IoT Botnets, WordPress Plugin Flaws, and Ransomware: A Week of Escalating Cyber Threats
A wave of cyber incidents this week highlights the growing threat from IoT botnets, mass-exploited WordPress plugins, a new ransomware strain, and a breached emergency alert system in Brazil.
A wave of cyber incidents this week underscores the escalating threat landscape. From millions of home IoT devices secretly powering massive DDoS attacks to a critical WordPress plugin flaw exposing API keys, and a new ransomware strain that prioritizes recent files, attackers are exploiting multiple vectors. In Brazil, hackers breached the national cellphone alert system, sending a leetspeak message to devices across several states.
According to a Wall Street Journal investigation, millions of internet-connected home devices, particularly knockoff digital picture frames and streaming devices sold on Amazon and Walmart, ship with pre-installed backdoor software. Security experts believe manufacturers are paid to include this malware. Within minutes of powering on, devices generated a surge of traffic to gambling, porn, and cryptocurrency sites. Residential proxy companies rent access to tens of millions of these networks, and hackers have seized control of backdoors to launch some of the largest cyberattacks ever recorded. Last month, a 23-year-old Ottawa man was arrested for taking over more than a million devices.
Gravity SMTP Flaw Under Active Mass Exploitation
Separately, attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020. The flaw exposes API keys, OAuth tokens, and detailed system configuration data to anyone sending a single unauthenticated HTTP request. Wordfence, the WordPress security firm owned by Defiant, reports it has blocked more than 17 million exploit attempts targeting this flaw since activity began. The plugin is installed on over 100,000 WordPress sites, making this a widespread threat.
- 17 million exploit attempts blocked by Wordfence since activity started.
- Affects over 100,000 WordPress sites using the Gravity SMTP plugin.
- Exposes API keys, OAuth tokens, and system configuration data.
- Attackers can gain persistent access to email services and cloud APIs.
New Ransomware and a Breached Alert System
A new ransomware operation named 'Prinz Eugen' has emerged, with a unique tactic: it prioritizes recently modified files for encryption, likely to maximize disruption. The ransomware leaves no ransom note on the system, complicating victim response. Meanwhile, in Brazil, hackers breached the national cellphone alert system on Saturday, sending an unauthorized 'extreme' alert bearing the word 'misantropi4' (leetspeak for misanthropy) to devices in several states. The Brazilian government confirmed the breach and is investigating.
These incidents highlight a fragmented but aggressive threat environment. The IoT botnet problem, fueled by cheap, insecure devices, shows no sign of abating. The Gravity SMTP flaw demonstrates how a single plugin vulnerability can expose thousands of sites. As for Prinz Eugen and the Brazil alert breach, both signal that attackers are innovating in tactics and targeting critical infrastructure. Security teams should prioritize patching the Gravity SMTP plugin, segment IoT devices on separate VLANs, and review incident response plans for ransomware and alert system compromises.
Fact check
- Millions of home IoT devices ship with pre-installed backdoor software used in cyberattacks. (reported)
- Wordfence blocked more than 17 million exploit attempts targeting the Gravity SMTP flaw. (reported)
- A new ransomware named 'Prinz Eugen' prioritizes recently modified files for encryption. (reported)
- Hackers breached Brazil's cellphone alert system and sent a leetspeak message. (reported)
Source reporting (5)
- Slashdot · How Millions of Digital Home Devices Are Secretly Powering Cyberattacks
- The Next Web · Hackers are mass-exploiting a Gravity SMTP flaw to steal API keys from 100,000 WordPress sites
- BleepingComputer · New Prinz Eugen ransomware prioritizes recent files for encryption
- Slashdot · Cellphone Alert System Breached in Brazil, Message Sent in Leetspeak
- Hacker News Front Page · Unauthorized alert sent to cell phones across Brazil