
Cyware Daily Threat Intelligence, March 11, 2025

Daily Threat Briefing Mar 11, 2025

A new ransomware strain isn’t just locking up files, it’s locking out hope of recovery. Researchers uncovered EByte Ransomware, a Golang-based malware that’s actively targeting Windows systems with advanced cryptographic techniques, making decryption nearly impossible without the attackers' key.

A simple-looking PDF is all it takes for attackers to hijack your system. A new malware strain, Phantom Goblin, is being spread through RAR attachments in phishing campaigns, tricking users into opening a malicious LNK file disguised as a document. It also abuses VSCode tunnels for remote access.

Attackers don’t need new tricks when unpatched systems do the job for them. The CISA has flagged five new vulnerabilities under active exploitation, affecting Advantive VeraCore and Ivanti Endpoint Manager. The VeraCore flaw exploitation is linked to a likely Vietnamese threat group, while the Ivanti EPM vulnerabilities allow attackers to coerce credentials for further access.

Top Malware Reported in the Last 24 Hours

Lazarus targets npm, drops malware

North Korea's Lazarus Group has been found to have infiltrated the npm ecosystem with six new malicious packages. These packages, designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor, closely mimic the names of widely trusted libraries and employ typosquatting tactics. The packages contain BeaverTail malware and have been downloaded over 330 times. The Lazarus Group has also created and maintained GitHub repositories for these packages to lend an appearance of open-source legitimacy. 
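The briefing notes that the malicious packages relied on typosquatting, names a character or two away from widely used libraries. The script below is an added example, not code from Cyware or from the researchers who reported the packages: it screens a dependency list for names that sit within a small edit distance of a trusted set. Every package name in it is constructed for illustration; the six real Lazarus packages are not reproduced here, and `TRUSTED` and `SAMPLE_DEPS` are assumptions of the example.

```python
"""Flag dependency names that sit within a small edit distance of widely
used npm packages, a crude typosquat screen for a manifest or lockfile.
All package names below are constructed for the example; they are not the
packages named in the Lazarus report."""

from typing import Iterable, List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute), iterative DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and drop an npm scope ('@org/pkg' -> 'pkg') so that a
    scoped impostor is compared on its bare name."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return name


def typosquat_candidates(deps: Iterable[str], trusted: Iterable[str],
                         max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (dependency, lookalike, distance) for each dependency whose
    normalized name is within max_distance of a trusted name without being
    that name itself. An exact match is the genuine package and is skipped."""
    trusted_norm = {normalize(t): t for t in trusted}
    hits = []
    for dep in deps:
        n = normalize(dep)
        if n in trusted_norm:
            continue
        best = None
        for tn, t in trusted_norm.items():
            d = levenshtein(n, tn)
            if d <= max_distance and (best is None or d < best[1]):
                best = (t, d)
        if best:
            hits.append((dep, best[0], best[1]))
    return hits


# Constructed trusted set and manifest: two genuine names, three look-alikes
# (transposition, dropped letter, scoped substitution) and one unrelated name.
TRUSTED = ["lodash", "express", "react", "axios", "chalk"]
SAMPLE_DEPS = ["lodash", "lodahs", "expres", "@acme/reakt", "axios", "left-pad"]


def main() -> None:
    for dep, like, dist in typosquat_candidates(SAMPLE_DEPS, TRUSTED):
        print(f"{dep!r} is {dist} edit(s) from trusted {like!r}")


if __name__ == "__main__":
    main()
```

Edit distance only catches misspellings; an impostor built by appending a plausible suffix to a real name, or one that simply carries a new name and a copied README, passes this screen. Pair it with lockfile pinning, an internal allowlist, and a look at publish date and download count before a new dependency is admitted.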

New EByte Ransomware emerges

CYFIRMA has discovered a new ransomware variant, EByte Ransomware, written in Golang, which is actively targeting Windows systems. This malware uses advanced cryptographic methods, making file recovery nearly impossible without the attacker's decryption tool. Developed by a threat actor known as EvilByteCode, the ransomware has been made publicly available on GitHub, purportedly for educational purposes. The malware scans all available drives, sends a unique locker ID and a timestamp to a remote server for tracking infections, replaces the system wallpaper with a ransom demand, and leaves behind a ransom note instructing victims to contact the attackers via email for decryption.

Phantom Goblin: New stealthy malware campaign

A new malware strain, dubbed Phantom Goblin, is being distributed through RAR attachments using social engineering techniques. The malware uses a malicious LNK file disguised as a PDF document to execute a PowerShell command that retrieves additional payloads from a GitHub repository. The malware primarily targets web browsers and developer tools, stealing sensitive information such as cookies, login credentials, and browsing history. It also establishes unauthorized remote access by leveraging Visual Studio Code tunnels. The stolen data is then exfiltrated to a Telegram bot, ensuring stealthy data transfer and persistence. 
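The lure here is a Windows shortcut wearing a document name. As an added example, not code from Cyware or from the Phantom Goblin analysis, the script below screens already-extracted archive entries for that pattern: it checks for the shell-link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) regardless of filename, and cross-checks a `.pdf` name against the `%PDF-` header. The entry names and bytes in `SAMPLE_ENTRIES` are constructed for the example; the real attachment names are not reproduced.

```python
"""Screen extracted archive entries for Windows shortcut (.lnk) files posing
as documents. Sample entries are constructed for this example; the real
Phantom Goblin attachment names are not reproduced here."""

import os
from typing import Dict, Iterable, Tuple

# Windows shell link (MS-SHLLINK) header: HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
PDF_MAGIC = b"%PDF-"

# Document extensions that commonly appear as the inner part of a double
# extension such as 'invoice.pdf.lnk'.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_lnk(data: bytes) -> bool:
    """True when the bytes begin with the shell-link header."""
    return data.startswith(LNK_MAGIC)


def classify_entry(name: str, data: bytes) -> str:
    """Return 'ok' or a short reason the entry deserves a second look."""
    lower = name.lower()
    base, ext = os.path.splitext(lower)
    inner_ext = os.path.splitext(base)[1]   # '.pdf' in 'invoice.pdf.lnk'
    if ext == ".lnk":
        if inner_ext in DOC_EXTS:
            return "shortcut with document double extension"
        return "shortcut in attachment"
    if is_lnk(data):
        return f"shortcut bytes under non-.lnk name ({ext or 'no ext'})"
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        return "claims .pdf but lacks PDF header"
    return "ok"


def screen(entries: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Map each flagged (name, bytes) entry to its verdict; 'ok' entries are omitted."""
    verdicts = ((name, classify_entry(name, data)) for name, data in entries)
    return {name: v for name, v in verdicts if v != "ok"}


# Constructed entries: a real PDF, a double-extension shortcut, a shortcut
# renamed to .pdf, a text file renamed to .pdf, and a harmless text file.
SAMPLE_ENTRIES = [
    ("invoice.pdf", PDF_MAGIC + b"1.7\n%constructed\n"),
    ("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 32),
    ("report.pdf", LNK_MAGIC + b"\x00" * 32),
    ("notes.pdf", b"plain text pretending"),
    ("readme.txt", b"hello"),
]


def main() -> None:
    for name, verdict in screen(SAMPLE_ENTRIES).items():
        print(f"{name}: {verdict}")


if __name__ == "__main__":
    main()
```

Explorer never displays the `.lnk` extension of a shortcut, whatever the folder's "hide extensions" setting, so `invoice.pdf.lnk` is shown to the user as `invoice.pdf`; that is why the double-extension check belongs at the mail gateway or sandbox rather than with the recipient. The header check tells you only that the entry is a shortcut, not what it launches; the PowerShell command and the follow-on download described above are a separate detection problem.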

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds five bugs to KEV catalog

The CISA has added five security flaws to its KEV catalog, which are being actively exploited. These vulnerabilities affect Advantive VeraCore (CVE-2024-57968 and CVE-2025-25181) and Ivanti Endpoint Manager (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161). The VeraCore vulnerabilities are being exploited by a likely Vietnamese threat actor named XE Group, while the Ivanti EPM flaws are described as "credential coercion" bugs. Federal agencies are urged to apply necessary patches by March 31.

Chrome update fixes five flaws

Google has released a critical security update for its Chrome browser, addressing five vulnerabilities, including three high-severity flaws that could potentially allow attackers to execute arbitrary code. The update, version 134.0.6998.88/.89 for Windows and Mac, and 134.0.6998.88 for Linux, is currently being rolled out. The most concerning vulnerabilities are two high-severity type confusion flaws, CVE-2025-1920 and CVE-2025-2135, in the V8 JavaScript engine, which could lead to memory corruption and arbitrary code execution. A high-severity out-of-bounds write vulnerability, CVE-TBD, in the GPU component could also lead to system crashes or remote code execution. Two medium-severity vulnerabilities, CVE-2025-2136 and CVE-2025-2137, have also been patched. 

Several vulnerabilities in ICONICS software

A set of SCADA software systems made by ICONICS, widely used in critical infrastructure worldwide, was found to have at least five vulnerabilities - CVE-2024-1182, CVE-2024-7587, CVE-2024-8299, CVE-2024-8300, and CVE-2024-9852. The vulnerabilities, rated between 7 and 7.8 on the CVSS severity scale, include issues related to DLL hijacking, file tampering, denial of service, and dead code. ICONICS software is primarily used in sectors like government, military, manufacturing, water and wastewater, and energy. Some vulnerabilities stem from ICONICS' reliance on older, less secure versions of other tools and components.
