Two separate cybersecurity threats surfaced this week, with Australian authorities flagging a global campaign targeting content management systems and researchers uncovering a new Android malware strain that exploits wireless debugging tools to seize elevated device privileges.
The Australian Cyber Security Centre issued an alert warning of a large-scale exploitation campaign striking content management systems and their plugins worldwide, with many small- to medium-sized Australian businesses already compromised.
"A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted," the ACSC stated in its alert.
Attackers are actively scanning websites for exploitable flaws and deploying webshells — persistent backdoors that allow threat actors to steal credentials, disrupt services, install additional malware, and move laterally through a network.
The agency identified vulnerabilities across 17 products, spanning WordPress plugins including Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, WPvivid Backup, and Gravity Forms, as well as Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. Associated CVEs range from older disclosures — including CVE-2020-36847 — through several filed in 2026, reflecting the campaign's broad scope.
The ACSC noted the campaign may be supported by artificial intelligence, which can help threat actors accelerate attacks and scale exploitation of newly disclosed vulnerabilities. Website administrators are advised to apply the latest security updates for all CMS software, themes, and plugins, remove unused components, and enable automatic updates where possible.
Separately, cybersecurity firm Group-IB published an analysis of a new version of the RedHook Android malware, which exploits Android's Wireless Debugging mechanism — known as Wireless ADB — to obtain shell-level privileges without requiring a physical computer connection or a rooted device.
Android Debug Bridge is Google's debugging interface that allows command-line control of an Android device. Wireless ADB, introduced in Android 11, provides the same capability over a network connection rather than via USB.
RedHook's attack chain begins by tricking the user into granting Accessibility Service permissions. The malware then automatically navigates device settings to enable Developer Options and activate Wireless Debugging, retrieves the on-screen pairing code, and connects to the device's own ADB daemon via the loopback address 127.0.0.1.
Once paired, the malware operates at shell privilege level — identified as UID 2000 — which surpasses normal app permissions without reaching root access. It then deploys a Shizuku-based framework, using a library identified as libmx.so, to invoke privileged Android APIs, silently install or remove applications, modify protected system settings, and execute commands without triggering user dialogs.
According to Group-IB's report, this version of RedHook supports 53 distinct server-issued commands, including screen streaming, screenshot capture, keystroke interception, simulated touch gestures, device locking and unlocking, contact and SMS collection, camera activation, overlay creation, and device reboots.
The malware also employs multiple persistence mechanisms: silent audio playback to raise process priority, WakeLocks to prevent CPU sleep, two mutually watchdog services that restart each other upon termination, a five-minute alarm watchdog, automatic restart on device boot, and an oom_score_adj value set to -1000 to resist memory-based process termination.
RedHook is distributed through social engineering, with attackers impersonating government agencies or financial institutions via messages and phone calls, directing victims to counterfeit Google Play download pages.
Both threats underscore the accelerating pace at which adversaries are identifying and weaponizing both newly disclosed and older vulnerabilities — a dynamic that places sustained pressure on administrators and device owners alike to maintain patching discipline and exercise caution around permission requests.