Cyware Daily Threat Intelligence, February 26, 2025

Daily Threat Briefing • Feb 26, 2025
It took just one cleverly disguised Batch script to outmaneuver security tools for over 48 hours, slipping past defenses with ease. A new malware delivery framework is making waves with its advanced obfuscation techniques, allowing it to remain undetected for an extended period. The malware, deploying either XWorm or AsyncRAT, operates almost entirely in memory, minimizing its footprint.
The irony couldn’t be greater - an advanced security training platform now carries a critical vulnerability that lets attackers turn the tables. A severe RCE flaw has been discovered in MITRE’s Caldera, an open-source tool designed for simulating cyber threats. The vulnerability affects all versions except 5.1.0+ and the latest master branch, enabling attackers to take over systems remotely.
A viral video you’ll regret clicking - scammers have found a new way to bait their victims. Researchers uncovered a surge in phishing campaigns that use fake viral video links to lure users into downloading malware. The attack starts with a deceptive PDF file claiming to contain a must-watch clip, but clicking the link sends victims down a rabbit hole of fake pages, intrusive ads, and misleading download buttons.
New batch script installs XWorm
A new malware delivery framework, using advanced obfuscation techniques, has managed to evade security tools for over 48 hours. The attack chain involves a Batch script that uses PowerShell and VBS to deploy either XWorm or AsyncRAT, representing a significant evolution in fileless attack methodologies. The campaign starts with a heavily obfuscated Batch file that employs layered encoding and environmental checks to ensure it's running on a real victim machine. Once confirmed, the script activates PowerShell commands to fetch secondary payloads from remote servers while keeping a minimal footprint on disk. The second-stage payload uses Telegram's API to exfiltrate system metadata and screenshots to attacker-controlled channels, making network detection difficult.
GitVenom campaign mimics GitHub projects
A malware campaign named GitVenom has been targeting GitHub users, particularly gamers and crypto investors. The campaign involves hundreds of fake GitHub repositories created by threat actors, disguised as open-source projects such as automation tools, crypto bots, and hacking utilities. These repositories contain malicious code written in various programming languages. The attackers use AI-generated README files, tags, and fake commits to make the repositories appear legitimate. The malware aims to download further malicious components and execute them. The campaign has deployed a Node.js stealer, AsyncRAT and Quasar backdoors, and a clipboard hijacker, enabling the operators to earn around 5 BTC. The campaign may have been active for several years, with most infection attempts observed in Russia, Brazil, and Turkey.
Malicious PyPI package abuses Deezer API
A malicious PyPI package called automslc has been downloaded over 100,000 times and is designed to enable unauthorized music downloads from the popular streaming service Deezer. The package bypasses Deezer's access restrictions by embedding hardcoded credentials and communicating with an external C2 server, allowing it to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in violation of Deezer's API terms. The package remains live on PyPI, but efforts are being made to have it removed.
Critical bug in WordPress plugin
A critical security vulnerability, CVE-2025-24752, in the Essential Addons for Elementor plugin, used by over two million WordPress websites, has left sites vulnerable to script injection attacks through malicious URL parameters. The flaw, which scored 7.1 on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset functionality. The vulnerability originated from the improper handling of the popup-selector query parameter in the plugin’s JavaScript code. Attackers could create URLs containing malicious scripts in this parameter, which were executed when users clicked the link, leading to potential session hijacking, phishing redirects, or malware distribution.
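As an added illustration (not the plugin's code, which the briefing does not show), the snippet below contrasts a reflected-XSS handling pattern of the kind described with a hardened version. The parameter name popup-selector comes from the advisory; the handler functions, the allow-list pattern, the escaping helper and the page markup are assumptions for the example.

```javascript
// Added illustration, not the plugin's code. Only the parameter name
// "popup-selector" is from the advisory; everything else is hypothetical.

// Vulnerable pattern: the query parameter is copied straight into markup, so
// whatever the URL carries in popup-selector is parsed by the browser as HTML.
function renderPopupVulnerable(queryString) {
  const params = new URLSearchParams(queryString);
  const selector = params.get("popup-selector") || "";
  // Untrusted input concatenated into HTML with no validation or escaping.
  return `<div class="popup-target" data-selector="${selector}">${selector}</div>`;
}

// Hardened pattern, step 1: allow-list validation. A popup only ever needs a
// CSS id selector (a leading "#" plus a short identifier), so reject all else.
const SELECTOR_RE = /^#[A-Za-z_][A-Za-z0-9_-]{0,63}$/;

function validateSelector(raw) {
  return SELECTOR_RE.test(raw) ? raw : null;
}

// Hardened pattern, step 2: defence in depth. Even validated values are
// HTML-escaped before being placed in markup, in case the allow-list is
// relaxed later.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderPopupHardened(queryString) {
  const params = new URLSearchParams(queryString);
  const selector = validateSelector(params.get("popup-selector") || "");
  if (selector === null) {
    // Invalid or absent selector: render nothing rather than attacker-supplied text.
    return "";
  }
  const safe = escapeHtml(selector);
  return `<div class="popup-target" data-selector="${safe}">${safe}</div>`;
}
```

The validated-then-escaped value is what should reach the DOM; a reflected parameter that fails the allow-list is dropped entirely rather than echoed back.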
Severe bug in MITRE Caldera
A severe RCE vulnerability, tracked as CVE-2025-27364, has been discovered in MITRE's Caldera security training platform. This bug affects all versions of Caldera, except for the latest fixed versions 5.1.0+ or those in the master source branch. The open-source project, used by red and blue teams for simulating attacks and developing defenses, can itself be remotely hijacked due to this flaw. The RCE can be triggered in most default configurations where Go, Python, and the GNU Compiler Collection are installed, which are required for Caldera's full functionality. The vulnerability is related to the deployment of Manx and Sandcat agents with attacker-set instructions. The bug can be exploited through a specially crafted HTTPS request.
Surge in phishing campaigns with fake viral video links
McAfee Labs has detected a rise in phishing campaigns that use fake viral video links to trick users into downloading malware. The attack relies on social engineering, leading users through a series of malicious websites before delivering the payload. The campaign begins with a phishing PDF that uses clickbait about a "viral video" to entice users into clicking suspicious links. Upon clicking, users are redirected through several webpages displaying fake content, excessive ads, and misleading download buttons. Eventually, users are led to a password-protected download link hosted on Mega.nz, which delivers the malware payload as a .msi file.