Security Affairs
Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Whiffy Recon malware triangulates the position of infected systems via Wi-Fi

Experts observed the SmokeLoader malware delivering a new Wi-Fi scanning malware strain dubbed Whiffy Recon. Secureworks Counter Threat Unit (CTU) researchers observed the Smoke Loader botnet dropping a new Wi-Fi scanning malware named Whiffy Recon. The malicious code triangulates the positions of the infected systems using nearby Wi-Fi access points as a data point for Google’s […]

Whiffy Recon

Experts observed the SmokeLoader malware delivering a new Wi-Fi scanning malware strain dubbed Whiffy Recon.

Secureworks Counter Threat Unit (CTU) researchers observed the Smoke Loader botnet dropping a new Wi-Fi scanning malware named Whiffy Recon. The malicious code triangulates the positions of the infected systems using nearby Wi-Fi access points as a data point for Google’s geolocation API.

“The scan results are mapped to a JSON structure (see Figure 5) that is sent to the Google Geolocation API via an HTTPS POST request. The Google Geolocation API is a legitimate service that triangulates a system’s location using collected Wi-Fi access points and mobile network data and returns coordinates. The Whiffy Recon code includes a hard-coded URL that the threat actors use to query the API.” reads the report published by Secureworks.

“These coordinates are then mapped to a more comprehensive JSON structure that contains detailed information about each wireless access point found in the area. This data identifies the encryption methods used by the access points.”

Whiffy Recon

The experts noticed that the Whiffy Recon’s main code runs as two loops. One loop registers the bot with the C2 server, and the second performs scanning for Wi-Fi access points via the Windows WLAN API. This second loop runs every 60 seconds. The malware register with a remote C2 using a randomly generated “botID” in an HTTP POST request. In turn the server reply with a success message and a secret unique identifier that is saved in a file named “%APPDATA%\Roaming\wlan\str-12.bin.”

Whiffy Recon checks for the WLAN AutoConfig service (WLANSVC) on the infected system and terminates itself if the service name doesn’t exist. The malware maintains persistence on the system by creating the wlan.lnk shortcut in the user’s Startup folder.

Smoke Loader is a tiny dropper used to install on the infected system other malware families

The researchers have yet to determine the motivation of the operators behind this malware.

“Because the Wi-Fi scanning occurs every 60 seconds and is enriched with geolocation data, it could allow the threat actors to track the compromised system. It is unclear how the threat actors use this data. Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Whiffy Recon)