The attack is built to spread itself through trusted developer workflows, making it one of the more sophisticated supply-chain threats seen in recent years.

The malware travels inside packages that look completely legitimate at first glance. Attackers republished several npm packages from a compromised account, slipping a hidden Linux binary into each one.

The moment a developer runs npm install, the binary executes automatically, with no extra steps required. There is nothing to click and nothing to approve.

Security analysts at JFrog said in a report shared with Cyber Security News (CSN) that IronWorm is a custom-built, Rust-based infostealer that scrapes every secret it can find on a developer’s machine, hides behind a kernel-level rootkit, and communicates with its operator through the Tor network.

The campaign was caught in the wild and appeared to target software developers, with a particular focus on crypto and web3 builders.

What makes this threat stand out is how aggressively it spreads. After stealing credentials, IronWorm uses them to push backdated commits into the victim’s GitHub repositories, planting malware into other packages.

Those infected packages then get published to npm, where they can infect the next developer who installs them. The attack essentially uses the victim’s own identity to continue spreading further.

The scale of the campaign is notable too. Researchers found 57 backdated malicious commits spread across nine GitHub organizations.

Some of those commits were made to look years old by copying the timestamp of the repository’s last real commit, a trick designed to avoid raising suspicion during routine code reviews.

IronWorm Supply Chain Attack Uses Malicious npm Packages

IronWorm hides its malicious binary inside a folder path that most developers would never think to check. The binary is packed using a modified UPX tool, with the standard signature removed to prevent automated unpacking.

Once running, the malware decrypts its internal strings one at a time, using a different key at each location, which makes reverse engineering unusually slow and difficult.

The credential theft is broad and deliberate. The malware scans for 86 different environment variables covering cloud platforms, databases, CI/CD systems, source control tokens, and AI service API keys.

It also reads more than 20 credential file paths from disk, including wallet configs and authentication files from tools that became popular only recently.

One dedicated module targets the Exodus desktop wallet specifically, injecting code that captures the wallet password and recovery phrase at the moment the user unlocks it.

A separate module targets Kubernetes pods, reading service account tokens and dumping every secret it can reach.

The Rootkit and Self-Replication Mechanism

IronWorm carries an eBPF-based rootkit that hides its processes and network connections from standard system monitoring tools. This rootkit operates at the kernel level, rewriting process lists before any monitoring software can see them.

Commands like ps and top return clean results, while the malware continues running in the background. The rootkit also blocks attempts to attach a debugger to the malware process, and trying to do so can crash the shell running the command.

The self-replication through npm is equally well thought out. When the malware runs inside a CI environment, it uses npm’s own Trusted Publishing flow to get short-lived publish credentials.

It never needs a stored token. With those credentials, it publishes a trojanized version of the package to the npm registry just like any normal release would look.

Researchers recommend auditing every repository that a compromised account had write access to, checking for backdated commits, unexpected build hooks, and changes attributed to automation names like dependabot or github-actions outside their usual context.

All API keys and secrets tied to the affected account should be rotated immediately, and malicious package versions should be unpublished with a clear security advisory issued to warn downstream users.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets appeared first on Cyber Security News.

The intrusion ran from October 2025 through at least March 2026, designed entirely around one single goal: stealing the complete contents of one person’s mailbox without raising an alarm.

It is a stark reminder of just how much sensitive intelligence sits inside a single high-ranking inbox. The attackers chose their target with clear intent. A stock exchange executive’s email holds far more than routine correspondence.

It can contain details of upcoming listings, enforcement actions, internal deliberations, calendar schedules, and market-moving events not yet made public.

Months of quiet, uninterrupted access to that kind of data gives an attacker a remarkable window into an organization’s near-term direction without ever touching any other system on the network.

Analysts from Symantec’s Threat Hunter Team, working alongside Carbon Black, identified the campaign and noted that the use of legitimate cloud infrastructure and publicly available tools made attribution to any known threat group impossible. 

