China and Taiwan to Japan and Southeast Asia, the adversaries have continuously repurposed templates, filenames, and hosting patterns to sustain their operations while evading conventional detection. The strong overlap in domain structures, webpage titles, and scripting logic indicates a shared toolkit or centralized builder designed to automate payload delivery at scale. This investigation links multiple clusters to a unified phishing toolkit used across Asia."

Remote kill-switch fears spark probe into Chinese buses

Authorities in Denmark have launched an investigation following the discovery that electric buses manufactured by the Chinese company Yutong gave the manufacturer remote access to the vehicles' control systems and allowed the buses to be remotely deactivated. This has raised security concerns that the loophole could be exploited to affect buses while in transit.
"The testing revealed risks that we are now taking measures against," Bernt Reitan Jenssen, chief executive of the Norwegian public transport authority Ruter, was quoted as saying. "National and local authorities have been informed and must assist with additional measures at a national level."

Cloudflare scrubs botnet domains from global rankings

Cloudflare has scrubbed domains associated with the massive AISURU botnet from its top domain rankings. According to security journalist Brian Krebs, AISURU's operators are using the botnet to boost their malicious domains' rankings while simultaneously targeting the company's domain name system (DNS) service.

China delivers harsh verdict in cross-border scam crackdown

A court in China has sentenced five members of a Myanmar crime syndicate to death for their roles in running industrial-scale scamming compounds near the border with China. The death sentences were handed out to the syndicate boss Bai Suocheng and his son Bai Yingcang, as well as Yang Liqiang, Hu Xiaojiang, and Chen Guangyi. Five others were sentenced to life. In all, 21 members and associates of the syndicate were convicted of fraud, homicide, injury, and other crimes. According to Xinhua, the defendants ran 41 industrial parks to facilitate telecommunications and online fraud at scale. The harsh penalty is the latest in a series of actions governments across the world have taken to combat the rise of cyber-enabled scam centers in Southeast Asia, where thousands are trafficked under the pretext of well-paying jobs, then trapped, abused, and forced to defraud others in criminal operations worth billions. In September 2025, 11 members of the Ming crime family arrested during a 2023 cross-border crackdown were sentenced to death.

Massive global credit card scam busted in €300M sting

A coordinated law enforcement operation against a massive credit card fraud scheme dubbed Chargeback has led to the arrest of 18 suspects.
The arrested individuals are German, Lithuanian, Dutch, Austrian, Danish, American, and Canadian nationals. "The alleged perpetrators are suspected of setting up an intricate scheme of fake online subscriptions to dating, pornography, and streaming services, among others, which were paid for by credit card," Eurojust said. "Among those arrested are five executive officials from four German payment service providers. The perpetrators deliberately kept monthly credit card payments to their accounts below the maximum of EUR 50 to avoid arousing suspicion among victims about high transfer amounts." The scheme is estimated to have defrauded at least €300 million from over 4.3 million credit card users with 19 million accounts in 193 countries between 2016 and 2021. The total value of attempted fraud against card users amounts to more than €750 million. Europol said the suspects used numerous shell companies, primarily registered in the U.K. and Cyprus, to conceal their activities.

Every hack or scam has one thing in common — someone takes advantage of trust. As security teams improve their defenses, attackers quickly find new tricks. The best way to stay ahead isn’t to panic, but to stay informed, keep learning, and stay alert. Cybersecurity keeps changing fast — and our understanding needs to keep up.