Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
WordPress Plugin
data access Hackers malware WordPress Plugin

Harmful WordPress Plugin Posing as Security Tool Grants Hackers Full Access

 



A newly discovered cyberattack is targeting WordPress websites by using a plugin that pretends to improve security but actually opens a backdoor for criminals. This fake plugin secretly gives attackers full control of affected sites.


How the Infection Begins

Security researchers at Wordfence found this malware while cleaning an infected website earlier this year. They noticed that a key WordPress system file named ‘wp-cron.php’ had been tampered with. This edited file was creating and activating a hidden plugin on its own, without the website owner’s permission.

This plugin has appeared under various names such as:

• wp-antymalwary-bot.php

• addons.php

• wpconsole.php

• wp-performance-booster.php

• scr.php

Even if the plugin is deleted manually, the altered ‘wp-cron.php’ file automatically brings it back the next time someone visits the website. This allows the malicious code to keep coming back.


How Hackers Might Be Gaining Entry

It’s still not clear how the hackers are getting into these websites in the first place. Experts believe they may be using stolen login credentials for hosting accounts or file transfer services like FTP. Unfortunately, no server logs were available to confirm exactly how the breach happens.


What the Plugin Allows Attackers to Do

Once active, the plugin checks if it's running correctly and then silently gives the attacker admin-level control. By using a special hidden function, attackers can log in as an administrator without using the usual login page. All they need is a specific web address and a password to take over the site.

The plugin also opens a secret door (called an API route) that doesn’t require login access. This lets attackers do things like:

• Add harmful code into theme files

• Clear plugin cache data

• Carry out other hidden tasks via special web requests

In updated versions of the malware, the plugin can also add harmful JavaScript to the website’s code. This can be used to show spam, redirect users to risky websites, or collect data from site visitors.


What Site Owners Should Watch For

Website managers should check the ‘wp-cron.php’ file and their theme’s ‘header.php’ file for any unfamiliar edits. Also, log entries with keywords like “emergency_login” or “urlchange” should be seen as warning signs of a possible attack.

Regular monitoring and cleanup can help prevent these kinds of silent takeovers.

Read more »
Webshell
Authentication Breach CVE202531324 Cybersecurity malware NetWeaver Patch SAP servers VisualComposer Vulnerability Webshell

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild

 

Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises due to a lack of authentication in the Metadata Uploader, allowing attackers to upload malicious files without needing authorization.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, stated to BleepingComputer:

"It is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.
Read more »
Spyware threats
Apple data breach cybersecurity news malware Spyware threats

Apple Sends Spyware Threat Alerts to Users in 100 Countries

 

Apple has issued threat notifications to users across 100 countries, warning them that their devices may have been targeted by sophisticated commercial spyware. The alerts, sent earlier this week, were confirmed by at least two recipients, including Italian journalist Cyrus Pellegrino and Dutch political commentator Eva Vlaardingerbroek.  

Pellegrino, a reporter with Fanpage, disclosed receiving the warning in a column published on Wednesday. He suggested that the attempted breach could be related to a wider wave of attacks involving Paragon spyware detected by WhatsApp earlier this year. 

His colleague, Fanpage editor Francesco Cancellato, had also previously been targeted with the same spyware after publishing investigations critical of Italy’s ruling far-right party, Brothers of Italy, led by Prime Minister Giorgia Meloni. 

Although the exact spyware used in these latest incidents remains unconfirmed, Pellegrino noted similarities with the Paragon-linked attacks. The WhatsApp security team had identified around 90 such cases in January, many involving individuals known for criticising Meloni’s government. Meloni has denied any association with the surveillance activity. 

In a post on X (formerly Twitter), Vlaardingerbroek confirmed receiving Apple’s notification but said she had no information about who might be behind the intrusion attempt. “Someone is trying to intimidate me,” she wrote, adding, “It won’t work.” Apple’s notification to victims warned that the attackers were likely targeting them because of “who you are or what you do.” 

