Cybercriminals have created over 250 fake Android and iOS apps targeting Korean users, disguising spyware as legitimate dating, social media, and file-sharing services. These convincing copycats feature professional logos and fake five-star reviews to trick users into downloading them. Once installed, the malware steals contacts, photos, messages, and device data.
Attackers then escalate to personal blackmail, as happened to one victim who downloaded a fake dating app after a breakup. The hacker contacted his family members with threats after luring him into compromising situations. Researchers from Zimperium discovered 88 domains behind the campaign, with 25 indexed by Google search results.
Source: Dark Reading
Ontario Health atHome knew about a massive cyberattack affecting up to 200,000 patients as early as April 14 but didn't tell the public until June 27. The breach at vendor Ontario Medical Supply actually happened in March, compromising patient names, addresses, medical diagnoses, and prescription data.
The agency waited six weeks to notify Ontario's privacy commissioner and only informed patients after Liberal MPP Adil Shamji forced their hand by revealing the incident publicly. Health Minister Sylvia Jones then ordered the agency to contact affected patients. Critics call the delay "deception" and "incompetence," warning the stolen data could enable identity theft and blackmail.
Source: Global News
Apple released security updates Tuesday fixing dozens of vulnerabilities, including CVE-2025-6558, a bug already exploited against Chrome users. Google patched this flaw in Chrome 138 last July after discovering active attacks targeting its graphics components. The vulnerability lets attackers escape browser sandboxes through malicious web pages.
Apple's updates cover iOS 18.6, macOS Sequoia 15.6, and other platforms, patching 87 CVEs in macOS alone. While there's no evidence Safari users were targeted, the flaw could crash the browser when visiting malicious sites. CISA previously flagged this as a critical threat requiring federal agencies to patch by August 12.
Source: Security Week
Cybercriminals exploited a critical SAP vulnerability (CVE-2025-31324) to breach a U.S. chemicals company and install Auto-Color malware on the company's Linux systems. The attack demonstrates how hackers are targeting enterprise software flaws to gain access to corporate networks.
SAP systems are widely used by major corporations for business operations, making this vulnerability particularly concerning for companies across industries. Organizations running SAP software should immediately apply security patches and review their Linux system configurations to prevent similar attacks.
Source: thehackernews.com
The Gunra ransomware group, which emerged in April targeting Windows systems, has released a sophisticated Linux variant capable of running 100 parallel encryption threads—double what most ransomware allows. This cross-platform expansion makes Gunra particularly dangerous, offering attackers unprecedented speed and flexibility in file encryption.
The group gained notoriety by allegedly leaking 40TB of hospital data in May and has since targeted victims across Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the US. Unlike its Windows version, the Linux variant skips ransom notes and focuses purely on rapid, configurable encryption. Trend Micro researchers warn organizations to monitor this fast-evolving threat closely.
Source: Dark Reading
Google researchers exposed UNC3944, a ransomware group targeting US retail, airline, and insurance companies through sophisticated phone scams. The hackers call IT help desks pretending to be employees, trick staff into resetting passwords, then use stolen credentials to access virtual server systems and deploy ransomware within hours.
Unlike typical cyberattacks, they don't use malware but manipulate legitimate administrative tools, making detection extremely difficult. The group's activity declined after 2024 law enforcement actions. But other ransomware groups are now copying these tactics, making this a growing threat requiring immediate defensive action.
Source: Industrial Cyber
Gov. Tim Walz activated the Minnesota National Guard Tuesday to help St. Paul recover from a sophisticated cyberattack that has crippled city systems since Friday. Mayor Melvin Carter declared a state of emergency, calling it a "deliberate, coordinated digital attack" by external criminals targeting the city's infrastructure. The FBI and cybersecurity firms are investigating alongside the Guard's cyber forces.
City Wi-Fi, internal networks, and online bill payment are down, forcing some workers offline. Libraries and recreation services are also affected, though 911 remains operational. Officials won't restore services until they fully understand the breach's scope.
Source: CBS News Minnesota
The Cybersecurity and Infrastructure Security Agency has added a cross-site request forgery vulnerability in PaperCut NG/MF print management software to its Known Exploited Vulnerabilities catalog. The flaw is currently being exploited by attackers in the wild.
CISA is requiring all federal agencies to patch their systems immediately to prevent potential security breaches. PaperCut NG/MF is widely used across government and enterprise environments for managing printing services, making this vulnerability particularly concerning for organizations running unpatched versions of the software.
Source: The Hacker News
The Python Package Index (PyPI) is warning developers about an ongoing phishing campaign targeting their accounts. Attackers are sending fake verification emails and using lookalike domains to steal credentials from Python developers. The fraudulent emails appear legitimate but direct users to malicious sites designed to harvest login information.
PyPI officials are urging developers to verify email authenticity before clicking links and to enable two-factor authentication. This campaign specifically targets the Python development community, potentially compromising software supply chains if successful.
Source: The Hacker News
The Scattered Spider cybercrime group launched sophisticated ransomware attacks on July 28, 2025, targeting VMware ESXi servers across critical U.S. infrastructure including retail and airline sectors. The hackers used stolen credentials and social engineering to hijack ESXi hypervisors, encrypting multiple virtual machines at once and causing widespread business disruptions.
CISA issued an urgent advisory urging organizations to patch vulnerable ESXi systems and strengthen access controls. Security experts say their evolving tactics make detection increasingly difficult for defenders. The attacks underscore urgent concerns about ransomware threats to virtualized environments that many organizations rely on for core operations.
Source: The Hacker News
