Industry News  Continuous Xurum Attacks Targeting E-commerce Websites through Severe Magento 2 Vulnerability
Industry News

Continuous Xurum Attacks Targeting E-commerce Websites through Severe Magento 2 Vulnerability

Mister CybersecurityMister CybersecurityAugust 14, 20230
PinterestLinkedInTumblrRedditVKWhatsApp
More stories

Chinese TA415 Exploits VS Code Remote Tunnels for Espionage on U.S. Economic Policy Experts

As tensions between the United States and China continue to escalate, a new threat has emerged in the form of Chinese cyber espionage targeting American economic policy experts. The group known as TA415 has been using advanced techniques to infiltrate the virtual workspace of these experts, leveraging remote tunnels in Visual Studio Code to spy on sensitive information.

By exploiting vulnerabilities in the popular code editor, TA415 has been able to gain unauthorized access to the computers of U.S. economic policy experts, allowing them to monitor their activities and gather intelligence on key economic strategies and policies. This covert operation has raised alarms among cybersecurity experts, who warn of the potential impact on national security and economic stability.

The use of Visual Studio Code remote tunnels for espionage marks a new frontier in cyber warfare, highlighting the importance of securing virtual workspaces and ensuring the protection of sensitive information. As the threat landscape continues to evolve, it is crucial for organizations and individuals to stay vigilant and take proactive measures to defend against cyber attacks.

In response to this growing threat, government agencies and cybersecurity firms are working to uncover the full extent of TA415’s activities and develop countermeasures to mitigate the risk of future attacks. By raising awareness of this issue and implementing robust security measures, the United States can better protect its economic interests and safeguard against foreign espionage.

September 17, 2025



Since January 2023, there was an ongoing marketing campaign focusing on e-commerce websites that use Adobe’s Magento 2 software program. This marketing campaign, referred to as Xurum, exploits a crucial safety flaw in Adobe Commerce and Magento Open Source that has now been patched. If efficiently exploited, this flaw might result in arbitrary code execution. The attackers behind Xurum, believed to be of Russian origin, are primarily fascinated with payment stats from the orders made prior to now 10 days.

In addition to exploiting the safety flaw, the attackers have additionally contaminated some web sites with JavaScript-based skimmers. These skimmers gather bank card data and ship it to a distant server. The full extent of the marketing campaign is presently unknown.

The assault chain utilized by the attackers includes weaponizing CVE-2022-24086 for preliminary entry after which utilizing it to execute malicious PHP code. This code gathers details about the host and deploys an internet shell named wso-ng, disguised as a Google Shopping Ads part. The internet shell solely prompts when the attacker sends the cookie “magemojo000” within the HTTP request. Once activated, it accesses and exfiltrates details about the gross sales order payment strategies from the previous 10 days. The assaults conclude with the creation of a rogue admin consumer with the names “mageworx” or “mageplaza,” that are in style Magento 2 extension shops.

The internet shell wso-ng is an evolution of the WSO internet shell and features a hidden login web page to steal credentials. It additionally integrates with authentic instruments like VirusTotal and SecurityTrails to assemble details about the contaminated machine’s IP fame and different domains hosted on the identical server.

The attackers behind Xurum reveal a meticulous and focused method, specializing in particular Magento 2 cases reasonably than launching indiscriminate assaults. They present a excessive stage of experience in Magento and make investments appreciable time in understanding its internals and establishing their assault infrastructure.



Source hyperlink

PinterestLinkedInTumblrRedditVKWhatsApp

Mister Cybersecurity

Advanced Cyber Attacks Used by Charming Kitten to Target Iranian Dissidents
Telegram and Discord: A New Remote Access Trojan Makes Its Presence Known
Related posts
Load more
Leave a Reply

Your email address will not be published. Required fields are marked *

Read also
Load more