Tag: phishing

421 Attack Reports | 0 Vulnerabilities

Attack reports

DNS Uncovers Infrastructure Used in SSO Attacks

The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, …
phishing
aitm
reverse proxy
evilginx
2025-12-03
tinyurl
mitm
sso
Published: December 3, 2025
Downloadable IOCs: 82

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…
phishing
social engineering
infostealer
credential theft
reconnaissance
microsoft teams
2025-12-03
quick assist
Published: December 3, 2025
Downloadable IOCs: 1

Salty2FA & Tycoon2FA: Hybrid Phishing Threat

A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between distinct phishing kits. Analysis reveals a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid shows signs of Salty2…
phishing
2fa
detection
tycoon2fa
salty2fa
attribution
2025-12-02
Published: December 2, 2025
Downloadable IOCs: 5

Over 2,000 Holiday-Themed Fake Stores Detected Exploiting Black Friday and Festive Sales

Two clusters of holiday-themed fake online stores have been identified ahead of Black Friday and other festive sales. The first cluster includes over 750 interconnected sites using uniform holiday banners and misleading trust indicators, many impersonating Amazon. The second cluster spans a .shop e…
phishing
social engineering
typosquatting
financial data theft
2025-11-27
fake online stores
holiday shopping fraud
black friday scams
e-commerce impersonation
Published: November 27, 2025
Downloadable IOCs: 0

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…
phishing
windows
infostealer
credential theft
autoit
nsis
lumma
maas
process hollowing
2025-11-27
Published: November 27, 2025
Downloadable IOCs: 7

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves sub…
phishing
typosquatting
credential harvesting
remote access trojans
2025-11-27
customer service
saas platforms
zendesk
Published: November 27, 2025
Downloadable IOCs: 0

Care that you share

This newsletter emphasizes the importance of thoughtful information sharing, especially during busy holiday periods. It highlights the risks of unintentional data leaks and increased phishing attempts during peak shopping seasons. The author recounts a positive experience sharing knowledge with uni…
phishing
2025-11-26
holiday security
student engagement
clamav
information sharing
teamwork
signature database
Published: November 26, 2025
Downloadable IOCs: 0

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…
phishing
social engineering
powershell
lumma stealer
netsupport rat
lnk files
russian targets
2025-11-26
infrastructure reuse
finger protocol
Published: November 26, 2025
Downloadable IOCs: 50

Brazilian Campaign: Spreading the Malware via WhatsApp

A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source automation script and loading a banking trojan into memory. The attack begins with a phishing email containing a malicious VBS script that downloads and executes an MSI file and another VBS f…
phishing
whatsapp
autoit
banking trojan
brazil
in-memory execution
selenium
sorvepotel
2025-11-24
water-saci
Published: November 24, 2025
Downloadable IOCs: 5

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…
phishing
north korea
babyshark
powershell
credential theft
keylogging
data exfiltration
spear-phishing
browser credentials
kimjongrat
2025-11-24
pe executable
Published: November 24, 2025
Downloadable IOCs: 13

APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

An internal leak from APT35 (Charming Kitten) reveals a sophisticated, state-directed cyber-intelligence operation targeting diplomatic, government, and corporate networks in the Middle East and Asia. The documents expose a bureaucratic structure with defined workflows, performance metrics, and spe…
phishing
iran
cyberespionage
proxyshell
middle east
intelligence collection
exchange
2025-11-22
irgc
herv phishing kit
powershort
rat-2ac2
Published: November 22, 2025
Downloadable IOCs: 1

APT24 Pivot to Multi-Vector Attacks

APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They comprom…
obfuscation
phishing
supply chain
cobalt strike
china
cobalt strike beacon
cyber espionage
2025-11-20
badaudio
strategic web compromise
Published: November 20, 2025
Downloadable IOCs: 0

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL,…
espionage
phishing
defense
lateral movement
privilege escalation
aerospace
custom malware
minibike
2025-11-18
dcsyncer.slick
third-party compromise
sightgrab
trusttrap
lightrail
deeproot
crashpad
twostroke
pollblend
ghostline
Published: November 18, 2025
Downloadable IOCs: 16

How AI Is Fueling a New Wave of Black Friday Scams

AI tools are enabling cybercriminals to create sophisticated Black Friday scams, including realistic phishing emails, cloned websites, and fake social media ads. Common tactics involve impersonating trusted brands like Amazon and Temu, offering unrealistic discounts on luxury goods, and exploiting …
phishing
social engineering
ai
cybersecurity
scams
e-commerce
black friday
2025-11-15
luxury goods
Published: November 15, 2025
Downloadable IOCs: 15

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

A cryptostealer for macOS utilizes a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, uses screen sessions for background execution, and employs a LaunchAgent for persistence. It exfiltrates crypto wallet data, colle…
phishing
persistence
macos
bash
modular
2025-11-14
cryptostealer
novastealer
wallet-targeting
Published: November 14, 2025
Downloadable IOCs: 7

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organization…
phishing
social engineering
cryptocurrency
scams
domain spoofing
2025-11-14
fake charities
hurricane
disaster relief
Published: November 14, 2025
Downloadable IOCs: 16

Thousands of Fake Hotel Domains Used in Massive Phishing Campaign

A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use c…
phishing
malspam
domain registration
2025-11-11
Published: November 11, 2025
Downloadable IOCs: 4135

Booking.com Phishing Campaign Targeting Hotels and Customers

A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduc…
phishing
social engineering
cybercrime
clickfix
hospitality
booking.com
purerat
2025-11-07
Published: November 7, 2025
Downloadable IOCs: 100

Cavalry Werewolf hacker group attacks Russian state institutions

A Russian government organization was targeted by the Cavalry Werewolf hacker group, aiming to collect confidential information and network data. The attack began with phishing emails containing malware disguised as documents. The group utilized various tools including backdoors, trojans, and modif…
phishing
data theft
backdoors
network infiltration
russian government
reverse-shell
open-source tools
2025-11-07
trojan.packed2.49708
telegram api
backdoor.shellnet.2
backdoor.reverseshell.10
backdoor.tunnel.41
trojan.inject5.57968
bat.downloader.1138
trojan.siggen31.54011
backdoor.shellnet.1
trojan.filespynet.5
backdoor.reverseproxy.1
backdoor.rshell.169
backdoor.siggen2.5463
trojan.packed2.49862
Published: November 7, 2025
Downloadable IOCs: 27

Crossed wires: a case study of Iranian espionage and attribution

This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Managemen…
espionage
phishing
credential harvesting
iranian threat actor
2025-11-05
rmm tools
attribution challenges
isl online
minibike
overlapping ttps
policy experts targeting
minijunk
pdqconnect
Published: November 5, 2025
Downloadable IOCs: 55

Remote access, real cargo: cybercriminals targeting trucking and logistics

Cybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use their access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) …
screenconnect
phishing
social engineering
supply chain
lumma stealer
cybercrime
danabot
netsupport
stealc
simplehelp
fleetdeck
n-able
pdq connect
logistics
2025-11-03
cargo theft
logmein resolve
trucking
remote monitoring tools
Published: November 3, 2025
Downloadable IOCs: 39

LATAM baited into the delivery of PureHVNC

Between August and October 2025, a phishing campaign targeted Colombian users with emails impersonating the Attorney General's office. The emails contained links to download a malicious file, initiating an infection chain using Hijackloader to deliver PureHVNC Remote Access Trojan (RAT). The campai…
phishing
hijackloader
purehvnc
2025-10-31
Published: October 31, 2025
Downloadable IOCs: 30

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…
phishing
ransomware
lockbit
credential theft
cloud abuse
lockbit 5.0
2025-10-29
tykit
clickup
google careers
figma
Published: October 29, 2025
Downloadable IOCs: 10

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages

An extensive smishing campaign attributed to the Smishing Triad is targeting global users with fraudulent toll violation and package misdelivery notices. The operation has expanded beyond the U.S., impersonating international services across critical sectors like banking, healthcare, and law enforc…
phishing
phaas
smishing
2025-10-24
Published: October 24, 2025
Downloadable IOCs: 35

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

The Jingle Thief campaign, conducted by financially motivated threat actors from Morocco, targets global enterprises in retail and consumer services sectors to execute gift card fraud. Using phishing and smishing tactics, the attackers gain access to Microsoft 365 environments, exploiting cloud ser…
phishing
smishing
microsoft 365
2025-10-22
identity-based threats
cloud-based attacks
gift card fraud
Published: October 22, 2025
Downloadable IOCs: 0

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …
rat
phishing
infostealer
macos
remote access
clickfix
deerstealer
captcha
odyssey
2025-10-10
clipboard
iuam
clickfix generator
Published: October 10, 2025
Downloadable IOCs: 59

ClayRat: A New Android Spyware Targeting Russia

ClayRat is a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, it masquerades as popular apps to lure victims. The spyware can exfiltrate SMS messages, call logs, notifications, and device information, as well as t…
phishing
spyware
2025-10-10
sms
clayrat
Published: October 10, 2025
Downloadable IOCs: 857

The Evolution of Qilin RaaS

Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of…
phishing
ransomware
bitcoin
qilin
ryuk
raas
tor
supply chain attack
nova
2025-10-08
onion
fin12
alphvblackcat
kela
agenda
wikileaks
Published: October 8, 2025
Downloadable IOCs: 5

APT Meets GPT: Targeted Operations with Untamed LLMs

Over the course of three months, Volexity observed UTA0388 using various themes and fictional identities across dozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and send emails in a variety of different languages, including English, Chinese, Japa…
phishing
powershell
persistence
zip
websocket
rar
2025-10-08
uta0388
govershell
llms
randomdir8char
govershell c2
archive file
Published: October 8, 2025
Downloadable IOCs: 41

XWorm V6: Exploring Pivotal Plugins

Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which depl…
xworm
rat
phishing
powershell
javascript
remote desktop
amsi bypass
2025-10-06
file manager
Published: October 6, 2025
Downloadable IOCs: 22

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…
malware
loader
phishing
whatsapp
powershell
persistence
brazil
c server
lnk file
telegram
format
2025-10-06
whatsapp web
water saci
bradesco
brazilian
turn
watsonclient
sorvepotel
Published: October 6, 2025
Downloadable IOCs: 23

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…
malware
loader
phishing
whatsapp
powershell
persistence
brazil
c server
lnk file
telegram
format
2025-10-06
whatsapp web
water saci
bradesco
brazilian
turn
watsonclient
sorvepotel
Published: October 6, 2025
Downloadable IOCs: 0

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…
apt
phishing
government
credential harvesting
south asia
military
2025-10-06
Published: October 6, 2025
Downloadable IOCs: 0

New spyware campaigns target privacy-conscious Android users in the UAE

Two Android spyware campaigns, ProSpy and ToSpy, have been discovered targeting users in the United Arab Emirates. These campaigns impersonate secure messaging apps like Signal and ToTok, distributing malware through deceptive websites and social engineering tactics. Once installed, the spyware exf…
phishing
android
persistence
spyware
data exfiltration
uae
signal
2025-10-02
android/spy.tospy
totok
app impersonation
android/spy.prospy
Published: October 2, 2025
Downloadable IOCs: 30

Werewolf raids Russia's public sector with trusted relationship attacks

Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malwa…
rat
phishing
russia
government
asyncrat
mining
telegram
reverse shell
manufacturing
kyrgyzstan
2025-10-02
energy
foalshell
stallionrat
Published: October 2, 2025
Downloadable IOCs: 0

Silent Smishing: The Hidden Abuse of Cellular Router APIs

This report analyzes a smishing campaign exploiting vulnerabilities in Milesight Industrial Cellular Routers to send malicious SMS messages. The attackers targeted primarily Belgian users by impersonating government services like CSAM and eBox. Over 18,000 vulnerable routers were identified globall…
phishing
vulnerability
smishing
api exploitation
2025-10-01
belgium
csam
cellular routers
ebox
CVE-2023-43261
Published: October 1, 2025
Linked vulnerabilities : CVE-2023-43261
Downloadable IOCs: 245

Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

An analysis of robots.txt files revealed over 60 cryptocurrency phishing pages impersonating hardware wallet brands Trezor and Ledger. The actor behind these pages attempted to block phishing reporting sites by including their endpoints in the robots.txt file, demonstrating a misunderstanding of it…
phishing
cryptocurrency
github
2025-09-30
hardware wallets
cloudflare pages
robots.txt
Published: September 30, 2025
Downloadable IOCs: 2

XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis

This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload. This payload is a .NET binary that reflectively loa…
obfuscation
xworm
rat
phishing
steganography
shellcode
.net
multi-stage attack
reflective dll injection
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 8

Threat Hunting on potential APT35 Servers

The article discusses the discovery of two servers sharing similarities with those reported by Check Point on APT35, an Iranian threat group. The servers are active and resolve multiple domains used for phishing purposes. The analysis focuses on the HTML page displayed on some domains, which contai…
phishing
typosquatting
threat hunting
infrastructure tracking
2025-09-27
iranian apt
video conferencing
Published: September 27, 2025
Downloadable IOCs: 0

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware …
phishing
data theft
ukraine
cryptomining
fileless
chm
svg
amatera stealer
pureminer
countloader
2025-09-26
hta loader
Published: September 26, 2025
Downloadable IOCs: 0

IOCs for phishing campaign using BitM pages

This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific…
phishing
2025-09-26
browser-in-the-middle
bitm
Published: September 26, 2025
Downloadable IOCs: 208

GUNRA RANSOMWARE: What You Don't Know!

