CyberSecurity news

FlagThis - #websites

info@thehackernews.com (The@The Hacker News //

Hackers Exploit Craft CMS Zero-Day For Cryptocurrency Mining - Mimo exploits CVE-2025-32432 in Craft CMS to deploy crypto miners and proxyware on compromised websites.
A new cyber threat has emerged, with the threat actor known as Mimo exploiting a recently disclosed remote code execution vulnerability, CVE-2025-32432, in the Craft Content Management System (CMS). The attackers are leveraging this vulnerability to deploy a suite of malicious payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware on compromised websites. This allows them to not only abuse system resources for illicit cryptocurrency mining, but also monetize the victim's internet bandwidth for other malicious activities.

The exploitation of CVE-2025-32432 unfolds in two phases. The attacker activates a web shell by injecting PHP code via a specially crafted GET request. This action triggers a redirection, prompting the application to record the return URL within a server-side PHP session file. Once the web shell is enabled, commands can be executed remotely. The web shell is used to download and execute a shell script, which checks for indicators of prior infection and uninstalls any existing cryptocurrency miners before delivering next-stage payloads and launching the Mimo Loader.

The Mimo Loader modifies "/etc/ld.so.preload" to hide the malware process. Its ultimate goal is to deploy the IPRoyal proxyware and the XMRig miner on the compromised host. Sekoia researchers Jeremy Scion and Pierre Le Bourhis noted the unusual naming choice of the Python library "urllib2" being aliased as "fbi," suggesting it may be a tongue-in-cheek nod to the American federal agency, serving as a distinctive coding choice and a potential indicator for detection. The activity has been linked to the Mimo intrusion set, which has been active since at least March 2022 and has previously exploited vulnerabilities in Apache Log4j, Atlassian Confluence, PaperCut, and Apache ActiveMQ.

Recommended read:
References :
  • blog.sekoia.io: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites
  • The Hacker News: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware
  • securityonline.info: Mimo Returns: CVE-2025-32432 Exploited in Cryptomining and Proxyware Campaigns
  • ciso2ciso.com: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware – Source:thehackernews.com
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites The operators appear to be based in the Middle East
  • Virus Bulletin: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
Alex Delamotte@sentinelone.com //

AkiraBot Uses AI to Bypass CAPTCHAs - AkiraBot is an AI-powered botnet that leverages OpenAI’s API to generate custom outreach messages for spamming, targeting over 80,000 websites since last September to promote questionable SEO services.
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. This sophisticated framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, effectively promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs advanced CAPTCHA bypass mechanisms and network detection evasion techniques, posing a significant challenge to website security. It achieves this by rotating attacker-controlled domain names and using AI-generated content, making it difficult for traditional spam filters to identify and block the messages.

AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior, and uses services like Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, preventing rate-limiting and system-wide blocks.

The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam attacks. This sophisticated approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking measures.

Recommended read:
References :
  • cyberinsider.com: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms
  • www.sentinelone.com: AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
  • The Hacker News: Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO.
  • Cyber Security News: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • securityaffairs.com: AkiraBot: AI-Powered spam bot evades CAPTCHA to target 80,000+ websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • cyberpress.org: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • www.scworld.com: Sweeping SMB site targeting conducted by novel AkiraBot spamming tool
  • 404 Media: Scammers Used OpenAI to Flood the Web with SEO Spam
  • CyberInsider: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms, 400,000 Impacted
  • : Scammers used OpenAI as part of a bot that flooded the web with SEO spam. Also bypassed CAPTCHA https://www.404media.co/scammers-used-openai-to-flood-the-web-with-seo-spam/
  • Security Risk Advisors: SentinelOne's analysis of AkiraBot's capabilities and techniques.
  • www.sentinelone.com: SentinelOne blog post about AkiraBot spamming chats and forms with AI pitches.
  • arstechnica.com: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Ars OpenForum: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Digital Information World: New AkiraBot Targets Hundreds of Thousands of Websites with OpenAI-Based Spam
  • TechSpot: Sophisticated bot uses OpenAI to bypass filters, flooding over 80,000 websites with spam
  • futurism.com: OpenAI Is Taking Spammers' Money to Pollute the Internet at Unprecedented Scale
  • PCMag Middle East ai: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • securityonline.info: AkiraBot: AI-Powered Spam Bot Floods Websites with Personalized Messages
  • PCMag UK security: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.pcmag.com: PCMag article about the use of GPT-4o-mini in the AkiraBot spam campaign.
  • Virus Bulletin: SentinelLABS researchers look into AkiraBot, a framework used to spam website chats and contact forms en masse to promote a low-quality SEO service. The bot uses OpenAI to generate custom outreach messages & employs multiple CAPTCHA bypass mechanisms.
  • Daily CyberSecurity: Spammers are constantly adapting their tactics to exploit new digital communication channels.
info@thehackernews.com (The@The Hacker News //

