Cyware Daily Threat Intelligence, April 21, 2025


Daily Threat Briefing April 21, 2025

An unfamiliar name is showing up in ransomware notes and it’s backed by code, not bureaucracy. FOG ransomware is being distributed through phishing emails that reference the “Department of Government Efficiency,” deploying payloads that encrypt data. Victims receive ransom notes alongside scripts for data collection and privilege escalation. Since January, the campaign has claimed 100 victims across multiple sectors.

A single enabled feature could open your network to remote control. ASUS has warned of a critical vulnerability in its routers when AiCloud is active. The flaw allows attackers to send specially crafted requests to run commands without authentication. Firmware updates are available, but until patched, users are advised to disable internet-facing services and secure admin interfaces.

A forged email that passes every security check - that’s the new phishing trick. Attackers are using DKIM replay tactics to forward legitimate Google security alerts to unsuspecting victims. The alerts, signed and verified, redirect users to fake support pages hosted on trusted platforms.

Top Malware Reported in the Last 24 Hours

Cybercriminals disseminate FOG ransomware

Cybercriminals are spreading FOG ransomware through phishing attacks that claim ties to the Department of Government Efficiency (DOGE). Trend Micro discovered nine ransomware samples uploaded to VirusTotal, each using the .flocked extension and a readme.txt ransom note, targeting individuals and organizations. The ransomware operators have claimed 100 victims since January across various sectors. The ransomware payload includes scripts for data collection and privilege escalation, along with a Monero wallet address.

New SuperCard X steals credit cards

A new Android malware named SuperCard X has emerged, targeting devices through NFC relay attacks to steal credit card data for point-of-sale and ATM transactions. The malware is linked to Chinese-speaking threat actors and is promoted through Telegram channels. Victims are tricked into installing a malicious app that reads card chip data and allows attackers to make contactless payments and ATM withdrawals using emulated cards. SuperCard X remains undetected by antivirus engines and employs advanced security measures like mTLS for secure communications.

Malicious npm packages plant SSH backdoors

Cybersecurity researchers discovered three malicious npm packages (node-telegram-utils, node-telegram-bots-api, and node-telegram-util) masquerading as a popular Telegram bot library. Despite low download counts, these packages pose a significant risk. They install persistent SSH backdoors on Linux systems by adding keys to authorized_keys, enabling remote access and data exfiltration even after package removal. The packages use starjacking, linking to the legitimate library's GitHub to appear credible. Additionally, another package, @naderabdi/merchant-advcash, was found to hide a reverse shell triggered during runtime after a successful payment, disguising itself as a payment integration tool.
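The packages above persist by appending keys to authorized_keys. As an added example (not from the researchers or the packages described), a Python audit that fingerprints every entry in an authorized_keys file and flags anything that is not in an approved-key inventory, or whose declared key type disagrees with the encoded blob; the file contents, key blobs and allowlist are constructed.

```python
import base64
import hashlib

# Key-type tokens recognised in authorized_keys; anything before the first one is the options field.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_authorized_keys(text: str, allowlist: set[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, fingerprint) for every entry that is not an approved
    key: fingerprint not in the allowlist, type/blob disagreement, or unparseable."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append((n, "unparseable entry", ""))
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            findings.append((n, "undecodable key blob", ""))
            continue
        fp = ssh_fingerprint(blob)
        # The blob starts with a length-prefixed copy of the key type; a mismatch means a malformed or tampered entry.
        tlen = int.from_bytes(blob[:4], "big")
        if blob[4:4 + tlen] != tokens[idx].encode():
            findings.append((n, "declared type does not match blob", fp))
        elif fp not in allowlist:
            findings.append((n, "key not in allowlist", fp))
    return findings

def _blob(keytype: str, payload: bytes) -> str:
    """Constructed OpenSSH wire-format blob for the sample file; not a real key."""
    raw = b"".join(len(x).to_bytes(4, "big") + x for x in (keytype.encode(), payload))
    return base64.b64encode(raw).decode()

ADMIN_KEY = _blob("ssh-ed25519", b"\x11" * 32)   # the one key the inventory approves
ROGUE_KEY = _blob("ssh-ed25519", b"\x22" * 32)   # stands in for a key a package dropped
ALLOWLIST = {ssh_fingerprint(base64.b64decode(ADMIN_KEY))}
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample ~/.ssh/authorized_keys
ssh-ed25519 {ADMIN_KEY} admin@workstation
ssh-ed25519 {ROGUE_KEY}
ssh-rsa {ROGUE_KEY} build@ci
"""
```

Run `audit_authorized_keys` over every user's authorized_keys file after a dependency install to catch keys that no inventory accounts for.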

Top Vulnerabilities Reported in the Last 24 Hours

Critical bug in ASUS routers with AiCloud

ASUS has revealed a critical vulnerability (CVE-2025-2492, CVSS 9.2) in its routers if the AiCloud feature is active. This flaw permits remote attackers to execute unauthorized functions via crafted requests due to improper authentication. ASUS has issued firmware updates for affected branches (3.0.0.4_382, _386, _388, and 3.0.0.6_102) and urges users to update. If patching isn't feasible, recommendations include using strong, unique passwords for Wi-Fi and router admin pages, and disabling AiCloud and other internet-exposed services like remote access, port forwarding, and VPN servers to minimize risk.

Critical RCE flaw in Meshtastic

A critical security flaw (CVE-2025-24797) with a high severity score (CVSS 9.4) has been found in the Meshtastic open-source mesh networking platform. It affects firmware versions prior to 2.6.2 and allows unauthenticated remote code execution. The vulnerability stems from incorrect handling of malformed mesh packets containing invalid Protocol Buffers data, leading to a buffer overflow. An attacker can exploit this remotely without user interaction on the default mesh channel, even across multiple network hops. The issue is fixed in firmware version 2.6.2. 

Top Scams Reported in the Last 24 Hours

Phishers abuse Google OAuth

Hackers exploited a weakness called DKIM replay phishing to send fake emails appearing to originate from Google (no-reply@google[.]com). By creating a specially named Google OAuth app and granting it access, they triggered Google to send a legitimate, DKIM-signed security alert to their own inbox. They then forwarded this verified email to victims. The forwarded email passed DKIM checks because the signature was valid, tricking recipients. The phishing message led to a fake support portal on sites.google.com designed to steal Google credentials. A similar tactic targeted PayPal users.
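As an added detection example (not from the report), a Python check that applies the lesson of this replay: a DKIM signature vouches for the signed headers and body, not for who the message was later forwarded to, so a verified message whose signed To header does not name the mailbox it landed in deserves scrutiny. The message headers, domains and mailbox names are constructed, and the function assumes the signature itself has already been cryptographically verified upstream.

```python
import email
from email import policy
from email.utils import getaddresses

def parse_dkim_tags(header: str) -> dict[str, str]:
    """Split a DKIM-Signature header value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace inside values
    return tags

def replay_indicators(raw_message: str, delivered_to: str) -> list[str]:
    """Indicators that an already-verified DKIM message is a replay: the signed To
    header names a mailbox other than the one the message was actually delivered to.
    Crypto verification is assumed to have happened upstream; it is not done here."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(str(sig))
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        if "to" not in signed:
            # Without To in h= the recipient field is unprotected, so alignment proves nothing.
            indicators.append(f"d={tags.get('d')}: To header is not covered by the signature")
            continue
        recipients = {addr.lower() for _, addr in getaddresses([str(h) for h in msg.get_all("To", [])])}
        if delivered_to.lower() not in recipients:
            indicators.append(f"d={tags.get('d')}: signed To {sorted(recipients)} excludes delivered mailbox {delivered_to}")
    return indicators

# Constructed message: a signed notice originally addressed to one mailbox, then forwarded verbatim.
SAMPLE_REPLAYED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example-mail.test; s=sel1; c=relaxed/relaxed;
 h=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=
From: no-reply@example-mail.test
To: me@first-recipient.test
Subject: Security alert
Date: Mon, 21 Apr 2025 09:00:00 +0000

A legitimately signed notice, forwarded unchanged to a third party.
"""
```

A mailing list or BCC delivery trips the same indicator, so treat it as a triage signal to combine with the sender's forwarding path rather than a verdict on its own.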
