Hybrid P2P Botnet, 13-12 months-Outdated Apache RCE and 18 Extra Tales

A brand new variant of the botnet referred to as Phorpiex (aka Trik) has been noticed, utilizing a hybrid communication mannequin that mixes conventional C2 HTTP polling with a peer-to-peer (P2P) protocol over each TCP and UDP to make sure operational continuity within the face of server takedowns. The malware acts as a conduit for encrypted payloads, making it difficult for exterior events to inject or modify instructions. The first aim of Phorpiex’s Twizt variant is to drop a clipper that re-routes cryptocurrency transactions, in addition to distribute high-volume sextortion e mail spam and facilitate ransomware deployment (e.g., LockBit Black, International). It additionally reveals worm-like conduct by propagating by way of detachable and distant drives, and drop modules liable for exfiltrating mnemonic phrases and scanning for Native File Inclusion (LFI) vulnerabilities. “Phorpiex has consistently demonstrated its capability to evolve, shifting from a pure spam operation to a sophisticated platform,” Bitsight stated. “The Phorpiex botnet remains a highly adaptive and resilient threat.” There are about 125,000 infections day by day on common, with essentially the most affected international locations being Iran, Uzbekistan, China, Kazakhstan, and Pakistan.

A distant code execution (RCE) vulnerability that lurked in Apache ActiveMQ Basic for 13 years might be chained with an older flaw (CVE-2024-32114) to bypass authentication. Tracked as CVE-2026-34197 (CVSS rating: 8.8), the newly recognized bug permits attackers to invoke administration operations by way of the Jolokia API and trick the message dealer into retrieving a distant configuration file and executing working system instructions. Based on Horizon3.ai, the safety defect is a bypass for CVE-2022-41678, a bug that permits authenticated attackers to set off arbitrary code execution and write internet shells to disk. “The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments,” Horizon3.ai researcher Naveen Sunkavally stated. “On some versions (6.0.0 – 6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.” The newly found safety defect was addressed in ActiveMQ Basic variations 5.19.4 and 6.2.3.

Cyber-enabled fraud value victims over $17.7 billion throughout 2025, as monetary losses to internet-enabled fraud proceed to develop. The whole loss exceeds $20.87 billion, up 26% from 2024. “Cyber-enabled fraud is responsible for almost 85% of all losses reported to IC3 [Internet Crime Complaint Center] in 2025,” the U.S. Federal Bureau of Investigation (FBI) stated. “Cryptocurrency investment fraud was the highest source of financial losses to Americans in 2025, with $7.2 billion reported in losses.” In all funding scams led the pack with $8.6 billion in reported losses, adopted by enterprise e mail compromise ($3 billion) and tech help scams ($2.1 billion). Sixty-three new ransomware variants have been recognized final yr, resulting in greater than $32 million in losses. Akira, Qilin, INC./Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, Safepay, and Medusa emerged as the highest ten variants to hit important manufacturing, healthcare, public well being, and authorities entities.

Based on information from NETSCOUT, greater than 8 million DDoS assaults have been recorded throughout 203 international locations and territories between July and December 2025. “The attack count remained stable compared to the first half of the year, but the nature and sophistication of attacks changed dramatically,” the corporate stated. “The TurboMirai class of IoT botnets, including AISURU and Eleven11 (RapperBot), emerged as a major force. DDoS-for-hire platforms are now integrating dark-web LLMs and conversational AI, lowering the technical barrier for launching complex, multi-vector attacks. Even unskilled threat actors can now orchestrate sophisticated campaigns using natural-language prompts, increasing risk for all industries.”

A former Meta worker within the U.Ok. is beneath investigation over allegations that he illegally downloaded about 30,000 non-public images from Fb. Based on The Guardian, the accused developed a software program program to evade Fb’s inner safety techniques and entry customers’ non-public pictures. Meta uncovered the breach greater than a yr in the past, terminated the worker, and referred the case to regulation enforcement. The corporate stated it additionally notified affected customers, though it is not clear what number of have been impacted.

