{"id":1405,"date":"2026-06-22T16:42:10","date_gmt":"2026-06-22T16:42:10","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1405"},"modified":"2026-06-22T16:42:10","modified_gmt":"2026-06-22T16:42:10","slug":"browser-bugs-edr-killers-tv-botnet-openbsd-flaw-android-trojan-and-more","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1405","title":{"rendered":"Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Jun 22, 2026<\/span><\/span><span class=\"p-tags\">Cybersecurity \/ Hacking<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>It\u2019s Monday again.<\/p>\n<p>This week\u2019s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.<\/p>\n<p>The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.<\/p>\n<p>Here\u2019s the Monday recap. 
Let\u2019s get into the week\u2019s mess.<\/p>\n<h2 style=\"text-align: left;\"><b>\u26a1 Threat of the Week<\/b><\/h2>\n<p><b>FortiBleed Campaign Identifies Over 80K Targets <\/b>\u2014 A large-scale campaign codenamed FortiBleed has systematically targeted and compromised Fortinet FortiGate firewall and SSL VPN gateway devices worldwide. According to SOCRadar, it has been running since at least February 2026, with over 80,000 devices identified with working usernames and passwords that have been tested by suspected Russian-speaking threat actors using automated tools running around the clock. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. Fortinet also said the campaign likely involves the threat actors reusing credentials from previous incidents, such as CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA).<\/p>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd14 Top News<\/b><\/h2>\n<ul>\n<li><b><a href=\"https:\/\/thehackernews.com\/2026\/06\/salesforce-disables-klue-app.html\">Salesforce Disables Klue App Integration After New Extortion Campaign<\/b> \u2014 Salesforce revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026. \u00abSalesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app&#8217;s connection to Salesforce,\u00bb the company said. 
\u00abThis issue is limited to Klue&#8217;s app connection and does not arise from a vulnerability within the Salesforce platform.\u00bb The development comes as an extortion group dubbed Icarus compromised and exfiltrated data from customers of Klue after obtaining access through a compromised legacy credential associated with an integration service. A number of companies have publicly acknowledged the incident, but noted the impact is limited.<\/li>\n<li><b>The Gentlemen RaaS Develops GentleKiller EDR Killer Suite<\/b> \u2014 The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for shutting down EDR products before deploying the encryptor. The centerpiece of the group&#8217;s EDR-disabling capability is GentleKiller, an in-house developed framework that comes in eight different variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver. GentleKiller targets over 400 processes belonging to 48 security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET itself.<\/li>\n<li><b>Splunk Flaw Actively Exploited in the Wild <\/b>\u2014 Splunk&#8217;s Product Security Incident Response Team (PSIRT) said it became aware of \u00ablimited exploitation\u00bb of CVE-2026-20253, a critical flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. \u00abIn Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint,\u00bb Splunk said. 
\u00abThe vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.\u00bb In an analysis of the flaw, Resecurity said it&#8217;s \u00abparticularly dangerous\u00bb as it can be exploited remotely without authentication or user interaction. \u00abBy chaining multiple weaknesses together, an attacker can progress from unauthenticated access to arbitrary file operations and ultimately Remote Code Execution (RCE),\u00bb it <a href=\"https:\/\/www.resecurity.com\/blog\/article\/cve-2026-20253-splunk-enterprise-pre-authentication-remote-code-execution\">said<\/a>. \u00abA successful compromise may expose sensitive logs, credentials, security alerts, and operational data while providing attackers with a foothold for persistence, defense evasion, and lateral movement within the environment.\u00bb<\/li>\n<li><b>Unpatchable &#8216;usbliter8&#8217; Exploit Targets Apple A12 and A13 Chips <\/b>\u2014 Security researchers at Paradigm Shift released details of a working exploit dubbed usbliter8 that could be abused to achieve arbitrary code execution inside the SecureROM of Apple&#8217;s A12 and A13 chips. The vulnerability is classified as a hardware bug residing in the Synopsys DWC2 USB controller, meaning the issue can never be patched. That said, a successful exploitation requires an attacker to have physical access to a vulnerable device. A proof-of-concept for usbliter8 has been made publicly available.<\/li>\n<li><b>Operation Endgame Disrupts SocGholish Servers <\/b>\u2014 Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures. 
It was launched in 2024. As part of the effort, 106 servers linked to SocGholish have been taken down, and 14,971 WordPress sites have been rid of the infections. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.<\/li>\n<li><b>Malicious Campaign Fakes Popularity to Deliver Crypto Clipper <\/b>\u2014 A cryptocurrency-stealing malware campaign has been targeting cryptocurrency asset holders and online gamblers by faking its own popularity, dressing up booby-trapped sniper bots and crash-game predictors with bogus GitHub stars, inflated download counts, and artificial intelligence (AI)-narrated YouTube tutorials. The activity has been traced to a Rust-based clipper malware targeting Windows and macOS users. The lures are \u00abedge\u00bb tools that promise easy money, crypto sniper bots, and \u00abpredictors\u00bb that claim to forecast crash-gambling games, aimed at traders and gamblers chasing shortcuts, while a WordPress phishing page acts as the hub, funneling victims to the downloads.<\/li>\n<li><b>Rokarolla Android Trojan Combines Banking Fraud with Screen Surveillance <\/b>\u2014 A new \u00abinvasive\u00bb Android trojan dubbed Rokarolla is being distributed via malicious websites, while masquerading as popular applications like TikTok or Google Chrome. It&#8217;s designed to target 217 distinct cryptocurrency and banking applications by serving fake overlay login screens, in addition to leveraging 137 commands that grant it complete control of a compromised device. It can harvest lock screen credentials, exfiltrate sensitive contact lists and SMS data, monitor the screen to capture WhatsApp data, take screenshots by abusing Android&#8217;s accessibility services, redirect cryptocurrency transactions, and utilize keyloggers to continuously record user input. 