Symantec said in a report shared with Cyber Security News (CSN) that the commands and objectives observed throughout the campaign are consistent with espionage as the primary motivation.

The operational discipline on display was considered notable enough to warrant a public disclosure, despite the team’s standard practice of not publishing on single-victim incidents.

What made this campaign especially difficult to catch was how the attackers blended seamlessly into normal traffic. They relied exclusively on cloud services that any legitimate user might interact with daily, hiding their activity inside the kind of network noise that rarely triggers security alerts.

Over five months, they rebuilt persistence on the victim machine multiple times, continuously adapting their techniques to keep access alive.

Stock Exchange Executive’s Outlook Account Targeted

The initial access method was never confirmed, but by October 2025 attackers had already installed two masquerading binaries on the victim’s machine, both running with SYSTEM-level privileges.

The first posed as an Adobe update service (armsvc.exe), while the second impersonated a Microsoft OneDrive component (oneservice.exe). Both ran automatically via scheduled tasks, giving attackers a reliable foothold before the main theft operation ever began.

The core tool was built around Aspose, a legitimate .NET library for reading Outlook data files. Attackers used it to convert the executive’s offline Outlook storage file into a portable format, then quietly moved the output off the machine.

The tool was deployed under three different temporary filenames (ts_9ea0.tmp, ts_e0d5.tmp, ts_e2d5.tmp), all sharing the same file hash.

Starting with emails dating back to August 2025, each extraction run picked up precisely where the last one left off, building a near-complete copy of the entire mailbox over time. (See Figure 1: Attack Chain)

Exfiltration via Legitimate Cloud Infrastructure

The stolen data was funneled out through Dropbox and OneDrive using standard command-line tools that would look entirely normal on most enterprise systems.

For Dropbox, the attackers reused the same application credentials across every session, rotating only the short-lived authorization tokens.

For OneDrive, they bypassed DNS-based filtering entirely by making requests directly to hard-coded Microsoft IP addresses, ensuring no suspicious domain lookups appeared in perimeter logs.

In late November 2025, the attackers briefly tested a third channel by uploading files to a public temporary file-hosting service called temp.sh, but abandoned it after just a few attempts.

The campaign continued evolving through March 2026, when a fresh DLL (te.host.dll) and a new masquerading binary (armdriver.exe) were deployed, confirming the attackers were still active and refining their methods until the very end.

Organizations should monitor carefully for unusual scheduled task creations that use legitimate vendor names as cover, and flag bulk file transfers originating from mail data directories.

Restricting outbound connections to cloud storage APIs and enabling behavioral alerts tied to Outlook storage file access can help surface these long-dwell espionage campaigns before significant damage is done.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials appeared first on Cyber Security News.

The flaw, stemming from insecure deserialization of untrusted data, is now being actively exploited in real-world attacks, raising concerns across eCommerce environments that rely on Magento platforms.

According to CISA, the vulnerability exists in how the extension processes serialized PHP objects received through the CacheWarmer cookie.

An unauthenticated attacker can craft a malicious serialized payload and send it via this cookie, triggering unsafe deserialization on the server.

This behavior allows arbitrary code execution without requiring valid credentials, making it particularly dangerous for internet-facing Magento stores.

Magento Cache Warmer RCE flaw Exploited

The issue has been classified under CWE-502, which covers deserialization of untrusted data, a well-known class of vulnerabilities frequently abused in web applications.

When exploited, attackers can execute system commands, deploy backdoors, or pivot deeper into the hosting environment. Given Magento’s widespread use in enterprise and mid-sized eCommerce deployments, the attack surface is significant.

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, confirming active exploitation.

Federal agencies and organizations are required to remediate the issue by June 6, 2026, under Binding Operational Directive (BOD) 22-01.

While there is currently no public confirmation linking this flaw to ransomware campaigns, the nature of the vulnerability makes it highly attractive for initial access brokers and financially motivated threat actors.

Security researchers note that exploitation attempts may include suspicious HTTP requests containing a manipulated “CacheWarmer” cookie with encoded PHP object payloads.