Google stated it is monitoring a financially motivated menace cluster referred to as UNC6783 that is tied to the “Raccoon” persona and is focusing on dozens of high-profile organizations throughout a number of sectors by compromising enterprise course of outsourcing (BPO) suppliers and assist desk workers for later information extortion. “The campaign relies on live chat social engineering to direct employees to spoofed Okta logins using [org].zendesk-support[##].com domains,” Austin Larsen, Google Risk Intelligence Group (GITG) principal menace analyst, stated. “Their phishing kit steals clipboard contents to bypass MFA and enroll their own devices for persistent access. We also observed them using fake security updates (ClickFix) to drop remote access malware.” Organizations are suggested to prioritize FIDO2 {hardware} keys for high-risk roles, monitor dwell chat for suspicious hyperlinks, and recurrently audit newly enrolled MFA gadgets.

A big-scale Magecart marketing campaign is utilizing invisible 1×1 pixel SVG components to inject a faux checkout overlay on 99 Magento e-commerce shops, exfiltrating cost information to 6 attacker-controlled domains. “In the early hours of April 7th, nearly 100 Magento stores got mass-infected with a ‘double-tap’ skimmer: a credit card stealer hidden inside an invisible SVG element,” Sansec stated. “The likely entry vector is the PolyShell vulnerability that continues to affect unprotected Magento stores.” Like different assaults of this type, the skimmer exhibits victims a convincing “Secure Checkout” overlay, full with card validation and billing fields. As soon as the cost particulars are captured, it silently redirects the patron to the true checkout web page. Adobe has but to launch a safety replace to handle the PolyShell flaw in manufacturing variations of Magento.

Cybercriminals are utilizing emojis throughout illicit communities to sign monetary exercise, entry and account compromise, tooling and repair choices, signify targets or areas, and talk momentum or significance. Utilizing emojis permits unhealthy actors to bypass safety controls. “Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text,” Flashpoint stated. “This is particularly valuable in: large Telegram channels with international membership, cross-border fraud operations, [and] decentralized marketplaces. This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.”

A ClickFix marketing campaign focusing on Home windows customers is leveraging malicious MSI installers to ship a Node.js-based data stealer. “This Windows payload is a highly adaptable remote access Trojan (RAT) that minimizes its forensic footprint by using dynamic capability loading,” Netskope stated. “The core stealing modules and communication protocols are never stored on the victim’s disk. Instead, they are delivered in-memory only after a successful C2 connection is established. To further obfuscate the attacker’s infrastructure, the malware routes gRPC streaming traffic over the Tor network, providing a persistent and masked bidirectional channel.”

Extra ClickFix, this time focusing on macOS. Based on Jamf, a ClickFix-style macOS assault is abusing the “applescript://” URL scheme to launch Script Editor and ship an Atomic Stealer infostealer payload, thereby bypassing Terminal completely. The assault leverages faux Apple-themed internet pages that embrace directions to “reclaim disk space on your Mac” by clicking on an “Execute” button that triggers the “applescript://” URL scheme. The brand new method is probably going a response to a brand new safety characteristic launched by Apple in macOS 26.4 that scans instructions pasted into Terminal earlier than they’re executed. “It’s a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another,” safety researcher Thijs Xhaflaire stated.

A malicious PyPI bundle named hermes-px has been marketed as a “Secure AI Inference Proxy” however accommodates performance to steal customers’ prompts. “The package actually hijacks a Tunisian university’s private AI endpoint, bundles a stolen and rebranded Anthropic Claude Code system prompt, launders all responses to hide the true upstream source, and exfiltrates every user message directly to the attacker’s Supabase database, bypassing the very Tor anonymity it promises,” JFrog stated.

Knowledge from Censys has revealed that there are 5,219 internet-exposed hosts that self-identify as Rockwell Automation/Allen-Bradley gadgets. “The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share on cellular carrier ASNs indicative of field-deployed devices on cellular modems,” it stated. “Spain (110), Taiwan (78), and Italy (73) represent the largest non-Anglosphere concentrations. Iceland’s presence (36 hosts) is disproportionate to its population and warrants attention, given its geothermal energy infrastructure.” The disclosure follows a joint advisory from U.S. companies that warned of ongoing exploitation of internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) by Iranian-affiliated nation-state actors since March 2026 to breach U.S. important infrastructure sectors, inflicting operational disruption and monetary loss in some circumstances. The companies stated the assaults are paying homage to related assaults on PLCs by Cyber Av3ngers in late 2023.

In late March 2026, Anthropic inadvertently uncovered inner Claude Code supply materials through a misconfigured npm bundle, which included roughly 512,000 strains of inner TypeScript. Whereas the publicity lasted solely about three hours, it triggered fast mirroring of the supply code throughout GitHub, prompting Anthropic to subject takedown notices (and later a partial retraction). Evidently, menace actors wasted no time and took benefit of the topical nature of the leak to distribute Vidar Stealer, PureLogs Stealer, and GhostSocks proxy malware by way of faux leaked Claude Code GitHub repositories. “The campaign abuses GitHub Releases as a trusted malware delivery channel, using large trojanized archives and disposable accounts to repeatedly evade takedowns,” Development Micro stated. “The combined functionality of the malware payloads enables credential theft, cryptocurrency wallet exfiltration, session hijacking, and residential proxy abuse across Windows, giving the operators multiple monetization paths from a single infection.”

A brand new 64-bit model of Lumma Stealer referred to as Remus (traditionally referred to as Tenzor) has emerged within the wild following Lumma’s takedown and the doxxing of its alleged core members. “The first Remus campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks,” Gen researchers stated. Moreover utilizing equivalent code, direct syscalls/sysenters, and the identical string obfuscation approach, one other element linking the 2 is the usage of an application-bound encryption technique, solely noticed in Lumma Stealer to this point.

In a setback for Anthropic, a Washington, D.C., federal appeals court docket declined to dam the U.S. Division of Protection’s nationwide safety designation of the AI firm as a provide chain threat. The event comes after one other appeals court docket in San Francisco got here to the other conclusion in a separate authorized problem by Anthropic, granting it a preliminary injunction that bars the Trump administration from imposing a ban on the usage of AI chatbot Claude.The corporate has stated the designation may value the corporate billions of ⁠{dollars} in misplaced enterprise and reputational hurt. As Reuters notes, the lawsuit is one among two that Anthropic filed over the Trump administration’s unprecedented transfer to categorise it as a provide chain threat after it refused to permit the army to make use of Claude for home mass surveillance or autonomous weapons.

In a brand new marketing campaign noticed by Kaspersky, unwitting customers trying to find proxy shoppers like Proxifier on search engines like google and yahoo like Google and Yandex are being directed to malicious GitHub repositories that host an executable, which acts as a wrapper across the professional Proxifier installer.As soon as launched, it configures Microsoft Defender Antivirus exclusions, launches the true Proxifier installer, units up persistence, and runs a PowerShell script that reaches out to Pastebin to retrieve a next-stage payload. The downloaded PowerShell script is liable for retrieving one other script containing the Clipper malware from GitHub. The malware substitutes cryptocurrency pockets addresses copied to the clipboard with an attacker-controlled pockets with the intention of rerouting monetary transactions. Because the begin of 2025, greater than 2,000 Kaspersky customers – most of them in India and Vietnam – have encountered the menace.

Risk actors are leveraging notification pipelines in well-liked collaboration platforms to ship spam and phishing emails. As a result of these emails are dispatched from the platform’s personal infrastructure (e.g., Jira’s Invite Clients characteristic), they’re unlikely to be blocked by e mail safety instruments. “These emails are transmitted using the legitimate mail delivery infrastructure associated with GitHub and Jira, minimizing the likelihood that they will be blocked in transit to potential victims,” Cisco Talos stated. “By taking advantage of the built-in notification functionality available within these platforms, adversaries can more effectively circumvent email security and monitoring solutions and facilitate more effective delivery to potential victims.” The event coincides with a phishing marketing campaign focusing on a number of organizations with invitation lures despatched from compromised e mail accounts that result in the deployment of professional distant monitoring and administration (RMM) instruments like LogMeIn Resolve. The marketing campaign, tracked as STAC6405, has been ongoing since April 2025. In a single case, the menace actor has been discovered to leverage a pre-existing set up of ScreenConnect to obtain a HeartCrypt-protected ZIP file that in the end results in the set up of malware that is per ValleyRAT. Different campaigns have leveraged procurement-themed emails to direct customers to cloud-hosted PDFs containing embedded hyperlinks that, when clicked, take victims to Dropbox credential harvesting pages. Risk actors have additionally distributed executable recordsdata disguised as copyright violation notices to trick them into putting in PureLogs Stealer as a part of a multi-stage marketing campaign. What’s extra, Reddit posts promoting the premium model of TradingView have acted as a conduit for Vidar and Atomic Stealer to steal worthwhile information from each Home windows and macOS techniques. “The threat actor actively comments on their own posts with different accounts, creating the illusion of a busy and helpful community,” Hexastrike stated. “More concerning, any comments from real users pointing out that the downloads are malware get deleted within minutes. The operation is hands-on and closely monitored.”

