The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys.

Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied.

Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error.

Top Malware Reported in the Last 24 Hours

Rhadamanthys Stealer returns with copyright phishing

A phishing campaign targeting central and eastern Europe uses copyright infringement lures to distribute Rhadamanthys Stealer. Threat actors exploit DLL side-loading techniques by hijacking the execution flow of a legitimate PDF reader, delivering malicious payloads through emails that impersonate legal departments. These emails accuse recipients of copyright violations, leading to downloads from services like Mediafire. The malware establishes persistence via Windows Registry Run keys and exfiltrates sensitive information. The campaign primarily targets multimedia professionals, leveraging localized language to enhance credibility and engagement.

Formjacking malware targets WooCommerce

Sophisticated formjacking malware has been discovered targeting WooCommerce checkout pages on WordPress sites. The malware injects fake payment forms to steal sensitive customer data, including credit card details. The malware uses browser localStorage to store stolen data persistently across sessions, ensuring resilience and anti-forensic capabilities. The infection likely originated from a compromised WordPress admin account, with malicious JavaScript injected via a plugin like Simple Custom CSS and JS.

Malicious VS Code extensions drop spyware

Datadog identified three malicious VS Code extensions targeting Solidity developers: solaibot, among-eth, and blankebesxstnion. These extensions disguise themselves as legitimate tools while concealing harmful code. The extensions deliver multi-stage, obfuscated malware, including payloads hidden inside image files hosted online, to exfiltrate data and establish persistence on Windows systems. The malware campaign is attributed to a single threat actor, MUT-9332, who previously distributed a Monero cryptominer via backdoored VS Code extensions. The malicious extensions were downloaded fewer than 50 times before being removed from the VS Code Marketplace, and metadata suggests they impersonated legitimate publishers. The browser extension in extension.zip exfiltrates Ethereum wallet credentials by injecting scripts into Chromium-based browsers.

Top Vulnerabilities Reported in the Last 24 Hours

Flaw in GitLab Duo

GitLab Duo was found vulnerable to remote prompt injection, leading to private source code theft and manipulation of AI-generated outputs. Attackers exploited hidden prompts embedded in comments, descriptions, and source code to manipulate Duo’s behavior. Techniques like Unicode smuggling, Base16 encoding, and invisible text were used to hide malicious prompts. HTML injection allowed malicious URLs and raw HTML to be rendered, bypassing sanitization and enabling data exfiltration via <img> tags. Duo’s access to private source code and project issues made it susceptible to leaking confidential information, including zero-day vulnerabilities.

Critical bug in Versa Concerto

Three critical vulnerabilities were discovered in Versa Concerto platform, affecting SD-WAN and SASE solutions. The flaws, identified by ProjectDiscovery in February 2025, include a privilege escalation vulnerability (CVE-2025-34025), an authentication bypass (CVE-2025-34026), and a remote code execution risk (CVE-2025-34027). Despite being notified in mid-February, Versa has not publicly released patches, although hotfixes were made available to customers on March 7 and a software update on April 16. 

NETGEAR router bug enables admin access

A critical vulnerability (CVE-2025-4978) with a CVSSv4 score of 9.3 has been identified in the NETGEAR DGND3700v2 router, allowing unauthenticated remote attackers to bypass login credentials through a hidden backdoor in the web interface. By accessing the endpoint /BRS_top.html, attackers can disable HTTP Basic Authentication, granting full administrative access to the router's configuration. This flaw affects devices running firmware version V1.1.00.15_1.00.15NA, enabling attackers to modify settings, install malware, and disable security features. NETGEAR has released firmware version 1.1.00.26 to address this issue.

Threats in Spotlight

Fake Ledger apps target macOS users

Hackers are using fake Ledger apps to target macOS users, aiming to steal seed phrases that secure access to cryptocurrency wallets. The malware impersonates the legitimate Ledger app and tricks users into entering their seed phrases on phishing pages. The campaign has evolved since August 2024, with the latest malware, Odyssey, replacing the Ledger Live app on victims' devices. It includes a phishing page that prompts users to enter their 24-word seed phrase after a fake error message. The malware can also steal macOS usernames and exfiltrate data to a C2 server. Copycat attacks have emerged, including the AMOS stealer, which uses a DMG file to bypass security and install a trojanized Ledger Live clone.