ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories
ThreatsDay Bulletin: Hybrid Botnets, 13-Year-Old Vulnerabilities, and the Weaponization of AI
TL;DR
This week’s threat landscape is dominated by the evolution of the Phorpiex botnet into a resilient hybrid model, the discovery of a 13-year-old RCE flaw in Apache ActiveMQ, and a surge in "ClickFix" campaigns targeting both Windows and macOS. Additionally, cyber-enabled fraud losses hit a staggering $17.7 billion in 2025, while attackers increasingly leverage AI tools and trusted SaaS platforms like Jira and GitHub to bypass traditional security.
Infrastructure and Botnets: The Rise of Hybrid Resilience
The Phorpiex botnet (also known as Trik) has evolved. A new "Twizt" variant now employs a hybrid communication model, combining traditional HTTP polling with peer-to-peer (P2P) protocols over TCP and UDP. This dual-layered command-and-control (C2) structure ensures the botnet remains operational even if central servers are taken down.
Currently responsible for roughly 125,000 daily infections, primarily in Iran, Uzbekistan, and China, Phorpiex focuses on:
- Cryptocurrency Theft: Deploying "clippers" to reroute transactions.
- Spam & Ransomware: Distributing mass sextortion emails and facilitating LockBit Black deployments.
- Worm-like Propagation: Spreading via removable drives and scanning for Local File Inclusion (LFI) vulnerabilities.
Vulnerabilities: A 13-Year-Old Ghost in the Machine
A critical remote code execution (RCE) vulnerability has been uncovered in Apache ActiveMQ Classic. Tracked as CVE-2026-34197 (CVSS 8.8), the bug has existed for 13 years and allows attackers to bypass authentication by chaining it with an older flaw (CVE-2024-32114).
By exploiting the Jolokia API, attackers can trick the message broker into executing OS commands. While many environments are vulnerable due to default "admin:admin" credentials, versions 6.0.0 through 6.1.1 are particularly at risk because they expose the API without requiring any credentials at all. Updates are available in ActiveMQ versions 5.19.4 and 6.2.3.
The Economic Impact of Cyber Fraud
The FBI’s IC3 reports that cyber-enabled fraud cost victims over $17.7 billion in 2025, accounting for 85% of all reported losses.
- Top Loss Leader: Cryptocurrency investment fraud ($7.2 billion).
- Corporate Threats: Business Email Compromise (BEC) followed closely at $3 billion.
- Ransomware: 63 new variants were identified, with Akira and LockBit among the top ten variants hitting critical infrastructure.
AI: From Productivity Tool to Attack Vector
Artificial Intelligence is being weaponized on multiple fronts:
- DDoS Evolution: "DDoS-for-hire" platforms now integrate dark-web LLMs, allowing unskilled actors to launch complex multi-vector attacks using natural language prompts.
- The Claude Code Leak: Following a brief accidental exposure of Anthropic’s "Claude Code" source material, threat actors created fake GitHub repositories to distribute Vidar and PureLogs stealers under the guise of the leaked code.
- Direct Exploitation: Researchers demonstrated "GrafanaGhost," an exploit that tricks Grafana’s AI into leaking enterprise data via indirect prompt injection—bypassing safety guardrails without any user interaction.
Engineering Deception: ClickFix and Social Engineering
The "ClickFix" tactic—using fake browser or system update prompts—is expanding across platforms:
- Windows: Delivering a Node.js-based RAT that operates entirely in-memory, routing traffic over the Tor network.
- macOS: Abusing the applescript:// URL scheme to bypass new Terminal security features introduced in macOS 26.4.
- SaaS Abuse: Attackers are using legitimate notification systems in Jira and GitHub to send phishing links. Because the emails originate from trusted infrastructure, they often bypass traditional email security filters.
Supply Chain and Edge Risks
- Industrial Controls: Over 5,000 Rockwell Automation PLCs remain exposed to the internet, with 74% located in the U.S. These devices are actively targeted by Iranian-affiliated actors.
- Magecart: A new campaign is hiding credit card skimmers inside invisible 1x1 pixel SVG elements on Magento e-commerce stores.
- PyPI Malware: A package named hermes-px (marketed as an AI proxy) was found to be stealing user prompts and exfiltrating them to an attacker-controlled database.
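The 1x1 SVG skimmer technique described under Magecart lends itself to a structural check: an SVG collapsed to a single pixel has no visual purpose, so any script, foreignObject or event handler inside it deserves review. The scanner below is an added example written for this bulletin, not code from any of the campaigns or vendors mentioned; it uses only Python's standard html.parser, and the checkout page it scans is a constructed sample.

```python
from html.parser import HTMLParser

# Attribute names that let SVG content execute without a <script> child.
EVENT_ATTRS = ("onload", "onerror", "onbegin", "onend", "onclick", "onmouseover")


def _is_one_pixel(attrs):
    """True when width/height attributes or inline style collapse the element to 1x1."""
    a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
    w = a.get("width", "").removesuffix("px")
    h = a.get("height", "").removesuffix("px")
    if w == "1" and h == "1":
        return True
    style = a.get("style", "").replace(" ", "")
    return "width:1px" in style and "height:1px" in style


class TinySvgScriptScanner(HTMLParser):
    """Flags executable content nested inside an <svg> rendered at 1x1 pixels."""

    def __init__(self):
        super().__init__()
        self._svg_stack = []   # one bool per open <svg>: is it 1x1?
        self.findings = []     # (line number, reason)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self._svg_stack.append(_is_one_pixel(attrs))
        if not any(self._svg_stack):
            return             # not inside any 1x1 svg: nothing to flag
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, "script inside 1x1 svg"))
        elif tag == "foreignobject":
            self.findings.append((line, "foreignObject inside 1x1 svg"))
        for name, _ in attrs:
            if name.lower() in EVENT_ATTRS:
                self.findings.append((line, f"{name} handler on <{tag}> inside 1x1 svg"))

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_stack:
            self._svg_stack.pop()


def scan_html(page):
    """Return (line, reason) findings for one page of HTML."""
    scanner = TinySvgScriptScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal tracking pixel, a visible logo, and two 1x1 SVGs carrying code.
SAMPLE_PAGE = """<html><body>
<img src="/pixel.gif" width="1" height="1">
<svg width="120" height="40"><text x="0" y="20">Shop</text></svg>
<svg width="1" height="1" style="position:absolute">
  <script>/* constructed placeholder */</script>
</svg>
<svg style="width:1px;height:1px"><image href="x" onload="void 0"/></svg>
</body></html>"""

if __name__ == "__main__":
    for line, reason in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {reason}")
```

Run it against saved copies of checkout and payment pages; the visible logo and the ordinary `<img>` pixel produce no findings, while both hidden SVGs are reported with their line numbers.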
Conclusion
This week’s data suggests a shift toward "quiet escalations" rather than loud zero-days. Attackers are finding success by reviving old vulnerabilities, abusing the inherent trust in SaaS platforms, and finding creative ways to bypass new OS-level security features. Organizations should prioritize FIDO2 hardware keys, audit MFA enrollments, and remain extremely cautious of AI tools that have direct access to internal documentation or databases.