Malware Activity
When Trust and Infrastructure Become the Attack Surface
Deepfake voice fraud and persistent firewall malware highlight how modern cyberattacks are increasingly designed to bypass traditional security controls by targeting trust and core infrastructure instead. Attackers are now convincingly impersonating executives using AI‑generated voices and video, pressuring employees into approving high‑value transactions through what appear to be ordinary conversations. At the same time, advanced malware like Firestarter shows that even well‑patched security devices can remain compromised, quietly giving attackers long‑term access to sensitive networks. These threats succeed because they exploit assumptions: that a familiar voice can be trusted, or that applying updates automatically makes systems safe. In both cases, attackers carefully study their targets, from org charts and approval workflows to the inner workings of network hardware. The result is that organizations with mature security stacks can still be exposed if they rely too heavily on tools alone. Together, these incidents underscore a hard lesson for security leaders: strong defenses now require vigilant people, disciplined verification processes, and deeper validation that critical systems are truly clean, not just patched. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Deepfake Voice Attacks are Outpacing Defenses: What Security Leaders Should Know
- BleepingComputer: Firestarter Malware Survives Cisco Firewall Updates, Security Patches
Threat Actor Activity
BlackFile/Cordial Spider Extorting Retail and Hospitality in New Vishing Campaign
BlackFile, a newly identified financially motivated threat group, has reportedly been conducting data theft and extortion attacks against retail and hospitality firms since February 2026. Also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, the group impersonates corporate IT helpdesk staff in voice-based phishing (vishing) calls from spoofed VoIP numbers, directing employees to fake login pages to capture credentials and one-time passcodes. Once credentials are stolen, the attackers register their own devices to bypass MFA, then escalate to executive-level access by scraping internal directories. They use standard Salesforce APIs and SharePoint download functions to search for and exfiltrate sensitive data, especially files containing terms like “confidential” and “SSN.” Stolen data is moved under the guise of legitimate SSO sessions to attacker-controlled servers and later published on the threat actor’s dark web leak site, alongside seven-figure ransom demands sent from compromised or throwaway email accounts. BlackFile has been tentatively linked to “The Com,” an English-speaking cybercriminal network associated with extortion and other serious crimes. “Swatting” of victims’ executives has also been used as a tactic to increase pressure for payment. CTIX analysts’ recommendations align with those of RH-ISAC, encouraging organizations to implement stronger call-handling procedures, MFA-based caller verification, and simulation-based social engineering training to reduce the effectiveness of these attacks.
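As an added illustration (not part of the briefing or of RH-ISAC's guidance), the following Python sketch correlates two of the behaviours described above over a constructed audit feed: a newly registered MFA device followed within 24 hours by downloads of files whose names contain the terms the group is reported to search for. The log format, user names, field names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): a simplified, unified
# identity + SharePoint audit feed. Format: "<ISO time>|<user>|<action>|<detail>"
SAMPLE_EVENTS = """\
2026-03-02T09:14:00|j.doe|MfaDeviceRegistered|Authenticator app (new)
2026-03-02T09:40:12|j.doe|FileDownloaded|Finance/2025_Payroll_SSN_Export.xlsx
2026-03-02T09:41:03|j.doe|FileDownloaded|HR/Confidential_Exec_Comp.docx
2026-03-02T09:42:55|j.doe|FileDownloaded|Legal/Confidential_M&A_Memo.pdf
2026-03-02T10:05:00|a.lee|FileDownloaded|Marketing/Brand_Guide.pdf
2026-03-01T08:00:00|m.khan|MfaDeviceRegistered|Phone (new)
2026-03-03T12:00:00|m.khan|FileDownloaded|HR/Confidential_Policy.pdf
"""

SENSITIVE_TERMS = re.compile(r"confidential|ssn", re.IGNORECASE)
WINDOW = timedelta(hours=24)   # assumed correlation window
MIN_HITS = 2                   # assumed minimum sensitive downloads to alert

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return sorted(events)

def flag_suspicious_users(text, window=WINDOW, min_hits=MIN_HITS):
    """Return {user: [sensitive file names]} for users whose new-MFA-device
    registration is followed within `window` by at least `min_hits`
    downloads of files whose names match SENSITIVE_TERMS."""
    registrations = defaultdict(list)
    downloads = defaultdict(list)
    for ts, user, action, detail in parse_events(text):
        if action == "MfaDeviceRegistered":
            registrations[user].append(ts)
        elif action == "FileDownloaded" and SENSITIVE_TERMS.search(detail):
            downloads[user].append((ts, detail))
    flagged = {}
    for user, reg_times in registrations.items():
        hits = [name for ts, name in downloads.get(user, [])
                if any(timedelta(0) <= ts - r <= window for r in reg_times)]
        if len(hits) >= min_hits:
            flagged[user] = hits
    return flagged
```

In the sample data only j.doe is flagged: m.khan's single sensitive download falls outside the window, and a.lee never registered a device.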
Vulnerabilities
Active Exploitation of Critical Breeze Cache Flaw Sparks Urgent Patching for WordPress Sites
A critical vulnerability in the widely used Breeze Cache WordPress plugin, tracked as CVE-2026-3844 (CVSS 9.8/10), is under active exploitation, prompting urgent calls for website administrators to patch affected systems. Impacting Breeze Cache versions up to 2.4.4, the flaw stems from improper file-type validation in the plugin’s “fetch_gravatar_from_remote” function, allowing unauthenticated attackers to upload arbitrary files that could enable remote code execution (RCE) and complete website takeover. While exploitation requires the “Host Files Locally – Gravatars” feature to be enabled (a setting that is disabled by default), the risk remains significant given the plugin’s more than 400,000 active installations and uncertainty around how many sites have the feature active. Threat activity, initially observed in over 170 exploitation attempts, has escalated sharply, with Wordfence reporting nearly 4,000 blocked attacks in a 24-hour period targeting the flaw. The vulnerability, discovered by researcher Hung Nguyen (bashu), was patched in Breeze Cache version 2.4.5, which has already seen significant adoption, though exposed and unpatched systems remain at risk. Given the combination of active exploitation, low attack complexity, and potential for full site compromise, CTIX analysts urge defenders to immediately upgrade to the latest version or, at minimum, disable the vulnerable Gravatar hosting functionality as a mitigation measure.
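The flaw class described above, improper file-type validation when a remotely fetched avatar is saved to local storage, is illustrated by the added Python example below; it is not the plugin's code or its fix. It accepts a fetched payload only if its magic bytes match an allowlisted image type, ignores the remote Content-Type and URL extension entirely, and names the file by content hash plus the detected extension. The sample payloads are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Allowlist of magic-byte signatures for the only image types we will store.
# The remote Content-Type header and URL extension are attacker-controlled
# and are deliberately ignored.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 512 * 1024  # avatars are small; anything larger is rejected
# Constructed sample payloads (not real fetched data).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_SAMPLE = b"<html><body>not an avatar</body></html>"

def detect_image_type(data):
    """Return 'png', 'jpg' or 'gif' if the payload starts with a known
    signature, else None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def store_remote_avatar(data, dest_dir):
    """Write a fetched avatar only if it passes size and type checks; the name
    is the content hash plus the *detected* extension, so nothing caller-
    controlled reaches the filesystem. Returns the Path, or None if rejected.
    A signature check alone does not defeat polyglot files, so dest_dir must
    also be a location the web server never executes scripts from."""
    if len(data) > MAX_BYTES:
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None
    path = Path(dest_dir) / f"{hashlib.sha256(data).hexdigest()}.{ext}"
    try:  # exclusive create: never clobber an existing file
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return path
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    # Run both constructed payloads through the check in a scratch directory.
    with tempfile.TemporaryDirectory() as tmp:
        good = store_remote_avatar(PNG_SAMPLE, tmp)
        bad = store_remote_avatar(HTML_SAMPLE, tmp)
        return good is not None and good.suffix == ".png", bad is None
```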

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