Indicators of compromise may involve unexpected web server processes, unauthorized file creation within Magento directories, or outbound connections to unknown IP addresses following exploitation.

Logs may reveal abnormal cookie values or repeated requests targeting cache warming endpoints. Organizations using the Mirasvit Full Page Cache Warmer extension are strongly advised to apply vendor-provided patches or mitigations immediately.

If no fix is available, CISA recommends disabling or removing the affected component entirely to eliminate exposure.

Additional defensive measures include implementing web application firewall rules to inspect and block malicious serialized input, monitoring application logs for anomalies, and restricting access to sensitive endpoints.

This incident highlights the continued risk posed by insecure deserialization flaws in modern web applications. As attackers increasingly automate the exploitation of newly disclosed vulnerabilities, timely patching and proactive monitoring remain critical to defending production environments.

Magento administrators, in particular, should review third-party extensions regularly to ensure they meet secure coding standards and do not introduce hidden attack vectors into otherwise hardened systems.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks appeared first on Cyber Security News.

References to claude-oceanus-v1-p began circulating among researchers on June 3, 2026, after the model identifier appeared inside Anthropic’s Claude Console and surfaced through unauthorized API proxy services.

The sightings immediately triggered speculation that Anthropic was advancing toward a broader rollout of a successor to the Claude Mythos line, with red team evaluators reporting access to the new model beginning that same day.

The controlled evaluation was short-lived. Within hours of the model reaching validated red teamers, reports emerged that an unidentified actor had allegedly resold API access to claude-oceanus-v1-p through a Chinese-based proxy service at a premium rate of $16 per million input tokens, a figure significantly above Anthropic’s standard enterprise pricing tiers.

Anthropic’s history with unauthorized proxy abuse is well-documented; earlier in 2026, the company accused Chinese AI labs including DeepSeek, Moonshot AI, and MiniMax of using approximately 24,000 fake accounts to run over 16 million interactions with Claude models through proxy channels.

In response to the Oceanus resale incident, Anthropic reportedly paused model access for the broader red team cohort pending an internal investigation.

Claude Oceanus-v1-p is understood to build directly upon the Claude Mythos Preview foundation, which launched in April 2026 and demonstrated an alarming capability profile for the cybersecurity community.

Mythos Preview, operating under Anthropic’s restricted research track, was assessed by the company’s Frontier Red Team as capable of identifying and exploiting zero-day vulnerabilities across every major operating system and web browser, with Glasswing partners collectively uncovering over 10,000 high or critical-severity vulnerabilities since the program’s inception.

The Turing Institute further noted that Mythos’ red team found vulnerabilities with a recovery rate exceeding 99% across disclosed test cases.

The Oceanus red team evaluation comes on the heels of Anthropic’s June 2 expansion of Project Glasswing its restricted AI cyberdefense initiative to approximately 150 new organizations spanning more than 15 countries, including India, France, Germany, South Korea, and Australia.

The expanded group now includes important infrastructure sectors like power, water, healthcare, and communications. These sectors were not part of the program when it first launched with a focus on Big Tech.

Anthropic stated that a successful cyberattack on most new partner organizations could affect in excess of 100 million people.

Anthropic has stated candidly that Mythos-level capabilities and, by extension, Oceanus-v1-p, will not be cleared for general public release until the company develops “highly robust safeguards to prevent misuse,” acknowledging that such safeguards do not yet exist in the industry.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Anthropic’s Claude Oceanus-v1-p Opens to Red Team Testing, but Distribution is Compromised appeared first on Cyber Security News.

Instead of tricking people into typing passwords on fake websites, attackers are now dropping malware directly onto victims’ devices to do the stealing for them.

This shift has been building gradually, and it signals a more dangerous phase in the evolution of online scams. Traditional phishing still exists and remains a serious threat.

However, a growing number of attackers now prefer to deploy infostealers, a category of malware designed to silently collect passwords, browser cookies, session tokens, saved autofill data, cryptocurrency wallet details, and even files stored on the device.

