This issue, identified as CVE-2024-3094, impacts versions 5.6.0 and 5.6.1. The injected code is designed to stay hidden during normal review processes and only becomes active during the software build stage. Once active, it can interfere with SSH authentication, potentially allowing attackers to gain unauthorized access to affected systems.

Technical Impact and Mitigation

The attack is highly sophisticated, as the malicious components are not fully visible in the main source code. Instead, they rely on additional build-time elements to assemble and execute the payload. This makes detection difficult using standard code inspection methods.

Once deployed, the compromised library can alter how SSH authentication behaves, creating an opportunity for attackers to bypass normal security checks and access systems remotely.

Key highlights:

• CVE-2024-3094 affects xz and xz-libs versions 5.6.0 and 5.6.1
• Malicious code is triggered during the build process
• Targets SSH authentication mechanisms
• Impacts Fedora Rawhide, Fedora 40 Beta, Debian unstable, and openSUSE
• Red Hat Enterprise Linux (RHEL) remains unaffected

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Immediate Actions

• Downgrade to trusted xz version 5.4.x
• Stop using Fedora Rawhide until systems are secured
• Apply official patches and updates from Red Hat
• Monitor systems for unusual SSH behavior

Even though active exploitation has not been widely reported, the nature of this compromise makes it a high-risk issue. Prompt action is necessary to protect systems from potential unauthorized access.

The post xz Backdoor Vulnerability Exposes Linux Systems to Remote Access appeared first on First Hackers News.

Researchers observed over 21,000 command-and-control (C2) servers between July and December 2025. Along with this growth, attackers are increasingly using infected devices as residential proxies, not just for DDoS attacks.

This rise also aligns with a surge in massive DDoS campaigns. Reports highlight “hyper-volumetric” attacks, including one reaching 31.4 Tbps, showing how far these botnets have evolved. At the same time, botnet activity has sharply increased after a period of stability, indicating a renewed wave of large-scale operations.

Evolution of Mirai-Based Botnets

Mirai first appeared in 2016, targeting internet-connected devices such as routers and IoT systems that often rely on weak or default credentials. Once compromised, these devices are added to a botnet that can launch high-volume traffic floods across multiple layers.

The public release of Mirai’s source code played a major role in its growth. It allowed attackers to create multiple variants, each adding new capabilities while keeping the core attack techniques intact.

One well-known variant, Satori, rapidly spread by exploiting vulnerabilities in routers, especially through command injection flaws. It used automated scripts to download and execute malware across different device architectures, allowing infections to scale quickly without user interaction.

Expanding Capabilities and Abuse Techniques

Modern Mirai botnets are no longer limited to DDoS attacks. They are now being used in more advanced and flexible ways, increasing their overall impact.

Key capabilities seen in recent campaigns include:

• Large-scale DDoS attacks reaching record-breaking volumes
• Use of infected devices as residential proxy networks
• Automated exploitation of IoT vulnerabilities
• Multi-architecture malware deployment for wider coverage
• Stealthier operations to avoid detection

Aisuru-Kimwolf Expanding DDoS and Proxy Abuse

Newer botnet families like Aisuru and Kimwolf have taken Mirai-based threats to the next level. These botnets are now used not only for massive DDoS attacks but also as residential proxy networks that can be rented for cybercrime activities.

Security reports have linked Aisuru-Kimwolf to extremely large attacks, including one reaching 31.4 Tbps. These attacks often generate massive traffic with billions of packets per second, using random patterns to avoid basic detection and filtering systems.

At the same time, Kimwolf, which targets Android devices, is being used to exploit residential proxy services. Attackers use these networks to access internal systems, infect devices like smart TVs and smartphones, and then sell that access for activities such as fraud and credential stuffing.

Ongoing Threat and Defensive Focus

Law enforcement and tech companies have started taking action against these botnets by targeting their command-and-control infrastructure and disrupting the platforms used to manage proxy networks.

However, these efforts have not fully stopped the threat. Mirai-based botnets continue to survive and grow because many devices remain unpatched, especially routers and Android systems. Attackers can also quickly rebuild their infrastructure after disruptions.

