Symantec and Zscaler detailed Mistic, a stealthy new Windows backdoor used in intrusions since April and tied to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is side-loaded through a legitimate Microsoft executable and a malicious DLL named to mimic endpoint-security software, runs payloads only in memory with nothing written to disk, and includes a self-delete kill switch, all aimed at long-term, low-visibility access. It is delivered through social-engineering lures such as fake CAPTCHAs and Microsoft Teams help-desk pretexts that trick users into running PowerShell commands. Defenders should watch for the unusual DLL side-loading pattern.
Attackers compromised the build pipeline of ShapedPlugin, a WordPress plugin maker, and slipped malware into legitimate updates delivered to paying customers through the vendor's own update system. The tainted releases install a fake plugin that impersonates WooCommerce components, steals site credentials, and gives attackers the ability to write files remotely. Three paid plugins are affected: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The backdoor was injected into Pro builds on May 21, with the first customer reports on June 10. Versions on WordPress.org stayed clean, pointing to a compromise of the vendor's release infrastructure rather than the plugins themselves.
Attackers compromised the content-delivery network of Awesome Motive, one of the biggest WordPress plugin makers, and injected malicious JavaScript into files served for OptinMonster, TrustPulse, and PushEngage, plugins running on more than 1.2 million sites. Discovered by Sansec, the code only triggered when a logged-in WordPress administrator viewed an affected site, at which point it stole authentication tokens, created a hidden rogue admin account, and installed a self-concealing backdoor plugin that exposed a web shell. The bad files were served on June 12 to 14. Awesome Motive says attackers stole a CDN API key after breaching its marketing site, and has since rotated credentials.
QiAnXin XLab has tied the ongoing exploitation of cPanel's CVE-2026-41940 to a previously-quiet threat actor it tracks as Mr_Rot13, who has been operating since at least 2020. The attack chain exploits the cPanel and WHM authentication bypass to drop a Go-based infector that adds an attacker SSH key, plants a PHP web shell, and serves a fake login page to steal cPanel credentials (ROT13-encoded, exfiltrated to wrned[.]com). The final payload is a cross-platform backdoor called Filemanager that runs on Windows, macOS, and Linux. XLab counts over 2,000 attacker source IPs currently scanning for this flaw.
Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.
Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - it is invisible to most network-layer detections. The Linux port targets enterprise Linux servers with Outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts.
One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.
Attackers compromised Nextend's update infrastructure and pushed a fully weaponized version of Smart Slider 3 Pro (3.5.1.35) through the official WordPress and Joomla update channel on April 7. Sites with auto-updates enabled received a multi-layered remote access toolkit disguised as a legitimate plugin update. The malicious version was live for approximately six hours before detection. Patchstack's analysis found: unauthenticated remote command execution via crafted HTTP headers, a second authenticated backdoor with PHP eval and OS command execution, a hidden administrator account (prefixed wpsvc_) invisible in the admin interface, persistent backdoors planted in the active theme's functions.php and wp-config.php, and automated credential theft sent to an external server. Traditional defenses like firewalls, nonce verification, and role-based access controls are irrelevant here because the malicious code arrived through the trusted update channel. Affected sites should be considered fully compromised.