SecuriTricks - credential harvesting

Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind

An exposed attacker server has unveiled FortiBleed, a large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways globally. This operation involved credential harvesting through reuse, brute force, and hash cracking using a distributed GPU …

credential harvesting

fortigate

vpn compromise

fortinet

initial access broker

Published: June 19, 2026

Downloadable IOCs: 7

Public and Private Medical Community Targeted by Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research

A sophisticated espionage campaign attributed to UNC6508, a China-nexus threat actor, targeted North American academic, medical, and military research institutions for over a year. The adversary exploited REDCap servers, deployed custom INFINITERED malware to harvest credentials, and maintained per…

credential harvesting

china-nexus

2026-06-15

content compliance abuse

email exfiltration

infinitered

medical research targeting

redcap exploitation

unc6508

Published: June 15, 2026

Downloadable IOCs: 8

Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years: How Cybercriminals Are Targeting Travelers in 2026

The hospitality and travel sector experienced a dramatic surge in cyberattacks, with organizations facing an average of 2,291 weekly attacks in May 2026, representing a 24% year-over-year increase and a cumulative 122% rise since 2023. Cybercriminals registered 47,318 travel-related domains in May …

phishing

credential harvesting

Published: June 15, 2026

Downloadable IOCs: 0

World Cup 2026 Mobile Targeted Phishing: The Global Social Engineering Threat

Threat intelligence has uncovered a significant increase in digital scams and phishing campaigns exploiting the FIFA World Cup 2026, specifically targeting mobile users. Three primary attack campaigns have been identified: The first uses typosquatting and institutional spoofing with fake domains li…

credential harvesting

Published: June 11, 2026

Downloadable IOCs: 0

PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery

An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit…

credential harvesting

microsoft 365

phishing-as-a-service

Published: June 10, 2026

Downloadable IOCs: 19

Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted

A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character …

phishing

typosquatting

credential harvesting

smishing

government impersonation

2026-05-27

multi-country campaign

payment card theft

postal service fraud

Published: May 27, 2026

Downloadable IOCs: 27

macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, con…

credential harvesting

persistence mechanism

2026-05-18

shub reaper

Published: May 18, 2026

Downloadable IOCs: 5

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

This analysis examines new obfuscation techniques employed by Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a privat…

infostealer

quasar rat

credential harvesting

guloader

agent tesla

obfuscation techniques

gremlin stealer

session hijacking

telegram exfiltration

2026-05-15

cryptocurrency clipper

discord token theft

lokibot

Published: May 15, 2026

Downloadable IOCs: 12

Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

Two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, have been identified targeting government entities and financial organizations across Latin America using agentic artificial intelligence to conduct cyber intrusions. SHADOW-AETHER-040, a Spanish-speaking group, compromised six…

credential harvesting

Published: May 12, 2026

Downloadable IOCs: 23

Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns

An investigation has revealed a structural evolution in phishing operations where threat actors conduct entire campaigns through legitimate, enterprise-trusted cloud infrastructure rather than attacker-controlled systems. Adversaries weaponize platforms employees use daily, including cloud storage,…

credential harvesting

browser memory execution

cloud-native phishing

oauth token theft

trusted infrastructure abuse

Published: May 8, 2026

Downloadable IOCs: 1

Kuse Web App Abused to Host Phishing Document

Bad actors exploited Kuse, a legitimate AI-based workplace application, to conduct a phishing campaign. Attackers leveraged a Vendor Email Compromise (VEC) to send malicious emails from a trusted vendor's compromised mailbox, establishing initial trust. The attack utilized Kuse's file-sharing featu…

phishing

social engineering

supply chain

credential harvesting

vendor email compromise

Published: April 29, 2026

Downloadable IOCs: 3

Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns

Since January 2025, researchers identified over 2,500 phishing domains targeting more than 70 organizations across financial services, telecommunications, and logistics sectors globally. Two dominant smishing campaigns were discovered: Reward Points phishing impersonating banks and telecom provider…

phaas

financial fraud

credential harvesting

Published: April 29, 2026

Downloadable IOCs: 24

Inside a Fake DHL Campaign Built to Steal Credentials

A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP…

social engineering

credential harvesting

Published: April 28, 2026

Downloadable IOCs: 1

A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail

This analysis documents a third Vultr Seoul VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic credential harvesting infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting …

apt43

credential harvesting

phishing infrastructure

vultr seoul

Published: April 28, 2026

Downloadable IOCs: 0

Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression

In collaboration with the International Consortium of Investigative Journalists (ICIJ), two distinct actor clusters aligned with the People's Republic of China were identified targeting journalists and civil society members. GLITTER CARP conducted widespread credential harvesting campaigns against …