For defenders, the focus should remain on strong basic security practices:

• Keep routers and IoT devices updated
• Monitor unusual outbound traffic
• Secure Android and edge devices
• Track indicators linked to Mirai variants

As these botnets continue to evolve, they are becoming more powerful and more versatile, combining large-scale disruption with stealthy abuse of network access.

The post Mirai Botnets Now Driving DDoS and Proxy Abuse appeared first on First Hackers News.

At the core of this attack is a malicious file named wp-index.php, which abuses WordPress’s must-use plugin functionality to ensure continuous operation that cannot be disabled via the standard admin dashboard.

The malware uses advanced obfuscation techniques, including ROT13 encoding, to conceal its communications with a remote command-and-control server.

Once executed, the malware fetches payloads from a hidden URL and stores them directly in the WordPress database under the option key _hdra_core. This tactic allows it to evade security solutions that focus mainly on filesystem changes.

Security researchers at Sucuri discovered this stealthy backdoor during routine investigations, highlighting its unusually effective persistence mechanisms across various infection vectors.

Notably, the malware creates a covert administrative user account named “officialwp” and uses WordPress filter functions to hide this account from the dashboard, masking its presence from site administrators.

The infection process is highly sophisticated, with the main loader script downloading base64-encoded payloads from hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php. When decoded, these payloads reveal a complete and robust malware framework.

The malware framework also incorporates a stealthy file manager, deceptively named “pricing-table-3.php”, which is placed within the active theme directory. This backdoor tool is shielded by a custom authentication token — “fsociety_OwnzU_4Evr_1337H4x!” — that must be sent via HTTP headers to gain access, adding an additional layer of concealment and control for the attackers.

Database-Centric Persistence Strategy

The most alarming aspect of this malware is its database-centric persistence strategy. Instead of depending on traditional file-based infections—often detectable through file integrity monitoring—the backdoor embeds its payload within WordPress’s options table. It then executes this stored code and swiftly removes any temporary files created during the process, effectively minimizing forensic traces and making detection significantly more difficult.

This technique enables the malware to withstand typical cleanup procedures, ensuring its continued presence even after superficial disinfection attempts. By storing and executing its payload from the database, the attackers retain remote code execution capabilities and full administrative control over the compromised WordPress site, making the infection both resilient and deeply embedded.

The post Stealthy Backdoor Discovered in WordPress Plugins Grants Hackers Long-Term Website Access appeared first on First Hackers News.

All about DeBackdoor

In many cases, developers acquire deep learning models from third-party sources without access to training data or the ability to inspect the model’s internals, making backdoor detection difficult. Most existing methods require access to the model’s architecture, training data, or multiple instances.

DeBackdoor overcomes these challenges by using a deductive approach to generate potential triggers and a search technique to identify the most effective ones. It focuses on optimizing the Attack Success Rate (ASR), a key metric for evaluating the success of backdoor attacks.

How it detects

DeBackdoor’s detection methodology involves defining a search space for potential trigger templates based on the attack’s description. It then applies Simulated Annealing (SA), a stochastic search technique, to iteratively generate and test candidate triggers.

SA is chosen for its ability to avoid local minima, allowing for a more thorough exploration of the trigger space compared to simpler methods like Hill Climbing.

By applying these triggers to a small set of clean inputs and assessing the model’s responses, DeBackdoor can identify if the model is backdoored.

The framework has shown high detection performance across various attack scenarios, including different trigger types and label strategies such as All2One, All2All, and One2One.

DeBackdoor outperforms existing detection baselines like AEVA and B3D, which are limited in scope and effectiveness.

Its adaptability makes it especially valuable in situations where the attack strategy is unknown or varies, offering a strong solution for securing deep learning models in critical applications.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Detecting Deep Learning Backdoors: The DeBackdoor Approach appeared first on First Hackers News.

FakeUpdate Spreads WarmCookie as Chrome, Edge Updates

Researchers at Gen Threat Labs have found a campaign spreading the WarmCookie backdoor. This campaign uses a known tactic called FakeUpdate, which tricks victims into downloading fake web browser updates.

