Fake emails pretending to come from the US Social Security Administration try to get targets to install ScreenConnect for remote access.

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

_This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams._

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’ computers to perform tasks such as software installation, system configuration, and to resolve issues.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. A phishing group dubbed Molatori—because of the domains they use to host the ScreenConnect client—has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

> “Your Social Security Statement is now available  
> Thank you for choosing to receive your statements electronically.  
> Your document is now ready for download:
> 
> *   Please download the attachment and follow the provided instructions.
> *   NOTE: Statements & Documents are only compatible with PC/Windows systems.”

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading names like ReceiptApirl2025Pdfc.exe, and SSAstatment11April.exe.

After cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts. Experts have identified financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

*   The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
*   They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
*   ScreenConnect is a legitimate application which happens to be abused because of its capabilities.

**What we can do**

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

*   Verify the source of the email through independent sources.
*   Don’t click on links until you are sure they are non-malicous.
*   Don’t open downloaded files or attachments until you are sure they are safe.
*   Use an up-to-date and active anti-malware solution.
*   If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

**Malwarebytes users are protected**

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

And blocks connections to these associated domains:

*   atmolatori\[.\]icu
*   gomolatori\[.\]cyou
*   molatoriby\[.\]cyou
*   molatorier\[.\]cyou
*   molatorier\[.\]icu
*   molatoriist\[.\]cyou
*   molatorila\[.\]cyou
*   molatoriora\[.\]cyou
*   molatoriora\[.\]icu
*   molatoripro\[.\]cyou
*   molatoripro\[.\]icu
*   molatorisy\[.\]cyou
*   molatorisy\[.\]icu
*   onmolatori\[.\]icu
*   promolatori\[.\]icu
*   samolatori\[.\]cyou
*   samolatori\[.\]icu
*   umolatori\[.\]icu

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Fake Social Security Statement emails trick users into installing remote tool 

Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead.
WordPress security company Patchstack described the activity as sophisticated and a variant of another campaign observed in December 2023 that employed a fake CVE ploy to breach sites running

WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave’s SpiderLabs have discovered an increase in malicious online activities originating from a Russian “bulletproof” hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in “mass scanning, credential brute-forcing, and exploitation attempts” coming from Proton66’s network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale.

SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66’s network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing “some of the latest critical priority exploits,” researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English (“us-playmarket.com“), French (“playstors-france.com“), Spanish (“updatestore-spain.com“), and Greek (“playstors-gr.com“).

SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for “$2,000, transferred in BTC or USDT.”

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs’ investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a “CHANGWAY / HOSTWAY” theme. Still, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora\_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks’ PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided.

Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure.
The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
"The

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on…

A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on over 4.4 million users/clients, including records tied to major organizations like NVIDIA, Texas.gov, and the National Institute of Standards and Technology (NIST).

Just hours after claiming responsibility for a **breach involving Magento**, a hacker known as “Satanic” has surfaced again, this time alleging a data breach connected to WooCommerce, one of the most widely used eCommerce platforms on the web.

According to a post made on **Breach Forums** earlier today, the threat actor claims the incident occurred on April 6, 2025, and involves the extraction of more than 4.4 million records containing detailed personal and business information.

The announcement suggests the data wasn’t pulled from **WooCommerce**‘s core infrastructure directly but rather from systems closely tied to websites using the platform, likely CRM or marketing automation tools connected through third-party integrations.

Satanic on Breach Forums (Screenshot credit: Hackread.com)

The data breach appears to include both customer and company-level information, including emails, phone numbers, physical addresses, and social media links to business data such as sales revenue, employee count, domain authority rankings, and platform usage.

In total, the hacker claims the database holds:

*   **998,000 phone numbers**

*   **4,432,120 individual records**

*   **1.3 million unique email addresses**

*   **Metadata on corporate websites, including technology stacks and payment solutions**.

****Top Organisations Listed in the Sample Data****

A 1,000-line sample shared by the hacker includes data from several notable websites, such as “nist.gov,” the official site of the National Institute of Standards and Technology (NIST), a U.S. Department of Commerce agency. Also listed is “texas.gov,” the official portal for the State of Texas.