The malware also actively hides its presence from the launcher screen and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect. \u00abThe infection process begins when a dropper misleads users into installing a secondary payload containing the core malware,\u00bb Zimperium said. \u00abBy masquerading as Google Play Protect, the dropper facilitates the installation of this payload. This strategy allows the malware to evade Android restrictions and exploit Accessibility services.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd25 Trending CVEs<\/b><\/h2>\n<p>Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.<\/p>\n<p>Check the list, patch what you have, and hit the ones marked urgent first \u2014 CVE-2026-20262 (Cisco SD-WAN Manager), CVE-2026-54420 (LiteSpeed cPanel Plugin), CVE-2026-48907 (Widget Factory Joomla Content Editor), CVE-2026-4020 (Gravity SMTP WordPress Plugin), <a href=\"https:\/\/www.obsidiansecurity.com\/blog\/litellm-privilege-escalation-rce\">CVE-2026-47101, CVE-2026-47102, CVE-2026-40217<\/a>, <a href=\"https:\/\/github.com\/BerriAI\/litellm\/security\/advisories\/GHSA-4xpc-pv4p-pm3w\">CVE-2026-49468<\/a> (LiteLLM), <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/reversing-nvidias-cve-2026-24190-how-a-kernel-flaw-put-enterprise-ai-clusters-and-workstations-at-risk\">CVE-2026-24190<\/a> (NVIDIA Display Driver for Windows and Linux), <a href=\"https:\/\/horizon3.ai\/attack-research\/disclosures\/cve-2026-48558-simplehelp-authentication-bypass-iocs\/\">CVE-2026-48558<\/a> (SimpleHelp), <a 
href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/contact-form-to-any-api\/vulnerability\/wordpress-contact-form-to-any-api-plugin-3-0-3-cross-site-scripting-xss-vulnerability\">CVE-2026-39449<\/a> (Contact Form to Any API WordPress plugin), <a href=\"https:\/\/github.com\/pi-hole\/FTL\/security\/advisories\/GHSA-9cqv-839p-gpq2\">CVE-2026-39849<\/a>, <a href=\"https:\/\/github.com\/pi-hole\/FTL\/security\/advisories\/GHSA-9ff5-f3v5-2xc7\">CVE-2026-44693<\/a> (Pi-hole FTL), <a href=\"https:\/\/github.com\/rclone\/rclone\/security\/advisories\/GHSA-qw24-gh76-8rvv\">CVE-2026-49980<\/a>, <a href=\"https:\/\/github.com\/rclone\/rclone\/security\/advisories\/GHSA-jfwf-28xr-xw6q\">CVE-2026-41179<\/a>, <a href=\"https:\/\/github.com\/rclone\/rclone\/security\/advisories\/GHSA-25qr-6mpr-f7qx\">CVE-2026-41176<\/a> (Rclone), <a href=\"https:\/\/github.com\/lobehub\/lobehub\/security\/advisories\/GHSA-xmwj-c75x-6346\">CVE-2026-54157<\/a> (@lobehub\/lobehub), <a href=\"https:\/\/github.com\/vllm-project\/vllm\/security\/advisories\/GHSA-94f4-hr76-p5j6\">CVE-2026-48746<\/a> (vllm), <a href=\"https:\/\/github.com\/langflow-ai\/langflow\/security\/advisories\/GHSA-v5ff-9q35-q26f\">CVE-2026-48519<\/a> (Langflow), <a href=\"https:\/\/github.com\/advisories\/GHSA-9r27-c92g-8g7q\">CVE-2026-38329<\/a> (Bludit CMS), <a href=\"https:\/\/github.com\/lukehebe\/CVE-2026-39949\/tree\/main\">CVE-2026-39949<\/a> (Cacti), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-review-slider-pro\/vulnerability\/wordpress-wp-review-slider-pro-plugin-12-6-8-authenticated-subscriber-sql-injection-vulnerability-2\">CVE-2026-8444<\/a> (WP Review Slider Pro WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/taskbuilder\/vulnerability\/wordpress-taskbuilder-plugin-5-0-7-sql-injection-vulnerability\">CVE-2026-52697<\/a> (Taskbuilder WordPress plugin), <a 
href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wc-multishipping\/vulnerability\/wordpress-wcmultishipping-plugin-3-0-2-sql-injection-vulnerability\">CVE-2026-52700<\/a> (WCMultiShipping WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/theme\/xstore\/vulnerability\/wordpress-xstore-theme-9-7-3-unauthenticated-sqli-vulnerability\">CVE-2026-3326<\/a> (XStore WordPress theme), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/login-with-salesforce\/vulnerability\/wordpress-login-with-salesforce-plugin-1-0-2-unauthenticated-authentication-bypass-vulnerability\">CVE-2026-2418<\/a> (Login with Salesforce WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-photo-album-plus\/vulnerability\/wordpress-wp-photo-album-plus-plugin-9-1-11-001-unauthenticated-sql-injection-via-wppa-supersearch-parameter-vulnerability\">CVE-2026-6379<\/a> (WP Photo Album Plus WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/powerpack-for-learndash\/vulnerability\/wordpress-powerpack-for-learndash-plugin-1-3-0-unauthenticated-arbitrary-option-update-vulnerability\">CVE-2026-2446<\/a> (PowerPack for LearnDash WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/theme\/restaurant-cafeteria\/vulnerability\/wordpress-restaurant-cafeteria-theme-0-4-6-subscriber-arbitrary-plugin-installation-activation-vulnerability\">CVE-2025-15445<\/a> (Restaurant Cafeteria WordPress theme), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-review-slider-pro\/vulnerability\/wordpress-wp-review-slider-pro-plugin-12-6-8-authenticated-subscriber-sql-injection-vulnerability\">CVE-2026-8443<\/a> (WP Review Slider Pro WordPress plugin), <a 
href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/premmerce-dev-tools\/vulnerability\/wordpress-premmerce-dev-tools-plugin-2-0-missing-authorization-to-authenticated-subscriber-remote-code-execution-vulnerability\">CVE-2026-6933<\/a> (Premmerce Dev Tools WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-ticket\/vulnerability\/wordpress-customer-support-ticket-system-helpdesk-plugin-6-0-4-unauthenticated-sql-injection-vulnerability\">CVE-2026-9848<\/a> (WP Ticket Customer Service Software &amp; Support Ticket System WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/theme\/kastell\/vulnerability\/wordpress-kastell-theme-2-0-local-file-inclusion-vulnerability\">CVE-2026-52707<\/a> (Kastell WordPress theme), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/fastdup\/vulnerability\/wordpress-fastdup-plugin-2-7-2-path-traversal-vulnerability\">CVE-2026-52703<\/a> (FastDup WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/jet-engine\/vulnerability\/wordpress-jetengine-plugin-3-8-10-php-object-injection-vulnerability\">CVE-2026-52706<\/a> (JetEngine WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/theme\/nifty\/vulnerability\/wordpress-nifty-theme-1-4-1-php-object-injection-vulnerability\">CVE-2026-27429<\/a> (Nifty WordPress theme), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp_scraper\/vulnerability\/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-arbitrary-file-upload-vulnerability\">CVE-2025-69129<\/a> (WordPress &amp; WooCommerce Scraper WordPress plugin), <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ovabookpro\/vulnerability\/wordpress-bookpro-plugin-1-1-0-arbitrary-file-deletion-vulnerability\">CVE-2026-27400<\/a> (BookPro WordPress plugin), <a 
href=\"https:\/\/www.wordfence.com\/blog\/2026\/06\/critical-unauthenticated-arbitrary-file-deletion-vulnerability-patched-in-avada-builder-wordpress-plugin\/\">CVE-2026-8713<\/a> (Avada Builder WordPress plugin), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/06\/stable-channel-update-for-desktop_01750511403.html\">from CVE-2026-12437 through CVE-2026-12443<\/a> (Google Chrome), <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2026-57\/\">CVE-2026-12326, CVE-2026-12327, CVE-2026-12328<\/a> (Mozilla Firefox), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/380058\">CVE-2026-8049, CVE-2026-8050<\/a> (SignalRGB kernel driver), <a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0614\">CVE-2026-20266<\/a> (Splunk AI Toolkit), <a href=\"https:\/\/confluence.atlassian.com\/security\/security-bulletin-june-16-2026-1796309326.html\">CVE-2026-41293, CVE-2026-43512, CVE-2026-42579, CVE-2026-42584, CVE-2026-43515<\/a> (Atlassian Confluence Data Center and Server), <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-ise-multi-G5WP8vv\">CVE-2026-20181, CVE-2026-20190<\/a> (Cisco Identity Services Engine and ISE Passive Identity Connector), <a href=\"https:\/\/nodejs.org\/en\/blog\/vulnerability\/june-2026-security-releases\">CVE-2026-48933, CVE-2026-48618<\/a> (Node.js), <a href=\"https:\/\/www.fortra.com\/security\/advisories\/product-security\/fi-2026-007\">CVE-2026-9862<\/a> (Fortra Core Privileged Access Manager), and <a href=\"https:\/\/github.com\/unclecode\/crawl4ai\/security\/advisories\/GHSA-365w-hqf6-vxfg\">multiple vulnerabilities<\/a> in Crawl4AI Docker API (no CVEs).<\/p>\n<h2 style=\"text-align: left;\"><b>\ud83c\udfa5 Cybersecurity Webinars<\/b><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/securing-ai-use\">Your Company Is Using More AI Than You Can See. 
