Shaarli Daily

All of a day's links on one page.

July 8, 2025

Critical Vulnerabilities in KIA Infotainment Let Attackers Inject Code with PNG Files

A recent security analysis has uncovered critical vulnerabilities in the infotainment systems of KIA vehicles, raising alarm across the automotive cybersecurity community.

These flaws allow attackers to inject and execute malicious code through specially crafted PNG image files, potentially compromising vehicle safety and user privacy.

Security researchers, during an in-depth examination of KIA's head unit and its underlying Real-Time Operating System (RTOS), found that the infotainment firmware failed to properly validate certain image file formats, most notably PNG files.

By exploiting this weakness, attackers could embed executable payloads inside images that, when processed by the infotainment system, triggered remote code execution.

The attack leverages a buffer overflow vulnerability in the image parsing library used by KIA's infotainment system.

When a malicious PNG file is loaded (via USB, Bluetooth, or an over-the-air update), the system's parser mishandles the image data, allowing the attacker's code to overwrite critical memory regions.

Attack Chain

  • Initial Access: The attacker delivers a malicious PNG file to the vehicle (e.g., via a USB drive or compromised update).
  • Payload Execution: The infotainment system parses the image, triggering the buffer overflow.
  • Privilege Escalation: The injected code runs with system-level privileges, allowing full control over the head unit.
  • Potential Impact: Attackers can manipulate vehicle settings, access personal data, or pivot to other vehicle networks such as the CAN bus.

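The root cause described above is an image parser that trusts the length fields inside the file. The following is an added, constructed example (not code from KIA, the researchers, or any real PNG library) showing the defensive check such a parser needs: a chunk walker that rejects any declared chunk length that does not fit the remaining input, so an attacker-controlled length can never drive a copy past the buffer. CRC verification is assumed to happen elsewhere and is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a bounds-checked walk over the chunks of a PNG
 * file. A parser that trusts the 4-byte chunk length field and copies
 * that many bytes into a fixed buffer is the classic overflow pattern;
 * this walker instead rejects any length that does not fit the input.
 * CRCs are not verified here. Returns the chunk count, or -1 if the
 * input is malformed. */
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

int png_walk_chunks(const uint8_t *buf, size_t len) {
    if (len < sizeof PNG_SIG || memcmp(buf, PNG_SIG, sizeof PNG_SIG) != 0)
        return -1;                          /* not a PNG at all */
    size_t off = sizeof PNG_SIG;
    int count = 0;
    while (off < len) {
        /* Each chunk: 4-byte length, 4-byte type, data, 4-byte CRC. */
        if (len - off < 12)
            return -1;                      /* header + CRC do not fit */
        uint32_t clen = be32(buf + off);
        if (clen > 0x7FFFFFFFu)
            return -1;                      /* exceeds the PNG spec limit */
        /* Compare against the remaining space instead of computing
         * off + clen, so a hostile length cannot wrap the offset. */
        if (clen > len - off - 12)
            return -1;                      /* declared data is truncated */
        const uint8_t *type = buf + off + 4;
        if (memcmp(type, "IHDR", 4) == 0 && (count != 0 || clen != 13))
            return -1;                      /* IHDR must be first, 13 bytes */
        off += 12 + (size_t)clen;
        count++;
        if (memcmp(type, "IEND", 4) == 0)
            return off == len ? count : -1; /* nothing may follow IEND */
    }
    return -1;                              /* ran out of input before IEND */
}
```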
The GPS Leak No One Talked About: Uffizio’s Silent Exposure

A deep investigation by DeepSpecter.com uncovered a multi-year data exposure involving Uffizio, the software provider behind a widely used white-label GPS fleet management platform. Despite claiming GDPR compliance, Uffizio's software, and its deployment by hundreds of global resellers, leaked sensitive fleet data across at least 12 countries for over five years, continuing even after a public CVE disclosure and an internal GDPR audit.

The leaked data included SIM identifiers, license plates, company names, tracker IMEIs, and real-time activity, effectively mapping the movement of thousands of vehicles, including those operated by police, ambulances, municipal fleets, and even nuclear energy providers. The fact that Uffizio was quick to patch its software while exposure continued elsewhere underscores a broader issue: the delivery chain was broken, and we'll expose that in a dedicated follow-up.

This case makes one thing clear: compliance is not enough. Businesses responsible for real-world assets and lives cannot afford to treat security as a checkbox. When fleet systems tie directly to public safety and critical infrastructure, the absence of active monitoring turns regulatory compliance into a false sense of protection. The risk is real, the impact is human, and silence is no longer an option.

New Hpingbot Exploits Pastebin for Payload Delivery and Uses Hping3 for DDoS Attacks

NSFOCUS Fuying Lab's Global Threat Hunting System has discovered a new botnet family called "hpingbot" that has been quickly expanding.
This cross-platform botnet, built from scratch using the Go programming language, targets both Windows and Linux/IoT environments and supports multiple processor architectures including amd64, mips, arm, and 80386.

Unlike derivatives of well-known botnets like Mirai or Gafgyt, hpingbot showcases remarkable innovation by leveraging unconventional resources for stealth and efficiency, such as using the online text storage platform Pastebin for payload distribution and the network testing tool hping3 to execute Distributed Denial of Service (DDoS) attacks.

According to the report, this approach not only enhances its ability to evade detection but also significantly reduces the costs associated with development and operation, making hpingbot a formidable and evolving threat.

Hpingbot’s operational strategy is notably distinct, as it employs Pastebin to host and dynamically update malicious payloads, allowing attackers to adjust their load distribution frequently.

[Figure: hpingbot DDoS attack method]

Monitoring data from Fuying Lab indicates that Pastebin links embedded in the botnet have shifted content multiple times since mid-June 2025, from hosting IP addresses to providing scripts for downloading additional components.

This flexibility is paired with the botnet’s reliance on hping3, a versatile command-line tool typically used for network diagnostics, to launch a variety of DDoS attacks such as SYN, UDP, and mixed-mode floods.

Interestingly, while the Windows version of hpingbot cannot utilize hping3 for DDoS attacks due to environmental limitations, its persistent activity underscores a broader focus on downloading and executing arbitrary payloads, hinting at intentions beyond mere network disruption.

Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP.

Atomic macOS infostealer adds backdoor for persistent attacks

Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems.

The new component allows executing arbitrary remote commands, survives reboots, and permits maintaining control over infected hosts indefinitely.

MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity.
"AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say.

"The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."