Analysts at Malwarebytes, in a report shared with Cyber Security News (CSN), noted that this approach is appealing because it scales well and reduces friction for the attacker.

Rather than waiting for a victim to visit a fake login page and enter credentials, the malware simply harvests whatever is already saved on the infected machine.

This also makes the attack much harder to spot. A classic phishing attempt often leaves visible red flags, a strange link, a suspicious sender address, or an oddly formatted login page.

Infostealers, by contrast, work quietly in the background after installation, giving victims little reason to suspect anything is wrong.

One significant driver behind this change is the widespread adoption of multi-factor authentication, or MFA. Because MFA adds an extra layer of login verification, stolen passwords alone are no longer enough for many account takeovers.

By stealing session cookies instead, attackers can bypass MFA entirely and access accounts without needing a password or a one-time code.

Cybercriminals Shift From Fake Login Pages

Another major factor is the explosion of the malware-as-a-service ecosystem, commonly known as MaaS. This underground market allows criminals to buy ready-made infostealer kits, loaders, and initial access tools without needing to build anything themselves.

It has dramatically lowered the bar for entry, letting even low-skilled attackers run large-scale credential theft campaigns. These services are not just cheap, they are also designed for speed and flexibility.

Operators can push out updates, rotate their infrastructure, and launch fresh campaigns quickly, while a network of affiliates handles distribution through phishing emails, fake downloads, malvertising, and social media traps.

The division of labor makes these operations highly efficient and difficult to shut down. Infostealers rarely mark the end of an attack, and in most cases, they are just the opening move.

The stolen data, including saved passwords, session cookies, and corporate access credentials, is packaged and sold to other criminals who specialize in account takeover, fraud, business email compromise, or ransomware deployment. A single infected device can generate income across multiple buyer types at once.

How Infostealers Reach Victims and How to Stay Safe

Infostealers reach victims through a wide range of delivery methods. Malicious ads, fake browser update prompts, pirated software, game cheats, cracked tools, and shady browser extensions are among the most common entry points.

These channels are effective because they reach people who are not necessarily expecting an attack and who may already be used to clicking through prompts without much thought.

A tactic called ClickFix has also gained traction recently. It works by tricking users into running commands or scripts on their own devices, often by presenting a fake error message or warning that instructs them to paste something into a command prompt.

Malwarebytes researchers warn that users should never execute any command copied from a website, email, or message unless they fully understand what it does and trust the source completely.

Staying safe requires building simple, consistent habits. Users should avoid clicking on sponsored ads and navigate directly to official websites when downloading software.

Pirated tools and cracked software carry a high risk of bundled malware and should be avoided entirely.

Slowing down before clicking any link or opening any attachment in an email can make a real difference, especially when the message creates a sense of urgency around billing, account issues, or security alerts.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks appeared first on Cyber Security News.

The group has been deploying a growing arsenal of malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, against organizations in Japan, the United Kingdom, Germany, and across Southeast Asia.

These campaigns are financially motivated and show a level of planning that sets TA4922 apart from typical criminal groups. The group’s reach is no longer regional. It is becoming a global threat.

What makes TA4922 especially dangerous is how it tricks its victims. The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams.

These messages are written in the target’s local language and look convincing enough to fool cautious employees. Once a victim clicks a link or opens an attachment, the malware silently installs itself.

Analysts at Proofpoint identified and documented this activity in a detailed threat report shared with Cyber Security News (CSN). According to Proofpoint, TA4922 is a highly sophisticated actor with a rapidly evolving malware arsenal.

The group is assessed to be financially motivated, with goals including data theft, fraud, and persistent access to victim environments. Proofpoint notes that TA4922 currently conducts more unique campaigns than any other tracked cybercrime actor in their threat data.

The group first appeared on Proofpoint’s radar in spring 2025, initially focused on East Asia. By early 2026, TA4922 had dramatically expanded into Europe and South Africa.

