Tag: credential-theft

242 Attack Reports | 0 Vulnerabilities

Attack reports

SilabRAT, What's Your Power?

SilabRAT is an advanced Remote Access Trojan offered as Malware-as-a-Service on Darkweb forums since late 2025, developed by threat actor o1oo1 and sold for $5,000 monthly. This financially-motivated tool focuses on credential theft and cryptocurrency operations, featuring Hidden Virtual Network Co…
credential theft
hijackloader
clickfix
maas
session hijacking
hvnc
cryptocurrency wallet
2026-06-10
asmcrypt
browser profile cloning
darkweb forums
silabrat
Published: June 10, 2026
Downloadable IOCs: 5

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels

A sophisticated supply chain attack campaign has expanded to 471 affected artifacts across npm and PyPI, targeting developers through malicious packages. The campaign uses three distinct delivery methods: executable .pth startup hooks, trojanized native .abi3.so extensions that execute at import ti…
typosquatting
credential theft
pypi
supply chain attack
hades
ci/cd compromise
mini shai-hulud
2026-06-08
bioinformatics
bun runtime
miasma
javascript stealer
mcp developers
native extensions
Published: June 8, 2026
Downloadable IOCs: 2

AI brands as bait: How threat actors are using the AI hype in social engineering

Threat actors are increasingly leveraging the global interest in artificial intelligence by impersonating popular AI platforms such as ChatGPT, Copilot, DeepSeek, and Claude in social engineering campaigns. These operations span phishing attacks, malvertising, and search engine optimization-driven …
phishing
social engineering
malvertising
lumma stealer
credential theft
vidar
hijack loader
vidar stealer
adversary-in-the-middle
ghostsocks
github abuse
oyster
2026-06-08
ai impersonation
Published: June 8, 2026
Downloadable IOCs: 9

Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

Two Russia-aligned campaigns continue exploiting CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, against Ukrainian organizations through April 2026. SHADOW-EARTH-066 deploys an evolved GIFTEDCROOK information stealer using in-memory DLL loading via direct NT system calls,…
credential theft
information stealer
gammasteel
giftedcrook
CVE-2025-8088
ukraine targeting
winrar exploitation
2026-06-08
giftedcrook stealer
hta infection chain
russia-aligned threats
Published: June 8, 2026
Linked vulnerabilities : CVE-2025-8088, CVE-2025-6218, CVE-2018-20250
Downloadable IOCs: 50

Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

Between April and May 2026, a likely North Korean threat actor conducted phishing campaigns targeting developers across nearly 100 organizations in finance, cryptocurrency, education, and technology sectors. The attacks used recruitment and code review themes, delivering emails with links to actor-…
north korea
credential theft
cryptocurrency theft
flexibleferret
ottercookie
visual studio code
invisible ferret
developer targeting
2026-06-08
github repositories
overlord
overlord framework
unk_deaddrop
vsix extensions
wallet exfiltration
Published: June 8, 2026
Downloadable IOCs: 18

Miasma Worm Campaign Spreads with New PyPI Wave

A coordinated PyPI compromise campaign involving 37 malicious wheel artifacts across 19 packages was detected, utilizing Python startup hooks to execute credential-stealing payloads. The attack leverages .pth files for automatic execution during Python interpreter startup, downloads the Bun JavaScr…
credential theft
pypi
supply chain attack
hades
github exfiltration
mini shai-hulud
2026-06-07
bioinformatics
bun runtime
miasma
startup hooks
Published: June 7, 2026
Downloadable IOCs: 3

Argamal: Malware hidden in hentai games

In April 2026, researchers discovered a malware campaign targeting players of adult-themed games. The infected games install a previously unknown implant called Argamal that downloads and executes a RAT after several days, resulting in full system compromise. The malware uses COM hijacking to persi…
powershell
credential theft
2026-06-04
adult gaming
argamal
pixeldrain
termixia
Published: June 4, 2026
Linked vulnerabilities : CVE-2026-3102 (CVSS 5.3)
Downloadable IOCs: 2

Malicious npm packages abuse dependency confusion to profile developer environments

Microsoft Threat Intelligence identified an active supply chain attack involving malicious npm packages that employ dependency confusion techniques. Between May 28-29, 2026, a threat actor using three maintainer aliases published malicious packages across nine organizational scopes that mirror real…
obfuscation
credential theft
npm supply chain
ci/cd targeting
2026-05-30
dependency confusion
environment fingerprinting
lifecycle hooks
reconnaissance payload
Published: May 30, 2026
Downloadable IOCs: 7

From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence

A sophisticated multi-stage intrusion began with the compromise of an internet-facing F5 BIG-IP load balancer running an end-of-life version. The threat actor established SSH access to a Linux server using privileged credentials, then conducted extensive reconnaissance including network scanning wi…
credential theft
2026-05-22
confluence exploitation
kerberos relay
Published: May 22, 2026
Linked vulnerabilities : CVE-2024-2012 (CVSS 9.1), CVE-2025-33073 (CVSS 8.8), CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5), CVE-2025-53521 (CVSS 8.7)
Downloadable IOCs: 5

One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud 'Patriot Bait' Campaign

A solo Russian-speaking threat actor tracked as 'bandcampro' operated a five-year MAGA-themed Telegram channel with approximately 17,000 subscribers, initially forwarding cryptocurrency scam content before pivoting to AI-automated operations in September 2025. The actor utilized jailbroken Google G…
credential theft
ai-assisted
wordpress compromise
cryptocurrency fraud
gotoresolve
2026-05-21
information operation
jailbroken gemini
maga community
qanon targeting
telegram channel
Published: May 21, 2026
Downloadable IOCs: 5

PureLogs: Delivery via PawsRunner Steganography

Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell…
phishing
infostealer
steganography
credential theft
.net
purelogs
cryptocurrency wallets
2026-05-21
pawsrunner
Published: May 21, 2026
Downloadable IOCs: 8

Mini Shai-Hulud Hits TanStack npm Packages

The Mini Shai-Hulud campaign compromised 84 npm package artifacts in the TanStack namespace with credential-stealing malware targeting continuous integration systems. On May 11, 2026, attackers published 84 malicious versions across 42 TanStack packages by chaining the pull_request_target pattern, …
credential theft
npm
pypi
supply chain attack
github actions
mini shai-hulud
tanstack
2026-05-21
oidc token
Published: May 21, 2026
Downloadable IOCs: 0

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attack…
typosquatting
infostealer
seo poisoning
credential theft
developer targeting
2026-05-21
ai platform impersonation
fileless powershell
supply chain risk
Published: May 21, 2026
Downloadable IOCs: 34

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

Microsoft identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, affecting libraries like echarts-for-react with over 1 million weekly dow…
obfuscation
credential theft
privilege escalation
data exfiltration
npm
supply chain attack
github actions
ci/cd
2026-05-20
Published: May 20, 2026
Downloadable IOCs: 4

Inside a Tor Backed Supply Chain Worm

A sophisticated npm supply chain attack was uncovered involving the typosquatted package crypto-javascri, designed to mimic the legitimate crypto-js library. The malware harvests npm and GitHub credentials from infected systems, hijacks maintainer accounts, and automatically republishes trojanized …
typosquatting
credential theft
cryptomining
privilege escalation
npm
supply chain attack
worm propagation
2026-05-20
tor c2
Published: May 20, 2026
Downloadable IOCs: 0

Latest PyPi Compromise

A supply chain attack targeting the Microsoft DurableTask Python client compromised versions 1.4.1, 1.4.2, and 1.4.3 on PyPi. The threat actor gained access through a compromised GitHub account previously linked to attacks, using stolen credentials to dump GitHub secrets containing PyPi tokens. The…
credential theft
supply chain attack
pypi compromise
2026-05-19
aws ssm propagation
durabletask
github secrets
kubernetes lateral movement
managed.pyz
password manager
rope.pyz
transformers.pyz
Published: May 19, 2026
Downloadable IOCs: 7

The Worm That Keeps on Digging: Latest Wave

A sophisticated supply chain campaign targeting the open source developer ecosystem has emerged, compromising NPM packages in the @antv namespace, GitHub Actions including actions-cool/issues-helper, and the VSCode extension nrwl.angular-console. The malware initiates multi-stage infection chains u…
credential theft
supply chain attack
github actions
developer environments
npm packages
2026-05-19
backdoor persistence
cicd compromise
vscode extension
Published: May 19, 2026
Downloadable IOCs: 1

Active Supply Chain Attack Compromises Packages on npm

An active npm supply chain attack has compromised packages in the @antv ecosystem, affecting the maintainer account 'atool'. The attack is part of the Mini Shai-Hulud campaign, involving 639 compromised package versions across 323 unique packages. Notable affected packages include echarts-for-react…
credential theft
npm
supply chain attack
ci/cd compromise
github exfiltration
mini shai-hulud
2026-05-19
@antv packages
echarts-for-react
Published: May 19, 2026
Downloadable IOCs: 1

Copycat hits another npm package

A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-uti…
credential-theft
infostealer
npm
open-source
supply-chain-attack
shai-hulud
cryptocurrency-theft
2026-05-18
ddos-botnet
Published: May 18, 2026
Downloadable IOCs: 1

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos tracks active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, allowing remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involv…
xmrig
credential theft
sliver
godzilla
behinder
webshells
gsocket
cryptocurrency mining
authentication bypass
cisco
adaptixc2
CVE-2026-20122
CVE-2026-20127
CVE-2026-20128
CVE-2026-20133
2026-05-14
CVE-2026-20182
kscan
nimplant
sd-wan
xenshell
Published: May 14, 2026
Linked vulnerabilities : CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5), CVE-2026-20122 (CVSS 5.4), CVE-2026-20127 (CVSS 10.0), CVE-2026-20128 (CVSS 7.5), CVE-2026-20133 (CVSS 6.5), CVE-2026-20182 (CVSS 10.0)
Downloadable IOCs: 24

