This article explores the recent campaign of Murdoc_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei…

This article explores the recent campaign of Murdoc\_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei devices. The Qualys Threat Research team discovered this ongoing campaign in July 2024.

The Qualys Threat Research Unit has discovered a live campaign for the Mirai botnet, which began in July 2024 and deploys a new botnet called Murdoc\_Botnet. It is a large-scale operation within the Mirai campaign, exploiting vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers. 

The attackers utilized ELF and shell script execution to deploy the Murdoc\_Botnet botnet sample. This technique leverages existing vulnerabilities (CVE-2024-7029, CVE-2017-17215) to download the next-stage payloads. The research began with the discovery and analysis of Murdoc\_Botnet binaries used for DDOS activities. Using Qualys EDR, threat intelligence data, and open-source intelligence (OSINT), the researchers were able to attribute Murdoc\_Botnet as a Mirai variant.

The researchers discovered around 1300+ active IPs and 100+ distinct servers, each tasked with deciphering its activities and establishing communication with compromised IPs/servers. These servers facilitated the distribution of Mirai malware. These servers played a role in distributing the Mirai malware.

Further analysis revealed the presence of over 100 command-and-control servers tasked with establishing communication with infected devices. These servers also facilitated the distribution of Mirai malware.

As per Qualys Threat Research’s technical blog post, shared exclusively with Hackread.com ahead of its publishing, Murdoc\_Botnet targets \*nix systems, particularly vulnerable AVTECH and Huawei devices. The malware primarily uses bash scripts that leverage GTFOBins to fetch payloads, grant them execution permission using chmod, and then execute and remove them.

Moreover, it fetches the next-stage payloads using existing exploits. The infection process involves exploiting vulnerabilities to download shell scripts. These scripts are then executed on the compromised devices, which in turn download the new variant of Mirai botnet (Murdoc\_Botnet).

Malaysia, Thailand, Mexico, and Indonesia have been identified as the most affected countries in this campaign. To protect against Murdoc\_Botnet attacks, organizations should monitor suspicious processes, avoid executing shell scripts from untrusted sources, and keep systems and firmware updated with the latest patches. These measures can significantly reduce the risk of infection from Murdoc\_Botnet and Mirai variants.

1.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
2.  **Mirai-like Botnet Targets Zyxel NAS Devices in Europe**
3.  **Mirai-Inspired Gorilla Botnet Hits Devices in 100 Countries**
4.  **Androxgh0st Botnet Hits IoT Devices with 27 Vulnerabilities**
5.  **Tiny Mantis Launch More Powerful DDoS Attacks Than Mirai**

New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits

Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet.
The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh

Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers

A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices.
The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This

13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks

The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

The FBI says it has removed PlugX malware from thousands of infected computers worldwide.

The move came after suspicion that cybercriminals groups under control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from victims’ computers.

PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.

Among others, the PlugX Remote Access Trojan (RAT) was used in a lasting campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:

> “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”

After researchers found out that thousands of infected machines reported to one specific IP address, they managed to seize control over the IP address that served as a Command & Control (C2) server.

In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means that the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.

With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.

FBI special agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:

> “The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PlugX malware deleted from thousands of systems by FBI 

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients. Within 90 minutes, 1,165 malicious emails bombarded 22 user inboxes, aiming to trick users into clicking on malicious links.

Researchers at SlashNext have published new findings revealing attackers using tactics similar to the **Black Basta ransomware gang**, targeting 22 inboxes within 90 minutes. The attack was swift and targeted, aiming to overwhelm users and bypass traditional security measures.

According to their **blog post**, shared with Hackread.com, this Black Basta-style attack utilizes a ransomware scam that deceives employees into granting remote access to their computers. 

SlashNext’s investigation of this phishing wave revealed five key tactics used by attackers: masquerading as popular platforms like WordPress and Shopify, using legitimate-looking domains to send fake account creation and subscription emails, utilizing seemingly harmless domains, using unusual characters or minor variations in subject lines, and targeting different user roles to increase attention.

The attackers first flood inboxes with seemingly legitimate emails like newsletters or payment receipts. The emails used subject lines like “Account Confirmation” and “Subscription Notice” to entice users to click malicious links, causing a sense of urgency. Attackers further employed social engineering tactics by incorporating foreign languages or odd characters to bypass basic keyword filters. 

This initial barrage creates confusion and makes it difficult to distinguish genuine emails from malicious ones. When users are overwhelmed, attackers swoop in, often via phone calls or messages impersonating IT support. By speaking confidently, they gain trust and trick users into installing remote access software like **TeamViewer or AnyDesk**. Once this software is installed, attackers gain a foothold in the system, potentially spreading malware or compromising sensitive data on the network.

Targeted Campaign Stats and the types of scams (Via SlashNext)

Fortunately, SlashNext’s Integrated Cloud Email Security (ICES) quickly identified hundreds of red flags targeting a small group of users. Within a mere 90 minutes, a whopping 1,165 emails bombarded 22 mailboxes, averaging over 50 emails per user in rapid bursts. This tactic aimed to create panic and encourage impulsive clicks.

The ICES platform’s early detection allowed the client to respond proactively and prevent the attack from spreading. SlashNext’s AI-powered security system, SEER™, proactively identified and blocked these emails in real time. SEER™ analyzes email behaviour beyond simple keyword checks, detecting suspicious patterns like encoded URLs and fake login pages. Researchers noted a sudden rise in these attacks across the web between November and December. SlashNext was the first to launch an automated AI-powered defence to handle the situation in real time.

The incident shows the increasing nature of cybersecurity threats, with attackers using sophisticated techniques to evade traditional security measures. Organizations should prioritize threat detection and response, and regular security assessments to identify vulnerabilities and improve overall security.

1.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
2.  Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Flaws
3.  Russian APT29 Using NSO Group-Style Exploits in Attacks: Google
4.  Iranian Hackers Team Up with Ransomware Gangs in Attacks on US
5.  BlackByte Ransomware Exploits VMware Flaw in VPN-Based Attacks

Top/Feature Image via Freepik

Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account…

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account and replaced the legitimate Kong Ingress Controller v.3.4.0 image with a malicious version.

A critical security vulnerability was identified in Kong Ingress Controller version 3.4.0. This vulnerability stemmed from an unauthorized image uploaded to DockerHub on December 23rd, 2024. The affected image (hash: sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) contained malicious code that enabled cryptojacking. 

This malicious code directed the controller to pool.supportxmr.com, a crypto mining site, which means the image contained code that secretly mined cryptocurrency. Moreover, it would have been executed by any system running the compromised image, effectively turning those systems into unintended mining rigs.

The Kong team became aware of the issue on January 2nd, 2025 and took swift action. They removed version 3.4.0 and all associated tags from DockerHub. Additionally, they rotated all access keys used for DockerHub access. Finally, a patched version, 3.4.1, was released on January 2nd, 2025. This version removed the unauthorized cryptojacking code.

There is currently no evidence to suggest that any Kong Ingress Controller versions besides 3.4.0 (specifically the image hash mentioned above) were affected.

****What You Should Do:****

If you deployed Kong Ingress Controller version 3.4.0 between December 22nd, 2024 and January 3rd, 2025, immediate action is required. You should remove this image from all internal registries and clusters.

To fix the issue, remove the vulnerable image (sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) from internal registries and clusters, pull a remediated image from either the patched version 3.4.1 or a clean version 3.4.0.

The fixed image hashes for the clean, re-tagged version of 3.4.0 are:

AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f

ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee

By taking these steps, you can ensure you are no longer running a vulnerable image and protect your systems from cryptojacking attempts.

Dan Lorenc, CEO and founder of software supply chain security platform Chainguard provided Hackread.com with a detailed comment addressing the core issues within this attack stating, “Supply-chain breaches happen, and it looks like the kong/kubernetes-ingress-controller images are the latest to fall victim. Here’s what we know so far:

*   A DockerHub PAT used to upload release images was compromised sometime before Dec. 23rd
*   The attacker used this PAT to upload a malicious version of the 3.4.0 release image directly to DockerHub
*   This image contained code to mine cryptocurrency and send results to a specific wallet
*   High CPU usage was reported by a user on December 29th, and the malicious images were taken down by January 2nd
*   New versions were uploaded, and the keys used to upload were revoked/rotated by the maintainers

“How should you protect against attacks like this? As a maintainer, any key you have is a key that you can leak,” said Dan. “Lock down and regularly audit all systems that have access to PATs like this, or choose systems that allow OIDC-based authentication to avoid this altogether. CI/CD pipelines are notoriously hard to configure securely; tools like Zizmor (lnkd.in/eGSGrMqm) help here. Signing artefacts can help even if you can’t use OIDC to publish or users pull from mirrors out of your control.”

“As an end-user, pin images you receive from third-parties by digest and test/malware scan them before upgrading. Check signatures if they exist,” Dan explained.

Nevertheless, a crypto mining attack on organizations could have drastic implications, including increased resource consumption, higher energy costs, and a multitude of security risks. The compromised image could have introduced vulnerabilities or backdoors, allowing attackers to gain further access, highlighting the importance of software supply chain security, particularly for critical components like container images. Organizations should employ image integrity verification mechanisms, and conduct regular security audits to identify and mitigate vulnerabilities.

1.  **OracleIV DDoS Botnet Hits Docker Engine API Instances**
2.  **Malware Hits 9Hits, Turns Docker Servers into Crypto Miners**
3.  **Hackers hijacking Bitbucket and Docker Hub for Monero mining**
4.  **TeamTNT Exploits 16M IPs in Malware Attack on Docker Clusters**
5.  **Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps**

Malicious Kong Ingress Controller Image Found on DockerHub

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.
The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.

Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

Ramat Gan, Israel, 7th January 2025, CyberNewsWire

**Ramat Gan, Israel, January 7th, 2025, CyberNewsWire**

CyTwist, a leader in advanced next-generation threat detection solutions, has launched its patented detection engine to combat the insidious rise of AI-generated malware.

The cybersecurity landscape is evolving as attackers harness the power of artificial intelligence (AI) to develop advanced and evasive threats. The rise of AI-generated malware and AI-enhanced cyberattacks has escalated the threat landscape, leaving traditional defenses struggling to keep up. Businesses now face the critical challenge of adapting to this new era of cyber warfare, characterized by speed, sophistication, and adaptability.

**The Threat of AI-Driven Cyberattacks**

AI has altered the dynamics of cyber conflict, enabling attackers to execute sophisticated operations previously associated with state-sponsored entities. AI-generated phishing emails, adaptive botnets, and automated reconnaissance tools are now common components of cybercriminal tactics. These technologies bypass signature-based defenses and mimic legitimate behavior, making detection more challenging.

For example, in a recent attack on French corporates and government agencies, an AI-engineered malware exploited advanced techniques like COM hijacking and encrypted payloads, enabling attackers to remain undetected for extended periods, exfiltrate sensitive data, and establish long-term persistence within the network. This incident highlights three key risks of AI-driven attacks:

·      Sophistication: AI allows attacks to evolve in real-time, rendering static defenses obsolete.

·      Speed: Automated reconnaissance and attack execution drastically reduce the time needed to breach networks and execute the attack.

·      Evasion: AI-generated threats mimic human behavior, complicating detection for security teams.

In response to this growing challenge, CyTwist has developed a patented detection engine that identifies stealthy, AI-driven attack campaigns and malware that bypass traditional security tools, including leading EDR and XDR solutions. By leveraging advanced behavioral analysis, CyTwist Profiler identifies new and emerging threats in real time, stopping attackers before they can cause harm.

**CyTwist: Advanced Defense Against AI-Generated Threats**

CyTwist recently demonstrated its advanced detection capabilities during a red team simulation with a major telecommunications provider. The exercise mirrored the sophisticated techniques observed in the recent attack on French organizations and government agencies, employing AI-generated malware with encryption and evasion tactics. While the existing security tools failed to detect the attack, CyTwist’s solution identified malicious activity within minutes.

The head of incident response at the telecom operator highlighted the tool’s value, stating “We were impressed by CyTwist’s capability of detecting sophisticated, AI-generated malware that our EDR had failed to pick up. CyTwist provided the critical insights we needed to detect the attack in time, adding a valuable security layer against AI-generated threats.”

This simulation underscored the importance of adopting advanced technologies to address modern cyber challenges.

> “The use of AI in cyberattacks is reshaping the threat landscape, enabling attackers to operate elusively and at speed, capable of gliding past traditional security solutions. Our patented detection engine is specifically engineered to address these challenges.” Said Eran Orzel, CEO of CyTwist.

**Strategies for Mitigating AI-Generated Threats**

As organizations face increasing threats from AI-driven attacks, proactive strategies are essential. Key recommendations include:

**1\. Adopting Advanced Detection Technologies:** Traditional detection tools are not always sufficient defense against the dynamic nature of modern cyber threats. Modern detection tools that leverage AI, machine learning, behavioral analytics, and anomaly detection are needed to uncover threats missed by traditional approaches.

**2\. Prioritized Rapid Detection and Response:** Speed is critical when responding to AI-driven threats. Continuous monitoring and automated response systems enable swift containment of threats and real-time triage tools help security teams focus on critical alerts and ignore the noise.

**3\. Enhanced Resilience Through Security Frameworks:** Building adaptive security frameworks that integrate advanced detection tools will enable a response to emerging threats in real time. Regular training for security teams is needed to build the skills to counter the latest AI-driven attack methods.

CyTwist’s patented detection engine represents a significant advancement in addressing AI-enhanced cyber threats, providing organizations with the tools needed to navigate this increasingly complex landscape.

To learn more about CyTwist’s cutting-edge solutions, users can visit cytwist.com or reach out via \[email protected\].

**About CyTwist**

CyTwist is an advanced cybersecurity solution, specializing in next-generation threat detection and response. Its patented detection engine enables organizations to stay ahead of evolving threats, providing unmatched protection against stealthy, AI-generated attacks and novel malware. CyTwist was founded by a team of experienced cybersecurity professionals and former intelligence officers who bring extensive expertise in counterintelligence and cybersecurity.

In an era where attackers leverage AI to outpace traditional defenses, CyTwist Profiler provides a critical layer of security, enabling organizations to detect, investigate, and neutralize threats before they cause harm.

**Contact**

**CEO**  
**Eran Orzel**  
**CyTwist**  
**\[email protected\]**

CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of…

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of US telecom companies breached by Chinese state-sponsored hackers in the Salt Typhoon campaign.

The list of telecommunications companies compromised in the **Salt Typhoon cyberattack** continues to grow, with recent reports naming Charter Communications, Consolidated Communications, and Windstream as the latest victims of Chinese government espionage. 

This follows previous confirmations from **AT&T, Verizon, T-Mobile**, and Lumen Technologies, as earlier reported by Hackread.com, that their networks had been breached. According to Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, Chinese hackers have targeted nine US telecoms, with the latest three remaining unclear.

The Wall Street Journal **reported** that Chinese spies exploited vulnerabilities in network devices from Fortinet and Cisco to gain unauthorized access to these telecom networks. In some cases, attackers gained control of high-level network management accounts lacking multi-factor authentication, granting them access to several routers. This access allowed them to potentially monitor network traffic and cover their tracks.

This incident has prompted several government-level security developments. The US Department of Treasury **recently sanctioned** a Chinese cybersecurity company for its role in another cyberattack, and the US government is taking steps to strengthen the security of American telecom infrastructure.

These measures include increased scrutiny by the FCC, legislative efforts to enhance security, and recommendations for individuals and organizations to improve their cybersecurity practices.

Moreover, given the ongoing wave of Salt Typhoon’s breaches, the US Cybersecurity and Infrastructure Security Agency (CISA) is advising government officials to switch to end-to-end encrypted messaging apps like Signal. 

The latest revelation highlights the growing threat of Chinese cyberattacks on US infrastructure, with the Salt Typhoon campaign indicating a shift from traditional espionage to more disruptive activities. Experts urge organizations in international business or critical infrastructure to enhance their cybersecurity defences.

**Chris Hauk**, Consumer Privacy Champion at Pixel Privacy commented on the latest development stating, _“_Possible targets of these Chinese attackers need to immediately follow the steps outlined by the FBI and NSA to help harden their systems against attack. Actually, any organization would be advised to follow the steps._“_

_“_Patching and upgrading apps and devices, limiting the types of connections and privileged accounts, and only using strong encryption, are just some of the steps organizations can take to harden their systems against attack_,”_ Chris added.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **CISA – FBI: Chinese Hackers Compromised US Telecom Networks**
3.  **US Charges 5 Suspected MGM Hackers from Scattered Spider Gang**
4.  **Microsoft: Chinese Flax Typhoon uses legit tools for cyber espionage**
5.  **Chinese Hackers Breach US Firm, Maintain Network Access for Months**

US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

****SUMMARY****

*   **Sophisticated Phishing Tool**: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.

*   **Real-Time Data Exploitation**: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.

*   **Advanced Features**: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.

*   **Global Impact**: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.

*   **Mitigation Strategies**: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.

Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.

The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have created a new WordPress plugin, PhishWP, to create fake payment pages. Instead of processing payments, they steal credit card numbers, expiration dates, CVVs, and billing addresses.

PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication. 

In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.

This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.

Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity. 

To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities to create attacks as per the specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.

Screenshot from the Russian hacker forum (Via SlashNext)

Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.

To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.

Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development stating _“_WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details._“_

1.  **US Marshals Service Data Sold on Russian Hacker Forum**
2.  **New Rockstar 2FA Phishing Kit Targets Microsoft 365 Accounts**
3.  **Military Satellite Access Sold on Russian Hacker Forum for $15K**
4.  **Android Botnet Nexus Being Rented Out on Russian Hacker Forum**
5.  **Network access to Pakistan’s top fed agency sold on Russian forum**

Tag

#botnet