Massive Malware Campaign Targets 150,000 Websites - ZuizhongJS, a web malware campaign, has compromised over 150,000 websites to inject ads and redirect users to Chinese gambling sites through JavaScript and PHP code injection.
A massive malware campaign, identified as ZuizhongJS, has compromised over 150,000 websites through JavaScript injection to promote Chinese gambling platforms. Threat actors are breaching websites to drive traffic to illicit gambling sites. This campaign which injects obfuscated JavaScript and PHP code into the compromised sites hijacks browser windows. The primary goal is to generate revenue by redirecting users to full-screen overlays of fake betting websites, including impersonations of legitimate platforms like Bet365.

The attackers are believed to be linked to the Megalayer exploit, known for distributing Chinese-language malware and employing similar domain patterns and obfuscation tactics. The injected code is often hidden using HTML entity encoding and hexadecimal to evade detection. This campaign underscores the growing threat of client-side attacks and the need for robust website security measures, including regular script audits and strict Content Security Policies, to protect users from malicious redirects and potential financial harm.

Recommended read:
References :
  • Cyber Security News: Hackers Breach 150,000 Websites to Drive Traffic to Chinese Gambling Sites
  • gbhackers.com: Threat Actors Compromise 150,000 Websites to Promote Chinese Gambling Platforms
  • The Hacker News: 150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
  • www.techradar.com: Thousands of websites have now been hijacked by this devious, and growing, malicious scheme
Megan Crouse@eWEEK //

Cloudflare's AI Labyrinth Traps Web Scraping Bots - Cloudflare has introduced AI Labyrinth, a new tool to combat web scraping bots that steal website content for AI training by luring crawlers into a maze of irrelevant content.
References: The Register - Software , eWEEK , OODAloop ...
Cloudflare has launched AI Labyrinth, a new tool designed to combat web scraping bots that steal website content for AI training. Instead of simply blocking these crawlers, AI Labyrinth lures them into a maze of AI-generated content. This approach aims to waste the bots' time and resources, providing a more effective defense than traditional blocking methods which can trigger attackers to adapt their tactics. The AI Labyrinth is available as a free, opt-in tool for all Cloudflare customers, even those on the free tier.

The system works by embedding hidden links within a protected website. When suspicious bot behavior is detected, such as ignoring robots.txt rules, the crawler is redirected to a series of AI-generated pages. This content is "real looking" and based on scientific facts, diverting the bot from the original website's content. Because no human would deliberately explore deep into a maze of AI-generated nonsense, anyone who does can be identified as a bot with high confidence. Cloudflare emphasizes that AI Labyrinth also functions as a honeypot, allowing them to identify new bot patterns and improve their overall bot detection capabilities, all while increasing the cost for unauthorized web scraping.

Recommended read:
References :
  • The Register - Software: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content
  • eWEEK: Crowdflare’s Free AI Labyrinth Distracts Crawlers That Could Steal Website Content to Feed AI
  • The Verge: Cloudflare, one of the biggest network internet infrastructure companies in the world, has announced AI Labyrinth, a new tool to fight web-crawling bots that scrape sites for AI training data without permission. The company says in a blog post that when it detects “inappropriate bot behavior,â€� the free, opt-in tool lures crawlers down a path
  • OODAloop: Trapping misbehaving bots in an AI Labyrinth
  • THE DECODER: Instead of simply blocking unwanted AI crawlers, Cloudflare has introduced a new defense method that lures them into a maze of AI-generated content, designed to waste their time and resources.
  • Digital Information World: Cloudflare’s Latest AI Labyrinth Feature Combats Unauthorized AI Data Scraping By Giving Bots Fake AI Content
  • Ars OpenForum: Cloudflare turns AI against itself with endless maze of irrelevant facts
  • Cyber Security News: Cloudflare Introduces AI Labyrinth to Thwart AI Crawlers and Malicious Bots
  • poliverso.org: Cloudflare’s AI Labyrinth Wants Bad Bots To Get Endlessly Lost
  • aboutdfir.com: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content Cloudflare has created a bot-busting AI to make life hell for AI crawlers.

Posts

Blogs

Research Tools