The group mixes malicious activity with legitimate tools and trusted cloud hosting services, making their attacks harder to detect.

One of the more alarming aspects of TA4922’s behavior is how fast it builds new tools. Proofpoint assessed with high confidence that the group likely uses AI coding tools to rapidly develop new Python-based malware.

Unchanged placeholder values in SilentRunLoader’s code, such as the string “your_secret_key_here,” suggest code was generated with minimal review. This fast development cycle means defenders are constantly chasing new variants.

TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT

TA4922 ran several notable campaigns between March and April 2026, each deploying different malware. In early March, the group sent HR-themed emails to organizations in Japan disguised as salary adjustment notices.

These carried ZIP files hosted on GoFile, and once opened, triggered DLL sideloading to deliver Atlas RAT, which connected to a command-and-control server at 206.238.115.58 over port 886.

A second Atlas RAT campaign in April targeted organizations in the UK and Germany using HR lures with filenames like “Paperwork.zip.” RomulusLoader appeared in late March, targeting Japanese organizations via LimeWire-hosted files.

In mid-April, TA4922 used RomulusLoader to push legitimate remote monitoring tools such as AnyDesk and SyncFuture, blending into normal network traffic.

SilentRunLoader was deployed against UK targets using fake tax authority emails, stealing Chrome credentials and sending them to an actor-controlled server.

Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.

It runs multiple anti-sandbox checks and communicates with its server using ChaCha encryption. ValleyRAT, built on the Winos4.0 framework, adds DDoS support and downloads additional modules on demand. Together, these tools give TA4922 deep and persistent access to compromised systems.

Defending Against TA4922 and Its Malware Tools

Organizations need to act now to reduce their exposure to this threat. Proofpoint recommends enforcing application allowlisting on trusted directories to prevent unapproved executables from running.

Teams should also monitor or prevent execution from temporary folders like %TEMP% and %APPDATA%, commonly abused by malware like RomulusLoader. Watching for executables written to root directories can help catch suspicious activity early.

Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure. Applying least-privilege principles across accounts limits how much damage an attacker can cause once inside a network.

Since TA4922 is known to move victims from email to messaging platforms like WhatsApp and Microsoft Teams, security teams should train employees to recognize and report this social engineering before it leads to a full compromise.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Proofpoint Warns TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT appeared first on Cyber Security News.

Security researchers from Evalian’s SOC team identified the operation, which leverages convincing OpenAI branding and search engine ads to lure users actively seeking legitimate AI tools.

The campaign centers around a malicious domain, openew[.]An app designed to mimic an official ChatGPT download page closely.

Victims are presented with multiple download options, including Windows, macOS, and a Chrome extension.

While the browser extension redirects to a legitimate listing to build trust, the Windows and macOS installers deliver trojanized payloads.

The domain is newly registered via Namecheap and resolves to IP address 144[.]172[.]104[.]205, which is hosted on RouterHosting infrastructure, a provider frequently observed in short-lived malicious campaigns.

The Windows payload, distributed as Chat_GPT.exe (SHA256: 56CC26E88C064B0C423AA8AD6530E58F91D1E4D28FAB1A8BCEDEF16A6582B4D2), uses an Inno Setup installer to deploy an Electron-based application.

Despite appearing legitimate, the binary contains inconsistencies, including mismatched metadata and a code-signing certificate issued to an unrelated entity, F.F.A.P. Hurkmans Beheer B.V.

Fake ChatGPT Site Spreads Malware via Ads

This highlights a common tactic where valid signatures are abused to bypass user suspicion without guaranteeing software legitimacy.

Static analysis reveals that the application bundles a Chromium-based runtime with an obfuscated JavaScript payload stored in the app. asar file.

A large script, identified as winter.js, contains heavily obfuscated logic that uses encoded strings and dynamic execution patterns, making straightforward analysis difficult.

The application includes Node.js modules such as child_process, fs, and systeminformation, indicating capabilities for system reconnaissance, file manipulation, and command execution.

