What makes Rokarolla particularly dangerous is its scale. Researchers observed the malware targeting 217 banking and cryptocurrency applications while providing operators with 137 remote commands, significantly expanding its capabilities beyond many previously documented Android banking trojans.

Threat Overview

Malware Name

Rokarolla

Malware Type

• Android Banking Trojan
• Malware-as-a-Service (MaaS)
• Credential Stealer
• Remote Access Trojan (RAT)

Primary Targets

• Mobile banking users
• Cryptocurrency investors
• Android smartphone users
• Financial institutions

How Rokarolla Infects Devices

The malware is typically distributed through malicious APK files disguised as legitimate applications. Victims are tricked into installing fake apps through phishing pages, malicious advertisements, fraudulent updates, or third-party application stores.

Once installed, Rokarolla aggressively requests permissions that allow it to interact with the Android Accessibility Service. This permission becomes the foundation for most of the malware’s malicious activities.

Accessibility Service Abuse

Android Accessibility Services were designed to assist users with disabilities. However, threat actors frequently abuse these permissions because they allow applications to:

• Read screen content
• Simulate user interactions
• Click buttons automatically
• Capture text entered by users

Rokarolla leverages these capabilities to monitor activity across banking and cryptocurrency applications while bypassing many traditional security mechanisms.

Google Play Protect Bypass

One of Rokarolla’s most concerning features is its ability to disable or interfere with Google Play Protect.

Why This Is Dangerous

Google Play Protect serves as Android’s primary built-in malware detection system. Once disabled:

• Malicious applications face fewer detection checks
• Additional malware can be installed
• Security warnings can be bypassed
• Users lose a critical layer of protection

Remote Device Control Capabilities

Researchers identified 137 attacker commands supported by Rokarolla.

These commands allow threat actors to remotely interact with infected devices and perform a wide range of malicious actions.

• Read SMS messages
• Send SMS messages
• Collect contacts
• Launch applications
• Execute commands

SMS and Two-Factor Authentication Interception

Many financial institutions rely on SMS-based two-factor authentication (2FA).

Rokarolla specifically targets these messages to bypass security controls.

Targeted Data

• One-Time Passwords (OTPs)
• Verification codes
• Authentication links
• Banking notifications

Cryptocurrency Theft Mechanism

Researchers discovered clipboard manipulation functionality within Rokarolla.

How It Works

1. User copies a cryptocurrency wallet address.
2. Malware monitors clipboard activity.
3. Original wallet address is replaced.
4. Funds are transferred to an attacker-controlled wallet.

Victims often remain unaware until the transaction has been completed because the replacement occurs silently in the background.

Indicators of Compromise (IOCs)

Security Recommendations

• Enable Google Play Protect
• Avoid Sideloading Applications
• Review Accessibility Permissions
• Keep Devices Updated

Rokarolla represents a new generation of Android banking malware that combines accessibility abuse, credential theft, SMS interception, clipboard hijacking, and Google Play Protect bypass techniques to achieve near-total control over infected devices. With support for 137 remote commands and targeting hundreds of financial applications, it demonstrates the increasing sophistication of mobile threats facing both consumers and enterprises.

The post Rokarolla Android Malware Disables Google Play Protect to Gain Full Device Control appeared first on First Hackers News.

Unlike traditional phishing attacks that immediately request credentials, Sniper Dz employs a multi-stage social engineering process designed to gradually build trust before redirecting users into malicious advertising and scam ecosystems. The campaign demonstrates how threat actors are increasingly combining social media platforms, legitimate web services, and browser features to maximize victim engagement.

Technical Analysis of the Campaign

Researchers found that the operation relies heavily on social engineering techniques rather than malware deployment. Victims are initially exposed to attractive Facebook advertisements promising prizes, discounts, giveaways, or exclusive offers.

The campaign then guides users through a series of seemingly legitimate web pages before ultimately triggering browser notification permissions and redirecting users into fraudulent content networks. By abusing trusted platforms and legitimate web services, the attackers are able to reduce suspicion and improve campaign effectiveness.

