A sophisticated malware campaign targeting WordPress sites has emerged, utilizing PHP variable functions and cookie-based obfuscation to evade traditional security detection mechanisms.

The attack represents an evolution in obfuscation techniques, where threat actors fragment malicious code across multiple HTTP cookies and dynamically reconstruct executable functions at runtime.

This approach makes static analysis significantly more challenging, as the malicious intent remains hidden until all cookie components are assembled and executed.

The malware has been detected over 30,000 times in September 2025 alone, demonstrating its widespread deployment and continued effectiveness against vulnerable websites.

The attack vector primarily targets PHP-based web applications, particularly WordPress installations, by injecting backdoor scripts that accept commands through specially crafted cookies.

Unlike traditional malware that embeds complete malicious payloads within files, this campaign distributes function names and encoded parameters across numbered cookie indices.

Once deployed, the malware waits for specific cookie configurations before activating, requiring attackers to send precisely structured requests containing all necessary components.

This conditional execution serves dual purposes: evading automated security scans that may trigger the script without proper cookies, and preventing unauthorized access by other malicious actors who discover the backdoor.

Wordfence researchers identified multiple variants of this malware family during routine incident response operations, adding samples to their threat intelligence database containing over 4.4 million unique malicious signatures.

The detection came through analysis of compromised sites where conventional signature-based scanning initially struggled to flag the heavily obfuscated code.

Analysis revealed that while individual variants differ in implementation details, they share core characteristics including dense obfuscation, excessive array lookups, and deliberate cookie validation checks that act as authentication mechanisms for attackers.

Technical Implementation and Code Execution Chain

The malware operates through a multi-stage execution chain that leverages PHP’s variable function capability, where appending parentheses to any variable causes PHP to execute a function matching the variable’s string value.

In examined samples, the script begins by storing the $_COOKIE superglobal into a local variable and validating that exactly 11 cookies are present, with one containing the specific string “array11”.

The malware then concatenates cookie values to reconstruct function names, such as combining cookies containing “base64_” and “decode” to form the complete base64_decode function name.

The execution chain demonstrates sophisticated layering:-

$locale[79] = $locale[79] . $locale[94];
$locale[23] = $locale[79]($locale[23]);

This reconstructs base64_decode, then decodes another cookie containing “Y3JlYXRlX2Z1bmN0aW9u” to produce “create_function”. The malware subsequently uses create_function with attacker-controlled parameters to generate arbitrary executable code.

Later variants employ string replacement techniques, transforming obfuscated strings like “basx649fxcofx” into “base64_decode” by replacing characters ‘x’, ‘f’, and ‘9’ with ‘e’, ‘d’, and ‘_’ respectively.

This multi-layered approach defeats pattern-matching detection while maintaining full remote code execution capabilities through serialized payloads delivered via cookie parameters.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Malware Attack Using Variable Functions and Cookies to Evade and Hide Their Malicious Scripts appeared first on Cyber Security News.

An international ecosystem of sophisticated scam operations has emerged, targeting vulnerable populations through impersonation tactics and fraudulent financial aid promises.

The campaign, dubbed “Vulnerability Vultures,” primarily focuses on older adults who represent lucrative targets for threat actors.

According to the FBI’s Internet Crime Complaint Center, the 60-plus age group filed the highest number of complaints in 2024, with losses totaling $4.8 billion, nearly double the next highest category.

Federal Trade Commission data further reveals that adults 70 years or older experience significantly higher median dollar losses compared to younger demographics.

The scammers leverage major social media platforms as initial contact points, subsequently redirecting victims to fraudulent websites or private messaging channels where they harvest financial details and sensitive personal information.

These operations demonstrate geographic diversity, with evidence suggesting operators based in Nigeria, South Asia, and the United States.

The threat actors deliberately target individuals susceptible to offers of physical or financial benefits, including both older adults and previous scam victims who may be seeking restitution.

Graphika analysts identified that the cross-platform structure of these scam operations enables scalability, anonymity, and effective evasion of platform moderation measures.

The threat actors deploy inauthentic personas and manipulated media to impersonate trusted figures, institutions, and brands such as the FBI and established news organizations.

By incorporating AI-generated audio, cloned websites, and repurposed authentic content, the scammers create convincing simulations of legitimacy and authority that deceive even cautious victims.

Attack Methodology and Social Engineering Tactics

The operations follow a consistent three-stage attack pattern: building trust through authoritative impersonation, ushering victims to off-platform communication channels, and extracting personal or financial data through registration forms for non-existent relief programs.

These schemes operate at high volume, deploying identical short-lived advertisements, AI automation, paid promotion, and disposable accounts that maintain operational persistence despite ongoing enforcement efforts from platform providers and law enforcement agencies.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Tricks Target Users Via Impersonation and Fictional Financial Aid Offers appeared first on Cyber Security News.

TransparentTribe, a Pakistani-nexus intrusion set active since at least 2013, has intensified its cyber espionage operations targeting Linux-based systems of Indian military and defense organizations.

The campaign, initially documented in July 2025 by CYFIRMA with activity traced back to June 2025, has evolved significantly with the development of a sophisticated Golang-based remote access trojan dubbed DeskRAT.

This malware represents a notable escalation in the group’s technical capabilities, demonstrating their commitment to maintaining strategic cyber dominance against Indian defense interests.

The attack campaign employs a deceptively simple yet effective multi-stage delivery mechanism that begins with phishing emails containing malicious ZIP archives.

These archives are disguised with innocuous-sounding names such as “MoM_regarding_Defence_Sectors_by_Secy_Defence” to evade initial detection.

