
Daily Cybersecurity Roundup, July 14, 2025

RATs are crawling back, this time not in your basement, but in your servers. Researchers have uncovered a new PHP-based variant of the Interlock RAT, ditching its former JavaScript (NodeSnake) skin for stealthier deployment. Meanwhile, a Belarus-linked threat actor has been spotted dropping a malicious CHM file from Poland, which uses a C++ downloader to fetch a disguised payload posing as an image. Moreover, a stealthy PHP malware on a hacked WordPress site is using ZIP archives to inject code, hijack SEO, redirect traffic, and quietly promote spam. Read further for more cybersecurity updates from the weekend.

01. Researchers have uncovered a new PHP-based variant of Interlock RAT, replacing the earlier NodeSnake version, and spreading through large-scale campaigns using compromised sites and KongTuke web-injects.

02. A Belarus-linked threat actor (likely UNC1151/FrostyNeighbor) uploaded a malicious CHM file from Poland containing a C++ downloader that retrieves and runs a payload disguised as an image.

03. Attackers are exploiting Google’s Gemini AI in Workspace by hiding prompt injections in HTML-styled email text, tricking it into generating phishing links in summaries without using attachments or visible URLs.

04. GPUHammer, a new RowHammer attack variant, targets NVIDIA GPUs, causing memory bit flips that degrade AI model accuracy from 80% to less than 1%.

05. A supply chain attack targeting the Gravity Forms WordPress plugin was discovered, involving malicious code injected into the plugin's files. The malware allows attackers to create administrator accounts, upload files, and remotely execute code.

06. A stealthy PHP malware on a hacked WordPress site uses ZIP archives to inject code, hijack SEO, redirect users, and evade detection to promote spam sites.

07. A zero-day RCE exploit for WinRAR is being sold on the dark web for $80K by a threat actor named “zeroplayer,” targeting current and legacy versions via malicious archive files.

08. Researchers have discovered a critical SQL injection vulnerability (CVE-2025-25257) in Fortinet’s FortiWeb Fabric Connector, which enables unauthorized RCE.

09. Multiple flaws have been uncovered in the Thermomix TM5 that allow firmware downgrades, code execution, and persistent compromise due to weak update security and extractable encryption keys.

10. Virtru, a data security firm, has secured $50 million in a Series D funding round led by ICONIQ, with additional support from Bessemer Venture Partners, Foundry, and The Chertoff Group.