Gunra Ransomware is a double extortion group targeting global victims, excluding the US. They primarily attack Windows systems, recently expanding to Linux. The group uses phishing as their main vector and negotiates through a WhatsApp-themed chat panel. They can encrypt large files quickly using a…
linux
phishing
ransomware
windows
encryption
lumma stealer
double extortion
data leak site
2025-09-24
negotiation
gunra ransomware
donot loader
Published: September 24, 2025
Downloadable IOCs: 0

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campa…
obfuscation
screenconnect
phishing
persistence
asyncrat
remote access trojan
c2 infrastructure
open directories
CVE-2025-3935
powershell rat
2025-09-19
payload staging
Published: September 19, 2025
Downloadable IOCs: 0

Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer

A new phishing campaign is targeting crypto industry developers and influencers with fake interview requests impersonating the popular Empire podcast. Attackers pose as hosts, luring victims to fraudulent websites mimicking platforms like Streamyard and Huddle. These sites prompt users to download …
phishing
macos
crypto
amos stealer
2025-09-19
huddle
empire podcast
fake interviews
streamyard
Published: September 19, 2025
Downloadable IOCs: 7

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…
phishing
ransomware
powershell
ukraine
lumma stealer
malware loader
.net
cobaltstrike
jscript
purehvnc
evasion techniques
initial access broker
adaptixc2
2025-09-19
countloader
Published: September 19, 2025
Downloadable IOCs: 27

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…
phishing
supply chain
worm
javascript
credential harvesting
npm
self-replicating
shai-hulud
2025-09-18
Published: September 18, 2025
Downloadable IOCs: 1

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…
obfuscation
phishing
social engineering
infostealer
steganography
stealc
filefix
2025-09-16
multistage payload
Published: September 16, 2025
Downloadable IOCs: 17

A new RevengeHotels campaign targets Latin America

RevengeHotels, a threat group active since 2015, has launched a new campaign targeting the hospitality sector in Latin America. The group has evolved its tactics, now utilizing AI-generated code and the advanced VenomRAT malware. Their primary attack vector remains phishing emails with invoice them…
xworm
phishing
njrat
venomrat
quasarrat
stealth techniques
hospitality
latin america
revengerat
ai-generated code
2025-09-16
usb spreading
procc
888 rat
nanocorerat
desckvbrat
Published: September 16, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 0

August 2025 Trends Report on Phishing Emails

The analysis reveals that phishing was the predominant threat in email attachments during August 2025, accounting for 63% of cases. Threat actors employed HTML scripts to replicate legitimate login pages and promotional content, aiming to capture user credentials. The report highlights an increase …
malware
phishing
purecrypter
CVE-2017-11882
email attachments
2025-09-16
fakepage
script attachments
korean language
Published: September 16, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 4

Digital Frontlines: India Under Multi-Nation Hacktivist Attack

In July-August 2025, India faced a surge of cross-border cyberattacks combining data breaches, DDoS, defacement, phishing, and malware. Pakistani, Bangladeshi, Russian, Indonesian, and likely Chinese actors targeted Indian judicial, defense, and transport systems. High-impact incidents included jud…
phishing
cyberattacks
ddos
india
hacktivism
data breach
defacement
2025-09-15
cross-border
smss.exe
sysaid.exe
103.97.128.77#clientsetup.exe
fshost64.exe
svchost.exe
manc.exe
Published: September 15, 2025
Downloadable IOCs: 14

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It em…
obfuscation
phishing
powershell
infostealer
hijackloader
lumma
deerstealer
anti-vm
multi-stage
castleloader
2025-09-12
castlebot
nekostealer
Published: September 12, 2025
Downloadable IOCs: 14

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

In 2025, a significant surge in phishing attacks targeting major U.S. energy companies was observed. The campaign primarily focused on Chevron, ConocoPhillips, PBF Energy, and Phillips 66, utilizing sophisticated impersonation techniques. Attackers employed HTTrack-based cloning to replicate legiti…
phishing
rhadamanthys
credential harvesting
domain impersonation
investment scams
2025-09-12
energy sector
httrack
keitaro
website cloning
brand abuse
Published: September 12, 2025
Downloadable IOCs: 43

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …
obfuscation
xworm
rat
phishing
powershell
remcos
evasion techniques
bat scripts
svg
fileless execution
2025-09-11
Published: September 11, 2025
Downloadable IOCs: 2

Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

Axios user agent activity has surged by 241% from June to August 2025, outpacing other flagged user agents. Attacks combining Axios with Direct Send achieved a 70% success rate in recent campaigns, significantly higher than non-Axios campaigns. The combination exploits Direct Send's trusted nature …
phishing
credential theft
qr codes
automation
axios
api exploitation
direct send
2025-09-10
user agent
Published: September 10, 2025
Downloadable IOCs: 14

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

A sophisticated phishing campaign targeting Japanese users employs MostereRAT, a Remote Access Trojan that utilizes advanced evasion techniques. The attack chain involves multiple stages, including an Easy Programming Language (EPL) payload, security tool disabling, and mTLS-secured C2 communicatio…
phishing
anydesk
remote access
evasion techniques
2025-09-09
tightvnc
mostererat
epl
mtls
Published: September 9, 2025
Downloadable IOCs: 12

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

A data breach attributed to a North Korean-affiliated actor known as "Kim" has provided new insights into Kimsuky (APT43) tactics and infrastructure. The actor's operations focus on credential-based intrusions targeting South Korean and Taiwanese networks, utilizing Chinese-language tools and infra…
phishing
north korea
rootkit
south korea
credential theft
taiwan
ocr
2025-09-08
hybrid attribution
vmmisc.ko
gpki
Published: September 8, 2025
Downloadable IOCs: 11

From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

An AWS access key compromise led to a sophisticated SES abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES san…
phishing
cloud security
aws
sandbox escape
2025-09-04
email service
Published: September 4, 2025
Downloadable IOCs: 4

Tax refund scam targets Californians

The California Franchise Tax Board has issued a warning about a tax scam targeting taxpayers through text messages. The scam involves fraudulent links mimicking official FTB web pages to steal personal and banking information. The messages claim to be about approved tax refunds and request recipien…
phishing
2025-09-03
california
franchise tax board
text messages
tax refund scam
Published: September 3, 2025
Downloadable IOCs: 11

Sindoor Dropper: New Phishing Campaign

A sophisticated phishing campaign targeting Indian organizations has been uncovered, utilizing spear-phishing techniques reminiscent of Operation Sindoor. The campaign employs a Linux-focused infection method using weaponized .desktop files, a tactic previously associated with APT36. When executed,…
linux
obfuscation
phishing
meshagent
apt36
spear-phishing
2025-09-02
sindoor
Published: September 2, 2025
Downloadable IOCs: 14

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…
phishing
social engineering
windows
macos
node.js
clickfix
beavertail
invisibleferret
2025-09-01
apt-q-1
Published: September 1, 2025
Downloadable IOCs: 18

ZipLine Phishing Campaign Targets U.S. Manufacturing

A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legit…
phishing
dns tunneling
manufacturing
2025-08-27
zipline
mixshell
Published: August 27, 2025
Downloadable IOCs: 32

UNC Cluster Targeting South Asian Countries

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login p…
phishing
credential theft
remote access
rafel rat
information stealer
android malware
2025-08-27
military targets
south asian apt
Published: August 27, 2025
Downloadable IOCs: 0

Virtual Infrastructure Abuse leads to SaaS Hijacks

This analysis examines a series of coordinated SaaS account compromises across multiple customer environments, involving suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. The attackers leveraged virtual private ser…
phishing
session hijacking
2025-08-27
hyonix
inbox rules
saas compromise
vps abuse
Published: August 27, 2025
Downloadable IOCs: 0

The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN's Legacy to Target Indonesian Senior Citizens

A sophisticated mobile malware campaign is targeting Indonesian pensioners by impersonating TASPEN, the state pension fund. The attackers use a phishing website to distribute a malicious Android app that steals banking credentials, intercepts SMS messages for OTPs, and captures biometric data. The …
phishing
spyware
banking trojan
mobile malware
indonesia
senior citizens
2025-08-27
pension fund
taspen
Published: August 27, 2025
Downloadable IOCs: 7

Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

In August 2025, significant cyber attacks emerged, including a 7-stage Tycoon2FA phishing campaign targeting government, military, and financial institutions across the US, UK, Canada, and Europe. The attack uses multiple verification steps to evade security systems. A new ClickFix campaign deliver…
phishing
rhadamanthys stealer
clickfix
tycoon2fa
2025-08-26
salty2fa
Published: August 26, 2025
Downloadable IOCs: 27

Phishing Campaign Targeting Companies via UpCrypter

A sophisticated phishing campaign has been identified, utilizing carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages entice recipients to download JavaScript files that act as droppers for UpCrypter, a malware that ultimately deploys various remote ac…
obfuscation
phishing
persistence
anti-analysis
dcrat
purehvnc
remote access tools
anti-vm
global campaign
2025-08-26
upcrypter
babylon rat
Published: August 26, 2025
Downloadable IOCs: 29

Analyzing LAMEHUG

LAMEHUG, discovered on July 10, 2025, is the first known malware integrating large language model capabilities into its attack methodology. Attributed to APT28 (Fancy Bear) with moderate confidence, it targeted Ukrainian government officials through phishing emails containing malicious executables.…
phishing
apt28
ukraine
exfiltration
reconnaissance
llm
proof-of-concept
lamehug
2025-08-24
ai-generated commands
Published: August 24, 2025
Downloadable IOCs: 0

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure

A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fa…
phishing
data theft
macos
clickfix
c2 infrastructure
applescript
2025-08-22
cryptowallet
terminal commands
Published: August 22, 2025
Downloadable IOCs: 0

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

Cybercriminals Abuse AI Website Creation App For Phishing

Cybercriminals are exploiting an AI-powered website creation platform called Lovable to generate fraudulent websites for credential phishing and malware delivery. The threat actors create or clone sites impersonating well-known brands, use CAPTCHA for filtering, and post stolen credentials to Teleg…
phishing
cryptocurrency
credential theft
zgrat
malware delivery
doiloader
tycoon
2025-08-21
ai-generated websites
lovable platform
Published: August 21, 2025
Downloadable IOCs: 0

Paper Werewolf targets Russia with WinRAR zero-day vulnerability

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor used phishing emails impersonating Russian organizations, delivering malware through archive files. The attacks targeted Russian entities, ut…
phishing
zero-day
shellcode
c2
winrar
directory traversal
2025-08-20
rar
CVE-2025-6218
xpsrchvw74.exe
winrunapp.exe
Published: August 20, 2025
Downloadable IOCs: 0

Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations

Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by routing malicious messages through trusted infrastructure. This technique requires no credentials, only knowledge of the target domain and valid recipient …
phishing
credential theft
spoofing
microsoft 365
business email compromise
email security
2025-08-18
direct send
Published: August 18, 2025
Downloadable IOCs: 27

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

A new ransomware strain called 'Blue Locker' is targeting Pakistan's oil and gas sector, particularly affecting Pakistan Petroleum Limited. The National Cyber Emergency Response Team (NCERT) has issued warnings to 39 key ministries and institutions about this severe threat. The ransomware, which sh…
phishing
ransomware
pakistan
encryption
cybersecurity
2025-08-15
oil and gas
ncert
proton
shinra
blue locker
Published: August 15, 2025
Downloadable IOCs: 0

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…
phishing
social engineering
ransomware
encryption
bitcoin
keylogger
data exfiltration
2025-08-15
sap ariba
leeme ransomware
Published: August 15, 2025
Downloadable IOCs: 0

CastleLoader Analysis

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and Au…
phishing
powershell
malware loader
redline
autoit
hijackloader
c2
rats
stealc
github
netsupport rat
deerstealer
sectoprat
information stealers
2025-08-13
payload delivery
castleloader
u.s. government
Published: August 13, 2025
Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …
obfuscation
rat
phishing
social engineering
powershell
lateral movement
c2 communication
2025-08-11
israeli targets
powershell rat
Published: August 11, 2025
Downloadable IOCs: 0

Fake Tesla Websites Scams

A recent scam involves fake Tesla websites advertised through Google paid ads, targeting potential customers interested in preordering the Optimus robot. These fraudulent sites mimic Tesla's official website design and offer non-existent preorders for various Tesla products, including the Optimus r…
phishing
scam
google ads
fake websites
2025-08-10
tesla
Published: August 10, 2025
Downloadable IOCs: 0

Phishing Attack: Deploying Malware on Indian Defense BOSS Linux

APT36, a Pakistan-based threat actor, has launched a sophisticated cyber-espionage campaign targeting the Indian defense sector. The group has adapted its tactics to focus on Linux-based environments, particularly BOSS Linux, used by Indian government agencies. The attack involves phishing emails w…
phishing
transparent tribe
apt36
cyber-espionage
indian defense
2025-08-08
.desktop file
boss linux
elf binary
boss.elf
Published: August 8, 2025
Downloadable IOCs: 8

650 Attack Tools, One Coordinated Campaign

The GreedyBear attack group has launched a massive crypto theft operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Their tactics include Extension Hollowing to bypass marketplace security, distributing various malware families, …
malware
phishing
ransomware
lummastealer
browser extensions
crypto theft
2025-08-08
luca stealer
extension hollowing
scam websites
Published: August 8, 2025
Downloadable IOCs: 111

GenAI Used to Impersonate Brazil's Government Websites

Threat actors are leveraging generative AI tools like DeepSite AI and BlackBox AI to create phishing templates that closely mimic official Brazilian government websites, such as the State Department of Traffic and Ministry of Education. These malicious replicas are boosted in search results using S…
phishing
seo poisoning
brazil
government impersonation
2025-08-08
deepsite ai
blackbox ai
pix payment
generative ai
Published: August 8, 2025
Downloadable IOCs: 7

The Homograph Illusion: Not Everything Is As It Seems

Homograph attacks involve using non-Latin characters that visually resemble Latin characters to create words that appear legitimate but are actually different. This technique allows attackers to evade detection and analysis, crafting malicious emails that can lead to credential theft or malware inf…
phishing
social engineering
brand impersonation
email security
2025-08-08
character substitution
homograph attack
unicode
Published: August 8, 2025
Downloadable IOCs: 8

Unmasking the SVG Threat: How Hackers Use Vector Graphics for Phishing Attacks

Attackers are exploiting Scalable Vector Graphics (SVG) files to execute sophisticated phishing attacks. SVGs, typically used for scalable images, can contain embedded JavaScript that executes when opened in a browser. The attack chain involves sending SVG attachments via spear-phishing emails or c…
phishing
javascript
credential theft
captcha
svg
email attachments
2025-08-07
cloud storage
browser execution
Published: August 7, 2025
Downloadable IOCs: 2

Odyssey Stealer Malware Attacks macOS Users

A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript…
phishing
macos
credential theft
clickfix
applescript
odyssey stealer
2025-08-07
crypto wallet
Published: August 7, 2025
Downloadable IOCs: 3

Email-Delivered RMM: Abusing PDFs for Silent Initial Access

A targeted campaign has been observed since November 2024, primarily affecting organizations in France and Luxembourg. The attackers use socially engineered emails to deliver PDF documents containing embedded links to Remote Monitoring and Management (RMM) tool installers. This method bypasses many…
phishing
social engineering
rmm
pdf
initial access
france
2025-08-07
luxembourg
Published: August 7, 2025
Downloadable IOCs: 51

New Arsenal: LAMEHUG, the First AI-Powered Malware

APT28, a Russian threat group, has developed LAMEHUG, a Python-based malware that utilizes AI to generate and execute system commands. This malware, targeting Ukraine's security and defense sector, begins with a phishing email containing a malicious attachment. LAMEHUG employs the Qwen 2.5-Coder-32…
phishing
python
ukraine
reconnaissance
data exfiltration
2025-08-07
ai-powered malware
hugging face api
lamehug
Published: August 7, 2025
Downloadable IOCs: 0

A Phishing Campaign Targeting Indian Government Entities

A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass mult…
phishing
typosquatting
pakistan
india
defense
government
credential-harvesting
2025-08-03
kavach
otp
Published: August 3, 2025
Downloadable IOCs: 2

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chai…
phishing
aitm
credential theft
mfa bypass
microsoft 365
oauth
2025-08-01
application impersonation
tycoon
Published: August 1, 2025
Downloadable IOCs: 0

Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor

APT36, a Pakistan-linked threat group, has expanded its operations to target Indian government and civilian infrastructure, including railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing techniques and novel payload strategies, using .desktop files dis…
phishing
india
poseidon
infrastructure
government impersonation
2025-08-01
poseidon backdoor
mythic framework
desktop lures
Published: August 1, 2025
Downloadable IOCs: 36

RedHook: A New Android Banking Trojan Targeting Users In Vietnam

A sophisticated Android banking trojan named RedHook has been discovered targeting Vietnamese users through spoofed government and financial websites. The malware uses WebSocket to communicate with its command-and-control server and supports over 30 remote commands, enabling complete control over c…
rat
phishing
android
banking trojan
keylogging
vietnam
aws s3
websocket
2025-07-31
chinese-language
redhook
Published: July 31, 2025
Downloadable IOCs: 13

Android Malware Posing As Indian Bank Apps

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It emplo…
phishing
android
credential-theft
trojan
banking
firebase
2025-07-25
call-forwarding
sms-interception
Published: July 25, 2025
Downloadable IOCs: 2

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…
phishing
social engineering
impersonation
ransomware
quasar rat
drive-by download
clickfix
activex
2025-07-25
hta files
epsilon red
Published: July 25, 2025
Downloadable IOCs: 5

