GoDaddy A.I CyberSecurity Scoring
GoDaddy
Company Information
Website: http://www.godaddy.com
Number of employees: 8,889
Number of followers: 163,663
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: godaddy.com
GoDaddy Risk Score (AI oriented)
Between 650 and 699
GoDaddy (Technology, Information and Internet)
Updated: 15/05/2026
686/1000
Weak
B
GoDaddy Global Score (TPRM)
Score locked
Current Score
686 B (WEAK)
8 incidents
-17 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
685
MAY 2026
703
Cyber Attack
06 May 2026 • GoDaddy
GoDaddy and ManageWP Users: Hackers Exploit Google Ads to Steal GoDaddy ManageWP Logins
Hackers Exploit Google Ads in AiTM Phishing Attack Targeting GoDaddy ManageWP Users
686
CRITICAL-17
GODMAN1778142354
Cybercriminals are leveraging Google Ads to steal credentials for GoDaddy’s ManageWP, a widely used WordPress management platform, through an adversary-in-the-middle (AiTM) phishing campaign. Researchers at Guardio Labs uncovered the operation, which tricks users searching for "ManageWP" by placing a malicious sponsored ad above the legitimate result.
When victims click the fake ad, they are redirected to a cloned ManageWP login page that closely mimics the real interface. Unlike traditional phishing, this attack employs a live proxy that relays credentials in real time to the authentic ManageWP service, logging the attacker in simultaneously. Stolen credentials are also forwarded to a Telegram channel controlled by the threat actors.
The scheme bypasses two-factor authentication (2FA) by presenting a fake 2FA prompt, allowing attackers to intercept one-time codes and gain full access to compromised accounts. Once inside, they can control connected WordPress sites, deploy malicious plugins, exfiltrate data, or escalate access to hosting environments.
Guardio Labs infiltrated the attackers’ infrastructure, discovering a custom operator-driven panel that dynamically manages phishing sessions. The framework appears to be a private tool, not a commercial phishing-as-a-service kit, with code artifacts suggesting Russian origins, including a disclaimer prohibiting use against Russian targets.
The campaign has already claimed at least 200 victims, though the true number may be higher given ManageWP’s 1 million+ installations. The attack underscores the growing threat of malvertising, where cybercriminals exploit paid search slots to distribute phishing and malware at scale. Users are advised to avoid searching for login pages and instead bookmark official URLs to mitigate risk.
APRIL 2026
703
MARCH 2026
699
FEBRUARY 2026
698
JANUARY 2026
712
Cyber Attack
01 Jan 2026 • GoDaddy
GoDaddy: CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions
CalPhishing Attack: Cybercriminals Exploit Calendar Invites to Hijack Accounts
695
HIGH-17
GOD1778848590
Cybercriminals Exploit Calendar Invites in New "CalPhishing" Attack, Bypassing Security Controls
A newly uncovered cyberattack campaign, dubbed CalPhishing, is leveraging calendar invites to hijack user accounts, according to a report by Fortra Intelligence and Research Experts (FIRE). Active since early 2026, the attack exploits iCalendar (.ics) files to bypass traditional security measures, embedding malicious meetings directly into victims’ schedules without requiring them to open the original email.
### How the Attack Works
The campaign begins with an email disguised as an urgent administrative alert; common subject lines include "Domain Renewal Failed" or "Reminder for Signature – Vendor Information Verification." Once processed by Outlook, the .ics file automatically adds a "tentative" meeting to the victim’s calendar, triggering official notifications and reminders. Hackers manipulate key fields within the invite:
- Summary: Creates false urgency.
- Location: References an "attached file" to appear legitimate.
- Description: Contains phishing instructions.
When opened, the meeting displays an HTML file mimicking an admin portal. Clicking it initiates a series of redirects through Cloudflare to evade security scans.
### Two Primary Lures
Researchers identified two main deception tactics:
1. Fake Microsoft 365 Domain Renewal Alerts – Directs victims to a spoofed GoDaddy page.
2. Fake DocuSign Signature Requests – Tricks users into "signing" an invoice via a fraudulent portal.
The attack employs ConsentFix (also known as device code phishing), a technique that steals session tokens rather than passwords. This allows hackers to bypass multi-factor authentication (MFA) by using the EvilTokens phishing kit, sold on Telegram, to automate the process. Once compromised, attackers can exfiltrate data, disrupt systems, or maintain persistent access.
### Persistence and AI-Driven Automation
A key concern is the attack’s longevity: standard security tools often overlook .ics files due to their trusted nature. Even if the original email is deleted or marked as junk, the meeting remains on the calendar unless manually hard-deleted. FIRE researchers warn that threat actors are likely using AI to scale these attacks, ensuring victims remain exposed long after the initial compromise.
The report highlights the growing sophistication of phishing tactics, where seemingly benign calendar invites become a vector for account takeover and data breaches.
DECEMBER 2025
715
NOVEMBER 2025
715
OCTOBER 2025
713
SEPTEMBER 2025
711
AUGUST 2025
710
JULY 2025
708
JUNE 2025
709
Vulnerability
05 Jun 2025 • GoDaddy
GoDaddy
Exploitation of CVE-2025-49113 in Roundcube Webmail
715
CRITICAL-6
GOD616060625
Hackers are exploiting a critical vulnerability in the Roundcube webmail application, which is widely used by hosting providers like GoDaddy. The vulnerability, CVE-2025-49113, allows remote code execution and has a severity score of 9.9 out of 10. This vulnerability has been present for over a decade and impacts versions 1.1.0 through 1.6.10. Despite a patch being released, attackers have reverse-engineered the fix and are selling exploits on hacker forums. The wide use of Roundcube, including by government and academic institutions, makes the attack surface significant. The vulnerability can lead to data breaches and significant impact on organizations using the application.
