Attack via Magento extensions compromises hundreds of online stores https://tugatech.com.pt/t66101-ataque-via-extensoes-magento-compromete-centenas-de-lojas-online

#Windows #RDP lets you log in using revoked passwords. #Microsoft is OK with that.
Researchers say the behavior amounts to a persistent #backdoor.
In response, Microsoft said the behavior is “a design decision (...)”. As such, Microsoft said the behavior doesn’t meet the definition of a #security #vulnerability, and company engineers have no plans to change it.
Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan
Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key updates include a new command to support BOF execution in memory and the use of SharpHide for persistence. The second-stage backdoor, NOOPDOOR, now supports DNS over HTTPS for C&C communications. The attack chain involves compromised email accounts, malicious Excel files, and various evasion techniques. This campaign demonstrates Earth Kasha's continued evolution and poses significant geopolitical implications.
Pulse ID: 6813da43537c3d86e6ba3ca2
Pulse Link: https://otx.alienvault.com/pulse/6813da43537c3d86e6ba3ca2
Pulse Author: AlienVault
Created: 2025-05-01 20:32:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Malicious WordPress Plugin Disguised as a Security Tool Injects Backdoor and Grants Admin Access
A new malware campaign is targeting WordPress sites by masquerading as a security plugin - but in reality, it installs a stealthy backdoor that gives attackers full control of the site.
Discovered by Wordfence, this fake plugin:
- Provides persistent remote access
- Executes arbitrary PHP code
- Injects malicious JavaScript into visitors' browsers
- Hides itself from the plugin dashboard to avoid detection
The infection centers around a tampered wp-cron[dot]php file that automatically activates the plugin - even if it's deleted.
Names used by the malicious plugin include:
- WP-antymalwary-bot.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
Once triggered, the malware:
- Grants attacker admin access via a `GET` parameter with a cleartext password
- Allows PHP injection via a custom unauthenticated REST API
- Modifies `header.php` files and inserts base64-decoded JavaScript
Clues in your logs? Watch for:
- `emergency_login`
- `check_plugin`
- `urlchange`
- `key`
WordPress admins - this is your wake-up call.
If your site relies on third-party themes or unmanaged plugins, it’s time to audit everything.
Backdoors disguised as helpful tools are becoming the norm - and once inside, they’re hard to find.
At @Efani we see too many breaches happen because “trusted” tools weren’t trustworthy. Security starts with visibility.
Hackers exploit IPv6 feature to install malware through fake updates https://tugatech.com.pt/t66016-hackers-exploram-funcionalidade-ipv6-para-instalar-malware-atraves-de-atualizacoes-falsas
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
TheWizards, a China-aligned APT group, employs Spellbinder, a lateral movement tool for adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows them to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The group targets individuals, gambling companies, and entities in Southeast Asia, UAE, China, and Hong Kong. Their malware chain includes the WizardNet backdoor and utilizes DNS hijacking to deliver malicious updates. Evidence links TheWizards to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), suggesting it may be a digital quartermaster for this APT group. The attackers use sophisticated tools and techniques to evade detection and maintain persistence on compromised systems.
Pulse ID: 68124373bde0da2a4679b021
Pulse Link: https://otx.alienvault.com/pulse/68124373bde0da2a4679b021
Pulse Author: AlienVault
Created: 2025-04-30 15:36:19
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Telegram has just sent a bulk private message to complain about an attempt by #France to break its encryption.
As much as I am not in favour of government #backdoor s, personally what I read was "boo hoo France boo hoo" followed by a wall of text trying to make me believe that a super opaque company cares at all about my privacy XD
Chinese snoops use stealth RAT to #backdoor US orgs – still active last week
"Let the #espionage and access resale campaigns begin (again)"
https://www.theregister.com/2025/04/15/chinese_spies_backdoored_us_orgs/
WordPress alert: fake critical WooCommerce update hides dangerous backdoor https://tugatech.com.pt/t65863-alerta-wordpress-falsa-atualizacao-critica-para-woocommerce-esconde-backdoor-perigoso
Triada strikes back – Source: securelist.com https://ciso2ciso.com/triada-strikes-back-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #InstantMessengers #Cryptocurrencies #Financialthreats #GoogleAndroid #MobileMalware #Mobilethreats #securelistcom #backdoor #Facebook #Telegram #WhatsApp #Dropper #Malware #Trojan #Skype
Pressure on encryption is growing in Europe - Next https://next.ink/182140/la-pression-sur-le-chiffrement-saccroit-en-europe/ In France, in Sweden and Denmark, as well as at the level of the European Commission, attacks on the encryption of communications are multiplying.
At the national level as well as at the Commission's, pressure is increasing on end-to-end encryption of communications (end-to-end encryption, E2EE).
In early April, the Com… #surveillance #technopolice #messagerie #chiffrement #backdoor
Hackers use Zoom remote control to steal cryptocurrency https://tugatech.com.pt/t65700-hackers-usam-controlo-remoto-do-zoom-para-roubar-criptomoedas
#Telegram founder and CEO Pavel Durov has taken a page out of #Signal's book and says he'll pull the app out of France if officials demand an encryption #backdoor
https://t.me/durov/410 (on Telegram)
Hackers Target Telegram Bot Developers with Backdoor npm Packages
Pulse ID: 6807da0d39c34032b80b0483
Pulse Link: https://otx.alienvault.com/pulse/6807da0d39c34032b80b0483
Pulse Author: cryptocti
Created: 2025-04-22 18:03:57
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Telegram CEO accuses French authorities of forcing the creation of a backdoor https://tugatech.com.pt/t65691-ceo-do-telegram-acusa-autoridades-em-franca-de-forcarem-criacao-de-backdoor
Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices. #DataBreache #backdoor #Cybersecurity https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/
#Florida’s New Social Media Bill Says The Quiet Part Out Loud And Demands An Encryption #Backdoor - https://www.techdirt.com/2025/04/17/floridas-new-social-media-bill-says-the-quiet-part-out-loud-and-demands-an-encryption-backdoor/
ProtectEU threatens End-to-End-Encryption across VPNs, messaging apps, and secure email services.
This is part of a growing global trend where governments push for backdoors under the guise of national security. While aimed at combating crime, these proposals risk eroding digital privacy, weakening cybersecurity, and potentially driving privacy-focused services out of EU jurisdictions altogether.