A Special Mission to Nowhere

A phishing campaign exploiting the aftermath of a military conflict between Israel and Iran has been identified. The scam, using a fake domain 'lineageembraer.online', offers evacuation flights from Tel Aviv to New York on an Embraer Lineage 1000E business jet. The website presents unrealistic pric…
phishing
financial fraud
scam
aviation
identity theft
2025-07-23
middle east crisis
evacuation
embraer
Published: July 23, 2025
Downloadable IOCs: 1

DeedRAT Backdoor Enhanced with Advanced Capabilities

Chinese threat actors have launched a new phishing campaign using DeedRAT, a modular backdoor. The campaign exploits a DLL side-loading vulnerability in VIPRE Antivirus Premium's MambaSafeModeUI.exe. DeedRAT now includes a new NetAgent module, expanding its capabilities. The malware uses TCP for C2…
backdoor
obfuscation
phishing
persistence
dll side-loading
2025-07-21
antivirus exploitation
deedrat
netagent
Published: July 21, 2025
Downloadable IOCs: 4

Android Cryptojacker Masquerades as Banking App to Mine Cryptocurrency on Locked Devices

A new Android malware campaign has been discovered, disguising itself as a banking app to covertly mine cryptocurrency on locked devices. The malware, distributed through a phishing website impersonating Axis Bank, downloads and executes a modified version of XMRig, a popular cryptocurrency mining …
phishing
android
xmrig
banking
cryptojacking
monero
2025-07-18
device-lock
battery-drain
overheating
android.dminer.a
Published: July 18, 2025
Downloadable IOCs: 1

Chinese Malware Delivery Domains: Part III

This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake applicat…
phishing
windows
cryptocurrency
2025-07-18
fake-updates
Published: July 18, 2025
Downloadable IOCs: 1159

Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting

Between March and June 2025, three Chinese state-sponsored threat actors conducted targeted phishing campaigns against the Taiwanese semiconductor industry. The campaigns targeted organizations involved in semiconductor manufacturing, design, testing, supply chain, and financial analysis. This acti…
espionage
phishing
cobalt strike
sparkrat
voldemort
2025-07-17
semiconductor
unk_droppitch
unk_sparkycarp
unk_fistbump
healthkick
Published: July 17, 2025
Downloadable IOCs: 54

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

A Malware-as-a-Service operation utilizing Amadey for payload delivery has been identified, with connections to a SmokeLoader phishing campaign targeting Ukrainian entities. The operation exploits fake GitHub accounts to host payloads and tools, bypassing web filtering. Emmenhtal, a multistage down…
obfuscation
phishing
rhadamanthys
ukraine
amadey
asyncrat
redline
smokeloader
downloader
github
lumma
maas
emmenhtal
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 4

SVG Smuggling - Image Embedded JavaScript Redirect Attacks

Threat actors are increasingly using Scalable Vector Graphics (SVG) files to deliver JavaScript-based redirect attacks. These SVGs contain embedded, obfuscated JavaScript that initiates browser redirects to attacker-controlled infrastructure. The campaign uses email spoofing and impersonation to de…
obfuscation
phishing
javascript
email spoofing
xor encryption
svg
redirect
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 0

June 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats and security issues affecting financial companies in South Korea and globally. It examines malware and phishing cases targeting the financial sector, including the top 10 malware strains and leaked Korean account statistics on Telegram. The report de…
phishing
ransomware
data breach
financial sector
cybercrime forums
account takeover
dark web
2025-07-16
database leak
digital payments
everest
Published: July 16, 2025
Downloadable IOCs: 0

Rainbow Hyena strikes again: new backdoor and shift in tactics

A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email addresses to distribute malicious attachments, including polyglot files and LNK files mimicking legitimate documents. A new custom-built…
backdoor
phishing
lnk files
2025-07-15
phantomremote
rainbow hyena
Published: July 15, 2025
Downloadable IOCs: 0

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that do…
phishing
wordpress
remote access
netsupport rat
post-exploitation
fake captcha
2025-07-10
dom manipulation
Published: July 10, 2025
Downloadable IOCs: 21

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads

An unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infec…
phishing
spyware
data exfiltration
evasion tactics
multi-stage attack
batavia
2025-07-09
c++ malware
persistence mechanisms
russian targets
vbs scripts
delphi executable
Published: July 9, 2025
Downloadable IOCs: 2

Batavia spyware steals data from Russian organizations

The Batavia spyware campaign, active since July 2024, targets Russian industrial enterprises through phishing emails containing malicious links disguised as contract documents. The infection process involves three stages: a VBS script downloader, the WebView.exe spyware, and the javav.exe module. T…
phishing
spyware
uac bypass
multi-stage infection
2025-07-07
vbs script
webview.exe
batavia
javav.exe
Published: July 7, 2025
Downloadable IOCs: 2

A message from the mechanical shark

Bruce, the mechanical shark from Jaws, reflects on his role in the iconic film 50 years later. He shares insights on the challenges faced during filming due to unpredictable ocean conditions, drawing parallels to cybersecurity. Bruce emphasizes the importance of overpreparing, maintaining perspecti…
phishing
cybersecurity
brand impersonation
cisco talos
2025-07-06
email threats
jaws
pdf payloads
Published: July 6, 2025
Downloadable IOCs: 7

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…
obfuscation
phishing
persistence
steganography
dcrat
credential harvesting
remote access trojan
colombia
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 8

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…
phishing
spearphishing
infostealer
russia
malware-as-a-service
keylogger
maas
snake keylogger
credential stealer
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 34

Getting a career in cybersecurity isn't easy, but this can help

The article provides insights into starting a career in cybersecurity, emphasizing that the path is not always straightforward. It highlights the importance of having a good attitude, being easy to work with, continuous learning, persistence, joining security communities, and making the most of cur…
phishing
social engineering
2025-06-27
covenant
beardshell
mentorship
cybersecurity career
llm exploitation
ai jailbreaking
Published: June 27, 2025
Downloadable IOCs: 5

Hacker Exploit Social Security Statement Theme to Target Over 2,000 Victims with Malware

A sophisticated phishing campaign has targeted over 2,000 individuals by exploiting the theme of official Social Security statements. Cybercriminals used a convincing phishing lure, mimicking legitimate communication from the Social Security Administration. The attack involved a URL directing victi…
backdoor
screenconnect
phishing
remote-access
2025-06-26
amazon-aws
social-security
.net-loader
Published: June 26, 2025
Downloadable IOCs: 2

Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware

APT36, a Pakistan-based cyber espionage group, is actively targeting Indian defense personnel through sophisticated phishing campaigns. The group disseminates emails with malicious PDF attachments resembling official government documents. When opened, these PDFs display a blurred background and a b…
phishing
pakistan
cyber espionage
credential theft
pdf
transparent tribe
2025-06-21
indian defense
Published: June 21, 2025
Downloadable IOCs: 0

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…
phishing
social engineering
cryptocurrency
asyncrat
discord
multi-stage attack
wallet injection
chromekatz
skuld stealer
2025-06-20
invite hijacking
Published: June 20, 2025
Downloadable IOCs: 0

TxTag Takedown: Busting Phishing Email Schemes

A new phishing campaign has been observed leveraging a .gov domain to deceive employees into believing they owe unpaid tolls. The scheme uses urgency and fear tactics, threatening penalties or vehicle registration holds if the balance is not paid immediately. The attackers utilize the GovDelivery s…
phishing
social engineering
credit card fraud
email security
txtag
2025-06-20
toll scam
.gov domain
govdelivery
Published: June 20, 2025
Downloadable IOCs: 1

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disgu…
phishing
social engineering
remote access
2025-06-20
logmein
vercel
platform abuse
Published: June 20, 2025
Downloadable IOCs: 5

DMV-Themed Phishing Campaign Targeting U.S. Citizens

A sophisticated phishing campaign impersonating U.S. state Departments of Motor Vehicles emerged in May 2025, using SMS phishing and deceptive websites to harvest personal and financial data. Victims received messages about unpaid toll violations, directing them to fake DMV sites requesting extensi…
phishing
impersonation
smishing
2025-06-20
infrastructure-analysis
data-harvesting
sms-spoofing
dmv
china-based
Published: June 20, 2025
Downloadable IOCs: 6

Crypto Phishing Applications On The Play Store

An investigation uncovered more than 20 cryptocurrency phishing applications on the Google Play Store impersonating legitimate wallets like SushiSwap and PancakeSwap. These malicious apps employ phishing techniques to steal users' mnemonic phrases, allowing access to real wallets and theft of funds…
phishing
android
cryptocurrency
google play store
2025-06-20
webview
mnemonic phrases
median framework
wallet impersonation
Published: June 20, 2025
Downloadable IOCs: 36

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…
linux
phishing
ransomware
powershell
windows
encryption
revil
sodinokibi
dark web
2025-06-20
bert ransomware
Published: June 20, 2025
Downloadable IOCs: 11

Steam Phishing: Popular as Ever

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' c…
phishing
social engineering
credential theft
fraud
cybersecurity
gaming
steam
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 31

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The …
obfuscation
rat
phishing
asyncrat
webdav
stealth techniques
memory injection
cloudflare tunnels
shellcode loader
2025-06-20
revengerat
python-based malware
donut packer
Published: June 20, 2025
Downloadable IOCs: 147

What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

A Russia state-sponsored cyber threat actor impersonated the U.S. Department of State to target prominent academics and critics of Russia. The attackers used extensive rapport building and tailored lures to convince targets to set up application specific passwords (ASPs). Once obtained, these ASPs …
phishing
state-sponsored
asp
email compromise
2025-06-18
department of state
Published: June 18, 2025
Downloadable IOCs: 2

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious acti…
apt
phishing
dropbox
anydesk
remote-access
social-engineering
ole
hwp
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 3

AsyncRAT Campaign Continues to Evade Endpoint Detection

A wide-ranging phishing campaign has been identified that enables threat actors to bypass traditional security controls and delay detection. The campaign, tracked since 2024, has facilitated remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across numerous o…
obfuscation
xworm
phishing
remcos
asyncrat
venomrat
purehvnc
cloud services
cybercriminal
trycloudflare
remote access trojan
2025-06-17
python scripts
endpoint evasion
Published: June 17, 2025
Downloadable IOCs: 0

From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Steale…
phishing
evasion
asyncrat
discord
crypto wallets
2025-06-13
chromekatz
skuld stealer
Published: June 13, 2025
Downloadable IOCs: 0

New BrowserVenom malware being distributed via fake DeepSeek phishing website

A new malicious campaign is distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The phishing site, promoted via Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy …
phishing
malvertising
proxy
llm
deepseek
2025-06-11
browser manipulation
browservenom
Published: June 11, 2025
Linked vulnerabilities : CVE-2024-3721
Downloadable IOCs: 7

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_e…
backdoor
phishing
social engineering
aws
evasion techniques
more_eggs
2025-06-11
cloud infrastructure
resume lures
skeleton spider
Published: June 11, 2025
Downloadable IOCs: 24

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto…
apt
phishing
xmrig
russia
data theft
crypto mining
2025-06-09
legitimate tools
cis
industrial targets
Published: June 9, 2025
Downloadable IOCs: 55

Threat Analysis: DCRat presence growing in Latin America

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's pre…
phishing
dcrat
banking trojan
maas
process hollowing
colombia
2025-06-06
vmdetectloader
Published: June 6, 2025
Downloadable IOCs: 3

How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

A high-severity phishing campaign targeting old version Office Application users exploits CVE-2017-0199 vulnerability to deliver FormBook malware. The attack begins with an email containing a malicious Excel attachment. When opened, it triggers the vulnerability, downloading and executing a malicio…
phishing
autoit
formbook
CVE-2017-0199
2025-06-05
hta
information-stealer
Published: June 5, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Operation Phantom Enigma

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser exten…
phishing
powershell
stealer
banking
browser extension
2025-06-05
mesh agent
pdq connect agent
Published: June 5, 2025
Downloadable IOCs: 0

Be Careful With Fake Zoom Client Downloads

A deceptive email containing a fake Zoom meeting invitation has been identified. Clicking the 'join' button leads to a website prompting users to install a purported Zoom client update. The downloaded executable, 'Session.ClientSetup.exe', is actually malware that installs an MSI package. This pack…
screenconnect
phishing
downloader
fake update
remote access tool
zoom
2025-06-05
Published: June 5, 2025
Downloadable IOCs: 2

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake …
phishing
social engineering
credential theft
email spoofing
2025-06-04
google apps script
invoice scam
microsoft login
Published: June 4, 2025
Downloadable IOCs: 2

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…
screenconnect
phishing
stealer
government
pdf
remote-access
formbook
domain-spoofing
2025-06-04
credential-harvesting
Published: June 4, 2025
Downloadable IOCs: 2

Illuminating Transparent Tribe

This analysis explores the infrastructure of APT36, also known as Transparent Tribe, using passive DNS and host response history. Starting with indicators from a CyberXTron report on a targeted phishing attack against Indian Government and Defense, the investigation expands through DNS history, IP …
phishing
defense
apt36
passive dns
infrastructure discovery
2025-06-03
indian government
etag pivoting
dns history
Published: June 3, 2025
Downloadable IOCs: 3

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Fake Bitdefender Site Spreads Trio of Malware Tools

A spoofed Bitdefender website is being used in a malicious campaign to distribute VenomRAT, StormKitty, and SilentTrinity malware. The fake site mimics Bitdefender's legitimate antivirus download page but redirects visitors to malicious files hosted on Bitbucket and Amazon S3. The malware package a…
phishing
venomrat
stormkitty
2025-05-28
silenttrinity
spoofed website
Published: May 28, 2025
Downloadable IOCs: 0

Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations

Silent Werewolf has launched two new campaigns targeting Russian and Moldovan organizations, utilizing sophisticated loaders to deliver malicious payloads. The attacks employ phishing emails with ZIP attachments containing obfuscated C# loaders. These loaders use legitimate tools and code obfuscati…
obfuscation
phishing
2025-05-27
c# loader
xdigo
Published: May 27, 2025
Downloadable IOCs: 28

Targets Tajikistan: New Macro Word Documents Phishing Tactics

From January to February 2025, a phishing campaign targeting Tajikistan was detected and attributed to TAG-110, a Russia-aligned threat actor. The campaign used Tajikistan government-themed documents as lures, shifting from previous tactics to macro-enabled Word template files for initial payload d…
espionage
phishing
government
cherryspy
hatvibe
pyplunderplug
logpie
2025-05-22
russia-aligned
tajikistan
Published: May 22, 2025
Downloadable IOCs: 6

How Adversary Telegram Bots Help to Reveal Threats: Case Study

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign,…
phishing
exfiltration
credential harvesting
telegram
2025-05-21
notion
pec
cloud platforms
Published: May 21, 2025
Downloadable IOCs: 16

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure share…
phishing
credential harvesting
telecommunications
infrastructure
insurance
domain impersonation
ssh keys
2025-05-16
fisheries
kuwait
Published: May 16, 2025
Downloadable IOCs: 77

Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

The Trustwave SpiderLabs Email Security team has identified a significant increase in SVG image-based attacks, where seemingly harmless graphics are used to conceal dangerous links. Cybercriminals are exploiting the ability of SVG files to embed JavaScript, which can execute automatically upon open…
obfuscation
phishing
social engineering
phaas
javascript
cybersecurity
email security
svg
2025-05-16
ursnif
tycoon2fa
Published: May 16, 2025
Downloadable IOCs: 4

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16
Published: May 16, 2025
Downloadable IOCs: 45

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…
phishing
north korea
powershell
ukraine
credential harvesting
reconnaissance
2025-05-13
government targeting
chm files
Published: May 13, 2025
Downloadable IOCs: 11

