Phishing Campaign Targets WooCommerce Users with Fake Patch


In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the active exploitation of a critical SAP NetWeaver vulnerability (CVE-2025-31324) that allows unauthenticated remote code execution via malicious JSP web shells, with potential ties to initial access brokers. Another campaign involves ToyMaker, a financially motivated Initial Access Broker deploying LAGTOY malware to broker access for CACTUS ransomware, enabling credential theft, persistence, and ransomware deployment. WooCommerce users are being targeted with phishing emails delivering fake patches that install malicious WordPress plugins, create hidden admin users, and drop web shells like WSO and p0wny for full site takeover. A new Python-based RAT using Discord as a command-and-control (C2) channel has emerged, capable of executing screen locks, BSOD, and geolocation tracking, while evading detection through legitimate Python libraries. Meanwhile, the China-linked APT group TheWizards is abusing IPv6 SLAAC spoofing with their Spellbinder tool to perform adversary-in-the-middle (AitM) attacks and hijack software updates, targeting users across East Asia and the Middle East. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.


1. Threat Actors Exploit Flaw for Remote Access and Post-Exploitation

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver’s Metadata Uploader endpoint is being actively exploited by threat actors. The flaw allows unauthenticated users to upload malicious JSP web shells, enabling remote code execution, persistent access, and potential data theft. Cybersecurity researchers have observed attackers leveraging tools like Brute Ratel C4 and evasion techniques such as Heaven’s Gate, with some attacks delayed, suggesting involvement of initial access brokers. The CVSS score is 10.0, and exploitation can occur via HTTP/HTTPS without authentication, granting full <sid>adm privileges. To mitigate risk, organizations must immediately apply SAP’s patches, restrict access to the vulnerable endpoint, enforce strong authentication, monitor for suspicious activity, audit user permissions, and isolate affected systems if compromise is suspected. Admins should be briefed on this vulnerability and implement rapid patching protocols to defend against further exploitation. Regular forensic reviews and credential rotations are essential for resilience.

2. ToyMaker Deploys Malware to Broker Access for CACTUS Ransomware Operations

ToyMaker is a financially motivated Initial Access Broker (IAB) known for facilitating access to ransomware groups like CACTUS. Rather than launching attacks directly, ToyMaker compromises vulnerable, internet-facing systems using a custom malware called LAGTOY (aka HOLERUN), which enables remote command execution and creates a reverse shell to a hard-coded C2 server. Once access is established, the group conducts reconnaissance, credential harvesting, and sets up persistence tools like OpenSSH and AnyDesk. After about a week, access is handed over to CACTUS, which carries out further reconnaissance, data exfiltration, and ransomware deployment. ToyMaker exhibits a short dwell time and uses known tools to establish footholds. Previously tracked as UNC961, Gold Melody, and Prophet Spider, the actor operates with financial intent, not espionage. Organizations are advised to patch exposed systems, implement MFA, restrict access to remote tools, monitor for suspicious activity, and maintain readiness for incident response and ransomware recovery.

3. Phishing Campaign Targets WooCommerce Users with Fake Patch

A phishing campaign is targeting WooCommerce users with fake security alerts urging them to install a “critical patch.” The supposed update delivers a malicious plugin that creates hidden admin accounts, installs web shells, and maintains persistent access to WordPress sites. The attack uses homograph domains, replacing characters in URLs to deceive users, and sets up hidden cronjobs to run malicious tasks. Once installed, the plugin registers the site with an attacker-controlled server and fetches additional payloads, enabling ad injection, payment data theft, DDoS, or ransomware deployment. Tools like P.A.S.-Form, p0wny, and WSO web shells are used to fully compromise the site. The plugin hides itself and the rogue admin user to avoid detection. Security experts advise avoiding updates from unsolicited emails, inspecting cronjobs and admin users, monitoring traffic to suspicious domains, and scanning for malware. Users should apply updates only through official sources and enable 2FA and backups for added protection.
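The homograph domains mentioned above are easiest to catch by collapsing lookalike characters onto their ASCII shapes before comparing a sender or link domain with the brand's real domain. The following check is an added example written for this advisory, not code from SISA or from the original campaign report; the legitimate-domain list and the confusable-character table are assumptions to be extended for your own environment.

```python
import unicodedata

# Domains treated as genuine update sources (assumed allowlist; extend as needed).
LEGIT_DOMAINS = {"woocommerce.com", "wordpress.org"}

# Lookalike characters commonly substituted into homograph domains (constructed subset:
# Cyrillic letters that render like Latin ones, digit swaps, and two-letter combinations).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "0": "o", "1": "l", "vv": "w", "rn": "m",
}


def decode_punycode(domain):
    """Turn xn-- labels back into Unicode so substituted characters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid punycode: use it as-is
        return domain


def skeleton(domain):
    """Reduce a domain to an ASCII 'skeleton' so lookalikes land on the real spelling."""
    d = unicodedata.normalize("NFKD", decode_punycode(domain.lower().strip(".")))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop diacritics
    for lookalike, ascii_char in CONFUSABLES.items():
        d = d.replace(lookalike, ascii_char)
    return d


def classify(domain):
    """Return 'legit', 'homograph:<target>' or 'unrelated' for a sender/link domain."""
    d = domain.lower().strip(".")
    for legit in LEGIT_DOMAINS:
        if d == legit or d.endswith("." + legit):
            return "legit"
    sk = skeleton(d)
    for legit in LEGIT_DOMAINS:
        # Same skeleton as the brand domain, or a lookalike used as a parent domain.
        if sk == legit or sk.endswith("." + legit):
            return "homograph:" + legit
    return "unrelated"


if __name__ == "__main__":
    for sample in ("woocommerce.com", "w\u043e\u043ecommerce.com", "vvoocommerce.com"):
        print(sample, "->", classify(sample))
```

Run the classifier over the sender domain and every link host in an "update" e-mail; anything that comes back as a homograph is a phishing indicator regardless of how convincing the message looks.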


4. Python RAT Threat Landscape: Persistence, Command and Control Communication

A new Python-based Remote Access Trojan (RAT) uses Discord as its command-and-control (C2) channel, disguising itself as a harmless script. It enables attackers to remotely execute disruptive actions like screen locking, system crashes (BSOD), mouse manipulation, and geolocation tracking through simple Discord button commands. Leveraging legitimate Python libraries such as pyautogui, tkinter, and discord.py, the malware evades detection and remains persistent by copying itself to the Windows Startup folder as WindowsCrashHandaler.exe. It communicates with attackers using a hardcoded Discord bot token, sending back system and location data while accepting live control inputs. Its stealthy nature and ease of use make it accessible even to low-skilled threat actors. Organizations are urged to monitor startup folders, watch for abnormal GUI behavior or API calls, and inspect Discord traffic from non-browser sources. Application whitelisting, endpoint detection, and blocking unauthorized Python scripts are essential to harden defenses against such emerging threats.
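Two of the monitoring recommendations above, Discord traffic from non-browser processes and executables dropped into the Startup folder, translate directly into detection rules. The following Python sketch is an added example for this advisory, not code from SISA or from the original RAT analysis; the Discord host list, the allowlist of expected Discord clients and the telemetry rows are all constructed assumptions.

```python
import csv
import io

# Hosts used by the Discord API and gateway (assumed; extend from your own telemetry).
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")
# Processes expected to reach Discord in this environment (assumed allowlist).
EXPECTED_DISCORD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
# Per-user Startup folder suffix; anything written here runs at logon.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample telemetry (not from the report). For "net" events "path" is the
# process image; for "file_write" events it is the file that was written.
SAMPLE_TELEMETRY = r"""event,process,path,dest_host
net,chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe,discord.com
net,python.exe,C:\Users\alice\AppData\Local\Programs\Python\python.exe,gateway.discord.gg
file_write,python.exe,C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsCrashHandaler.exe,
net,WindowsCrashHandaler.exe,C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsCrashHandaler.exe,discord.com
net,discord.exe,C:\Users\alice\AppData\Local\Discord\app\Discord.exe,gateway.discord.gg
"""


def is_discord_host(host):
    """True for a Discord API/gateway host or any subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS)


def in_startup_folder(path):
    """True if the path lies under a Windows per-user Startup folder."""
    return STARTUP_DIR in path.lower().replace("/", "\\")


def analyze(telemetry_csv):
    """Return (rule, process, detail) tuples for rows matching the RAT's behaviours."""
    alerts = []
    for row in csv.DictReader(io.StringIO(telemetry_csv)):
        proc = row["process"].lower()
        path = row["path"]
        # Rule 1: Discord C2 traffic from something that is not a browser or the client.
        if row["event"] == "net" and is_discord_host(row["dest_host"]) \
                and proc not in EXPECTED_DISCORD_CLIENTS:
            alerts.append(("discord_c2_from_unexpected_process", proc, row["dest_host"]))
        # Rule 2: an executable created in, or running from, the Startup folder.
        if in_startup_folder(path) and path.lower().endswith(".exe"):
            alerts.append(("executable_in_startup_folder", proc, path))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TELEMETRY):
        print(*alert)
```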

5. Spellbinder Tool Enables Lateral Movement via IPv6 SLAAC Spoofing

A China-linked APT group known as TheWizards is leveraging a tool called Spellbinder to perform adversary-in-the-middle (AitM) attacks using IPv6 SLAAC spoofing. This allows them to hijack software update mechanisms for popular Chinese applications like Sogou Pinyin and Tencent QQ, delivering trojanized installers and modular backdoors such as WizardNet. Initial access involves a malicious ZIP archive using DLL sideloading techniques. Once deployed, Spellbinder uses WinPcap to manipulate IPv6 traffic, positioning the attacker’s system as the victim’s default gateway. This enables DNS hijacking and update redirection to attacker-controlled servers. The group also uses DarkNights (DarkNimbus) for Android targeting. Attribution links TheWizards to Chinese contractor UPSEC, likely acting as a malware supplier. Targets span East and Southeast Asia, and the Middle East, including the gambling sector. Defenses should include IPv6 hardening, DNS monitoring, code-signing enforcement, and vigilance against suspicious use of legitimate binaries and memory injection.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
