With the advent of virtual reality, everyone got scared that the life we ​​know will disappear, and only…

With the advent of **virtual reality**, everyone got scared that the life we ​​know will disappear, and only those who understand new technologies will be able to find work. Remember what they said about newspapers. And about television. Radio. It seems likely that the same will play out in real life. Just consider what’s already unfolding in virtual reality, within metaverses like Fortnite, Roblox, Holiverse, and Decentraland.

****What does the “reality disappearance” mean?****

The disappearance of reality in the context of the popularity of the **metaverse** does not mean the disappearance of the physical world. It is rather a transformation of our perception and the usage of the real world. Here is how such transformation can happen. 

****Psychological disappearancе****

Let’s start with a simple example. Remember how, as children, we used to play the console for hours, forgetting about lunch? Or look at your children. How many times do you have to say it before they finally sit at the table? Now imagine this feeling, but taken to a new level, where the virtual world feels more interesting and important than the real one.

But haven’t you noticed that we’ve been living this way for the past ten years? Tinder, Facebook, Instagram, and TikTok are gradually consuming several hours of our time every day.

Here’s an example of how a man psychologically disappears in a game. There is a character in World of Warcraft. In virtual reality, this person is a hero, an idol who is looked up to. And what about real life?

There is an ordinary office worker in glasses in a cool unit, whom sometimes even the cleaning lady does not notice. Where would this person be more comfortable? Of course, where he or she is a role model. It’s like choosing what to have for tea: a sweet cake with thick whipping cream or sauerkraut. Well, obviously, in terms of psychology, the man will choose the virtual world in the given situation.

Now imagine that all your communication, work, and even cultural events have shifted to the digital world, the metaverse. Without leaving home, you arrange business meetings, go to concerts, and have fun with friends. It seems like science fiction but it is already a reality.

Travis Scott has collected 12 million viewers in Fortnite. Why go to a real stadium if you can go to a popular rapper’s concert without leaving your home? And without being afraid of a crowd of fans or risking being trampled. Convenient, right?

More and more people understand that there is no point in wasting time in traffic jams if you can solve everything online. And this is just the beginning.

****Economic disappearancе****

Now imagine that money also goes into the virtual world. No, it’s not just about cryptocurrency. People buy virtual land for millions of dollars, sew clothes for avatars, and collect NFTs, like previous stamps or coins.

Here’s an example. Someone bought a Gucci bag in Roblox for $4,000. Although it cost more than in real life, it was still bought. For some, this bag is a way to show status, even in the game.

****Land in Decentraland, avatars in Holiverse and turning tеxt into vidео** **

If you look closely, the “disappearance of reality” has already begun. The only thing is that it’s not as bright as in science fiction movies. We do not connect wires to our heads to get into the virtual world, but, it looks like, we are gradually disappearing there. 

****People buy plots of virtual land for millions of dollars and hope****

For example, in 2021, someone bought a plot of land in Decentraland for $2 million. This is virtual land, you can’t even touch it! Tomorrow the server will burn out, the Internet will be turned off, and no one will remember it. However, for such people, this is not a game, but an investment. They believe that tomorrow virtual real estate will become even more valuable.

The same thing with clothes, which we love to buy in reality. Now imagine that you are buying not a jacket or sneakers, but a skin for your avatar. You do not understand why, but thousands of people around the world do this. In games like Fortnite or Holiverse, this is completely normal because people pursue their own goals there.

For the buyer, this is a matter of status. Because this bag makes his avatar authentic. And that’s cool.

Why is this cool? Here’s an example. A virtual character under the nickname Lil Мiquelа lives only on the Internet. In reality, no one fully understands how she appeared.

Although Miquela does not exist in real life, millions of subscribers follow her on Instagram. She advertises brands, stars in campaigns, and even releases music. Her creators earn millions, and for subscribers, she is “more than real.”

**Holiverse: аvatar as a digital twin**

Just imagine: you take a sample of your DNA at home, and within a couple of days, you receive a digital copy of yourself, an avatar that lives in a virtual world, mimics your behaviour, and adapts to reflect any changes. This avatar does not just copy your body, it knows exactly how your body will react to different physical loads, food products and even cosmetics. This concept is being developed by the **Holiverse** startup, led by Lado Okhotnikov.

