Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked over 131,000 attack attempts since November 24, 2025. Concurrently, a separate attack exploiting an ICTBroadcast vulnerability (CVE-2025-2611) is being used to spread the 'Frost' DDoS botnet. This botnet combines DDoS capabilities with spreader logic, including exploits for fifteen CVEs. The attacks appear to be part of a small, targeted operation, given the limited number of vulnerable internet-exposed systems.
AI Analysis
Technical Summary
The threat involves two primary vulnerabilities exploited in the wild: CVE-2025-6389, a critical remote code execution (RCE) flaw in the Sneeit Framework WordPress plugin, and CVE-2025-2611, a vulnerability in ICTBroadcast software. The Sneeit RCE allows unauthenticated attackers to execute arbitrary code on affected servers, enabling them to create malicious administrator accounts or inject persistent backdoors, thereby gaining full control over the compromised WordPress sites. This vulnerability has been actively exploited since at least November 24, 2025, with over 131,000 attack attempts blocked by Wordfence, indicating widespread scanning and exploitation attempts. Simultaneously, the ICTBroadcast vulnerability is exploited to spread the Frost botnet, a sophisticated DDoS botnet with spreading capabilities that leverage exploits for at least fifteen different CVEs, making it a multi-vector threat. The Frost botnet combines volumetric DDoS attacks with propagation mechanisms, increasing its potential impact and persistence. The attacks are part of a small, targeted campaign, likely due to the limited number of vulnerable internet-exposed systems. Indicators such as malicious IP addresses (e.g., 185.125.50.59, 194.104.147.192) and domains (racoonlab.top) have been identified. The threat actors remain unknown, and no official patches or mitigations have been linked yet, increasing the urgency for defensive measures. The exploitation techniques align with known tactics including initial access via exploitation (T1190), persistence (T1505.003), command execution (T1059), account manipulation (T1136.002), and DDoS attacks (T1499).
Potential Impact
European organizations running WordPress sites with the Sneeit Framework plugin or ICTBroadcast software face significant risks including full server compromise, unauthorized administrative access, and persistent backdoors. This can lead to data breaches, defacement, service disruption, and use of compromised infrastructure in DDoS attacks against other targets. The Frost botnet’s DDoS capabilities threaten availability of critical online services, potentially impacting e-commerce, government portals, and financial institutions. The multi-CVE exploitation vector increases the likelihood of lateral movement and infection spread within networks. The creation of malicious admin accounts undermines trust and complicates incident response. Given the active exploitation and high volume of attack attempts, organizations without timely detection and mitigation may suffer operational downtime and reputational damage. The targeted nature suggests attackers may focus on specific sectors or high-value targets, increasing the risk for strategic European entities.
Mitigation Recommendations
1. Immediately audit WordPress installations for the presence of the Sneeit Framework plugin and ICTBroadcast software; prioritize patching, or removal if updates are unavailable.
2. Implement strict web application firewall (WAF) rules to detect and block exploitation attempts targeting CVE-2025-6389 and CVE-2025-2611.
3. Monitor logs for suspicious activity such as unauthorized admin account creation, unexpected code injection, or anomalous outbound traffic indicative of botnet activity.
4. Employ network segmentation to isolate critical infrastructure and limit lateral movement if a compromise occurs.
5. Use multi-factor authentication (MFA) on all administrative accounts to reduce the risk from credential theft or creation of rogue accounts.
6. Conduct regular vulnerability scans and penetration tests focusing on WordPress plugins and telephony software such as ICTBroadcast.
7. Collaborate with threat intelligence providers to update detection signatures and indicators of compromise (IOCs), including the known malicious IPs and domains.
8. Prepare incident response plans that specifically address web server compromises and botnet infections.
9. Educate administrators on the risks of installing unvetted plugins and the importance of timely updates.
10. Consider deploying endpoint detection and response (EDR) solutions to identify and remediate backdoors or malware such as the Trojan.Karagany variants associated with this threat.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
- Adversary: null
- Pulse Id: 69381affff384c7c0e973a8e
- Threat Score: null
Threat ID: 69381cd61b76610347c61f24
Added to database: 12/9/2025, 12:57:58 PM
Last enriched: 12/9/2025, 1:02:54 PM
Last updated: 2/7/2026, 12:16:44 AM