SECURITYINTEL DAILY BRIEF
■ ThreatIntel Brief
Monday, June 01, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: WP Maps Pro Vulnerability Exploited for Admin Accounts | CRITICAL

5 C2 IPs | 117 OTX IOCs | 6 ARTICLES

■ ANALYST TLDR
A critical vulnerability in the WP Maps Pro WordPress plugin is being actively exploited to create unauthorized administrator accounts, posing an immediate threat to website integrity. Concurrently, an unidentified RAT is distributing NetSupport RAT, indicating ongoing remote access tool campaigns. Dutch authorities have also successfully dismantled a massive botnet, highlighting the continuous battle against large-scale cybercrime infrastructure.

■ CRITICAL STORIES
WP Maps Pro bug exploited to create admin accounts on WordPress sites
This vulnerability allows unauthenticated attackers to create administrator accounts, leading to full compromise of affected WordPress sites. Active exploitation makes immediate patching paramount.

Unidentified RAT pushes NetSupport RAT
The use of an unknown initial access RAT to deploy NetSupport RAT signifies an active campaign to gain persistent remote access to victim systems, potentially leading to data theft or further network compromise.

Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices
The takedown of a botnet affecting millions of devices underscores the pervasive nature of malware infections and the ongoing efforts by law enforcement to disrupt cybercriminal operations, reducing the immediate threat from this specific botnet.

■ CVEs IDENTIFIED
[CVE-TBD] WP Maps Pro plugin — Unauthenticated administrator account creation

■ THREAT ACTORS
Exploiting WP Maps Pro vulnerability
Unidentified Threat Actor | Cybercriminals
Distributing NetSupport RAT
Botnet Operators | Cybercriminals
Operating a large-scale botnet (now dismantled)

■ ATT&CK TTPs
T1133 | External Remote Services | Exploiting WordPress sites via WP Maps Pro
T1078.003 | Valid Accounts: Local Accounts | Creating rogue administrator accounts on WordPress
T1098 | Account Manipulation | Creating new admin accounts via WP Maps Pro
T1105 | Ingress Tool Transfer | Delivery of NetSupport RAT by an unidentified RAT
T1219 | Remote Access Software | Use of NetSupport RAT for control
T1071.001 | Application Layer Protocol: Web Protocols | Likely C2 for RATs and botnet

■ PATCH PRIORITY
WordPress — WP Maps Pro plugin — Unauthenticated admin account creation (RCE/PE equivalent) — BleepingComputer
Endpoint systems — Vulnerable to NetSupport RAT deployment — Remote access and control — SANS

■ RECOMMENDED ACTIONS TODAY
1. [P1] Immediately patch all instances of the WP Maps Pro plugin to the latest secure version to prevent unauthenticated administrator account creation.
2. [P2] Implement robust endpoint detection and response (EDR) solutions to detect and block the deployment of unknown RATs and NetSupport RAT.
3. [P2] Review and harden WordPress security configurations, including strong authentication and regular backups, to mitigate risks from plugin vulnerabilities.
4. [P3] Advise users to review privacy policies of payment apps and consider alternatives if data collection practices are deemed excessive or concerning.
5. [P3] Enhance network monitoring for unusual outbound connections indicative of C2 communications associated with RATs or botnet activity.

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP

FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily · Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB