Operation Endgame, a coordinated law enforcement action by Netherlands, Canada, US, and Germany, disrupted TA569's SocGholish web inject infrastructure by taking down over 100 servers and remediating 14,971 compromised websites. TA569 compromises legitimate websites—often WordPress installations—to inject obfuscated JavaScript that presents fake browser update pages to visitors, ultimately delivering GhoLoader malware which can lead to ransomware deployments. The attack chain leverages traffic direction systems (TA2726's Keitaro TDS and ParrotTDS) for victim filtering and uses advanced client-side blob URL construction to evade sandbox detection and network-based download tracing.
This threat intelligence report highlights recent data breaches involving third-party vendors, emerging AI threat vectors such as prompt injection and WebSocket abuse, and active exploitation of critical vulnerabilities in Fortinet, Cisco, and Splunk products. Additionally, seasonal phishing campaigns targeting travelers and Amazon Prime members are surging alongside a cross-platform Rust-based crypto clipboard hijacker.
Trust Chains Broken at Scale While ClickFix Becomes a Service
This week, attackers stopped trying to kick down the front door and instead walked in through the trust chains that hold digital ecosystems together. North Korea's Sapphire Sleet compromised over 140 Mastra npm packages through a single typosquatted dependency, stealing cryptocurrency wallets and planting persistent backdoors on developer machines. The GlassWorm group trojanized Open VSX extensions with WebAssembly malware that uses the Solana blockchain as an unkillable command channel, while SmartApeSG hijacked the Okendo Reviews widget to serve malicious prompts on thousands of e-commerce sites. Even vendor integrations became a liability: the Klue breach exposed Recorded Future client data through a compromised OAuth token connecting a marketing tool to Salesforce.
Deception also became an industrial product. The ErrTraffic framework now operates as full Malware-as-a-Service, using blockchain smart contracts to hide its infrastructure and compromised WordPress sites to serve fake error prompts that trick users into running malicious commands. Attackers weaponized trusted AI platforms too—one campaign abused claude.ai's shared chat feature to deliver MacSync infostealer on macOS, while the shai_hulululud npm package uses prompt injection to blind AI-powered security scanners. On the infrastructure side, the FortiBleed campaign cracked credentials for over 73,000 FortiGate firewalls with a 45-GPU cluster, handing attackers valid keys to government and defense networks worldwide.
Defenders should immediately hunt for the easy-day-js dependency in their npm projects, reset credentials on any FortiGate firewall, enable Azure AD Graph Activity Logs to close a years-long reconnaissance visibility gap in Microsoft cloud environments, and audit OAuth tokens on all third-party vendor integrations.
Operation Endgame successfully disrupted the SocGholish (TA569) initial access framework, which relies on compromised WordPress sites and Traffic Distribution Systems (TDS) to deliver fake browser updates. The threat actor utilizes domain shadowing and a multi-stage JScript payload to establish footholds, primarily targeting corporate environments during standard work weeks to facilitate follow-on ransomware deployment.
ErrTraffic is a Malware-as-a-Service framework that compromises WordPress sites and uses malvertising to deliver ClickFix social engineering lures. It leverages EtherHiding via Polygon smart contracts to dynamically resolve C2 infrastructure and distribute infostealers, RATs, and loaders.
This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
A solo Russian-speaking threat actor tracked as 'bandcampro' leveraged jailbroken AI models to automate a multi-year influence operation and cryptocurrency fraud campaign targeting American conservative communities. The actor utilized AI for content generation, infrastructure management, password mutation for WordPress brute-forcing, and distributed a fake crypto wallet that installed the legitimate GoToResolve RMM tool for remote access.
Socket.dev has launched an experimental PHP reachability analysis tool designed to reduce vulnerability alert fatigue. By performing deep static analysis of function-level call graphs, including complex PHP dispatch patterns, the tool determines whether known CVEs in dependencies are actually executable within an application's context.
Trend Micro MDR uncovered an ongoing campaign by the KongTuke threat group utilizing compromised WordPress sites and fake CAPTCHA lures to trick users into executing malicious PowerShell commands. The attack leverages living-off-the-land binaries like finger.exe to deploy a Python-based backdoor known as modeloRAT, which focuses on enterprise environments for potential lateral movement and establishes persistence via scheduled tasks and registry keys.