Malware Activity
Hidden Threats in Trusted Software
Two (2) recent incidents highlight how widely trusted software components can harbor stealthy, long-running vulnerabilities. One (1) popular WordPress plugin (Quick Page/Post Redirect, ~70,000 installs) was quietly hijacked by attackers around 2020–2021, who inserted a hidden self-update mechanism that delivered a rogue plugin version and injected malicious code into sites for about five (5) years, until a security scan in 2026 finally caught it. Meanwhile, a newly disclosed Linux kernel flaw dubbed “Copy-Fail” (CVE-2026-31431) had been lurking in core code since 2017. It affects essentially all major Linux distributions and allows any unprivileged user to gain root privileges by corrupting the operating system’s in-memory file cache: for example, by altering the cached copy of a setuid root program such as “su”, an attacker can make it run their own code. Both cases underscore how supply-chain compromises and subtle logic flaws in core software can remain hidden for years in trusted components, putting numerous systems at risk until discovered and patched, and they highlight the need for rigorous code audits, prompt security updates, and vigilant monitoring. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Popular WordPress Redirect Plugin Hid Dormant Backdoor For Years
- TheHackerNews: New Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions
Threat Actor Activity
US-China Partner in Joint Raid to Shut Down Dubai Crypto Scam Centers
A joint international operation led by Dubai Police, with US and Chinese cooperation, raided nine (9) Dubai-based operation centers running pig-butchering cryptocurrency investment schemes and arrested two hundred seventy-six (276) suspects. These networks built fake online friendships or romances to lure victims onto bogus crypto platforms, then drained their funds, urged them to borrow more, and laundered the money through additional accounts. Four (4) alleged organizers face US fraud and money laundering charges: Burmese national Thet Min Nyi (Ko Thet Company) and Indonesians Wiliang Awang, Andreas Chandra, and Lisa Mariam (Sanduo Group and Giant Company). Awang was arrested in Thailand; the others were detained in Dubai, while two (2) co-conspirators remain fugitives. The case stems from numerous FBI complaints and millions in US victim losses, in a landscape where investment fraud caused $8.6 billion in reported losses in 2025. It is part of broader efforts by the DOJ’s Scam Center Strike Force to disrupt crypto scam networks that siphoned $16 billion from Americans last year, amid growing concern over scam centers across Asia often linked to human trafficking.
Vulnerabilities
Active Exploitation of cPanel Authentication Bypass Exposes Millions of Internet-Facing Servers
A critical authentication bypass vulnerability affecting cPanel, WHM (Web Host Manager), and WP Squared is being actively exploited in the wild, with attack attempts observed as early as February 23, 2026 (prior to public disclosure and patch availability). The flaw, tracked as CVE-2026-41940, stems from a CRLF injection vulnerability in the login and session handling processes, where unsanitized user input from the Authorization header is written into server-side session files before authentication, enabling attackers to bypass login controls without validating credentials. Security researchers at watchTowr have released technical details and proof-of-concept methods demonstrating how the bug can be weaponized, significantly lowering the barrier to exploitation. With an estimated 1.5 million internet-exposed cPanel instances identified via Shodan scans, the potential attack surface is substantial, and successful exploitation grants full control over affected systems, including hosted websites, configurations, and databases. Following mounting pressure, cPanel issued patches on April 28, while providers like Namecheap implemented temporary mitigations such as blocking key service ports. CTIX analysts strongly urge any affected organizations to apply patched versions immediately, restart core services, and, if compromise is suspected, conduct full incident response actions including session invalidation, credential resets, and persistence hunting, leveraging detection tools released by both cPanel and watchTowr.
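The bug class behind CVE-2026-41940 is attacker-controlled header text landing in a line-oriented server-side file before any authentication check. The following Python is an added example written for this briefing; it is not cPanel's, WHM's or watchTowr's code and does not reproduce the actual flaw. It shows the two defender-side controls that matter for this class: refusing to persist any header value containing CR, LF or NUL (raw or percent-encoded), and auditing an existing session store for the unexpected or duplicated keys an injection would leave behind. The `key=value` session-file layout, the key names and the sample values are all constructed for illustration.

```python
# Added example (not cPanel's or watchTowr's code): defender-side guards against
# CRLF injection into a line-oriented session store. The session-file format
# used here (one "key=value" record per line) is hypothetical.
import re
from urllib.parse import unquote

# RFC 7230 forbids bare CR, LF and NUL inside an HTTP field value.
_CONTROL = re.compile(r"[\r\n\x00]")


def header_value_is_safe(value: str) -> bool:
    """True if the value contains no line-breaking control characters,
    checked both as received and after one round of percent-decoding
    (so "%0d%0a" is caught even if a later decoder would expand it)."""
    return not (_CONTROL.search(value) or _CONTROL.search(unquote(value)))


def serialize_session_field(key: str, value: str) -> str:
    """Render one 'key=value' line for the hypothetical session file.

    Refuses any value that the file's line-based reader could split into
    additional records, which is how an injected header becomes an
    attacker-chosen session attribute."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", key):
        raise ValueError(f"bad session key: {key!r}")
    if not header_value_is_safe(value):
        raise ValueError("header value contains CR/LF/NUL; refusing to persist it")
    return f"{key}={value}\n"


def audit_session_file(text: str, expected_keys: set[str]) -> list[str]:
    """Incident-response helper: report records in a session file that do not
    belong there (unknown keys, duplicated keys, malformed lines).

    Returns a list of human-readable findings; an empty list means clean."""
    seen: set[str] = set()
    findings: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, _ = line.partition("=")
        if not sep:
            findings.append(f"line {lineno}: not a key=value record")
            continue
        if key not in expected_keys:
            findings.append(f"line {lineno}: unexpected key {key!r}")
        elif key in seen:
            findings.append(f"line {lineno}: duplicate key {key!r}")
        seen.add(key)
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; the base64 strings are not real credentials.
    print(header_value_is_safe("Basic dXNlcjpwYXNz"))            # True
    print(header_value_is_safe("Basic dXNlcjpwYXNz\r\nx=1"))     # False
    print(header_value_is_safe("Basic%20dXNl%0d%0ax=1"))         # False
    print(serialize_session_field("user", "alice"), end="")
    sample_store = "user=alice\nexpires=1700000000\nuser=root\n"
    print(audit_session_file(sample_store, {"user", "expires"}))
```

The validator is deliberately strict rather than escaping: a session store that was never designed to carry line breaks should reject them outright, because escaping rules tend to drift out of sync between the writer and the reader. The audit function is the kind of check to run across a session directory during the persistence hunting the briefing recommends, alongside the vendor-released detection tools.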

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
