ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories  Ravie Lakshmanan  Apr 09, 2026 Hacking News / Cybersecurity News Thursday. Another week, another batch of things that probably should've been caught sooner but weren't. This one's got some range — old vulnerabilities getting new life, a few "why was that even possible" moments, attackers leaning on platforms and tools you'd normally trust without thinking twice. Quiet escalations more than loud zero-days, but the kind that matter more in practice anyway. Mix of malware, infrastructure exposure, AI-adjacent weirdness, and some supply chain stuff that's... not great. Let's get into it. Resilient hybrid botnet surge Phorpiex Botnet Detailed A new variant of the botnet known as Phorpiex (aka Trik) has been observed, using a hybrid communication model that combines traditional C2 HTTP polling with a peer-to-peer (P2P) protocol over both TCP and UDP to ensure operational continuity in the face of server takedowns. The malware acts as a conduit for encrypted payloads, making it challenging for external parties to inject or modify commands. The primary goal of Phorpiex's Twizt variant is to drop a clipper that re-routes cryptocurrency transactions, as well as distribute high-volume sextortion email spam and facilitate ransomware deployment (e.g., LockBit Black, Global). It also exhibits worm-like behavior by propagating through removable and remote drives, and drop modules responsible for exfiltrating mnemonic phrases and scanning for Local File Inclusion (LFI) vulnerabilities. "Phorpiex has consistently demonstrated its capability to evolve, shifting from a pure spam operation to a sophisticated platform," Bitsight said . "The Phorpiex botnet remains a highly adaptive and resilient threat." There are about 125,000 infections daily on average, with the most affected countries being Iran, Uzbekistan, China, Kazakhstan, and Pakistan. Chained flaws enable stealth RCE 13-Year-Old Flaw in Apache ActiveMQ Classic A remote code execution (RCE) vulnerability that lurked in Apache ActiveMQ Classic for 13 years could be chained with an older flaw (CVE-2024-32114) to bypass authentication. Tracked as CVE-2026-34197 (CVSS score: 8.8), the newly identified bug allows attackers to invoke management operations through the Jolokia API and trick the message broker into retrieving a remote configuration file and executing operating system commands. According to Horizon3.ai, the security defect is a bypass for CVE-2022-41678, a bug that allows authenticated attackers to trigger arbitrary code execution and write web shells to disk. "The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments," Horizon3.ai researcher Naveen Sunkavally said . "On some versions (6.0.0 - 6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE." The newly discovered security defect was addressed in ActiveMQ Classic versions 5.19.4 and 6.2.3. Cyber fraud losses hit record highs Cybercrime Costs Victims $17.7B in 2025 Cyber-enabled fraud cost victims over $17.7 billion during 2025, as financial losses to internet-enabled fraud continue to grow. The total loss exceeds $20.87 billion, up 26% from 2024. "Cyber-enabled fraud is responsible for almost 85% of all losses reported to IC3 [Internet Crime Complaint Center] in 2025," the U.S. Federal Bureau of Investigation (FBI) said . "Cryptocurrency investment fraud was the highest source of financial losses to Americans in 2025, with $7.2 billion reported in losses." In all investment scams led the pack with $8.6 billion in reported losses, followed by business email compromise ($3 billion) and tech support scams ($2.1 billion). Sixty-three new ransomware variants were identified last year, leading to more than $32 million in losses. Akira, Qilin, INC./Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, Safepay, and Medusa emerged as the top ten variants to hit critical manufacturing, healthcare, public health, and government entities. AI-driven DDoS tactics escalate 8M DDoS Attacks in H2 2025 According to data from NETSCOUT, more than 8 million DDoS attacks were recorded across 203 countries and territories between July and December 2025. "The attack count remained stable compared to the first half of the year, but the nature and sophistication of attacks changed dramatically," the company said . "The TurboMirai class of IoT botnets, including AISURU and Eleven11 (RapperBot), emerged as a major force. DDoS-for-hire platforms are now integrating dark-web LLMs and conversational AI, lowering the technical barrier for launching complex, multi-vector attacks. Even unskilled threat actors can now orchestrate sophisticated campaigns using natural-language prompts, increasing risk for all industries." Insider breach exposes private