Device Code Phishing is an Evolution in Identity Takeover

Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization gr…
credential theft
clickfix
microsoft 365
phishing-as-a-service
account takeover
tycoon 2fa
identity compromise
device code phishing
eviltokens
kali365
oauth abuse
2026-05-14
artokens
odx
Published: May 14, 2026
Downloadable IOCs: 0

Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in …
espionage
credential-theft
muddywater
iran
dll-sideloading
chromelevator
mois
seedworm
2026-05-12
Published: May 12, 2026
Downloadable IOCs: 11

Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

A sophisticated multi-stage infection chain was identified through proactive threat hunting, beginning with the execution of MicrosoftToolkit.exe, a commonly abused hack tool. The attack employed file masquerading techniques, renaming a .dot file to .bat format to evade detection. The malware perfo…
anti-analysis
credential theft
vidar
autoit
information stealer
c2 communication
defense evasion
multi-stage loader
2026-05-11
arkei
Published: May 11, 2026
Downloadable IOCs: 5

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshe…
credential theft
ssh backdoor
southeast asia
telegram exfiltration
CVE-2026-41940
2026-05-11
cpanel exploitation
cpanel-python
filemanager
filemanager rat
wordpress targeting
Published: May 11, 2026
Linked vulnerabilities : CVE-2026-41940 (CVSS 9.3)
Downloadable IOCs: 1

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techni…
surveillance
powershell
credential theft
uac bypass
fileless execution
amsi bypass
2026-05-10
connectwise screenconnect
lolbin abuse
Published: May 10, 2026
Downloadable IOCs: 7

Technical Advisory: Breach of Instructure Canvas LMS

In early May 2026, Instructure confirmed a breach affecting its Canvas learning platform after detecting unauthorized activity on May 1. ShinyHunters exploited the Free-For-Teacher account program, compromising the Canvas platform directly and exposing names, email addresses, student IDs, and priva…
social engineering
extortion
credential theft
data breach
education sector
phishing campaign
2026-05-09
api compromise
canvas lms
Published: May 9, 2026
Downloadable IOCs: 2

AI-Assisted Lure Factory Targets Developers & Gamers

A large-scale malware campaign tracked as TroyDen's Lure Factory has been identified distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub. The operation uses AI-generated lure names incorporating obscure biological taxonomy and medical terminology to target dev…
infostealer
credential theft
redline
github
lummastealer
2026-05-08
ai-generated lures
luajit
prometheus obfuscator
troyden
two-component payload
Published: May 8, 2026
Downloadable IOCs: 9

Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails…
aitm
credential theft
mfa bypass
session hijacking
phishing campaign
2026-05-06
captcha evasion
financial services
healthcare targeting
Published: May 6, 2026
Downloadable IOCs: 0

Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise

A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML te…
social engineering
aitm
credential theft
multi-stage attack
2026-05-04
authentication token
captcha filtering
token compromise
Published: May 4, 2026
Linked vulnerabilities : CVE-2026-31431
Downloadable IOCs: 3

Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

A malicious artifact of the widely-used intercom/intercom-php package version 5.0.2 was discovered on Packagist, representing an expansion of the Mini Shai-Hulud supply chain attack from npm into the PHP ecosystem. The compromised package exploits Composer plugin execution to download Bun runtime a…
credential theft
supply chain attack
2026-05-01
mini shai-hulud
intercom
packagist compromise
Published: May 1, 2026
Downloadable IOCs: 6

Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages

Multiple npm packages in the SAP JavaScript and cloud application development ecosystem were compromised in a suspected supply chain attack. Affected packages include [email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]. The compromised versions introduced malicio…
obfuscation
credential-theft
supply-chain-attack
github-abuse
2026-04-30
bun-binary
ci-cd-compromise
npm-packages
sap-cap
Published: April 30, 2026
Downloadable IOCs: 4

Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

A supply chain operation dubbed 'Mini Shai Hulud' compromised SAP-related npm packages by injecting malicious preinstall scripts that execute during installation. The campaign leverages multi-stage payloads to harvest developer and CI/CD secrets from GitHub, npm, and major cloud providers, exfiltra…
credential theft
supply chain attack
ci/cd compromise
npm packages
2026-04-30
github exfiltration
mini shai hulud
sap ecosystem
Published: April 30, 2026
Downloadable IOCs: 10

Komari Red: The Monitoring Tool with a Built-in Reverse Shell

On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the Komari agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP…
credential-theft
impacket
reverse-shell
2026-04-30
github-infrastructure
komari
nssm-persistence
rdp-enablement
sslvpn-compromise
Published: April 30, 2026
Downloadable IOCs: 2

LofyStealer: Malware targeting Minecraft players.

A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It …
infostealer
minecraft
credential theft
browser data
chromelevator
2026-04-29
grabbot
lofystealer
node.js loader
slinky
syscalls evasion
Published: April 29, 2026
Downloadable IOCs: 3

User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command

A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniqu…
phishing
powershell
lumma stealer
credential theft
dll sideloading
hijackloader
clickfix
information stealer
lummastealer
2026-04-29
Published: April 29, 2026
Downloadable IOCs: 6

KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft

An Android malware campaign masquerading as a bank KYC verification application targets users in India through WhatsApp distribution. The threat operates as a multi-stage dropper installing secondary payloads while establishing persistent command-and-control communication. It combines native code o…
credential theft
sms interception
otp theft
2026-04-29
android banking trojan
firebase c2
india targeting
kycshadow
vpn manipulation
whatsapp distribution
Published: April 29, 2026
Downloadable IOCs: 3

Extortion in the Enterprise: Defending Against BlackFile Attacks

Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with "The Com" collective, employ voice-based phishing comb…
extortion
credential theft
vishing
data exfiltration
2026-04-27
blackfile
cordial spider
saas attacks
the com
unc6671
Published: April 27, 2026
Downloadable IOCs: 16

Supply Chain Poisoning via PyPI Repository Compromise

Xinference, an open-source distributed AI model inference framework, suffered a supply chain attack when attackers compromised PyPI release credentials of maintainers and published three malicious versions (2.6.0, 2.6.1, 2.6.2) on April 22, 2026. The malicious code, encoded in Base64 layers within …
credential theft
supply chain attack
base64 encoding
teampcp
2026-04-27
ai framework
cloud exploitation
pypi compromise
xinference
Published: April 27, 2026
Downloadable IOCs: 3

Token Bingo: Don't Let Your Code be the Winner

In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, originating primarily from IP address 216.203.20[.]95. Th…
credential theft
microsoft 365
phishing-as-a-service
inbox rules
token theft
device code phishing
2026-04-25
kali365
oauth abuse
Published: April 25, 2026
Downloadable IOCs: 5

The AI Frame Campaign Continues

A malicious Chrome extension impersonating Google's Authenticator application has been identified as part of an ongoing campaign active since early 2026. The extension requests excessive permissions and contains dormant infrastructure suggesting a staged deployment model where malicious updates can…
credential theft
chrome extension
two-factor authentication
browser security
iframe injection
2026-04-24
aiframe campaign
fraudulent paywall
Published: April 24, 2026
Downloadable IOCs: 1

Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions

Docker and Socket uncovered a supply chain compromise affecting Checkmarx KICS distribution channels. Attackers poisoned official Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions (versions 1.17.0, 1.19.0), introducing unauthorized data exfiltration capabilities. The trojaniz…
credential theft
github actions
ci/cd compromise
supply chain compromise
2026-04-22
canister worm
checkmarx kics
docker hub poisoning
mcpaddon.js
npm propagation
vs code extension
Published: April 22, 2026
Downloadable IOCs: 13

npm Packages Hit with TeamPCP-Style CanisterWorm Malware

Malicious npm packages associated with Namastex.ai were compromised with malware exhibiting tradecraft similar to TeamPCP's CanisterWorm campaign. The attack targeted packages including @automagik/genie and pgserve, implementing install-time execution that harvests credentials, environment variable…
worm
credential theft
npm
pypi
supply chain attack
self-propagating
canisterworm
2026-04-22
icp canister
Published: April 22, 2026
Downloadable IOCs: 7

March 2026 Phishing Email Trends Report

In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) wer…
remcosrat
credential theft
agenttesla
2026-04-22
fake invoices
html phishing
phishing email
script-based attacks
trojan campaigns
Published: April 22, 2026
Downloadable IOCs: 0

Mach-O Man Malware: What CISOs Need to Know

Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating …
social engineering
macos
credential theft
clickfix
telegram exfiltration
2026-04-22
browser stealing
fintech targeting
mach-o binaries
mach-o man
pylangghostrat
Published: April 22, 2026
Downloadable IOCs: 15

Abusing OAuth Device Code Flow

In early 2026, phishing attacks remain a top threat vector in security operations. This analysis covers a novel attack method exploiting Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers use phishing emails containing Mailchimp's Mandrill ser…
phishing
credential theft
persistent access
oauth
2026-04-20
device code flow
graph api
microsoft entra id
token hijacking
Published: April 20, 2026
Downloadable IOCs: 2

FakeWallet crypto stealer spreading in the App Store

In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages distributing trojanized versions of legitimate wallets engineered to steal recovery phrases and private keys. …
ios
cryptocurrency
credential theft
app store
sparkkitty
cryptocurrency wallet
2026-04-20
chinese targeting
enterprise certificates
fakewallet
phishing apps
provisioning profiles
Published: April 20, 2026
Downloadable IOCs: 32

Untangling a Linux Incident With an OpenAI Twist

A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent wh…
credential theft
cryptominer
edr evasion
living-off-the-land
monero mining
2026-04-17
codex ai
linux compromise
multi-actor
Published: April 17, 2026
Linked vulnerabilities : CVE-2025-47812
Downloadable IOCs: 1

