Toggle light / dark theme

NightEagle APT Exploits Microsoft Exchange Flaw to Target China’s Military and Tech Sectors

Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China.

According to QiAnXin’s RedDrip Team, the threat actor has been active since 2023 and has switched network infrastructure at an extremely fast rate. The findings were presented at CYDES 2025, the third edition of Malaysia’s National Cyber Defence & Security Exhibition and Conference held between July 1 and 3, 2025.

Over 40 Malicious Firefox Extensions Target Cryptocurrency Wallets, Stealing User Assets

Cybersecurity researchers have uncovered over 40 malicious browser extensions for Mozilla Firefox that are designed to steal cryptocurrency wallet secrets, putting users’ digital assets at risk.

“These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox,” Koi Security researcher Yuval Ronen said.

The large-scale campaign is said to have been ongoing since at least April 2025, with new extensions uploaded to the Firefox Add-ons store as recently as last week.

Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns

Cybersecurity researchers are calling attention to phishing campaigns that impersonate popular brands and trick targets into calling phone numbers operated by threat actors.

“A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique known as Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing,” Cisco Talos researcher Omid Mirzaei said in a report shared with The Hacker News.

An analysis of phishing emails with PDF attachments between May 5 and June 5, 2025, has revealed Microsoft and Docusign to be the most impersonated brands. NortonLifeLock, PayPal, and Geek Squad are among the most impersonated brands in TOAD emails with PDF attachments.

TA829 and UNK_GreenSec Share Tactics and Infrastructure in Ongoing Malware Campaigns

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader.

Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829. The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.

The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an “unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes.”