FEBRUARY 2023
711
Breach
01 Feb 2023 • GoDaddy
GoDaddy
GoDaddy Malware and Source Code Theft
665
MEDIUM-46
GOD195781023
GoDaddy, a provider of web hosting services, reported that malware and source code had been stolen from its servers.
Threat actors have infiltrated the organization's cPanel shared hosting environment.
Although the company is unable to pinpoint the exact moment of the initial penetration, it is currently looking into the breach to ascertain the incident's underlying cause.
Random client websites might occasionally be redirected to dangerous websites by the malware that had been installed on the company's computer systems.
The organization claimed that the attacks haven't affected their operations or business, but that it believes it was the target of a sophisticated threat actor's strike.
SEPTEMBER 2021
713
Breach
06 Sep 2021 • GoDaddy
GoDaddy
GoDaddy Data Breach
665
CRITICAL-48
GOD348072625
The California Attorney General reported a data breach involving GoDaddy on November 17, 2021. The breach occurred on or about September 6, 2021, when an unauthorized third party accessed customer authentication information, including customer numbers, email addresses, and login credentials. The number of individuals affected is currently unknown.
NOVEMBER 2020
758
Breach
01 Nov 2020 • GoDaddy
GoDaddy
GoDaddy Web Hosting Accounts Compromised
696
HIGH-62
GOD2315623
GoDaddy reported the compromising of 28,000 of its customers' web hosting accounts.
One of its primary domain names is hosted by "GoDaddy," who inadvertently gave a malicious actor control of the account and site.
As a result, the actor was able to manipulate several internal email accounts by altering DNS data. After some time had passed, the hostile actor was able to access document storage and compromise some of their infrastructure.
Unauthorized changes were made to the settings of certain domain registration records at GoDaddy, temporarily rerouting the site's email and web traffic.
Although it appears that no emails, passwords, or other sensitive information was obtained, the business advised changing the password and turning on 2FA security.
OCTOBER 2019
806
Breach
16 Oct 2019 • GoDaddy
GoDaddy.com LLC
GoDaddy Data Breach
748
LOW-58
GOD123072625
The California Office of the Attorney General reported on May 17, 2023, that GoDaddy.com LLC experienced a data breach that occurred on October 16, 2019. The breach involved unauthorized remote access to a virtual private server (VPS) due to malware that captured Secure Shell (SSH) passwords.
JULY 2018
800
Cyber Attack
19 Jul 2018 • GoDaddy
Namecheap, UnifiedLayer, IONOS and GoDaddy: New SystemBC Botnet Discovered Hijacking 10,000 Devices For DDoS Attacks
SystemBC Botnet Resurfaces with 10,000+ Infected IPs, Targeting Hosting Providers and Government Infrastructure
772
CRITICAL-28
UNINAMIONGOD1770273279
Researchers at Silent Push have uncovered a resurgent SystemBC botnet, now controlling over 10,340 unique infected IP addresses worldwide. The malware, first identified in 2019 as "Coroxy" or "DroxiDat," converts compromised systems into SOCKS5 proxies, enabling attackers to launch DDoS attacks and obscure malicious operations.
### Scope and Persistence
The botnet maintains an average of 2,888 daily active infections, with some systems remaining compromised for over 100 days. Unlike typical consumer-focused malware, SystemBC disproportionately targets hosting providers, with top affected networks including Network Solutions, UnifiedLayer, Namecheap, GoDaddy, and IONOS. This concentration in data centers ensures high-bandwidth, persistent access for cybercriminals.
### Global Distribution and High-Value Targets
The U.S. leads in infections (4,300+ IPs), followed by Germany (829), France (448), Singapore (419), and India (294). Notably, compromised IPs have been linked to government infrastructure, including:
- Vietnam’s Phutho provincial government (`duchop[.]gov[.]vn` on `103.28.36[.]105`)
- Burkina Faso domains (`196.13.207[.]92`)
Many infected systems also scanned WordPress sites for vulnerabilities, suggesting ties to broader exploitation campaigns, including ransomware deployment.
### Evasion and Command Infrastructure
SystemBC’s command-and-control (C2) servers rely on bulletproof hosting providers like `bthoster[.]com` and AS213790 (BTCloud) to resist takedowns. The malware uses RC4-encrypted custom protocols in a backconnect setup, functioning as both a backdoor and ransomware loader.
A newly discovered Perl-based Linux variant evaded detection by all 62 VirusTotal scanners, while droppers like SafeObject (SHA256: `0f5c81eaf357...`) unpack to deploy 264 payloads, with Russian-language artifacts hinting at its origins. The botnet’s developer, "psevdo," continues to post updates on the underground forum forum[.]exploit[.]in, despite Europol’s 2024 Operation Endgame targeting similar threats.
### Key Indicators of Compromise (IOCs)
- Perl variant SHA256: `c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a`
- C2 IPs: `36.255.98[.]159` (and others)
The botnet’s resilience underscores its role in DDoS operations and stealthy cyberattacks, with hosting providers and government entities remaining prime targets.