Kaspersky says the attacks use phishing, GitHub-hosted payloads, CVE-2025-9491 LNK abuse, and Go2Tunnel-based tunneling.
local hint = Instance.new('Hint', Workspace) hint.Text = "Vehicle Simulator Autofarm loading..." ...
.php cgi-bin images admin includes search .html cache login modules templates plugins wp-admin themes js index xmlrpc wp-includes media wp-content css language tmp scripts register misc install ...