Sniper Dz Attack Flow

The attack follows a structured victim funnel designed to maximize conversion rates while minimizing detection.

Phase 1 – Social Media Lures

Attackers publish fraudulent advertisements and impersonation posts across social media platforms.

• Free gift offers
• Discount promotions
• Prize giveaways
• Mobile device rewards

Phase 2 – Legitimate-Looking Bridge Pages

Instead of immediately redirecting victims to malicious content, the campaign utilizes intermediary pages hosted on legitimate services.

• Link aggregation platforms
• Landing page builders
• Redirect services
• Social media profile pages

These bridge pages help bypass security filters and increase the perceived legitimacy of the campaign.

Simplified representation of the Sniper Dz victim funnel showing how users are guided from social media lures through trusted bridge pages before being exposed to browser notification abuse and scam content.

Phase 3 – Browser Notification Abuse

Once users reach the final stage, they are encouraged to allow browser notifications through deceptive prompts.

• Fake CAPTCHA pages
• “Click Allow to Continue”
• “Verify You’re Human”

After notification permissions are granted, attackers gain a persistent channel to deliver scam advertisements and fraudulent alerts directly to the victim’s browser.

Potential Risks to Users

• Financial Fraud
• Privacy Exposure
• Continuous Scam Exposure
• Credential Theft

Why Social Engineering Remains Effective

Modern scam campaigns increasingly rely on psychological manipulation rather than technical exploitation. By leveraging trusted platforms such as Facebook and legitimate web services, attackers can make fraudulent content appear authentic.

The use of multiple redirection stages also helps threat actors evade automated detection systems while increasing the likelihood that victims will complete the entire attack flow.

As users become more aware of traditional phishing techniques, attackers continue to evolve their tactics by combining social media abuse, browser notification exploitation, and deceptive marketing strategies.

Security Recommendations

• Verify Promotional Offers
• Review Browser Notifications
• Exercise Caution with Redirects
• Implement Security Awareness Training

The Sniper Dz campaign demonstrates how modern threat actors are leveraging social media impersonation, trusted bridge pages, and browser notification abuse to target users across the MENA region. Rather than relying on malware, the operation exploits user trust and social engineering tactics to drive victims toward fraudulent content, making awareness and browser security practices critical defenses against these evolving threats.

The post New Sniper Dz Scam Operation Exploits MENA Users with Fraudulent Facebook Offers appeared first on First Hackers News.

Data from GreyNoise shows that while daily attack activity has slightly slowed, it remains extremely high. Attack volumes now average 300,000 to 400,000 attempts per day, confirming that exploitation is ongoing and well-organized.

Large-Scale and Global Exploitation

The attack campaign is spread across a wide infrastructure. Researchers observed activity coming from thousands of unique IP addresses, spanning over 1,000 networks and more than 100 countries.

Cloud platforms are being widely abused to support the attacks. A large portion of the traffic originates from major cloud providers, with Amazon Web Services accounting for a significant share. This approach helps attackers blend in with legitimate traffic and rotate infrastructure quickly.

How the Attacks Work

Most exploitation attempts follow a consistent pattern:

• Initial probes test whether commands can be executed on the target system
• If successful, attackers deliver encoded payloads
• Additional scripts are run using techniques designed to bypass security controls

Attackers continue to refine their methods, creating tens of thousands of unique payloads and using varied tools to avoid detection. This constant change makes static defenses like fixed IP blocklists ineffective.

What Organizations Should Do

Systems that remain unpatched are still at risk. Nearly half of the attacking infrastructure appeared only in recent months, showing that new resources are constantly being added.

To reduce exposure, organizations should:

• Patch affected React Server Components immediately
• Monitor for suspicious PowerShell activity and encoded commands
• Use dynamic threat intelligence rather than static blocklists
• Apply network-level protections to exposed services

React2Shell is not a short-lived threat. It remains an active and persistent attack vector that requires immediate attention and ongoing monitoring.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post React2Shell Vulnerability Under Mass Exploitation appeared first on First Hackers News.

By abusing weakly protected components such as kernel drivers and named pipes, a standard user account can be elevated to SYSTEM-level access. Kernel drivers are especially attractive targets when IOCTL handling lacks proper input validation.

Windows Kernel and Named Pipe Flaws

In some WDM drivers that use METHOD_BUFFERED mode, the I/O Manager creates a kernel buffer but does not properly check the data coming from user space. This missing validation becomes a serious security weakness.

Attackers can abuse this gap by sending specially crafted IOCTL requests. These requests include dangerous pointer and size values that the kernel mistakenly trusts and processes.

A typical attack starts by finding exposed device names, then reviewing IOCTL handling logic, and finally identifying weak input checks. Once found, attackers can force the driver to call unsafe kernel functions such as MmMapIoSpace.

This gives them arbitrary read and write access in kernel memory, which can be used to steal the SYSTEM process token and assign it to their own process, resulting in full privilege escalation.

Named pipes are widely used for communication between processes, especially by services running as SYSTEM. This makes them an attractive target for attackers.

While named pipes do not access memory directly like kernel drivers, many services trust incoming pipe messages without proper checks, creating another path for privilege escalation.

The attack begins by looking for SYSTEM-owned named pipes that have weak permissions, allowing any user to read from or write to them. Attackers then study how the pipe works by analyzing the service’s code.

In some cases, services accept pipe requests without properly checking who sent them. This lets a normal user ask the service to perform privileged actions.

Researchers have seen examples where this flaw allowed changes to sensitive HKLM registry keys. One real-world case involved a commercial antivirus product, where an insecure named pipe was abused to modify the registry without authorization.

This weakness can let attackers abuse Image File Execution Options (IFEO) to run their own code as SYSTEM.

To reduce risk, security teams should closely review third-party kernel drivers, limit IOCTL access, and ensure all user input is properly checked before it reaches the kernel. Named pipes also need strict permission checks and clear validation of every request.

Research published by Hackyboiz shows that many environments expose named pipes with overly broad permissions. Organizations should identify these pipes and disable or lock down the risky ones. As Windows systems continue to be targeted by advanced attackers, understanding these local privilege-escalation paths is critical for protecting enterprise environments.

The post Windows Kernel and Named Pipe Flaws Enable Privilege Escalation appeared first on First Hackers News.

With over 20,000 active installations, this popular plugin is utilized for content submissions created by users and is the brainchild of Plugin Planet.

All about the vulnerability :

The security researcher at Patchstack, Rafie Muhammad, brought attention to this vulnerability, and it has now been officially registered as CVE-2023-45603. According to the researcher, this vulnerability permits unauthorized file uploads.

The bug pertains to how the plugin manages uploaded files, specifically within the “usp_attach_images” function. Unauthenticated users could potentially exploit this vulnerability by uploading files containing embedded PHP code, which may subsequently execute on the server, potentially jeopardizing the security of the website.

The researcher elaborated that their team unearthed the vulnerability within the User Submitted Posts WordPress plugin in September 2023.

Plugin Planet promptly issued a patch just two days after its discovery. By October 10, 2023, the vulnerability had been officially documented in the Patchstack database.

“Since the main problem is that arbitrary file name extensions are allowed to be uploaded, the vendor decided to add a whitelist check before uploading the file to the server“, refers.

The matter has been resolved in the most recent release of the WordPress plugin, denoted as version 20230914. Users are strongly advised to promptly upgrade to safeguard their websites.

The researcher also emphasized, “Always scrutinize each $_FILES parameter in the plugin or theme code. Be sure to validate the file name and extension before proceeding with file uploads.”

Website owners are also encouraged to review their code for potential vulnerabilities and implement a whitelist of approved file extensions as a preventive measure against unauthorized file uploads.

