A critical security flaw in the WordPress Post SMTP plugin has left more than 400,000 websites vulnerable to account takeover attacks.

The vulnerability, identified as CVE-2025-11833, enables unauthenticated attackers to access email logs containing sensitive password reset information, potentially compromising administrator accounts and entire websites.

The flaw stems from a missing authorization check in the plugin’s core functionality, allowing threat actors to exploit logged email data without requiring any authentication credentials.

The Post SMTP plugin, designed to replace WordPress’s default PHP mail function with SMTP mailers, includes an email logging feature that inadvertently exposes critical security information.

Since November 1, 2025, attackers have actively targeted this vulnerability, with over 4,500 exploitation attempts already blocked by security systems.

The widespread use of this plugin across hundreds of thousands of WordPress installations has created a significant attack surface for cybercriminals seeking unauthorized access to websites.

Wordfence researchers identified the vulnerability through their Bug Bounty Program on October 11, 2025, just one day after its introduction.

Security researcher netranger discovered and responsibly reported the flaw, earning a bounty of $7,800 for the critical finding.

The WP Experts development team responded swiftly to disclosure, releasing patch version 3.6.1 on October 29, 2025, to address the security gap affecting all versions up to and including 3.6.0.

The vulnerability carries a CVSS score of 9.8, placing it in the critical severity category. Site administrators must immediately update to version 3.6.1 to protect their installations from ongoing exploitation attempts.

Wordfence Premium users received firewall protection on October 15, 2025, while free version users will receive the same safeguards by November 14, 2025.

Technical Exploitation Mechanism

The vulnerability resides within the PostmanEmailLogs class constructor, which displays logged email messages without performing capability checks on the __construct function.

Attackers can exploit this weakness by manipulating URL parameters to access arbitrary email logs through the plugin’s interface.

Vulnerability Details:-

The vulnerable code accepts GET requests with specific parameters including page, view, and log_id, allowing unauthorized users to retrieve stored email content directly from the database.

public function __construct() {
    global $wpdb;
    $this->db = $wpdb;
    $this->logger = new PostmanLogger( get_class( $this ) );

    //Render Message body in iframe
    if(
        isset( $_GET['page'] ) && $_GET['page'] == 'postman_email_log'
        &&
        isset( $_GET['view'] ) && $_GET['view'] == 'log'
        &&
        isset( $_GET['log_id'] ) && !empty( $_GET['log_id'] )
    ) {
        $id = sanitize_text_field( $_GET['log_id'] );
        $email_query_log = new PostmanEmailQueryLog();
        $log = $email_query_log->get_log( $id, '' );
        echo ( isset ( $header ) && strpos( $header, "text/html" ) );
        die;
    }
}

The exploitation process involves attackers triggering password reset requests for administrator accounts, then accessing the logged reset emails containing password reset links through the unprotected interface.

This two-step attack vector enables complete site takeover, granting malicious actors full administrative privileges to upload backdoors, modify content, and redirect users to malicious destinations.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post WordPress Post SMTP Plugin Vulnerability Exposes 400,000 Websites to Account Takeover Attacks appeared first on Cyber Security News.

XLoader remains one of the most challenging malware families confronting cybersecurity researchers.

This sophisticated information-stealing loader emerged in 2020 as a rebrand of FormBook and has evolved into an increasingly complex threat.

The malware’s code decrypts only at runtime and sits protected behind multiple encryption layers, each locked with different keys hidden throughout the binary.

Even automated sandbox analysis tools struggle against XLoader’s aggressive evasion techniques that block malicious execution when virtual environments are detected.

Check Point researchers identified a breakthrough approach to analyzing XLoader by leveraging generative artificial intelligence.

The latest XLoader version 8.0 sample presented significant obstacles with customized encryption schemes, obfuscated API calls, and extensive sandbox evasion techniques.

The malware authors release new versions regularly, changing internal mechanisms and adding anti-analysis methods that render previous research quickly outdated.

The research demonstrated how ChatGPT accelerated static reverse engineering from days to hours.

By exporting IDA Pro database contents and analyzing them through cloud-based artificial intelligence, researchers showed deep analysis could proceed without maintaining live disassembler sessions.

This approach removed dependency on heavy local tooling while making results reproducible and easier to share.

Decrypting XLoader’s Built-in Protection

XLoader version 8.0 implements sophisticated protection mechanisms through a built-in crypter that wraps the main payload in two rounds of RC4 encryption.

The first layer applies RC4 decryption to the entire buffer, followed by a second pass processing 256-byte chunks using a different key.

Each encryption round requires specific keys derived through complex algorithms scattered across multiple functions.

Check Point analysts noted the main payload undergoes this dual-layer encryption scheme, with Stage-1 and Stage-2 keys calculated through separate derivation processes.

The Stage-1 key (20EBC3439E2A201E6FC943EE95DACC6250A8A647) and Stage-2 key (86908CFE6813CB2E532949B6F4D7C6E6B00362EE) were successfully extracted through artificial intelligence-assisted analysis combined with runtime debugging validation.

The complete unpacking process traditionally consuming days of manual reverse engineering, was compressed into approximately 40 minutes, offering defenders fresher indicators of compromise.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post XLoader Malware Analyzed Using ChatGPT’s, Breaks RC4 Encryption Layers in Hours appeared first on Cyber Security News.

The Tycoon 2FA phishing kit has emerged as one of the most sophisticated Phishing-as-a-Service platforms since its debut in August 2023, specifically engineered to circumvent two-factor authentication and multi-factor authentication protections on Microsoft 365 and Gmail accounts.

This advanced threat employs an Adversary-in-the-Middle approach, utilizing reverse proxy servers to host convincing phishing pages that perfectly replicate legitimate login interfaces while capturing user credentials and session cookies in real-time.

According to the Any.run malware trends tracker, Tycoon 2FA leads with over 64,000 reported incidents this year, making it one of the most prevalent phishing threats in the current landscape.

The attack spreads through multiple distribution vectors including malicious PDF documents, SVG files, PowerPoint presentations, and emails containing phishing links.

Threat actors have also leveraged cloud storage platforms such as Amazon S3 buckets, Canva, and Dropbox to host fake login pages, making detection more challenging for traditional security solutions.

What makes this campaign particularly dangerous is its ability to steal authentication codes even when two-factor authentication is enabled, effectively rendering this security measure useless against the sophisticated interception techniques employed by the kit.

Cybereason analysts identified that the phishing kit implements multiple pre-redirection checks as defense mechanisms against detection, including domain verification, CAPTCHA challenges, bot and scanning tool detection, and debugger checks that actively look for security researchers analyzing the code.

These checks ensure that only genuine victims reach the final phishing page while automated security tools and analysts are redirected to benign websites.

The kit also demonstrates an advanced understanding of organizational security policies by analyzing error messages from login attempts, allowing attackers to tailor their campaigns for maximum effectiveness.

The technical sophistication extends to the use of boilerplate templates that dynamically generate fake login pages based on actual responses from Microsoft servers, creating a seamless experience that prompts users to input their MFA codes, which are then relayed to legitimate servers in real-time, successfully bypassing this critical security layer.

Multi-Stage JavaScript Execution and Credential Harvesting

The attack unfolds through a complex multi-stage JavaScript execution chain designed to evade detection while harvesting credentials.

The initial HTML page contains a JavaScript file with a base64-encoded payload compressed using the LZ-string algorithm, which decompresses and executes the hidden payload in memory.

The second stage employs a technique called DOM Vanishing Act, where malicious JavaScript code removes itself from the Document Object Model after execution, leaving no visible trace for security tools inspecting the page code.

The script contains three different base64-encoded payloads, each designed to run under specific conditions.

The first payload uses XOR cipher obfuscation and executes only when window.location.pathname.split contains an exclamation mark or dollar sign, confirming that the user arrived via the intended malicious link rather than through automated scanning.

The email extraction process creates a custom string by appending “WQ” to the victim’s email address before exfiltrating it to the command-and-control server via POST request to /zcYbH5gqRHbzSQXiK8YtTbhpNSGtkZc6xbMyRBGazbWU8fjfq, where the server responds with AES-encrypted payloads decrypted using the CryptoJS library.

When victims enter credentials into the fake login page, the attacker acting as a middleman immediately receives the information and submits it to legitimate Microsoft servers.

The victim’s webpage is then dynamically updated based on server responses using webparts, making the phishing attempt appear seamless and highly convincing.

The final JavaScript payload collects browser information including navigator.userAgent and sends requests to geolocation services, encrypting the gathered data with a hardcoded key before transmission to the attacker’s endpoint at /tdwsch3h8IoKcUOkog9d14CkjDcaR0ZrKSA95UaVbbMPZdxe, successfully completing the credential theft operation.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attack Techniques of Tycoon 2FA Phishing Kit Targeting Microsoft 365 and Gmail Accounts Detailed appeared first on Cyber Security News.

A sophisticated evolution of the RondoDox botnet has emerged with a staggering 650% increase in exploitation capabilities, marking a significant escalation in the threat landscape for both enterprise and IoT infrastructure.

First documented by FortiGuard Labs in September 2024, the original RondoDox variant focused narrowly on DVR systems with just two exploit vectors.

The newly discovered RondoDox v2, however, demonstrates a dramatic expansion with over 75 distinct exploitation vectors targeting everything from legacy routers to modern enterprise applications.

This evolution represents a fundamental shift in botnet development strategy, bridging the gap between opportunistic IoT exploitation and targeted enterprise compromise.

The malware was detected on October 30, 2025, through honeypot telemetry when research infrastructure began receiving automated exploitation attempts from IP address 124.198.131.83 originating from New Zealand.

The attack pattern immediately distinguished itself through its volume and sophistication, deploying 75 distinct exploit payloads in rapid succession.

Each payload attempted command injection vectors targeting router and IoT vulnerabilities, with all payloads downloading malicious scripts from the command-and-control server at 74.194.191.52.

Unusually, the threat actor embedded an open attribution signature—bang2013@atomicmail.io—directly into User-Agent strings, marking a departure from the anonymous operational security typically employed by botnet operators.

Beelzebub analysts identified the malware through their AI-native deception platform, which captured the complete attack chain and enabled comprehensive technical analysis of the botnet’s capabilities.

RondoDox v2 targets an extensive range of vulnerable devices spanning multiple vendor ecosystems and spanning over a decade of CVE history.

The exploit arsenal includes critical vulnerabilities such as CVE-2014-6271 (Shellshock), CVE-2018-10561 (Dasan GPON routers), CVE-2021-41773 (Apache HTTP Server), and CVE-2024-3721 (TBK DVR systems).

The malware demonstrates cross-platform flexibility by deploying 16 architecture-specific binaries including x86_64, multiple ARM variants, MIPS, PowerPC, and even legacy architectures like m68k and SPARC.

This comprehensive architecture support ensures maximum infection potential across diverse embedded systems and enterprise servers.

The command-and-control infrastructure operates on compromised residential IP addresses distributed across multiple ASNs, providing resilience and evasion capabilities that make traditional blocking strategies less effective.

Technical Infrastructure and Obfuscation Mechanisms

The dropper script employed by RondoDox v2 showcases sophisticated evasion and persistence techniques designed to bypass security controls and eliminate competing malware.

Upon execution, the script immediately disables SELinux and AppArmor security frameworks using commands such as setenforce 0 and service apparmor stop, creating an environment conducive to malicious activity.

The script then proceeds with aggressive competitor elimination, systematically killing processes associated with cryptocurrency miners like xmrig and other known botnet families including redtail.

This behavior ensures resource monopolization on infected systems while reducing detection probability by eliminating noisy competing malware.

The binary payload itself employs XOR-based string obfuscation with a key value of 0x21 to conceal critical configuration data from static analysis tools.

Decoded strings reveal command-and-control protocol implementations including “handshake” for C2 initialization and “udpraw” indicating DDoS capabilities.

The malware demonstrates anti-analysis awareness by checking for exit code 137, which indicates SIGKILL termination commonly employed by automated sandbox environments.

Detection of this condition causes immediate script termination, effectively evading many automated malware analysis systems.

#!/bin/sh
# bang2013@atomicmail.io
exec > /dev/null 2>&1
[ -t 0 ] && exit 0
for p in /proc/[0-9]*; do pid=${p##*/}; [ ! -e "$p/exe" ] && kill -9 $pid 2>/dev/null; done
setenforce 0
service apparmor stop
mount -o remount,rw /||sudo mount -o remount,rw /

Persistence mechanisms leverage cron-based scheduling with @reboot directives, ensuring automatic execution following system restarts.

The malware attempts installation across multiple filesystem locations including /tmp/lib/rondo, /dev/shm/lib/rondo, and /var/tmp/lib/rondo, demonstrating awareness of different system configurations and permission structures.

Network communication occurs over TCP port 345 using a custom binary protocol that initiates with a “handshake” message to the primary C2 server at 74.194.191.52.

The malware spoofs User-Agent strings to appear as legitimate iPhone iOS 18.5 devices, further obscuring malicious traffic within enterprise environments.

DDoS capabilities include HTTP flood attacks mimicking gaming traffic, UDP raw socket operations, TCP SYN flooding, and protocol mimicry for OpenVPN, WireGuard, and popular gaming platforms including Minecraft, Fortnite, and Discord.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post RondoDox Botnet Updated Their Arsenal with 650% More Exploits Targeting Enterprises appeared first on Cyber Security News.