In today’s cybersecurity news…
Uyghur Language Software Hijacked to Deliver Malware
In March 2025, senior members of the World Uyghur Congress (WUC) living in exile received government-backed attack alerts from Google Drive. Members forwarded these to Citizen Lab, which identified a spearphishing campaign targeting the group. The campaign attempted to deliver a trojanized version of an otherwise legitimate open-source Uyghur language text editor. The malicious app included a backdoor to gather device information, communicate with a C2 server, and download further plugins. The registration information on the domains for the C2 servers shows this campaign could have been planned as far back as May 2024. The researchers say this campaign isn’t technically complex but relies on social engineering cues with a deep understanding of the target community.
Cloudflare sees a big jump in DDoS attacks
Cloudflare’s Q1 DDoS Report disclosed that the company mitigated 20.5 million DDoS attacks in the quarter, compared to 21.3 million DDoS attacks it mitigated in all of 2024. The Q1 figure is up 358% on the year and up almost 200% compared to Q4 2024 numbers. Attacks on Cloudflare itself accounted for 32% of the Q1 figure, and it saw over 6.6 million DDoS attacks as part of an 18-day campaign. Network layer attacks accounted for this huge spike, up 509% on the year. Within that, attacks using Connectionless Lightweight Directory Access Protocol (CLDAP) and Encapsulating Security Payload (ESP) floods saw the most significant growth. Cloudflare also saw over 700 attacks with bandwidth of at least one terabit per second.
4chan back online
If the last two weeks on the internet felt slightly less awful, that’s because the infamous 4chan forum had been offline since April 14th. The site’s boards and front page are now back online, although posting and images remain down. In its first blog post in 8 years, 4chan’s operators explained that “a hacker using a UK IP address exploited an out-of-date software package on one of 4chan’s servers, via a bogus PDF upload.” From there, the threat actors exfiltrated database tables and source code before pivoting to vandalizing the site. Once that was detected, moderators took 4chan’s servers offline. The post said a prolonged server migration to newer hardware exposed its infrastructure.
WooCommerce hit with large-scale phishing campaign
Researchers at PatchStack warned of a campaign targeting the popular CMS platform. Threat actors send phishing messages to site owners warning of a (non-existent) ‘Unauthenticated Administrative Access’ vulnerability. The messages try to get a clickthrough to phishing sites to download a “patch.” This leads victims to a spoofed WooCommerce Marketplace page that installs a WordPress plugin which sets up a new admin-level user, sends an HTTP GET request to a server with the account login credentials, downloads a next-stage payload, and hides both the plugin and the new admin user. Once they have access to the site, the threat actors inject spam, redirect the site to other malicious sites, enroll the site in a botnet, or extort the site owner.
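As an added defender-side example (not code from PatchStack or from the page), the following Python script mirrors the two checks a site owner would run after a campaign like this one: it loads a constructed copy of WordPress’s wp_users and wp_usermeta tables into SQLite, lists every account whose serialized wp_capabilities value grants the administrator role, flags any not on the owner’s allowlist, and compares the plugin directories present on disk against the plugins the admin Plugins screen actually displays. The table layout and the serialized capability string follow WordPress conventions; the sample rows, the allowlist and the directory names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data shaped like WordPress's wp_users / wp_usermeta tables.
SAMPLE_USERS = [
    (1, "owner", "owner@example.com", "2023-01-10 09:00:00"),
    (2, "editor_jane", "jane@example.com", "2024-03-02 12:30:00"),
    (3, "wpsupport", "noreply@attacker.invalid", "2025-04-20 03:14:00"),  # constructed rogue account
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
KNOWN_ADMINS = {"owner"}  # the site owner's own allowlist (constructed)

# WordPress stores roles as a PHP-serialized array; this matches an enabled administrator role.
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')


def load_sample_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


def find_unexpected_admins(conn, known_admins):
    """Return (login, email, registered) for every administrator not on the allowlist.

    Reading the tables directly sidesteps a plugin that filters the rogue user out of
    the Users screen: the capability row is still in the database.
    """
    rows = conn.execute("""
        SELECT u.user_login, u.user_email, u.user_registered, m.meta_value
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
    """).fetchall()
    return [
        (login, email, registered)
        for login, email, registered, caps in rows
        if ADMIN_CAP.search(caps) and login not in known_admins
    ]


def find_hidden_plugins(on_disk, shown_in_admin_ui):
    """Return plugin directories present under wp-content/plugins but absent from the
    Plugins screen. The screen normally lists every plugin on disk, active or not, so a
    directory that exists but is not displayed deserves a manual look."""
    shown = set(shown_in_admin_ui)
    return sorted(d for d in on_disk if d not in shown)


if __name__ == "__main__":
    db = load_sample_db()
    for login, email, registered in find_unexpected_admins(db, KNOWN_ADMINS):
        print(f"unexpected administrator: {login} <{email}> registered {registered}")
    # Constructed directory listing versus what the Plugins screen displayed.
    for d in find_hidden_plugins(["akismet", "woocommerce", "wp-helper-cache"], ["akismet", "woocommerce"]):
        print(f"plugin directory not shown in admin UI: {d}")
```

On a real site, the same queries run against the live database (through the WordPress CLI or a database client) and the directory listing comes from the web server’s filesystem; the point is to compare what the database and disk contain with what the admin interface shows, since the admin interface is exactly what this plugin tampers with.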
Thanks to today’s episode sponsor, ThreatLocker

Iran claims it stopped infrastructure cyberattack
The head of Iran’s Telecommunication Infrastructure Company, Behzad Akbari, told the Tasnim News Agency over the weekend that “one of the most widespread and complex cyber attacks against the country’s infrastructure was identified and preventive measures were taken.” However, he was otherwise light on details. This announcement came a day after a large explosion at Iran’s largest commercial port, although there is no indication these events are related. Iran suffered two notable infrastructure attacks in 2021 and 2022, both claimed by the dissident group Predatory Sparrow, but no group has come forward to take credit so far.
A look at quantum readiness
In the past two years, we’ve seen some signs that quantum computing might someday move from the lab to production, with NIST notably putting out its first quantum-resistant algorithms. That hasn’t translated into action at many organizations. According to a new survey by ISACA, only 5% of IT professionals said their organization has a strategy to defend against quantum-enabled threats, with 3% saying it was a high business priority for the near future. 59% said they have done nothing to prepare for quantum computing. Remember those NIST standards? Well, 7% of respondents said they had a strong understanding of them, and 44% had never heard of them.
CMS zero-day exploits hundreds of sites
Researchers at Orange Cyberdefense warned that a critical zero-day impacting Craft CMS is under active exploitation. The flaw allows attackers to “send a POST request to the endpoint responsible for the image transformation, and the data within the POST would be interpreted by the server,” in other words, remote code execution. Exploitation of the flaw began on February 10th, with over 300 deployments subsequently compromised. Craft CMS released patches on April 10th.
The FBI wants your help with Salt Typhoon
The Federal Bureau of Investigation released a Public Service Announcement asking the public to come forward with any actionable intelligence about the China-linked threat actor Salt Typhoon, which law enforcement discovered accessing US telecommunication companies in November. Among other things, the group targeted staff phones for both major parties’ presidential campaigns last year. In addition, the US Department of State’s Rewards for Justice program will offer up to a $10 million reward for any information on foreign state-linked threat actors who target US critical infrastructure.