CyberSecurity news

FlagThis - #websites

@training.invokere.com //
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.

The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics.

The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection.

Recommended read:
References :

info@thehackernews.com (The@The Hacker News //
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams across global networks, impacting thousands of websites globally.

VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.

The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat.

Recommended read:
References :
  • blogs.infoblox.com: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
  • The Hacker News: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
  • The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • unit42.paloaltonetworks.com: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code
  • Infoblox Blog: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
  • ciso2ciso.com: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month – Source:thehackernews.com
  • Techzine Global: DNS analysis reveals links between VexTrio and WordPress hackers
  • Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com
  • ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com

Lily Hay@feeds.arstechnica.com //
References: www.wired.com , arstechnica.com ,
Cybercriminals are increasingly leveraging residential proxy services to mask malicious web traffic, making it appear as routine online activity and evading detection. This tactic involves routing illicit activities through a network of real IP addresses assigned to homes and offices, making it difficult to distinguish between legitimate and harmful traffic. Researchers at the Sleuthcon conference in Arlington, Virginia, highlighted this growing trend, noting that the shift towards using proxies has become significant in recent years as law enforcement agencies have become more effective at targeting traditional "bulletproof" hosting services.

The core issue lies in the fact that proxy services are designed to obfuscate the source of web traffic, making it nearly impossible to identify malicious actors within a node. As Thibault Seret, a researcher at Team Cymru, explained, the strength of a proxy service lies in its anonymity, which while beneficial for internet freedom, presents a major challenge for analyzing and identifying harmful activities. This is particularly true of residential proxies, which use real IP addresses of everyday internet users, blurring the lines between legitimate and criminal behavior.

The use of residential proxies by cybercriminals represents a significant shift in tactics, prompting security professionals to reassess their detection strategies. These proxies operate on consumer devices like old Android phones or low-end laptops, making it even more difficult to trace the origin of malicious activities. As criminals and companies seek to maintain anonymity and privacy, they are increasingly relying on these services, complicating the efforts to combat cybercrime effectively.

Recommended read:
References :
  • www.wired.com: Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight: In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy†services that cover their tracks by making it look like everyday online activity | WIRED
  • arstechnica.com: Cybercriminals turn to “residential proxy†services to hide malicious traffic
  • arstechnica.com: Cybercriminals turn to “residential proxy†services to hide malicious traffic

info@thehackernews.com (The@The Hacker News //
A new cyber threat has emerged, with the threat actor known as Mimo exploiting a recently disclosed remote code execution vulnerability, CVE-2025-32432, in the Craft Content Management System (CMS). The attackers are leveraging this vulnerability to deploy a suite of malicious payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware on compromised websites. This allows them to not only abuse system resources for illicit cryptocurrency mining, but also monetize the victim's internet bandwidth for other malicious activities.

The exploitation of CVE-2025-32432 unfolds in two phases. The attacker activates a web shell by injecting PHP code via a specially crafted GET request. This action triggers a redirection, prompting the application to record the return URL within a server-side PHP session file. Once the web shell is enabled, commands can be executed remotely. The web shell is used to download and execute a shell script, which checks for indicators of prior infection and uninstalls any existing cryptocurrency miners before delivering next-stage payloads and launching the Mimo Loader.

The Mimo Loader modifies "/etc/ld.so.preload" to hide the malware process. Its ultimate goal is to deploy the IPRoyal proxyware and the XMRig miner on the compromised host. Sekoia researchers Jeremy Scion and Pierre Le Bourhis noted the unusual naming choice of the Python library "urllib2" being aliased as "fbi," suggesting it may be a tongue-in-cheek nod to the American federal agency, serving as a distinctive coding choice and a potential indicator for detection. The activity has been linked to the Mimo intrusion set, which has been active since at least March 2022 and has previously exploited vulnerabilities in Apache Log4j, Atlassian Confluence, PaperCut, and Apache ActiveMQ.

Recommended read:
References :
  • blog.sekoia.io: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites
  • The Hacker News: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware
  • securityonline.info: Mimo Returns: CVE-2025-32432 Exploited in Cryptomining and Proxyware Campaigns
  • ciso2ciso.com: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware – Source:thehackernews.com
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites The operators appear to be based in the Middle East
  • Virus Bulletin: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.