This Week's Headlines
- Exploited VMware ESXi Zero-Day Vulnerabilities Expose Thousands to Ransomware Attacks
- ‘Bulletproof’ Hosting Provider Allegedly Routes Operations Through Kaspersky Lab Networks
- Over 1,000 WordPress Sites Compromised by JavaScript Backdoors
- Eleven11bot Botnet Infects Over 86,000 IoT Devices, Primarily Security Cameras and NVRs
- Hunters International Ransomware Group Claims Hack on Tata Technologies
Exploited VMware ESXi Zero-Day Vulnerabilities Expose Thousands to Ransomware Attacks
Recent reports indicate that tens of thousands of VMware ESXi instances are vulnerable to three zero-day vulnerabilities that have been actively exploited in the wild:
- CVE-2025-22224
- CVE-2025-22225
- CVE-2025-22226
These flaws enable attackers with elevated privileges to perform virtual machine (VM) escapes, potentially compromising the hypervisor itself.
Security scans have detected over 41,000 internet-exposed ESXi servers susceptible to these vulnerabilities, with significant concentrations in countries like China, France, the United States, Germany, Iran, Brazil, and South Korea.
The Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, underscoring the urgency for administrators to apply the available patches promptly to mitigate risks associated with ransomware and other malicious activities.
‘Bulletproof’ Hosting Provider Allegedly Routes Operations Through Kaspersky Lab Networks
Prospero OOO, a Russia-based provider notorious for offering ‘bulletproof’ web hosting services to cybercriminals, has reportedly begun routing its operations through networks operated by Russian cybersecurity firm Kaspersky Lab. ‘Bulletproof’ hosts are known for ignoring legal demands and abuse complaints, often facilitating malware distribution, botnet control, and phishing sites.
Security experts have linked Prospero to malicious activities, including hosting control servers for ransomware gangs and malware operations like SocGholish and GootLoader. Kaspersky Lab has denied any association with Prospero, stating that the routing through their networks does not imply a business relationship and that they are investigating the situation.
Over 1,000 WordPress Sites Compromised by JavaScript Backdoors
More than 1,000 WordPress websites have been compromised through the injection of malicious third-party JavaScript code, resulting in the installation of four distinct backdoors. This multi-backdoor strategy ensures attackers retain access even if one backdoor is detected and removed.
The malicious code is served via the domain cdn.csyndication[.]com, with at least 908 websites currently referencing this domain. The backdoors facilitate various malicious activities, including the installation of fake plugins, injection of harmful code into critical configuration files, unauthorized addition of SSH keys for persistent remote access, and execution of remote commands potentially opening reverse shells.
Website administrators are advised to remove unauthorized SSH keys, update WordPress admin credentials, and monitor system logs for unusual activities to mitigate these threats.
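As an added defender-side example (not code from the original report), the script below checks a WordPress tree for references to the domain named above and lists authorized_keys entries that are not in an approved set; the sample site tree and key lines it builds are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Domain named in the report; the report writes it defanged as cdn.csyndication[.]com.
INJECTED_DOMAIN = "cdn.csyndication.com"
SCAN_SUFFIXES = {".php", ".html", ".js"}

def find_injected_references(wp_root: str) -> list[str]:
    """List files under a WordPress tree that reference the injected CDN domain."""
    hits = []
    for path in Path(wp_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        # Match the bare domain as well as a defanged copy left behind in a note.
        if INJECTED_DOMAIN in text.replace("[.]", "."):
            hits.append(path.relative_to(wp_root).as_posix())
    return sorted(hits)

def _key_identity(line: str):
    """(key-type, base64) for one authorized_keys line, ignoring options and comments."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return tok, parts[i + 1]
    return None

def unexpected_ssh_keys(authorized_keys_text: str, approved: set) -> list[str]:
    """Return authorized_keys lines whose key is not in the approved (type, base64) set."""
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident = _key_identity(line)
        if ident is None or ident not in approved:
            findings.append(line)
    return findings

def build_sample_site() -> str:
    """Constructed sample tree (not real data): one clean file, one injected theme header."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "themes" / "demo").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
    (root / "wp-content" / "themes" / "demo" / "header.php").write_text(
        '<script src="https://cdn.csyndication.com/loader.js"></script>')
    return str(root)

if __name__ == "__main__":
    site = build_sample_site()
    print("injected references:", find_injected_references(site))
    keys = "ssh-ed25519 AAAAC3known admin@host\nssh-rsa AAAAB3unknown root@elsewhere\n"
    print("unexpected keys:", unexpected_ssh_keys(keys, {("ssh-ed25519", "AAAAC3known")}))
```

Run it against the real WordPress root and the web user's ~/.ssh/authorized_keys, with the approved set taken from your own key inventory.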
Eleven11bot Botnet Infects Over 86,000 IoT Devices, Primarily Security Cameras and NVRs
Researchers from Nokia Deepfield Emergency Response Team (ERT) have identified a new botnet, dubbed Eleven11bot, which has compromised over 86,000 Internet of Things (IoT) devices. The majority of these infected devices are security cameras and network video recorders (NVRs).
The botnet leverages these compromised devices to launch Distributed Denial-of-Service (DDoS) attacks, posing significant risks to both the affected devices and the broader internet infrastructure. This development underscores the critical need for robust security measures in IoT devices to prevent their exploitation in large-scale cyberattacks.
Hunters International Ransomware Group Claims Hack on Tata Technologies
The Hunters International ransomware group has claimed responsibility for a cyberattack on Tata Technologies, a subsidiary of Tata Motors.
The attack, which occurred in January, allegedly resulted in the theft of 1.4 terabytes of data, including contracts, financial documents, engineering projects, and employee PII.
Tata Technologies has notified authorities and is working with external experts to investigate the incident and has restored all systems. Hunters International, suspected to be a rebrand of the Hive ransomware gang, has added Tata Technologies to its list of victims on its Tor leak site.