Here\u2019s How to Secure It<\/a> \u2192 AI bots are actively accessing your company\u2019s sensitive data\u2014often without a clear human owner to hold accountable. Join this webinar to learn how to uncover hidden AI tools, lock down their permissions, and safely take back control of your network before a blind spot becomes a massive data breach.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/outpacing-mythos-cyberattacks\">Machine-Speed Attacks are Here: How to Stop AI-Powered Hackers<\/a> \u2192 Hackers are now using AI to launch lightning-fast, highly convincing attacks that easily slip past traditional security. If your defenses rely on old, &#8216;human-speed&#8217; tools, you&#8217;re already falling behind. Join this critical webinar to see exactly how AI-powered threats operate\u2014and get a clear, practical blueprint to lock down your network and stop machine-speed attacks in their tracks.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udcf0 Around the Cyber World<\/b><\/h2>\n<ul>\n<li><b>Flaws in SiderAI and MaxAI <\/b>\u2014 Critical vulnerabilities have been disclosed in SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions that can allow malicious websites to take screenshots of arbitrary websites or run arbitrary code by taking advantage of the add-ons&#8217; permissions. \u00abAbusing these vulnerabilities allows attackers to compromise all browser sessions across any website, leading to the leakage of sensitive information, the invocation of arbitrary commands, and even account takeover,\u00bb Rebora <a href=\"https:\/\/rebora.io\/blog\/spyder-and-maxss-chrome-extension-vulnerabilities-put-millions-at-risk\/\">said<\/a>. \u00abFurthermore, there was a potential risk of stealing files from the underlying operating system.\u00bb Both extensions have a \u00abFeatured\u00bb badge and have been collectively installed nearly 7 million times. 
Given that the issues remain unpatched, users are advised to remove them until fixes are in place.<\/li>\n<li><b>Israeli Company Linked to Popa Android TV Box Botnet <\/b>\u2014 The Popa Android TV box botnet, which has been used for residential proxy traffic in ad fraud and website scraping, has been attributed to <a href=\"https:\/\/spur.us\/blog\/how-proxy-providers-co-opt-entire-networks\">NetNut<\/a>, operated by publicly traded Israeli company Alarum Technologies. <a href=\"https:\/\/www.qurium.org\/forensics\/finding-popa\/\">Qurium<\/a>, along with the <a href=\"https:\/\/github.com\/deepfield\/public-research\/blob\/main\/reports\/2026-06-18-robovpn-neunative.md\">Nokia Deepfield Emergency Response Team<\/a> and <a href=\"https:\/\/synthient.com\/blog\/popa-from-sourcing-to-distribution\">Synthient<\/a>, has found that Popa is a \u00abresidential proxy software family that turns consumer devices into internet relay nodes\u00bb by means of a software development kit. It&#8217;s worth noting that Popa was first flagged by QiAnXin XLab in March 2025 as an Android component of the Vo1d botnet. \u00abSo Popa is not a traditional downloader or banking trojan, the ultimate goal of the code is just to implement a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening tunnels on demand,\u00bb according to the report. \u00abNot differently from many other types of malware, Popa does not connect directly to a fixed command-and-control server. The compromised device starts by connecting a limited set of domain names to later learn where to register and tunnel the traffic.\u00bb The botnet has impacted millions of consumer TV boxes over the last four years. Alarum also maintains RoboVPN, a commercial VPN service that includes a residential-proxy SDK that turns the user&#8217;s machine into an exit node for third-party traffic. 
In a statement <a href=\"https:\/\/krebsonsecurity.com\/2026\/06\/popa-botnet-linked-to-publicly-traded-israeli-firm\/\">shared<\/a> with cybersecurity journalist Brian Krebs, NetNut and Alarum have disputed the allegations, calling them \u00abdemonstrably inaccurate assertions and flawed deductions rather than verified facts,\u00bb adding \u00abthe SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate.\u00bb The development comes weeks after another report from Include Security found that an iOS SDK that Bright Data embeds in consumer apps can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic with users&#8217; consent.\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDSiCSS07-nO_rqQBjhDRbdC9VaQQ6ULV_7OkOjVZ6mIqRryq8pEb1LW16SlDPagzWSwU_BFd9GYgo_HizzD5eJ_4zDgco1SGWB7JJvnTNrDrX_luaRmgRDUKfJPo2uyhyphenhyphenLP3q0qZ2trbQp5bWwa75e3m3TtJa2kZn6JBRGtgFMUOLAv5dz8NS4AMfevw3\/s1700-e365\/android.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDSiCSS07-nO_rqQBjhDRbdC9VaQQ6ULV_7OkOjVZ6mIqRryq8pEb1LW16SlDPagzWSwU_BFd9GYgo_HizzD5eJ_4zDgco1SGWB7JJvnTNrDrX_luaRmgRDUKfJPo2uyhyphenhyphenLP3q0qZ2trbQp5bWwa75e3m3TtJa2kZn6JBRGtgFMUOLAv5dz8NS4AMfevw3\/s1700-e365\/android.png\" alt=\"\" border=\"0\" data-original-height=\"1536\" data-original-width=\"1024\"\/><\/a><\/div>\n<\/li>\n<li><b>Prinz Eugen Encrypts Recently Modified Files\u00a0<\/b>\u2014 A new Go-based ransomware called Prinz Eugen has been observed targeting recently modified files for encryption. 