The company said it had “high confidence” in its findings, though it did not attribute the attacks to any specific actor or region. Apple has issued similar warnings periodically since 2021 as part of its broader threat detection program. According to a recent blog post by the company, users in over 150 countries have been notified of such threats to date. The blog post described these spyware attacks as some of the most advanced digital threats currently in existence due to their global reach, high cost, and technical complexity. Apple did not respond to media queries regarding the latest round of notifications. 

In his article, Pellegrino described the chilling moment he received the alert. Concerned about being monitored, he immediately signalled his wife to stay silent and placed his phone in a microwave—a commonly cited makeshift method for blocking signals—before discussing the alert. He warned about the intrusive nature of such surveillance software, which can operate without any interaction from the target.  
“From the moment the phone is infected, the spyware operator has full access to the device, can read, see, and download everything,” he wrote. “Phones are the black boxes of our existence.” 

The revelations come amid growing concerns over the use of commercial spyware by state and non-state actors, with journalists, activists, and political opponents often among the primary targets.
Read more »
Ransomware
Akira Attack Breach Cloud Cybersecurity Data Encryption Extortion FBI Hitachi malware Ransomware

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack

 

Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan (in Oceania and Australia).

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.

Keywords: ransomware, cybersecurity, Hitachi, Akira, cloud, breach, data, FBI, malware, attack, encryption, extortion, hacking, disruption, recovery, infrastructure, digital, protection
Read more »
Telegram
Android Spyware Malicious Campaign malware Russian Military Telegram

Android Spyware Concealed in Mapping App Targets Russian Military

 

Doctor Web researchers discovered a new spyware, tracked as Android. Spy.1292.origin, targets Russian military people. The malicious code was concealed in a trojanized Alpine Quest app and distributed via Russian Android catalogues. The malware acquires contacts, geolocation, and file data, and it can also download additional modules to exfiltrate stored data when directed. 

“Alpine Quest is topographic software that allows different maps to be used both in online and offline mode. It is popular among athletes, travelers, and hunters but also widely used by Russian military personnel in the Special Military Operation zone—and this is what the malware campaign organizers decided to exploit.” reads the report published by researchers at Doctor Web. Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality.” 

To propagate the trojanized Alpine Quest software, threat actors developed a fraudulent Telegram channel. They shared an app download link from a Russian app store, and then they used the same route to push a malicious update. To evade detection, Android.Spy.1292.origin is embedded within a real copy of the Alpine Quest app, causing it to seem and behave just like the original. 

When the app is activated, the trojan discreetly collects and sends information to a command-and-control server, including the user's phone number, accounts, contact list, current date, geolocation, stored file details, and app version. Simultaneously, it transmits some of this information, such as updated geolocation, with the attackers' Telegram bot whenever the device's position changes. 

Once the trojan has gathered file information, attackers can command it to download and execute other modules to steal specific data. The attackers behind the malicious app appear to be interested in confidential information transmitted via Telegram and WhatsApp, as well as the locLog file generated by Alpine Quest. This allows Android.Spy.1292.origin to track user whereabouts and extract sensitive data. Its modular design enables it to broaden its capabilities and engage in a wider range of malicious actions. 

“As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked. In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks.” the researchers added. 

The researchers recommend installing Android apps only from trustworthy sources, such as official app stores, and avoiding Telegram groups and dodgy websites, particularly those providing free versions of commercial apps. Users should also verify app distributors, as cybercriminals frequently copy legitimate developers using identical names and logos.
Read more »
trending news
DragonForce Ransomware Group malware News Ransomware trending news

DragonForce Unveils Cartel-Style Ransomware Model to Attract Affiliates

The ransomware landscape is seeing a shift as DragonForce, a known threat actor, introduces a new business model designed to bring various ransomware groups under a single, cartel-like umbrella. This initiative is aimed at simplifying operations for affiliates while expanding DragonForce’s reach in the cybercrime ecosystem. 