In addition to government entities, the sample contains records linked to major organizations, including NVIDIA Corporation, the New York City Department of Education, the University of Oklahoma, and Oxford University Press, alongside data from other well-known institutions and private companies worldwide.

Each record includes detailed information typically found in well-arranged marketing databases, such as estimated revenue, number of SKUs (Stock Keeping units), marketing platforms in use (e.g., ActiveCampaign, HubSpot), hosting providers, and links to company social media.

Interestingly, several entries show references to WordPress CMS, with WooCommerce listed as the eCommerce plugin. Others highlight integrations with Salesforce, Pardot, and various payment platforms like PayPal and Stripe. This points to a data source larger than WooCommerce itself, possibly compiled through APIs or scraped from exposed CRM panels.

Sample data analysed by Hackread.com (Screenshot credit: Hackread.com)

****Data for Sale****

The hacker is currently offering the database for sale via direct messages or Telegram without listing a fixed price. According to their post, they are “taking offers only.”

This claim follows a growing pattern from the same actor, who recently alleged a breach involving **Magento** via a third party and previously took credit for the **Tracelo breach** affecting 1.4 million users. Just last week, Satanic also claimed to have **breached Twilio’s SendGrid**, though that incident was publicly denied by the company.

If the WooCommerce-related breach proves authentic, it would represent one of the largest known exposures involving WordPress-based commerce platforms this year. The combination of personal contact information, business intelligence, and technology stack profiling makes the dataset valuable for threat actors engaged in phishing, social engineering, or competitive intelligence scraping.

At the time of publishing, WooCommerce has not issued any public statement regarding the claim. While Hackread.com has reached out to the company, businesses relying on WooCommerce and connected CRM or marketing tools should consider reviewing their third-party integrations and checking for unusual data access patterns.

This story is developing.

Hacker Claims WooCommerce Data Breach, Selling 4m User Records

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Thursday, April 3, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had _Starry Night_, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There's more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f\*\*\*\*\*s." Part 2 is coming out tomorrow, April 4th. 

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
*   Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

**The one big thing **

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Why do I care? **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

**So now what? **

Ways our customers can detect and block this threat are listed in this dedicated blog post.

**Top security headlines of the week**

**Gootloader Malware Resurfaces in Google Ads for Legal Docs**: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading) 

**UK threatens £100K-a-day fines under new cyber bill:** The tech secretary revealed the landmark legislation's full details for first time. (The Register) 

**Hacker linked to Oracle Cloud intrusion threatens to sell stolen data**: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive) 

**WordPress attackers hide malware in overlooked plugins directory**: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

**Can’t get enough Talos? **

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

*   **CNET:** Phishing Emails Aren't as Obvious Anymore. Here's How to Spot Them
*   **The Register**: Ransomware crews add 'EDR killers' to their arsenal - and some aren't even malware
*   **SiliconANGLE**: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
*   **CyberScoop:** Identity lapses ensnared organizations at scale in 2024

**Upcoming events where you can find Talos**

*   RSA (April 28 – May 1) San Francisco, CA  
*   PIVOTcon (May 7 – 9) Malaga, Spain  
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376  Typical Filename: c0dwjdi6a.dll   VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

**SHA 256:** **5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1   
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

**SHA256:** **47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**  
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos

One mighty fine-looking report

Cybersecurity researchers at Jscamblers have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign utilizes a legacy…

Cybersecurity researchers at Jscamblers have uncovered a sophisticated **web-skimming** campaign targeting online retailers. The campaign utilizes a legacy application programming interface (**API**) to validate stolen credit card details in real time before transmitting them to malicious servers. This technique allows attackers to ensure they are only harvesting active and valid card numbers, significantly increasing the efficiency and potential profit of their operations.

According to Jscrambler’s analysis, shared with Hackread.com, this web-skimming operation has been ongoing since at least August 2024. The attack starts with the injection of malicious JavaScript code, designed to mimic legitimate payment forms, into the checkout pages of targeted websites. This code captures customer payment information as it is entered. The second phase involves obfuscation using a base64-encoded string, which conceals crucial URLs from static security analyses, such as those performed by Web Application Firewalls (**WAFs**).