Dynamic analysis shows the malware employs CAPTCHA-based gating before executing its core functionality, a technique designed to evade automated sandbox detection.

Once the user completes the CAPTCHA, the malware spawns multiple PowerShell processes with execution flags such as “-ExecutionPolicy Unrestricted,” suggesting staged payload delivery in which commands are injected at runtime rather than embedded statically.

According to Evalian’s SOC team, the malware creates a Chromium-style profile in %AppData%\Satoshi to maintain persistence and store data such as cookies and cache files.

This behavior, combined with event-driven execution, indicates that the malware delays its primary actions until specific user interactions occur, further complicating detection.

Interestingly, the embedded network configurations reference legitimate DNS-over-HTTPS services such as Cloudflare and Google, thereby blending malicious traffic into normal encrypted DNS traffic.

This approach helps obscure command-and-control communications and evade traditional network monitoring tools.

The macOS variant (SHA256: 7E5B708F6659B1FAD3AAE7B589A706434FBF21708AEEC5AF5910189B96E25FEF) remained largely undetected by antivirus engines at the time of discovery, suggesting either low distribution volume or effective evasion techniques.

This campaign demonstrates how threat actors are evolving malvertising strategies by combining trusted branding, modern application frameworks such as Electron, and layered evasion techniques, including obfuscation, CAPTCHA validation, and staged execution.

Unlike traditional phishing, malvertising targets users with high intent, making the initial compromise more effective.

For defenders, key signals include unexpected Electron applications spawning scripting engines, mismatched installer metadata, and unusual directories such as %APPDATA%\Satoshi.

Monitoring newly registered domains impersonating software vendors and analyzing process behavior rather than relying solely on signatures remains critical.

As AI tools continue to gain widespread adoption, campaigns like this highlight the growing risk of brand impersonation in malware delivery, reinforcing the need for stronger user awareness and behavioral detection controls.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Weaponized ChatGPT Download Site Delivers Malware Via Sponsored Search Results appeared first on Cyber Security News.

Kali365, a phishing-as-a-service (PhaaS) platform first spotted in April 2026, was initially built to steal Microsoft 365 login tokens by tricking users into authorizing fake device login requests.

Now it has grown into something much bigger, going after Okta single sign-on systems, Russian messaging platform MAX Messenger, and dozens of other services.

The platform works by abusing a legitimate Microsoft login process called the OAuth 2.0 device authorization flow.

This method was originally designed for devices like smart TVs and printers that cannot support standard logins.

Kali365 exploits this by generating a real Microsoft login code, embedding it in a fake document-sharing page, and waiting for the victim to enter it on the actual Microsoft site.

Once that happens, the attacker quietly receives a working login token without ever needing the victim’s password or MFA code.

Analysts at Arctic Wolf tracked this operation and mapped out its full reach. Arctic Wolf said in a report shared with Cyber Security News (CSN), “Arctic Wolf has observed a significant expansion of the phishing-as-a-service operation Kali365, which abuses Microsoft’s OAuth device authorization flow to bypass MFA.” 

Their research uncovered a live command-and-control panel, a 126-host phishing cluster, and a new attack campaign targeting Russian users through MAX Messenger.

The FBI had already issued a public warning about Kali365 in May 2026, calling it a low-barrier tool that gives less-technical attackers access to AI-generated phishing lures and real-time victim tracking dashboards.

The platform is sold on Telegram for roughly $250 per month, paid in Bitcoin, making it accessible to a wide range of threat actors. That accessibility is exactly what makes this operation so dangerous for security teams around the world.

Kali365 PhaaS Operation Expands Beyond Microsoft 365

The same operator behind the original Microsoft 365 campaign has now branched into a multi-brand phishing operation.

Researchers found 126 malicious hosts, all running the same kit, impersonating services like Okta SSO, Xerox DocuShare, LiveDrive, AWS naming patterns, GMX, and Russian platforms including Mail.ru, Yandex Disk, and Odnoklassniki.