Currently, the attacks are targeting users in France. In addition to popular browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, the campaign also offers “updates” for applications like Java, VMware Workstation, Proton VPN, and WebEx. Attackers either hack or create websites that display fake update requests. Following these requests leads to the download of a malicious program disguised as a browser update.

The FakeUpdate campaign is not new, as similar ones have existed before. WarmCookie has also previously used deceptive methods for distribution, such as job offers.

This updated version now enables data theft, device profiling, program enumeration, command execution, screenshot capture, and installation of additional malware.

The FakeUpdate site closely resembles a legitimate one, with a convincing URL. Currently, the site edgeupgrade[.]com is still active. Clicking the “Update” button downloads the file “Install_x64.exe,” which is the WarmCookie backdoor. Once launched, the malware checks for a virtual environment. If none is found, it collects the system fingerprint and sends it to the attackers’ command and control server.

The WarmCookie backdoor gives attackers full access to compromised systems, with new features like running DLLs from the temp folder and executing EXE and PowerShell files. This allows for basic data theft and the delivery of payloads like ransomware. All modern browsers on Windows now auto-update, removing the need for manual downloads; users just need to restart the browser.

How to stay protected from malware and online threats:

• Keep Software Updated: Regularly update your operating system, web browsers, and applications to patch vulnerabilities.
• Use Antivirus Software: Install reputable antivirus or anti-malware programs and keep them updated to detect and remove threats.
• Enable Firewalls: Use a firewall to monitor incoming and outgoing network traffic and block suspicious activity.
• Avoid Suspicious Links: Be cautious when clicking on links or downloading files from unknown sources, especially in emails or pop-ups.
• Use Strong Passwords: Create complex passwords and consider using a password manager to keep track of them.
• Enable Two-Factor Authentication (2FA): Use 2FA wherever possible for an added layer of security on your accounts.
• Backup Data: Regularly back up important files to an external drive or cloud storage to prevent data loss in case of an attack.
• Educate Yourself: Stay informed about the latest threats and learn how to recognize phishing attempts and other scams.
• Limit Privileges: Run applications with the least privilege necessary and avoid using administrative accounts for everyday tasks.
• Monitor System Behavior: Keep an eye on system performance for unusual activity, such as unexpected slowdowns or unauthorized changes.

The post WarmCookie malware spreads via fake update campaign in France appeared first on First Hackers News.

Loki Backdoor

Mythic offers a unified interface for managing agents across platforms, allowing flexibility and customization to create agents with specific features.

The official Mythic repository now has over two dozen agents, including the Loki agent, which uses a modified djb2 hashing algorithm to obscure API functions and commands, differing from the original Havoc agent by using a different magic number (2231).

The hash is calculated by shifting the value left by 5 bits, adding the original hash and current character, making the agent’s behavior harder to analyze and detect.

The Loki loader malware sends encrypted data about the infected system to a command-and-control server. The server responds by sending a DLL, which the loader runs in the device’s memory to handle further communication.

Both the May and July versions use similar encryption methods, but differ slightly in how they handle data and UUIDs. The May version sends a plaintext UUID, while the July version encodes it. After connecting, the loader passes control to the DLL, which carries out the malicious tasks.

The malware, stagger_1.1.dll, is a Windows x64 executable based on the Havoc agent, using hashed commands for file transfer, process management, and environment control. While it lacks native traffic tunneling, attackers use tools like ngrok or gTunnel to access private networks, loading them in memory to avoid detection.

According to Securelist, Russian companies across various industries have been targeted by a sophisticated malware campaign, likely delivered through email attachments. Attackers, using publicly available tools, have compromised over a dozen organizations.

Victims were tricked into opening malicious files, leading to the installation of Loki malware. Attribution remains difficult due to the use of common tools and evasive tactics.

Open-source post-exploitation frameworks like the July and May loaders are increasingly used to remotely control victim devices, often evading detection. Indicators of compromise include specific file hashes, network traffic, and C2 addresses. gTunnel and ngrok are key tools for tunneling and communication.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New Loki Backdoor Targets macOS Systems appeared first on First Hackers News.