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in …
phishing
social engineering
cryptocurrency
telegram
identity theft
job seekers
2025-05-12
recruitment scams
advance fee fraud
Published: May 12, 2025
Downloadable IOCs: 0

Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge

In May 2025, Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. However, an investigation reveals most breaches were exaggerated or fake. Alleged data leaks contained primarily public information, website defacement…
phishing
crimson rat
pakistan
ddos
india
cyberattack
data leak
apt36
hacktivist
defacement
2025-05-11
Published: May 11, 2025
Downloadable IOCs: 0

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking se…
phishing
cryptocurrency
seo manipulation
2025-05-09
redirection techniques
search engine poisoning
wallet theft
Published: May 9, 2025
Downloadable IOCs: 71

Unmasking the FreeDrain Network

A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lur…
phishing
cryptocurrency
infrastructure analysis
seo manipulation
wallet draining
2025-05-08
redirectors
free hosting abuse
Published: May 8, 2025
Downloadable IOCs: 0

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered …
phishing
powershell
credential theft
clickfix
2025-05-07
spica
document theft
lostkeys
ngos
Published: May 7, 2025
Downloadable IOCs: 0

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data…
espionage
phishing
social engineering
javascript
2025-05-07
data collection
Published: May 7, 2025
Downloadable IOCs: 3

CoGUI Phish Kit Targets Japan with Millions of Messages

A sophisticated phishing kit named CoGUI is targeting Japanese organizations with high-volume campaigns, primarily impersonating consumer and finance brands to steal credentials and payment data. The kit employs advanced evasion techniques like geofencing and fingerprinting to avoid detection. Sinc…
phishing
credential theft
brand impersonation
2025-05-06
darcula
cogui
Published: May 6, 2025
Downloadable IOCs: 7

XLoader Info-stealer Distributed Using MS Equation Editor Vulnerability (CVE-2017-11882)

An analysis reveals the distribution of XLoader info-stealer through phishing emails exploiting the MS Equation Editor vulnerability (CVE-2017-11882). The attack begins with a DOCX file containing an RTF document that creates a VBE file in a temporary folder. This VBE file, built using HorusProtect…
phishing
CVE-2017-11882
xloader
info-stealer
2025-05-01
rtf
vbe
ms equation editor
regasm.exe
horusprotector
Published: May 1, 2025
Downloadable IOCs: 0

Fake Social Security Statement emails trick users into installing remote tool

A phishing campaign is targeting users with fake emails purportedly from the US Social Security Administration. These emails aim to trick recipients into installing ScreenConnect, a legitimate remote access tool that can be misused by cybercriminals. The campaign, attributed to a group called Molat…
screenconnect
phishing
social engineering
financial fraud
remote access tool
2025-05-01
social security administration
Published: May 1, 2025
Downloadable IOCs: 0

Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government

A Pakistan-linked APT group, Transparent Tribe (APT36), is targeting Indian Government and Defense personnel using 'Pahalgam Terror Attack' themed documents. The campaign involves credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and In…
phishing
crimson rat
geopolitical
2025-04-30
pahalgam attack
Published: April 30, 2025
Downloadable IOCs: 29

MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks

MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion t…
phishing
socgholish
asyncrat
stealc
drive-by download
boinc
mintsloader
tag-124
ghostweaver
2025-04-29
multi-stage loader
Published: April 29, 2025
Downloadable IOCs: 0

FormBook Malware Distributed via Horus Protector Using Word Docs

Forcepoint X-Labs researchers have identified a phishing campaign where attackers distribute the FormBook information-stealing malware using Horus Protector, a malware distribution service designed to evade detection. The campaign employs malicious Microsoft Word documents that exploit the CVE-2017…
phishing
formbook
CVE-2017-11882
2025-04-29
maldoc
horus
Published: April 29, 2025
Downloadable IOCs: 101

Decoding Fake US ESTA Emails: Scam or Real Deal?

An increase in malicious emails impersonating US Customs and Border Protection has been observed, targeting individuals with fake Electronic System for Travel Authorization (ESTA) applications. These well-crafted emails exploit uncertainty around immigration services, urging recipients to submit ne…
phishing
financial fraud
identity theft
2025-04-28
immigration
us customs and border protection
Published: April 28, 2025
Downloadable IOCs: 0

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…
phishing
social engineering
credential theft
remote access
connectwise rat
2025-04-08
office365
file-sharing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

Emerging Phishing Techniques: New Threats and Attack Vectors

This analysis delves into four sophisticated phishing techniques observed in 2025. These include embedding Base64-encoded JavaScript in SVG files, hiding malicious URLs in PDF annotations, using OneDrive links to deliver dynamic phishing content, and nesting MHT files within OpenXML documents. Thes…
obfuscation
phishing
pdf
qr code
svg
2025-04-28
onedrive
mht
openxml
Published: April 28, 2025
Downloadable IOCs: 0

The Return of Pharmacy-Themed Spam

Pharmaceutical-themed spam campaigns continue to target individuals and organizations, particularly in the healthcare and pharmaceutical sectors. Recent observations reveal a bulk spam campaign using spoofed identities and compromised infrastructure to send deceptive emails. The attackers employ ta…
phishing
spam
social-engineering
domain-spoofing
2025-04-26
pharmacy
compromised-servers
email-security
fraudulent-websites
dkim
Published: April 26, 2025
Downloadable IOCs: 0

Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands

A scam campaign dubbed 'Power Parasites' is targeting individuals in Asian countries through deceptive websites, social media groups, and Telegram channels. The campaign exploits the names and branding of global energy companies and other major brands to conduct job and investment scams. Victims ar…
phishing
social engineering
telegram
social media
investment fraud
brand impersonation
2025-04-24
job scam
Published: April 24, 2025
Downloadable IOCs: 0

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…
apt
phishing
kimsuky
south korea
CVE-2017-11882
keylogger
CVE-2019-0708
japan
2025-04-22
randomquery
rdp exploitation
bluekeep
myspy
kimalogger
Published: April 22, 2025
Downloadable IOCs: 0

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…
phishing
infostealer
formbook
CVE-2017-11882
process hollowing
2025-04-22
fileless malware
microsoft equation editor
Published: April 22, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 7

Detecting Multi-Stage Infection Chains Madness

This analysis examines a complex multi-stage attack exploiting a resilient network infrastructure known as 'Cloudflare tunnel infrastructure to deliver multiple RATs' since February 2024. The infection chain involves multiple steps, including phishing emails with malicious attachments, execution of…
phishing
asyncrat
infection chain
multi-stage attack
evasion techniques
2025-04-22
cloudflare tunnel
cyber threat intelligence
detection rules
Published: April 22, 2025
Downloadable IOCs: 15

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

It's 2025... so why are obviously malicious advertising URLs still going strong?

In 2025, a phishing email containing a malicious link redirected through Google Ads was received by the Internet Storm Center. The link led to a credential-stealing page hosted on a dynamic DNS service. Despite being clearly fraudulent and detected by VirusTotal, the ad redirect remained active for…
phishing
google ads
malicious urls
threat detection
2025-04-21
ad providers
dynamic dns
security measures
Published: April 21, 2025
Downloadable IOCs: 1

The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques su…
phishing
social engineering
malvertising
njrat
identity theft
government impersonation
qr code scams
2025-04-18
financial scams
fake subsidies
Published: April 18, 2025
Downloadable IOCs: 0

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…
xworm
phishing
ransomware
android
korea
remcos
wordpress
strela stealer
2025-04-18
germany
weaxor
Published: April 18, 2025
Downloadable IOCs: 48

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…
phishing
social engineering
credential theft
information stealer
sectoprat
2025-04-15
pdf converter
arechclient2
Published: April 15, 2025
Downloadable IOCs: 0

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15
Published: April 15, 2025
Downloadable IOCs: 0

Renewed APT29 Phishing Campaign Against European Diplomats

A sophisticated phishing campaign targeting European diplomatic entities has been uncovered, attributed to the Russia-linked threat group APT29. The attackers impersonate a major European foreign affairs ministry, sending fake invitations to wine tasting events. The campaign employs a new loader ca…
backdoor
phishing
wineloader
2025-04-15
grapeloader
Published: April 15, 2025
Downloadable IOCs: 13

A Deep Dive into Strela Stealer and how it Targets European Countries

Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germa…
obfuscation
phishing
infostealer
2025-03-11
stellar loader
strela stealer
2025-04-13
locale-verification
Published: April 13, 2025
Downloadable IOCs: 0

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Bo…
xworm
phishing
social engineering
lumma stealer
asyncrat
danabot
venomrat
clickfix
netsupport rat
booking.com
2025-03-13
credential-stealing
2025-04-13
Published: April 13, 2025
Downloadable IOCs: 0

Amazon Gift Card Email Hooks Microsoft Credentials

The Cofense Phishing Defense Center (PDC) has identified a new credential phishing campaign that uses an Amazon e-gift card to harvest Microsoft login credentials from unsuspecting recipients in 2025.
phishing
amazon
credentials
outlook
2025-04-10
amazon gift
activationshub
Published: April 10, 2025
Downloadable IOCs: 2

Blind Eagle: ...And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single…
phishing
remcos
government
purecrypter
webdav
remcos rat
CVE-2024-43451
heartcrypt
2025-04-10
apt-c-36
colombia
Published: April 10, 2025
Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…
phishing
social engineering
malware distribution
credential theft
infostealers
email attachments
2025-04-10
downloaders
html scripts
document exploits
compressed files
Published: April 10, 2025
Downloadable IOCs: 0

Sapphire Werewolf refines Amethyst stealer to attack energy companies

The Sapphire Werewolf cluster has upgraded its toolkit with a new version of the Amethyst stealer, targeting energy companies through phishing emails. The enhanced malware features advanced checks for virtualized environments and uses Triple DES for string encryption. The attack involves distributi…
phishing
credential theft
2025-04-09
amethyst stealer
virtualization detection
Published: April 9, 2025
Downloadable IOCs: 0

Scattered Spider: Still Hunting for Victims in 2025

Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push research…
phishing
social engineering
hubspot
2025-04-09
domain impersonation
klaviyo
spectre rat
Published: April 9, 2025
Downloadable IOCs: 57

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…
apt
rat
phishing
dll side-loading
multi-platform
msi
spark rat
2025-04-08
xeno rat
curlback rat
Published: April 8, 2025
Downloadable IOCs: 28

March 2025 Security Issues in Korean & Global Financial Sector

This analysis covers cyber threats and security issues in the financial industry, focusing on South Korea and global incidents. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. The report delves into major financial threats on the…
phishing
2025-04-08
financial-sector
database-leak
Published: April 8, 2025
Downloadable IOCs: 2

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…
phishing
cryptocurrency
supply chain
2025-04-04
2025-04-07
crm
coinbase
bulk email
ledger
seed phrase poisoning
Published: April 7, 2025
Downloadable IOCs: 45

New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile

A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHAs and CloudFlare Turnstile to deliver LegionLoader malware, which then installs a malicious browser extension. The infection chain involves a drive-by download, execution of …
phishing
drive-by download
captcha
process hollowing
legionloader
2025-04-05
browser extension
cloudflare turnstile
Published: April 5, 2025
Downloadable IOCs: 5

Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights

A new campaign utilizing the Brazilian stealer Grandoreiro has been detected targeting Spain and Latin American countries. The malware, active since 2017, aims to steal sensitive information, including banking credentials and personal data. It employs advanced evasion techniques such as string encr…
phishing
grandoreiro
2025-04-04
Published: April 4, 2025
Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…
obfuscation
apt
phishing
south korea
keylogging
lnk file
data exfiltration
cryptocurrency theft
snakekeylogger
2025-04-04
vba script
Published: April 4, 2025
Downloadable IOCs: 0

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report t…
phishing
python
powershell
lnk
cloudflare
telegram
pyramid
pyramid c2
open directory
2025-04-04
dmca
ms-search
Published: April 4, 2025
Downloadable IOCs: 0

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…
backdoor
phishing
north korea
infostealer
cryptocurrency
downloader
beavertail
recruitment
invisibleferret
2025-04-03
lightlesscan
tropidoor
Published: April 3, 2025
Downloadable IOCs: 6

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

Analysis of New Mobile Banking Malware

Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal …
phishing
android
persistence
banking
data exfiltration
credential stealing
sms interception
otp theft
2025-04-01
salvador stealer
Published: April 1, 2025
Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…
phishing
social engineering
credential harvesting
business email compromise
qr code
2025-04-01
url redirection
human verification
quishing
Published: April 1, 2025
Downloadable IOCs: 57

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…
screenconnect
phishing
ransomware
supply chain
mfa bypass
qilin
CVE-2023-27532
2025-04-01
evilginx
stac4365
msp
Published: April 1, 2025
Downloadable IOCs: 0

Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants

Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters imperson…
phishing
impersonation
state-sponsored
russia
ukraine
russian volunteer corps
2025-04-01
hochuzhit
cia
intelligence gathering
legion liberty
Published: April 1, 2025
Downloadable IOCs: 0

The Shelby Strategy

The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and …
obfuscation
phishing
c2
telecommunications
github
iraq
uae
2025-04-01
shelbyloader
shelby
sandbox-detection
shelbyc2
Published: April 1, 2025
Downloadable IOCs: 0

TsarBot Trojan Hits 750+ Banking & Crypto Apps!

A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Servi…
phishing
android
credential theft
banking trojan
keylogging
sms interception
on-device fraud
2025-04-01
websocket
screen recording
tsarbot
overlay attack
Published: April 1, 2025
Downloadable IOCs: 0

SVG Phishing Malware Being Distributed with Analysis Obstruction Feature

A sophisticated phishing malware using Scalable Vector Graphics (SVG) format has been identified. The malware embeds malicious scripts within SVG files, using Base64 encoding to bypass detection. It employs various techniques to obstruct analysis, including blocking automation tools, preventing spe…
phishing
captcha
base64
xml
svg
microsoft impersonation
2025-04-01
analysis obstruction
svg phishing malware
vector graphics
Published: April 1, 2025
Downloadable IOCs: 0

Remcos RAT Malware Disguised as Major Carrier's Waybill

A sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a config…
phishing
autoit
remcos rat
persistence techniques
shellcode injection
2025-04-01
javascript obfuscation
email attack
waybill disguise
Published: April 1, 2025
Downloadable IOCs: 0

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.
phishing
cloud
malspam
2025-03-31
morphing meerkat
Published: March 31, 2025
Downloadable IOCs: 21

Pulling the Threads on the Phish of Troy Hunt

A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation…
phishing
threat intelligence
infrastructure discovery
2025-03-29
dns pivoting
mailchimp
validin
troy hunt
Published: March 29, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

When Getting Phished Puts You in Mortal Danger

The article discusses a network of phishing domains targeting Russians searching for anti-Putin organizations. These domains mimic recruitment websites of Ukrainian paramilitary groups and intelligence agencies. The scam aims to collect personal information from potential recruits, likely for Russi…
phishing
russia
ukraine
recruitment
search engine manipulation
2025-03-28
paramilitary
russian volunteer corps
freedom of russia legion
Published: March 28, 2025
Downloadable IOCs: 0

Operation ForumTroll exploits zero-days in Google Chrome

In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an …
apt
phishing
zero-day
google chrome
2025-03-25
trojan.win64.convagent.gen
sandbox escape
trojan.win64.agent
CVE-2025-2783
Published: March 25, 2025
Downloadable IOCs: 0

New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players

A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identi…
phishing
credential theft
gaming
2025-03-25
steam
counter-strike 2
browser-in-the-browser
esports
Published: March 25, 2025
Downloadable IOCs: 8

Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats

Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learnin…
phishing
social engineering
ai
cybersecurity
machine learning
2025-03-21
real-time anti-phishing
employee awareness
Published: March 21, 2025
Downloadable IOCs: 11

Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder

A sophisticated phishing campaign targeting Meta Business accounts has been uncovered by the Cofense Phishing Defense Center. The attack begins with a fake Instagram alert claiming the user's ads are suspended due to policy violations. Victims are directed to a fraudulent page mimicking Meta's busi…
phishing
credential theft
meta
social media
two-factor authentication
instagram
2025-03-21
chat support
business accounts
Published: March 21, 2025
Linked vulnerabilities : CVE-2025-24071 (CVSS 7.5)
Downloadable IOCs: 5

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…
phishing
social engineering
powershell
asyncrat
clickfix
captcha
2025-03-21
command line
fake fixes
Published: March 21, 2025
Downloadable IOCs: 4

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with mul…
obfuscation
apt
phishing
python
encryption
2025-03-20
financial-crime
anubisbackdoor
hospitality-sector
Published: March 20, 2025
Downloadable IOCs: 0

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

VHDs Used to Distribute VenomRAT and Other Malware

A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs…
obfuscation
phishing
powershell
persistence
venomrat
keylogger
aes encryption
2025-03-14
vhd
Published: March 14, 2025
Downloadable IOCs: 0

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …
phishing
social engineering
cryptocurrency
scams
e-commerce fraud
2025-03-14
charitable fraud
wallet draining
fake giveaways
ramadan
Published: March 14, 2025
Downloadable IOCs: 28

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…
phishing
north korea
powershell
rokrat
cloud services
lnk files
remote access trojan
2025-03-12
Published: March 12, 2025
Downloadable IOCs: 9

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticate…
phishing
social engineering
impersonation
cyber espionage
2025-03-12
fake job offers
recruitment scam
Published: March 12, 2025
Downloadable IOCs: 6

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…
phishing
social engineering
remote access trojan
2025-03-11
cryptocurrency scam
password theft
binance impersonation
connectwise rat
Published: March 11, 2025
Downloadable IOCs: 1

Blind Eagle: …And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT …
phishing
remcos
purecrypter
remcos rat
CVE-2024-43451
heartcrypt
2025-03-10
Published: March 10, 2025
Downloadable IOCs: 16

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …
rat
phishing
social engineering
rhadamanthys
cryptocurrency theft
amos
2025-03-06
job recruitment
atomic macos stealer (amos)
grasscall
Published: March 6, 2025
Downloadable IOCs: 14

The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT

Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.
rat
phishing
windows
2025-03-05
vmware
bandook
poco rat
ultimate packer
executables
virtualbox
dark caracal
poco c++
Published: March 5, 2025
Downloadable IOCs: 41

Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems

This analysis explores the use of traffic distribution systems (TDS) by threat actors to redirect network traffic for illicit purposes like phishing and malvertising. TDS act as central hubs, obfuscating final destinations and hindering detection. The study found that malicious TDS exhibit distinct…
phishing
malvertising
2025-03-05
cloaking
darknet
traffic distribution systems
Published: March 5, 2025
Downloadable IOCs: 0

Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan

An advanced malware framework known as Winos4.0 was used to target companies in Taiwan in January 2025.
phishing
pdf
c2 server
valleyrat
wechat
screen capture
agent
2025-03-05
team
uacme
corrupt
Published: March 5, 2025
Downloadable IOCs: 55

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…
rat
phishing
powershell
remcos
2025-03-05
zip
vb script
Published: March 5, 2025
Downloadable IOCs: 7

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2

A threat group impersonating the Electronic Frontier Foundation (EFF) is targeting Albion Online players through phishing messages and decoy documents. The campaign uses malware such as Stealc stealer and Pyramid C2 to compromise player accounts. Analysis of an exposed directory revealed PowerShell…
phishing
stealc
russian-speaking
gaming
2025-03-04
pyramid c2
Published: March 4, 2025
Downloadable IOCs: 0

Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials

A sophisticated JavaScript-based credential harvesting campaign has been discovered, utilizing fake voicemail notifications to capture Microsoft 365 credentials. The attackers employ HTML smuggling, obfuscation, and encryption techniques to evade detection. The phishing emails contain PDF attachmen…
phishing
credential harvesting
html smuggling
microsoft 365
2025-03-04
voicemail lure
cryptojs
Published: March 4, 2025
Downloadable IOCs: 0

Havoc: SharePoint with Microsoft Graph API turns into FUD C2

A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc D…
phishing
clickfix
havoc
sharepoint
2025-03-03
kaynldr
c2 framework
havoc demon agent
multi-stage malware
Published: March 3, 2025
Downloadable IOCs: 5

Russian campaign targeting Romanian WhatsApp numbers

A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code,…
phishing
social engineering
whatsapp
russia
account takeover
2025-02-28
romania
Published: February 28, 2025
Downloadable IOCs: 0

Your MFA Is No Match for Sneaky2FA

In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDriv…
phishing
phaas
2fa bypass
office 365
2025-02-28
session cookies
sneaky2fa
Published: February 28, 2025
Downloadable IOCs: 15

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…
apt
phishing
social engineering
north korea
cryptocurrency
2025-02-26
bybit
Published: February 26, 2025
Downloadable IOCs: 0

Chinese APT Target Royal Thai Police in Malware Campaign

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process…
apt
espionage
phishing
china
yokai
2025-02-26
Published: February 26, 2025
Downloadable IOCs: 0

Unmasking a Large-Scale Legacy Driver Exploitation Campaign

Check Point Research uncovered an extensive campaign exploiting a vulnerability in the legacy version 2.0.2 of the Truesight.sys driver, part of Adlice's RogueKiller Antirootkit suite. Attackers leveraged this vulnerability to deploy an EDR/AV killer module, effectively disabling security solutions…
phishing
exploitation
driver
2025-02-24
edrbypass
Published: February 24, 2025
Downloadable IOCs: 951

Phishing Campaigns Targeting Higher Education Institutions

Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Goog…
phishing
social engineering
universities
business email compromise
2025-02-24
google forms
higher education
payment redirection
Published: February 24, 2025
Downloadable IOCs: 4

The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand

The darcula-suite 3.0 represents a significant advancement in phishing capabilities, allowing criminals to easily create customized phishing campaigns targeting any brand. This new version, set to launch in February 2025, builds upon the previous darcula V2 platform, which has already impacted over…
phishing
phaas
2025-02-20
browser automation
deception techniques
diy phishing kit
card generation
admin dashboard
Published: February 20, 2025
Downloadable IOCs: 0

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…
apt
phishing
ransomware
cybercrime
ransomhub
edrkillshifter
rustbucket
goldpickaxe
financial sector
2025-02-20
catb
initial access brokers
jsoutprox
tradertraitor
golddigger
state-sponsored threats
goldkefu
tycoon 2fa
banking trojans
sneaky 2fa
golddiggerplus
Published: February 20, 2025
Downloadable IOCs: 0

Bloody Wolf evolution: new targets, new tools

Bloody Wolf, a notorious threat actor, has shifted its tactics by replacing malware with the legitimate remote administration tool NetSupport. The group has expanded its targets to include organizations in both Kazakhstan and Russia, compromising over 400 systems. Their attack method involves phish…
phishing
russia
edr
netsupport
telegram
strrat
kazakhstan
2025-02-20
remote administration
jar files
Published: February 20, 2025
Downloadable IOCs: 0

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…
phishing
social engineering
credential theft
email spoofing
2025-02-18
payment fraud
fake login page
amazon prime
Published: February 18, 2025
Downloadable IOCs: 3

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure

An ongoing malware campaign is distributing Lumma Stealer, an information-stealing malware, through malicious LNK files disguised as PDF documents. The campaign exploits compromised educational institutions' infrastructure to host these files. When executed, the LNK files initiate a multi-stage inf…
phishing
lumma stealer
information stealing
maas
lnk files
multi-stage infection
2025-02-17
steam profiles
educational institutions
pdf-themed
Published: February 17, 2025
Downloadable IOCs: 24

FinStealer

A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion t…
sql injection
phishing
android
credential theft
banking
telegram
mobile
c2 servers
xor encryption
2025-02-17
finstealer
trojan.rewardsteal/joxpk
CVE-2011-2688
Published: February 17, 2025
Linked vulnerabilities : CVE-2011-2688
Downloadable IOCs: 5

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…
phishing
social engineering
cryptocurrency
financial fraud
social media
e-commerce
brand impersonation
oauth
2025-02-15
valentine's day
Published: February 15, 2025
Downloadable IOCs: 0

Inside a Malware Campaign: A Nigerian Hacker's Perspective

This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hos…
phishing
social engineering
redline
redline stealer
chatgpt
2025-02-14
nigerian hacker
google dorking
gammadyne mailer
email harvesting
xlogger
Published: February 14, 2025
Downloadable IOCs: 2

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…
phishing
social engineering
russia
microsoft 365
spear-phishing
oauth
2025-02-14
device code authentication
Published: February 14, 2025
Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …
phishing
social engineering
lumma stealer
credential theft
vidar stealer
clickfix
captcha
deepseek
2025-02-11
Published: February 11, 2025
Downloadable IOCs: 7

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into expl…
phishing
malware distribution
ukraine
banking
smokeloader
automotive
open directories
2025-02-07
financial lures
Published: February 7, 2025
Downloadable IOCs: 27

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…
phishing
cryptocurrency
credential theft
scams
2025-02-06
deepseek
qr code scams
wallet drainers
fake websites
Published: February 6, 2025
Downloadable IOCs: 0

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…
phishing
social engineering
credential theft
email spoofing
sharepoint
2025-02-06
power bi
microsoft impersonation
Published: February 6, 2025
Downloadable IOCs: 0

Phishing via 'com-' prefix domains

This analysis reveals a new phishing trend using domains with a "com-" prefix to mimic legitimate websites. The scam targets users of Florida's Sunpass toll system, exploiting the similarity between sunpass.com and fraudulent "com-" domains. A surge in "com-" prefix domain registrations has been ob…
phishing
2025-02-06
newly-registered-domains
domain-spoofing
sunpass
dns-monitoring
com-prefix
toll-fraud
Published: February 6, 2025
Downloadable IOCs: 9

Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach

A mobile malware campaign targeting Indian banks has been uncovered, comprising nearly 900 samples aimed at Android devices. The malware, distributed via WhatsApp as fake government or banking apps, steals sensitive financial and personal data, including Aadhar and PAN card details, credit card inf…
phishing
android
banking trojan
data breach
mobile malware
sms interception
2025-02-05
otp theft
firebase
fatboypanel
Published: February 5, 2025
Downloadable IOCs: 891

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments
Published: February 5, 2025
Downloadable IOCs: 0

Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques

ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection cha…
phishing
persistence
valleyrat
keylogger
dll side-loading
c2 communication
anti-vm
2025-02-05
ghostrat
silver fox apt
Published: February 5, 2025
Downloadable IOCs: 12

Blast from the Past

A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing …
phishing
stealer
persistence
credential theft
data exfiltration
russian
maas
nova
snakelogger
2025-02-05
organizations
Published: February 5, 2025
Downloadable IOCs: 1

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains…
apt
phishing
credential theft
taiwan
spoofed domains
2025-02-05
fake download pages
163.com
netease
Published: February 5, 2025
Downloadable IOCs: 9

NOVA: blast from the past

A large-scale campaign targeting Russian organizations across various industries has been uncovered. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed under the Malware-as-a-Service model, steals cr…
phishing
credential-theft
stealer
persistence
maas
nova
2025-02-04
snakelogger
Published: February 4, 2025
Downloadable IOCs: 1

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…
malware
phishing
social engineering
ransomware
spyware
domain spoofing
2025-02-03
cyber threat
trojans
declassified files
historical documents
jfk files
Published: February 3, 2025
Downloadable IOCs: 4

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech

This article unveils the practice of 'infrastructure laundering' by cybercriminals, specifically focusing on the FUNNULL content delivery network. The investigation reveals that FUNNULL has been renting IP addresses from major cloud providers like Amazon Web Services and Microsoft Azure, using thes…
phishing
2025-01-31
infrastructure laundering
Published: January 31, 2025
Downloadable IOCs: 9

Coyote Banking Trojan: A Stealthy Attack via LNK Files

A sophisticated multi-stage attack utilizing LNK files to deliver the Coyote Banking Trojan has been identified, primarily targeting Brazilian financial applications. The malware employs PowerShell commands, shellcode injection, and registry manipulation to establish persistence and evade detection…
phishing
lnk files
2025-01-31
coyote banking trojan
Published: January 31, 2025
Downloadable IOCs: 0

Microsoft advertisers phished via malicious Google ads

Malicious actors are targeting Microsoft advertisers through fraudulent Google ads, aiming to steal login credentials for Microsoft's advertising platform. The campaign involves sophisticated techniques like cloaking, Cloudflare challenges, and redirection chains to evade detection. Phishing pages …
phishing
credential theft
google ads
2025-01-31
Published: January 31, 2025
Downloadable IOCs: 101

A closer look at the Tria stealer campaign

A malicious Android campaign named Tria Stealer has been targeting users in Malaysia and Brunei since mid-2024. The campaign uses wedding invitation lures to trick victims into installing a malicious app that collects SMS data, tracks call logs, and steals messages from apps like WhatsApp and email…
phishing
android
2025-01-30
telegram bots
tria stealer
Published: January 30, 2025
Downloadable IOCs: 3

Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns

Threat actors are exploiting vulnerabilities in government websites, particularly .gov domains, to conduct phishing campaigns. The abuse primarily involves using open redirects to bypass secure email gateways and lead victims to credential phishing pages. A significant portion of these exploits may…
phishing
credential theft
email security
2025-01-29
stormkitty
agent tesla keylogger
CVE-2024-25608
open redirects
.gov domains
liferay
government websites
Published: January 29, 2025
Linked vulnerabilities : CVE-2024-25608
Downloadable IOCs: 4

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…
phishing
ransomware
lockbit
botnet
phorpiex
downloader
gandcrab
2025-01-29
twizt
Published: January 29, 2025
Downloadable IOCs: 14

Phishing Campaign Baits Hook With Malicious Amazon PDFs

A new phishing tactic has emerged, using PDF documents to trick victims by announcing expired Amazon Prime memberships. The campaign targets users via email, containing PDF attachments that lead to fake Amazon pages requesting personal and credit card information. Researchers from Palo Alto Network…
phishing
credit card fraud
2025-01-29
Published: January 29, 2025
Downloadable IOCs: 4

New TorNet backdoor seen in widespread campaign

A financially motivated threat actor has been conducting a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The campaign uses phishing emails impersonating financial institutions and companies to deliver various payloads, including a new backdoor called TorNet. T…
backdoor
phishing
evasion
poland
purecrypter
agent tesla
snake keylogger
2025-01-28
tornet
tor network
Published: January 28, 2025
Downloadable IOCs: 0

Hidden in Plain Sight: PDF Mishing Attack

A sophisticated phishing campaign targeting mobile devices has been discovered, impersonating the United States Postal Service (USPS). The campaign uses a novel obfuscation technique in PDF files to hide malicious links, making detection difficult for many security solutions. The attack exploits us…
phishing
credential theft
pdf
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 654

Targeted supply chain attack against Chrome browser extensions

In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API ke…
phishing
supply chain
credentials
browser extensions
2025-01-22
data harvesting
Published: January 22, 2025
Downloadable IOCs: 80