\u00abIt performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk,\u00bb Malwarebytes Threatdown <a href=\"https:\/\/www.threatdown.com\/blog\/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor\/\">said<\/a>. It&#8217;s suspected that the attackers gain initial access through compromised RDP credentials. The ransomware binary also takes steps to frustrate forensic analysis and recovery. The ransomware has been attributed to an actor called ROOTBOY, who has a track record of selling stolen data on cybercrime forums.<\/li>\n<li><b>Okendo Reviews Widget Compromised in SmartApeSG Supply Chain Attack <\/b>\u2014 Okendo Reviews widget, a popular customer review platform used by more than 18,000 brands, is said to have been compromised as part of attacks designed to deploy malware via embedded malicious JavaScript code. The activity, detected on May 14, 2026, has been tied to SmartApeSG, which was previously observed using <a href=\"https:\/\/www.blumira.com\/blog\/smartapesg-returns-with-unique-obfuscation-techniques\">ClickFix and FakeUpdates lures<\/a> to distribute NetSupport Manager. \u00abThe injected JavaScript used obfuscation, environment checks, and staged execution,\u00bb Zscaler <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/smartapesg-launches-okendo-reviews-supply-chain-attack\">said<\/a>. \u00abThe SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately. Instead, the JavaScript focused on control, reconstruction, and retrieval, which reduced the visibility of the script and gave the operator more flexibility.\u00bb The end goal of the attacks is to serve bogus ClickFix prompts that lead to malware deployment. 
In the past, SmartApeSG has also <a href=\"https:\/\/hunt.io\/blog\/russian-malicious-infrastructure-c2-servers-mapped\">relied<\/a> on command-and-control (C2) servers hosted on Russian infrastructure providers to communicate with hosts infected with Remcos RAT through fake CAPTCHA prompts injected into websites that instructed users to execute commands copied to the clipboard. Okendo has since addressed the issue and restored the widget script to a clean state.<\/li>\n<li><b>AI-Generated Websites Used to Deliver SmartRAT <\/b>\u2014 Typosquatting domains hosting malicious content generated with AI-powered website creation tools are being used to deliver a PowerShell-based malware called SmartRAT (aka Banana RAT). The web page impersonates a Brazilian bank and uses a ClickFix lure to trick victims into running a PowerShell command that downloads the malware. \u00abThreat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs),\u00bb Zscaler <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/clickfix-campaign-generated-ai-delivers-smartrat\">said<\/a>. \u00abSmartRAT supports encrypted C2 communications, remote control (screen\/keyboard\/mouse), credential theft (keylogging and banking overlays), and persistence via scheduled tasks and a Windows service.\u00bb<\/li>\n<li><b>ClickFix Delivers GuLoader <\/b>\u2014 Another campaign has been observed using a combination of ClickFix and EtherHiding to deliver malware called GuLoader, using a compromised WordPress site as an entry point. 
\u00abThe attack chain combines four distinct components, compromised WordPress, EtherHiding via BSC Testnet, ClickFix social engineering, and GULoader delivery via UNC path, into a single intrusion sequence where every traditional defensive layer has a structural reason to remain silent,\u00bb Sicuranext said.\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg2lQwbPdQALh9VX39W1TMhBxahyaHTkIwE3-sMC-8cvIsO5QMHcXLyVwDRMv1Yra12d10q8lCNLxlGoeRBlniQf9inuQ-_DBhkpJBjGubCJ4NCKjers1SCKsSU7xJ-h-CiBQO_BxIvb9XB1ij4rI8MZQZTHdq2hT0X2FPCp-lC7jtyEpiCKo-ARJAZZMqM\/s1700-e365\/kill.jpeg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg2lQwbPdQALh9VX39W1TMhBxahyaHTkIwE3-sMC-8cvIsO5QMHcXLyVwDRMv1Yra12d10q8lCNLxlGoeRBlniQf9inuQ-_DBhkpJBjGubCJ4NCKjers1SCKsSU7xJ-h-CiBQO_BxIvb9XB1ij4rI8MZQZTHdq2hT0X2FPCp-lC7jtyEpiCKo-ARJAZZMqM\/s1700-e365\/kill.jpeg\" alt=\"\" border=\"0\" data-original-height=\"1272\" data-original-width=\"1600\"\/><\/a><\/div>\n<\/li>\n<li><b>UnregStealer Targets Brazilian Banks <\/b>\u2014 A new purpose-built trojan called UnregStealer has been targeting Latin America (LATAM) financial institutions. Described as a human-operated credential theft campaign, it was first discovered by IBM X-Force in May 2026. \u00abMost LATAM banking trojans rely on automated infection chains and compiled malware, UnregStealer is different,\u00bb the company <a href=\"https:\/\/www.ibm.com\/think\/news\/unregstealer-human-operated-browser-credential-theft-targeting-brazilian-banking\">said<\/a>. \u00abThis trojan involves a real operator, who watches each victim&#8217;s session live and pulls the trigger manually. 