ToddyCat APT 

In 2023, Kaspersky GERT uncovered a major internal fraud in a government organization, where threat actors used an internal service to steal over $20 million.

GERT’s DFIR analysis uncovered several attack vectors:

• A debugging interface vulnerability for cookie theft and user impersonation.
• Privilege escalation and account manipulation for fraudulent transactions.
• Unauthorized VPN access from external and internal networks.

The team connected user activities across different systems, including both local and remote IDs, to confirm that internal actors were working together.

This case highlights the critical need for strong internal controls, effective privileged access management, and comprehensive logging to identify and address insider threats in financial systems. Additionally, Kaspersky uncovered a sophisticated attack that had been ongoing in a customer’s infrastructure for over two years, revealing the depth and persistence of the intrusion.

The Flax Typhoon APT group used living-off-the-land techniques, misusing SoftEther VPN and Zabbix agent for unintended purposes. They deployed malware via Windows LOLBins like certutil and disguised services to avoid detection.

The attack involved NTDS dumping, Mimikatz, and CobaltStrike, including creating firewall rules for hidden communication. As a result, the client successfully sued the insider employee and accomplices, highlighting the critical need for APT detection solutions to identify and eliminate long-term threats.

GERT’s assessment confirmed the attack timeline, compromised users, and execution methods. The investigation revealed SMB abuse, IKEEXT service persistence, and the CVE-2021-26855 vulnerability in Microsoft Exchange Servers.

A malicious wlbsctrl.dll was used for persistence and lateral movement via SMB. An ICMP backdoor was found embedded in an application, featuring mutex checking, registry manipulation, and encrypted payload execution.

The backdoor used AES encryption with the C drive’s volume serial number as a key parameter. Payloads were injected into dllhost.exe, creating ICMP sockets, receiving Base64 data, and using encrypted shellcodes.

While the attack shows ToddyCat’s TTPs, full attribution is unclear. The case underscores the importance of asset surveillance, threat intelligence, and MDR services.

The post ToddyCat APT Exploits SMB and IKEEXT RCE to Deploy ICMP Backdoor appeared first on First Hackers News.

Log4j Vulnerability Exploited Again

On July 30, 2024, a Confluence honeypot detected an exploitation attempt of the Log4Shell vulnerability originating from a known Tor exit node, 185.220.101 [34]. This incident marked the start of a new campaign by opportunistic threat actors. Upon deeper investigation, it was uncovered that the attackers were leveraging the Log4Shell vulnerability, a critical flaw in the Apache Log4j library, to deploy XMRig, a popular cryptocurrency mining software.

The Log4Shell vulnerability, initially discovered in November 2021, has a CVSS score of 10, indicating its high severity. It allows attackers to execute arbitrary code remotely, making it a prime target for exploitation. In this case, attackers used the vulnerability to gain unauthorized access to systems, where they then installed XMRig to mine cryptocurrency, effectively hijacking the system’s resources for their gain.

This event underscores the ongoing risk posed by the Log4Shell vulnerability, even years after its discovery.

An attacker exploited a Log4j vulnerability by sending an obfuscated payload with an LDAP URL. This caused the vulnerable Java application to download and run a malicious Java class from a remote server. The class then retrieved another script (“lte”) and executed it with root privileges. While the script’s exact purpose is unclear, its ability to run any command suggests it could be used for more harmful actions.

Additionally, the malicious Java class downloaded a hidden Bash script that scanned the system, installed a cryptocurrency miner, set up persistence through systemd or cron jobs, and created reverse shells for remote access.

The script collects detailed system information like CPU specs, OS version, user data, network connections, running processes, and system uptime, sending this data to a remote server via an HTTP POST request.

To avoid detection, it self-destructs by overwriting the bash history and erasing the current shell’s command history.

DataDog’s investigation into possible Log4Shell exploitation uncovered several indicators of compromise, including the suspicious IP address 185.220.101.34 and domains like superr.buzz and cmpnst.info. They also found suspicious file paths like /tmp/lte, suggesting attempts to exploit the vulnerability for unauthorized access.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Log4j Vulnerability Exploited Again to Deploy Crypto-Mining Malware appeared first on First Hackers News.