Basic Safety Measures 

Administrators of a WordPress website should consider several fundamental security measures:

1. Employing robust and unique passwords for access.
2. Consistently updating the software to the latest versions.
3. Implementing a dedicated antivirus protection tool.
4. Periodically reviewing and enhancing the website’s security protocols.

Ensuring WordPress site security is paramount in safeguarding your website against threats. By deploying suitable security measures and maintaining regular software updates, you can fortify your website’s security and uphold a steadfast and trustworthy online presence.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post User Submitted Posts: Vulnerability found in WordPress plugin appeared first on First Hackers News.

“Aqua security researchers, including Mor Weinberger, Yakir Kadkoda, and Ilay Goldman, conveyed in a report to The Hacker News that these vulnerabilities lead to unavoidable typosquatting attacks in the registry and complicate users’ ability to discern package ownership.”

Vulnerabilities in PowerShell Gallery Enabling Supply Chain Attacks

Managed by Microsoft, PowerShell Gallery is a primary hub for distributing and obtaining PowerShell code, encompassing modules, scripts, and Desired State Configuration (DSC) resources. The registry hosts 11,829 unique packages and a total of 244,615 packages.

The cloud security company pinpointed concerns linked to the registry’s lenient package naming policy, which lacks safeguards against typosquatting attacks. This oversight empowers attackers to upload deceptive malicious PowerShell modules, fooling unsuspecting users.

Another issue involves a malicious individual being able to manipulate a module’s metadata, such as Author(s), Copyright, and Description fields. This manipulation makes the module seem more genuine, tricking unsuspecting users into installing it.

The researchers mentioned that users can only confirm the true author/owner by accessing the “Package Details” tab.

However, this leads only to the false author’s profile since attackers can freely choose any name while making a user on the PowerShell Gallery. Hence, identifying the true author of a PowerShell module in the PowerShell Gallery is challenging.

Another issue is a third vulnerability, exploitable by attackers to list all package names and versions, even those meant to be private. This exploit employs the PowerShell API “https://www.powershellgallery.com/api/v2/Packages?$skip=number,” granting unrestricted access to the entire PowerShell package database, along with its versions.

Aqua notified Microsoft about the issues in September 2022. Microsoft supposedly implemented reactive fixes by March 7, 2023. However, the problems can still be replicated.

The researchers emphasized, “As we rely more on open-source projects and registries, security risks become more noticeable.”

“The main responsibility for user security rests with the platform. It’s crucial for PowerShell Gallery and similar platforms to bolster their security measures.”

The post Researchers Detect Vulnerabilities in PowerShell Gallery Enabling Supply Chain Attacks appeared first on First Hackers News.

The findings come as a follow-up to Team Cymru’s previous malware infrastructure analysis, emerging just over two months after Lumen Black Lotus Labs disclosed that 25% of its C2 servers remain active for only a single day.

QakBot Malware

QakBot, also known as QBot, is a sophisticated banking Trojan malware that targets financial institutions and their customers. It steals sensitive information, creates botnets, and establishes a command-and-control network to control infected computers remotely.

The cybersecurity firm reported that QakBot has a consistent pattern of going on an extended break each summer and then resurfacing sometime in September. This year, its spamming activities halted around 22 June 2023.

QakBot’s C2 network has a tiered architecture similar to Emotet and IcedID. The C2 nodes communicate with Tier 2 (T2) C2 nodes hosted on VPS providers in Russia.

Most of the bot C2 servers, which communicate with victim hosts, are in India and the U.S. The outbound T2 connections lead to IP addresses primarily based in the U.S., India, Mexico, and Venezuela.

Additionally, there is a BackConnect (BC) server alongside the C2s and Tier 2 C2s, which turns the infected bots into proxies for other malicious activities.

Team Cymru’s latest research shows a significant decrease in the number of C2s communicating with the T2 layer, leaving only eight remaining. This reduction was partly due to Black Lotus Labs’ null-routing of the higher-tier infrastructure in May 2023.

An analysis of NetFlow data reveals a pattern where increased outbound T2 connections often follow spikes in inbound bot C2 connections. Conversely, spikes in outbound T2 connections coincide with a decline in bot C2 activity.