This variation makes the campaign nearly invisible to sandboxes and behavioral detection systems that never see the payload activate.\u00bb Attack chains begin with social engineering lures that masquerade as mandatory SSL certificate updates to deliver a PowerShell stager, ultimately resulting in the deployment of a malicious Chrome extension named \u00abCertificado SSL Chrome\u00bb that&#8217;s responsible for data theft and exfiltration. In recent months, LATAM financial institutions have been targeted by a JavaScript adversary-in-the-middle (AitM) framework called OverlordMX that also makes use of a human operator, who monitors victims in real time and manually triggers the necessary overlays to capture credentials. The campaign is assessed to be the work of a Spanish-speaking threat actor. \u00abThe attack operates in two stages: a web-inject layer that intercepts sensitive information from the victim, followed by a socially engineered RAT delivery that grants the operator full remote control of the victim\u2019s device,\u00bb IBM <a href=\"https:\/\/www.ibm.com\/think\/news\/overlordmx-new-social-engineering-campaign-targeting-latam\">said<\/a>.<\/li>\n<li><b>Pushka Android Malware Detailed <\/b>\u2014 An Android malware called Pushka is equipped to carry out on-device fraud, while granting remote access trojan (RAT) capabilities to the operators by abusing accessibility services. \u00abPushka can use fake overlay tactics to phish victims&#8217; credentials on their mobile devices and can further steal and exfiltrate data from their devices,\u00bb IBM X-Force <a href=\"https:\/\/www.ibm.com\/think\/news\/pushka-malware-cannon-knows-how-fire-back\">said<\/a>. \u00abPushka&#8217;s RAT capabilities can perform actions on behalf of the user, including entering the user&#8217;s login credentials, and clicking buttons.\u00bb Pushka was first spotted in September 2025 across different European countries. 
It uses fake TV apps as decoys to trick users into installing them. The app acts as a dropper, and uses Android&#8217;s PackageInstaller.Session API to silently install its main payload while bypassing Android 13\u2019s Restricted Settings. \u00abThis method replaces the traditional use of Intent.ACTION_INSTALL_PACKAGE and is specifically used to mimic the legitimate installation flow used by the Play Store, allowing the malware to evade the OS-level restrictions introduced in newer Android versions,\u00bb IBM said.<\/li>\n<li><b>Ransomware Ecosystem Consolidates in Q1 2026 <\/b>\u2014 Data from Flare <a href=\"https:\/\/flare.io\/learn\/resources\/blog\/ransomware-as-a-service-lockbit-alumni-launch-competing-programs-as-ecosystem-co\">shows<\/a> that the ransomware ecosystem is \u00abreconsolidating around fewer, more capable operators after a fragmented stretch,\u00bb led by brands like LockBit, Qilin, and The Gentlemen. The top 10 groups account for 71% of all Q1 2026 victims, with LockBit 5.0 logging 163 victims.<\/li>\n<li><b>Australian Bank Accounts Targeted by Extension-Based Trojan <\/b>\u2014 A highly sophisticated browser extension-based banking trojan is targeting Australian banking customers. \u00abThis is not a traditional virus designed to crash systems or cause visible disruption,\u00bb IBM <a href=\"https:\/\/www.ibm.com\/think\/news\/invisible-thief-sophisticated-browser-extension-emptying-bank-accounts\">said<\/a>. \u00abInstead, it is specifically engineered to function as an invisible threat, embedding itself within the browser and operating directly inside the victim&#8217;s trusted, authenticated session.\u00bb It comes with capabilities to alter displayed balances, transaction history, and transfer limits; intercept one-time passwords (OTP) before submission; steal active banking session cookies; track visited pages and transaction patterns; and maintain a persistent WebSocket C2 connection for real-time commands. 
Exactly how the extension is distributed is unclear. \u00abBecause the attack runs within a legitimate, authenticated session, it inherits the user\u2019s trust context and security controls, effectively neutralizing traditional protections,\u00bb the company added.<\/li>\n<li><b>Chinese and Russian Influence Operations Use AI to Bypass Bot Detection <\/b>\u2014 In a new report, Two Six Technologies said Russian and Chinese inauthentic accounts are likely using AI to enhance content quality rather than to increase content volume and exhibit fewer bot-like behaviours. \u00abAI is enabling and motivating adversaries to craft better content and more human-like accounts,\u00bb the company <a href=\"https:\/\/twosixtech.com\/blog\/more-sophistication-less-slop-russian-and-chinese-malign-influence-actors-are-working-smarter-in-the-age-of-ai\/\">said<\/a>. \u00abInauthentic accounts are using AI to add visual appeal to their content. To reach broader audiences, they are probably also using it for translation. Pro-Russia and pro-China accounts now have slower posting speeds, and more pro-Russia accounts are inactive for a long stretch each day, mimicking a human who sleeps.\u00bb<\/li>\n<li><b>Operation Escaneo Targets Mexican Federal and Financial Orgs <\/b>\u2014 A sophisticated campaign targeting Latin American governments and financial institutions has come to light, thanks to an exposed attacker server (\u00ab62.171.185[.]97\u00bb) that revealed the custom tools, exploitation chain, and persistence tactics adopted by the threat actors. 