credential harvesting

digital transnational repression

impersonation campaigns

Published: April 28, 2026

Downloadable IOCs: 6

AMOS Stealer delivered via Cursor AI agent session

On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript l…

social engineering

credential harvesting

ai agent exploitation

persistent implant

Published: April 25, 2026

Downloadable IOCs: 8

The npm Threat Landscape: Attack Surface and Mitigations

The npm ecosystem experienced a critical shift in September 2025 with the Shai-Hulud worm, marking the transition from isolated attacks to systematic supply chain compromises. In April 2026, TeamPCP launched a coordinated campaign through a malicious @bitwarden/cli package targeting multiple distri…

obfuscation

supply chain

credential harvesting

self-replicating malware

Published: April 25, 2026

Downloadable IOCs: 4

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harve…

credential harvesting

uri handler exploitation

Published: April 23, 2026

Downloadable IOCs: 3

Untangling a Linux Incident With an OpenAI Twist (Part 2)

A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining…

xmrig

botnet

cryptominer

credential harvesting

ai-assisted remediation

multiple threat actors

repocket

systemd-logind

Published: April 22, 2026

Linked vulnerabilities : CVE-2025-30406, CVE-2025-55182 (CVSS 10.0), CVE-2025-31151

Downloadable IOCs: 3

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cook…

social engineering

infostealer

macos

credential harvesting

clickfix

applescript

session hijacking

cryptocurrency wallet theft

2026-04-21

browser data exfiltration

Published: April 21, 2026

Downloadable IOCs: 6

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command…

credential harvesting

post-exploitation framework

Published: April 17, 2026

Downloadable IOCs: 0

Dissecting macOS intrusion from lure to compromise

Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by North Korean threat actor Sapphire Sleet utilizing social engineering to compromise systems. The attack chain begins with a malicious AppleScript file disguised as a Zoom SDK update, which executes cascading payloads through …

social engineering

north korea

macos

credential harvesting

com.google.chromes.updaters

Published: April 17, 2026

Downloadable IOCs: 13

Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performin…

apt43

credential harvesting

Published: April 13, 2026

Downloadable IOCs: 20

Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware

A supply chain attack affecting the telnyx Python package on PyPI has been identified. Malicious versions 4.87.1 and 4.87.2 contained embedded credential-harvesting malware. The attack employs a three-stage runtime chain on Linux/macOS using audio steganography for delivery, in-memory execution of …

steganography

pypi

supply-chain-attack

credential-harvesting

Published: March 28, 2026

Downloadable IOCs: 3

Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia

A suspected Chinese state-sponsored espionage campaign targeting Southeast Asian military organizations has been identified, traced back to at least 2020. Designated as CL-STA-1087, the operation demonstrates strategic patience and focused intelligence collection on military capabilities and struct…

apt

espionage

credential harvesting

Published: March 16, 2026

Linked vulnerabilities : CVE-2026-0628 (CVSS 8.8)

Downloadable IOCs: 16

Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign

This analysis examines a sophisticated multi-stage infection chain utilizing Agent Tesla malware. The attack begins with a phishing email containing a RAR file, which includes an obfuscated JSE file. This initial stage triggers a series of script-based evasions, leading to the download and decrypti…

phishing

anti-analysis

credential harvesting

Published: February 25, 2026

Downloadable IOCs: 4

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl command…

credential harvesting

Published: February 19, 2026

Linked vulnerabilities : CVE-2026-25253 (CVSS 8.8)

Downloadable IOCs: 5

Targets critical infrastructure sectors in North America

UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesti…

apt

zero-day

credential harvesting

critical infrastructure

Published: January 16, 2026

Linked vulnerabilities : CVE-2025-53690

Downloadable IOCs: 29

BlueDelta Evolves Credential Harvesting

Between February and September 2025, BlueDelta, a Russian state-sponsored threat group linked to the GRU, conducted multiple credential-harvesting campaigns. The group targeted individuals associated with energy research, defense cooperation, and government communication networks in Turkey, Europe,…

phishing

credential harvesting

2026-01-08

tunneling services

Published: January 8, 2026

Downloadable IOCs: 2

2025 Holiday Scams: Docusign Phishing Meets Loan Spam

During the holiday season, threat actors exploit overloaded inboxes and financial stress through two main patterns: Docusign-themed phishing for corporate credential harvesting and loan offer spam for personal data theft. The Docusign campaign uses spoofed emails with authentic-looking branding, re…