The ticket that doesn't exist: a new threat discovered - FakeTicketer

A new threat actor named FakeTicketer has been identified by F.A.C.C.T. Threat Intelligence, operating since June 2024 with a focus on espionage. The actor targets government officials and sports functionaries using malicious software disguised as tickets for Russian Premier League football matches…
espionage
rat
phishing
stealer
dropper
government
2025-01-22
sports
zagrebator
zagrebator.stealer
zagrebator.dropper
zagrebator.rat
Published: January 22, 2025
Downloadable IOCs: 0

One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks

The report discusses an automated approach using graph neural networks to proactively detect malicious infrastructure employed by threat actors in cyber attacks based on known indicators. It examines the relationships between different types of indicators, such as co-hosted domains, malware deliver…
phishing
carbanak
anunak
automation
threat hunting
2025-01-14
automated detection
aranuk
domain analysis
graph neural networks
web skimming
infrastructure discovery
2025-01-21
skimmer
malicious domains
aranuk/carbanak
Published: January 21, 2025
Downloadable IOCs: 103

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Cybercriminals are targeting Google Ads advertisers through phishing campaigns, impersonating Google Ads via fraudulent ads. The scheme involves stealing advertiser accounts by redirecting victims to fake login pages, with the goal of reselling these accounts on blackhat forums. The operation uses …
phishing
malvertising
2025-01-20
advertising fraud
Published: January 20, 2025
Downloadable IOCs: 29

Threat Research Report: Malicious Domain Activity During the Los Angeles Wildfires

During the 2025 Los Angeles wildfires, cybercriminals exploited the disaster through various phishing campaigns. Analysis of 119 domains registered between January 8-13, 2025, revealed themes targeting emergency assistance, legal services, and reconstruction efforts. GoDaddy was the most used regis…
phishing
social engineering
2025-01-17
natural disaster exploitation
los angeles wildfires
Published: January 17, 2025
Downloadable IOCs: 119

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authe…
obfuscation
phishing
aitm
cryptocurrency
telegram
2025-01-17
Published: January 17, 2025
Downloadable IOCs: 26

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…
obfuscation
phishing
powershell
lummac2
infostealer
cryptocurrency
captcha
2025-01-13
clipbanker
Published: January 13, 2025
Downloadable IOCs: 4

Increase in Distribution of AutoIt Compile Malware via Phishing Emails

The distribution of malware compiled with AutoIt has been rapidly increasing, surpassing .NET-type malware. AutoIt, a scripting language for Windows automation, is preferred due to its ease of compilation into EXE files and fewer dependencies. The trend began in August 2024, with AutoIt malware nea…
phishing
infostealer
remcosrat
redline
autoit
agenttesla
2025-01-10
xloader
snakekeylogger
Published: January 10, 2025
Downloadable IOCs: 3

Recruitment Phishing Scam Imitates Hiring Process

A sophisticated phishing campaign has been discovered that exploits recruitment branding to deliver malware. The attack begins with a phishing email impersonating a recruitment process, directing victims to a malicious website. Users are prompted to download a fake application, which serves as a do…
phishing
social engineering
cryptominer
recruitment
2025-01-10
job seekers
Published: January 10, 2025
Downloadable IOCs: 5

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connecti…
phishing
chrome extension
domain spoofing
2025-01-10
certificate rotation
Published: January 10, 2025
Downloadable IOCs: 66

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…
phishing
cryptocurrency
macos
lumma stealer
github
string encryption
banshee
2025-01-09
xprotect
Published: January 9, 2025
Downloadable IOCs: 25

Formbook Phishing Campaign with old Payloads

A recent phishing campaign has been observed delivering Formbook stealers through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Mont…
phishing
steganography
process-hollowing
2025-01-07
xml
formbook stealer
Published: January 7, 2025
Downloadable IOCs: 1

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads…
phishing
data exfiltration
chrome extension
command and control
2025-01-02
facebook ads
oauth
Published: January 2, 2025
Downloadable IOCs: 5

Espionage cluster Paper Werewolf engages in destructive behavior

The Paper Werewolf cluster, also known as GOFFEE, has increased its activity, targeting Russian organizations in government, energy, finance, and media sectors. Their primary method involves phishing emails with malicious Microsoft Word attachments containing macros. The group has evolved from cybe…
phishing
powershell
powerrat
2024-12-25
qwakmyagent
goffee
powertaskel
freyja
owowa
Published: December 25, 2024
Downloadable IOCs: 0

A Look Back: The Evolution of Latin American eCrime Malware in 2024

Latin American cybercrime continues to evolve as adversaries refine their tactics and techniques. Key developments in 2024 include the adoption of Rust for improved evasion, consistent use of multi-stage infection chains and malspam campaigns, and evidence of collaboration among threat actors. Nota…
phishing
javascript
rust
banking trojan
information stealer
2024-12-18
nirsoft
Published: December 18, 2024
Downloadable IOCs: 32

Your Data Is Under New Management: The Rise of LummaStealer

LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized busine…
phishing
social engineering
python
lummastealer
2024-12-18
malware-as-a-service (maas)
Published: December 18, 2024
Downloadable IOCs: 0

Effective Phishing Campaign Targeting European Companies and Institutions

A sophisticated phishing operation targeting European automotive, chemical, and industrial manufacturing companies has been uncovered. The campaign, which peaked in June 2024, used HubSpot Free Form Builder and Docusign-enabled PDFs to harvest account credentials and infiltrate Microsoft Azure clou…
phishing
persistence
credential harvesting
redirection
docusign
2024-12-18
microsoft azure
european companies
hubspot
Published: December 18, 2024
Downloadable IOCs: 50

How Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels

Cybercriminals are targeting YouTube creators through sophisticated phishing campaigns that impersonate trusted brands offering collaboration deals. The malware is disguised as legitimate documents and delivered via password-protected files on platforms like OneDrive. Once downloaded, it steals sen…
phishing
social engineering
youtube
brand impersonation
2024-12-17
content creators
Published: December 17, 2024
Downloadable IOCs: 3

New I2PRAT communicates via anonymous peer-to-peer network

A novel malware strain, I2PRAT, has been discovered utilizing the I2P network for command and control communication. The infection begins with a phishing email leading to a fake CAPTCHA page, which tricks users into executing a malicious PowerShell script. The malware employs UAC bypass, Microsoft …
phishing
uac bypass
privateloader
2024-12-16
i2p
i2prat
Published: December 16, 2024
Downloadable IOCs: 0

Unwrapping the AIZ—Aggressive Inventory Zombies—Retail & Crypto Phishing Network Campaign

A large-scale phishing campaign targeting retail brands and cryptocurrency users has been uncovered. The campaign, dubbed 'Aggressive Inventory Zombies' (AIZ), initially impersonated Etsy but expanded to target major retailers like Amazon, BestBuy, and eBay. The threat actor uses a popular website …
phishing
impersonation
e-commerce
2024-12-13
retail
Published: December 13, 2024
Downloadable IOCs: 59

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …
phishing
social engineering
credential theft
2024-12-11
account takeover
email security
Published: December 11, 2024
Downloadable IOCs: 4

Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams

Threat actors exploit high-profile events like global sporting championships to launch attacks through phishing and scams. The analysis focuses on trends in domain registrations, DNS traffic, URL traffic, active domains, verdict change requests, and domain textual patterns. Case studies include obs…
phishing
dns traffic
olympics
scams
domain abuse
2024-12-07
url filtering
threat monitoring
cybersquatting
Published: December 7, 2024
Downloadable IOCs: 0

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

The adventures of an extroverted cyber nerd and the people who help to fight the good fight

The article describes the experiences of a Senior Security Strategist at Talos, highlighting the unique blend of technical expertise and communication skills required for the role. It emphasizes the importance of supporting NGOs in cybersecurity, detailing the author's involvement with the NGO-ISAC…
phishing
cybersecurity
2024-12-06
qr code attacks
ngo
communication skills
water systems vulnerabilities
Published: December 6, 2024
Downloadable IOCs: 0

Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)

This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, At…
phishing
aitm
email campaigns
microsoft 365
2024-12-03
phishing-as-a-service
dadsec
rockstar 2fa
2024-12-04
rockstar
Published: December 4, 2024
Downloadable IOCs: 51

Analyzing threat actor Kimsuky email phishing campaign

The report provides an in-depth analysis of the email phishing campaigns conducted by the Kimsuky threat actor group. It highlights their tactics of using diverse themes and subjects to pique the curiosity of recipients, targeting researchers and individuals related to North Korean affairs in an at…
phishing
north korea
impersonation
credential theft
2024-12-04
malwareless
Published: December 4, 2024
Downloadable IOCs: 24

Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam

A malicious threat actor group dubbed 'Payroll Pirates' is orchestrating an ongoing human resources payroll redirection phishing scam targeting numerous organizations' employees. The campaign primarily focuses on Workday users and high-profile companies. The actors employ search ads with brand keyw…
phishing
2024-12-04
hr scam
Published: December 4, 2024
Downloadable IOCs: 69

SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Threat actors are exploiting old Microsoft Office vulnerabilities using SmokeLoader, a modular malware loader, to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, utilizing CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malic…
phishing
plugins
credential theft
smokeloader
CVE-2017-0199
CVE-2017-11882
taiwan
modular malware
2024-12-03
microsoft office
vulnerabilities
andeloader
Published: December 3, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 28

Beware of phishing attacks by APT-C-01 (Poison Ivy)

APT-C-01, known as Poison Ivy, is a persistent threat group targeting defense, government, technology, and education sectors since 2007. They specialize in phishing attacks, including watering hole and spear-phishing, using personalized bait content. Recent observations show the group creating fake…
apt
phishing
poison ivy
2024-12-03
sliver rat
Published: December 3, 2024
Downloadable IOCs: 7

TaxOff: You've Got a Backdoor...

A sophisticated threat group named TaxOff has been discovered targeting Russian government agencies. The group uses phishing emails with legal and financial themes to deliver the Trinper backdoor, a multithreaded C++ malware with advanced features. Trinper employs STL containers, custom serializati…
espionage
phishing
keylogging
2024-12-03
code injection
russian government
trinper backdoor
Published: December 3, 2024
Downloadable IOCs: 11

NetSupport RAT and RMS in malicious emails

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitima…
obfuscation
phishing
rhadamanthys
russia
stealer
remote access
burnsrat
netsupport rat
meduza
2024-12-02
Published: December 2, 2024
Downloadable IOCs: 35

Attacks by APT-C-60 Group Exploiting Legitimate Services

The APT-C-60 group targeted organizations in Japan and East Asia with a sophisticated attack campaign. The attack begins with a phishing email containing a Google Drive link to download a VHDX file. This file includes an LNK file that executes a downloader, which then retrieves a backdoor called Sp…
phishing
lnk
downloader
com hijacking
bitbucket
2024-11-27
statcounter
east asia
vhdx
spygrace
Published: November 27, 2024
Downloadable IOCs: 0

Financially Motivated Threat Actor Leveraged Google Docs and Weebly Services

A phishing campaign targeting telecommunications and financial sectors was identified in late October 2024. The attackers used Google Docs to deliver phishing links, redirecting victims to fake login pages hosted on Weebly. This method bypassed standard email filters and endpoint protections by lev…
phishing
mfa bypass
sim swapping
financial sector
2024-11-27
google docs
telecom
tracking tools
weebly
Published: November 27, 2024
Downloadable IOCs: 35

RobotDropper Automates the Delivery of Multiple Infostealers

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through …
phishing
infostealer
dll sideloading
2024-11-26
legionloader
robotdropper
Published: November 26, 2024
Downloadable IOCs: 5

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…
xworm
phishing
social engineering
powershell
darkgate
lumma stealer
asyncrat
danabot
latrodectus
netsupport
cybersecurity
clickfix
threat actors
brute ratel c4
2024-11-18
malware delivery
lucky volunteer
recaptcha phish
threat landscape
Published: November 18, 2024
Downloadable IOCs: 0

Telekopye transitions to targeting tourists via hotel booking scam

ESET researchers have discovered that Telekopye, a Telegram-based toolkit used by cybercriminals to scam people on online marketplaces, has expanded its operations to target users of popular accommodation booking platforms like Booking.com and Airbnb. The scammers, referred to as Neanderthals, now …
phishing
cybercrime
scam
telegram
2024-11-17
telekopye
tourism
booking
marketplace
accommodation
Published: November 17, 2024
Downloadable IOCs: 0

Glove Stealer bypasses Chrome's App-Bound Encryption to steal cookies

Researchers have discovered a new .NET-based information stealer called Glove Stealer that targets browser extensions and local software to steal sensitive data like cookies, passwords, and cryptocurrency wallets. It uses a novel technique to bypass Chrome's App-Bound encryption by exploiting the I…
malware
phishing
information stealer
2024-11-16
chrome
encryption bypass
glove stealer
Published: November 16, 2024
Downloadable IOCs: 0

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Unit 42 researchers identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks using malware-infected video conference apps. The cluster likely operates from Laos and exploited a U.S.-based SMB IT services company to apply for other jobs, securing a position at …
phishing
north korea
supply chain
beavertail
contagious interview
invisibleferret
wagemole
2024-11-15
insider threat
fake it workers
Published: November 15, 2024
Downloadable IOCs: 6

Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

A Chinese financially motivated threat actor, dubbed SilkSpecter, has been uncovered targeting e-commerce shoppers in Europe and USA with a phishing campaign leveraging Black Friday discounts. The actor uses fake discounted products as lures to steal Cardholder Data, Sensitive Authentication Data, …
phishing
financial fraud
e-commerce
chinese threat actor
2024-11-14
oemapps
black friday
google translate
stripe
Published: November 14, 2024
Downloadable IOCs: 13

Malware Spotlight: A Deep-Dive Analysis of WezRat

Check Point Research provides a comprehensive analysis of WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware has been active for over a year, targeting organizations in multiple countries. WezRat's capabilities include executing commands, taking…
backdoor
espionage
phishing
infostealer
iran
modular
2024-11-14
wezrat
c&c
Published: November 14, 2024
Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

How to Improve Cyber Threat Investigations with TI Lookup

This article discusses the use of Threat Intelligence (TI) Lookup, a centralized service for threat data exploration and analysis. It highlights key features such as fast search results, extensive search parameters, and access to a large database of malware and phishing samples. The article explain…
phishing
remcos
stealc
cybersecurity
lumma
malware analysis
threat intelligence
agenttesla
yara rules
2024-11-13
darkvision
sandbox
ioc
Published: November 13, 2024
Downloadable IOCs: 0

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its oper…
apt
espionage
phishing
wiper
cyber-espionage
2024-11-12
middle east
ironwind
hamas
havoc demon
samecoin
Published: November 12, 2024
Downloadable IOCs: 90

Scammers target UK senior citizens with Winter Fuel Payment texts

Opportunistic scammers are exploiting the UK's recent changes to the Winter Fuel Payments program by targeting senior British residents with fraudulent text messages. These messages claim to offer 'winter heating allowance' and 'cost of living support', directing recipients to deceptive websites th…
phishing
2024-11-09
mobile-targeted
senior citizens
gov.uk impersonation
uk
winter fuel payment
text scam
Published: November 9, 2024
Downloadable IOCs: 597

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…
rat
phishing
powershell
remcos
CVE-2017-0199
process hollowing
2024-11-08
Published: November 8, 2024
Downloadable IOCs: 2

CVE-2024-38213: From Crumbs to Full Compromise in a Stealthy Cyber Attack

A targeted email campaign exploiting CVE-2024-38213 has been uncovered, disguised as communication related to the Gas Infrastructure Europe Annual Conference in Munich. The attack bypasses standard security protocols to deploy LummaStealer malware, stealing sensitive data. The vulnerability, known …
xworm
phishing
asyncrat
venomrat
formbook
CVE-2024-38213
2024-11-08
copy2pwn
darkgate rat
lummastealer
Published: November 8, 2024
Downloadable IOCs: 0