Team Cymru explained that QakBot’s strategy of using victims as C2 infrastructure with T2 communication results in double harm to users – first in the initial compromise and then in the risk of being publicly identified as malicious.

Indicators of Compromise

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post QakBot Malware Operators Ramp Up C2 Network with 15 New Servers appeared first on First Hackers News.

MOVEit Transfer

The software at the center of the recent massive Clop ransomware breach, MOVEit Transfer, has been updated to address a critical SQL injection bug along with two additional vulnerabilities of lesser severity.

The SQL injection vulnerabilities enable attackers to manipulate queries in order to gain unauthorized access to a database or manipulate its contents by executing malicious code. These attacks exploit the absence of adequate input/output data sanitization in the targeted application.

The two SQL injection security issues impact various versions of MOVEit Transfer, including:

• Versions 12.1.10 and earlier
• Versions 13.0.8 and earlier
• Versions 13.1.6 and earlier
• Versions 14.0.6 and earlier
• Versions 14.1.7 and earlier
• Versions 15.0.3 and older.

The second SQL injection flaw, identified as CVE-2023-36932, received a high severity rating because an attacker could exploit it after authentication.

A third vulnerability addressed by this patch is CVE-2023-36933, a high severity issue that allows attackers to cause an unexpected program termination.

In response to the significant impact of the security incident, the American software company has made the decision to implement a proactive measure by introducing monthly security updates known as “Service Packs.”

This new approach enhances the software upgrade process, enabling MOVEit Transfer administrators to apply fixes more efficiently and promptly than previous methods.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post MOVEit Transfer customers are being warned to fix a new, critical flaw appeared first on First Hackers News.

Below are the two vulnerabilities :

CVE-2023-33009: A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1.

CVE-2023-33010: Another buffer overflow vulnerability in the ID processing function in the same Zyxel firmware versions.The flaw could once again allow an unauthenticated attacker to cause “conditions DoS” or remotely execute code on an affected device. Both issues are classified as “critical” vulnerabilities, with a severity score of 9,8.

How to install updates

Login to your ZLD appliance and go to Configuration → Licensing → Registration → Service and click the Service License Refresh button.  This must be done before you can access your myZyxel account to download new firmware patches. This will sync necessary info with the myZyxel server (info like running firmware version, MAC Address, S/N, etc.).

Open an internet browser and go to URL: https://portal.myzyxel.com/ and login to your account.

Once in your account dashboard, find the ZLD router you wish to download firmware for and click on the Download button under the “Firmware Update” column.

The post Zyxel firewalls are affected by two security flaws appeared first on First Hackers News.

CVE-2022-45359 Vulnerability

The CVE-2022-45359 vulnerability allows unauthenticated attackers to upload executables to vulnerable e-commerce websites, as well as install backdoors, obtain remote code execution, and take control of the website for further compromise. 

The bug is being weaponized to full access to a vulnerable website to sites running the YITH WooCommerce Gift Cards Premium plugin, WordPress security company Wordfence noted.

According to reports, Wordfence was able to reverse-engineer the exploit using attack data and a copy of the vulnerable plugin, and they are now disclosing details about its operation.Sending a request to /wp-admin/admin-post.php as an unauthenticated attacker will cause functions that run on admin init to be activated because admin init runs for any page in the /wp-admin/ directory.

The issue was discovered on November 22, 2022, and was addressed with the release of version 3.20.0.

Below are some files uploaded by threat actors in attacks analyzed by Wordfence:

• kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com)
• b.php – this file is a simple uploader
• admin.php – this file is a password-protected backdoor

The vulnerability has been exploited in attacks, with the following IP addresses accounting for the vast majority of exploitation attempts: 

• 103.138.108[.]15 
• 188.66.0[.]135 

Mitigation

Users of the WooCommerce Gift Cards plugin must update to version 3.20.0 or higher to avoid the vulnerability. 

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks appeared first on First Hackers News.