Tag: credential harvesting

35 Attack Reports | 0 Vulnerabilities

Attack reports

2025 Holiday Scams: Docusign Phishing Meets Loan Spam

During the holiday season, threat actors exploit overloaded inboxes and financial stress through two main patterns: Docusign-themed phishing for corporate credential harvesting and loan offer spam for personal data theft. The Docusign campaign uses spoofed emails with authentic-looking branding, re…
phishing
credential harvesting
identity theft
docusign
holiday-themed
email security
2025-12-23
loan scams
Published: December 23, 2025
Downloadable IOCs: 3

BlueDelta’s Persistent Campaign Against UKR.NET

Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web service…
phishing
ngrok
credential harvesting
russian threat actor
gru
2025-12-17
pdf lures
proxy tunneling
ukr.net
ukrainian targets
webmail compromise
Published: December 17, 2025
Downloadable IOCs: 23

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy A…
social engineering
stealer
persistence
macos
credential harvesting
chatgpt
amos
atomic macos stealer
seo manipulation
2025-12-10
ai-poisoning
grok
Published: December 10, 2025
Downloadable IOCs: 8

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves sub…
phishing
typosquatting
credential harvesting
remote access trojans
2025-11-27
customer service
saas platforms
zendesk
Published: November 27, 2025
Downloadable IOCs: 0

Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours.…
backdoor
worm
credential harvesting
npm
github
automation
supply-chain attack
2025-11-27
shai-hulud 2.0
Published: November 27, 2025
Downloadable IOCs: 4

Crossed wires: a case study of Iranian espionage and attribution

This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Managemen…
espionage
phishing
credential harvesting
iranian threat actor
2025-11-05
rmm tools
attribution challenges
isl online
minibike
overlapping ttps
policy experts targeting
minijunk
pdqconnect
Published: November 5, 2025
Downloadable IOCs: 55

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…
apt
phishing
government
credential harvesting
south asia
military
2025-10-06
Published: October 6, 2025
Downloadable IOCs: 0

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence …
cobalt strike
javascript
latrodectus
data-exfiltration
lateral-movement
brute ratel c4
backconnect
credential-harvesting
cobalt-strike
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 0

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…
phishing
supply chain
worm
javascript
credential harvesting
npm
self-replicating
shai-hulud
2025-09-18
Published: September 18, 2025
Downloadable IOCs: 1

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

In 2025, a significant surge in phishing attacks targeting major U.S. energy companies was observed. The campaign primarily focused on Chevron, ConocoPhillips, PBF Energy, and Phillips 66, utilizing sophisticated impersonation techniques. Attackers employed HTTrack-based cloning to replicate legiti…
phishing
rhadamanthys
credential harvesting
domain impersonation
investment scams
2025-09-12
energy sector
httrack
keitaro
website cloning
brand abuse
Published: September 12, 2025
Downloadable IOCs: 43

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse

A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesti…
supply chain
data theft
credential harvesting
salesforce
2025-09-08
oauth tokens
salesloft drift
Published: September 8, 2025
Linked vulnerabilities : CVE-2025-53690
Downloadable IOCs: 8

Amazon disrupts watering hole campaign by Russia's APT29

Amazon's threat intelligence team has uncovered and disrupted a watering hole campaign conducted by APT29, a Russian threat actor. The campaign involved compromising legitimate websites to redirect visitors to malicious infrastructure, tricking users into authorizing attacker-controlled devices thr…
russia
credential harvesting
watering hole
javascript injection
svr
2025-09-01
infrastructure adaptation
device authentication
Published: September 1, 2025
Downloadable IOCs: 2

SOC files: an APT41 attack on government IT services in Africa

Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and R…
cobalt strike
government
dll sideloading
africa
credential harvesting
lateral movement
mimikatz
data exfiltration
web shell
sharepoint
targeted attack
2025-07-21
checkout
pillager
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 uniq…
python
infostealer
data theft
credential harvesting
telegram
2025-08-04
pxa stealer
Published: August 4, 2025
Downloadable IOCs: 5

A Phishing Campaign Targeting Indian Government Entities

A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass mult…
phishing
typosquatting
pakistan
india
defense
government
credential-harvesting
2025-08-03
kavach
otp
Published: August 3, 2025
Downloadable IOCs: 2

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…
obfuscation
phishing
persistence
steganography
dcrat
credential harvesting
remote access trojan
colombia
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 8

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…
screenconnect
phishing
stealer
government
pdf
remote-access
formbook
domain-spoofing
2025-06-04
credential-harvesting
Published: June 4, 2025
Downloadable IOCs: 2

How Adversary Telegram Bots Help to Reveal Threats: Case Study

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign,…
phishing
exfiltration
credential harvesting
telegram
2025-05-21
notion
pec
cloud platforms
Published: May 21, 2025
Downloadable IOCs: 16