A high-severity safety flaw has been disclosed within the Linux kernel’s ksmbd SMB3 server. Tracked as CVE-2026-23226 (CVSS rating: 8.8), it falls beneath the identical bug class as CVE-2025-40039, which was patched in October 2025. “When two connections share a session over SMB3 multichannel, the kernel can read a freed channel struct – exposing the per-channel AES-128-CMAC signing key and causing a kernel panic,” Orca stated. “An attacker needs valid SMB credentials and network access to port 445.” Alternatively, the vulnerability will be exploited by an attacker to leak the per-channel AES-128-CMAC key used to signal all SMB3 site visitors, enabling them to forge signatures, impersonate the server, or bypass signature verification. It has been fastened within the commit “e4a8a96a93d.”

New analysis has demonstrated it is doable to trick Anthropic’s vibe coding instrument Claude Code into performing a full-scope penetration assault and credential theft by modifying a undertaking’s “CLAUDE.md” file to bypass the coding agent’s security guardrails. The directions explicitly inform Claude Code to assist the developer full a penetration testing evaluation towards their very own web site and help them of their duties. “Claude Code should scan CLAUDE.md before every session, flagging instructions that would otherwise trigger a refusal if attempted directly within a prompt,” LayerX stated. “When Claude detects instructions that appear to violate its safety guardrails, it should present a warning and allow the developer to review the file before taking any actions.”

Grafana has patched a safety vulnerability that would have enabled attackers to trick its synthetic intelligence (AI) capabilities into leaking delicate information by way of an oblique immediate injection and with out requiring any person interplay. The assault has been codenamed GrafanaGhost by Noma Safety. “By bypassing the client-side protections and security guardrails that restrict external data requests, GrafanaGhost allows an attacker to bridge the gap between your private data environment and an external server,” the cybersecurity firm stated. “Because the exploit ignores model restrictions and operates autonomously, sensitive enterprise data can be leaked silently in the background.” GrafanaGhost is stealthy, because it requires no login credentials and doesn’t depend upon a person clicking a malicious hyperlink. The assault is one other instance of how AI-assisted options built-in into enterprise environments will be abused to entry and extract important information property whereas remaining completely invisible to defenders.

LSPosed is a strong framework for rooted Android gadgets that permits customers to switch the conduct of the system and apps in real-time with out truly making any modifications to APK recordsdata. Based on CloudSEK, menace actors at the moment are weaponizing the instrument to remotely inject fraudulent SMS messages and spoof person identities in trendy cost ecosystems through a malicious module referred to as “Digital Lutera.” The assault successfully undermines SIM-binding restrictions utilized to banking and immediate cost apps in India. Nonetheless, for this method to work, the menace actor requires a sufferer to put in a Trojan that may intercept SMS messages despatched to/from the system. Whereas the assault beforehand mixed a trojanized cell system (the sufferer) and a modified cell cost APK (on the attacker’s system) to trick financial institution servers into believing the sufferer’s SIM card is bodily current within the attacker’s telephone, the newest iteration leans on LSPosed to attain the identical objectives. A key requisite to this assault is that the attacker should have a rooted Android system with the LSPosed module and the professional, unmodified cost app put in. “This new attack vector allows threat actors to hijack legitimate, unmodified payment applications by ‘gaslighting’ the underlying Android operating system,” CloudSEK stated. “By using LSPosed, the threat actor ensures the payment app’s signature remains valid, making it invisible to many standard integrity checks.”