The idea looks fresh. Instead of wasting time and money on trying different medicines, you can use your virtual double. For example, you can:

*   find out how your physical condition will change if you add new workouts;
*   try which products will improve your life and which ones you better exclude;
*   test supplements or medicine that you are planning to take.

Lado Okhotnikov and his team emphasize user accessibility. To create a digital copy, you just need to take a DNA test at home, using a test kit that can be purchased at a pharmacy near your home or on a marketplace. Then you will need to send this sample to the lab, and after a short period, you will receive an exact copy of yourself: an avatar that can predict your body’s reactions with incredible accuracy.

The main advantage of Holiverse is the cost of the service. Lado Okhotnikov aims to make this technology available to everyone, turning personalized medicine from luxury into a necessity.

**Luma: turns text into video**

**Luma AI** presented Dream Machine; a service that “brings the text to life.” In terms of quality, the neural network is almost as good as Sora, one of the most powerful generative models. But this startup has a big advantage; Dream Machine is available to everyone. The neural network works on a new architecture and is already bypassing competitors like Runway Gen-2 or Pika. The video is realistic: without jerks, and the characters look natural and are not distorted.

Although the videos are short, a year ago this was considered science fiction. In a year or two, the service may be able to offer something truly significant. For example, tools for generating full-fledged virtual worlds.

Who knows, maybe in a few years we will be able to design entire virtual cities at home in a couple of minutes, simply by describing them in words. Or turn our ideas into animated films available to a million audience in metaverses.

****And what’s next?****

Being scared of technology is the same as trying to stop progress. However, even with the advent of that very virtual reality which everyone is talking about, real life will not go anywhere. You will still go to stores, equipment will still break down, and someone will still come to fix it. The virtual world can captivate, but it will not replace everything. It will not be possible to give up reality quickly and painlessly.

1.  **What is the Fediverse?**
2.  **Google Wants to Put Our Memories in a Database**
3.  **What Is Programmatic Advertising And How To Use It**
4.  **Microsoft patent reveals chatbot to talk to dead people**
5.  **What is Blockchain Gaming and its Play-to-Earn Model?**

The Metaverse Will Become More Popular Than the Real World: Will Reality Disappear?

Data WIRED collected during the 2024 Democratic National Convention strongly suggests the use of a cell-site simulator, a controversial spy device that intercepts sensitive data from every phone in its range.

A device capable of intercepting phone signals was likely deployed during the 2024 Democratic National Convention (DNC) in Chicago, WIRED has learned, raising critical questions about who authorized its use and for what purpose.

The device, known as a cell-site simulator, was identified by the Electronic Frontier Foundation (EFF), a digital rights advocacy organization, after analyzing wireless signal data collected by WIRED during the August event.

Cell-site simulators mimic cell towers to intercept communications, indiscriminately collecting sensitive data such as call metadata, location information, and app traffic from all phones within their range. Their use has drawn widespread criticism from privacy advocates and activists, who argue that such technology can be exploited to covertly monitor protesters and suppress dissent.

The DNC convened amid widespread protests over Israel’s assault on Gaza. While credentialed influencers attended exclusive yacht parties and VIP events, thousands of demonstrators faced a heavy law enforcement presence, including officers from the US Capitol Police, the Secret Service, Homeland Security Investigations, local sheriff’s offices, and Chicago police.

Concerns over potential surveillance prompted WIRED to conduct a first-of-its-kind wireless survey to investigate whether cell-site simulators were being deployed. Reporters, equipped with two rooted Android phones and Wi-Fi hot spots running detection software, used Rayhunter—a tool developed by the EFF to detect data anomalies associated with these devices. WIRED’s reporters monitored signals at protests and event locations across Chicago, collecting extensive data during the political convention.

Initial tests conducted during the DNC revealed no conclusive evidence of cell-site simulator activity. However, months later, EFF technologists reanalyzed the raw data using improved detection methods. According to Cooper Quintin, a senior technologist at the EFF, the Rayhunter tool stores all interactions between devices and cell towers, allowing for deeper analysis as detection techniques evolve.