Fake YouTube copyright notices can steal your Google login

A sophisticated phishing campaign is targeting YouTube creators using convincing fake copyright strike notifications. The attack dynamically pulls real channel data including profile pictures, subscriber counts, and recent videos to create personalized scare pages. Victims are funneled through a Br…
credential theft
browser-in-the-browser
cryptocurrency scams
phishing campaign
2026-04-15
google account takeover
Published: April 15, 2026
Downloadable IOCs: 0

59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open

A Brazilian banking fraud operation leveraging ClickFix social engineering was discovered through a community tip, exposing a completely unauthenticated command-and-control infrastructure. The campaign deploys a malicious Chrome extension masquerading as a Banco Central do Brasil tool, force-instal…
credential-theft
clickfix
2026-04-14
banking-stealer
session-hijacking
Published: April 14, 2026
Downloadable IOCs: 12

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while …
supply-chain
north korea
infostealer
credential theft
npm
beavertail
contagious interview
invisibleferret
ssh backdoor
ottercookie
javascript obfuscation
2026-04-13
koalemos
vercel c2
Published: April 13, 2026
Downloadable IOCs: 9

North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-control…
rat
north korea
credential theft
contagious interview
supply chain attack
cryptocurrency wallet
2026-04-08
cross-ecosystem
developer tooling
pypi npm
staged loader
Published: April 8, 2026
Downloadable IOCs: 3

Supply-Chain Compromise of axios npm Package

A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's…
supply-chain
credential-theft
npm
cross-platform
remote access trojan
axios
remote-access-trojan
2026-03-31
Published: March 31, 2026
Downloadable IOCs: 4

CrySome RAT : An Advanced Persistent .NET Remote Access Trojan

CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an agg…
rat
persistence
credential theft
remote access
.net
stealth
defense evasion
avkiller
c#
hvnc
2026-03-31
crysome rat
Published: March 31, 2026
Downloadable IOCs: 2

One Click Away: Inside a LinkedIn Phishing Attack

A sophisticated phishing campaign targeting LinkedIn users has been identified. The attack uses fake LinkedIn message notifications to lure victims into clicking on malicious links. The emails closely mimic legitimate LinkedIn communications, including spoofed display names and formatting. Upon cli…
phishing
social engineering
credential theft
domain spoofing
email spoofing
linkedin
fake login page
2026-03-31
notification imitation
Published: March 31, 2026
Downloadable IOCs: 0

TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The pa…
persistence
steganography
credential theft
pypi
multi-platform
base64 encoding
supply-chain attack
2026-03-30
wav files
Published: March 30, 2026
Downloadable IOCs: 5

Security brief: tax scams aim to steal funds from taxpayers

Threat actors are exploiting tax season with numerous campaigns leveraging tax themes to deliver malware, remote monitoring tools, fraud attempts, and credential phishing. Over a hundred campaigns have been observed in 2026, with a notable increase in remote monitoring and management (RMM) payloads…
phishing
social engineering
rmm
credential theft
valleyrat
bec
winos4.0
irs impersonation
2026-03-30
tax scams
Published: March 30, 2026
Downloadable IOCs: 5

AI Infrastructure Supply Chain Poisoning Alert

A supply chain poisoning attack on LiteLLM, a popular AI model gateway, was detected by NSFOCUS Technology CERT. The TeamPCP group compromised the Trivy security scanning tool used in LiteLLM's release process, allowing them to publish malicious versions 1.82.7 and 1.82.8 on PyPI. These versions co…
credential theft
kubernetes
pypi
supply chain attack
ai infrastructure
open source
litellm
2026-03-27
software security
Published: March 27, 2026
Downloadable IOCs: 4

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

A new phishing campaign is targeting TikTok for Business accounts using adversary-in-the-middle (AitM) techniques. The attackers employ Cloudflare Turnstile to evade detection and create convincing lookalike pages impersonating TikTok for Business or Google Careers. Victims are tricked into clickin…
phishing
social engineering
aitm
credential theft
vidar
bianlian
stealc
cloudflare turnstile
2026-03-27
aura stealer
svg malware
tiktok
Published: March 27, 2026
Downloadable IOCs: 0

Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a sophisticated CI/CD supply chain attack. Threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting the core binary and GitHub Actions. The attack exploited m…
credential theft
supply chain attack
trivy
2026-03-25
Published: March 25, 2026
Downloadable IOCs: 2

KICS GitHub Action Compromised: TeamPCP Supply Chain Attack

The KICS GitHub Action, an open-source infrastructure as code security scanner by Checkmarx, was compromised by TeamPCP, the group behind the recent Trivy attack. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked, exposing users to credential-stealing malware. The attack involved stagi…
credential theft
supply chain attack
cloud credentials
2026-03-24
infrastructure as code
kics
Published: March 24, 2026
Downloadable IOCs: 4

GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer

The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The…
credential-theft
macos
github
supply-chain-attack
2026-03-23
ghostclaw
ghostloader
Published: March 23, 2026
Downloadable IOCs: 16

Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. …
infostealer
exfiltration
credential theft
supply chain attack
github actions
ci/cd
2026-03-20
teampcp cloud stealer
trivy
typosquat
Published: March 20, 2026
Downloadable IOCs: 2

An Overview of The Gentlemen's TTPs

This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense…
exploit
ransomware
credential-theft
medusa
CVE-2024-37085
qilin
CVE-2023-27532
data-exfiltration
lateral-movement
babuk
vasa locker
babyk
raas
CVE-2024-55591
CVE-2025-32463
fortios
lockbit 5.0
defense-evasion
the gentlemen
2026-03-20
Published: March 20, 2026
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-55591 (CVSS 9.8), CVE-2023-27532, CVE-2025-32463 (CVSS 9.3)
Downloadable IOCs: 4

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

During tax season, threat actors exploit the urgency of time-sensitive tax-related emails to trick targets into opening malicious attachments, scanning QR codes, or following link chains. Recent campaigns identified by Microsoft Threat Intelligence use lures around W-2 forms, tax forms, and imperso…
malware
screenconnect
phishing
social engineering
credential theft
simplehelp
tax season
remote monitoring tools
2026-03-19
cpa targeting
datto
irs impersonation
Published: March 19, 2026
Downloadable IOCs: 2

Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine

An exposed open directory revealed a comprehensive Roundcube exploitation toolkit used by APT28 to target Ukrainian government entities. The toolkit includes XSS payloads, a Flask-based C2 server, CSS injection tools, and a Go-based implant. It enables credential harvesting, persistent mail forward…
fancy bear
apt28
ukraine
government
credential theft
xss
webmail
roundcube
2026-03-18
css injection
go implant
httd
spypress.roundish
Published: March 18, 2026
Downloadable IOCs: 5

Fake Pudgy World site steals crypto passwords

A sophisticated phishing campaign is targeting users of the newly-launched Pudgy World browser game, exploiting the game's requirement to connect cryptocurrency wallets. The fake site mimics the official game's appearance and wallet connection process, presenting convincing forgeries of 11 differen…
phishing
cryptocurrency
credential theft
evasion techniques
wallet
2026-03-18
browser game
nft
pudgy world
Published: March 18, 2026
Downloadable IOCs: 0

Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

A credential theft campaign by Storm-2561 exploits SEO poisoning to distribute fake VPN clients. Users searching for legitimate VPN software are redirected to malicious websites hosting ZIP files containing trojans masquerading as trusted VPN clients. These digitally signed trojans harvest VPN cred…
seo poisoning
credential theft
vpn
code signing
2026-03-16
hyrax
Published: March 16, 2026
Downloadable IOCs: 12

"Handala Hack" - Unveiling Group's Modus Operandi

Handala Hack, an online persona operated by Void Manticore, is affiliated with Iranian intelligence services. The group, known for destructive wiping attacks and hack-and-leak operations, has targeted organizations in Israel, Albania, and the US. Their tactics include supply chain attacks, credenti…
supply chain
credential theft
iranian threat actor
2026-03-16
handala wiper
wiping attacks
Published: March 16, 2026
Downloadable IOCs: 7

Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise

SentinelOne's DFIR team has responded to multiple incidents involving compromised FortiGate NGFW appliances used to establish footholds in targeted environments. Attackers exploited vulnerabilities or weak credentials to access FortiGate devices, extract configuration files containing service accou…
credential theft
lateral movement
fortigate
rmm tools
CVE-2025-59718
CVE-2025-59719
CVE-2026-24858
2026-03-11
ngfw
Published: March 11, 2026
Linked vulnerabilities : CVE-2025-59718 (CVSS 9.8), CVE-2025-59719 (CVSS 9.8), CVE-2026-24858 (CVSS 9.8)
Downloadable IOCs: 2

Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale

Tycoon2FA emerged as a prominent phishing-as-a-service platform in August 2023, enabling large-scale campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it provided adversary-in-the-middle capabilities to bypass multifactor authentication. The kit allowed impersonation …
credential theft
adversary-in-the-middle
evasion techniques
phishing-as-a-service
tycoon2fa
2026-03-04
multifactor authentication bypass
session token interception
Published: March 4, 2026
Downloadable IOCs: 9

Nefilim Ransomware

Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if ransom isn't paid. Nefilim …
ransomware
encryption
credential theft
lateral movement
rdp
data exfiltration
CVE-2019-19781
nefilim
2026-02-24
aes-128
citrix
CVE-2019-11634
nemty
netwalker
Published: February 24, 2026
Downloadable IOCs: 14

Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences

A new Go-based remote access trojan named Moonrise has been discovered, operating without early static detection and establishing active C2 communication before vendor alerts. The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control…
rat
credential theft
c2 communication
remote access trojan
low-detection
go-based
2026-02-24
moonrise
moonrise rat
Published: February 24, 2026
Downloadable IOCs: 7

Apache ActiveMQ Exploit Leads to LockBit Ransomware

A threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server, gaining initial access and later returning after being evicted. The attacker used Metasploit for post-exploitation activities, including privilege escalation, credential access, and lateral movement. Upon regaining access…
ransomware
lockbit
credential theft
lateral movement
rdp
metasploit
CVE-2023-46604
apache activemq
2026-02-23
Published: February 23, 2026
Downloadable IOCs: 3

