🚨 China-linked UNC5221 hackers exploited Ivanti EPMM zero-days (CVE-2025-4427 & 4428) immediately after disclosure, targeting mobile endpoints in defense, healthcare, and finance sectors.
Full report → https://thehackernews.com/2025/05/chinese-hackers-exploit-ivanti-epmm.html
⚡ Webinar ALERT!
Cybersecurity isn't enough—you must prove it.
Courts, regulators, and insurers demand "reasonable" programs, and vague efforts won't suffice. Learn what this means and how to comply.
📅 Register for this free session now → https://thehackernews.com/2025/05/webinar-learn-how-to-build-reasonable.html
🛑 WARNING — Any user to Domain Admin?
Akamai researchers demoed BadSuccessor, an attack abusing the new dMSA feature—enabled by default—to escalate privileges in Active Directory.
✅ Works in 91% of orgs.
❌ No patch yet
Details here → https://thehackernews.com/2025/05/critical-windows-server-2025-dmsa.html
⚠️ A Chinese-speaking threat actor quietly breached U.S. local gov systems via a critical flaw in Cityworks.
They didn’t just break in—they stayed—deploying Cobalt Strike & VShell via Rust-based TetraLoader.
Full report → https://thehackernews.com/2025/05/chinese-hackers-exploit-trimble.html
💥 Hidden code. Stolen secrets. Weaponized AI.
GitLab’s AI assistant Duo was vulnerable to indirect prompt injection—letting attackers quietly steal source code, embed malicious links, and exfiltrate zero-days.
Learn more: https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html
🚨 New CISA Alert: Hackers exploited CVE-2025-3928 in Commvault’s Metallic SaaS, compromising M365 credentials.
This isn’t an isolated case—it’s part of a broader campaign targeting SaaS apps with default configs and excessive permissions.
🔍 Details: https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html
🔥 The DoJ has dismantled DanaBot—a Russian-controlled malware that infected 300K+ devices and caused $50M+ in global losses.
16 charged. Servers seized.
Some hackers unmasked after accidentally infecting themselves.
Read more: https://thehackernews.com/2025/05/us-dismantles-danabot-malware-network.html
🔥 Europol just dropped the hammer: 300 servers taken down, €3.5M in crypto seized, and 20 international arrest warrants issued—key QakBot and TrickBot operatives named.
At the same time, Operation RapTor arrested 270 dark web vendors across 10 countries, seizing €184M in cash and crypto, 2 tons of drugs, and 180 firearms.
🔗 Learn more → https://thehackernews.com/2025/05/300-servers-and-35m-seized-as-europol.html
🛡️ 99.45% detection. 0.07% false positives.
SafeLine is now the top open-source WAF on GitHub (16.4K+ ⭐) — built for teams needing full control, zero-day defense, and advanced bot protection.
👉 See why it’s outpacing cloud WAFs → https://thehackernews.com/2025/05/safeline-waf-open-source-web.html
🚨 5,300 routers hijacked—not to attack, but to spy.
A shadowy group dubbed ViciousTrap is turning Cisco routers across 84 countries into a massive honeypot-style network—not to attack, but to silently watch.
🔍 Exploiting CVE-2023-20118
👻 Dropping a script called NetGhost
Read: https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html
Hackers are turning TikTok into a malware delivery tool.
From ClickFix to fake Spotify "boosts"—hackers are now using AI-generated TikToks to trick users into running malicious commands. One video got 500K views before takedown.
See full report → https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
🚨 Fake installers, real threat — Malware hidden in trojanized QQ Browser & LetsVPN setups drops Winos 4.0, a stealthy RAT built for memory-only attacks.
Signed with expired certs. Linked to Chinese-speaking targets & APT Silver Fox.
👀 Full scoop → https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html
70% of top sites drop tracking cookies even after users say no.
That’s a lawsuit waiting to happen.
This guide shows CISOs how to catch hidden privacy failures before they cost you millions.
→ Fix it now: https://thehackernews.com/2025/05/cisos-guide-to-web-privacy-validation.html
🚨 Malware is hiding in your dev tools. 70+ npm & VS Code packages were caught stealing data, wiping files, even triggering shutdowns.
Hackers used trusted names to slip through.
Your next install could be a trap.
→ Audit often.
→ Trust less.
🔗 Read: https://thehackernews.com/2025/05/over-70-malicious-npm-and-vs-code.html
⚡ New this week in cybersecurity RECAP:
– Chrome extensions hijacking sessions
– AI assistants leaking code
– State actors exploiting SaaS
– 20+ critical CVEs
You can't protect what you ignore.
Read the recap now → https://thehackernews.com/2025/05/weekly-recap-apt-campaigns-browser.html
🚨 Russia-linked TAG-110 is now hitting Tajikistan with macro-laced Word docs—ditching old methods for stealthier new ones.
Aimed at gov and research orgs, this shift signals bigger moves ahead.
New tactics. Same goal. Learn more: https://thehackernews.com/2025/05/russia-linked-hackers-target-tajikistan.html
🚨 Law firms are under attack.
A stealthy group known as Luna Moth is using fake IT calls—not malware—to quietly breach systems and steal sensitive data.
No clicks needed—just trust abused.
Learn why it’s working—and how to stop it: https://thehackernews.com/2025/05/hackers-are-calling-your-office-fbi.html
Drive your SOC forward with solutions trusted by 15,000 businesses worldwide
✅ Get bonus licenses for ANYRUN's Interactive Sandbox
✅ Double your cyber threat investigations quota with TI Lookup
Just 4 days left 👉 https://thn.news/anyrun-plans-spring-tg
🚨 AI agents are leaking secrets—and no one's watching.
Enterprises now manage 45+ machine identities per user—from chatbots to CI/CD bots. In 2024 alone, 23.7M secrets leaked on GitHub. AI tools like Copilot worsened this by 40%.
NHIs don’t rotate keys. Don’t log off. Don’t forget.
🔒 Learn how to lock down AI agents → https://thehackernews.com/2025/05/ai-agents-and-nonhuman-identity-crisis.html
👀 Your Docker containers might be mining crypto—without you knowing.
A new malware is hijacking exposed Docker APIs, spreading like a worm, and turning systems into a crypto-mining botnet—no C2 server required.
🔍 See how it spreads: https://thehackernews.com/2025/05/new-self-spreading-malware-infects.html
🚨 Hackers built a fake Bitdefender site to push Venom RAT—stealing passwords, crypto, and control.
Behind it? A stealthy combo of open-source tools, MFA bypass tricks, and real-time phishing tactics. You won’t believe what they’re exploiting now.
Read: https://thehackernews.com/2025/05/cybercriminals-clone-antivirus-site-to_4.html