Cyware Daily Threat Intelligence, May 29, 2025

Daily Threat Briefing • May 29, 2025
APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries.
AyySSHush doesn’t make noise; it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and survive firmware updates unnoticed. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use.
OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.
APT41 abuses Google Calendar
Chinese state-sponsored group APT41 exploited Google Calendar for malware command-and-control operations using the TOUGHPROGRESS malware. The attack targeted government entities and various industries globally. It involved spear-phishing emails with ZIP files that contained malware disguised as PDF documents. The malware operated through three components: PLUSDROP for decryption, PLUSINJECT for process hollowing, and TOUGHPROGRESS for C2 via Google Calendar. Encrypted commands were stored in calendar events, allowing attackers to control compromised Windows hosts effectively.
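Because the calendar events themselves are the C2 channel, one defender-side check is to audit a tenant's calendar exports for events whose description is an opaque encoded blob rather than text. The script below is an added example, not code from the report or from any vendor: the events are constructed to resemble Google Calendar API `events.list` items (the field names `id`, `summary`, `description` and `start.date` are real, the content is made up), and the "encrypted command" is deterministic random bytes standing in for a payload, not real TOUGHPROGRESS traffic. It flags long base64-looking tokens whose Shannon entropy is well above that of prose.

```python
import base64
import math
import random
import re
from typing import Dict, List

# Constructed sample. The suspicious blob is deterministic random bytes,
# base64-encoded, standing in for an encrypted command; it is NOT real C2 data.
_rng = random.Random(7)
_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(96))).decode()

SAMPLE_EVENTS: List[Dict] = [
    {"id": "ev-001", "summary": "Team sync", "start": {"date": "2025-05-29"},
     "description": "Agenda: roadmap review, hiring update. "
                    "Dial-in: https://meet.example.test/abc"},
    {"id": "ev-002", "summary": "Dentist", "start": {"date": "2025-05-30"},
     "description": ""},
    {"id": "ev-003", "summary": "", "start": {"date": "2025-05-30"},
     "description": _BLOB},
]

# A single unbroken run of base64 alphabet, at least 64 chars, optional padding.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload(text: str, min_entropy: float = 4.5) -> bool:
    """True if any whitespace-separated token is a long base64-looking run
    with entropy clearly above English prose (roughly 4.1 bits/char).
    URLs and normal sentences fail the regex; random ciphertext passes both."""
    for token in text.split():
        if _B64_TOKEN.match(token) and shannon_entropy(token) >= min_entropy:
            return True
    return False


def flag_events(events: List[Dict]) -> List[str]:
    """Return ids of events whose description carries an opaque encoded blob."""
    flagged = []
    for ev in events:
        if looks_like_payload(ev.get("description") or ""):
            flagged.append(ev["id"])
    return flagged


if __name__ == "__main__":
    for event_id in flag_events(SAMPLE_EVENTS):
        print("suspicious calendar event:", event_id)
```

The entropy threshold is deliberately conservative; the regex does most of the work, since a 64-character run with no spaces or punctuation almost never occurs in a human-written event description. Tuning on a real calendar export should start from the false-positive rate on known-good events.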
Another day, another malicious WordPress plugin
A malicious WordPress plugin disguised as Yoast SEO was discovered in the /wp-content/plugins/contact-form/ directory, injecting fake "Java Update" pop-ups to deceive website visitors. The plugin targeted non-admin users, showing them a fake Java update dialog with visuals and progress bars that led to the download of a malicious executable file. The plugin hid itself from the WordPress admin dashboard, complicating detection and removal. The injected JavaScript targeted primarily Windows users, initiating malicious downloads and tracking user activity through hidden forms and cookies.
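A plugin that claims to be Yoast SEO but lives in a directory other than Yoast's real slug (`wordpress-seo`) is detectable from the filesystem alone, without trusting the admin dashboard the plugin hides from. The scanner below is an added example, not the researchers' tooling: it builds a constructed plugin tree in a temporary directory, reads each plugin's `Plugin Name:` header, and reports a name/directory mismatch, a fake-update lure string in client-side code, and, as an assumed hiding mechanism the page does not name, a filter on the `all_plugins` hook (a real WordPress filter commonly used to remove a plugin from the dashboard list).

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# WordPress.org slug for a well-known plugin; a header claiming this name
# from a different directory is a masquerade indicator.
KNOWN_SLUGS = {"Yoast SEO": "wordpress-seo"}

# Strings that point at the fake "Java Update" lure described above.
LURE_MARKERS = ("Java Update", "java-update")

# Assumed hiding mechanism: filtering the dashboard plugin list.
HIDE_MARKER = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")

_HEADER = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_name(php_source: str) -> Optional[str]:
    """Extract the 'Plugin Name:' value from a WordPress plugin header block."""
    m = _HEADER.search(php_source)
    return m.group(1) if m else None


def scan_plugins(root: str) -> List[Dict[str, str]]:
    """Walk <root>/<slug>/* and return one finding per suspicious indicator."""
    findings: List[Dict[str, str]] = []
    for slug in sorted(os.listdir(root)):
        pdir = os.path.join(root, slug)
        if not os.path.isdir(pdir):
            continue
        for fname in sorted(os.listdir(pdir)):
            with open(os.path.join(pdir, fname), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if fname.endswith(".php"):
                name = parse_plugin_name(src)
                expected = KNOWN_SLUGS.get(name) if name else None
                if expected and expected != slug:
                    findings.append({"plugin": slug, "file": fname, "issue":
                        f"header claims '{name}' but directory is '{slug}' (expected '{expected}')"})
                if HIDE_MARKER.search(src):
                    findings.append({"plugin": slug, "file": fname,
                                     "issue": "filters all_plugins (hides from dashboard list)"})
            if fname.endswith((".js", ".php")) and any(m in src for m in LURE_MARKERS):
                findings.append({"plugin": slug, "file": fname,
                                 "issue": "fake 'Java Update' lure string in client-side code"})
    return findings


def build_fixture() -> str:
    """Constructed plugin tree: the real Yoast slug plus a masquerading copy."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    good = os.path.join(root, "wordpress-seo")
    os.makedirs(good)
    with open(os.path.join(good, "wp-seo.php"), "w") as fh:
        fh.write("<?php\n/*\n * Plugin Name: Yoast SEO\n */\n")
    bad = os.path.join(root, "contact-form")
    os.makedirs(bad)
    with open(os.path.join(bad, "contact-form.php"), "w") as fh:
        fh.write("<?php\n/*\n * Plugin Name: Yoast SEO\n */\n"
                 "add_filter('all_plugins', function($p) {"
                 " unset($p['contact-form/contact-form.php']); return $p; });\n")
    with open(os.path.join(bad, "update.js"), "w") as fh:
        fh.write("if (navigator.userAgent.indexOf('Windows') > -1) "
                 "{ showPopup('Java Update required'); }\n")
    return root


if __name__ == "__main__":
    for finding in scan_plugins(build_fixture()):
        print(finding)
```

Pointing `scan_plugins` at a real `wp-content/plugins` directory works unchanged; extend `KNOWN_SLUGS` with the plugins the site is expected to run so that any header claiming one of those names from the wrong directory is reported.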
Interlock ransomware group drops new RAT
The Interlock ransomware gang has deployed a new RAT named NodeSnake, targeting universities for persistent access to networks. NodeSnake is delivered via phishing emails and utilizes PowerShell or CMD scripts for persistence, creating a deceptive Registry entry. The malware features heavy code obfuscation, randomization of filenames, and cycles through C2 addresses. Once installed, it collects metadata about the user and system, exfiltrating data to the C2, while also allowing the execution of commands and loading additional payloads.
Botnet hacks ASUS routers
Over 9,000 ASUS routers have been compromised by a botnet called AyySSHush, which exploits the CVE-2023-39780 command injection vulnerability to install a persistent SSH backdoor. The attackers gain access through brute-forcing and authentication bypass techniques, and the backdoor lets them maintain access even after firmware updates. They disable logging and security features to evade detection; only 30 malicious requests were recorded over three months despite the widespread infection. The campaign appears aimed at building a network of backdoored routers for future malicious activity, although its exact objectives remain unclear.
Dark Partners: Cybercrime gang targets crypto
Dark Partners, a cybercrime group, has been conducting large-scale cryptocurrency thefts by using fake websites that mimic popular AI, VPN, and crypto tools. These sites deliver malware like Poseidon Stealer (macOS) and Lumma Stealer (Windows) to steal sensitive data, including cryptocurrency wallet information. The group uses anti-sandbox modules, obfuscation, and advanced techniques like retrieving C2 server addresses via Google Calendar links. The malware can exfiltrate data from 76 wallets and desktop applications, with fake download pages designed to target specific operating systems.
Flaw in Microsoft OneDrive File Picker
A flaw in Microsoft's OneDrive File Picker allows web apps like ChatGPT, Slack, Trello, and ClickUp to access users' entire OneDrive content instead of specific files selected by users. The flaw stems from excessive permissions due to the lack of fine-grained OAuth scopes and vague user consent prompts, exposing users to potential security risks. Sensitive secrets, such as tokens, are stored insecurely in browsers, increasing the risk of unauthorized access. Microsoft has acknowledged the issue but hasn't released a fix; users are advised to take precautionary measures.
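The practical question for a tenant admin or app developer is what a picker-issued token can actually reach. The audit below is an added example, not Microsoft's or the researchers' code: it decodes a token's payload without verifying it (it inspects a token the app already holds; it does not decide whether to trust one) and reports any Microsoft Graph delegated scope in the `scp` claim that covers the whole drive. The scope names (`Files.Read`, `Files.ReadWrite`, `Files.Read.All`, `Files.ReadWrite.All`) and the `scp` claim are real; the token is constructed, unsigned, and for this example only.

```python
import base64
import json
from typing import Dict, List

# Microsoft Graph delegated permissions whose reach is the entire drive (or
# every drive the user can access). A picker that only needs the files the
# user chose should not be holding one of these.
WHOLE_DRIVE_SCOPES = {
    "Files.Read": "read every file in the user's OneDrive",
    "Files.ReadWrite": "read and write every file in the user's OneDrive",
    "Files.Read.All": "read every file the user can access, including shared",
    "Files.ReadWrite.All": "read and write every file the user can access",
}


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def decode_jwt_payload(token: str) -> Dict:
    """Return the claims of a JWT WITHOUT verifying its signature.
    Suitable for auditing a token you already hold, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_scopes(token: str) -> List[str]:
    """List the whole-drive scopes granted in the token's 'scp' claim."""
    claims = decode_jwt_payload(token)
    granted = claims.get("scp", "").split()
    return [f"{s}: {WHOLE_DRIVE_SCOPES[s]}" for s in granted if s in WHOLE_DRIVE_SCOPES]


def make_unsigned_token(claims: Dict) -> str:
    """Constructed alg=none token for the example; real tokens are signed."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token shaped like one a file-picker integration might receive.
PICKER_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.ReadWrite offline_access openid profile",
})


if __name__ == "__main__":
    for line in audit_scopes(PICKER_TOKEN) or ["no whole-drive scopes granted"]:
        print(line)
```

A non-empty result means the integration can read (or modify) far more than the files the user picked, which is exactly the exposure the report describes. Since the page notes that no finer-grained scope is available for this flow, the output is a risk record for the consent decision rather than something the app can fix by re-requesting a narrower scope.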
Critical bug in Dell PowerStore T
Dell PowerStore T systems face critical vulnerabilities, including CVE-2025-36572, which allows unauthorized access via hard-coded credentials. The vulnerabilities affect both proprietary and third-party components, with risks ranging from privilege escalation to remote code execution. Dell has released a high-priority update (version 4.0.1.3-2494147) for all affected PowerStore T models and advises immediate installation.