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains

An active supply chain worm campaign, dubbed SANDWORM_MODE, is spreading through typosquatting and AI toolchain poisoning across at least 19 malicious npm packages. The worm exhibits Shai-Hulud characteristics, incorporating GitHub API exfiltration with DNS fallback, hook-based persistence, SSH pro…
supply-chain
typosquatting
credential-theft
worm
exfiltration
ai
npm
github
2026-02-23
ci
sandworm_mode
Published: February 23, 2026
Downloadable IOCs: 2

Invitation to Trouble: The Rise of Calendar Phishing Attacks

A new phishing tactic involving fake Microsoft and Google Calendar invites has been identified, aimed at stealing login credentials. These sophisticated attacks mimic designs from well-known platforms, exploiting routine business activities like scheduling meetings. Threat actors use email spoofing…
social engineering
credential theft
microsoft
email spoofing
2026-02-19
calendar phishing
corporate targeting
fake invitations
google
Published: February 19, 2026
Downloadable IOCs: 7

Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques

This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally a commercial tool, Remcos now provides attackers with capabilities such as credential theft, keylogging, screen capture, and webcam control. The latest variant exhibits rea…
rat
persistence
remcos
credential theft
keylogging
data exfiltration
evasion techniques
remote access trojan
command-and-control
2026-02-18
Published: February 18, 2026
Downloadable IOCs: 1

How ClickFix Opens the Door to Stealthy StealC Information Stealer

This analysis examines a sophisticated attack chain targeting Windows systems through social engineering. It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The multi-stage infection process ultimately deploys the StealC information stealer, a commo…
social engineering
credential theft
stealc
clickfix
information stealer
process injection
multi-stage infection
fileless execution
2026-02-17
Published: February 17, 2026
Downloadable IOCs: 9

Lumma Stealer and Ninja Browser malware campaign abusing Google Groups

A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumm…
social engineering
lumma stealer
credential theft
lumma
2026-02-16
google groups
ninja browser
trojanized browser
Published: February 16, 2026
Downloadable IOCs: 19

Infostealers without borders: macOS, Python stealers, and platform abuse

Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilit…
social engineering
python
infostealer
macos
credential theft
atomic macos stealer
fileless execution
platform abuse
pxa stealer
eternidade stealer
macsync
2026-02-02
digitstealer
Published: February 2, 2026
Downloadable IOCs: 23

Fake Dropbox Phishing Campaign via PDF and Cloud Storage

A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox l…
phishing
credential theft
pdf
multi-stage attack
telegram exfiltration
cloud storage
2026-02-02
dropbox impersonation
Published: February 2, 2026
Downloadable IOCs: 2

Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data …
social engineering
extortion
ddos
credential theft
vishing
data exfiltration
mfa bypass
2026-01-31
saas
Published: January 31, 2026
Downloadable IOCs: 14

A $6,000 Russian Malware Toolkit with Chrome Web Store Guarantee

A new malware-as-a-service toolkit called 'Stanley' is being sold on Russian cybercrime forums for $2,000 to $6,000. It provides a turnkey website-spoofing operation disguised as a Chrome extension, with the premium tier promising guaranteed publication on the Chrome Web Store. The toolkit allows f…
phishing
credential theft
chrome web store
browser extension
malware-as-service
2026-01-26
russian cybercrime
stanley
website spoofing
Published: January 26, 2026
Linked vulnerabilities : CVE-2025-14847 (CVSS 8.7)
Downloadable IOCs: 3

CastleLoader Malware Analysis: Full Execution Breakdown

CastleLoader is a sophisticated malware loader designed to deliver and install malicious components, primarily targeting government entities and critical infrastructure. It employs a multi-stage execution chain involving Inno Setup, AutoIt, and process hollowing to evade detection. The loader deliv…
loader
evasion
credential theft
process hollowing
multi-stage
castleloader
2026-01-15
memory-only
Published: January 15, 2026
Downloadable IOCs: 6

Booking.com Phishing Campaign Targeting Hotels and Customers

A sophisticated phishing campaign targeting the hospitality industry has been uncovered, compromising hotel administrators' Booking.com accounts to defraud customers. The attack chain begins with spear-phishing emails impersonating Booking.com, leading to malware infection via the ClickFix social e…
phishing
social engineering
credential theft
cybercrime
clickfix
hospitality
booking.com
purerat
2025-11-07
2026-01-13
Published: January 13, 2026
Downloadable IOCs: 56

Reflecting on AI in 2025: Faster Attacks, Same Old Tradecraft

In 2025, AI did not revolutionize cyber attacks as predicted. Instead, adversaries used AI to accelerate traditional tradecraft, focusing on speed and accessibility rather than new offensive capabilities. The article examines several case studies showcasing AI-generated scripts for credential theft…
credential theft
chrome extension
2026-01-12
ai-generated attacks
cybersecurity outlook
powershell scripts
tradecraft acceleration
Published: January 12, 2026
Downloadable IOCs: 6

Malicious NPM Packages Deliver NodeCordRAT

Three malicious npm packages were discovered in November 2025, designed to deliver and install a new RAT malware family named NodeCordRAT. The packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, mimicked legitimate Bitcoin-related libraries to deceive developers. NodeCordRAT uses Discord for com…
supply-chain
credential-theft
cryptocurrency
npm
2026-01-08
nodecordrat
Published: January 8, 2026
Downloadable IOCs: 0

Phishing actors exploiting complex routing scenarios and misconfigured spoof protections

Threat actors are leveraging complex routing scenarios and misconfigured spoof protections to send phishing emails that appear to be internal communications. These attacks, which have increased since May 2025, use various lures like voicemails, shared documents, and password resets to conduct crede…
phishing
credential theft
spoofing
financial scams
dkim
tycoon2fa
email
2026-01-07
dmarc
spf
Published: January 7, 2026
Downloadable IOCs: 4

MuddyWater: Snakes by the riverbank

MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Foode…
iran
credential theft
cyberespionage
defense evasion
critical infrastructure
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
reverse tunneling
2026-01-03
fooder loader
muddyviper backdoor
Published: January 3, 2026
Downloadable IOCs: 9

Russian APT actor phishes the Baltics and the Balkans

A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The ph…
apt
phishing
credential-theft
government
eastern europe
2025-12-16
Published: December 16, 2025
Downloadable IOCs: 0

Technical Analysis of the BlackForce Phishing Kit

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, includi…
phishing
credential theft
mfa bypass
telegram
evasion techniques
2025-12-12
blackforce
mitb
Published: December 12, 2025
Downloadable IOCs: 0

Operation MoneyMount, ISO Deploying Phantom Stealer

A Russian phishing campaign targeting finance and accounting sectors uses fake payment confirmation emails to deliver Phantom stealer malware. The attack chain involves a ZIP file containing an ISO, which when mounted reveals an executable that loads the stealer. The malware employs anti-analysis t…
phishing
russia
exfiltration
steganography
credential theft
finance
multi-stage attack
phantom stealer
2025-12-12
iso
Published: December 12, 2025
Downloadable IOCs: 4

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

An active phishing campaign has been identified targeting organizations using Microsoft 365 and Okta for single sign-on. The campaign employs modern techniques to bypass multi-factor authentication and hijack legitimate SSO flows. It uses lookalike domains to impersonate Okta authentication pages a…
phishing
credential theft
adversary-in-the-middle
microsoft 365
session hijacking
sso
2025-12-10
okta
Published: December 10, 2025
Downloadable IOCs: 1

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…
phishing
social engineering
infostealer
credential theft
reconnaissance
microsoft teams
2025-12-03
quick assist
Published: December 3, 2025
Downloadable IOCs: 0

Shai-Hulud V2 Poses Risk to NPM Supply Chain

A second wave of the Shai-Hulud malware campaign, dubbed 'The Second Coming', has emerged targeting the npm ecosystem. This advanced software supply chain attack has compromised over 700 npm packages and created more than 27,000 malicious GitHub repositories. Shai-Hulud V2 introduces critical advan…
backdoor
supply chain
worm
exfiltration
credential theft
github
2025-12-03
shai-hulud v2
Published: December 3, 2025
Downloadable IOCs: 3

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…
phishing
windows
infostealer
credential theft
autoit
nsis
lumma
maas
process hollowing
2025-11-27
Published: November 27, 2025
Downloadable IOCs: 3

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware target…
supply chain
cloud
credential theft
azure
npm
aws
github
shai-hulud
2025-11-27
gcp
Published: November 27, 2025
Downloadable IOCs: 6

How NTLM is being abused in 2025 cyberattacks

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451…
apt
windows
credential theft
lateral movement
exploits
CVE-2023-38831
authentication
phantomcore
remcos rat
CVE-2024-43451
ntlm
vulnerabilities
CVE-2025-24054
CVE-2025-24071
CVE-2025-33073
2025-11-26
warzone
avemaria
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-43451 (CVSS 6.5), CVE-2025-24054 (CVSS 6.5), CVE-2025-24071 (CVSS 7.5), CVE-2023-38831, CVE-2025-33073 (CVSS 8.8)
Downloadable IOCs: 3

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript fi…
social engineering
macos
credential theft
multi-stage attack
flexibleferret
2025-11-26
golang backdoor
fake job scams
Published: November 26, 2025
Downloadable IOCs: 21

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…
phishing
north korea
babyshark
powershell
credential theft
keylogging
data exfiltration
spear-phishing
browser credentials
kimjongrat
2025-11-24
pe executable
Published: November 24, 2025
Downloadable IOCs: 9

