
🚨 Massive Web Infections Redirect Users to Chinese Gambling Sites 🎰


Welcome to Gone Phishing, your weekly cybersecurity newsletter that wonders whether it’s hackers behind Daylight Savings Hour 👨🏻‍💻🤔😂 

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳 

Congrats to Google, the cybercriminals are no match… for your patch! 🩹

E.T. phone Chrome 👽

🚨 Chrome Zero-Day Under Attack! Update Now! 🔥

Google just rushed out an emergency fix for CVE-2025-2783, a high-severity zero-day exploit hitting Windows users—and it's already being used in attacks! 🎯

💥 What's happening?

Exploit targets Chrome's Mojo IPC system 🖥️

Used in sophisticated phishing attacks 🎣—victims got tricked into clicking a malicious link, which instantly infected their devices! 😱

Targets? Russian media, education, and government organizations 🇷🇺

Kaspersky is calling it "Operation ForumTroll" 🕵️‍♂️

🔧 Fix? Update Chrome to version 134.0.6998.177/.178 NOW! ⏳

📢 Using Edge, Brave, or Opera? They’re based on Chromium, so updates should be coming soon—stay alert! ⚠️

With state-backed hackers on the loose, don't risk it—update immediately! 🚀

Now, on to this week’s hottest cybersecurity news stories: 

  • 💉 JavaScript injection promoting gambling sites infects 150k sites ☣️

  • ⚠️ CISA warning! Active exploits hit Next.js and DrayTek devices 📱

  • 👾 Raspberry Robin malware linked to almost 200 unique C2 domains 👨🏻‍💻

Don’t gamble with your online safety 🎲

🚨 Massive Web Infections Redirect Users to Chinese Gambling Sites 🎰

A massive JavaScript injection campaign has compromised 150,000+ websites, redirecting visitors to Chinese-language gambling platforms.

🔥 How the Attack Works

🔹 Malicious JavaScript injected into legitimate sites 📜

🔹 Hijacks browsers, replacing content with a gambling page

🔹 Uses iframe overlays to mimic real betting sites (e.g., Bet365) 🎭

🔹 Obfuscates code to evade detection 🕵️‍♂️

🚨 Scale & Evolution

135,800+ sites still actively infected

Redirects via five domains (e.g., "zuizhongyj[.]com")

Constantly updated with new tactics

🌎 Tied to Larger Cybercrime Networks

🔹 Similar tactics used by DollyWay malware, which has compromised 20,000+ WordPress sites since 2016

🔹 Uses Traffic Direction Systems (TDS) to funnel visitors to scam sites

🔹 Monetized through networks like VexTrio & LosPollos

🛡️ How to Stay Safe

Website admins: Regularly scan for unauthorized JavaScript injections

Keep WordPress & plugins updated to prevent exploitation

Users: Avoid unfamiliar gambling pop-ups & redirects 

With thousands of sites compromised and millions exposed, this attack highlights the growing risk of web-based threats—stay cautious and proactive! 🚧
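For the "regularly scan for unauthorized JavaScript injections" advice above, here is a small stdlib-only checker a site admin could run over saved pages or a CMS export. It is an added example, not code from the newsletter or from any of the vendors it cites: the allow-list of script hosts, the obfuscation heuristics, the overlay-iframe rule and the sample page (with the constructed placeholder domain `injected-example.invalid`) are all assumptions chosen to illustrate the three behaviours the story describes: an external loader, obfuscated inline code, and a full-viewport iframe overlay.

```python
"""Scan an HTML document for signs of injected JavaScript.

Added example (not from the newsletter). Heuristics, allow-list and the sample
page are assumptions for illustration, not an authoritative signature set.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script patterns that commonly show up in obfuscated injections.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "atob": re.compile(r"\batob\s*\("),
    "hex-escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long runs of \xNN
    "base64-blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),         # long base64-like blobs
}


class _ScriptCollector(HTMLParser):
    """Collect <script> elements (src + inline body) and <iframe> attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # list of (src or None, inline_text)
        self.iframes = []       # list of attribute dicts
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._src, self._buf = True, a.get("src"), []
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script, self._src = False, None


def find_suspicious_scripts(html, allowed_hosts):
    """Return findings as dicts: {'kind': ..., 'detail': ...}, in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            # External loader from a host the site owner did not approve.
            host = (urlparse(src).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append({"kind": "external-script", "detail": host})
        else:
            hits = [name for name, pat in OBFUSCATION_PATTERNS.items() if pat.search(body)]
            if hits:
                findings.append({"kind": "obfuscated-inline", "detail": hits})
    for attrs in parser.iframes:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        # A fixed, full-width iframe is the overlay trick used to mimic a betting site.
        if "position:fixed" in style and ("width:100%" in style or "width:100vw" in style):
            findings.append({"kind": "overlay-iframe", "detail": attrs.get("src", "")})
    return findings


# Constructed sample: a normal page plus an injected loader, obfuscated inline code
# and an overlay iframe. The hostnames are placeholders, not real indicators.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="//static.injected-example.invalid/loader.js"></script>
<script>var _0x=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f'];eval(atob('ZG9jdW1lbnQ='));</script>
</head><body><p>Welcome to our shop.</p>
<iframe src="https://casino.injected-example.invalid/" style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999"></iframe>
</body></html>"""


def scan_sample():
    """Run the checker over the constructed sample page."""
    return find_suspicious_scripts(SAMPLE_HTML, ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding['kind']:18} {finding['detail']}")
```

Run it over a crawl of your own pages and diff the external-script hosts against the last clean run; a new host in that list is the cheapest early warning for this kind of campaign. The inline heuristics are deliberately loose and will flag some legitimate minified bundles, so treat them as triage hints rather than verdicts.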


Motherf**kers act like they forgot about DrayTek 🎤

🚨 CISA Adds Exploited Sitecore CMS Flaws to KEV List 📝

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old vulnerabilities in Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) list, citing active exploitation.

🔥 The Vulnerabilities

🔹 CVE-2019-9874 (CVSS 9.8) – Allows unauthenticated remote code execution via a deserialization attack 🔓

🔹 CVE-2019-9875 (CVSS 8.8) – Allows authenticated remote code execution via a deserialization attack

📅 Federal agencies must patch by April 16, 2025 to secure their networks.

⚠️ Other Exploited Vulnerabilities

🔸 Next.js CVE-2025-29927 (CVSS 9.1) – Authorization bypass lets attackers bypass middleware security & access sensitive resources 🔑

🔸 DrayTek Router Flaws (CVE-2020-8515, CVE-2021-20123, CVE-2021-20124) – Used for remote code execution & file theft 📡

🌎 Attack Hotspots

🔹 Sitecore & Next.js flaws actively probed worldwide

🔹 DrayTek router exploits detected in Indonesia, U.S., Hong Kong, Lithuania, & Singapore

🛡️ How to Stay Protected 

Apply patches for all impacted systems ASAP

Monitor logs for unusual activity & exploit attempts

Restrict public access to vulnerable applications

With older flaws still being actively exploited, staying updated is critical to prevent cyber intrusions! 🚧


It’s Robin you blind 💀

🚨 Raspberry Robin Malware Expands with 200+ C2 Domains 👾

A new investigation has uncovered nearly 200 command-and-control (C2) domains linked to Raspberry Robin, a fast-evolving malware used by Russian-linked cybercriminals and nation-state hackers for initial access into victim networks.

🔥 Key Findings

🔹 New C2 domains (180+) discovered via QNAP device relay 📡

🔹 Uses “fast flux” to rotate domains & evade takedowns 🔄

🔹 Top TLDs: .wf, .pm, .re, .nz, .eu, .tw 🌍

🔹 C2 infrastructure tied to niche registrars & Bulgarian hosting provider

🕵️ How Raspberry Robin Spreads

USB-Based Propagation – Infects devices via compromised USB drives

Discord-Based Delivery – Archives & Windows Script Files spread malware 🎭

Exploiting One-Day Vulnerabilities – Gains privilege escalation before public disclosure

🏴‍☠️ Linked to Major Threat Actors

🔸 Used by Russian APT Cadet Blizzard for initial access 🕶️

🔸 Distributes malware for LockBit, Dridex, SocGholish, & FIN11

🔸 Possibly operates as a Pay-Per-Install (PPI) botnet

🛡️ How to Stay Safe 

Disable autorun on USB devices 🚫

Monitor network traffic for unusual domain activity 🌐

Use endpoint protection to detect malware loaders 🛡️

Restrict access to QNAP & NAS devices from external networks

With Russian threat actors leveraging Raspberry Robin for large-scale intrusions, defensive measures are critical to prevent data breaches and ransomware infections. 🚨
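The "fast flux" finding and the "monitor network traffic for unusual domain activity" advice above go together: fast flux shows up in resolver logs as one name answering with many different low-TTL IP addresses in a short time. The following script, an added example that is not from the newsletter or the cited research, flags that pattern in DNS logs and notes whether the name sits under one of the TLDs the article lists. The log format, the thresholds (five or more distinct IPs with TTL of 300 s or less inside an hour) and the sample lines, including the constructed name `update-node.example.wf`, are assumptions; a TLD on its own is a weak signal, so it is only reported alongside the churn indicator.

```python
"""Flag fast-flux-style DNS churn in resolver logs.

Added example (not from the newsletter). The log line format, thresholds and
sample data are assumptions; the TLD watch-list is the one the article reports.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed resolver log format: one A-record answer per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) A answer=(?P<ip>\S+) ttl=(?P<ttl>\d+)$"
)

WATCHLIST_TLDS = {"wf", "pm", "re", "nz", "eu", "tw"}   # TLDs named in the article

MIN_DISTINCT_IPS = 5      # assumed thresholds for "churn"
MAX_TTL = 300
WINDOW_SECONDS = 3600


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),
        "ip": m["ip"],
        "ttl": int(m["ttl"]),
    }


def analyze(lines):
    """Return {qname: summary} for names whose low-TTL answers rotate through
    at least MIN_DISTINCT_IPS addresses within WINDOW_SECONDS."""
    by_name = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_name[rec["qname"]].append(rec)

    findings = {}
    for qname, recs in by_name.items():
        low_ttl = sorted((r for r in recs if r["ttl"] <= MAX_TTL), key=lambda r: r["ts"])
        # Sliding window: most distinct IPs seen within WINDOW_SECONDS of any answer.
        best = 0
        for i, start in enumerate(low_ttl):
            window = [r for r in low_ttl[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= WINDOW_SECONDS]
            best = max(best, len({r["ip"] for r in window}))
        if best >= MIN_DISTINCT_IPS:
            findings[qname] = {
                "distinct_ips_in_window": best,
                "watchlisted_tld": qname.rsplit(".", 1)[-1] in WATCHLIST_TLDS,
                "clients": sorted({r["client"] for r in recs}),
            }
    return findings


# Constructed sample log: a stable CDN name, a churning low-TTL name under .wf,
# and a quiet name under .nz (watch-listed TLD but no churn, so not flagged).
SAMPLE_LOG = """\
2025-03-26T10:00:01Z client=10.0.0.5 q=cdn.example.com A answer=93.184.216.34 ttl=3600
2025-03-26T10:00:05Z client=10.0.0.7 q=update-node.example.wf A answer=198.51.100.11 ttl=60
2025-03-26T10:05:09Z client=10.0.0.7 q=update-node.example.wf A answer=198.51.100.72 ttl=60
2025-03-26T10:10:14Z client=10.0.0.9 q=update-node.example.wf A answer=203.0.113.5 ttl=60
2025-03-26T10:15:20Z client=10.0.0.7 q=update-node.example.wf A answer=203.0.113.88 ttl=60
2025-03-26T10:20:33Z client=10.0.0.7 q=update-node.example.wf A answer=192.0.2.17 ttl=60
2025-03-26T10:25:41Z client=10.0.0.9 q=update-node.example.wf A answer=192.0.2.140 ttl=60
2025-03-26T10:30:02Z client=10.0.0.5 q=cdn.example.com A answer=93.184.216.35 ttl=3600
2025-03-26T10:31:00Z client=10.0.0.5 q=mail.example.nz A answer=198.51.100.200 ttl=300
"""


def scan_sample():
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for name, summary in scan_sample().items():
        print(name, summary)
```

The `clients` field is what turns a finding into a response action: those are the hosts to pull for endpoint review, which is where the USB and script-file loaders the article describes would be found. Keep the thresholds tunable; large CDNs legitimately rotate addresses, but they rarely do so with sub-minute TTLs under a handful of niche TLDs.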

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