A breakthrough came when EFF technologists applied a new heuristic to examine situations where cell towers requested IMSI (international mobile subscriber identity) numbers from devices. According to the EFF’s analysis, on August 18—the day before the convention officially began—a device carried by WIRED reporters en route a hotel housing Democratic delegates from states in the US Midwest abruptly switched to a new tower. That tower asked for the device’s IMSI and then immediately disconnected—a sequence consistent with the operation of a cell-site simulator.

“This is extremely suspicious behavior that normal towers do not exhibit,” Quintin says. He notes that the EFF typically observed similar patterns only during simulated and controlled attacks. “This is not 100 percent incontrovertible truth, but it’s strong evidence suggesting a cell-site simulator was deployed. We don’t know who was responsible—it could have been the US government, foreign actors, or another entity.”

Under Illinois law, law enforcement agencies must obtain a warrant to deploy cell-site simulators. Similarly, federal agents—including those from the Department of Homeland Security—are required to secure warrants unless an immediate national security threat exists. However, a 2023 DHS Inspector General report found that both the Secret Service and Homeland Security Investigations did not always comply with these requirements.

The Chicago Police Department tells WIRED it did not deploy a cell-site simulator during the DNC, while the Secret Service tells WIRED in a statement that, “as a matter of practice,” it does not discuss the “means and methods” of its operations for “National Special Security Events.”

Other components of DHS as well as the DNC have not responded to requests for comment.

Quintin notes that the EFF detected similar anomalous behavior in a previous test conducted in Washington, DC’s Embassy Row, an area known for its high concentration of embassies and diplomatic offices. It wouldn’t be the first time that cell-site simulators were found in the nation's capitol. In 2019, the FBI accused Israel’s government of deploying a cell-site simulator near the White House—a claim Israel denied.

While the possible deployment of a cell-site simulator at the DNC has raised more questions than answers, for privacy and civil liberties advocates the implications are troubling nonetheless.

Nate Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, says, “It would be a big deal if the digital artifacts you found were in fact due to the presence of a cell-site simulator deployed to identify people at a protest.” However, Wessler adds, “it is also entirely possible that law enforcement was using a cell-site simulator in the area for a lawful purpose.”

For Wessler, the lack of clarity around their use is itself a cause for concern. “The ambiguity is really chilling,” he says. “The uncertainty around their use undermines people’s ability to express themselves.”

Secret Phone Surveillance Tech Was Likely Deployed at 2024 DNC

SUMMARY Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains.…

****SUMMARY****

*   **Cybersecurity firm watchTowr discovered over 4,000 active hacker backdoors relying on expired domain names.**

*   **These backdoors are pre-existing entry points on already compromised systems, allowing new actors to exploit previous breaches.**

*   **By registering these expired domains, watchTowr observed compromised systems “phoning home,” including government hosts in multiple countries.**

*   **The research highlights a concerning trend of attackers exploiting abandoned backdoors left by other hackers, creating a “hacking-on-autopilot” scenario.**

*   **Many older web shells, tools used for remote access, contain built-in mechanisms that unintentionally expose compromised systems through callbacks to now-expired domains.**

Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains. These backdoors, hidden in compromised systems worldwide, have exposed a huge network of vulnerable government and educational institutions.

The investigation began when watchTowr registered over 40 expired domains, previously used by hackers, and set up logging servers to track incoming requests. The team collected 300MB of data, revealing a network of compromised hosts, including government-owned systems in Bangladesh, China, Nigeria, and more.

The researchers discovered that hackers had been using these abandoned backdoors to gain access to thousands of systems, without investing effort in identifying and compromising them. This technique has been termed by researchers as a _“mass-hacking-on-autopilot”_ approach, allowing hackers to commandeer and control compromised hosts, potentially leading to devastating consequences.

One notable example, according to watchTowr’s technical report shared with Hackread.com, is a backdoor linked to the Lazarus Group, a notorious hacking collective associated with North Korea. The researchers found over 3,900 unique compromised domains using this backdoor, which was designed to load a .gif image from the logging server, leaking the location of the compromised system.

**Simple Explanation**

To understand this better, consider the concept of a “web shell.” These are essentially small snippets of code secretly placed on a web server after a successful breach. They act as remote control panels, allowing attackers to execute commands, manage files, and even deploy further malicious tools.