phishing

credential harvesting

Published: December 23, 2025

Downloadable IOCs: 3

BlueDelta’s Persistent Campaign Against UKR.NET

Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web service…

phishing

ngrok

credential harvesting

Published: December 17, 2025

Downloadable IOCs: 23

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy A…

credential harvesting

Published: December 10, 2025

Downloadable IOCs: 8

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves sub…

phishing

typosquatting

credential harvesting

remote access trojans

Published: November 27, 2025

Downloadable IOCs: 0

Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours.…

backdoor

worm

credential harvesting

Published: November 27, 2025

Downloadable IOCs: 4

Crossed wires: a case study of Iranian espionage and attribution

This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Managemen…

espionage

phishing

credential harvesting

iranian threat actor

2025-11-05

rmm tools

attribution challenges

isl online

minibike

overlapping ttps

policy experts targeting

minijunk

pdqconnect

Published: November 5, 2025

Downloadable IOCs: 55

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…

apt

phishing

government

credential harvesting

south asia

military

2025-10-06

Published: October 6, 2025

Downloadable IOCs: 0

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence …

credential-harvesting

cobalt-strike

2025-09-29

Published: September 29, 2025

Downloadable IOCs: 0

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…

credential harvesting

Published: September 18, 2025

Downloadable IOCs: 1

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

In 2025, a significant surge in phishing attacks targeting major U.S. energy companies was observed. The campaign primarily focused on Chevron, ConocoPhillips, PBF Energy, and Phillips 66, utilizing sophisticated impersonation techniques. Attackers employed HTTrack-based cloning to replicate legiti…

phishing

rhadamanthys

credential harvesting

Published: September 12, 2025

Downloadable IOCs: 43

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse

A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesti…

supply chain

data theft

credential harvesting

Published: September 8, 2025

Linked vulnerabilities : CVE-2025-53690

Downloadable IOCs: 8

Amazon disrupts watering hole campaign by Russia's APT29

Amazon's threat intelligence team has uncovered and disrupted a watering hole campaign conducted by APT29, a Russian threat actor. The campaign involved compromising legitimate websites to redirect visitors to malicious infrastructure, tricking users into authorizing attacker-controlled devices thr…

russia

credential harvesting

infrastructure adaptation

device authentication

Published: September 1, 2025

Downloadable IOCs: 2

SOC files: an APT41 attack on government IT services in Africa

Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and R…

credential harvesting

Published: August 20, 2025

Downloadable IOCs: 0

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 uniq…

python

infostealer

data theft

credential harvesting

2025-08-04

pxa stealer

Published: August 4, 2025

Downloadable IOCs: 5

A Phishing Campaign Targeting Indian Government Entities

A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass mult…

credential-harvesting

2025-08-03

kavach

otp

Published: August 3, 2025

Downloadable IOCs: 2

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…

credential harvesting

remote access trojan

colombia

2025-07-02

Published: July 2, 2025

Downloadable IOCs: 8

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…

credential-harvesting

Published: June 4, 2025

Downloadable IOCs: 2

How Adversary Telegram Bots Help to Reveal Threats: Case Study

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign,…

phishing

exfiltration

credential harvesting

Published: May 21, 2025

Downloadable IOCs: 16

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure share…

phishing

credential harvesting

Published: May 16, 2025

Downloadable IOCs: 77

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…

credential harvesting

Published: May 13, 2025

Downloadable IOCs: 11

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…

apt

credential harvesting

critical infrastructure

Published: May 6, 2025

Downloadable IOCs: 35

I StealC You: Tracking the Rapid Changes To Steal

StealC V2, introduced in March 2025, is an enhanced version of the popular information stealer and malware downloader. Key updates include a streamlined JSON-based C2 communication protocol with RC4 encryption, expanded payload delivery options (MSI packages and PowerShell scripts), and a redesigne…

obfuscation

amadey

credential harvesting

Published: May 2, 2025

Downloadable IOCs: 0

Smishing Attacks Rise: How to Spot and Stop SMS Phishing

SMS-based phishing attacks, known as smishing, are on the rise, targeting businesses with sophisticated social engineering tactics. These attacks often begin with urgent text messages containing disguised links, redirecting victims to fake login pages. Attackers exploit human emotions and create a …

social engineering

credential harvesting

smishing

2025-04-28

Published: April 28, 2025

Downloadable IOCs: 0

Ransomware Initial Access Brokers Exposed

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's …

ransomware

credential harvesting

initial access brokers

2025-04-11

hive

domain enumeration

Published: April 11, 2025

Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…

phishing

social engineering

credential harvesting

business email compromise

Published: April 1, 2025

Downloadable IOCs: 57

Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials

A sophisticated JavaScript-based credential harvesting campaign has been discovered, utilizing fake voicemail notifications to capture Microsoft 365 credentials. The attackers employ HTML smuggling, obfuscation, and encryption techniques to evade detection. The phishing emails contain PDF attachmen…