\u00abThe campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels,\u00bb CloudSEK <a href=\"https:\/\/www.cloudsek.com\/blog\/operation-escaneo-mexican-government-financial-institutions-cyberattack\">said<\/a>. \u00abThe threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms.\u00bb The activity has been attributed with medium confidence to a group called PanchoVilla (aka MexicanMafia).<\/li>\n<li><b>GNU Savannah Security Flaw Fixed <\/b>\u2014 The Free Software Foundation (FSF) said it has addressed an exploit demonstrated by Hacktron, alongside additional security issues. \u00abAfter thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah&#8217;s software supply chain,\u00bb the FSF <a href=\"https:\/\/www.fsf.org\/news\/statement-regarding-gnu-savannah-security-reports\">said<\/a>. \u00abThough the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. 
We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.\u00bb<\/li>\n<li><b>27-Year-Old Authentication Bypass in OpenBSD <\/b>\u2014 Argus said it discovered a <a href=\"https:\/\/www.openwall.com\/lists\/oss-security\/2026\/06\/16\/9\">27-year-old authentication bypass flaw<\/a> in OpenBSD&#8217;s PPP stack that could be used to sidestep Password Authentication Protocol (PAP) entirely. \u00abOpenBSD&#8217;s sppp_pap_input function used attacker-controlled length fields as the bcmp comparison length for credential validation,\u00bb the company <a href=\"https:\/\/blog.argus-systems.ai\/blog\/openbsd-pap-27-year-auth-bypass.html\">said<\/a>. \u00abSending zero-length name and password fields caused bcmp to return 0 unconditionally, bypassing PAP authentication entirely.\u00bb The flaw was introduced in July 1999. A fix was issued on June 14, 2026.<\/li>\n<li><b>Abusing AI Features in SQL Server 2025 for C2 <\/b>\u2014 SpecterOps has <a href=\"https:\/\/specterops.io\/blog\/2026\/06\/10\/oops-i-weaponized-the-database-abusing-ai-features-in-mssql-2025\/#h-defensive-considerations\">revealed<\/a> that it&#8217;s possible to weaponize native AI features in Microsoft SQL Server 2025, such as sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL, and AI_GENERATE_EMBEDDINGS as a practical channel for data exfiltration and C2, assuming an attacker has compromised an account with the sysadmin role in the database. 
To counter the threat, it&#8217;s essential to review SQL Server database logins, audit and alert on usage of xp_cmdshell, SQL Agent Jobs, and CLR Assemblies, and set up notifications for any changes to sys.external_models or when sp_invoke_external_rest_endpoint is enabled.<\/li>\n<li><b>ErrTraffic TDS Exposed <\/b>\u2014 A traffic distribution system (TDS) known as ErrTraffic is being operated under a malware-as-a-service (MaaS) model for bad actors to direct users to ClickFix lures. ErrTraffic is a JavaScript framework that&#8217;s injected into compromised WordPress sites. It employs the <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/err-hiding-and-seek-how-errtraffic-v3-leverages-etherhiding-in-clickfix-campaign\">EtherHiding<\/a> technique as a dead drop resolver to hide its C2 infrastructure within the blockchain. Sekoia&#8217;s analysis of the framework has <a href=\"https:\/\/blog.sekoia.io\/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework\/#h-backdoor\">identified<\/a> two distinct clusters of activity: Analytics and Beer. While Analytics interacts with the Polygon blockchain to fetch Vidar Stealer, the Beer cluster distributes several stealer families, including Vidar, Stealc, Remus and Salat. Separately, malvertising lures impersonating AI tools like Google Antigravity and OpenAI ChatGPT have also been used by the Analytics cluster to propagate DanaBot and Hijack Loader. A threat actor using the name LenAI has advertised and sold the ErrTraffic framework, with a one-month subscription costing $380. 
The attackers have also been found to use credential stuffing attacks to gain initial access to WordPress accounts and install PHP backdoors on the sites by masquerading as a must-use plugin.\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiVpDlYWlttcShCfhLia1yfiFqEFXjTTJesDJmFXsdlAJ5VGhsq2PPHwowC11pOwsn754I0k0OKkcVbTh5fJ-CTld0FhWSfU5B319YmqfeaHgCV6Zwto8wJtIK-8QukCnpktqycubv2uVmd1Gba-WtnIKWUPeY13ugV8V9p4QRrq4o1-G81MWlsuKIKZf0p\/s1700-e365\/sek.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiVpDlYWlttcShCfhLia1yfiFqEFXjTTJesDJmFXsdlAJ5VGhsq2PPHwowC11pOwsn754I0k0OKkcVbTh5fJ-CTld0FhWSfU5B319YmqfeaHgCV6Zwto8wJtIK-8QukCnpktqycubv2uVmd1Gba-WtnIKWUPeY13ugV8V9p4QRrq4o1-G81MWlsuKIKZf0p\/s1700-e365\/sek.png\" alt=\"\" border=\"0\" data-original-height=\"616\" data-original-width=\"1251\"\/><\/a><\/div>\n<\/li>\n<li><b>Malicious Resumes Lead to Xctdoor Malware <\/b>\u2014 AhnLab has disclosed details of a new campaign that uses malicious Windows Shortcut (LNK) files disguised as resumes that, upon execution, display decoy documents, while dropping additional scripts which then employ DLL side-loading to deploy Xctdoor, a Go-based backdoor previously attributed to North Korean threat actors. \u00abThis attack is a method of executing an LNK file disguised as a normal document, using a task scheduler and a startup program to ensure persistence, and then exploiting the normal executable to execute backdoor malware,\u00bb AhnLab <a href=\"https:\/\/asec.ahnlab.com\/ko\/94163\/\">said<\/a>.<\/li>\n<li><b>Bypassing Microsoft Entra Conditional Access Policies <\/b>\u2014 NetSPI said it found a way to bypass Microsoft Entra Conditional Access Policies by abusing Nested App Authentication to return access tokens for the Microsoft Graph API. 
\u00abIt was possible to use certain Nested App Authentication (or BroCI) flows to bypass any Conditional Access policy,\u00bb security researcher Thomas Byrne <a href=\"https:\/\/www.netspi.com\/blog\/technical-blog\/cloud-pentesting\/bypassing-microsoft-entra-conditional-access-policies-via-nested-app-authentication\/\">said<\/a>. \u00abThis vulnerability served mainly as a persistence mechanism as it would have required a successful phishing attack to return an initial refresh token before the vulnerable authentication flows could be carried out.\u00bb A fix for the issue has since been rolled out by Microsoft.<\/li>\n<li><b>Mexican Financial Sector Targeted by GitBait <\/b>\u2014 At least a dozen Mexican banks have been targeted by a modular phishing infrastructure dubbed GitBait that abuses GitHub-hosted Pages and employs obfuscated scripts and a centralized credential exfiltration via SheetBest API. Per <a href=\"https:\/\/www.group-ib.com\/blog\/gitbait-phishing-mexico-banking-finance\/\">Group-IB<\/a>, the large-scale campaign has been active for three years. The activity is \u00abbuilt on a fully serverless architecture that abuses GitHub Pages for hosting and the SheetBest API for credential exfiltration \u2014 eliminating the need for any dedicated backend infrastructure.\u00bb It&#8217;s believed that victims are reached through common phishing delivery channels such as SMS, messaging apps, email, or social media platforms. In all cases, the victim receives a fraudulent URL that directs them to a phishing page impersonating a trusted financial institution. The phishing pages harvest user credentials, payment card details, client identifiers, and passwords through a multi-stage flow that mimics legitimate banking authentication workflows. In some cases, the captured data is exfiltrated to a Telegram bot, marking a deviation from the SheetBest-based mechanism. 
More than 100 domains associated with the campaign have been identified.<\/li>\n<li><b>Email Bombing Leads to Deno-Based Proxy and RAT <\/b>\u2014 A large-scale email flooding campaign is being used as a pretext to target employees with bogus Microsoft Teams calls from an attacker impersonating internal IT support. Victims are then persuaded to download and execute a malicious archive from a fake self-service portal. The archive contains a modular Deno-based Remote Access Trojan and a TCP proxy framework spanning four different JavaScript files. \u00abThe JavaScript files implement a Deno-based remote access and tunneling agent,\u00bb InfoGuard Labs <a href=\"https:\/\/labs.infoguard.ch\/posts\/anatomy_deno_rat\/\">said<\/a>. \u00abThe main backdoor connects to a CloudFront-hosted WebSocket C2 endpoint, registers victim identity metadata, receives commands, and brokers traffic through local helper services.\u00bb The proxy turns the compromised host into a pivot point for internal network access, allowing the attacker to route traffic through the victim machine.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd27 Cybersecurity Tools<\/b><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/0xsp-SRD\/aether\">Aether<\/a> \u2192 Because advanced malware often evades standard antivirus software by executing directly in a system&#8217;s RAM, security teams need tools to inspect live memory. Aether is an open-source Windows threat-hunting tool that scans active, running processes for hidden payloads, code injections, and malicious behaviors, using a layered validation model to minimize false alarms during incident response.<\/li>\n<li><a href=\"https:\/\/github.com\/Mr-Un1k0d3r\/AzureRedOps\">AzureRedOps<\/a> \u2192 It is an open-source offensive security toolkit designed to streamline Microsoft Entra ID and Azure red teaming. 
It unifies complex workflows\u2014such as multi-flow token management, directory enumeration, and post-exploitation Microsoft Graph actions\u2014into a single command-line interface.<\/li>\n<\/ul>\n<p><i>Disclaimer: This is strictly for research and learning. It hasn&#8217;t been through a formal security audit, so don&#8217;t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you\u2019re doing stays on the right side of the law.<\/i><\/p>\n<h2 style=\"text-align: left;\"><b>Conclusion<\/b><\/h2>\n<p>This week\u2019s lesson: most attacks do not need a genius move. They need one trusted app, one stale login, one noisy plugin, or one user chasing a shortcut.<\/p>\n<p>The fix starts in the dull places. Cut access. Clean old sites. Question helper tools. Watch the small cracks, because that is where the week usually starts leaking.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Jun 22, 2026Cybersecurity \/ Hacking It\u2019s Monday again. 
This week\u2019s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1406,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[281,192,265,809,632,70,768,2140,667],"class_list":["post-1405","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-android","tag-botnet","tag-browser","tag-bugs","tag-edr","tag-flaw","tag-killers","tag-openbsd","tag-trojan"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1405"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1405\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1406"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}