This is not a collection of separate threats but one infrastructure rotating across many brand disguises. The most striking new addition is a campaign targeting MAX Messenger, Russia’s state-backed app with over 110 million registered users.

The attacker set up a fake “prize claim” page on greatness-marketing[.]top, designed to look like a prize verification site.

Victims are prompted to enter their Russian phone number, then a real one-time password from MAX Messenger, and finally a two-factor code. All of it reaches the attacker in real time through a Telegram bot named @NovosibyrskyMoneyBot.

Once a MAX account is taken over, the attacker gains access to messages, media files, and the victim’s full contact list. That contact list then becomes the next wave of targets, as the compromised account spreads the same prize lure to everyone in it.

This propagation model mirrors long-running scam tactics on Telegram, but applied here at the scale of one of the largest messaging platforms in the Russian-speaking world.

Defenders Must Act Fast

Arctic Wolf’s researchers recommend treating panel[.]securehubcloud[.]com as a confirmed command-and-control address.

Any outbound connection from a company network to that host is a strong sign that a device has loaded an active Kali365 phishing page. Security teams should block that endpoint at the network level and set up immediate alerts.

Blocking the entire attachedfile[.]com domain family is also advised, as all 39 observed subdomains were found serving the same phishing kit.

For Microsoft 365 environments, disabling the device code authentication flow through a Conditional Access policy is one of the most effective steps available.

Organizations should also monitor for suspicious post-authentication behavior like mass contact exports or inbox access from unfamiliar locations. Security awareness training remains essential so users can recognize unexpected login prompts before it is too late.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Kali365 PhaaS Operation Expands Beyond Microsoft 365 to Target Okta and MAX Messenger appeared first on Cyber Security News.

While it spent most of last year flying under the radar, early 2026 brought a noticeable spike in activity tied to former affiliates of the now-defunct BlackBasta operation.

The group targets organizations through well-worn but effective tactics, stealing large volumes of sensitive data before selectively encrypting files on compromised systems.

BlackBasta, which had operated as a successor to the notorious Conti ransomware group since February 2022, collapsed in February 2025 after its internal chat logs were leaked online.

That exposure forced the group to disband, but it did not stop the individuals behind the attacks. Many of its former affiliates simply carried on under different banners, deploying other ransomware families like Cactus and, more recently, aligning with Payouts King.

Zscaler identified these attacks and published a report shared with Cyber Security News (CSN) confirming they could attribute some of this renewed activity to the Payouts King ransomware group with high confidence.

The researchers noted that attack patterns closely matched those seen in previous BlackBasta campaigns, including the same social engineering playbook.

The initial infection typically begins with spam bombing, where the attacker floods a target’s inbox with large volumes of junk email.

They then impersonate an IT support employee, reaching out via Microsoft Teams and convincing the victim to initiate a Quick Assist session.

Once access is granted, the attacker drops malware on the system, quietly establishing a foothold inside the organization’s network.

From there, Payouts King moves quickly. It attempts to gain full system-level privileges, deletes Windows shadow copies to block recovery, clears event logs to slow forensic investigations, and empties the recycle bin before starting encryption.

The group also operates a dark web data leak site, adding pressure on victims to pay by threatening to publish stolen information.

Payouts King Ransomware Evades EDR

One of the most notable aspects of this ransomware is how aggressively it works to avoid detection. It builds and decrypts strings on the fly rather than storing them as readable text, making static analysis much harder.

It also resolves Windows functions using hash values instead of plain names, and applies a custom checksum algorithm with a unique seed per value, defeating tools that rely on pre-built hash tables to identify malware.

When a file cannot be opened for encryption since a security tool has locked it, the ransomware scans all running processes and checks them against a list of 131 known antivirus and endpoint detection software processes.

Rather than using standard Windows API calls to terminate these tools, it uses direct system calls that bypass the hooks most endpoint detection products depend on to catch suspicious activity.

Encryption Design and Defense Evasion

Payouts King uses 4,096-bit RSA combined with 256-bit AES in counter mode for encryption, with a statically linked OpenSSL library embedded in the malware.

