
WhatsApp Zero-Day Exploited in Targeted Spyware Campaign

📰 2 unique sources, 3 articles

Summary


A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed an unauthorized user to trigger the processing of content from an arbitrary URL on a target's device, potentially leading to spyware deployment. The attacks were sophisticated and chained the WhatsApp flaw with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. WhatsApp patched the vulnerability in its messaging apps for Apple iOS and macOS and sent in-app threat notifications to users affected by the targeted spyware campaign. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks, and has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.

Timeline

  1. 11.09.2025 22:02 📰 2 articles · ⏱ 2d ago

    Apple warns of continued spyware attacks and provides mitigation advice

    Apple has warned customers that their devices were targeted in a new series of spyware attacks. CERT-FR, operated by ANSSI, is aware of at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. These alerts were sent on March 5, April 29, June 25, and September 3. The notifications report highly sophisticated attacks, most of which employ zero-day vulnerabilities or require no user interaction at all. These complex attacks target individuals because of their status or function: journalists, lawyers, activists, politicians, senior officials, members of management committees in strategic sectors, etc. Apple advises users who were targeted by mercenary spyware attacks to enable Lockdown Mode and request rapid-response emergency security assistance through Access Now's Digital Security Helpline. Since 2021, Apple has sent threat notifications multiple times a year, notifying users in over 150 countries in total. Apple does not attribute the attacks or resulting threat notifications to any specific attackers or geographical regions. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities and make it harder for surveillance vendors, who typically rely on such zero-days for planting spyware on a target's phone. The number of U.S. investors in spyware and surveillance technologies increased from 11 in 2023 to 31 in 2024. New spyware entities have emerged in Japan, Malaysia, and Panama, including vendors like Bindecy and SIO. The spyware market now includes key actors such as resellers and brokers, which are often under-observed and not addressed in current policy deliberations.

  2. 01.09.2025 16:02 📰 1 article · ⏱ 12d ago

    Zero-day in WhatsApp version 3.32.x exploited in targeted spyware attacks

    A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed an unauthorized user to trigger the processing of content from an arbitrary URL on a target's device, potentially leading to spyware deployment. The attacks were sophisticated and chained the WhatsApp flaw with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. WhatsApp patched the vulnerability in its messaging apps for Apple iOS and macOS and sent in-app threat notifications to users affected by the targeted spyware campaign.



Similar Happenings

Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild

A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.

EvilAI Malware Campaign Targets Global Organizations with AI-Enhanced Stealth Tactics

A threat actor is using AI-enhanced malware to infiltrate organizations worldwide. The campaign, dubbed EvilAI, has infected hundreds of victims across multiple sectors, including manufacturing, government, and healthcare. The malware is concealed within seemingly legitimate productivity and AI-enhanced apps, leveraging digital signatures and realistic features to avoid detection. The malware performs extensive reconnaissance and attempts to disable security products, setting the stage for future attacks. The malware is distributed through malicious advertisements and promoted links on search engines and social media. Once installed, it remains persistent on compromised systems and uses obfuscation techniques to evade detection. The campaign is ongoing and evolving, with new apps and tactics being deployed rapidly.

Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations

The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors combine brute-forcing credentials, exploiting default configurations, and using the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. To mitigate the risk, organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, address the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks.

APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign

The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.

GhostAction GitHub supply chain attack steals 3,325 secrets

A supply chain attack, dubbed GhostAction, has compromised 3,325 secrets across 817 GitHub repositories. The attack began on September 2, 2025, and involved injecting malicious GitHub Actions workflows into repositories to exfiltrate secrets. The attack targeted various ecosystems, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys. The compromised secrets could potentially be used to release malicious or trojanized packages. The attack was discovered by GitGuardian researchers on September 5, 2025. The exfiltration endpoint was taken down shortly after the campaign was discovered. The attack impacted at least nine npm and 15 PyPI packages, and potentially affected the entire SDK portfolio of several companies. The compromised secrets included PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials.