Cyware Daily Threat Intelligence, February 21, 2025

Daily Threat Briefing • Feb 21, 2025
Pirated software continues to be a favorite hunting ground for cybercriminals, and LummaC2 is the latest parasite lurking in cracked downloads. The malware is being spread through fake versions of Total Commander, using Reddit and Google Collab Drive to lure victims. Once installed, it harvests sensitive credentials from browsers and emails, proving once again that shortcuts to free software often come at a steep cost.
Old malware doesn’t die; it evolves. Researchers uncovered links between the infrastructure of Stately Taurus and the long-running Bookworm malware, showing that the espionage group has been refining its tactics for the past nine years. Using DLL sideloading, Bookworm quietly infiltrates Windows systems under the guise of legitimate executables. Its resemblance to the ToneShell backdoor suggests that these tools may have been built by the same developers.
Phishing-as-a-service is getting a dangerous upgrade. The Darcula PhaaS platform is rolling out Darcula Suite, a new version that lets cybercriminals create customized phishing sites with just a few clicks. Currently in beta, this DIY phishing kit is packed with features, making sophisticated scams more accessible than ever.
LummaC2 mimics Total Commander tool
ASEC has discovered a new distribution method for the LummaC2 malware, which is disguised as a cracked version of the Total Commander file management tool for Windows. The malware is distributed through a series of page transitions on Google Collab Drive and Reddit, with the attack specifically targeting users looking to download cracked software. The malware is heavily obfuscated and compressed using NSIS and AutoIt scripts. When executed, it infects the system with LummaC2. The malware is primarily disguised as illegal programs such as cracks and serials, and once a system is infected, sensitive information such as browser-stored account credentials and email credentials is sent to the threat actor's C&C server.
Updated Shadowpad opens door to ransomware
Trend Micro detected a series of cybersecurity incidents in Europe involving the Shadowpad malware, which is associated with various Chinese threat actors. The malware targeted at least 21 companies across 15 countries, with more than half of the targets being in the manufacturing industry. In some cases, the threat actor also deployed ransomware from an unreported family. The threat actors gained access through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication mechanisms. The malware is modular and has been updated with features such as anti-debugging techniques, encryption of the payload in the registry, and usage of DNS over HTTPS.
JumbledPath: Custom malware used by Salt Typhoon
The China-linked cyber espionage group Salt Typhoon has been using a custom-built utility called JumbledPath to spy on U.S. telecommunication providers, according to a report by Cisco Talos researchers. The group has breached multiple telecom networks, including ISPs in the U.S. and Italy, a U.K.-affiliated U.S. telecom, and providers in South Africa and Thailand. The group has also manipulated network settings and used JumbledPath to remotely capture packets, clear logs, and exfiltrate encrypted data.
Stately Taurus activity linked to Bookworm malware
Unit 42 found connections between the infrastructure used by Stately Taurus and the Bookworm malware, indicating a continuity in tactics since its initial discovery in 2015. This malware uses a sophisticated DLL sideloading technique to effectively infiltrate Windows systems. The group has been targeting organizations within the Association of Southeast Asian Nations (ASEAN). Bookworm operates by using legitimate executables signed by automation organizations to load malicious payloads. It also shares similarities with another backdoor variant, ToneShell, suggesting they may have been developed by the same team.
Critical bugs in Mongoose library
Security researchers found two critical vulnerabilities in Mongoose, an Object Data Modeling library for MongoDB. The first vulnerability, CVE-2024-53900, is an SQL injection flaw that lets specially crafted queries manipulate data. It was reported and fixed in version 8.8.3, but later a bypass allowed for continued remote code execution. This second issue was assigned CVE-2025-23061 and addressed in version 8.9.5.
Atlassian patches critical flaws
Atlassian has released patches for 12 critical and high-severity vulnerabilities in its Bamboo, Bitbucket, Confluence, Crowd, and Jira products. The updates address five critical issues in Confluence Data Center and Server and in Crowd Data Center and Server, including two critical flaws in Apache Tomcat (CVE-2024-50379 and CVE-2024-56337) that could lead to remote code execution. The updates for Crowd also resolve a high-severity DoS vulnerability (CVE-2022-25927). In Bamboo Data Center and Server, two high-severity DoS flaws (CVE-2024-7254 and CVE-2024-47072) were fixed, and a high-severity RCE bug was patched in Bitbucket Data Center and Server.
Payment card skimming campaign uses Stripe API
A new, highly sophisticated payment card skimming campaign has been discovered, which exploits Stripe's deprecated API to verify card details before stealing them, ensuring only valid information is taken while maintaining a normal user experience to evade detection. The attack begins with a compromised first-party script that uses two known malicious domains as initial distribution points for the skimming payload. The attack is notable for its selective validation process, which intercepts legitimate payment form submissions, creates a perfect visual replica of the Stripe payment elements, validates captured card data through Stripe’s API before exfiltration, and maintains the original purchase flow to avoid detection.
Darcula PhaaS auto-generates phishing kits
The Darcula PhaaS platform is set to release its third major version, Darcula Suite, currently in beta, which features a do-it-yourself phishing kit generator. This new feature allows users to target any brand by cloning legitimate sites and customizing phishing elements. The upcoming release also offers a user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading, among other features.