Stealth Malware Campaign Uses WordPress Sites to Spread Windows Trojan
A new malware campaign actively targeting WordPress websites is delivering a Windows-based Remote Access Trojan (RAT) called client32[.]exe. Discovered by cybersecurity firm Sucuri, this threat is already being exploited in the wild, with real websites confirmed to be compromised. The infection begins with two PHP files—header[.]php and man[.]php—quietly added to a site's backend. One file profiles visitors and logs their IP addresses to prevent reinfection, while the other provides attackers with a web-based control panel to manage targeted individuals.

Once a user visits the compromised site, the malware silently forces a download of a batch file that launches a PowerShell script. This script retrieves a ZIP archive containing the trojan, unpacks it to a hidden location in the AppData directory, and runs it. It also establishes persistence by creating a registry entry that ensures the trojan launches at system boot. From there, the malware connects to a remote command-and-control server over HTTPS, giving attackers full access to the victim's system for remote control, surveillance, or data theft.

This campaign does not focus on a specific region or industry; it targets any unprotected or outdated WordPress installation indiscriminately. The operation is built around stealth and persistence, utilizing legitimate Windows tools such as PowerShell and registry services to bypass security measures without raising any red flags. The malware evades detection by filtering infections through IP-based checks and minimizes its footprint by executing through trusted processes. It affects nearly all supported Windows versions, from Windows 7 through Windows 11, assuming the system allows PowerShell execution and registry modifications. There is currently no known macOS or Linux variant. While the specific threat actors behind the campaign have not been identified, the tactics suggest a well-organized and skilled group with long-term goals.
WordPress has not released an official advisory, but security researchers strongly urge site administrators to inspect file directories for unfamiliar PHP scripts, remove unauthorized changes, use Web Application Firewalls, and regularly update all CMS components and plugins. For end-users, the safest defense is to avoid suspicious downloads, maintain updated antivirus software, and apply system patches regularly. This campaign serves as a reminder that even trusted websites can be compromised, and staying vigilant is critical for both site owners and everyday users.
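One way for a site administrator to act on the advice above (inspect the install for PHP files that were added or altered) is to keep a hash baseline of every PHP file and diff against it. The script below is an added example, not code from Sucuri or the article; the directory layout and file contents are constructed in a temporary folder purely to show a new file and a modified file being flagged.

```python
import hashlib
import os
import tempfile

def hash_php_files(root):
    """Map each .php path (relative to root, '/' separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests

def diff_against_baseline(baseline, current):
    """Return (added, modified, removed) relative paths, each as a sorted list."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return sorted(added), sorted(modified), sorted(removed)

def demo():
    """Constructed scenario: snapshot a clean tree, then simulate one altered and one dropped file."""
    with tempfile.TemporaryDirectory() as site:
        theme = os.path.join(site, "wp-content", "themes", "demo")
        os.makedirs(theme)
        with open(os.path.join(theme, "header.php"), "w") as f:
            f.write("<?php get_header(); ?>\n")           # placeholder theme file
        with open(os.path.join(site, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")  # placeholder core file
        baseline = hash_php_files(site)                    # known-good snapshot
        # Simulate the pattern the article describes: an existing file changed, a new one added.
        with open(os.path.join(theme, "header.php"), "a") as f:
            f.write("<?php /* constructed marker, not real injected code */ ?>\n")
        with open(os.path.join(theme, "man.php"), "w") as f:
            f.write("<?php /* constructed placeholder */ ?>\n")
        return diff_against_baseline(baseline, hash_php_files(site))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

In a real deployment, store the baseline off-host (for example as JSON) right after a clean install or update, and re-run the diff on a schedule so that a changed theme file or an unexpected new PHP file surfaces immediately.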
Pakistani Cybercriminals Built Network of Cracking Sites to Spread Info-Stealers
A new investigation has uncovered that over 300 fake software-cracking websites are being used to secretly spread information-stealing malware, and the operation has been traced back to a network of freelancers based in Pakistan. These sites offer supposedly free versions of popular software, but users who download from them unknowingly install malware that steals passwords, login details, and other sensitive data. The individuals behind this scheme are skilled in web development and online advertising, and they earn money each time someone is infected—similar to how traditional affiliate programs work, but for malware. The operation has been running for years, with many of the sites promoted heavily through search engines and forums to attract victims from around the world. Some individuals involved have even shifted to legitimate careers, showing how cybercrime can blend into the broader tech economy. What makes this campaign particularly dangerous is its widespread and persistent nature. Even when some sites are taken down, new ones quickly emerge to replace them. The stolen information is often sold on dark web marketplaces or used for further attacks, including ransomware and remote access breaches. The people behind the scenes benefit from the fact that Pakistan lacks extradition agreements with countries such as the U.S. and EU member states, making legal action against them extremely difficult. Furthermore, Pakistan's growing cyber cooperation with countries such as China and Russia adds another layer of complexity to enforcement. This campaign serves as a reminder that downloading cracked software carries serious risks—not just to individual users but also to businesses, whose employees may unknowingly compromise entire networks by attempting to bypass licensing.
Blind Eagle Targets Latin America with RATs and Phishing to Bypass Detection
A new cyber campaign tied to the Blind Eagle threat group is actively targeting financial institutions in Latin America, with a heavy focus on Colombian banks. Uncovered by Trustwave SpiderLabs, the operation combines open-source Remote Access Trojans (RATs) such as Remcos and AsyncRAT with phishing attacks and basic obfuscation tactics to evade traditional antivirus detection. The attackers rely on simple Visual Basic Script (VBS) files as the initial infection method, which are delivered through convincing phishing emails. These emails often link to fake login pages that mimic those of trusted Colombian banks, designed to steal login credentials. Once a victim clicks through, the VBS scripts download and execute malware, with added tricks to disable security tools and maintain persistence on infected systems. Despite their effectiveness, the attackers do not make a significant effort to hide their infrastructure—many of their malware files and phishing pages are hosted on open directories and free hosting services, indicating a focus on speed over stealth. While the campaign is not technically advanced, it is dangerous because of how effectively it exploits basic security lapses and user trust. The attackers utilize familiar tools and inexpensive infrastructure, even reusing the same SSL certificates and domain naming patterns, which could make them easier to detect with improved monitoring. Interestingly, the control panels used to manage infected systems are built in Brazilian Portuguese; they give attackers full access to victims' machines, including options to upload files, steal data, and run commands. Hundreds of infections have already been observed, especially in Argentina, suggesting that the operation is spreading beyond its Colombian roots.
For financial organizations in the region, this campaign serves as a clear warning: regional phishing tactics, combined with open-source malware, are more than sufficient to cause serious damage if defenses are outdated or staff aren’t trained to identify these threats. Businesses are urged to strengthen email filters, train employees to recognize local phishing attempts, and actively monitor for suspicious infrastructure targeting the region.