Cybersecurity Daily Briefing: June 08, 2026

Coverage: Last 72 hours

Today’s Highlights

Attackers are actively exploiting vulnerabilities on edge devices and VPN appliances, making rapid patching a necessity. Supply chain and social engineering threats have grown, particularly attacks manipulating third-party JavaScript and professional services via phone-based pretexts. AI-driven support and automation workflows are being abused to bypass traditional controls, and law firms, cloud users, and operators of unmanaged infrastructure are facing higher risk. Defenders should prioritize patch and configuration audits, as well as enhance monitoring for both technical and user-driven threats across SaaS, web, and network layers.

Table of Contents

  1. C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
  2. Silent Ransom Group targets law firms with fake IT support calls
  3. Suspicious Polyfill login prompts pop up on Toshiba, Muji websites
  4. Chinese APT deploys new malware to keep access to hacked networks
  5. Dark web Nemesis Market vendor gets 26 years for selling drugs
  6. Critical Everest Forms Pro flaw exploited to take over WordPress sites
  7. CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers

Top Stories
C0XMO botnet spreads via DD-WRT router flaw, kills rival malware

Source: BleepingComputer | Risk: High | Impacted: Remote office routers, Unmanaged DD-WRT devices, Organizations with third-party or consumer router deployments

Summary: A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures.

Why it matters: Unpatched DD-WRT routers vulnerable to takeover allow botnet operators to conscript enterprise and remote office equipment at scale, which can be leveraged for ransomware staging, lateral movement, or proxying further attacks.

Practitioner Perspective

C0XMO targeting DD-WRT routers highlights the persistent risk posed by unmanaged or outdated edge devices. Attackers are opportunistically harvesting these assets for botnet operations, which can disrupt business networks and serve as pivot points into internal environments. Most organizations have poor visibility and management of non-standard or third-party router deployments, especially at branch or remote sites. Security teams must prioritize patching and inventory for all DD-WRT hardware, and should check for indicators of rival malware termination, which may signal recent botnet activity. Failing to remediate keeps the organization exposed to both disruption and data exfiltration.

Recommended Actions

  • Identify and update all DD-WRT router firmware across environments to latest vendor-patched versions
  • Search for C0XMO and Gafgyt botnet activity in edge device and network traffic logs

Silent Ransom Group targets law firms with fake IT support calls

Source: BleepingComputer | Risk: High | Impacted: Law firms, Professional services firms, Helpdesk and support desks

Summary: The Silent Ransom Group extortion gang is actively targeting U.S. law firms and professional services organizations in social engineering attacks that often lead to data theft within hours of initial contact, according to a new report by cybersecurity firm Mandiant.

Why it matters: Targeted social engineering campaigns against legal professionals enable attackers to steal privileged data and compromise highly sensitive business operations before standard monitoring can respond.

Practitioner Perspective

The Silent Ransom Group’s operational tempo demonstrates how skilled adversaries are bypassing technical controls through tailored pretexting and voice phishing campaigns. Law firms and professional services organizations are attractive because a single compromise may unlock broad confidential data. Existing phishing training often misses phone- or IT support-based attacks, and response playbooks rarely address rapid escalation via help desk impersonation. Security leaders should test user response to this threat and install compensating controls, such as strict out-of-band verification, for IT requests involving privileged access or sensitive systems. This threat validates the need for real-world social engineering simulations and incident containment plans beyond email phishing.

Recommended Actions

  • Conduct tailored vishing simulations against staff with legal or privileged system access
  • Review help desk escalation and verification procedures specifically for IT support requests

Suspicious Polyfill login prompts pop up on Toshiba, Muji websites

Source: BleepingComputer | Risk: High | Impacted: Web teams with Polyfill dependencies, Customers and visitors to affected websites, Organizations with external JavaScript CDN reliance

Summary: Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials.

Why it matters: Third-party JavaScript libraries like Polyfill can be weaponized to inject credential harvesting prompts, putting all website users and downstream partners at risk without warning or local code changes.

Practitioner Perspective

Incidents involving supply chain manipulation via Polyfill illustrate the frailty of web security when widely used external scripts are compromised. Web teams are often in the dark about when and how third-party libraries are updated or replaced, leaving them with little control over the points at which an attacker can introduce code. Credential phishing via rogue login prompts is subtle and likely to compromise unaware users and partners who reuse credentials. Organizations should urgently inventory dependencies and consider self-hosting critical scripts to regain control. For high-profile web properties, prioritize blocking or sandboxing known abused scripts, and proactively validate page content for unauthorized modification.

Recommended Actions

  • Audit all website code for Polyfill dependencies and replace with self-hosted versions where feasible
  • Implement content security policies to restrict third-party JavaScript execution on login or sensitive pages
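As an added example (not part of the briefing or of any affected site's code), the script below audits an HTML document for externally loaded scripts, flags any served from an origin outside an assumed first-party allowlist or lacking Subresource Integrity, and derives the matching `script-src` directive for a Content Security Policy. The hostnames and the sample page are constructed for illustration.

```javascript
// Added example: inventory third-party <script> tags and derive a strict CSP.
// Assumed first-party origins; replace with your own. Plain regex scan, no DOM lib.
const FIRST_PARTY = new Set(["www.example.com", "static.example.com"]);

// Parse attributes of a single opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per external script that is third-party and/or unpinned.
function auditScripts(html, firstParty = FIRST_PARTY) {
  const findings = [];
  const tagRe = /<script\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if (!a.src) continue; // inline scripts are out of scope here
    let host = null;
    try { host = new URL(a.src, "https://www.example.com/").hostname; } catch { /* malformed src */ }
    const thirdParty = host !== null && !firstParty.has(host);
    const issues = [];
    if (thirdParty) issues.push("third-party origin");
    if (thirdParty && !a.integrity) issues.push("no SRI integrity attribute");
    if (thirdParty && (a.crossorigin ?? "").toLowerCase() !== "anonymous") issues.push("crossorigin not anonymous");
    if (issues.length) findings.push({ src: a.src, host, issues });
  }
  return findings;
}

// Build a script-src directive that admits only the allowlisted origins, so a
// login page refuses any script injected from elsewhere even if a CDN is hijacked.
function buildScriptSrcDirective(firstParty = FIRST_PARTY) {
  const hosts = [...firstParty].map((h) => `https://${h}`).sort();
  return `script-src 'self' ${hosts.join(" ")}`;
}

// Constructed sample page: two first-party scripts, one unpinned third-party
// script, one third-party script pinned with SRI.
const SAMPLE_HTML = `<html><head>
<script src="/assets/app.js"></script>
<script src="https://static.example.com/vendor.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.third-party.example/v3/polyfill.min.js"></script>
<script src='https://cdn.partner.example/widget.js' integrity="sha384-BBBB" crossorigin="anonymous"></script>
</head><body></body></html>`;

console.log(auditScripts(SAMPLE_HTML), buildScriptSrcDirective());
```

Run it against a fetched copy of each sensitive page on a schedule; a new finding means a script origin appeared that the team did not deploy.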

Chinese APT deploys new malware to keep access to hacked networks

Source: BleepingComputer | Risk: High | Impacted: M365 tenants, Organizations targeted by Chinese APTs, Environments with weak SaaS monitoring or legacy SSO policies

Summary: A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.

Why it matters: Sophisticated adversaries sustaining long-term access via custom malware in Microsoft 365 environments raise the stakes for cloud and hybrid organizations that rely heavily on SaaS for business operations.

Practitioner Perspective

UNC5221 is adapting to detection by using previously unseen malware for persistence and exfiltration inside Microsoft 365. Traditional endpoint or perimeter controls offer little resistance when attackers establish backdoors directly in SaaS ecosystems. These campaigns demonstrate that compromise can persist undetected if organizations lack granular SaaS telemetry and do not hunt for suspicious app registrations or token misuse. Security teams should enhance monitoring of M365 audit logs and application consent grants and assume that trusted providers are not immune to advanced threat activity. The focus must shift to forensic review and detection engineering tailored for cloud identity abuse and backdoor deployment.

Recommended Actions

  • Hunt for signs of Brickstorm, Plenet, and AgentPSD malware in Office 365 audit and authentication logs
  • Review all application consents and third-party app registrations in M365 environments

Dark web Nemesis Market vendor gets 26 years for selling drugs

Source: BleepingComputer | Risk: Medium | Impacted: Dark web market participants, Law enforcement agencies, Cybercrime monitoring teams

Summary: A California man was sentenced to more than 26 years in federal prison for trafficking fentanyl and methamphetamine through Nemesis Market, one of the world’s largest dark web marketplaces.

Why it matters: Law enforcement’s ability to prosecute major online vendors demonstrates operational reach and may disrupt organized cybercriminal activity, but is unlikely to affect the core technical risks posed by dark web marketplaces in the short term.

Practitioner Perspective

The sentencing serves as a reminder that judicial efforts can impact prolific cybercriminals, but core market infrastructure often persists. Organizations monitoring for exposure of credentials or data on dark web markets need continuous vigilance, as market takedowns or arrests may only temporarily disrupt activity. Security teams should have processes for responding to data leakage and employee compromise originating from these illicit markets.

Recommended Actions

  • Monitor dark web sources for organization-related credential or data leaks
  • Notify relevant stakeholders if new exposures are discovered in cybercrime forums

Emerging Signals

(No entries for this section today.)

Exploits & CVEs
Critical Everest Forms Pro flaw exploited to take over WordPress sites

Source: BleepingComputer | Risk: High | Impacted: Public-facing WordPress sites, Organizations running Everest Forms Pro plugin, Web teams responsible for intake or registration forms

Summary: Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website.

Why it matters: Sites running vulnerable Everest Forms Pro plugins face full site takeover, enabling attackers to plant malware, exfiltrate data, or leverage compromised sites to attack downstream visitors and partners.

Practitioner Perspective

Active exploitation of CVE-2026-3300 demonstrates the chronic risk of undermaintained WordPress plugins with elevated privileges. Attackers have automated exploitation at scale, so defenders should not assume obscurity is protection. Teams with marketing, HR, or intake workflows built on WordPress forms are particularly at risk, as compromise may not be noticed until after defacement or data loss. Organizations need to patch or disable vulnerable Everest Forms Pro instances and review plugin lifecycle management. If exploitation is suspected, rapid containment and forensic review are mandatory, as attackers often deploy persistent access post-compromise.

Recommended Actions

  • Apply patches for CVE-2026-3300 to all Everest Forms Pro installations
  • Audit access logs for suspicious admin activity or plugin abuse related to Everest Forms Pro

CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers

Source: BleepingComputer | Risk: High | Impacted: Businesses running SolarWinds Serv-U, IT teams relying on Serv-U for file transfer, Organizations with legacy or poorly maintained file transfer infrastructure

Summary: CISA warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.

Why it matters: Active exploitation of unpatched SolarWinds Serv-U servers can cause immediate operational outages and open avenues for follow-on attacks while systems are offline.

Practitioner Perspective

With proof-of-concept and active exploitation circulating, any Serv-U instance not patched is a liability, especially in environments reliant on file transfer services. Denial-of-service can serve as both a smokescreen and an opportunity for deeper compromise during restoration. Many organizations still overlook lesser-known file transfer services in asset discovery and vulnerability management, leading to delayed response. Prioritize Serv-U visibility, update cadence, and isolation. For regulated sectors, failure to remediate may result in more than just downtime: expect scrutiny or penalties if deadlines pass.

Recommended Actions

  • Deploy SolarWinds Serv-U patches for the recent high-severity DoS CVE to all internet-facing servers
  • Monitor for unexplained file transfer outages or server stability issues on Serv-U hosts

Defensive Actions

  • Review Meta AI support reset logic for privilege escalation or insufficient verification controls
  • Enforce multi-factor authentication and alerting for any AI-initiated password resets
  • Audit recent password changes linked to automated or support-driven requests in Instagram and Meta platforms
  • Simulate attack scenarios against self-service and delegated recovery flows in major SaaS accounts
  • Inventory Windows Terminal deployments and confirm AI-related feature enablement policies
  • Assess whether Intelligent Terminal or similar AI-shell integrations introduce elevated privilege, unsigned code, or network transfer risks
  • Monitor local logs for suspicious shell command execution arising from AI-driven suggestions
  • Restrict installation of unapproved or experimental AI terminal plugins via endpoint management
  • Update GL.iNet GL-MT3000 firmware to version 4.7 or later to mitigate CVE-2026-11448
  • Review firewall rules insulating GL.iNet routers from untrusted WAN or LAN access
  • Urgently deploy PAN-OS patch for CVE-2026-0257 to all GlobalProtect VPN gateways
  • Monitor for anomalous VPN logins and configuration changes since vulnerability disclosure
  • Apply the SolarWinds Serv-U CVE-2026-28318 hotfix or patch to all vulnerable instances before the federal deadline
  • Validate all Serv-U servers are included in vulnerability management inventory

What We’re Watching

  • Surge in attacks abusing AI-powered workflow automations for account takeover and privilege escalation
  • Ongoing exploitation of edge and IoT device vulnerabilities for lateral movement and malware staging
  • Law firm and professional services targeting via voice-based social engineering
  • Widespread impacts from supply chain manipulation of CDN-hosted JavaScript libraries
  • Increasing persistence of state-backed actors in SaaS and cloud environments

Stay vigilant and prioritize patching and monitoring of public-facing assets, SaaS environments, and authentication workflows.

Categories: Cybersecurity Blog, Cybersecurity News