Microsoft and Google among most affected as zero-day exploits jump 46%
Forescout’s latest threat review released at Black Hat USA shows zero-day attacks rose 46% in the first half of 2025, with Microsoft and Google at the top of the most exploited products. Ransomware attacks were up 36%, increasingly targeting unconventional devices like IP cameras and BSD servers to bypass defenses and move laterally across networks. Of 137 tracked threat actors, 40% were state-sponsored, with Iran-aligned hacktivists particularly focusing on critical OT infrastructure.
Vietnamese hackers use PXA Stealer, hit 4,000 IPs and steal 200,000 passwords globally
Vietnamese hackers appear to be behind a new global malware campaign using PXA Stealer, a Python-based info-stealer that has compromised more than 4,000 IPs across 62 countries and stolen over 200,000 passwords. The malware targets browsers, crypto wallets, VPN clients, and apps like Discord, exfiltrating data via Telegram to underground markets. Researchers say this latest variant is more evasive and multi-stage, using DLL sideloading and decoy files to avoid detection.
New Plague Linux malware stealthily maintains SSH access
A Linux backdoor dubbed Plague lets attackers maintain persistent, unauthenticated SSH access by embedding itself as a malicious Pluggable Authentication Module (PAM). It was discovered by Nextron Systems and uses layered obfuscation, anti-debugging, hardcoded passwords, and environment scrubbing techniques to evade detection and erase forensic traces. Multiple samples have been uploaded to VirusTotal but none have been flagged.
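As an added defender-side example (not code from the article or from Nextron Systems), the audit below parses /etc/pam.d-style stanzas and flags any module that is not in a known-good baseline or that is loaded from outside the distribution's PAM library directories; the baseline, the sample sshd stanza and the injected module names are constructed for illustration.

```python
"""Audit PAM config for unexpected modules. Added example, not from the article or
Nextron Systems; the baseline, module names and sample stanza are constructed."""
import os

# Constructed allow-list of modules a typical sshd/common-auth stack references.
BASELINE_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so",
    "pam_motd.so", "pam_limits.so", "pam_mail.so", "pam_keyinit.so", "pam_loginuid.so",
    "pam_selinux.so", "pam_systemd.so", "pam_faillock.so", "pam_succeed_if.so",
}
# Directories where distribution packages normally install PAM modules.
PAM_LIB_DIRS = ("/lib/security", "/lib64/security", "/usr/lib/security",
                "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security")
# Constructed /etc/pam.d/sshd excerpt; lines 4 and 5 are hypothetical injections.
SAMPLE_SSHD = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
auth       sufficient   /tmp/.cache/pam_example_bd.so
auth       optional     pam_helper_example.so
account    required     pam_nologin.so
session    required     pam_limits.so
@include common-session
"""

def parse_pam_modules(text):
    """Yield (line_no, module) from 'type control module args' lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].startswith("@"):
            continue                     # blank, comment or @include line
        i = 1                            # control may be bracketed: [success=1 default=ignore]
        if tokens[1].startswith("["):
            while i < len(tokens) - 1 and not tokens[i].endswith("]"):
                i += 1
        if i + 1 < len(tokens):
            yield no, tokens[i + 1]

def audit_pam_text(name, text, baseline=BASELINE_MODULES):
    """Return (file, line, module, reason) findings for one PAM config file."""
    findings = []
    for no, module in parse_pam_modules(text):
        if module.startswith("/") and os.path.dirname(module) not in PAM_LIB_DIRS:
            findings.append((name, no, module, "loaded from outside PAM lib dirs"))
        elif os.path.basename(module) not in baseline:
            findings.append((name, no, module, "module not in baseline"))
    return findings

if __name__ == "__main__":
    for finding in audit_pam_text("sshd (constructed)", SAMPLE_SSHD):
        print(*finding, sep="\t")
```

On a live host, feed each file under /etc/pam.d to audit_pam_text and cross-check every flagged module file with the package manager (dpkg -S or rpm -qf), since a malicious module dropped into the standard directory under a plausible name will only show up by baseline comparison, not by path.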
NVIDIA Triton bugs let unauthenticated attackers execute code and hijack AI servers
Researchers at Wiz disclosed a set of critical vulnerabilities in NVIDIA’s Triton Inference Server that could let unauthenticated attackers remotely execute code and take full control of AI servers. The flaws affect both Windows and Linux deployments, stem from the Python backend, and include issues such as out-of-bounds writes and memory-limit bypasses. If chained together, they could let attackers steal AI models, manipulate inference outputs, or move laterally in networks. NVIDIA patched the issues in version 25.07, and there’s no evidence of exploitation in the wild so far.
Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.
Northwest Radiologists data breach hits 350,000 in Washington
A data breach at Northwest Radiologists back in January exposed the personal information of 348,118 Washington residents. Attackers had unauthorized access between January 20–25, affecting names, Social Security numbers, medical details, and other information. The company hasn’t confirmed the attack type, but signs point to ransomware. Law enforcement was notified, security upgrades have been implemented, and impacted individuals are being offered free credit and ID monitoring. No threat actor has claimed responsibility.
Panel to create roadmap for establishing US Cyber Force
A new 17-member panel called the Commission on Cyber Force Generation has been formed to design a plan for establishing a U.S. Cyber Force as a separate military branch. Backed by CSIS and the Cyberspace Solarium Commission 2.0, the group includes former top Pentagon officials and cyber commanders, aiming to deliver recommendations before the 2026 National Defense Authorization Act.
Ghost in the Zip reveals expanding ecosystem behind PXA Stealer
Researchers from SentinelLabs and Beazley Security are tracking a global cybercrime campaign dubbed “Ghost in the Zip,” which uses the Python-based PXA Stealer malware to steal sensitive data from victims in more than 60 countries. The malware is delivered via archive files disguised as PNG or PDF documents, leveraging sideloaded legitimate apps like Haihaisoft PDF Reader and older versions of Microsoft Word. It exfiltrates stolen data—including passwords, cookies, and crypto wallet info—through Telegram and Cloudflare Workers, and is resold via Telegram-based cybercriminal marketplaces.
Mozilla flags phishing wave aimed at hijacking trusted Firefox add-ons
Mozilla is warning Firefox add-on developers about a phishing campaign impersonating Mozilla or addons.mozilla.org, trying to trick devs into clicking fake account update links. It appears to be hijacking trusted developer accounts to distribute malicious extensions, many of which target crypto users by stealing wallet credentials like seed phrases. Over 40 of these malicious add-ons have been identified, some posing as legitimate tools from brands like Coinbase or MetaMask.
Ohio sets new cybersecurity rules for local governments, including public approval of ransomware payments
Ohio enacted new cybersecurity rules requiring all local governments to implement formal policies and publicly approve any ransomware payments. The move was passed as part of the state’s budget and follows a wave of cyberattacks on municipalities like Cleveland. Lawmakers say the new measures should increase transparency and improve defenses against increasingly sophisticated attacks that jeopardize constituent data and local infrastructure.