Traditionally, ransomware-as-a-service (RaaS) operations involve developers supplying the malicious tools and infrastructure, while affiliates carry out attacks and manage ransom negotiations. In exchange, developers typically receive up to 30% of the ransom collected. DragonForce’s updated model deviates from this approach by functioning more like a platform-as-a-service, offering its tools and infrastructure for a smaller cut—just 20%. 

Under this new setup, affiliates are allowed to create and operate under their own ransomware brand, all while utilizing DragonForce’s backend systems. These include data storage for exfiltrated files, tools for ransom negotiations, and malware deployment systems. This white-label model allows groups to appear as independent operations while relying on DragonForce’s infrastructure. 

A spokesperson for DragonForce told BleepingComputer that the group operates with clear rules and standards, which all affiliates are expected to follow. Any violations, they say, result in immediate removal from the network. Though these rules aren’t publicly disclosed, the group claims to maintain control since all services run on its servers. 

Interestingly, DragonForce claims it avoids certain targets in the healthcare sector, specifically facilities treating cancer and heart conditions. The group insists its motives are purely financial and not intended to harm vulnerable individuals. Cybersecurity analysts at Secureworks have noted that this new structure could appeal to both inexperienced and seasoned attackers. 

The simplified access to powerful ransomware tools, without the burden of managing infrastructure, lowers the barrier to entry and could lead to a broader adoption among cybercriminals. DragonForce has indicated its platform is open to unlimited affiliate brands capable of targeting a range of systems, including ESXi, NAS, BSD, and Windows environments. 

While the number of affiliates joining the network remains undisclosed, the group claims to have received interest from several prominent ransomware outfits. One such group, RansomBay, is already reported to be participating in the model. As this cartel-style operation gains traction, it could signal a new phase in ransomware operations—where brand diversity masks a centralised, shared infrastructure designed for profit and scalability.
Read more »
storage
Avast Email Scams Gmail malware Spam storage

Don’t Delete Spam Emails Too Quickly — Here’s Why


 

Most of us delete spam emails as soon as they land in our inbox. They’re irritating, unwanted, and often contain suspicious content. But what many people don’t know is that keeping them, at least briefly can actually help improve your email security in the long run.


How Spam Helps Train Your Email Filter

Email services like Gmail, Outlook, and others have systems that learn to detect unwanted emails over time. But for these systems to improve, they need to be shown which emails are spam. That’s why it’s better to mark suspicious messages as spam instead of just deleting them.

If you’re using a desktop email app like Outlook or Thunderbird, flagging such emails as “junk” helps the program recognize future threats better. If you're reading emails through a browser, you can select the unwanted message and use the “Spam” or “Move to Junk” option to send it to the right folder.

Doing this regularly not only protects your own inbox but can also help your co-workers if you’re using a shared office mail system. The more spam messages you report, the faster the system learns to block similar ones.


No Need to Worry About Storage

Spam folders usually empty themselves after 30 days. So you don’t have to worry about them piling up unless you want to manually clear them every month.


Never Click 'Unsubscribe' on Random Emails

Some emails, especially promotional ones, come with an unsubscribe button. While this can work with genuine newsletters, using it on spam emails is risky. Clicking “unsubscribe” tells scammers that your email address is real and active. This can lead to more dangerous emails or even malware attacks.


How to Stay Safe from Email Scams

1. Be alert. If something feels off, don’t open it.

2. Avoid acting quickly. Scammers often try to pressure you.

3. Don’t click on unknown links. Instead, visit websites directly.

4. Never open files from unknown sources. They can hide harmful programs.

5. Use security tools. Good antivirus software can detect harmful links and block spam automatically.


Helpful Software You Can Use

Programs like Bitdefender offer full protection from online threats. They can block viruses, dangerous attachments, and suspicious websites. Bitdefender also includes a chatbot where you can send messages to check if they’re scams. Another option is Avast One, which keeps your devices safe from fake websites and spam, even on your phone. Both are easy to use and budget-friendly.