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure share…
phishing
credential harvesting
telecommunications
infrastructure
insurance
domain impersonation
ssh keys
2025-05-16
fisheries
kuwait
Published: May 16, 2025
Downloadable IOCs: 77

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…
phishing
north korea
powershell
ukraine
credential harvesting
reconnaissance
2025-05-13
government targeting
chm files
Published: May 13, 2025
Downloadable IOCs: 11

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

I StealC You: Tracking the Rapid Changes To Steal

StealC V2, introduced in March 2025, is an enhanced version of the popular information stealer and malware downloader. Key updates include a streamlined JSON-based C2 communication protocol with RC4 encryption, expanded payload delivery options (MSI packages and PowerShell scripts), and a redesigne…
obfuscation
amadey
credential harvesting
stealc
information stealer
2025-05-02
rc4 encryption
Published: May 2, 2025
Downloadable IOCs: 0

Smishing Attacks Rise: How to Spot and Stop SMS Phishing

SMS-based phishing attacks, known as smishing, are on the rise, targeting businesses with sophisticated social engineering tactics. These attacks often begin with urgent text messages containing disguised links, redirecting victims to fake login pages. Attackers exploit human emotions and create a …
social engineering
credential harvesting
smishing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

Ransomware Initial Access Brokers Exposed

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's …
ransomware
credential harvesting
rdp
vpn
blacksuit
infrastructure
brute force
initial access brokers
2025-04-11
hive
domain enumeration
Published: April 11, 2025
Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…
phishing
social engineering
credential harvesting
business email compromise
qr code
2025-04-01
url redirection
human verification
quishing
Published: April 1, 2025
Downloadable IOCs: 57

Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials

A sophisticated JavaScript-based credential harvesting campaign has been discovered, utilizing fake voicemail notifications to capture Microsoft 365 credentials. The attackers employ HTML smuggling, obfuscation, and encryption techniques to evade detection. The phishing emails contain PDF attachmen…
phishing
credential harvesting
html smuggling
microsoft 365
2025-03-04
voicemail lure
cryptojs
Published: March 4, 2025
Downloadable IOCs: 0

Security Brief: Threat Actors Take Taxes Into Account

Proofpoint researchers have identified an increase in campaigns and malicious domains impersonating tax agencies and financial organizations. This aligns with the annual increase in tax-related content observed from December through April. Phishing lures impersonate government agencies and financia…
xworm
rhadamanthys
financial fraud
asyncrat
venomrat
credential harvesting
metastealer
zgrat
malware delivery
government impersonation
2025-01-28
intuit
mygov
hmrc
tax-themed phishing
revolut
Published: January 28, 2025
Downloadable IOCs: 0

Effective Phishing Campaign Targeting European Companies and Institutions

A sophisticated phishing operation targeting European automotive, chemical, and industrial manufacturing companies has been uncovered. The campaign, which peaked in June 2024, used HubSpot Free Form Builder and Docusign-enabled PDFs to harvest account credentials and infiltrate Microsoft Azure clou…
phishing
persistence
credential harvesting
redirection
docusign
2024-12-18
microsoft azure
european companies
hubspot
Published: December 18, 2024
Downloadable IOCs: 50

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Investigating a SharePoint Compromise: IR Tales from the Field

An incident response investigation uncovered an attacker who exploited a SharePoint vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and compromising the entire domain. Key tactics included installing Horoung …
credential harvesting
lateral movement
mimikatz
impacket
CVE-2024-38094
2024-11-05
domain compromise
sharepoint
fast reverse proxy (frp)
Published: November 5, 2024
Downloadable IOCs: 8

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …
ransomware
russia
lockbit
hacktivism
credential harvesting
lateral movement
babuk
lockbit 3.0
2024-10-18
xenallpasswordpro
cobint
Published: October 18, 2024
Downloadable IOCs: 1

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…
ransomware
blackcat
alphv
cobalt strike
sliver
credential harvesting
lateral movement
noberus
data exfiltration
2024-10-01
nitrogen
Published: October 1, 2024
Downloadable IOCs: 45

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a cre…
ransomware
credential harvesting
edr
ransomhub
byovd
2024-09-11
lazagne
tdsskiller
network segmentation
Published: September 11, 2024
Downloadable IOCs: 2

Chat Messenger voting topics - a new way to steal accounts is gaining momentum

The Government Emergency Response Team of Ukraine CERT-UA informs about the increase in the number of cyberattacks aimed at gaining access to the accounts of popular messengers, including, using the techniques of bypassing two-factor authentication
phishing
credential harvesting
2024-05-31
Published: May 31, 2024
Downloadable IOCs: 230

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
backdoor
supply chain
CVE-2024-4978
2024-05-24
credential harvesting
installer
stealc infostealer
software
gatedoor/rustdoor
Published: May 24, 2024
Linked vulnerabilities : CVE-2024-4978 (CVSS 8.4)
Downloadable IOCs: 10
Click here to see more Attack Reports