FISA

In June 2025, Albania once again found itself under a digital siege—this time, the Municipality of Tirana became the epicenter of a coordinated cyberattack that disrupted local government services, leaked sensitive data, and reignited tensions in an already volatile geopolitical landscape. But what really happened behind the screens? Who was responsible—and why? More importantly, what does this mean for the future of municipal cybersecurity? Let’s break it down.  What Exactly Happened? Timeline of the Incident June 20–21, 2025 : The official website and online services of the Tirana Municipality were taken offline. June 22 : Parents were unable to register their children for kindergartens or nurseries via the "E-Fëmijët" portal, which is part of the city's digital public service infrastructure. Following Days : Investigators uncovered traces of a malicious tool designed to wipe data and disable core systems . The Malware Used: Display10 Wiper According t...

Source : The Hacker News A sophisticated malware campaign has emerged, leveraging counterfeit VPN and browser installers to deploy Winos 4.0, a stealthy remote access trojan (RAT). Disguised as legitimate applications like LetsVPN and QQBrowser, these trojanized installers exploit the Nullsoft Scriptable Install System (NSIS) to execute a multi-stage, in-memory attack sequence. [2,4] The infection chain initiates with the Catena loader, a memory-resident component that employs shellcode embedded in .ini files and reflective DLL injection to evade traditional antivirus detection. This loader orchestrates the deployment of Winos 4.0, a modular malware framework capable of data exfiltration, remote shell access, and distributed denial-of-service (DDoS) attacks. [2] Notably, the malware exhibits region-specific targeting, primarily focusing on Chinese-speaking users. It checks for Chinese language settings on infected systems, although this filter is not strictly enforced, indicating po...

Source: The Hacker News Imagine installing a plugin that promises to protect your WordPress site, only to find out later that it left the door wide open for attackers. That’s exactly what’s been happening in a recent malware campaign where a fake WordPress security plugin is acting more like a saboteur than a shield. Researchers have uncovered a plugin going by the name wp-antymalwary-bot.php , posing as a security solution while silently handing over admin access to threat actors. Once installed, it injects a stealthy backdoor into the site, letting attackers execute remote commands and manipulate content without raising any red flags. It’s a slick operation. Nothing shows up in the admin panel, and the plugin re-installs itself even after deletion, using a tampered wp-cron.php file as its anchor. Under the Hood T he attackers aren’t just brute-forcing their way in, they’ve baked persistence into the plugin itself. Once active, the malware uses a function called emergency_login_all_a...

Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named  Proton66 . The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week. "Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz  said . "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years." The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services marketed on Russian cybercrime forums under the ...

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has  infected more than 3,900 sites  over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava  said  in a report dated March 7. Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins. The shortcoming was exploited as part of a  Balada Injector campaign  earlier this January, compromising no less than 7,000 sites. The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages. WordPress site owne...

  A dormant package available on the Python Package Index (PyPI) repository was updated nearly after two years to propagate an information stealer malware called Nova Sentinel. The package, named  django-log-tracker , was first published to PyPI in April 2022, according to software supply chain security firm Phylum, which  detected  an anomalous update to the library on February 21, 2024. While the  linked GitHub repository  hasn't been updated since April 10, 2022, the introduction of a malicious update suggests a likely compromise of the PyPI account belonging to the developer. Django-log-tracker has been  downloaded 3,866 times  to date, with the rogue version (1.0.4) downloaded 107 times on the date it was published. The package is no longer available for download from PyPI. "In the malicious update, the attacker stripped the package of most of its original content, leaving only an __init__.py and example.py file behind," the company said. The...

  A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir  said  in a technical report. The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines. The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options - protected-mode replica-read-only aof-rewrite-incremental-fsync , and rdb-save-incremental-fsync It's suspected that these options are turned off in order to send additional commands to the Redis server f...

In January, the cybersecurity landscape has been particularly troubled by the sophistication of malware such as the Phemedrone Stealer, Androxgh0st, and the NSPX30 backdoor, all of which have demonstrated advanced techniques for evasion, data harvesting, and exploiting network vulnerabilities. These threats underline the critical need for up-to-date defenses against sophisticated malware campaigns that can bypass standard security protocols and compromise sensitive information. CVE-2023-36025: Phemedrone Malware Campaign Targets Microsoft Defender SmartScreen Vulnerability The Phemedrone Stealer campaign has been leveraging CVE-2023-36025, a vulnerability that allows bypassing Windows Defender SmartScreen, to conduct defense evasion and payload delivery since its discovery. This vulnerability enables attackers to execute malicious scripts without triggering SmartScreen's warning mechanisms, a critical security feature in Windows environments designed to block unrecognized applicati...