LATEST THREAT INTELLIGENCE.
What is the Real Relationship between WordPress Hackers and Malicious Adtech?
Description: An investigation into VexTrio, a malicious traffic distribution system (TDS), revealed surprising connections between WordPress hackers and adtech companies. When VexTrio's operations were disrupted, multiple malware actors migrated to a new TDS that was discovered to be related to VexTrio. Several commercial TDSs were found to share software elements with VexTrio and benefit from its relationship with website malware actors. The investigation uncovered a complex network of adtech firms, including Partners House, BroPush, and RichAds, that use similar technologies and tactics to distribute malicious content. These firms have information about the identities of malware actors, which could potentially lead to their disruption.
Created at: 2025-06-13T07:59:41.899000
Updated at: 2025-07-13T07:02:26.133000
Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability
Description: A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infected nearly 700 devices globally. The malware is hosted on Rubick.ai, an AI e-commerce platform serving major brands, posing significant supply chain risks. Pickai employs various obfuscation methods, including string encryption, process disguise, and multiple persistence mechanisms. Its network communication uses a three-tier timing strategy for C2 communication and device information reporting.
Created at: 2025-06-13T07:48:35.975000
Updated at: 2025-07-13T07:02:26.133000
Graphite Caught: First Forensic Confirmation of Paragon's iOS Mercenary Spyware Finds Journalists Targeted
Description: An investigation reveals that two journalists were targeted with Paragon's Graphite mercenary spyware on iOS devices. Forensic analysis confirmed the use of a zero-click attack exploiting a vulnerability (CVE-2025-43200) in iOS 18.2.1. The same attacker targeted both victims, suggesting a coordinated effort against media professionals. The spyware was linked to a specific server and iMessage account. This discovery is part of a broader pattern of spyware use against European journalists, raising concerns about press freedom and digital security. The Italian government acknowledged using Graphite in some cases but denied involvement in targeting certain journalists. The incident highlights the ongoing threat of mercenary spyware to civil society and the need for greater accountability.
Created at: 2025-06-12T22:00:29.873000
Updated at: 2025-07-12T22:01:42.892000
Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
Description: The article examines a malware variant associated with the SLOW#TEMPEST campaign, focusing on advanced obfuscation techniques used by the threat actors. The malware is distributed as an ISO file containing multiple files, including two malicious ones. The loader DLL, zlibwapi.dll, decrypts and executes the embedded payload, which is appended to another DLL. The analysis reveals sophisticated anti-analysis techniques, including Control Flow Graph (CFG) obfuscation using dynamic jumps and obfuscated function calls. The researchers demonstrate methods to counter these techniques using emulation and code patching. The loader DLL also employs an anti-sandbox check, only executing its payload if the target machine has at least 6 GB of RAM. The study highlights the importance of combining advanced dynamic analysis with static analysis to effectively understand and mitigate modern malware threats.
Created at: 2025-07-11T14:36:38.963000
Updated at: 2025-07-11T20:25:53.697000
New BrowserVenom malware being distributed via fake DeepSeek phishing website
Description: A new malicious campaign is distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The phishing site, promoted via Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy controlled by threat actors, enabling network traffic manipulation and data collection. The infection process involves a fake CAPTCHA, exclusion of the user's folder from Windows Defender, and installation of a malicious certificate. BrowserVenom modifies browser settings across various platforms to route traffic through the attacker's proxy. Infections have been detected globally, with victims in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.
Created at: 2025-06-11T15:14:05.324000
Updated at: 2025-07-11T15:00:02.476000
Attackers Inject Code into WordPress Theme to Redirect Visitors
Description: An analysis reveals a recent attack vector targeting WordPress themes, specifically injecting malicious code into the footer.php file. The injected code uses a function called r2048 to retrieve a URL from a remote server and redirect visitors. This method is particularly insidious as it's not visible from the WordPress dashboard. The attackers utilize either cURL or file_get_contents to fetch the redirection URL, allowing for dynamic control over the destination based on factors like the user's browser or device. This technique underscores the importance of regular theme and plugin audits, as well as securing FTP and SSH access to prevent unauthorized file modifications.
Created at: 2025-07-11T06:42:39.591000
Updated at: 2025-07-11T11:04:26.347000
The Solidity Language open-source package was used in a $500,000 crypto heist
Description: A malicious extension for the Solidity programming language in the Cursor AI IDE led to a $500,000 cryptocurrency theft. The fake extension, downloaded 54,000 times, appeared higher in search results than the legitimate one due to ranking algorithm factors. It installed malware that downloaded PowerShell scripts, installed remote management software, and deployed data-stealing payloads. The attackers obtained wallet passphrases and stole cryptocurrency. Similar malicious packages were found targeting blockchain developers. The incident highlights the ongoing threat of malicious open-source packages in the crypto industry and the need for caution when downloading tools from package repositories.
Created at: 2025-07-11T06:42:39.049000
Updated at: 2025-07-11T11:02:03.487000
Patch, track, repeat
Description: The report discusses the current state of vulnerability management, highlighting the increasing number of CVEs published daily and the rise in Known Exploited Vulnerabilities (KEVs). It emphasizes the importance of continuous tracking and patching of vulnerabilities. The report also covers Microsoft's July 2025 security update, which addresses 132 vulnerabilities, including 14 critical ones. The author stresses the need for prompt application of these patches to protect against potential attacks. Additionally, the report touches on recent cybersecurity news, including the arrest of an alleged Chinese hacker, AI jailbreaking techniques, and ransomware group shutdowns.
Created at: 2025-07-11T10:56:05.616000
Updated at: 2025-07-11T10:56:05.616000
Unmasking the Infrastructure of a Spear-phishing Campaign
Description: Censys researchers uncovered a spear-phishing campaign in which threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how the attackers set up these publicly accessible directories to store malicious scripts, the obfuscation techniques employed, and the infrastructure's lifecycle.
Created at: 2025-06-11T09:40:24.683000
Updated at: 2025-07-11T09:02:02.286000
Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery
Description: Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_eggs, a JavaScript-based backdoor. The group uses trusted cloud services like AWS to host malicious infrastructure, evading detection. Their phishing emails impersonate job applicants, with domains mimicking real names. FIN6 employs sophisticated filtering techniques to ensure malware delivery only to intended targets. The more_eggs malware, developed by Venom Spider, allows for command execution and credential theft. Defense strategies include cautious handling of resume links, blocking execution of suspicious files, and implementing EDR policies.
Created at: 2025-06-11T09:28:26.905000
Updated at: 2025-07-11T09:02:02.286000