While it may seem odd, keeping spam emails for a short time and using them to train your inbox filter can actually make your online experience safer. Just remember — never click links or download files from unknown senders. Taking small steps can protect you from big problems.

Read more »
Twitter
Cyberattacks Cybersecurity CyberThreat DarkStorm DDoS Elon Musk malware Meta Twitter

Investigating the Role of DarkStorm Team in the Recent X Outage

 


It has been reported that Elon Musk’s social media platform, X, formerly known as Twitter, was severely disrupted on Monday after a widespread cyberattack that has caused multiple service disruptions. Data from outage monitoring service Downdetector indicates that at least three significant disruptions were experienced by the platform throughout the day, affecting millions of users around the world. During this time, over 41,000 people around the world, including Europe, North America, the Middle East, and Asia, reported outages. 
 
The most common technical difficulties encountered by users were prolonged connection failures and a lack of ability to fully load the platform. According to a preliminary assessment, it is possible that the disruptions were caused by a coordinated and large-scale cyber attack. While cybersecurity experts are still investigating the extent and origin of the incident, they have pointed to the growing trend of organised cyber-attacks targeting high-profile digital infrastructures, which is of concern. A number of concerns have been raised regarding the security framework of X following the incident, especially since the platform plays a prominent role in global communications and information dissemination. Authorities and independent cybersecurity analysts continue to analyze data logs and attack signatures to identify the perpetrators and to gain a deeper understanding of the attack methodology. An Israeli hacktivist collective known as the Dark Storm Team, a collective of pro-Palestinian hacktivists, has emerged as an important player in the cyberwarfare landscape. Since February 2010, the group has been orchestrating targeted cyberattacks against Israeli entities that are perceived as supportive of Israel. 
 
In addition to being motivated by a combination of political ideology and financial gain, this group is also well known for using aggressive tactics in the form of Distributed Denial-of-Service (DDoS) attacks, database intrusions, and other disruptive cyber attacks on government agencies, public infrastructure, and organizations perceived to be aligned with Israeli interests that have gained widespread attention. 
 
It has been reported that this group is more than just an ideological movement. It is also a cybercrime organization that advertises itself openly through encrypted messaging platforms like Telegram, offering its services to a variety of clients. It is rumored that it sells coordinated DDoS attacks, data breaches, and hacking tools to a wide range of clients as part of its offerings. It is apparent that their operations are sophisticated and resourceful, as they are targeting both vulnerable and well-protected targets. A recent activity on the part of the group suggests that it has escalated both in scale and ambition in the past few months. In February 2024, the Dark Storm Team warned that a cyberattack was imminent, and threatened NATO member states, Israel, as well as countries providing support for Israel. This warning was followed by documented incidents that disrupted critical government and digital infrastructure, which reinforced the capability of the group to address its threats. 
 
According to intelligence reports, Dark Storm has also built ties with pro-Russian cyber collectives, which broadens the scope of its operations and provides it with access to advanced hacking tools. In addition to enhancing their technical reach, this collaboration also signals an alignment of geopolitical interests. 

Among the most prominent incidents attributed to the group include the October 2024 DDoS attack against the John F Kennedy International Airport's online systems, which was a high-profile incident. As part of their wider agenda, the group justified the attack based on the airport's perceived support for Israeli policies, showing that they were willing to target essential infrastructure as part of their agenda. Dark Storm, according to analysts, combines ideological motivations with profit-driven cybercrime, making it an extremely potent threat in today's cyber environment, as well as being a unique threat to the world's cybersecurity environment. 
 