Upon extraction, the archives reveal a DESKTOP file that masquerades as a legitimate PDF document, complete with a PDF icon to reinforce the deception.

When executed by unsuspecting users, the file triggers a complex infection chain that ultimately establishes persistent remote access to compromised systems.

Sekoia analysts identified and analyzed the evolution of this campaign through their threat detection systems, discovering new samples in August and September 2025 that revealed an updated infection chain.

The researchers implemented multiple YARA rules to track the activity and found samples that were previously unknown to other security vendors, indicating the group’s efforts to stay ahead of conventional detection mechanisms.

This discovery underscores the sophistication and evolving nature of TransparentTribe’s operations.

The technical infrastructure supporting this campaign has also undergone refinement. Initial phishing emails directed targets to ZIP files hosted on legitimate cloud services such as Google Drive, but the operation has since shifted to dedicated staging servers.

This evolution demonstrates operational security awareness and an attempt to avoid reliance on third-party platforms that could be more easily monitored or suspended by security teams.

Deceptive Infection Mechanism Through Embedded Obfuscation

The DESKTOP file employed in this campaign contains a particularly ingenious obfuscation technique that hides malicious Bash commands within thousands of lines of commented PNG image data.

The actual [Desktop Entry] section containing the malware execution instructions is strategically placed between two massive blocks of PNG data, effectively concealing the payload from casual inspection.

This layering technique exploits the fact that a typical user reviewing the file would encounter overwhelming amounts of image data before discovering the embedded commands.

The Bash one-liner executed upon file activation orchestrates a sophisticated multi-stage payload delivery.

The command first generates a unique filename in the /tmp/ directory using a timestamp, then downloads an encoded binary from the remote staging server using curl with specific error-handling flags.

The downloaded content undergoes dual decoding: initial hexadecimal conversion using xxd, followed by Base64 decryption.

Once decoded, the payload executes directly through eval, gaining immediate control of the system.

Simultaneously, the infection chain launches Firefox to display a decoy PDF document hosted on the attacker’s server, creating the illusion of a legitimate document opening while the RAT silently establishes its presence.

This coordinated execution provides social engineering cover for the malware installation.

DeskRAT itself maintains command and control communications through WebSocket connections, enabling real-time interaction between the attackers and compromised systems.

The malware’s Golang implementation provides cross-platform compatibility and enhanced persistence capabilities, making it particularly effective against the diverse Linux environments deployed throughout Indian military infrastructure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post TransparentTribe Attack Linux-Based Systems of Indian Military Organizations to Deliver DeskRAT appeared first on Cyber Security News.

As the festive season approaches, organizations are witnessing a disturbing increase in targeted attacks on digital gift card systems.

The Jingle Thief campaign, orchestrated by financially motivated threat actors based in Morocco, has emerged as a notorious campaign exploiting seasonal vulnerabilities to steal and monetize gift cards at scale.

By leveraging tailored phishing and smishing campaigns, the attackers set their sights on major retailers and large enterprises operating cloud-based infrastructures, particularly those reliant on Microsoft 365 and similar services.

Their goal: compromise user credentials, gain unauthorized access, and exploit gift card systems during periods of heightened activity and reduced vigilance.

The operation begins with carefully crafted phishing emails and SMS messages that entice victims into providing their login details via deceptive portals mimicking legitimate Microsoft 365 interfaces.

These counterfeit sites, uniquely branded to mirror the targeted organization’s style, harvest credentials while evading routine detection.

Attackers often send out these lures using self-hosted PHP mailer scripts running from compromised WordPress servers, effectively obscuring their own infrastructure.

Once inside, they proceed with extensive reconnaissance, pivoting laterally through SharePoint and OneDrive accounts to locate internal documentation and gift card issuance workflows.

Their sophistication lies not merely in the initial compromise but in their ability to remain undetected—sometimes for months—while orchestrating repeated fraud attempts across multiple gift card issuance applications.

Palo Alto Networks analysts tracked the Jingle Thief campaign under cluster CLCRI1032, linking it to known threat entities such as Atlas Lion and STORM-0539.

Their research uncovered advanced operational tactics focused on maintaining persistence and operational patience.

Attacks observed in early 2025 saw over 60 user accounts compromised within a single global organization, with threat actors demonstrating adaptable methods to subvert defensive controls, including mailbox manipulation and identity infrastructure abuse.

The attack lifecycle showcases how initial access via phishing evolves toward long-term persistence through rogue device registration.

Infection Mechanism: Persistence through Device Registration

A striking element of the Jingle Thief campaign is its method of establishing persistent, malware-resistant access.

After credential theft, threat actors exploit Microsoft Entra ID’s self-service and device enrollment features, registering attacker-controlled devices and rogue authenticator apps.

This approach subverts multi-factor authentication (MFA), allowing them continuous access—even after password resets.

The attackers have been observed silently enrolling smartphones using the native onboarding process:-

# Example: Rogue Device Enrollment – Simulated Python workflow
import requests
url = "https://entra.microsoft.com/device/register"
data = {"user_id": compromised_id, "device_info": attacker_device}
requests.post(url, json=data)

This illustrating how the adversary leverages legitimate MFA onboarding to entrench in the environment, making detection extremely challenging.

Through these advanced techniques, Jingle Thief attackers reliably evade conventional security controls, rendering typical remediation measures ineffective until full identification and infrastructure clean-up are achieved.

Cybersecurity teams are urged to prioritize identity-based monitoring and behavioral anomaly detection, especially during festive seasons when such threats intensify.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Jingle Thief Attackers Exploiting Festive Season with Weaponized Gift Card Attacks appeared first on Cyber Security News.