Historically, these web shells often included mechanisms that “phoned home” to a specific domain or server controlled by the attacker. When that domain expires and is re-registered by someone else, those “phone calls” are now answered by an unexpected recipient.

Older web shells, like the infamous “r57shell” and “c99shell,” while outdated, still appear to be in use. Interestingly, some of these older shells even contained built-in backdoors _for the shell’s creator_. This meant that even if the initial attacker secured their access with a password, the original author could still gain entry using a secret “master key.” This highlights a history of the hacking community itself having a somewhat chaotic approach to security.

In one example, researchers observed a web shell constantly sending the login credentials (in plain text!) to a domain that watchTowr now controlled. The attacker believed they had secured their access, but the very tool they were using was betraying them.

One of the sites with a live Shell – This time it is a c99shell (Via watchTowr)

The report also highlights the vulnerability of government institutions, with compromised systems found in the Federal High Court of Nigeria and other government entities. The researchers emphasize that these findings demonstrate the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

****Dangerous Situation****

The watchTowr team warns that problems like this will persist, with consequences for software updates, cloud infrastructure, and SSLVPN appliances. The report also highlights that even attackers can make mistakes, as demonstrated by another research from researchers at vpnMentor. They identified high-profile groups, such as ShinyHunters and Nemesis, that exploited AWS buckets to steal over 2 terabytes of sensitive data. In the process, these groups inadvertently exposed their own S3 buckets.

The good news is that The Shadowserver Foundation has agreed to take ownership of the implicated domains and sinkhole them, preventing further exploitation. The watchTowr team’s research serves as a crucial reminder of the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

1.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
2.  **Controller flaws let hackers physically damage moving bridges**
3.  **US and Europe Account for 73% of Global Exposed ICS Systems**
4.  **Thousands of Exposed ICSs in US and UK Threaten Water Supplies**
5.  **“Revolver Rabbit” Hacker Uses RDGA to Register 500,000 Domains**

Thousands of Live Hacker Backdoors Found in Expired Domains

The inside story of the teenager whose “swatting” calls sent armed police racing into hundreds of schools nationwide—and the private detective who tracked him down.

The School Shootings Were Fake. The Terror Was Real

Fortinet uncovers a new PayPal phishing scam exploiting legitimate platform features. Learn how this sophisticated attack works and how to protect yourself from falling victim.

****SUMMARY****

*   **Phishing Scam Targets PayPal**: Scammers exploit PayPal’s system to link victim accounts to unauthorized addresses.

*   **Legitimate-Looking Emails**: The scam uses real-looking emails and valid PayPal login pages to deceive users.

*   **Microsoft365 Exploit**: Attackers use MS365 domains to send PayPal money requests, bypassing phishing filters.

*   **Account Takeover**: Victims unknowingly link their PayPal accounts to the scammer, risking financial loss.

*   **Stay Safe**: Avoid unsolicited emails, verify URLs, and enable 2FA to protect your PayPal account.

Fortinet’s FortiGuard Labs has identified a sophisticated PayPal phishing scam targeting unsuspecting users by exploiting a loophole in the platform’s system. According to Fortinet’s CISO (Chief Information Security Officer) Carl Windsor, the scam leverages legitimate PayPal functionality to trick users into linking their accounts to unauthorized addresses, potentially granting attackers control over their finances.

The attack utilizes a seemingly legitimate email, often with a valid sender address and a genuine-looking URL. However, the true danger lies within the email’s content. It directs recipients to a legitimate PayPal login page, prompting them to log in to investigate a supposed payment request.

Screenshot of the actual phishing email (Via Fortinet’s FortiGuard Labs)

Further probing revealed that the scammer registered an MS365 test domain and created a Distribution List containing victim emails (Billingdepartments1gkjyryfjy876.onmicrosoft.com), then sent a legitimate PayPal money request to all recipients. 

They added the list to the PayPal web portal and distributed it to targeted victims. The Microsoft365 SRS rewrite scheme rewrites the sender to pass the SPF/DKIM/DMARC check. It is worth noting that Microsoft365 SRS (Sender Rewriting Scheme) is a feature in Microsoft 365 that rewrites the sender address of an email message.

Once the victim logs in, the scammer’s account is linked to the victim’s account, allowing them to take control of the victim’s PayPal account, a trick that bypasses PayPal’s phishing check instructions.