photos Former Meta Employee Probed for Downloading 30K Facebook Photos A former Meta employee in the U.K. is under investigation over allegations that he illegally downloaded about 30,000 private photos from Facebook. According to The Guardian , the accused developed a software program to evade Facebook's internal security systems and access users' private images. Meta uncovered the breach more than a year ago, terminated the employee, and referred the case to law enforcement. The company said it also notified affected users, although it's not clear how many were impacted. Help desk attacks enable enterprise breaches UNC6783 Compromises BPOs to Target High-Value Firms Google said it's tracking a financially motivated threat cluster called UNC6783 that's tied to the "Raccoon" persona and is targeting dozens of high-profile organizations across multiple sectors by compromising business process outsourcing (BPO) providers and help desk staff for later data extortion. "The campaign relies on live chat social engineering to direct employees to spoofed Okta logins using [org].zendesk-support[##].com domains," Austin Larsen, Google Threat Intelligence Group (GITG) principal threat analyst, said . "Their phishing kit steals clipboard contents to bypass MFA and enroll their own devices for persistent access. We also observed them using fake security updates (ClickFix) to drop remote access malware." Organizations are advised to prioritize FIDO2 hardware keys for high-risk roles, monitor live chat for suspicious links, and regularly audit newly enrolled MFA devices. Magecart skimmer hides in SVG PolyShell Flaw Behind New Magecart Campaign A large-scale Magecart campaign is using invisible 1x1 pixel SVG elements to inject a fake checkout overlay on 99 Magento e-commerce stores, exfiltrating payment data to six attacker-controlled domains. "In the early hours of April 7th, nearly 100 Magento stores got mass-infected with a 'double-tap' skimmer: a credit card stealer hidden inside an invisible SVG element," Sansec said . "The likely entry vector is the PolyShell vulnerability that continues to affect unprotected Magento stores." Like other attacks of this kind, the skimmer shows victims a convincing "Secure Checkout" overlay, complete with card validation and billing fields. Once the payment details are captured, it silently redirects the shopper to the real checkout page. Adobe has yet to release a security update to address the PolyShell flaw in production versions of Magento. Emoji-coded signals evade detection Criminals' Use of Emojis Dissected Cybercriminals are using emojis across illicit communities to signal financial activity, access and account compromise, tooling and service offerings, represent targets or regions, and communicate momentum or importance. Using emojis allows bad actors to bypass security controls. "Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text," Flashpoint said . "This is particularly valuable in: large Telegram channels with international membership, cross-border fraud operations, [and] decentralized marketplaces. This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks." Stealth RAT delivered via MSI ClickFix Delivers Node.js Stealer A ClickFix campaign targeting Windows users is leveraging malicious MSI installers to deliver a Node.js-based information stealer. "This Windows payload is a highly adaptable remote access Trojan (RAT) that minimizes its forensic footprint by using dynamic capability loading," Netskope said . "The core stealing modules and communication protocols are never stored on the victim’s disk. Instead, they are delivered in-memory only after a successful C2 connection is established. To further obfuscate the attacker’s infrastructure, the malware routes gRPC streaming traffic over the Tor network, providing a persistent and masked bidirectional channel." macOS attack bypasses Terminal safeguards ClickFix Variant Targets macOS More ClickFix, this time targeting macOS. According to Jamf, a ClickFix-style macOS attack is abusing the "applescript://" URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload, thereby bypassing Terminal entirely. The attack leverages fake Apple-themed web pages that include instructions to "reclaim disk space on your Mac" by clicking on an "Execute" button that triggers the "applescript://" URL scheme. The new approach is likely a response to a new security feature introduced by Apple in macOS 26.4 that scans commands pasted into Terminal before they're executed. "It's a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another," security researcher Thijs Xhaflaire said. PyPI package exfiltrates AI prompts Malicious Python Package Steals AI Prompts A malicious PyPI package named hermes-px has been advertise