Cyware Daily Threat Intelligence, April 01, 2025

Daily Threat Briefing • April 1, 2025
Someone clicks a shortcut in a phishing email, and just like that, the whole machine turns. A new version of KoiLoader is making the rounds, delivering Koi Stealer through a layered infection chain that quietly builds persistence before pulling down malware designed to scoop up passwords, cookies, and system data. The final payload rides on a custom C2 channel and slips through with a script that even disables AMSI on its way in.
It’s hiding in plain sight - just not where anyone usually looks. Threat actors have been tucking malicious code into the mu-plugins folder on WordPress sites, a spot that doesn’t show up in the regular plugin dashboard. Redirects, webshells, and SEO spam are all part of the toolkit, with infections showing up through subtle changes in traffic, files, or system load before anyone notices what’s off.
Apple’s patch day wasn’t routine this time. Two zero-days, including a WebKit flaw and a USB bypass bug, were among dozens of vulnerabilities addressed across iOS, iPadOS, and macOS. While one bug could let attackers escape browser sandboxes, the other allowed physical access to sidestep device protections. Both are now patched - assuming your devices are up to date.
New KoiLoader variant unearthed
Researchers identified a new version of KoiLoader, used for C&C and deploying Koi Stealer, an information stealer. The attack initiates with a phishing email containing a ZIP attachment, which holds a deceptive .lnk file. Upon clicking, it triggers a hidden PowerShell command that downloads two malicious JScript files. These scripts establish scheduled tasks, create an illusion of system-trusted processes, and download further payloads. The second script acts as the infection's engine room, retrieving system info, creating a unique file path for persistence, and downloading two PowerShell scripts. The first script disables AMSI, and the second loads the KoiLoader binary into memory. Finally, KoiLoader downloads and executes the KoiStealer malware, which is designed to extract saved passwords, system credentials, session cookies, and browser and application data. KoiLoader uses a custom HTTP-based C2 protocol and offers various command options.
Operation HollowQuill: New cyber-espionage campaign
A sophisticated cyber-espionage campaign named Operation HollowQuill has been discovered by SEQRITE Labs. It targets academic, governmental, and defense-related networks in Russia, particularly the Baltic State Technical University (BSTU “VOENMEKH”), using malicious PDFs to deliver a Cobalt Strike payload. The attack begins with a malicious RAR archive containing a .NET-based malware dropper disguised as a research invitation. This archive includes a legitimate OneDrive executable, a Golang-based shellcode loader, and a decoy PDF. Upon execution, the dropper deploys the shellcode loader, injects malicious code into the OneDrive process, and opens the decoy PDF. The final stage involves deploying a Cobalt Strike beacon that connects to a C2 server.
New Triton RAT abuses Telegram
Cado Security Labs has discovered a new Python-based RAT called Triton RAT, which uses Telegram for remote system access and data exfiltration. This open-source malware, found on GitHub, can perform various malicious activities such as credential theft, system control, and persistence establishment. It initiates operation by retrieving a Telegram Bot token and chat ID from Pastebin, enabling communication with a Telegram bot serving as the C2 server. The RAT can execute keylogging, access webcams, steal clipboard data and saved passwords, and bypass 2FA to access Roblox accounts using stolen cookies. It also gathers system information, executes remote shell commands, records screens, changes wallpapers, and uploads or downloads files.
Malware hidden in Mu-Plugins
Threat actors are hiding malicious code in the mu-plugins directory of WordPress websites. This directory is less noticeable because it is not listed in the standard WordPress plugin interface, making it easy to overlook during routine security checks. Three cases of malware were discovered: Fake Update Redirect Malware, a webshell, and a spam injector. These allow attackers to redirect traffic to malicious websites, maintain persistent access via backdoors, and inject spam content to manipulate SEO rankings. The malware can be identified by unusual behavior on the site, suspicious files in the mu-plugins directory, elevated server resource usage, and unexpected file modifications.
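Because mu-plugins never appear in the plugin dashboard, the practical check is a file-integrity baseline of that directory. The following is an added example written for this briefing, not code from the researchers or from WordPress: it hashes every file under wp-content/mu-plugins, stores the result as a baseline, and reports files that were added, modified, or removed since. The demo scenario (a single legitimate plugin, then a dropped file and a tampered file) is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large plugin files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(mu_dir: Path) -> dict:
    """Map each file under mu-plugins (recursively) to its SHA-256 digest."""
    return {
        str(p.relative_to(mu_dir)): sha256_file(p)
        for p in sorted(mu_dir.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict):
    """Return (added, modified, removed) file names relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return added, modified, removed


def demo():
    """Constructed scenario: take a baseline, then simulate a dropped file and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"   # same layout as a real WordPress root
        mu.mkdir(parents=True)
        (mu / "site-config.php").write_text("<?php // legitimate must-use plugin\n")
        baseline = snapshot(mu)   # in production, persist this off-host and re-run on a schedule
        # What the briefing describes: an unexpected new file and a modified existing one.
        (mu / "index.php").write_text("<?php // constructed sample standing in for a dropped file\n")
        (mu / "site-config.php").write_text("<?php // legitimate plugin, now altered\n")
        return diff_snapshots(baseline, snapshot(mu))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

Any non-empty result from a scheduled run against a trusted baseline is worth a manual look, since legitimate mu-plugins change only when an administrator deploys them.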
Apple patches 0-days in older iPhones
Apple has released security updates for its desktop and mobile products, addressing dozens of vulnerabilities, including two zero-day flaws. The first zero-day, CVE-2025-24201, is an out-of-bounds write issue in WebKit that allows attackers to craft web content to break out of the Web Content sandbox. This flaw was fixed in iOS 18.3.2, iPadOS 18.3.2, and Safari 18.3.1, and has now been patched in older versions of iOS and iPadOS. The second zero-day, CVE-2025-24200, is a medium-severity authorization bug that could allow a physical attacker to disable USB Restricted Mode on a locked device. This was fixed in iOS 18.3.1 and iPadOS 18.3.1. Apple also released new security updates for the latest generation mobile devices, resolving 60 vulnerabilities with iOS 18.4 and iPadOS 18.4, and 38 flaws with iPadOS 17.7.6. macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5 were also updated to address numerous bugs.
Rising use of lookalike domains in email attacks
Cybercriminals are increasingly using lookalike domains to carry out targeted email-based scams and financial fraud. They target various sectors, including finance, legal services, insurance, and construction. These scams begin with registering a similar domain, setting up email servers, compiling a list of potential victims, and sending deceptive emails to trick recipients into providing sensitive information or authorizing payments. Several campaigns have been spotted using lookalike domains, such as impersonating financial institutions, invoice scams, executive impersonation, account takeover, recruitment scams, and phishing.
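Since every campaign above starts with a freshly registered domain that resembles a real one, a mail gateway or SIEM can score inbound sender domains against the organisation's own domains. The following is an added example for this briefing, not code from any vendor it mentions: it treats a sender domain as a lookalike when the brand label appears under another TLD, inside a longer label, as a subdomain of an unrelated domain, or within a small edit distance after folding common confusable characters. The protected domain and the confusable-character table are constructed assumptions; real deployments should also consult a public-suffix list, which this simplification skips.

```python
PROTECTED = ["examplebank.com"]   # constructed: domains the organisation actually owns

# Assumed visually confusable substitutions commonly used in lookalike registrations.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def normalize(label: str) -> str:
    """Fold confusable characters so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, protected=PROTECTED, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the domain part of a sender address."""
    d = sender_domain.lower().rstrip(".")
    for p in protected:
        if d == p or d.endswith("." + p):
            return "legitimate"          # the domain itself or a genuine subdomain of it
    labels = d.split(".")
    if len(labels) < 2:
        return "unrelated"
    name = normalize(labels[-2])         # registrable label; ignores multi-part suffixes like co.uk
    for p in protected:
        brand = normalize(p.split(".")[0])
        if brand in labels[:-2]:
            return "lookalike"           # brand parked as a subdomain of someone else's domain
        if brand in name:
            return "lookalike"           # other TLD, confusable characters, or brand + extra words
        if levenshtein(name, brand) <= max_distance:
            return "lookalike"           # single-character typo variants
    return "unrelated"
```

Scoring is cheapest when applied to the envelope sender and the From: header of inbound mail, with lookalike hits quarantined for review rather than delivered.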