
Cyware Daily Threat Intelligence, March 06, 2025


Daily Threat Briefing Mar 6, 2025

Social media’s open doors are proving a playground for malware with a Middle Eastern twist. Desert Dexter, a sly campaign, has been hitting the Middle East and North Africa with a tweaked AsyncRAT. It’s hunting cryptocurrency wallets and chatting with a Telegram bot, spreading through legit file-sharing accounts and Telegram channels.

A WordPress plugin’s chatty nature just turned into a hacker’s dream. A critical flaw in the Chaty Pro plugin, used by tens of thousands of websites, lets attackers upload malicious files thanks to lax security checks. Left unpatched, it’s a fast track to site takeovers.

LinkedIn’s polished veneer is getting a malware makeover, and it’s a convincing act. Cofense spotted a campaign mimicking LinkedIn InMail, complete with branding and a sales director’s pitch for a quote - the person is real, but the company is fake. Those “Read More” and “Reply To” buttons? They’re a one-way ticket to the ConnectWise RAT, sidestepping the usual credential-phishing playbook for something nastier.

Top Malware Reported in the Last 24 Hours

Russian attackers mimic EFF, target gamers

Researchers discovered a targeted cybercriminal campaign that impersonates the Electronic Frontier Foundation (EFF) to target Albion Online players. The attackers used phishing lures and decoy documents to steal in-game assets, employing the Stealc malware and Pyramid C2 infrastructure. The threat actors exploited the game's player-driven economy, where in-game assets are traded for real money through third-party markets. The campaign involved phishing emails that tricked victims into downloading malicious PDF reports, supposedly from the EFF, which claimed unauthorized transactions on their accounts. Once opened, the document launched a malware infection chain designed to steal sensitive data.

New Desert Dexter drops modified AsyncRAT

Positive Technologies uncovered a malicious campaign that has been targeting the Middle East and North Africa since September 2024. The campaign, named Desert Dexter, leverages social media to distribute a modified version of the AsyncRAT malware, which targets cryptocurrency wallets and communicates with a Telegram bot. The attackers host the malware in legitimate online file-sharing accounts or in Telegram channels set up for this purpose. Approximately 900 victims have been identified across various countries, with Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey being the most targeted.

New PyPI malware steals Ethereum private keys

Socket has discovered a malicious PyPI package called set-utils that steals Ethereum private keys by hijacking common account-creation functions. The package is disguised as a simple utility for Python sets and mimics popular libraries, tricking developers into installing it. Since January 29, it has been downloaded over 1,000 times, targeting Ethereum developers and organizations working with Python-based blockchain applications. The package intercepts Ethereum account creation and exfiltrates the private keys over the blockchain to a C2 server.

Top Vulnerabilities Reported in the Last 24 Hours

Elastic patches Kibana bug

Elastic has released a security update for Kibana to address a critical vulnerability tracked as CVE-2025-25012. This vulnerability, with a CVSS score of 9.9, could allow attackers to execute arbitrary code on vulnerable systems. The issue stems from a prototype pollution problem that can be exploited through a crafted file upload and specific HTTP requests. The impact varies by Kibana version: versions 8.15.0 to 8.17.0 are exploitable by users with the 'Viewer' role, while versions 8.17.1 and 8.17.2 are exploitable only by users with specific privileges. Elastic has fixed this vulnerability in Kibana version 8.17.3.

Critical flaw in Chaty Pro plugin

A critical vulnerability, CVE-2025-26776, has been identified in the Chaty Pro plugin for WordPress. This plugin, used by around 18,000 websites for chat functionality, has an arbitrary file upload vulnerability that could allow attackers to take over websites. The issue arises from a lack of proper authorization and security checks in the code handling user input, enabling attackers to upload and execute malicious files. The developers have addressed this vulnerability in version 3.3.4 of the plugin, which now uses the secure wp_handle_upload() function and implements proper checks.

Top Scams Reported in the Last 24 Hours

YouTube warns of phishing attacks

YouTube has issued a warning about a phishing scam that uses an AI-generated video of its CEO to steal creators' credentials. The scammers share private videos with targeted users via email, claiming that YouTube is changing its monetization policy. The linked video directs users to a fake YouTube page where they are asked to sign in to confirm the updated terms, but the page is designed to steal their credentials. The scammers create urgency by threatening account restrictions if users do not comply.

Beware of this LinkedIn phishing scam!

Cofense discovered a LinkedIn-impersonating malware campaign that distributes the ConnectWise RAT. The email, disguised as a LinkedIn InMail notification, uses LinkedIn branding to appear genuine, although it does not exactly match current legitimate LinkedIn emails. Unlike typical LinkedIn-spoofed emails used for credential phishing or BEC, this campaign delivers the ConnectWise RAT. The email, which appears to be from a sales director requesting a quote, contains a photo of a real person unrelated to the message. The company named in the email is a combination of two legitimate corporations and does not exist. The email's "Read More" and "Reply To" buttons lead to the ConnectWise RAT installer.
