Chinese group Jewelbug hacked a Russian IT provider, exploiting Microsoft tools and exfiltrating data via Yandex Cloud.

Wiz exposed 550 leaked secrets in VS Code extensions, as TigerJack exploits marketplaces with malware.

“This attack highlights not just the creativity and sophistication of attackers but also the danger of trusted system functionality being weaponized to evade traditional detection,” the researchers noted. “It’s not just about spotting malicious activity; it’s about recognizing how legitimate tools and processes can be manipulated and turned against you.”

ReliaQuest told The Hacker News it cannot share any further details regarding when the attack commenced other than noting that the attackers had access to the system for over a year.

“The threat actor likely resorted to this method over an N-day flaw for a simple reason: why use an exploit if they didn’t have to?,” it pointed out. “They likely gained initial access through a weak administrator password and then repurposed a software component into a backdoor.”

Researchers link TA585 to MonsterV2 RAT stealer delivered via IRS-themed phishing, JavaScript injects, and GitHub lures.

Storm-2657 exploits phishing and weak MFA to hijack HR SaaS accounts and redirect payroll funds.

RondoDox expands to exploit 56 flaws across 30 vendors, fueling global IoT botnet attacks.

Rust-based ChaosBot exploits Discord and phishing to infiltrate networks, while Chaos-C++ adds data destruction.

Fortinet warns Stealit malware uses Node.js SEA and fake installers to deliver stealers, RATs, and persistence.

A large-scale botnet is targeting Remote Desktop Protocol (RDP) services in the United States from more than 100,000 IP addresses.

The campaign started on October 8 and based on the source of the IPs, researchers believe the attacks are launched by a multi-country botnet.

RDP is a network protocol that enables remote connection and control of Windows systems. It is typically used by administrators, helpdesk staff, and remote workers.