New Banking Trojan Identified, Distributed Through WhatsApp

A new banking Trojan dubbed Eternidade Stealer has been identified, distributed through WhatsApp hijacking and social engineering. The malware, written in Delphi, uses IMAP to retrieve C2 addresses dynamically. It's spread via a WhatsApp worm campaign using a Python script. The attack chain involve…
social engineering
whatsapp
credential theft
banking trojan
brazil
delphi
2025-11-20
eternidade stealer
imap
Published: November 20, 2025
Linked vulnerabilities : CVE-2025-59287 (CVSS 9.8)
Downloadable IOCs: 23

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…
phishing
ransomware
lockbit
credential theft
cloud abuse
lockbit 5.0
2025-10-29
tykit
clickup
google careers
figma
Published: October 29, 2025
Downloadable IOCs: 10

New Android Malware Mimics Human Behavior to Evade Detection

A new Android malware called Herodotus has been discovered, designed to perform device takeover while mimicking human behavior to bypass biometric detection. Active campaigns have been observed in Italy and Brazil. Herodotus is being offered as Malware-as-a-Service and shows links to the previously…
android
credential theft
malware-as-a-service
banking trojan
device takeover
hook
mqtt
remote control
2025-10-28
octo
behavior mimicry
herodotus
brokewell
Published: October 28, 2025
Downloadable IOCs: 1

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

A group of financially motivated threat actors from Vietnam, tracked as UNC6229, is targeting individuals in the digital advertising and marketing sectors through fake job postings. They use social engineering tactics to deliver malware and phishing kits, aiming to compromise high-value corporate a…
social engineering
credential theft
remote access trojans
2025-10-23
fake job postings
digital advertising
Published: October 23, 2025
Downloadable IOCs: 0

SecuritySnack: 18+E-Crime

A financially motivated cybercrime operation has been identified, targeting users with over 80 spoofed domain names and lure websites. The campaign, which began in September 2024, focuses on government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. Th…
social engineering
credential theft
spoofed domains
android malware
trojans
lure websites
2025-10-06
windows malware
Published: October 6, 2025
Downloadable IOCs: 140

Update on Ongoing Akira Ransomware Campaign

The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new infrastructure observed as recently as September 20. Threat actors are exploiting previously exfiltrated credentials, including those with OTP MFA, likely related to CVE-2024-40766. The atta…
ransomware
credential theft
akira
CVE-2024-40766
CVE-2023-20269
CVE-2020-3259
sonicwall
ssl vpn
2025-09-27
infrastructure rotation
Published: September 27, 2025
Downloadable IOCs: 0

Hidden WordPress Backdoors Creating Admin Accounts

Two malicious files were discovered on a compromised WordPress website, designed to manipulate administrator accounts and maintain unauthorized access. The first file, disguised as a plugin called 'DebugMaster Pro', created a secret admin user and communicated with a command and control server. The…
backdoor
wordpress
credential theft
compromise
stealth
2025-09-24
debugmaster pro
admin accounts
Published: September 24, 2025
Downloadable IOCs: 0

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …
ransomware
encryption
credential theft
data exfiltration
akira
CVE-2023-27532
CVE-2024-40766
CVE-2024-40711
double extortion
CVE-2023-20269
2025-09-22
backup destruction
Published: September 22, 2025
Downloadable IOCs: 0

Warlock operation joins busy ransomware landscape

GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM ope…
ransomware
credential theft
lateral movement
CVE-2024-51324
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
warlock
dedicated leak site
2025-09-17
edr bypass
sharepoint exploitation
warlock group
Published: September 17, 2025
Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

The Dangers of Storing Unencrypted Passwords

A threat actor exploited a SonicWall VPN vulnerability to gain initial access to an organization's network. The attacker discovered plaintext Huntress recovery codes on a user's desktop, allowing them to bypass MFA and access the Huntress portal. They then proceeded to close active incident reports…
ransomware
credential theft
akira
sonicwall
2025-09-15
certificate export
vpn exploit
recovery codes
Published: September 15, 2025
Downloadable IOCs: 2

AI-Generated Code and Fake Apps Used for Far-Reaching Attacks

A new malware campaign called EvilAI is spreading globally by disguising itself as legitimate AI-enhanced productivity tools. The malware uses AI-generated code and professional interfaces to evade detection, targeting organizations across sectors like manufacturing, government, and healthcare. It …
obfuscation
persistence
node.js
trojan
credential theft
command and control
2025-09-12
ai-generated code
evilai
fake applications
Published: September 12, 2025
Downloadable IOCs: 14

Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

Axios user agent activity has surged by 241% from June to August 2025, outpacing other flagged user agents. Attacks combining Axios with Direct Send achieved a 70% success rate in recent campaigns, significantly higher than non-Axios campaigns. The combination exploits Direct Send's trusted nature …
phishing
credential theft
qr codes
automation
axios
api exploitation
direct send
2025-09-10
user agent
Published: September 10, 2025
Downloadable IOCs: 14

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

A data breach attributed to a North Korean-affiliated actor known as "Kim" has provided new insights into Kimsuky (APT43) tactics and infrastructure. The actor's operations focus on credential-based intrusions targeting South Korean and Taiwanese networks, utilizing Chinese-language tools and infra…
phishing
north korea
rootkit
south korea
credential theft
taiwan
ocr
2025-09-08
hybrid attribution
vmmisc.ko
gpki
Published: September 8, 2025
Downloadable IOCs: 11

Malicious Appsuite PDF Editor Spreads Tamperedchef Malware

A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor containing the TamperedChef information-stealing malware. The malware harvests sensitive…
obfuscation
credential theft
information stealer
trojanized software
tamperedchef
2025-08-28
google advertising
appsuite pdf editor
Published: August 28, 2025
Downloadable IOCs: 97

UNC Cluster Targeting South Asian Countries

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login p…
phishing
credential theft
remote access
rafel rat
information stealer
android malware
2025-08-27
military targets
south asian apt
Published: August 27, 2025
Downloadable IOCs: 0

Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES ru…
android
cryptocurrency
credential theft
banking trojan
anatsa
teabot
evasion techniques
coper
joker
google play store
financial institutions
2025-08-22
harly
facestealer
Published: August 22, 2025
Downloadable IOCs: 0

Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates i…
allakore rat
financial fraud
credential theft
drive-by download
systembc
spear-phishing
geofencing
2025-08-21
mexico
Published: August 21, 2025
Downloadable IOCs: 0

Cybercriminals Abuse AI Website Creation App For Phishing

Cybercriminals are exploiting an AI-powered website creation platform called Lovable to generate fraudulent websites for credential phishing and malware delivery. The threat actors create or clone sites impersonating well-known brands, use CAPTCHA for filtering, and post stolen credentials to Teleg…
phishing
cryptocurrency
credential theft
zgrat
malware delivery
doiloader
tycoon
2025-08-21
ai-generated websites
lovable platform
Published: August 21, 2025
Downloadable IOCs: 0

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations

Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by routing malicious messages through trusted infrastructure. This technique requires no credentials, only knowledge of the target domain and valid recipient …
phishing
credential theft
spoofing
microsoft 365
business email compromise
email security
2025-08-18
direct send
Published: August 18, 2025
Downloadable IOCs: 27

A New Threat Actor Targeting Geopolitical Hotbeds

Bitdefender Labs has uncovered a new threat actor group named Curly COMrades, operating since mid-2024 to support Russian interests. The group targets critical organizations in countries experiencing geopolitical shifts, focusing on judicial and government bodies in Georgia and an energy distributi…
backdoor
russia
credential theft
lateral movement
geopolitical
moldova
resocks
2025-08-12
georgia
clsid hijacking
mucoragent
proxy tools
Published: August 12, 2025
Downloadable IOCs: 0

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…
powershell
credential-theft
anti-analysis
process-hollowing
fileless
information-stealer
2025-08-08
darkcloud
Published: August 8, 2025
Downloadable IOCs: 2

Unmasking the SVG Threat: How Hackers Use Vector Graphics for Phishing Attacks

Attackers are exploiting Scalable Vector Graphics (SVG) files to execute sophisticated phishing attacks. SVGs, typically used for scalable images, can contain embedded JavaScript that executes when opened in a browser. The attack chain involves sending SVG attachments via spear-phishing emails or c…
phishing
javascript
credential theft
captcha
svg
email attachments
2025-08-07
cloud storage
browser execution
Published: August 7, 2025
Downloadable IOCs: 2

Odyssey Stealer Malware Attacks macOS Users

A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript…
phishing
macos
credential theft
clickfix
applescript
odyssey stealer
2025-08-07
crypto wallet
Published: August 7, 2025
Downloadable IOCs: 3

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…
ransomware
seo poisoning
credential theft
lateral movement
data exfiltration
akira
bumblebee
2025-08-07
rustdesk
it management tools
adaptixc2
Published: August 7, 2025
Downloadable IOCs: 0

Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential…
ransomware
zero-day
credential theft
lateral movement
vpn
mfa bypass
akira
sonicwall
2025-08-04
Published: August 4, 2025
Downloadable IOCs: 12

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan ca…
windows
infostealer
lumma stealer
credential theft
drive-by download
brand impersonation
2025-08-03
telegram premium
Published: August 3, 2025
Downloadable IOCs: 0

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chai…
phishing
aitm
credential theft
mfa bypass
microsoft 365
oauth
2025-08-01
application impersonation
tycoon
Published: August 1, 2025
Downloadable IOCs: 0

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration

Raven Stealer is a modern information-stealing malware developed in Delphi and C++, designed to extract sensitive data from victim machines. It targets Chromium-based browsers, extracting passwords, cookies, payment details, and autofill information. The malware uses a modular architecture and a bu…
infostealer
credential theft
information-stealing
data exfiltration
github
telegram
c++
browser data
delphi
octalyn stealer
2025-07-26
raven stealer
upx packing
2025-08-01
Published: August 1, 2025
Downloadable IOCs: 0

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight
Published: July 31, 2025
Downloadable IOCs: 8

Android Malware Posing As Indian Bank Apps

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It emplo…
phishing
android
credential-theft
trojan
banking
firebase
2025-07-25
call-forwarding
sms-interception
Published: July 25, 2025
Downloadable IOCs: 2

Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor

A financially-motivated threat actor, UNC6148, is targeting fully patched end-of-life SonicWall SMA 100 series appliances. They are using stolen credentials and OTP seeds from previous intrusions to regain access. The actor has deployed a new persistent backdoor/user-mode rootkit called OVERSTEP, w…
backdoor
rootkit
credential theft
vpn
data exfiltration
sonicwall
CVE-2025-32819
2025-07-18
overstep
CVE-2021-20038
CVE-2024-38475
CVE-2021-20039
CVE-2021-20035
sma
Published: July 18, 2025
Linked vulnerabilities : CVE-2025-32819 (CVSS 8.8), CVE-2021-20039, CVE-2023-44221, CVE-2021-20035, CVE-2024-38475, CVE-2021-20038
Downloadable IOCs: 4

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…
infostealer
cryptocurrency
credential theft
data exfiltration
maas
evasion techniques
browser injection
katz stealer
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 31

Applications of Snake Keylogger in Geopolitics: Abuse of Trusted Java Utilities in Cybercriminal Activities

A new phishing campaign using Snake Keylogger, a Russian-origin stealer, has been discovered targeting various victims including corporations, governments, and individuals. The campaign uses spear-phishing emails offering petroleum products, with malicious attachments exploiting the legitimate jsad…
credential theft
dll sideloading
java
keylogger
geopolitical
maas
snake keylogger
spear-phishing
2025-07-06
petroleum
Published: July 6, 2025
Downloadable IOCs: 0

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…
ransomware
credential theft
lateral movement
rdp
ransomhub
mimikatz
data exfiltration
password spray
living-off-the-land
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 9

Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware

APT36, a Pakistan-based cyber espionage group, is actively targeting Indian defense personnel through sophisticated phishing campaigns. The group disseminates emails with malicious PDF attachments resembling official government documents. When opened, these PDFs display a blurred background and a b…
phishing
pakistan
cyber espionage
credential theft
pdf
transparent tribe
2025-06-21
indian defense
Published: June 21, 2025
Downloadable IOCs: 0

Steam Phishing: Popular as Ever

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' c…
phishing
social engineering
credential theft
fraud
cybersecurity
gaming
steam
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 31

Resurgence of the Prometei Botnet

Unit 42 researchers identified a new wave of Prometei botnet attacks in March 2025. The malware, which includes Linux and Windows variants, allows remote control of compromised systems for cryptocurrency mining and credential theft. Prometei is actively developed, incorporating new modules and meth…
linux
backdoor
botnet
credential theft
cryptominer
dga
prometei
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 11

Understanding CyberEYE RAT Builder: Capabilities and Implications

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hija…
rat
persistence
anti-analysis
credential theft
data exfiltration
telegram
2025-06-13
cybereye
windows defender evasion
telegramrat
Published: June 13, 2025
Downloadable IOCs: 0

UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. T…
spearphishing
poland
credential theft
vulnerability exploitation
CVE-2024-42009
unc1151
CVE-2025-49113
2025-06-05
roundcube
Published: June 5, 2025
Linked vulnerabilities : CVE-2024-42009, CVE-2025-49113 (CVSS 9.9)
Downloadable IOCs: 3

PumaBot: Novel Botnet Targeting IoT Surveillance Devices

A new Go-based Linux botnet named PumaBot has been identified targeting IoT devices, particularly surveillance systems. It brute-forces SSH credentials using lists from a C2 server, then deploys itself and establishes persistence. The malware disguises itself as legitimate system files, creates sys…
linux
surveillance
persistence
iot
botnet
credential theft
2025-06-04
pumabot
ssh brute-force
Published: June 4, 2025
Downloadable IOCs: 1

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake …
phishing
social engineering
credential theft
email spoofing
2025-06-04
google apps script
invoice scam
microsoft login
Published: June 4, 2025
Downloadable IOCs: 2

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

A sophisticated campaign using typo-squatted 'Spectrum' domains has been uncovered, spreading a new Atomic macOS Stealer (AMOS) variant. The attack, disguised as a CAPTCHA verification, employs dynamic payloads based on the victim's operating system. For macOS users, a malicious shell script steals…
social engineering
typosquatting
credential theft
clickfix
poseidon
amos
2025-06-04
dynamic payload
spectrum
multi-platform attack
macos stealer
Published: June 4, 2025
Downloadable IOCs: 4

PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec's Operations

This analysis explores the connections between two Phishing-as-a-Service (PhaaS) platforms: Tycoon2FA and Dadsec. The investigation reveals shared infrastructure and operational similarities, suggesting a common origin or adaptation. The report details the evolving tactics of Tycoon2FA, including i…
aitm
credential theft
mfa bypass
phishing-as-a-service
dadsec
tycoon2fa
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 0

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Evolution of Zanubis, a banking Trojan for Android

Zanubis is an evolving Android banking Trojan that emerged in 2022, targeting financial institutions in Peru before expanding to virtual cards and crypto wallets. It impersonates legitimate apps to trick users into granting accessibility permissions, enabling extensive data theft and device control…
android
credential theft
banking trojan
2025-05-28
zanubis
sms hijacking
Published: May 28, 2025
Downloadable IOCs: 8

Global operation disrupts Lumma Stealer

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation…
infostealer
lumma stealer
credential theft
malware-as-a-service
disruption
2025-05-26
c&c infrastructure
Published: May 26, 2025
Downloadable IOCs: 113

PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. Th…
infostealer
credential theft
2025-05-22
session hijacking
pupkinstealer
Published: May 22, 2025
Downloadable IOCs: 1

Operation RoundPress targeting high-value webmail servers

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023…
espionage
spearphishing
russia
zero-day
credential theft
xss
data exfiltration
CVE-2024-27443
CVE-2024-11182
2025-05-15
2025-05-18
webmail
eastern europe
spypress.roundcube
spypress.mdaemon
CVE-2023-43770
spypress.zimbra
spypress.horde
Published: May 18, 2025
Linked vulnerabilities : CVE-2024-27443, CVE-2024-11182 (CVSS 6.1), CVE-2020-35730, CVE-2023-23397, CVE-2023-43770
Downloadable IOCs: 16

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16
Published: May 16, 2025
Downloadable IOCs: 45

Security Incident Response Team

A critical vulnerability in various Fortinet products allows remote attackers to execute arbitrary code via crafted HTTP requests. Observed exploitation on FortiVoice involved network scanning, erasing system logs, and enabling fcgi debugging to capture credentials. Affected products include FortiV…
credential theft
remote code execution
buffer overflow
network scanning
2025-05-14
fortivoice
CVE-2025-32756
fortindr
forticamera
fortimail
log manipulation
fortirecorder
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-32756
Downloadable IOCs: 6

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promi…
xworm
python
infostealer
worm
credential theft
remote access
ai
morphisec
facebook
2025-05-12
word document
noodlophile
capcutloader
video dream
Published: May 12, 2025
Downloadable IOCs: 32

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered …
phishing
powershell
credential theft
clickfix
2025-05-07
spica
document theft
lostkeys
ngos
Published: May 7, 2025
Downloadable IOCs: 0

CoGUI Phish Kit Targets Japan with Millions of Messages

A sophisticated phishing kit named CoGUI is targeting Japanese organizations with high-volume campaigns, primarily impersonating consumer and finance brands to steal credentials and payment data. The kit employs advanced evasion techniques like geofencing and fingerprinting to avoid detection. Sinc…
phishing
credential theft
brand impersonation
2025-05-06
darcula
cogui
Published: May 6, 2025
Downloadable IOCs: 7

TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered

Insikt Group has discovered two new malware families, TerraStealerV2 and TerraLogger, linked to the financially motivated threat actor Golden Chickens. TerraStealerV2 is designed to steal browser credentials, cryptocurrency wallet data, and browser extension information, while TerraLogger functions…
stealer
credential theft
malware-as-a-service
keylogger
revc2
venomlnk
2025-05-01
terraloader
terrastealerv2
terralogger
browser data
Published: May 1, 2025
Downloadable IOCs: 39

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…
phishing
social engineering
credential theft
remote access
connectwise rat
2025-04-08
office365
file-sharing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory
Published: April 28, 2025
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472
Downloadable IOCs: 1

A new version of Triada spreads embedded in the firmware of Android devices

Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the …
android
cryptocurrency
trojan
credential theft
triada
sms interception
firmware
reverse proxy
2025-04-25
Published: April 25, 2025
Downloadable IOCs: 0

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…
phishing
social engineering
credential theft
information stealer
sectoprat
2025-04-15
pdf converter
arechclient2
Published: April 15, 2025
Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…
phishing
social engineering
malware distribution
credential theft
infostealers
email attachments
2025-04-10
downloaders
html scripts
document exploits
compressed files
Published: April 10, 2025
Downloadable IOCs: 0

Sapphire Werewolf refines Amethyst stealer to attack energy companies

The Sapphire Werewolf cluster has upgraded its toolkit with a new version of the Amethyst stealer, targeting energy companies through phishing emails. The enhanced malware features advanced checks for virtualized environments and uses Triple DES for string encryption. The attack involves distributi…
phishing
credential theft
2025-04-09
amethyst stealer
virtualization detection
Published: April 9, 2025
Downloadable IOCs: 0

Proactive ClickFix Threat Hunting with Hunt.io

ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake…
powershell
cryptbot
lumma stealer
credential theft
clickfix
captcha
information stealers
malware delivery
threat hunting
browser-based attacks
2025-04-04
clipboard hijacking
Published: April 4, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

TsarBot Trojan Hits 750+ Banking & Crypto Apps!