The research leads to optimized attack tools and a thorough understanding of vulnerabilities, highlighting the urgent need to replace MIFARE Classic in modern applications.

It explores vulnerabilities in MIFARE Classic memory cards using the CRYPTO-1 protocol, analyzing card-only attacks that exploit weaknesses like predictable nonce generation and parity bit leaks.

The FM11RF08S card is introduced as a response to vulnerabilities in MIFARE Classic, featuring countermeasures such as a static encrypted nonce for nested authentication and a repeatable initial nonce generated by a Linear Feedback Shift Register (LFSR). However, researchers discovered a backdoor in FM11RF08S RFID tags by analyzing the tags’ responses to unexpected commands. They uncovered a hidden authentication method that bypasses the standard security measures of the card.

This backdoor allows attackers full read access to all tag data, including blocks that were previously inaccessible. Additionally, the researchers developed a technique to recover the main encryption key, rendering the tag’s security mechanisms ineffective and compromising the overall security of the FM11RF08S card.

It weakens the security of many RFID systems using this tag model, highlighting the urgent need for robust security in embedded systems.

They discovered and exploited a backdoor in FM11RF08 and FM11RF08S MIFARE Classic clones, significantly speeding up key recovery attacks. By targeting keyA and keyB together and optimizing the search process, they cut attack time by six times.

They also found a universal backdoor key for older FM11RF08 models and FM1208-10 devices, allowing rapid key extraction and posing major security risks. Testing revealed that some non-Fudan cards unexpectedly accept backdoor commands with the same key used by Fudan FM11RF08 cards.

Certain cards, like NXP MF1ICS5005, MF1ICS5006, MF1ICS5007, and USCUID/GDM magic cards, respond to backdoor commands using standard keyA/keyB authentication. The darknested attack is especially effective against SLE66R35, MF1ICS5003, and MF1ICS5004 due to its slower key recovery process compared to the darkside attack. Researchers have found a critical hardware backdoor in the FM11RF08S MIFARE Classic chip, allowing previously unachievable attacks on card data, including cloning.

The backdoor in FM11RF08 chips, present since 2007, undermines their security and affects global systems. The same key is also found on older NXP and Infineon cards. This highlights the need for infrastructure audits and migration to more secure alternatives. Tools and methods are available on Proxmark3 for public analysis and defense.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Backdoor in MIFARE Smart Cards Reveals User-Defined Keys appeared first on First Hackers News.

All about the vulnerability in D-Link Routers

According to Twcert blogs, the vulnerability arises from an undisclosed factory testing backdoor in specific D-Link router models. Attackers on the local network can enable the Telnet service by accessing a specific URL. Additionally, by analyzing the firmware, attackers can obtain administrator credentials, giving them full control over the compromised router.

Impacted Router Models

The following D-Link router models are affected by this vulnerability:

E15, E30, G403, G415, G416, M15, M18, M30, M32, M60, R03, R04, R12, R15, R18, R32.

Users of these router models are strongly advised to update their firmware to the latest version to mitigate the risk of exploitation. D-Link has released firmware updates to address this critical vulnerability. Here are the guidelines for updating router firmware:

• Models G403, G415, G416, M18, R03, R04, R12, R18: Update to firmware version 1.10.01 or later.
• Models E30, M30, M32, M60, R32: Update to firmware version 1.10.02 or later.
• Models E15, R15: Update to firmware version 1.20.01 or later.

Users are urged to promptly apply these firmware updates to safeguard their routers from potential attacks.

Security researcher Raymond discovered and reported the vulnerability.

D-Link has acknowledged the issue and issued firmware updates to resolve the vulnerability.

As always, it is advisable to regularly check for and apply firmware updates to maintain the security of your network devices.

Stay vigilant and protect your routers from potential threats.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Hidden Backdoor in D-Link Routers Lets Attackers Log in as Admin appeared first on First Hackers News.