An investigation is currently underway to determine whether or not the group may have been involved in any of the recent service disruptions of platform X which occured. In order to achieve its objectives, the DarkStorm Team utilizes a range of sophisticated cyber tactics that combine ideological activism with financial motives in cybercrime. They use many of their main methods, including Distributed Denial-of-Service (DDoS) platforms, ransomware campaigns, and leaking sensitive information for a variety of reasons. In addition to disrupting the operations of their targeted targets, these activities are also designed to advance specific political narratives and generate illicit revenue in exchange for the disruption of their operations. In order to coordinate internally, recruit new members, and inform the group of operating updates, the group heavily relies on encrypted communication channels, particularly Telegram. Having these secure platforms allows them to operate with a degree of anonymity, which complicates the efforts of law enforcement and cybersecurity firms to track and dismantle their networks. 

Along with the direct cyberattacks that DarkStorm launches, the company is actively involved in the monetization of stolen data through the sale of compromised databases, personal information, and hacking tools on the darknet, where it is commonly sold. Even though DarkStorm claims to be an organization that consists of grassroots hackers, cybersecurity analysts are increasingly suspecting the group may have covert support from nation-state actors, particularly Russia, despite its public position as a grassroots hacktivist organization. Many factors are driving this suspicion, including the complexity and scale of their operations, the strategic choice of their targets, and the degree of technical sophistication evident in their attacks, among others. A number of patterns of activity suggest the groups are coordinated and well resourced, which suggests that they may be playing a role as proxy groups in broader geopolitical conflicts, which raises concerns about their possible use as proxies. 
 
It is evident from the rising threat posed by groups like DarkStorm that the cyber warfare landscape is evolving, and that ideological, financial, and geopolitical motivations are increasingly intertwined. Thus, it has become significantly more challenging for targeted organisations and governments to attribute attacks and defend themselves, as Elon Musk has become increasingly involved in geopolitical affairs, adding an even greater degree of complexity to the recent disruption of platform X cyberattack narrative. When Russian troops invaded Ukraine in February 2022, Musk has been criticized for publicly mocking Ukrainian President Volodymyr Zelensky, and for making remarks considered dismissive of Ukraine's plight. Musk was the first to do this in the current political environment. The President of the Department of Government Efficiency (DOGE), created under the Trump administration, is the head of the DOGE, an entity created under Trump’s administration that has been reducing U.S. federal employment in an unprecedented way since Trump returned to office. There is a marked change in the administration's foreign policy stance, signaling a shift away from longstanding US support for Ukraine, and means that the administration is increasingly conciliatory with Russia. Musk has a geopolitical entanglement that extends beyond his role at X as well. 
 
A significant portion of Ukraine's digital communication has been maintained during the recent wartime thanks to the Starlink satellite internet network, which he operates through his aerospace company SpaceX. It has been brought to the attention of the public that these intersecting spheres of influence – spanning national security, communication infrastructure, and social media – have received heightened scrutiny, particularly as X continues to be a central node in global politics. According to cybersecurity firms delving into the technical aspects of the Distributed Denial-of-Service (DDoS) attack, little evidence suggests that Ukrainian involvement may have been involved in the attack. 
 
It is believed that a senior analyst at a leading cybersecurity firm spoke on the condition of anonymity because he was not allowed to comment on X publicly because of restrictions on discussing X publicly. This analyst reported that no significant traffic was originating from Ukraine and that it was absent from the top 20 sources of malicious IPs linked to the attack. Despite the fact that Ukrainian IP addresses are rarely spotted in such data due to the widespread practice of IP spoofing and the widespread distribution of compromised devices throughout the world, the absence of Ukrainian IP addresses is significant since it allows attention to be directed to more likely sources, such as organized cybercrime groups and state-related organizations. 
 
There is no denying the fact that this incident reflects the fragile state of digital infrastructure in a politically polarized world where geopolitical tensions, corporate influence, and cyberwarfare are convergent, and as investigations continue, experts are concerned that actors such as DarkStorm Team's role and broader implications for global cybersecurity policy will continue to be a source of controversy.
Read more »
Subscribe to: Posts (Atom)