Cyware Daily Threat Intelligence, June 10, 2025


Daily Threat Briefing June 10, 2025

Fake wallet apps are slipping through the cracks on Google Play. Over 20 phishing applications impersonating popular crypto wallets have been found stealing mnemonic phrases to drain users’ funds. Distributed via compromised developer accounts, the apps have been linked to over 50 phishing domains.

Wazuh servers are now a hot target for botnet operators. Researchers observed active exploitation of a critical flaw allowing remote code execution via unsanitized API requests. Both a Mirai variant and the Resbot botnet are abusing the flaw to infect IoT devices with malware across multiple architectures.

Another day, another remote code execution bug patched under pressure. A critical RCE vulnerability in ManageEngine Exchange Reporter Plus has been patched following its discovery in the Content Search module. Attackers could use it to take over systems entirely, prompting an emergency update from ManageEngine.

Top Malware Reported in the Last 24 Hours

Crypto phishing apps on the Play Store

Over 20 malicious cryptocurrency phishing applications were identified on the Google Play Store, targeting users by impersonating popular wallets like SushiSwap and PancakeSwap. These apps steal users' mnemonic phrases, allowing attackers to access and drain cryptocurrency funds. They were distributed through compromised developer accounts and utilized phishing URLs embedded in privacy policies. The threat actors employed frameworks for rapid app deployment and operated a coordinated campaign linked to over 50 phishing domains. Some apps directly loaded phishing sites in WebView, further deceiving users into providing sensitive information.

Mirai exploits Wazuh vulnerability

Akamai detected active exploitation of CVE-2025-24016, a critical RCE vulnerability in Wazuh servers with a CVSS score of 9.9. The vulnerability allows attackers to execute arbitrary code via unsanitized API requests. Two botnets, a Mirai variant and the Resbot botnet, exploit it to spread malware targeting IoT devices. CVE-2025-24016 affects Wazuh versions 4.4.0 to 4.9.0, with a fix available in version 4.9.1. The first botnet uses shell scripts to download and execute Mirai malware payloads named "morte," targeting various architectures. The second botnet, Resbot, uses Italian-themed domains and targets IoT devices with its payload named "resgod."
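A quick inventory triage for the affected range given above, added here as an example and not taken from the briefing or from Wazuh: it parses version strings as they typically appear in asset lists and flags managers that fall in 4.4.0 through 4.9.0 (anything below 4.9.1). The hostnames and version strings are constructed sample data.

```python
# Added example: classify Wazuh hosts against the CVE-2025-24016 version
# range the briefing reports (4.4.0 to 4.9.0 affected, fixed in 4.9.1).
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (4, 4, 0)   # first affected release named in the briefing
FIXED_IN = (4, 9, 1)       # first release that carries the fix

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of strings such as 'v4.7.2',
    'Wazuh 4.9.0' or '4.8.1-1'. Returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_affected(version_text: str) -> Optional[bool]:
    """True when the version lies in [AFFECTED_MIN, FIXED_IN), False when
    outside that range, None when the string could not be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED_IN

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into 'patch', 'ok' and 'unknown' for follow-up."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, ver in inventory.items():
        state = is_affected(ver)
        key = "unknown" if state is None else ("patch" if state else "ok")
        buckets[key].append(host)
    return buckets

# Constructed sample inventory; hostnames are placeholders, not real assets.
SAMPLE_INVENTORY = {
    "wazuh-mgr-01": "v4.9.0",      # last affected release
    "wazuh-mgr-02": "Wazuh 4.9.1", # first fixed release
    "wazuh-mgr-03": "4.3.11",      # predates the affected range
    "wazuh-mgr-04": "4.7.5-1",     # package suffix is ignored
    "wazuh-mgr-05": "unknown",     # needs manual verification
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket should be checked by hand rather than assumed safe.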

SoraAI branding used for malware distribution

Malicious actors are exploiting the popularity of OpenAI's SoraAI, using GitHub to distribute malware disguised as a shortcut file named SoraAI.lnk. This multi-stage attack chain employs social engineering tactics to steal sensitive data, leveraging trusted platforms and tools to evade detection. The malware extracts browser cookies, passwords, system information, and more, with exfiltrated data sent via Telegram and GoFile[.]io.

Top Vulnerabilities Reported in the Last 24 Hours

Bug in ManageEngine Exchange Reporter Plus

A critical vulnerability (CVE-2025-3835) in ManageEngine Exchange Reporter Plus allows remote code execution, potentially compromising system integrity. The flaw resides in the Content Search module, making it an attractive target for attackers to inject malicious code. Attackers exploiting this vulnerability can gain full control of affected servers, enabling data theft, malware installation, and lateral movement within networks. ManageEngine released an emergency security update (Build 5722) on May 29 to patch the vulnerability and urged immediate application of the update.

CISA adds flaws to KEV catalog

CISA added two critical vulnerabilities impacting Erlang/OTP SSH (CVE-2025-32433) and Roundcube Webmail (CVE-2024-42009) to its KEV catalog due to active exploitation. CVE-2025-32433 allows unauthenticated remote code execution on Erlang/OTP SSH servers and was fixed in April 2025. CVE-2024-42009, fixed in August 2024, is an XSS vulnerability in Roundcube Webmail that enables attackers to steal emails. PoC exploits for CVE-2025-32433 have been released, and U.S. agencies must patch by June 30.
