Now, a new iOS app called Gotcha wants to do the same, with the difference being that you are catching real animals instead of Pokémon. The concept is simple and addictive. You point your phone at any creature, be it a pigeon or stray cat, and Gotcha cuts it out from the background, identifies what it is, and adds it to your personal collection.
While I was not down with the Pokémon Go fever, this app sounds like something I will actually enjoy using.
How does catching animals actually work?
Catching is as easy as snapping a photo. Once you locate an animal, launch the app and snap a picture. Gotcha will automatically remove the background and figure out the species on its own.
Rachit Agarwal / Digital Trends
Every animal you catch turns into a sticker with its own collectible card, ranging from common finds to legendary ones. You can pull up the original photo and share your best catches with friends.
Rachit Agarwal / Digital Trends
That thrill of spotting something rare and adding it to your roster is baked right in, except the entire world around is the map, and all animals are your collectibles. Honestly, I am surprised no one ever thought of this idea before.
Can you really collect them all?
Gotcha gives you an index filled with hundreds of species, all waiting as silhouettes until you catch them in real life. Mammals, birds, bugs, and reptiles are all sorted into neat collections, and slowly filling those empty slots gives you a real reason to look up from your screen and explore.
Rachit Agarwal / Digital Trends
It turns a regular walk in the park into a treasure hunt. Suddenly, that bird you would normally ignore becomes a potential addition to your collection.
Gotcha is built by a developer named Jurre and is launching soon on iPhone. It is free to use, and you can join the waitlist now to be among the first to play. Sadly, there is no word on an Android version yet, so iPhone users get to have all the fun first.
Threat actors are actively exploiting a security flaw, tracked as CVE-2026-26980, in Ghost CMS that was fixed months ago in real attacks against unpatched websites. According to Qianxin, the campaign has already affected more than 700 sites, including well-known organizations and universities.
The vulnerability is an SQL injection issue in Ghost’s Content API that can let an attacker read data from the database without logging in. In the worst case, this can expose the Admin API key, which can allow attackers to take over the site.
That key matters because it can be used to change published content. In this campaign, attackers used it to edit articles on compromised Ghost sites and insert malicious JavaScript at the end of pages. The goal was not just defacement, but to turn trusted websites into launch points for further malware delivery.
“After an in-depth investigation and analysis, we determined that this was not a targeted intrusion against the customer, but rather a large-scale poisoning campaign by an in-the-wild attack group targeting Ghost CMS. Although CVE-2026-26980 was publicly disclosed as early as February 19, a large number of users did not patch and upgrade in time, providing an opportunity for attackers.” reads the advisory published by Qianxin. “At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day.”
The inserted code led visitors through a two-step chain. First, the page loaded a remote script that checked the browser and decided what the visitor should see. Then real victims were redirected to a fake verification page that looked like a normal “I’m human” check.
This is where the ClickFix part began. The page told users to press Windows+R, paste a command, and hit Enter. In practice, that command downloaded and started a malware payload on the victim’s machine. It was a classic social engineering trick: make the user do the dangerous part themselves.
Qianxin says the first signs of this activity appeared in early May. The malicious code found in the campaign had a compilation date of February 16, the same day Ghost announced the fix for CVE-2026-26980. That suggests the attackers moved quickly once they saw how many sites had not been updated.
The affected websites cover a wide range of sectors. Roughly half are personal blogs or independent sites, but the list also includes technology blogs, AI sites, media outlets, crypto projects, and educational institutions. Qianxin researchers say victims include sites linked to Harvard, Oxford, and DuckDuckGo.
The attack chain was also designed to be flexible. The loaders could fetch different payloads depending on the target, and the operators changed infrastructure several times.
“entire attack process has obvious five-stage characteristics of “CMS Takeover → Page Poisoning → Two-stage Loading → Social Engineering Lure (FakeCaptcha/ClickFix) → Malware Delivery”, and the entire process is highly automated: bulk vulnerability scanning → automatic key extraction → bulk injection → dynamic C2 distribution.” states the report.
In some cases, they switched domains after detection, keeping the campaign alive even when part of the chain was blocked.
“Through feature scanning of publicly accessible pages, we have cumulatively identified more than 700 poisoned victim domains, and have proactively contacted the sites for which contact information could be obtained, notifying them of the poisoning.” continues the report.
Qianxin also believes at least two different groups are involved. In some cases, the same site was hit more than once, with one attacker replacing the code left by another. That makes the campaign harder to clean up and shows how attractive compromised Ghost sites have become for abuse.
For site owners, the advice is straightforward. Ghost should be updated immediately, all credentials should be rotated, and site logs should be reviewed for suspicious admin API activity. Any injected scripts should be removed from the database itself, not just from the visual editor. Visitors who may have reached a poisoned site should also be warned.
The report includes Indicators of Compromise (IoCs) for the attacks observed by the researchers.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
May 25, 2026