“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look,” Windsor wrote in a blog post.

This new phishing scam highlights the importance of cybersecurity awareness. Users must be cautious of unsolicited emails, avoid clicking on links or attachments from unknown senders, hover over links to verify URLs, and never enter login credentials on websites unless certain of the authenticity. Enabling two-factor authentication (2FA) on PayPal accounts can further enhance security.

1.  **PayPal Notifies 35,000 Users of Data Breach**
2.  **PayPal Users hit with “Suspicious Activity” Phishing Scam**
3.  **Microsoft, PayPal, Facebook most targeted brands in phishing**
4.  **World Bank SSL Certificate Hacked to Host PayPal Phishing Scam**
5.  **DocuSign API Abused to Evade Spam Filters with Phishing Invoices**

New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails

Millions of email servers worldwide remain alarmingly vulnerable to cyberattacks due to a critical security oversight: the absence of Transport Layer Security (TLS) encryption.

**SUMMARY**

*   **Critical Oversight in Email Servers**: Over 3.3 million email servers worldwide lack TLS encryption, leaving usernames, passwords, and email content vulnerable to interception during transmission.

*   **Top Affected Regions**: The U.S. has nearly 900,000 exposed servers, followed by Germany (500,000+) and Poland (380,000+), highlighting the global scope of the issue.

*   **Vulnerability Details**: POP3 and IMAP protocols, commonly used for email access, are at risk when not secured with TLS, enabling eavesdropping and dictionary attacks.

*   **Mitigation Steps**: ShadowServer urges organizations to enable TLS, review the necessity of these protocols, or move services behind a VPN to secure email communications.

*   **Broader Security Recommendations**: Experts stress the importance of advanced measures like strong password policies, regular audits, and proactive monitoring of external attack surfaces for robust email system protection.

A recent investigation by ShadowServer has uncovered a critical security flaw affecting millions of email servers worldwide. The study revealed a staggering 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) servers operating without **Transport Layer Security** (TLS) encryption.

This lack of encryption renders these servers susceptible to attacks like data interception and dictionary attacks, where attackers attempt to guess common usernames and passwords. The United States leads in the number of vulnerable hosts, with nearly 900,000 exposed. Germany and Poland follow closely with over 500,000 and 380,000 vulnerable servers, respectively. 

****Why did the issue occur?** **

Two primary protocols facilitate email access: POP3 (Post Office Protocol 3), which downloads emails to the user’s device, and IMAP (Internet Message Access Protocol), which allows access from multiple devices. The vulnerability arises when these protocols operate without TLS, leaving the communication channel open for eavesdropping.

For your information, TLS is a fundamental security protocol that encrypts communication channels, ensuring the confidentiality and integrity of data exchanged over the Internet. Its absence in these email servers exposes them to **significant risks**.

Without TLS, user credentials and email content are transmitted in plain text, making them easily accessible to anyone monitoring the network traffic. This not only compromises user privacy but also opens the door to **password-guessing attacks**, where attackers can systematically try common passwords to gain unauthorized access to email accounts.

The Shadowserver Foundation urges affected organizations to immediately enable TLS support for their IMAP/POP3 services. They also recommend evaluating the necessity of these services and considering alternative solutions like moving them behind a **Virtual Private Network** (VPN).

However, while enabling TLS encryption is crucial, it’s essential to recognize that it alone cannot prevent all attacks. You must adopt advanced and reliable security measures, including stronger password policies and regular security audits, to safeguard email systems from evolving threats.

> We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).
> 
> It's time to retire those! pic.twitter.com/Iw9cZPxshg
> 
> — The Shadowserver Foundation (@Shadowserver) December 31, 2024

Martin Jartelius, CISO at Outpost24 commented on the issue stating, _“_As always, a reminder for all that keeping an eye on your external attack surface and ensuring that things are, and remain, configured appropriately is a simple and cost-effective security control._“_

_“_Most modern email clients will use opportunistic TLS, meaning they start by attempting encrypted connections, so the de facto impact of this is in parts mitigated provided a system also supports encrypted options. But one should not rely on the connecting clients for the security of the exchange as the primary control_,”_ Martin added.