Files under 10MB are fully encrypted, while larger files are split into 13 blocks with only half of each encrypted, a method designed to speed up attacks without reducing their impact.

The ransomware avoids calling standard Windows file rename functions after encryption, instead using a lower-level call that most security tools do not monitor.

Encrypted files receive the extension .ZWIAAW, and the ransom note named readme_locker.txt is only dropped when a specific command-line flag is provided at runtime, making automated sandbox analysis considerably harder.

To defend against threats like this, organizations should prioritize user awareness training focused on spotting fake tech support requests over platforms like Microsoft Teams.

Enforcing multi-factor authentication across all accounts and closely monitoring for unusual use of remote access tools like Quick Assist are also critical.

Security teams should also invest in proactive threat hunting rather than relying entirely on automated detection to catch advanced threats like Payouts King.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls appeared first on Cyber Security News.

The flaw, tracked as CVE-2026-3300 with a CVSS score of 9.8, affects all versions up to 1.9.12 and has already been observed in widespread exploitation campaigns.

The vulnerability was publicly disclosed on March 30, 2026, after the vendor released a patch on March 18, 2026. Despite the availability of a fix, threat actors began actively targeting unpatched installations on April 13, 2026.

According to Wordfence threat intelligence data, more than 29,300 exploitation attempts have been blocked, with a significant spike of over 17,900 attacks recorded on May 16 alone.

WordPress Plugin Exploitation

The root cause of the issue lies in the plugin’s “Complex Calculation” feature, specifically within the process_filter() function.

This function dynamically constructs PHP code by concatenating user-supplied form inputs, then evaluates it with the dangerous eval() function.

Although input is processed with sanitize_text_field(), the function fails to escape critical characters, such as single quotes, which allows attackers to bypass string context and inject malicious PHP code.

This design flaw allows unauthenticated attackers to craft malicious payloads through standard form fields such as text, email, URL, select, and radio inputs.

By injecting a single quote followed by arbitrary PHP code and a comment sequence, attackers can manipulate the generated code and achieve execution on the server.

Observed attack patterns indicate that threat actors primarily exploit this vulnerability to create rogue administrator accounts.

In one common exploitation attempt, attackers inject PHP code that calls WordPress’s wp_insert_user() function to create a new admin user with the username “diksimarina.”

Once administrative access is established, attackers can upload webshells, modify site content, deploy backdoors, or pivot further into the hosting environment.

Security telemetry identified multiple IPs actively exploiting Everest Forms Pro, generating thousands of malicious requests and serving as strong IOCs for blocking and monitoring.

High-Activity Malicious IP Addresses:

202.56.2[.]126: Tens of thousands of blocked requests.

209.146.60[.]26: Several thousand exploit attempts.

15.235.166[.]18: Hundreds of malicious requests.

2402:1f00:8000[:]800::40db: Active IPv6 exploit activity.

185.78.165[.]153: Confirmed hostile scanning activity.

The attacks typically target the /wp-admin/admin-ajax.php endpoint, submitting specially crafted POST requests designed to exploit the vulnerable calculation logic.

The vulnerability poses a significant risk because it does not require authentication and can be triggered remotely through publicly accessible forms.

Any website using Everest Forms Pro with the Complex Calculation feature enabled is particularly exposed.

Wordfence customers received early protection through firewall rules as early as February 27, 2026, while free users were protected starting March 29, 2026.

However, relying solely on virtual patching is insufficient, as updating to the latest patched version, 1.9.13, remains critical to mitigate the risk fully.

Website administrators are strongly advised to update the plugin immediately, audit user accounts for unauthorized administrator creation, and review server logs for suspicious requests.

Indicators of compromise include unknown admin users, especially those matching observed attacker patterns, and requests originating from known malicious IP addresses.

Given the active exploitation and low barrier to attack, this vulnerability represents a high-impact threat to WordPress environments, reinforcing the need for timely patching and continuous monitoring.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code appeared first on Cyber Security News.