The key innovation in this campaign lies in its use of a deprecated version of the **Stripe API**, a popular payment processing service, to verify the card’s validity before the data is sent to the attackers’ servers. In the third stage, the legitimate Stripe iframe is concealed and replaced with a deceptive imitation, and the “Place Order” button is cloned, hiding the original. The entered payment data is validated using Stripe’s API, and card details, if confirmed, are quickly transmitted to a drop server controlled by the attackers. The user is then prompted to reload the page following an error message.

Researchers have identified that affected online retailers are primarily those using popular e-commerce platforms like **WooCommerce**, **WordPress**, and **PrestaShop**. They also observed **Silent Skimmer** variants, but not consistently.  Around 49 affected merchants, a figure suspected to be an underestimate, were identified, along with two domains used to serve the attack’s second and third stages. An additional 20 domains on the same server were also detected. Jscrambler reported that 15 of the compromised sites had addressed the issue.

Further probing revealed that the skimmer scripts are dynamically generated and tailored to each targeted website, indicating a high degree of sophistication and automated deployment. Researchers employed a brute-forcing technique, manipulating the Referrer header, to identify additional victims.

In one instance, the skimmer impersonated a Square payment iframe while in some other instances, the skimmer injected payment options, such as cryptocurrency wallets, dynamically inserting fake **MetaMask** connection windows. The wallet addresses associated with these attempts showed little to no recent activity, though.

In their **blog post**, researchers have warned Merchants to implement real-time webpage monitoring solutions to detect unauthorized script injections, whereas Third-Party Service Providers (TPSPs) can enhance security by adopting hardened iframe implementations to prevent iframe hijacking and form modifications.

Screenshot of the Iframed fake square payment form

“Jscrambler’s research team continues to track this campaign, and we urge all online merchants to prioritize security measures against client-side threats,” researchers concluded.

Hackers Exploit Stripe API for Web Skimming Card Theft on Online Stores

Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites.
mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the

Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities…

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities for years to conduct highly effective phishing campaigns.

According to researchers, this operation utilizes a phishing-as-a-service (**PhaaS**) platform, enabling both technical and non-technical cybercriminals to launch targeted attacks.

The platform is equipped with tools to bypass security systems, including the exploitation of open redirects on adtech servers, redirection through **compromised WordPress websites**, and the use of DNS MX records to identify victim email service providers. Also, they use mass spam delivery and dynamic content tailoring to evade traditional security measures.

“We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands,” researchers noted in the **blog pos**t, shared with Hackread.com ahead of its release.

Regarding the distribution of spam emails, the platform’s primary attack vector, researchers observed a distinct centralization pattern, with a considerable portion originating from servers hosted by iomart (United Kingdom) and HostPapa (United States), indicating a unified network rather than dispersed activity from multiple independent entities.

Top 10 Popular ISPs (Source: Infoblox)

Morphing Meerkat uses a dynamic serving of fake login pages customized to the victim’s email service provider by querying **DNS MX records** using Cloudflare DoH or Google Public DNS. The platform maps these records to corresponding phishing HTML files, featuring over 114 unique brand designs, ensuring a personalized phishing experience and increasing the likelihood of successful credential theft.

The operation has evolved significantly since its detection in January 2020. Initially, it targeted only five email brands (Gmail, Outlook, AOL, Office 365, and Yahoo) and lacked translation capabilities. By July 2023, it had integrated DNS MX records-based dynamic loading of phishing pages and now supports dynamic translation into over a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese.

To harvest stolen credentials, they utilize several methods, including email delivery via EmailJS, **PHP scripts**, **AJAX** requests, and communication with Telegram channels using web API hooks. The platform also implements anti-analysis measures, such as disabling keyboard shortcuts and mouse right-clicks and obfuscating code to hinder security researchers.

 As Infoblox points out, “moderately advanced internet users and security researchers often verify the malicious state of a phishing webpage by examining its HTML code.” Morphing Meerkat counters this by actively blocking such inspection.

Morphing Meerkat Attack Chain (Source: Infoblox)

The use of **open redirect vulnerabilities** on adtech platforms, particularly DoubleClick, allows the threat actors to bypass email security systems by leveraging the domain’s high reputation. The platform also employs cloaking techniques, redirecting users to legitimate login pages and inflating code with non-functional elements, complicating threat analysis.

Considering the platform’s potential to exploit security blind spots through open redirects, DoH communication, and file-sharing services, it is essential that organizations strengthen DNS security, restrict DoH communication, and limit access to non-essential infrastructure to prevent exploitation.

New Morphing Meerkat Phishing Kit Exploits DNS to Spoof 100+ Brands

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has…

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has ever released. It’s such an embarrassment that the movie isn’t even available on Disney’s own streaming platform, Disney+.

According to cybersecurity researchers at Veriti, scammers are exploiting the situation by offering pirated versions of Snow White, specifically targeting torrent users and tricking them into downloading malware.

Screenshot credit: Hackread.com via IMDb

****The Lure of a Pirated Download****

On March 20th, what initially appeared to be a legitimate blog post on the website “TeamEsteem” (teamesteemmethodcom) offered a pirated version of the 2025 Snow White movie. The post provided a magnet torrent link that appeared safe but was actually a trap. Researchers identified the torrent file as a malicious campaign designed to compromise users’ devices.

According to the company’s blog post shared with Hackread.com, the torrent link led to a package of three files. While it might have seemed like a standard movie download, it was anything but. Veriti found that 45 people were already sharing or “seeding” the file, which could include both unsuspecting victims and attackers working to spread the trap faster.

****A Fake Codec That “Spells” Trouble****

When users downloaded the torrent, they didn’t get a movie. Instead, they got a bundle of files, including a README document and a suspicious file named “xmph_codec.exe.” The README claimed the codec file was necessary to play the movie, a common trick used in the early days of online piracy to fool users into installing malicious software.

However, in this case, running the “codec” file triggered a chain of malicious actions on the user’s device, including the following:

*   **Disables Security:** It shuts down Windows Defender and other built-in protections, leaving the device wide open to more attacks.

*   **Installs Malware:** The file was flagged as malicious by 50 out of 73 security tools on VirusTotal, a popular platform for analyzing suspicious files.

*   **Drops More Threats:** It quietly adds additional harmful files to the system, setting the stage for further damage.

*   **Installs TOR Browser:** It downloads and installs the TOR browser, a tool often used to access the Dark Web, without the user’s knowledge.

*   **Connects to the Dark Web:** The malware communicates with a hidden server on the Dark Web (using a .onion address), making it hard for security tools to track or block it.

In short, what looked like a free movie exposes users to data theft or possibly ransomware.

The malicious post on TeamEsteem blog and File breakdown inside the torrent package (Screenshots via: Veriti)

****What’s The Connection with TeamEsteem?****

TeamEsteemMethod.com is the official website of Team Esteem, LLC, a US-based organization founded by Jamie Levine, dedicated to assisting parents, schools, and educators in addressing various childhood challenges.

Veriti’s team believes the attackers behind this campaign managed to get their malicious blog post onto the TeamEsteem website in one of two ways: either by exploiting a vulnerability in the outdated version of the Yoast SEO plugin or by using stolen admin credentials to access the website.

The vulnerability in question is CVE-2023-40680, found in the outdated version of the Yoast SEO plugin, a popular SEO tool used by over 10 million WordPress websites. Alternatively, the attackers may have logged into the site using stolen admin credentials to post the fake blog entry themselves.

Either way, the attackers used the site as a medium to trick users into downloading their malware, banking on the hype around Snow White to draw in victims.

****Not The First Time****

This isn’t the first time cybercriminals have used pirated movies as bait, and it won’t be the last. High-profile releases like Snow White are prime targets because they attract huge interest, especially when legal options are limited. With no streaming release on platforms like Disney+, many fans turn to torrent sites, hoping to save money or time. But as this campaign shows, there’s no such thing as a “free lunch.”

In the past, attackers have exploited the popularity of movies like John Wick 3, Contagion, Black Widow, Joker, Ford v Ferrari, Pirates of the Caribbean, and many others to distribute malware and ransomware.

The good news? You can still avoid falling into traps by avoiding piracy, being cautious with malicious torrents, keeping your anti-malware updated to detect the latest threats, and using common sense.

Tag

#wordpress