1.  **New EmailGPT Flaw Puts User Data at Risk**
2.  **Mailcow Patches Critical XSS and File Overwrite Flaws**
3.  **How to Recover Deleted Emails from Exchange Server?**
4.  **DNS Tunneling Used for Stealthy Scans and Email Tracking**
5.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
6.  **Future of Phishing Email Training for Employees in Cybersecurity**

Millions of Email Servers Exposed Due to Missing TLS Encryption

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

****SUMMARY****

*   **Sophisticated Phishing Tool**: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.

*   **Real-Time Data Exploitation**: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.

*   **Advanced Features**: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.

*   **Global Impact**: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.

*   **Mitigation Strategies**: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.

Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.

The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have created a new WordPress plugin, PhishWP, to create fake payment pages. Instead of processing payments, they steal credit card numbers, expiration dates, CVVs, and billing addresses.

PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication. 

In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.

This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.

Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity. 

To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities to create attacks as per the specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.

Screenshot from the Russian hacker forum (Via SlashNext)

Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.

To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.

Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development stating _“_WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details._“_

1.  **US Marshals Service Data Sold on Russian Hacker Forum**
2.  **New Rockstar 2FA Phishing Kit Targets Microsoft 365 Accounts**
3.  **Military Satellite Access Sold on Russian Hacker Forum for $15K**
4.  **Android Botnet Nexus Being Rented Out on Russian Hacker Forum**
5.  **Network access to Pakistan’s top fed agency sold on Russian forum**

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

Source: Antony Cooper via Alamy Stock Photo

An unknown attacker is wielding an updated version of a backdoor malware that was previously deployed against high-profile Southeast Asian organizations in targeted attacks, this time against ISPs and governmental entities in the Middle East.

Researchers at Kaspersky have detected a new variant of the EagerBee backdoor outfitted with various new components in attacks that demonstrate a significant evolution of the malware framework, they revealed in a blog post published today.

EagerBee is primarily designed to operate in memory to enhance its stealth capabilities and help it evade detection by traditional endpoint security solutions, according to Kaspersky. It's also unique in that it obscures its command shell activities by injecting malicious code into legitimate processes that are executed within the context of explorer.exe or the targeted user's session.

"These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze," Kaspersky senior security researcher Saurabh Sharma wrote in the post.

A previous variant of the malware was seen in attacks by a a trio of Chinese state-aligned threat clusters, which previously collaborated in Operation Crimson Palace to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.

Related:Deepfakes, Quantum Attacks Loom Over APAC in 2025

The latest version of EagerBee that was used in the Middle East attacks features several new advanced features, including a novel service injector designed to inject the backdoor into a running service, and a slew of previously undocumented plug-ins that can be deployed after the backdoor's installation.

"These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells, and more," Sharma wrote.

**Who Are the Cyberattackers Behind EagerBee?**

Previous researchers had attributed EagerBee to Chinese threat group Iron Tiger (aka Emissary Panda or APT27), one of numerous groups that often collaborate with other China-backed state-sponsored actors; that tends to make specific attribution of both attacks and malware murky.

Case in point: Kaspersky's latest analysis of the backdoor deployed in the Middle East attributes EagerBee to a different Chinese actor, CoughingDown. That's because there was a creation of services on the same day via the same Web shell to execute EagerBee and the CoughingDown Core Module in one of the attacks researchers analyzed, according to Sharma. Moreover, the researchers observed overlap in the command-and-control (C2) domain used both by EagerBee and the CoughingDown Core Module in the attack.

Related:Middle East Cyberwar Rages On, With No End in Sight

Further evidence discovered in the Middle East attacks linking EagerBee to CoughingDown includes code overlap in a malicious DLL file used in the attack with a multiplug-in malware developed by CoughingDown in late September 2020, according to Sharma. "We assess with medium confidence that the EagerBee backdoor is related to the CoughingDown threat group," he wrote.

**EagerBee Backdoor Malware's Advanced Features**

The Kaspersky team identified key new plug-in features of EagerBee that are all run by a plug-in orchestrator module to execute commands that perform various malicious activities.

The orchestrator exports a single method responsible for injecting the module into memory and subsequently calling its entry point. In addition to victim-specific data collected by the malware, this plug-in gathers and reports various other information — such as current usage of physical and virtual memory, system locale and time-zone settings, and Windows character encoding — about the infected system to the C2 server.

