Cyware Daily Threat Intelligence, March 07, 2025

Daily Threat Briefing • Mar 7, 2025
Step right up to the slickest show in the digital shadows, where EncryptHub is running the ring. This rising cybercrime crew is dazzling victims across platforms like QQ Talk, WeChat, and Google Meet with trojanized apps and clever multi-stage attack chains. They’re even teasing a new act called EncryptRAT to keep their audience on edge.
Something wicked is crashing the WordPress party, and it’s not on the guest list. Over 1,000 sites have been slipped a nasty surprise, planting backdoors that swing wide open for hackers. These uninvited intruders are ready to sneak back in and turn the festivities into a free-for-all.
These dusty old cameras are stealing the spotlight, but it’s a scene straight out of a cyber horror flick. A critical flaw in Edimax IC-7100 IP cameras has botnets buzzing with excitement, exploiting shaky default passwords. They’re staging a takeover, dropping Mirai malware to keep the chaos rolling.
What we know about EncryptHub
EncryptHub is a rising cybercriminal entity observed running multi-stage attack chains, distributing trojanized versions of popular applications, and buying reach through third-party pay-per-install (PPI) distribution services. Its lures have impersonated QQ Talk, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto GlobalProtect. The group is also developing its own product, EncryptRAT, and has been seen folding known, widely publicized vulnerabilities into its campaigns.
Multi-site JavaScript malware campaign
A malicious JavaScript injection was found in a theme file of a WordPress site, redirecting visitors to unwanted third-party domains through a two-stage chain: the code injected into the theme file loads an external JavaScript file, which in turn creates a hidden link and forces a redirect to the malicious content. At least 31 infected websites were identified, and the domains involved are on the VirusTotal blocklist. For a site owner the consequences are lost traffic and reputation, SEO blacklisting, and follow-on malware infections of visitors.
JS backdoors impact 1,000+ WordPress websites
Over 1,000 WordPress websites have been infected with malicious JavaScript that plants four distinct backdoors, so that attackers keep a way back in even if one of them is cleaned up. The code is served from cdn.csyndication[.]com and had been identified on 908 websites at the time of reporting. The four backdoors let attackers execute commands, inject malicious code, maintain persistent remote access (the recommended cleanup of SSH keys points to one of them living in authorized_keys), and open a reverse shell. Site owners are advised to delete unauthorized SSH keys, rotate WordPress admin credentials, and monitor system logs for anomalous activity.
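The two WordPress items above (the theme-file redirect and the multi-backdoor campaign) call for the same first response: find every file that pulls a script from a host you did not put there, and find every SSH key you did not install. The sweep below is an added example written for this briefing, not code from Cyware or from the researchers it cites. It flags `<script src>` loads whose host is either the briefing's indicator (cdn.csyndication[.]com, refanged) or absent from a per-site allowlist, and lists authorized_keys entries whose key blob is unknown. The WordPress tree, the key file and the allowlist are all constructed fixtures and assumptions for this example.

```python
"""Added example: read-only sweep for injected script loads and unknown SSH keys.

Not part of the Cyware briefing or any cited report. Fixtures are constructed.
"""
import os
import re
import shutil
import tempfile
from urllib.parse import urlparse

IOC_HOSTS = {"cdn.csyndication.com"}                  # indicator from the briefing, refanged
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com"}   # assumption: every site needs its own list
SCAN_EXTS = (".php", ".js", ".html")
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed authorized_keys fixture; the base64 blobs are placeholders, not real keys.
KNOWN_KEY_MATERIAL = {"AAAAC3PLACEHOLDERADMINKEY"}
SAMPLE_AUTHORIZED_KEYS = """\
# deploy key
ssh-ed25519 AAAAC3PLACEHOLDERADMINKEY admin@wp-host
no-pty,command="/bin/sh" ssh-rsa AAAAB3PLACEHOLDERUNKNOWNKEY attacker
"""


def external_script_hosts(text):
    """Hostnames referenced by <script src=...>; relative paths yield none."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(text):
        if src.startswith("//"):          # protocol-relative URL, as in the redirect campaign
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan_wordpress_tree(root):
    """Walk root; return sorted (relative path, host, reason) for suspicious script loads."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = external_script_hosts(fh.read())
            for host in hosts:
                if host in IOC_HOSTS:
                    findings.append((os.path.relpath(path, root), host, "known IOC"))
                elif host not in ALLOWED_SCRIPT_HOSTS:
                    findings.append((os.path.relpath(path, root), host, "unexpected host"))
    return sorted(findings)


def unauthorized_ssh_keys(authorized_keys_text, known_material):
    """authorized_keys lines whose key blob is not in known_material (handles options prefix)."""
    bad = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        material = None
        for i, tok in enumerate(parts):          # key type may follow options like command="..."
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                material = parts[i + 1]
                break
        if material not in known_material:
            bad.append(line)
    return bad


def build_sample_tree():
    """Constructed WordPress tree: one clean theme file, one injected, one IOC hit."""
    root = tempfile.mkdtemp(prefix="wp-sweep-")
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    plugin = os.path.join(root, "wp-content", "plugins", "sample-plugin")
    os.makedirs(theme)
    os.makedirs(plugin)
    files = {
        os.path.join(theme, "header.php"): '<script src="https://www.google-analytics.com/ga.js">'
                                           '</script>\n<script src="/wp-includes/js/jquery.js"></script>\n',
        os.path.join(theme, "footer.php"): '<footer></footer>\n'
                                           '<script src="//static.injected.test/loader.js"></script>\n',
        os.path.join(plugin, "main.php"): "<?php /* constructed */ ?>\n"
                                          "<script src='https://cdn.csyndication.com/x.js'></script>\n",
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo():
    """Build the fixture, sweep it, audit the keys, clean up; return (findings, bad_keys)."""
    root = build_sample_tree()
    try:
        findings = scan_wordpress_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return findings, unauthorized_ssh_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_MATERIAL)


if __name__ == "__main__":
    for rel, host, reason in run_demo()[0]:
        print(f"{reason:15} {host:28} {rel}")
```

Run it against a real install by pointing `scan_wordpress_tree` at the document root and `unauthorized_ssh_keys` at each user's `~/.ssh/authorized_keys`; anything reported as "unexpected host" still needs a human decision, since CDNs and analytics vendors belong on the allowlist, while a "known IOC" hit is a confirmed infection that also warrants the credential rotation the briefing recommends.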
PHP-CGI bug exploited in attacks
Threat actors of unknown origin have been targeting organizations in Japan since January, exploiting CVE-2024-4577, an argument-injection flaw in PHP-CGI on Windows, for initial access, then using the 'TaoWu' Cobalt Strike kit for post-exploitation. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. Reconnaissance, privilege escalation, and lateral movement rely on tools such as JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. Persistence is established through Windows Registry modifications, scheduled tasks, and bespoke services; the attackers clear event logs to hinder detection and use Mimikatz to dump and exfiltrate passwords and NTLM hashes.
Multiple botnets abuse Edimax camera 0-day
CISA disclosed a critical vulnerability (CVE-2025-1316) in Edimax IC-7100 IP cameras that multiple botnets are actively exploiting. The flaw allows remote command execution through specially crafted requests. The affected devices are likely legacy products and may never receive a patch from Edimax. Exploitation requires authentication, but the attackers simply log in with known default credentials; once in, they run a shell script that downloads a Mirai malware payload. Where these cameras cannot be retired, changing the default credentials and keeping the management interface off the internet removes the precondition the botnets depend on.