FEBRUARY 21st was a typical day, recalls Ben Zhou, the boss of ByBit, a Dubai-based cryptocurrency exchange. Before going to bed, he approved a fund transfer between the firm’s accounts, a “typical manoeuvre” performed while servicing more than 60m users around the world. Half an hour later he got a phone call. “Ben, there’s an issue,” his chief financial officer said, voice shaking. “We might be hacked…all of the Ethereum is gone.”

A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.

Any service using xml-crypto or a Node.js SAML implementation using it, should update immediately to the latest version. WorkOS customers are safe and were not impacted.

For the first time, RL researchers discover malicious locally-installed npm packages infecting other legitimate packages.

Une opération de sensibilisation en direction d’une cible particulièrement exposée Les établissements scolaires sont régulièrement ciblés par des attaques malveillantes via les espaces numériques de travail (ENT) des élèves. Ces actions cybercriminelles génèrent une forte pression sur les élèves, ce qui avait notamment conduit à la fermeture des ENT courant 2024.

Lucid is a sophisticated Phishing-as-a-Service (PhaaS) platform operated by Chinese-speaking threat actors, targeting 169 entities across 88 countries globally. With 129 active instances and 1000+ registered domains, Lucid ranks among prominent PhaaS platforms, alongside Darcula and Lighthouse.
Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud. The platform employs an automated attack delivery mechanism, deploying customizable phishing websites distributed primarily through SMS-based lures. To enhance effectiveness, Lucid leverages Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates.
Lucid incorporates advanced anti-detection and evasion techniques, such as IP blocking and user-agent filtering, to prolong the lifespan of its phishing sites. Additionally, it features a built-in card generator, enabling threat actors to validate and exploit stolen payment data efficiently. Given its advanced infrastructure and persistent activity, Lucid poses a significant and ongoing cyber threat. Its operations underscore the growing reliance on PhaaS platforms to facilitate payment fraud and financial cybercrime, necessitating heightened vigilance and proactive mitigation efforts.

Next.js is an open-source web framework built by Vercel that powers React-based apps with features like server-side and static rendering. Recently, a critical vulnerability (CVE) was disclosed that lets attackers bypass middleware-based authorization checks. The issue was originally discovered and analyzed by Rachid Allam (zhero). In this blog, we’ll break down the vulnerability and walk through their research and will create a Nuclei template to help you detect it across your assets.

    While patching a SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related v...

Discover technical analysis of GorillaBot, a new malware variant based on the original code of the Mirai botnet.

You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details.

• VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program launched on March 7, 2025. The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%. The only rule is not to target the Commonwealth of Independent States (CIS).
• Check Point Research discovered two VanHelsing ransomware variants targeting Windows, but as the RaaS mentions in its advertisement, it provides more offerings “targeting Linux, BSD, ARM, and ESXi systems”. The program provides an intuitive control panel that simplifies operating ransomware attacks. Check Point Research obtained two variants of the VanHelsing Ransomware, compiled just five days apart. The newest variant shows significant updates, highlighting the fast-paced evolution of this ransomware.
• In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims, demanding large ransom payments for decryption and the deletion of stolen data. During negotiations, they demanded $500,000 to be paid to a specified Bitcoin wallet.

Sygnia investigates Weaver Ant, a stealthy China-nexus threat actor targeting telecom providers. Learn how web shells enable persistence and espionage.

The hackers compromised home routers made by Zyxel to gain entry into a “major” telecommunications company's environment.

orums as part of our Threat Discovery Process.
Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.

Target Technologies: Windows
Target Geography: France, USA.
Target Industry: Government, Manufacturing, Pharma.
Encrypted file extension: .vanhelsing
Observed First: 2025-03-16
Threat actor Communication mode: Tor

This critical vulnerability allowed attackers to bypass authentication implemented in the middleware layer. With the popularity of this framework on the internet and within our customers' attack surfaces, our Security Research team took a deeper look at the issue.

GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities CVE-2024-4879 (Critical), CVE-2024-5217 (Critical), and CVE-2024-5178 (Medium). These vulnerabilities reportedly may be chained together for full database access.

Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. When active, the attack presented dealership visitors with a ClickFix webpage which led to a SectopRAT malware.

Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers

tj-actions/changed-files corrupted to run credential-stealing memory scraper.

Recently, Yasser Allam, known by the pseudonym inzo_, and I, decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on github, currently downloaded + 9,4 million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us.

Next.js is a comprehensive javascript framework based on React, packed with numerous features — the perfect playground for diving into the intricacies of research. We set out, fueled by faith, curiosity, and resilience, to explore its lesser-known aspects, hunting for hidden treasures waiting to be found.

It didn’t take long before we uncovered a great discovery in the middleware. The impact is considerable, with all versions affected, and no preconditions for exploitability — as we’ll demonstrate shortly.