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…
apt
phishing
north korea
cryptocurrency
persistence
macos
2024-11-08
lessonone
growth
Published: November 8, 2024
Downloadable IOCs: 0

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network …
phishing
social engineering
identity theft
2024-11-07
Published: November 7, 2024
Downloadable IOCs: 239

CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits

A large-scale phishing campaign deploying the latest version of Rhadamanthys stealer (0.7) has been discovered. The campaign, dubbed CopyRh(ight)adamantys, uses copyright infringement claims to target various regions globally. It impersonates numerous companies, mainly from Entertainment/Media and …
phishing
rhadamanthys
stealer
copyright
2024-11-06
ocr
Published: November 6, 2024
Downloadable IOCs: 0

Attempts to disrupt Russian businesses with MetaStealer

A previously unknown threat actor, Venture Wolf, has been targeting Russian businesses since November 2023. The group uses multiple loaders to deliver MetaStealer, a malware that focuses on manufacturing, construction, IT, and telecommunications industries. The campaign involves disseminating archi…
obfuscation
phishing
data theft
injection
redline
metastealer
stealers
2024-11-05
loaders
Published: November 5, 2024
Downloadable IOCs: 20

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…
obfuscation
phishing
android
cryptocurrency
craxs rat
privilege escalation
2024-11-04
apk distribution
transaction hijacking
sms interception
g700 rat
Published: November 4, 2024
Downloadable IOCs: 3

Analyzing an Encrypted Phishing PDF

This analysis explores the challenges of decoding encrypted PDF documents, particularly in the context of phishing. It explains that while the structure of encrypted PDFs remains visible, strings and streams are encrypted. The article recommends using qpdf, an open-source tool, to decrypt PDFs for …
phishing
2024-11-04
decryption
qpdf
drm
pdf-parser
ciphertext
uri extraction
encrypted pdf
confidentiality
Published: November 4, 2024
Downloadable IOCs: 0

Booking.com Phishers May Leave You With Reservations

A recent spear-phishing campaign targeted a California hotel after its Booking.com credentials were stolen. The scam involved sending targeted messages within the Booking mobile app, claiming additional information was required for anti-fraud purposes. Booking.com confirmed a security incident affe…
phishing
credential theft
cybercrime
2024-11-02
2fa
hospitality
booking.com
travel
Published: November 2, 2024
Downloadable IOCs: 0

LastPass Warns of Hackers Misusing Reviews for Fake Support Numbers

LastPass has alerted users about a social engineering campaign targeting customers through fraudulent 5-star reviews on the Chrome Web Store. Hackers are posting fake reviews for the LastPass Chrome extension, promoting a bogus customer support phone number to steal user data. When users call this …
phishing
social engineering
2024-11-02
lastpass
password management
chrome web store
fake reviews
Published: November 2, 2024
Downloadable IOCs: 0

Threat actors use copyright infringement phishing lure to deploy infostealers

An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot dom…
obfuscation
phishing
evasion
lummac2
rhadamanthys
infostealer
taiwan
2024-10-31
facebook
copyright
Published: October 31, 2024
Downloadable IOCs: 0

Threat Intelligence Alert: Phish 'n' Ships Fakes Online Shops to Steal Money and Credit Card Information

A sophisticated fraud scheme dubbed 'Phish 'n' Ships' has been uncovered, involving fake web shops that exploit digital payment providers to steal consumers' money and credit card information. The operation, traced back to 2019, has infected over 1,000 websites, created 121 fake web stores, and res…
phishing
seo poisoning
2024-10-31
chinese threat actors
credit card theft
fake web stores
payment processor abuse
search engine manipulation
e-commerce fraud
Published: October 31, 2024
Downloadable IOCs: 22

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Z…
backdoor
phishing
russia
campaign
rdp
2024-10-30
remote desktop
apt29
midnight blizzard
unc2452
cozy bear
hustlecon
Published: October 30, 2024
Downloadable IOCs: 281

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…
phishing
powershell
infostealer
dll file
webdav
2024-10-30
javascript code
zip file
webdav server
strela
Published: October 30, 2024
Downloadable IOCs: 103

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domai…
phishing
apple
credential theft
dprk
infrastructure analysis
domain spoofing
2024-10-30
naver
tls certificates
Published: October 30, 2024
Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…
phishing
social engineering
credential theft
microsoft
domain abuse
2024-10-30
atlassian
docusign
confluence
Published: October 30, 2024
Downloadable IOCs: 2

Malicious RDP Files Identified in Latest Attack on Ukrainian Entities

CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign uses RDP configuration files to establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29…
phishing
apt28
ukraine
rdp
aws
2024-10-26
uac-0218
uac-0215
domain seizure
homesteel
cert-ua
Published: October 26, 2024
Downloadable IOCs: 0

Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers

A sophisticated scam targeting air travelers in Indian airports has been uncovered, involving a malicious Android app called 'Lounge Pass'. The app, distributed through fake domains, intercepts and forwards SMS messages from victims' devices to cybercriminals, resulting in significant financial los…
phishing
android
financial fraud
2024-10-25
sms stealer
airport scam
travel security
lounge pass
lounge access
mobile security
Published: October 25, 2024
Downloadable IOCs: 0

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It at…
phishing
evasion
persistence
valleyrat
remote access trojan
2024-10-25
uac bypass
chinese-speaking targets
Published: October 25, 2024
Downloadable IOCs: 3

Triad Nexus: FUNNULL CDN hosting DGA domains for suspect Chinese sites

Silent Push has uncovered a large-scale malicious infrastructure dubbed 'Triad Nexus' hosted on the FUNNULL content delivery network. The investigation revealed over 200,000 unique hostnames, with 95% created using Domain Generation Algorithms. FUNNULL is linked to hosting suspect gambling websites…
phishing
dga
gambling
2024-10-23
supply chain attack
funnull
triad nexus
suncity group
cdn
Published: October 23, 2024
Downloadable IOCs: 70

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT and a novel remote access trojan called PowerRAT. The attack utilizes modular infection chains, either through malicious Microsoft Word documents or HTML files with embedded…
phishing
dcrat
html smuggling
darkcrystal rat
russian-speaking
remote access trojan
2024-10-22
powerrat
gophish
Published: October 22, 2024
Downloadable IOCs: 2

New wave of Bumblebee malware attacks warned

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…
malware
loader
phishing
ransomware
evasion
in-memory
msi
bumblebee
2024-10-22
Published: October 22, 2024
Downloadable IOCs: 9

New Bumblebee Loader Infection Chain Signals Possible Resurgence

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…
loader
pikabot
phishing
cobalt strike
icedid
lnk
darkgate
latrodectus
stealth
2024-10-21
msi
bumblebee
infection-chain
in-memory-execution
Published: October 21, 2024
Downloadable IOCs: 11

Inside the Latrodectus Malware Campaign

The Latrodectus malware campaign employs a combination of traditional phishing techniques and innovative payload delivery methods to target financial, automotive, and healthcare sectors. The attack chain begins with compromised emails containing malicious PDF or HTML attachments, which redirect use…
obfuscation
phishing
icedid
javascript
healthcare
latrodectus
financial
2024-10-21
msi
dll
automotive
activex
rundll32
Published: October 21, 2024
Downloadable IOCs: 20

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…
phishing
social engineering
rhadamanthys
infostealer
cryptocurrency
stealc
clickfix
2024-10-18
web3
amos stealer
google meet
Published: October 18, 2024
Downloadable IOCs: 171

Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum

A cyber-enabled disinformation campaign called Operation MiddleFloor is targeting Moldova's government and education sectors ahead of crucial elections and an EU membership referendum. The campaign, attributed to a Russian-speaking group named Lying Pigeon, uses spoofed emails and documents to spre…
phishing
disinformation
elections
2024-10-10
moldova
eu referendum
email spoofing
lumma infostealer
Published: October 10, 2024
Downloadable IOCs: 69

Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloade…
loader
phishing
havoc
2024-10-08
demon
havoc framework
cybersecurity evasion
demon implant
post-exploitation
Published: October 8, 2024
Downloadable IOCs: 0

Mamba 2FA: A new contender in the AiTM phishing ecosystem

Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit being sold as phishing-as-a-service (PhaaS). It features capabilities similar to other popular AiTM phishing services, including handling two-step verifications for non-phishing-resistant MFA methods, supporting various aut…
phishing
aitm
phaas
microsoft 365
evasion techniques
2024-10-07
socket.io
multi-factor authentication
mamba 2fa
Published: October 7, 2024
Downloadable IOCs: 0

Analyzing the Awaken Likho APT group implant: new tools and techniques

A new campaign by the Awaken Likho APT group targeting Russian government agencies and industrial enterprises was discovered in June 2024. The group has significantly changed its attack methods, now preferring the MeshCentral platform agent instead of UltraVNC for remote access. The implant is deli…
apt
phishing
meshagent
meshcentral
2024-10-07
Published: October 7, 2024
Downloadable IOCs: 0

Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
obfuscation
xworm
phishing
python
powershell
asyncrat
webdav
2024-10-04
shellcode injection
trycloudflare
Published: October 4, 2024
Downloadable IOCs: 15

Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware

A campaign impersonating Royal Mail was identified delivering Prince ransomware, an open-source variant available on GitHub. The low-volume attack targeted UK and US organizations in mid-September, often originating from contact forms on target websites. The ransomware lacks decryption mechanisms a…
obfuscation
phishing
github
2024-10-02
prince ransomware
destructive attack
royal mail
open-source malware
prince
contact forms
Published: October 2, 2024
Downloadable IOCs: 3

Key Group uses leaked builders of ransomware and wipers

Key Group, also known as keygroup777, is a financially motivated ransomware group primarily targeting Russian users. The group has been active since 2022, using various leaked ransomware builders and wipers, including Xorist, Chaos, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/No…
phishing
ransomware
persistence
njrat
wiper
telegram
chaos
2024-10-02
xorist
slam
hakuna matata
annabelle
ruransom
ux-cryptor
multi-stage loaders
leaked builders
russian-speaking
judge/nocry
Published: October 2, 2024
Downloadable IOCs: 24

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…
phishing
social engineering
impersonation
iran
credential theft
2024-09-30
two-factor authentication
political campaigns
Published: September 30, 2024
Downloadable IOCs: 65

A Measure of Motive: How Attackers Weaponize Digital Analytics Tools

Threat actors are repurposing digital analytics and advertising tools to evade detection and enhance their malicious campaigns. The report explores how link shorteners, IP geolocation utilities, CAPTCHA systems, and advertising intelligence platforms are being weaponized. It provides insights into …
phishing
malvertising
captcha
2024-09-30
azorult
sockrat
adwind
jsocket
jrat
jfrutas
jbifrost
alienspy
trojan.maljava
frutas
unrecom
geolocation
evasion techniques
kraken ransomware
turkeydrop
friendspeak
dancefloor
link shorteners
digital analytics
advertising tools
mixlabel
Published: September 30, 2024
Downloadable IOCs: 10

Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz

Unit42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host o…
phishing
phaas
credential theft
2024-09-25
victim tracking
sniper dz
Published: September 25, 2024
Downloadable IOCs: 7

Russia-linked crypto threat actor involved in political spoofing tracked

A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large clus…
phishing
cryptocurrency
2024-09-20
political spoofing
us elections
Published: September 20, 2024
Downloadable IOCs: 6

SambaSpy – a new RAT targeting Italian users

A campaign exclusively targeting Italian users was detected in May 2024, delivering a new Remote Access Trojan (RAT) dubbed SambaSpy. The infection chain involves phishing emails impersonating a legitimate Italian real estate company, redirecting victims to a malicious website. The campaign employs…
rat
phishing
java
2024-09-19
credential stealing
sambaspy
Published: September 19, 2024
Downloadable IOCs: 24

An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader

UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
backdoor
phishing
2024-09-18
burnbook
Published: September 18, 2024
Downloadable IOCs: 14

Phishing Pages Delivered Through Refresh HTTP Response Header

Unit 42 researchers observed large-scale phishing campaigns in 2024 using a refresh entry in the HTTP response header. This technique, unlike traditional HTML-based phishing, occurs before HTML content processing and automatically refreshes webpages without user interaction. Attackers distribute ma…
phishing
credential theft
2024-09-18
http header
business email compromise
Published: September 18, 2024
Downloadable IOCs: 7

A Network of Harm: Gigabud Threat and Its Associates

An investigation reveals a significant connection between Gigabud and Spynote malware families, targeting over 50 financial apps including banks and cryptocurrency platforms. The campaign utilizes sophisticated distribution methods, including 11 command and control servers and 79 phishing websites …
phishing
cryptocurrency
spynote
banking trojan
2024-09-17
gigabud
android rat
Published: September 17, 2024
Downloadable IOCs: 116

Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics

From February to July 2024, an analysis of over 500 popular domains revealed more than 10,000 malicious lookalike domains employing typosquatting and brand impersonation techniques. Google, Microsoft, and Amazon were the most targeted brands, accounting for nearly 75% of phishing domains. Almost ha…
phishing
typosquatting
credential theft
scams
domain abuse
2024-09-12
brand impersonation
certificate abuse
Published: September 12, 2024
Downloadable IOCs: 10

Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries

The Scattered Spider cybercriminal group is targeting cloud infrastructures in the insurance and financial sectors using advanced techniques. They exploit leaked authentication tokens, conduct phishing and smishing campaigns, and leverage SIM swapping to bypass multi-factor authentication. The grou…
phishing
ransomware
blackcat
alphv
persistence
cloud
noberus
vidar stealer
stealc
redline stealer
raccoon stealer
2024-09-11
sim swapping
finance
insurance
Published: September 11, 2024
Downloadable IOCs: 12

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google …
phishing
remcosrat
asyncrat
credential theft
banking trojan
quasarrat
2024-09-05
blotchyquasar
Published: September 5, 2024
Downloadable IOCs: 16

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…
phishing
dll sideloading
gh0st rat
2024-09-05
toneshell
pif file
Published: September 5, 2024
Downloadable IOCs: 4

Emansrepo Stealer: Multi-Vector Attack Chains

A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming…
phishing
infostealer
remcos
2024-09-04
emansrepo
Published: September 4, 2024
Downloadable IOCs: 42

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like …
phishing
ransomware
russia
belarus
lockbit
CVE-2023-38831
2024-09-02
babuk
vasa locker
phantomdl
phantomcore
babyk
hacktivists
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 52

Stone Wolf employs Meduza Stealer to hack Russian companies

A malicious campaign by a group called Stone Wolf has been targeting Russian companies using phishing emails impersonating a legitimate industrial automation provider. The attackers aim to deliver Meduza Stealer, a commercial malware available on underground forums. The campaign involves sending an…
phishing
data theft
meduza stealer
2024-09-02
industrial automation
russian companies
Published: September 2, 2024
Downloadable IOCs: 41

The trojan horse that wanted to fly

Rocinante is a new strain of mobile malware originating from Brazil, capable of keylogging, stealing PII through phishing, and performing device takeover. It targets Brazilian banking institutions using a combination of Firebase messaging, HTTP traffic, WebSocket, and Telegram API for communication…
phishing
remote access
banking trojan
brazil
keylogging
mobile malware
2024-09-02
device takeover
hook
rocinante
ermac
Published: September 2, 2024
Downloadable IOCs: 4

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
phishing
powershell
infostealer
asyncrat
vbscript
2024-09-02
process hollowing
cryptocurrency wallets
browser data theft
Published: September 2, 2024
Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986
Downloadable IOCs: 8

