A WordPress plugin supply chain attack hit PushEngage, OptinMonster, and TrustPulse. Attackers created hidden admin accounts and installed web shells. redsecuretech.co.uk/blog/pos… #PushEngage #SupplyChainAttack #WordPressSecurity #OptinMonster #TrustPulse #WebShell #HiddenAdmin
10
🚨 CYBER INTELLIGENCE ALERT: 🇪🇺🇺🇦 [UNCONFIRMED] MASSIVE WEBSHELL REPOSITORY CAMPAIGN BY THE EXPSX9 ACTOR ("X9 LIST")
[STATUS: UNCONFIRMED / PERIMETER COMPROMISE / WEBSHELL REPOSITORY / MULTI-SECTOR IMPACT]

A post attributed to the threat actor ExpSX9 has been detected on Telegram channels. The actor has published a list of targets across multiple sectors in Europe and Ukraine, suggesting the successful injection or upload of malicious WebShell scripts for remote command execution or subsequent resale of initial access.

Threat Actor: ExpSX9
Leakage Campaign: X9 List
Compromise Vector: Loading and Deployment of WebShells (PHP/ASPX).

📂 Breakdown of Compromised Infrastructures and Domains
Analysis of the sample reveals an indiscriminate selection of automated targets, ranging from local government portals to non-governmental organizations (NGOs) and universities:
🇪🇸 catedrax.us.es (University of Seville - Spain): Institutional subdomain assigned to academic projects or chairs at the University of Seville. Hosting a WebShell here compromises the reputation of the educational domain (.es) and serves as a pivot point for academic malware campaigns.
🇫🇷 curtafond-mairie.fr (Government Sector - France): Official portal of the Curtafond Town Hall (Mairie). The presence of access points on local government servers increases the risk of exfiltration of civil records or PII (Personally Identifiable Information) of citizens.
🇺🇦 caritas.if.ua (Humanitarian Sector / NGO - Ukraine): Website of the international charity Caritas in the Ivano-Frankivsk region. It represents a vulnerable target due to its handling of humanitarian aid and donor data.
🇨🇿 merkurpolice.cz / carboservis.cz (Czech Republic): Czech commercial and industrial domains focused on corporate services.
🇮🇹 cnesc.it / cleanedizioni.it (Social and Publishing Sector - Italy): Portals linked to the National Civil Service Conference (CNESC) and publishing houses specializing in architecture and culture.
🌐 crytek-hq.com / childreninperaculture.com / cuevasdelpino.com: Global entertainment platforms, permaculture educational organizations, and rural tourism sites.

⚠️ Risk and Tactical Impact Considerations
Defacement and Malware Distribution: Web shells planted by ExpSX9 grant the attacker full control over web server file systems. This facilitates the modification of main pages (defacement), the hijacking of legitimate web traffic to redirect users to fake banking portals, or the injection of scripts for automated malware downloads (drive-by downloads).
Initial Access Brokerage (IAB): Ransomware syndicates commonly acquire these batches of basic web shells to use as initial entry points, escalating privileges within government or university internal networks to launch full-encryption attacks.

🛡️ Recommended Actions (Defensive Level)
Forensic Scanning of Public Directories: Prioritize notifying the IT teams of affected domains (with special emphasis on government and academic environments such as us.es and mairie.fr) to run perimeter scanning tools (e.g., YARA rules specific to web shells), locating scripts that have been modified or recently created in write-enabled folders like /uploads/, /images/, or /wp-content/.
HTTP Access Log Review: Analyze unusual POST requests directed at isolated files that show prolonged execution times or anomalous parameter passing (e.g., cmd=, exec=), and isolate the corresponding hosts.

VECERT TOOLS
Strategic Monitoring Tools & Intelligence Platform: 🌐 analyzer.vecert.io
Security Verification & Monitoring: 🛡️ monitor.vecert.io

#CyberSecurity 🔐 #ThreatIntelligence 📊 #WebShell #ExpSX9 #X9List #Spain 🇪🇸 #France 🇫🇷 #Ukraine 🇺🇦 #GovTech #EduTech #VECERT 🏢
5
693
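The "HTTP Access Log Review" step in the alert above, turned into a small triage script as an added example (not part of the post or of VECERT's tooling): it parses combined-format access log lines and flags POSTs to script files sitting in write-enabled directories, plus any request carrying a cmd= or exec= parameter. The directory list, script extensions and the sample log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Write-enabled directories and parameter names taken from the alert's recommended actions.
WRITABLE_DIRS = ("/uploads/", "/images/", "/wp-content/")
SUSPICIOUS_PARAMS = {"cmd", "exec"}
SCRIPT_EXTS = (".php", ".phtml", ".asp", ".aspx", ".jsp")  # assumed list

# Combined log format; the request target is captured whole so the query string survives.
# Request duration (Apache %D / nginx $request_time) is not in this format, so the
# "prolonged execution time" signal from the alert needs that field added to the log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2026:10:01:09 +0000] "POST /wp-content/uploads/2026/06/img.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [14/Jun/2026:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jun/2026:10:03:11 +0000] "POST /images/.cache.php HTTP/1.1" 200 412 "-" "curl/8.0"
"""

def triage_line(line):
    """Return the reasons a request looks like web-shell traffic, or [] if it looks clean."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    hit = SUSPICIOUS_PARAMS & {k.lower() for k in params}
    if hit:
        reasons.append("suspicious parameter(s): " + ",".join(sorted(hit)))
    if any(d in path for d in WRITABLE_DIRS) and path.lower().endswith(SCRIPT_EXTS):
        reasons.append(f"script served from write-enabled dir: {path}")
        if m["method"] == "POST":
            reasons.append("POST directly to an isolated file")
    return reasons

def triage_log(text):
    """Run triage_line over a whole log; return (ip, target, reasons) for flagged requests."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            m = LINE_RE.match(line)
            flagged.append((m["ip"], m["target"], reasons))
    return flagged

if __name__ == "__main__":
    for ip, target, reasons in triage_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

Flagged source addresses are the hosts the alert says to isolate; the unflagged /wp-login.php POST shows why the rule is scoped to write-enabled directories rather than to every POST.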
SharePoint Server RCE via webshell upload — CVE-2026-45454. A user with basic Contribute perms can upload an ASPX webshell to the Master Page Gallery and get code execution as the app pool identity. One HTTP request, no admin needed. Patch now. aretiq.ai/research/12/

44
153
16,666
364 Artifacts 112[.]213.124.132 !!! Sqlmap, Telerik Exploit, SSRF, WebShell, Wordpress Exploit, Zyxel Exploit, All In One Attacker Server. app.etugen.io/trashpile/112.… #attacker #malware #c2 #china #webshell #scanner
4
135
🚨 CYBER INTELLIGENCE REPORT: 🇺🇸🇧🇭🇱🇰 🇲🇽🇦🇷🇮🇱🇹🇼🇬🇧🇮🇳🇨🇳 [GLOBAL MONITORING] CONSOLIDATED THREAT SIGNALS
[ISSUE DATE: JUNE 14, 2026]
[STATUS: HIGH-IMPACT MONITORING / GEOPOLITICAL, FINANCIAL, AND CRITICAL SABOTAGE OPERATIONS]

Thermal processing and flow structuring of 20 tactical signals intercepted in the last few hours have been completed. The situation reveals an aggressive escalation in the sabotage of critical infrastructure (fuels), leaks from government intelligence agencies in Latin America, and persistent extortion and denial-of-service activity globally.

🏭 1. CRITICAL INFRASTRUCTURE AND FINANCIAL SECTOR
🇺🇸 United States | Fuel Supply Sabotage (Case #14606): Actor: Infrastructure Destruction Squad. Vector: Alleged ransomware and encryption attack against fuel distribution systems in Ohio (specifically the Holtfield Station in Hillsboro). The group announced the start of processes to destroy and encrypt operating systems.
🇧🇭🧭 Middle East (Bahrain) | Banking Denial-of-Service Attacks (Case #14613): Actor: GORZ ROSTAM. Vector: Coordinated DDoS attack campaign against portals and financial institutions in the region, resulting in the downtime and verified disruption of servers belonging to entities such as Mashreq Bank (mashreq.com).
🇱🇰 Sri Lanka | Compromise and Backdoor in Banking Link (Case #14612): Actor: BLACK MARKET 1337. Vector: Consolidation of the sale of persistent WebShell access and hardcoded persistence using GS-NetCat keys on the payroll and human resources server of the Sri Lanka Bankers Institute (ibsl.lk).
🇲🇽 Mexico | Exfiltration and School-Targeting Campaign (Cases #14608 and #14607): Actor: Cortex-group (Operator: Azazel). Details: Confirmed extraction of 90,000 records—including CURPs (Unique Population Registry Codes), names, campuses, and degree programs—belonging to Conalep, alongside the theft of 400 student photographs. Additionally, the deployment of a malicious executable binary (exploit) designed to target national teacher training systems was detected.
🇦🇷 Argentina | Active Threats Against Police Forces (Case #14615): Actor: vLeakz. Details: The actor continues to develop and prepare for an imminent cyberattack ("Future Attack") against the Buenos Aires Police.

🌐 3. GEOPOLITICS, CYBERESPIONAGE, AND MILITARY OPERATIONS (APT / DDoS)
🇮🇱 Israel / Turkey | Military Command Network Breach (Case #14617): Actor: We are Cardinal (Cardinal Faction). Vector: Launch of "Operation Arrow of God." The group announced the end of a 70-day period of operational silence to reveal that its "Apollon-Virus" malware strain successfully breached Israel Defense Forces (IDF) command networks.
🇹🇼 Taiwan | Disruption of State Road Infrastructure (Case #14618): Actor: BD Anonymous. Vector: Distributed Denial-of-Service (DDoS) attack that successfully took down the official web platform of Taiwan's National Highway Police Bureau (outage externally validated via Check-Host).
🇬🇧 United Kingdom | Sabotage of Military Drone and Energy Sectors (Cases #14616 and #14600): Actor: Dark storm (Operation OpGreatBritain). Vector: Coordinated DDoS attacks impacting the web availability of the British energy sector and portals of engineering firms specializing in the development and production of Unmanned Aerial Vehicles (UAVs/Drones).
🇺🇸 United States | Presidential Operational Disinformation (Case #14614): Actor: TEAM BD DARK FORCE. Vector: Campaign classified as disinformation, focusing on an attempt to leak data and personal information (doxing) linked to President Donald Trump.

💻 4. BLACK MARKETS, BOTNETS, AND CLANDESTINE DISPUTES
🇮🇷 Iran | Deployment of New Botnet Infrastructure (Case #14610): Actor: Threat Market. Detail: Announcement and imminent launch of the BTMOB 4.6 (Bob Botnet) network malware update.
🇷🇺 Russia | Clandestine OSINT Intelligence Automation (Case #14611): Actor: csint .pro. Detail: Telegram launch of the "Exposed ID" automated system, a criminal intelligence aggregation engine that consolidates over 150 leaked database sources.
🇮🇳 India | Credential Compromise and Active WebShells (Case #14605): Actor: Garuda security. Detail: Public exposure of hardcoded administrative credentials and embedded WebShell paths within the MES Medical College educational and institutional portal.

#CyberSecurity 🔐 #ThreatIntelligence 📊 #DDoS #Ransomware 💸 #MilitaryEspionage #Mexico 🇲🇽 #Taiwan 🇹🇼 #VECERT 🏢
5
19
5,908
🚨 CYBER INTELLIGENCE ALERT: 🇱🇰 [UNCONFIRMED] ALLEGED SALE OF PERSISTENT ACCESS AND INFRASTRUCTURE INTRUSION — INSTITUTE OF BANKER'S OF SRI LANKA (IBSL)
[STATUS: UNCONFIRMED / INITIAL ACCESS BROKER (IAB) / SERVER COMPROMISE / FINANCIAL-EDUCATIONAL SECTOR]

An offer has been detected on clandestine channels (identified under the section "BLACK MARKET 1337 | NEW", visible in the screenshot) that is selling persistent server-level access that directly compromises the official platform of the Institute of Banker's of Sri Lanka (ibsl.lk).

Threat Actor: BLACK MARKET 1337
Affected Entity: Institute of Banker's of Sri Lanka (ibsl.lk/)

📂 Technical Analysis of the Intrusion and Persistence (Terminal Evidence)
According to the Indonesian-language announcement and the terminal-based proof of concept (PoC) shown in the image evidence, the attacker has managed to establish command execution privileges within the server, detailing advanced technical capabilities:

1. Diagnosis of the Compromised Environment (System Logs)
The interactive terminal reveals that the attackers have compromised a virtualized environment in the cloud (specifically on the Microsoft Azure infrastructure):
Host Identifier: VM-SMS (This name critically suggests that the server hosts or is directly connected to the institute's payroll, human resources, and SMS messaging system).
Privilege Level: The attacker executes commands under the standard web user account, with the ability to list active processes (ps auxf), view environment variables, and map the system architecture.

2. Access Vectors and Hardcoded Evasion
The actor advertises access through three malware control methods:
Operational WebShell (ASPX/PHP): A browser-based interface for uploading, downloading, and manipulating web system files, explicitly evading the rules ...of the Web Application Firewall (WAF).
Reverse Shell / Bind Shell Ready: Communication channels ready to establish reverse connections to the attacker's infrastructure.

3. Advanced Persistence Mechanism (GS-NetCat)
The most critical technical aspect of the alert lies in the installation of GS-NetCat (Global Socket Netcat). The attacker details having embedded a secret backup key (Key Backup: GS-NetCat Installed & Embedded).
Self-healing Function: If the IT team or the institute's antivirus software detects and removes the main WebShell file, attackers can reactivate and restore full access within seconds using the encrypted background connections provided by the GS-NetCat key.

🛡️ Recommended Actions (Tactical Level)
Network Threat Hunting (GS-NetCat Hunting): IBSL network administrators are strongly advised to inspect outbound connections and active sockets on their Linux servers for anomalous binaries or network traffic linked to Global Socket tools (ports and encrypted outbound connections utilizing external server relay).

VECERT TOOLS
Strategic Monitoring Tools & Intelligence Platform: 🌐 analyzer.vecert.io
Security Verification & Monitoring: 🛡️ monitor.vecert.io

#CyberSecurity 🔐 #ThreatIntelligence 📊 #SriLanka 🇱🇰 #IBSL #InitialAccess #WebShell #GSNetCat #FinancialInvestigation 💸 #Azure #VECERT 🏢
1
1
6
1,858
Finding a webshell is half the job. The new JCE check in mySites.guru finds rogue profiles and backdoors, then lets you remove them and patch JCE from the same screen. mysites.guru/blog/finding-ev…
1
20