After transmitting this information, the plug-in orchestrator also reports whether the current process has elevated privileges and then collects details about all running processes on the system. Once the information is sent, the plug-in orchestrator waits for commands to execute, which are carried out by the various backdoor plug-ins.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

These include a file manager plug-in that is responsible for, among other things, renaming, moving, copying, and deleting files; reading and writing files to and from the system; and injecting additional payloads into memory. Another process manager plug-in lists running processes in the system; launches new modules and executes command lines; and terminates existing processes.

Two other plug-ins found in the novel variant include a remote access manager that facilitates and maintains remote connections while also providing command shell access, and a service manager that manages system services, including installing, starting, stopping, deleting, and listing them.

**Malware Sophistication Demands Cyber Defender Vigilance**

Despite links to CoughingDown, Kaspersky researchers could not determine the initial infection vector for the deployment of EagerBee.

In the previous attacks using the backdoor in Asia, attackers leveraged the now infamous Exchange ProxyLogon flaw as the initial entry point; however, there is no evidence of this in the attacks here, according to Kaspersky. However, the researchers still recommend that defenders promptly patch ProxyLogon to secure their network perimeter, as it "remains a popular exploit method among attackers to gain unauthorized access to Exchange servers," Sharma noted.

Overall, the emergence of a fortified variant of EagerBee in attacks in the Middle East demonstrates how attackers continue to advance malware frameworks in terms of both ability to evade detection and the sheer breadth of malicious functionality they can achieve, demanding that organizations also up their security game, he said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

### Impact

Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.

### Patches

Upgrade to version 0.8.1 or higher.

### Workarounds

No.

### References

Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.


**Guzzle OAuth Subscriber has insufficient nonce entropy**

Low severity GitHub Reviewed Published Jan 6, 2025 in guzzle/oauth-subscriber • Updated Jan 6, 2025

GHSA-237r-r8m4-4q88: Guzzle OAuth Subscriber has insufficient nonce entropy

This week on the Lock and Code podcast, we speak with Anna Brading and Mark Stockley about whether anywhere is safe from AI slop.

_This week on the Lock and Code podcast…_

You can see it on X. You can see on Instagram. It’s flooding community pages on Facebook and filling up channels on YouTube. It’s called “AI slop” and it’s the fastest, laziest way to drive engagement.

Like “click bait” before it (“You won’t believe what happens next,” reads the trickster headline), AI slop can be understood as the latest online tactic in getting eyeballs, clicks, shares, comments, and views. With this go-around, however, the methodology is turbocharged with generative AI tools like ChatGPT, Midjourney, and MetaAI, which can all churn out endless waves of images and text with little restrictions.

To rack up millions of views, a “fall aesthetic” account on X might post an AI-generated image of a candle-lit café table overlooking a rainy, romantic street. Or, perhaps, to make a quick buck, an author might “write” and publish an entirely AI generated crockpot cookbook—they may even use AI to write the glowing reviews on Amazon. Or, to sway public opinion, a social media account may post an AI-generated image of a child stranded during a flood with the caption “Our government has failed us again.”

There is, currently, another key characteristic to AI slop online, and that is its low quality. The dreamy, Vaseline sheen produced by many AI image generators is easy (for most people) to spot, and common mistakes in small details abound: stoves have nine burners, curtains hang on nothing, and human hands sometimes come with extra fingers.

But little of that has mattered, as AI slop has continued to slosh about online.

There are AI-generated children’s books being advertised relentlessly on the Amazon Kindle store. There are unachievable AI-generated crochet designs flooding Reddit. There is an Instagram account described as “Austin’s #1 restaurant” that only posts AI-generated images of fanciful food, like Moo Deng croissants, and Pikachu ravioli, and Obi-Wan Canoli. There’s the entire phenomenon on Facebook that is now known only as “Shrimp Jesus.”

If none of this is making much sense, you’ve come to the right place.

Today, on the Lock and Code podcast with host David Ruiz, we’re speaking with Malwarebytes Labs Editor-in-Chief Anna Brading and ThreatDown Cybersecurity Evangelist Mark Stockley about AI slop—where it’s headed, what the consequences are, and whether anywhere is safe from its influence.

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Tag

#ssl