phishing

credential harvesting

Published: March 4, 2025

Downloadable IOCs: 0

Security Brief: Threat Actors Take Taxes Into Account

Proofpoint researchers have identified an increase in campaigns and malicious domains impersonating tax agencies and financial organizations. This aligns with the annual increase in tax-related content observed from December through April. Phishing lures impersonate government agencies and financia…

credential harvesting

metastealer

zgrat

malware delivery

government impersonation

Published: January 28, 2025

Downloadable IOCs: 0

Effective Phishing Campaign Targeting European Companies and Institutions

A sophisticated phishing operation targeting European automotive, chemical, and industrial manufacturing companies has been uncovered. The campaign, which peaked in June 2024, used HubSpot Free Form Builder and Docusign-enabled PDFs to harvest account credentials and infiltrate Microsoft Azure clou…

phishing

persistence

credential harvesting

Published: December 18, 2024

Downloadable IOCs: 50

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…

phishing

autoit

credential harvesting

Published: December 6, 2024

Downloadable IOCs: 0

Investigating a SharePoint Compromise: IR Tales from the Field

An incident response investigation uncovered an attacker who exploited a SharePoint vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and compromising the entire domain. Key tactics included installing Horoung …

credential harvesting

fast reverse proxy (frp)

Published: November 5, 2024

Downloadable IOCs: 8

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …

credential harvesting

Published: October 18, 2024

Downloadable IOCs: 1

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…

credential harvesting

Published: October 1, 2024

Downloadable IOCs: 45

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a cre…

ransomware

credential harvesting

Published: September 11, 2024

Downloadable IOCs: 2

Chat Messenger voting topics - a new way to steal accounts is gaining momentum

The Government Emergency Response Team of Ukraine CERT-UA informs about the increase in the number of cyberattacks aimed at gaining access to the accounts of popular messengers, including, using the techniques of bypassing two-factor authentication

phishing

credential harvesting

2024-05-31

Published: May 31, 2024

Downloadable IOCs: 230

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…

credential harvesting

Published: May 24, 2024

Linked vulnerabilities : CVE-2024-4978 (CVSS 8.4)

Downloadable IOCs: 10

Tag: credential harvesting

Attack reports

Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind

GitBait: Phishing targeting the Mexican financial sector

Bluekit Phishing as a Service (PhaaS)

How attackers are jailbreaking LLMs with CTF framing and how to catch them

Public and Private Medical Community Targeted by Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research

Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years: How Cybercriminals Are Targeting Travelers in 2026

World Cup 2026 Mobile Targeted Phishing: The Global Social Engineering Threat

PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery

Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted

macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns

Kuse Web App Abused to Host Phishing Document

Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns

Inside a Fake DHL Campaign Built to Steal Credentials

A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail

Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression

AMOS Stealer delivered via Cursor AI agent session

The npm Threat Landscape: Attack Surface and Mitigations

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Untangling a Linux Incident With an OpenAI Twist (Part 2)

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

Using KATA and KEDR to detect the AdaptixC2 agent

Dissecting macOS intrusion from lure to compromise

Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware

Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia

Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Targets critical infrastructure sectors in North America

BlueDelta Evolves Credential Harvesting

2025 Holiday Scams: Docusign Phishing Meets Loan Spam

BlueDelta’s Persistent Campaign Against UKR.NET

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

Crossed wires: a case study of Iranian espionage and attribution

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse

Amazon disrupts watering hole campaign by Russia's APT29

SOC files: an APT41 attack on government IT services in Africa

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

A Phishing Campaign Targeting Indian Government Entities

DCRAT Impersonating the Colombian Government

Cyber Attacks on Government Agencies: Detect and Investigate

How Adversary Telegram Bots Help to Reveal Threats: Case Study

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

TA406 Pivots to the Front

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

I StealC You: Tracking the Rapid Changes To Steal

Smishing Attacks Rise: How to Spot and Stop SMS Phishing

Ransomware Initial Access Brokers Exposed

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials

Security Brief: Threat Actors Take Taxes Into Account

Effective Phishing Campaign Targeting European Companies and Institutions

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

Investigating a SharePoint Compromise: IR Tales from the Field

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

Chat Messenger voting topics - a new way to steal accounts is gaining momentum

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack