• As iOS 26 is being rolled out, a critical forensic challenge has emerged: the operating system now automatically overwrites the shutdown.log file on every reboot, effectively erasing crucial evidence of Pegasus and Predator spyware infections. This development represents a significant setback for forensic investigators and users seeking to determine whether their devices have been compromised—particularly […]

    The post iOS 26 Overwrites ‘shutdown.log’ on Reboot, Erasing Forensic Evidence of Pegasus and Predator Spyware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Famous Chollima, a threat group affiliated with North Korea’s Reconnaissance General Bureau, has significantly expanded its operational capabilities by integrating two potent malware strains: BeaverTail and OtterCookie.

    This convergence marks a critical evolution in the group’s attack methodology, targeting cryptocurrency and blockchain sectors with renewed sophistication.

    The merging of these toolsets reflects a deliberate shift toward JavaScript-based malware delivery, reducing dependency on Python while maintaining broad operational flexibility across multiple platforms and target profiles.

    The group’s latest campaign, tracked as Contagious Interview, exploits legitimate job-seeking platforms and recruitment channels to distribute trojanized applications.

    Recent discoveries reveal that organizations face compromise through seemingly innocuous supply chain vectors, with a cryptocurrency-themed chess platform serving as an initial infection point.

    The malicious payload infiltrated systems through dependency resolution when developers cloned a Bitbucket repository for Chessfi, inadvertently pulling the compromised node-nvm-ssh package from public NPM repositories.

    This technique demonstrates how credential theft operations now seamlessly blend social engineering with technical supply chain exploitation.

    Polyswarm Threat Response Unit analysts identified the converged malware architecture during investigations of a Sri Lanka-based compromise, where post-install scripts executed obfuscated JavaScript payloads embedded in seemingly legitimate package dependencies.

    The attack sequence revealed sophisticated modular construction combining both BeaverTail and OtterCookie capabilities into a unified information-stealing framework targeting cryptocurrency wallets and sensitive documents.

    Technical Convergence and Capability Fusion

    The integration of BeaverTail and OtterCookie represents a deliberate architectural consolidation rather than coincidental overlap.

    BeaverTail handles initial reconnaissance, enumerating browser profiles and targeting cryptocurrency wallet extensions across Chrome, Brave, and Edge browsers, specifically hunting MetaMask, Phantom, and Solflare installations.

    The component downloads Python-based InvisibleFerret modules from command-and-control servers over port 1224, bootstrapping complete Python distributions on target Windows systems to enable full execution capabilities.

    OtterCookie complements this infrastructure through modular extensions: remote shell access via socket.io-client for command execution and system fingerprinting, a file enumeration module that scans drives for documents and credentials, and a dedicated cryptocurrency extension stealer mirroring BeaverTail’s wallet-targeting logic.

    A novel keylogging module first observed in April 2025 captures keystroke data and screenshot images, buffering exfiltrated information in temporary files before transmission to command infrastructure.

    The malware implements anti-analysis countermeasures including environment checking and error-handler eval mechanisms for dynamic code execution, evolving from earlier HTTP cookie-based payload delivery to modular string execution paradigms across five iterations since late 2024.

    The post North Korean Chollima Actors Added BeaverTail and OtterCookie to Its Arsenal appeared first on Cyber Security News.

  • Cybersecurity researchers have developed a sophisticated new tool called EDR-Redir that can bypass Endpoint Detection and Response (EDR) systems by exploiting Windows’ Bind Filter and Cloud Filter drivers. This technique represents a significant advancement in evasion methods that operate entirely in user mode without requiring kernel privileges. The Windows Bind Link feature, introduced in Windows […]

    The post New EDR-Redir Tool Bypasses EDRs by Exploiting Bind Filter and Cloud Filter Driver appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here’s how that false sense of security

  • Threat actors have launched a significant mass exploitation campaign targeting critical vulnerabilities in two popular WordPress plugins, GutenKit and Hunk Companion, affecting hundreds of thousands of websites globally.

    These vulnerabilities, discovered in September and October 2024, have resurfaced as an active threat in October 2025, demonstrating the persistent danger of unpatched installations.

    The attack vectors leverage improper permission checks in REST API endpoints, allowing unauthenticated attackers to install malicious plugins and achieve remote code execution without authentication or user intervention.

    The GutenKit plugin, with over 40,000 active installations, and Hunk Companion, with approximately 8,000 active users, represent significant attack surfaces due to their widespread adoption.

    Wordfence Threat Response Unit analysts identified that attackers began mass exploitation again on October 8th, 2025, approximately one year after initial disclosure, indicating threat actors continue leveraging these critical flaws for large-scale compromise operations.

    The Wordfence Firewall has already blocked more than 8,755,000 exploit attempts targeting these vulnerabilities since protective rules were deployed.

    The threat landscape reveals organized attack infrastructure with multiple malicious payloads designed for persistence and lateral movement.

    Wordfence Threat Response Unit researchers noted that attackers distribute heavily obfuscated backdoors, file managers, and webshells capable of mass defacement, network reconnaissance, and terminal access.

    The attacks abuse REST API endpoints whose permission callback is set to simply return true, turning otherwise legitimate plugin installation functionality into a weaponized entry point for system compromise.

    REST API Permission Mechanism Exploitation

    The fundamental vulnerability stems from a critical misconfiguration in REST API endpoint registration. Both plugins register permission callbacks that unconditionally return true, so unauthenticated requests are permitted and access control on those routes is effectively disabled.

    In GutenKit, the vulnerable endpoint routes to the install_and_activate_plugin_from_external() function via the gutenkit/v1/install-active-plugin endpoint, while Hunk Companion exposes similar functionality through hc/v1/themehunk-import.

    The exploitation mechanism works by sending POST requests with arbitrary plugin URLs hosted on external repositories, typically GitHub or attacker-controlled domains.

    When an unauthenticated request reaches these endpoints, the server downloads and extracts the specified ZIP archive directly into wp-content/plugins without validating plugin authenticity or code integrity.

    Wordfence Threat Response Unit analysts discovered that malicious packages contain obfuscated PHP scripts with All in One SEO plugin headers to evade basic detection, alongside base64-encoded file managers and PDF-header disguised backdoors enabling complete system compromise.

    The installation process executes automatically, activating malicious code immediately and providing attackers direct command execution capabilities for installing additional malware, modifying website content, and establishing persistent access mechanisms.

    | CVE ID | Plugin | Affected Versions | Patched Version | CVSS Score | Vulnerability Type | Bounty |
    |---|---|---|---|---|---|---|
    | CVE-2024-9234 | GutenKit | ≤ 2.1.0 | 2.1.1 | 9.8 (Critical) | Unauthenticated Arbitrary File Upload | $716.00 |
    | CVE-2024-9707 | Hunk Companion | ≤ 1.8.4 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Arbitrary Plugin Installation | $537.00 |
    | CVE-2024-11972 | Hunk Companion | ≤ 1.8.5 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Plugin Installation Bypass | N/A |

    Website administrators should immediately update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0. Review wp-content/plugins and wp-content/upgrade directories for suspicious installations.

    Monitor access logs for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import endpoints, and implement firewall rules to restrict API access to authenticated users only.
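    A defender-side log check for the monitoring advice above, added here as an example and not part of the Wordfence write-up. It parses combined-format access log lines (constructed samples on documentation IP ranges, not real traffic), normalises each request to its REST route, including the `?rest_route=` form WordPress accepts on sites without pretty permalinks, and flags hits on the two vulnerable endpoints, separating requests the server accepted (2xx) from blocked ones.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Routes named in the advisory; in the affected versions both were
# registered with a permission callback that simply returned true.
WATCHED_ROUTES = ("/gutenkit/v1/install-active-plugin", "/hc/v1/themehunk-import")

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:03:14:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [08/Oct/2025:03:14:05 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 12 "-" "curl/8.4.0"
192.0.2.44 - - [08/Oct/2025:03:15:11 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2025:03:15:40 +0000] "POST /?rest_route=/hc/v1/themehunk-import HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""

def rest_route(path):
    """Map a request path to its REST route (None if not a REST call). WordPress
    accepts /wp-json/<route> and, without pretty permalinks, /?rest_route=/<route>."""
    parts = urlsplit(path)
    p = unquote(parts.path)
    if p.startswith("/wp-json/"):
        return "/" + p[len("/wp-json/"):].rstrip("/")
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return "/" + unquote(qs["rest_route"][0]).strip("/")
    return None

def find_install_hits(lines):
    """Return parsed entries whose route is one of the watched endpoints."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entry["route"] = rest_route(entry["path"])
        if entry["route"] in WATCHED_ROUTES:
            hits.append(entry)
    return hits

def summarize(hits):
    """Count hits per source IP and separate requests the server accepted: a 2xx
    to a POST on these routes on an unpatched site means a ZIP was likely unpacked."""
    per_ip = Counter(h["ip"] for h in hits)
    accepted = [h for h in hits if 200 <= h["status"] < 300]
    return per_ip, accepted
```

    Any source IP with accepted hits should be followed by the directory review of wp-content/plugins and wp-content/upgrade described above, since a blocked (403) request alone proves only that the endpoint was probed.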

    The post Hackers Actively Exploiting WordPress Arbitrary Installation Vulnerabilities in The Wild appeared first on Cyber Security News.

  • HashiCorp has disclosed two critical vulnerabilities in Vault and Vault Enterprise that could enable attackers to bypass authentication mechanisms and launch denial-of-service attacks against infrastructure. The first vulnerability, identified under Bulletin ID HCSEC-2025-31, stems from a regression in how Vault processes JSON payloads. According to HashiCorp’s disclosure published on October 23, 2025, the vulnerability allows […]

    The post Critical HashiCorp Vault Vulnerabilities Allow Authentication Bypass and DoS Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Dell Technologies has disclosed three critical vulnerabilities affecting Dell Storage Manager that could allow unauthenticated remote attackers to completely compromise storage systems. Dell Storage Manager versions prior to 2020 R1.21 are vulnerable to attacks that bypass authentication mechanisms entirely, enabling adversaries to gain full system access without valid credentials. The vulnerabilities, disclosed on October 24, […]

    The post Dell Storage Manager Vulnerabilities Allow Full System Compromise appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Security researchers at NeuralTrust have uncovered a critical vulnerability in OpenAI’s Atlas browser that allows attackers to bypass safety measures by disguising malicious instructions as innocent-looking web addresses. The flaw exploits how the browser’s omnibox interprets user input, potentially enabling harmful actions without proper security checks. The Omnibox Vulnerability Explained Atlas features an omnibox that […]

    The post ChatGPT’s Atlas Browser Jailbroken to Hide Malicious Prompts Inside URLs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • The notorious Mem3nt0 mori hacker group has been actively exploiting a zero-day vulnerability in Google Chrome, compromising high-profile targets across Russia and Belarus.

    Dubbed CVE-2025-2783, this flaw allowed attackers to bypass Chrome’s robust sandbox protections with minimal user interaction, leading to the deployment of sophisticated spyware.

    Discovered by Kaspersky researchers in March 2025, Google swiftly patched the vulnerability, but not before infections spread through personalized phishing campaigns mimicking invitations to the prestigious Primakov Readings forum.

    | CVE ID | Description | CVSS Score | Affected Versions | Patch Version | Impact |
    |---|---|---|---|---|---|
    | CVE-2025-2783 | Incorrect handle validation in Mojo IPC leading to sandbox escape on Windows | 9.8 (High) | Chrome < 134.0.6998.177 | 134.0.6998.177/.178 | Arbitrary code execution, espionage via spyware deployment |

    The attacks, part of an operation Kaspersky named ForumTroll, targeted media outlets, universities, government agencies, and financial institutions, underscoring the group’s focus on intelligence gathering.

    Victims received impeccably crafted emails in Russian, luring them to malicious sites that triggered the exploit on visit; no downloads or clicks beyond the initial link were needed.

    This drive-by infection chain exploited Chrome’s Mojo inter-process communication system, a critical component for handling data between browser processes on Windows.

    The vulnerability stemmed from a subtle oversight: Chrome’s code failed to properly validate pseudo-handles like -2 (for the current thread), enabling attackers to dupe the system into duplicating handles across sandbox boundaries.

    This logical flaw, rooted in outdated Windows optimizations, allowed shellcode execution in the privileged browser process, paving the way for malware persistence.

    Unraveling The Attack Chain

    The infection progressed in carefully designed stages, as reconstructed by Kaspersky’s Global Research and Analysis Team (GReAT).

    It began with a phishing email; the linked page first ran a validator script that used WebGPU to confirm a genuine browser visit, thwarting automated scanners.

    If validated, an elliptic-curve Diffie-Hellman key exchange decrypted the next payload, hidden in innocuous files like JavaScript bundles and fonts.

    (Figure: Attack Chain)

    Although the remote code execution (RCE) exploit evaded capture, the sandbox escape via CVE-2025-2783 was pivotal: it hooked functions in Chrome’s V8 inspector and ipcz library to relay thread handles, suspending and hijacking the browser process to inject a persistent loader.

    This loader employed COM hijacking, overriding Windows registry entries for legitimate components like twinapi.dll to ensure malware execution in processes such as rdpclip.exe.

    The payload, obfuscated with OLLVM and encrypted via a modified ChaCha20, decrypted into LeetAgent, a rare spyware that uses leetspeak commands for tasks like keylogging, file theft (targeting docs, PDFs, and spreadsheets), and process injection.

    Configuration arrived over HTTPS from C2 servers on Fastly.net, with extensive traffic obfuscation hinting at commercial origins.

    Kaspersky traced LeetAgent’s debut to 2022, linking it to broader ForumTroll campaigns involving malicious attachments like ISO files and LNK shortcuts disguised as partnership invitations.

    Deeper analysis revealed that LeetAgent’s loader shared code with Dante, an elusive commercial spyware from the Italian firm Memento Labs, rebranded from the infamous Hacking Team in 2019.

    (Figure: LeetAgent Loader)

    Dante, unveiled at the 2023 ISS World conference, packed VMProtect obfuscation, anti-debugging via event log queries for VM artifacts, and dynamic API resolution to evade hooks.

    Its orchestrator managed modules encrypted with AES-256, using machine-bound keys from CPU IDs and product keys, stored in Base64-named folders under %LocalAppData%.

    Kaspersky confirmed overlaps in persistence, font-hidden data, and exploit code, attributing ForumTroll’s toolkit to Memento Labs despite the vendor’s “start from scratch” promises.

    This discovery highlights the shadowy spyware market’s resilience, where tools like Dante (its name potentially nodding to Hacking Team’s “Da Vinci” via Dante Alighieri’s infernal journeys) persist in APT hands.

    Firefox patched a similar IPC flaw as CVE-2025-2857 shortly after. Experts warn of lingering pseudo-handle risks in other software.

    For protection, update Chrome to 134.0.6998.177 or later, enable enhanced safe browsing, and monitor for IOCs like suspicious Base64 folders.

    As Mem3nt0 mori evolves, vigilance against phishing remains paramount in this cat-and-mouse game of digital shadows.

    The post Chrome 0-Day Vulnerability Actively Exploited in Attacks by Notorious Hacker Group appeared first on Cyber Security News.