A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Servi…
phishing
android
credential theft
banking trojan
keylogging
sms interception
on-device fraud
2025-04-01
websocket
screen recording
tsarbot
overlay attack
Published: April 1, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention

SnakeKeylogger is a highly active credential-stealing malware targeting individuals and businesses. It employs a multi-stage infection chain, starting with malicious spam emails containing .img files. The malware uses sophisticated techniques like process hollowing and obfuscation to evade detectio…
obfuscation
credential-theft
process-hollowing
multi-stage
snakekeylogger
info-stealer
2025-03-25
spam-email
apache-server
Published: March 25, 2025
Downloadable IOCs: 2

New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players

A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identi…
phishing
credential theft
gaming
2025-03-25
steam
counter-strike 2
browser-in-the-browser
esports
Published: March 25, 2025
Downloadable IOCs: 8

Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder

A sophisticated phishing campaign targeting Meta Business accounts has been uncovered by the Cofense Phishing Defense Center. The attack begins with a fake Instagram alert claiming the user's ads are suspended due to policy violations. Victims are directed to a fraudulent page mimicking Meta's busi…
phishing
credential theft
meta
social media
two-factor authentication
instagram
2025-03-21
chat support
business accounts
Published: March 21, 2025
Linked vulnerabilities : CVE-2025-24071 (CVSS 7.5)
Downloadable IOCs: 5

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credenti…
persistence
credential theft
cryptocurrency theft
command and control
remote access trojan
2025-03-17
stilachirat
system reconnaissance
anti-forensics
rdp monitoring
Published: March 17, 2025
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 2

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, includin…
backdoor
ransomware
javascript
socgholish
credential theft
ransomhub
compromised websites
2025-03-14
keitaro tds
Published: March 14, 2025
Downloadable IOCs: 0

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, …
powershell
cobalt strike
persistence
credential theft
CVE-2024-4577
japan
2025-03-06
php-cgi
taowu
Published: March 6, 2025
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 3

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…
malvertising
infostealer
lumma stealer
credential theft
youtube
malspam
sectoprat
c2 infrastructure
2025-02-22
domain clusters
Published: February 22, 2025
Downloadable IOCs: 0

Evolving Snake Keylogger Variant

A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web brow…
credential theft
autoit
keylogging
snake keylogger
process hollowing
2025-02-20
fortisandbox
ai detection
404 keylogger
paix
Published: February 20, 2025
Downloadable IOCs: 3

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…
phishing
social engineering
credential theft
email spoofing
2025-02-18
payment fraud
fake login page
amazon prime
Published: February 18, 2025
Downloadable IOCs: 3

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…
backdoor
powershell
cryptocurrency
socgholish
credential theft
boinc
fakeupdates
netsupport rat
mintsloader
2025-02-17
web injection
ghostweaver
juniper stealer
Published: February 17, 2025
Downloadable IOCs: 14

FinStealer

A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion t…
sql injection
phishing
android
credential theft
banking
telegram
mobile
c2 servers
xor encryption
2025-02-17
finstealer
trojan.rewardsteal/joxpk
CVE-2011-2688
Published: February 17, 2025
Linked vulnerabilities : CVE-2011-2688
Downloadable IOCs: 5

The BadPilot campaign: Multiyear global access operation

A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tacti…
persistence
credential theft
CVE-2024-1709
CVE-2021-34473
vulnerability exploitation
CVE-2023-42793
CVE-2023-48788
initial access
2025-02-12
CVE-2023-23397
CVE-2023-32315
badpilot
russian state actor
global operation
localolive
CVE-2022-41352
remote management
shadowlink
Published: February 12, 2025
Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …
phishing
social engineering
lumma stealer
credential theft
vidar stealer
clickfix
captcha
deepseek
2025-02-11
Published: February 11, 2025
Downloadable IOCs: 7

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…
phishing
cryptocurrency
credential theft
scams
2025-02-06
deepseek
qr code scams
wallet drainers
fake websites
Published: February 6, 2025
Downloadable IOCs: 0

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…
phishing
social engineering
credential theft
email spoofing
sharepoint
2025-02-06
power bi
microsoft impersonation
Published: February 6, 2025
Downloadable IOCs: 0

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments
Published: February 5, 2025
Downloadable IOCs: 0

Blast from the Past

A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing …
phishing
stealer
persistence
credential theft
data exfiltration
russian
maas
nova
snakelogger
2025-02-05
organizations
Published: February 5, 2025
Downloadable IOCs: 1

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains…
apt
phishing
credential theft
taiwan
spoofed domains
2025-02-05
fake download pages
163.com
netease
Published: February 5, 2025
Downloadable IOCs: 9

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

NOVA: blast from the past

A large-scale campaign targeting Russian organizations across various industries has been uncovered. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed under the Malware-as-a-Service model, steals cr…
phishing
credential-theft
stealer
persistence
maas
nova
2025-02-04
snakelogger
Published: February 4, 2025
Downloadable IOCs: 1

Microsoft advertisers phished via malicious Google ads

Malicious actors are targeting Microsoft advertisers through fraudulent Google ads, aiming to steal login credentials for Microsoft's advertising platform. The campaign involves sophisticated techniques like cloaking, Cloudflare challenges, and redirection chains to evade detection. Phishing pages …
phishing
credential theft
google ads
2025-01-31
Published: January 31, 2025
Downloadable IOCs: 101

Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns

Threat actors are exploiting vulnerabilities in government websites, particularly .gov domains, to conduct phishing campaigns. The abuse primarily involves using open redirects to bypass secure email gateways and lead victims to credential phishing pages. A significant portion of these exploits may…
phishing
credential theft
email security
2025-01-29
stormkitty
agent tesla keylogger
CVE-2024-25608
open redirects
.gov domains
liferay
government websites
Published: January 29, 2025
Linked vulnerabilities : CVE-2024-25608
Downloadable IOCs: 4

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

Hidden in Plain Sight: PDF Mishing Attack

A sophisticated phishing campaign targeting mobile devices has been discovered, impersonating the United States Postal Service (USPS). The campaign uses a novel obfuscation technique in PDF files to hide malicious links, making detection difficult for many security solutions. The attack exploits us…
phishing
credential theft
pdf
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 654

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

Chinese Malware Delivery Websites

A cluster of over 400 domains have been registered since June 2024 to host spoofed websites delivering malware to Chinese-speaking users. The sites imitate popular applications like web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, RemKos RAT, …
apt
credential theft
redline
gh0strat
valleyrat
lummastealer
malware delivery
2025-01-16
farfli
remote access trojans
chinese-speaking users
remkos rat
spoofed websites
hack-for-hire
Published: January 16, 2025
Downloadable IOCs: 526

Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation

A new zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances has been exploited since mid-December 2024. The vulnerability allows unauthenticated remote code execution. Attackers have deployed multiple malware families, including SPAWN, DRYHOOK, and PHASEJAM, to maintain per…
credential theft
ivanti
vpn
2025-01-09
phasejam
dryhook
spawnsloth
spawnant
Published: January 9, 2025
Linked vulnerabilities : CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-21887, CVE-2023-46805
Downloadable IOCs: 7

Araneida Scanner: Cracked Acunetix Web App & API Scanner Discovered

Silent Push Threat Analysts have uncovered the Araneida Scanner, a cracked version of Acunetix being used for illegal purposes. The scanner is employed for offensive reconnaissance, user data scraping, and vulnerability exploitation. It was detected during a partner's reconnaissance effort, prompti…
credential theft
reconnaissance
telegram
2024-12-20
araneida scanner
web vulnerability
data scraping
cracked acunetix
Published: December 20, 2024
Downloadable IOCs: 13

Attackers exploiting a FortiClient EMS vulnerability in the wild

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like…
screenconnect
sql injection
forticlient ems
anydesk
credential theft
remote access
lateral movement
mimikatz
CVE-2023-48788
2024-12-19
Published: December 19, 2024
Downloadable IOCs: 0

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …
phishing
social engineering
credential theft
2024-12-11
account takeover
email security
Published: December 11, 2024
Downloadable IOCs: 4

Analyzing threat actor Kimsuky email phishing campaign

The report provides an in-depth analysis of the email phishing campaigns conducted by the Kimsuky threat actor group. It highlights their tactics of using diverse themes and subjects to pique the curiosity of recipients, targeting researchers and individuals related to North Korean affairs in an at…
phishing
north korea
impersonation
credential theft
2024-12-04
malwareless
Published: December 4, 2024
Downloadable IOCs: 24

SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Threat actors are exploiting old Microsoft Office vulnerabilities using SmokeLoader, a modular malware loader, to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, utilizing CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malic…
phishing
plugins
credential theft
smokeloader
CVE-2017-0199
CVE-2017-11882
taiwan
modular malware
2024-12-03
microsoft office
vulnerabilities
andeloader
Published: December 3, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 28

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Spot the Difference: New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella

Earth Kasha, a threat group targeting Japan since 2019, has launched a new campaign with significant updates to their tactics and arsenals. The group has expanded its targets to include Taiwan and India, focusing on advanced technology organizations and government agencies. They now exploit public-…
backdoor
apt
cobalt strike
credential theft
lodeinfo
noopdoor
CVE-2023-27997
china-nexus
2024-11-19
mirrorstealer
CVE-2023-45727
CVE-2023-28461
Published: November 19, 2024
Linked vulnerabilities : CVE-2023-3519, CVE-2023-27997, CVE-2023-45727, CVE-2023-28461, CVE-2013-3900, CVE-2023-3467, CVE-2023-3466
Downloadable IOCs: 7

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-41773, CVE-2018-15133, CVE-2017-9841, CVE-2022-1040, CVE-2021-41277, CVE-2018-10562, CVE-2014-2120, CVE-2021-26086, CVE-2024-36401, CVE-2022-21587, CVE-2018-10561, CVE-2023-1389
Downloadable IOCs: 10

Malware Steals Account Credentials

A malicious script targeting e-commerce sites, particularly Magento, has been discovered. The script, found in the dataPost.js file, is heavily obfuscated and designed to steal customer account credentials and admin login details. It waits for login actions to trigger, then scrapes data entered int…
obfuscation
credential theft
magento
e-commerce
2024-11-09
account hijacking
admin access
Published: November 9, 2024
Downloadable IOCs: 0

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…
malvertising
powershell
infostealer
persistence
electron
credential theft
sys01
meta
social media
2024-11-04
Published: November 4, 2024
Downloadable IOCs: 26

Booking.com Phishers May Leave You With Reservations

A recent spear-phishing campaign targeted a California hotel after its Booking.com credentials were stolen. The scam involved sending targeted messages within the Booking mobile app, claiming additional information was required for anti-fraud purposes. Booking.com confirmed a security incident affe…
phishing
credential theft
cybercrime
2024-11-02
2fa
hospitality
booking.com
travel
Published: November 2, 2024
Downloadable IOCs: 0

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domai…
phishing
apple
credential theft
dprk
infrastructure analysis
domain spoofing
2024-10-30
naver
tls certificates
Published: October 30, 2024
Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…
phishing
social engineering
credential theft
microsoft
domain abuse
2024-10-30
atlassian
docusign
confluence
Published: October 30, 2024
Downloadable IOCs: 2

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass
Published: October 26, 2024
Downloadable IOCs: 0

Unmasking Prometei: A Deep Dive Into MXDR Findings

This analysis examines the Prometei botnet's infiltration of a customer's system through a targeted brute force attack. Leveraging Trend Vision One, the investigation traced the botnet's detailed installation routine and stealthy tactics. Prometei, a modular malware family used for cryptocurrency m…
botnet
credential theft
lateral movement
dga
web shell
tor
cryptocurrency mining
2024-10-23
prometei
CVE-2021-27065
CVE-2021-26858
CVE-2019-0708
Published: October 23, 2024
Downloadable IOCs: 0

Grandoreiro banking trojan: overview of recent versions and new tricks

Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Gen…
credential theft
remote access
grandoreiro
banking trojan
brazil
evasion techniques
2024-10-22
financial malware
global threat
Published: October 22, 2024
Downloadable IOCs: 0

Over 10 Million Personal And Corporate Devices Infected By Information Stealers

A significant increase in data-stealing malware infections has been observed, with nearly 10 million devices compromised in 2023, marking a 643% rise over three years. Cybercriminals are using sophisticated distribution methods, including malvertising and YouTube comment spam. On average, 50.9 logi…
data theft
credential theft
redline
cybercrime
vidar
malware-as-a-service
lumma
amos
information stealers
2024-10-22
raccoon
vidar/acr
kral stealer
Published: October 22, 2024
Downloadable IOCs: 0

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security…
persistence
malicious scripts
credential theft
cryptomining
CVE-2017-0144
lemonduck
2024-10-14
network manipulation
Published: October 14, 2024
Linked vulnerabilities : CVE-2017-0144, CVE-2023-46865
Downloadable IOCs: 8

Advanced Cyberattacks Against UAE and Gulf Regions

Earth Simnavaz, also known as APT34 and OilRig, has been actively targeting governmental entities in the UAE and Gulf region. The group employs sophisticated tactics, including a backdoor that exploits Microsoft Exchange servers for credential theft and the use of CVE-2024-30088 for privilege escal…
cyber espionage
credential theft
oilrig
CVE-2024-30088
privilege escalation
microsoft exchange
2024-10-14
apt34
stealhook
iis malware
gulf region
uae
Published: October 14, 2024
Linked vulnerabilities : CVE-2024-30088 (CVSS 7.0)
Downloadable IOCs: 17

Threat actor believed to be spreading new MedusaLocker variant since 2022

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly know…
iab
ransomware
credential theft
lateral movement
financially motivated
2024-10-04
babylockerkz
medusalocker
Published: October 4, 2024
Downloadable IOCs: 11

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…
phishing
social engineering
impersonation
iran
credential theft
2024-09-30
two-factor authentication
political campaigns
Published: September 30, 2024
Downloadable IOCs: 65

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz

Unit42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host o…
phishing
phaas
credential theft
2024-09-25
victim tracking
sniper dz
Published: September 25, 2024
Downloadable IOCs: 7

Phishing Pages Delivered Through Refresh HTTP Response Header

Unit 42 researchers observed large-scale phishing campaigns in 2024 using a refresh entry in the HTTP response header. This technique, unlike traditional HTML-based phishing, occurs before HTML content processing and automatically refreshes webpages without user interaction. Attackers distribute ma…
phishing
credential theft
2024-09-18
http header
business email compromise
Published: September 18, 2024
Downloadable IOCs: 7

Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics

From February to July 2024, an analysis of over 500 popular domains revealed more than 10,000 malicious lookalike domains employing typosquatting and brand impersonation techniques. Google, Microsoft, and Amazon were the most targeted brands, accounting for nearly 75% of phishing domains. Almost ha…
phishing
typosquatting
credential theft
scams
domain abuse
2024-09-12
brand impersonation
certificate abuse
Published: September 12, 2024
Downloadable IOCs: 10

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google …
phishing
remcosrat
asyncrat
credential theft
banking trojan
quasarrat
2024-09-05
blotchyquasar
Published: September 5, 2024
Downloadable IOCs: 16

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names s…
ransomware
state-sponsored
credential-theft
blackcat
alphv
CVE-2024-3400
iran
CVE-2024-21887
CVE-2024-24919
noberus
2024-08-28
webshells
CVE-2022-1388
CVE-2023-3519
noescape
ransomhouse
CVE-2019-19781
Published: August 28, 2024
Downloadable IOCs: 33

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …
phishing
social engineering
iran
credential theft
2024-08-26
election targeting
ycollection
lcollection
dwp
gcollection
Published: August 26, 2024
Downloadable IOCs: 38

Ailurophile: G DATA has sighted a new info stealer in the wild

G DATA has detected a novel information-stealing malware, dubbed 'Ailurophile Stealer'. It is a PHP-based stealer offered through a subscription model on its dedicated website. Customers utilize a web panel to generate customized malware variants, specifying features such as the malware name, icon,…
infostealer
stealer
exfiltration
credential theft
2024-08-19
cryptocurrency theft
ailurophile stealer
Published: August 19, 2024
Downloadable IOCs: 2

CheckMesh: Hidden Threats in Your FW

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the atta…
credential theft
lateral movement
2024-08-05
meshagent
encrypted communication
advanced persistent threat
firewall compromise
Published: August 5, 2024
Downloadable IOCs: 9

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…
apt
cobalt strike
credential theft
cobaltstrike
shadowpad
data exfiltration
2024-08-02
poisonplug.shadow
CVE-2018-0824
unmarshalpwn
Published: August 2, 2024
Linked vulnerabilities : CVE-2018-0824
Downloadable IOCs: 13

Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft

An examination of how threat actors hijack social media pages, rename them to resemble legitimate AI photo editors, and post malicious links to fake websites promoted through paid ads. The links trick users into installing endpoint management software, allowing the execution of credential stealers …
phishing
credential theft
lumma
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 73

Who You Gonna Call? AndroxGh0st Busters!

This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
python
botnet
credential theft
2024-07-17
androxgh0st
CVE-2021-41773
rce exploitation
CVE-2017-9841
web exploitation
CVE-2018-15133
Published: July 17, 2024
Linked vulnerabilities : CVE-2021-41773, CVE-2018-15133, CVE-2017-9841
Downloadable IOCs: 7

The Hidden Danger of PDF Files with Embedded QR Codes

The report describes how malware authors are abusing PDF files with embedded QR codes to deceive users into visiting malicious phishing URLs disguised as legitimate services. The QR codes redirect users to fake Microsoft login pages designed to harvest credentials and potentially gain unauthorized …
phishing
credential theft
2024-07-05
pdf files
qr codes
malicious urls
Published: July 5, 2024
Downloadable IOCs: 1

Mekotio Banking Trojan Threatens Financial Systems in Latin America

The Mekotio banking trojan, active since 2015, primarily targets Latin American countries to steal sensitive banking credentials through phishing emails containing malicious links or attachments. Upon execution, it gathers system information, connects to a command-and-control server, and performs c…
credential theft
banking trojan
2024-07-04
mekotio
Published: July 4, 2024
Downloadable IOCs: 15

ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
phishing
credential theft
cybercrime
2024-07-02
onnx store
qrcode
caffeine
fintech
Published: July 2, 2024
Downloadable IOCs: 25

Kimsuky Deploys TRANSLATEXT Chrome Extension

In March 2024, the cybersecurity firm Zscaler observed a new activity from Kimsuky, a North Korean state-sponsored hacker group. They employed a malicious Google Chrome extension named 'TRANSLATEXT' specifically crafted to steal email addresses, usernames, passwords, cookies, and capture browser sc…
malware
north korea
cyber espionage
credential theft
2024-06-28
chrome extension
Published: June 28, 2024
Downloadable IOCs: 10

Sustained Campaign Using Chinese Espionage Tools Targets Telcos

Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
backdoor
espionage
credential theft
keylogger
2024-06-20
coolclient
quickheal
rainyday
telecommunications
responder
Published: June 20, 2024
Downloadable IOCs: 47

Analysis of Attack Case Installing VPN on Korean ERP Server

This analysis examines an attack where a threat actor compromised a Korean company's ERP server, initially accessing it through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of a comma…
sql injection
credential theft
remote access
2024-06-17
vpn
erp
softether vpn
Published: June 17, 2024
Downloadable IOCs: 11

Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling

Netskope Threat Labs has been tracking an increase in phishing campaigns hosted on Cloudflare Workers. The campaigns use techniques like HTML smuggling and transparent phishing to evade detections. The phishing pages target Microsoft and Google credentials. Netskope recommends inspecting web traffi…
phishing
credential theft
2024-05-28
html smuggling
cloudflare workers
Published: May 28, 2024
Downloadable IOCs: 134

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…
phishing
social engineering
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
telecom targeting
lookalike domains
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-22024
Downloadable IOCs: 118

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34
Click here to see more Attack Reports