SocGholish Takedown Highlights Malicious TDS Threats

Who’s Left to Build WordPress?

WordPress chiếm 41,5% thị trường web nhưng đang đối mặt bốn thách thức lớn: lực lượng developer già đi, xu hướng chuyển sang nền tảng quản lý, AI thay thế nhu cầu xây dựng website đơn giản, và khủng hoảng quản trị do Matt Mullenweg kiểm soát quá mức. Nền kinh tế plugin đang phân hóa khi các plugin doanh nghiệp vẫn vững chắc nhưng những plugin đơn giản không có tương lai trước AI.

Đọc bài này để hiểu cách WordPress đang mất vị thế trong thị trường web và tại sao sự thay đổi cơ chế quản trị, thay vì chỉ dựa vào xu hướng công nghệ, mới có thể cứu lại tương lai của nền tảng này.

Hiding the Classic block from the inserter in WordPress 7.1

Trong WordPress 7.1, khối Classic (core/freeform) sẽ bị ẩn khỏi trình chèn block theo mặc định nhưng vẫn hoạt động bình thường với các block đã tồn tại. Nhà phát triển có thể khôi phục chức năng này thông qua bộ lọc wp_classic_block_supports_inserter hoặc plugin nhỏ, nhằm từng bước đưa khối Classic trở thành tùy chọn và tối ưu hóa việc tải TinyMCE khi cần thiết.

Những lập trình viên phát triển plugin hoặc theme WordPress nên đọc để hiểu cách điều khiển và tương thích với thay đổi mới về Classic block, đặc biệt khi cần bảo tồn tính năng cũ hoặc xây dựng plugin hỗ trợ tính năng này trong tương lai.

Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack

A detailed technical analysis of a ClickFix attack chain observed in May 2026 that led to a full hands-on-keyboard intrusion across 11 hosts. The infection began with a user tricked into running a command via the Windows Run Dialog, which fetched and silently installed an MSI dropping 'Potemkin', a custom x64 loader using a Domain Generation Algorithm (DGA) with XorShift32 seeded at 151678 to find its C2. Potemkin reflectively loads 'RMMProject', a 4.4 MB Lua-scriptable DLL with 15 task types including browser credential theft (with a Chrome App-Bound Encryption bypass via DLL injection), hidden remote desktop control, process injection, and module loading. The attacker also deployed EtherRAT (a Node.js backdoor resolving C2 via Ethereum blockchain) and Cloudflare tunnels, then moved laterally via WMIExec and SMBExec to reach the domain controller. The post includes full DGA Python implementation, cipher decryption algorithm, C2 protocol details, and indicators of compromise.

Europe Evolves Into Ransomware's Favorite Region

Ransomware attacks in Europe surged 55% in the first four months of 2026 compared to the same period in 2025, with France seeing a 119% increase and Italy 92%. Researchers from Black Kite attribute the shift to US market oversaturation and AI-assisted target research pointing attackers toward European organizations. The number of active ransomware groups has grown from 60 in 2023 to 150 today, filling the vacuum left by law enforcement takedowns of major RaaS operations. Manufacturing and digital services sectors are primary targets, largely because attackers exploit supply chain leverage — breaching one vendor to access hundreds of downstream clients, as demonstrated by the Miljödata attack that exposed data from ~200 Swedish municipalities. Experts recommend organizations map fourth- and fifth-party vendor dependencies and rank vendors by risk proactively rather than reactively.

Akira, LimeWire, and the Sour Taste of Data Exfiltration

A Huntress SOC investigation uncovered an Akira ransomware affiliate using an unusual attack chain: the threat actor accessed a hypervisor, spun up a new virtual machine (bypassing installed security tooling), disabled Microsoft Defender, archived target data with WinRAR, and exfiltrated it via Easyupload.io — a file-sharing site now owned by the rebranded LimeWire platform. The VHDX image of the VM provided forensic analysts a clear timeline of attacker activity, including Active Directory enumeration, lateral movement to file servers, and rapid ransomware deployment. The incident highlights how RaaS affiliates adapt TTPs, including creating new VMs to evade endpoint security stacks, and underscores the need to monitor for new endpoint creation within environments.

The Latest Addition to Turla’s Intelligence Gathering Apparatus

Google Threat Intelligence Group (GTIG) has published a detailed analysis of STOCKSTAY, a multi-component .NET backdoor attributed to the Russian state-linked threat actor Turla (FSB Center 16). Active since at least December 2022, STOCKSTAY targets Ukrainian government and military organizations as well as European entities with foreign affairs interests. The backdoor uses a modular architecture (STOCKBROKER for C2 tunneling, STOCKMARKET for orchestration, STOCKTRADER for execution) communicating over encrypted WebSockets. It masquerades as benign applications like stock market tools, PDF viewers, and calculators. STOCKSTAY shares significant code overlaps with Turla's established KAZUAR toolkit, including a shared string obfuscation mechanism called K1MORPHER based on the Squirrel3 PRNG. Deployment methods include malicious RDP files, HTA files, WinRAR CVE-2025-8088 exploitation, and GitHub-hosted MSI installers. The post includes a detailed operational timeline from 2022–2025, YARA detection rules, and indicators of compromise.

Threat landscape for SMBs in 2026: fake AI tools, phishing and more

Kaspersky's 2026 SMB threat report reveals a nearly fivefold increase in cyberattacks disguising malware as popular AI tools like Claude compared to 2025. Fake messenger apps remain the most common lure with over 414,000 attacks detected in the first four months of 2026. Phishing campaigns increasingly exploit legitimate platforms (OneDrive, Zoom Docs) to bypass email filters. Dark web analysis shows SMBs and mid-sized businesses account for more than half of all initial access listings sold by brokers, with Middle East, Africa, and Latin America seeing significant increases. The report includes a practical cybersecurity action plan covering access controls, employee training, backups, and specialized security solutions.