The Emerging Dynamics of Deepfake Scam Campaigns on the Web

Researchers have uncovered dozens of scam campaigns utilizing deepfake videos featuring public figures like CEOs, news anchors, and government officials. These campaigns target victims in multiple countries using various languages. The scams promote fake investment schemes and government giveaways.…
phishing
social engineering
impersonation
fraud
ai
scams
2024-08-29
genai
deepfakes
2024-09-02
investment fraud
infrastructure analysis
Published: September 2, 2024
Downloadable IOCs: 428

Exploring Newly Released Top-Level Domains

An investigation into 19 new top-level domains (TLDs) released in the past year revealed various malicious activities, including phishing campaigns, distribution of potentially unwanted programs, torrenting websites, and pranking campaigns. The study found a correlation between the TLDs' general av…
phishing
dns
cybersecurity
2024-09-02
domain abuse
top-level domains
graph-based detection
redirection campaigns
domain registration
torrenting
Published: September 2, 2024
Downloadable IOCs: 22

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legit…
malware
phishing
evasion
globalprotect
2024-08-30
cnc
globalprotect.exe
Published: August 30, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 5

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …
phishing
social engineering
iran
credential theft
2024-08-26
election targeting
ycollection
lcollection
dwp
gcollection
Published: August 26, 2024
Downloadable IOCs: 38

NGate Android malware relays NFC traffic to steal cash

ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign…
malware
phishing
android
banking
2024-08-22
czechia
ngate
relay
nfc
Published: August 22, 2024
Downloadable IOCs: 12

GreenCharlie Infrastructure Linked to US Political Campaign Targeting

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…
malware
apt
espionage
phishing
iran
2024-08-21
powerstar
gorble
Published: August 21, 2024
Downloadable IOCs: 111

Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persist…
malware
phishing
stealer
latrodectus
downloader
cybersecurity
acr stealer
2024-08-20
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21412, CVE-2024-21893
Downloadable IOCs: 15

Ongoing Social Engineering Campaign Refreshes Payloads

Rapid7 observed a shift in tools utilized by threat actors in an ongoing social engineering campaign. The initial lure involves an email bombing followed by calls to users offering fake solutions. Once connected remotely, threat actors deploy payloads for credential harvesting, establishing command…
phishing
2024-08-20
social_engineering
remote_access
update7.exe
credential_access
update4.exe
update8.exe
update6.exe
update7.ps1
update3.exe
update2.dll
update5.dll
lateral_movement
update1.exe
antispam.exe
CVE-2022-26923
Published: August 20, 2024
Linked vulnerabilities : CVE-2022-26923
Downloadable IOCs: 43

2024 Paris Olympic Games Infrastructure Attack Report

This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
phishing
cryptocurrency
cybercrime
fraud
olympics
2024-08-16
Published: August 16, 2024
Downloadable IOCs: 148

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…
phishing
evasion
infostealer
cryptocurrency
injection
danabot
stealc
russian
2024-08-16
clipper
Published: August 16, 2024
Downloadable IOCs: 68

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …
rat
phishing
spyware
dll sideloading
cloudsorcerer
2024-08-14
plugy
grewapacha
Published: August 14, 2024
Downloadable IOCs: 5

Rivers of Phish: Sophisticated Phishing Targets Russia's Perceived Enemies Around the Globe

An extensive investigation uncovered an elaborate phishing campaign conducted by a Russia-based threat actor known as COLDRIVER, attributed to Russia's Federal Security Service. The campaign employed personalized social engineering tactics to target civil society groups, NGOs, journalists, and gove…
phishing
javascript
pdf
2024-08-14
coldwastrel
captcha
Published: August 14, 2024
Downloadable IOCs: 28

Ande Loader Leads to 0bj3ctivity Stealer Infection

In July 2024, eSentire's Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence, downloaded additional pa…
malware
loader
obfuscation
phishing
stealer
infection
2024-08-12
ande loader
0bj3ctivity stealer
Published: August 12, 2024
Downloadable IOCs: 2

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…
phishing
social engineering
anydesk
remote access
2024-08-09
uk banks
Published: August 9, 2024
Downloadable IOCs: 50

APT Group Kimsuky Targets University Researchers

A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, an…
apt
espionage
phishing
north korea
2024-08-09
universities
Published: August 9, 2024
Downloadable IOCs: 24

PureHVNC Deployed via Python Multi-stage Loader

FortiGuard Labs uncovered a sophisticated attack campaign utilizing multiple obfuscation and evasion techniques to distribute and execute various malware, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email containing a malicious attachment that initiates a …
xworm
rat
phishing
asyncrat
venomrat
2024-08-09
purehvnc
Published: August 9, 2024
Downloadable IOCs: 18

Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
phishing
ransomware
powershell
fileless
2024-08-07
cronus
Published: August 7, 2024
Downloadable IOCs: 8

RHADAMANTHYS: In-Depth Analysis of a Sophisticated Stealer Targeting Israeli Users

This comprehensive technical analysis delves into the intricate workings of an advanced and localized malware campaign employing the RHADAMANTHYS stealer. Dissecting the infection chain, anti-analysis techniques, data theft capabilities, and Command & Control infrastructure, this detailed report sh…
phishing
evasion
rhadamanthys
stealer
persistence
2024-08-05
israeli
Published: August 5, 2024
Downloadable IOCs: 5

Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and...

eSentire's Threat Response Unit (TRU) uncovered a malware campaign affecting a government customer. The infection involved multiple threats - XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT - hosted on a TryCloudflare WebDAV server. The initial vector was a phishing email with a malicious ZIP file.…
xworm
phishing
government
asyncrat
venomrat
2024-08-05
purelogs stealer
Published: August 5, 2024
Downloadable IOCs: 7

Fighting Ursa Luring Targets With Car for Sale

This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
malware
backdoor
espionage
phishing
russia
headlace
2024-08-05
diplomats
Published: August 5, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 6

Brief Overview of the DeerStealer Distribution Campaign

A recent cybersecurity investigation uncovered a malware distribution campaign called DeerStealer. The malware was disseminated through counterfeit Google Authenticator websites, tricking visitors into downloading the malicious payload hosted on GitHub. Upon execution, the stealer collects system i…
phishing
stealer
c2
deerstealer
2024-08-02
xfiles
xor
Published: August 2, 2024
Downloadable IOCs: 28

Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft

An examination of how threat actors hijack social media pages, rename them to resemble legitimate AI photo editors, and post malicious links to fake websites promoted through paid ads. The links trick users into installing endpoint management software, allowing the execution of credential stealers …
phishing
credential theft
lumma
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 73

Strikes with commercial malware against organizations in Kazakhstan

BI.ZONE experts have been monitoring the activities of a threat group called Bloody Wolf since late 2023. This group targets organizations in Kazakhstan using STRRAT, a commercial malware known as Strigoi Master. The attackers employ phishing emails posing as communications from government agencies…
phishing
data theft
remote access
2024-08-01
strrat
strigoi master
Published: August 1, 2024
Downloadable IOCs: 10

Threat actor impersonates Google via fake ad for Authenticator

An unknown threat actor created a deceptive advertisement that appeared as if it was from a reputable company, enticing users to click on it and visit a malicious website. The site hosted a digitally signed malicious file disguised as a popular multi-factor authentication application. Upon executio…
phishing
stealer
2024-07-31
deerstealer
authentication
advertising
Published: July 31, 2024
Downloadable IOCs: 5

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47

Likely eCrime Actor Capitalizing on Falcon Sensor Issues

A cybercrime group has leveraged a content update issue with the CrowdStrike Falcon sensor to distribute malicious files targeting Latin American customers. The campaign involves a ZIP archive named 'crowdstrike-hotfix.zip' containing a HijackLoader payload that loads RemCos malware, using Spanish …
phishing
remcos
hijackloader
2024-07-29
falcon
latam
Published: July 29, 2024
Downloadable IOCs: 14

GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware

Group-IB discovered a Spanish-speaking criminal group, GXC Team, offering a sophisticated AI-powered phishing-as-a-service platform targeting Spanish bank customers. The group specialized in developing phishing kits, Android malware, and AI-powered scam tools. Their malicious Android app, disguised…
phishing
android
banking
spain
2024-07-29
Published: July 29, 2024
Downloadable IOCs: 161

Malware Distributed Using Falcon Sensor Update Phishing Lure

CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stea…
phishing
stealer
lumma stealer
malspam
lumma
2024-07-29
Published: July 29, 2024
Downloadable IOCs: 32

Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave

This analysis explores the evolution of network threats associated with generative AI (GenAI) terms, correlating with key milestones like ChatGPT's launch and integration into Bing. It examines suspicious domain registrations capitalizing on the GenAI trend, their textual patterns, and traffic volu…
phishing
2024-07-26
spoofed domains
Published: July 26, 2024
Downloadable IOCs: 31

Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412

Cyble analyzes an ongoing campaign exploiting a Microsoft SmartScreen vulnerability to deliver stealers through spam emails. The campaign employs lures related to healthcare, transportation, and tax notices to trick users into downloading malicious payloads. It utilizes techniques like DLL sideload…
phishing
vulnerability
stealer
CVE-2024-21412
spam
malicious
2024-07-11
lumma
meduza stealer
Published: July 11, 2024
Downloadable IOCs: 12

FIN7: Silent Push unearths 4000+ phishing and shell domains

Silent Push threat analysts have uncovered an extensive series of campaigns linked to the FIN7 cybercrime group, including several hundred active phishing, spoofing, shell and malware delivery domains and IPs targeting various organizations. The campaigns utilize over 4000 domains and subdomains, w…
phishing
eugenloader
2024-07-11
carbanak
spoofing
anunak
gracewire
Published: July 11, 2024
Downloadable IOCs: 94

Analysis of Suspected APT Attack Activities by “Silver Fox”

This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
malware
obfuscation
apt
phishing
cybercrime
winos
2024-07-10
updatedll
Published: July 10, 2024
Downloadable IOCs: 7

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
phishing
social engineering
cryptocurrency
financial fraud
cybercrime
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 14

M365 adversary-in-the-middle campaign

Field Effect researchers uncovered a previously unreported campaign leveraging the Axios user agent string to facilitate business email compromise (BEC) attacks against Microsoft 365 (M365) accounts. The threat actor utilized malicious domains impersonating M365 login pages to harvest victims' cred…
phishing
credential
2024-07-08
bec
m365
harvesting
adversary-in-the-middle
Published: July 8, 2024
Downloadable IOCs: 19

The Hidden Danger of PDF Files with Embedded QR Codes

The report describes how malware authors are abusing PDF files with embedded QR codes to deceive users into visiting malicious phishing URLs disguised as legitimate services. The QR codes redirect users to fake Microsoft login pages designed to harvest credentials and potentially gain unauthorized …
phishing
credential theft
2024-07-05
pdf files
qr codes
malicious urls
Published: July 5, 2024
Downloadable IOCs: 1

ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
phishing
credential theft
cybercrime
2024-07-02
onnx store
qrcode
caffeine
fintech
Published: July 2, 2024
Downloadable IOCs: 25

An Android RAT targets Telegram Users

This analysis discusses SpyMax, a Remote Access Trojan (RAT) that targets Android devices and specifically aims at obtaining data from Telegram users. It employs phishing techniques to trick victims into installing a malicious application disguised as the legitimate Telegram app. Once installed, Sp…
surveillance
rat
phishing
android
keylogger
2024-06-28
spymax
Published: June 28, 2024
Downloadable IOCs: 4

DBatLoader Distributed via CMD Files

A cybersecurity analysis has identified a malicious operation involving the distribution of a downloader, dubbed DBatLoader or ModiLoader, through CMD files disguised as innocuous files. The campaign leverages phishing emails containing compressed CMD files that, when executed on English-language W…
stealthy
obfuscation
phishing
2024-06-27
downloader
dbatloader
modiloader
Published: June 27, 2024
Downloadable IOCs: 0

Phishing Incident Report: Facts and Timeline

On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out a phishing attack against the company's entire contact list. The initial compromise occurred on May 27 through an AiTM phishing campaign targeting the employee. Over the following weeks, the attacker maintained…
phishing
2024-06-25
data exfiltration
incident response
mfa bypass
email compromise
Published: June 25, 2024
Downloadable IOCs: 9

AdsExhaust, a Newly Discovered Adware MasqueradingOculus…

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
phishing
powershell
c2 server
download
2024-06-24
urls
adsexhaust
Published: June 24, 2024
Downloadable IOCs: 17

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
apt
espionage
rat
phishing
government
sugargh0st
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 148

Unveiling SpiceRAT: Latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign. The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh…
rat
phishing
sugargh0st
sideloading
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 6

SolarMarker Impersonates Job Employment Website

On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
backdoor
phishing
solarmarker
solarphantom
2024-06-18
stellarinjector
drive-by-download
Published: June 18, 2024
Downloadable IOCs: 6

Dipping into Danger: The WARMCOOKIE backdoor

Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
malware
backdoor
obfuscation
phishing
campaigns
2024-06-12
warmcookie
Published: June 12, 2024
Downloadable IOCs: 6

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has uncovered a sophisticated malicious campaign that exploits the Windows search functionality embedded in HTML code to deploy malware. The campaign initiates with a suspicious email containing an HTML attachment masquerading as a routine document like an invoice. Once opened,…
phishing
2024-06-11
search-ms
Published: June 11, 2024
Downloadable IOCs: 2

RAT Distributed as UUEncoding (UUE) File

This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…
obfuscation
rat
phishing
persistence
remcos
remote access
2024-06-11
Published: June 11, 2024
Downloadable IOCs: 3

New Agent Tesla Campaign Targeting Spanish-Speaking People

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…
malware
obfuscation
phishing
infostealer
2024-06-10
CVE-2017-0199
CVE-2017-11882
agent tesla
spain
Published: June 10, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 6

Cybercriminals attack banking customers in EU with V3B phishing kit

An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
phishing
cybercrime
fraud
social-engineering
banking
2024-06-10
Published: June 10, 2024
Downloadable IOCs: 44

Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a suspected geopolitical or hacktivist group. While their origin remains unclear, recent techniques suggest espionage and data exfiltration intent. Sticky Werewolf has targeted the aviation industry, employing ph…
phishing
rhadamanthys stealer
2024-06-07
netwire
rats
webdav
metastealer
ozone rat
lnks
aviation
darktrack
Published: June 7, 2024
Downloadable IOCs: 14

DarkGate again but... Improved?

The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
obfuscation
pikabot
rat
phishing
autohotkey
darkgate
2024-06-06
Published: June 6, 2024
Downloadable IOCs: 313

Warning Against Phishing Emails Prompting Execution of Commands via Paste

This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
phishing
powershell
darkgate
malicious
2024-06-06
emails
commands
Published: June 6, 2024
Downloadable IOCs: 15

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud

An analysis by McAfee's Mobile Research Team uncovered an Android InfoStealer malware masquerading as a government service app in Bahrain. The malicious app, promoted through deceitful Facebook pages and SMS messages, tricks users into providing personal information like CPR numbers, phone numbers,…
phishing
android
infostealer
fraud
malicious
2024-06-03
android/infostealer
Published: June 3, 2024
Downloadable IOCs: 14

Chat Messenger voting topics - a new way to steal accounts is gaining momentum

The Government Emergency Response Team of Ukraine CERT-UA informs about the increase in the number of cyberattacks aimed at gaining access to the accounts of popular messengers, including, using the techniques of bypassing two-factor authentication
phishing
credential harvesting
2024-05-31
Published: May 31, 2024
Downloadable IOCs: 230

Disrupting FlyingYeti's campaign targeting Ukraine

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…
malware
phishing
russia
ukraine
2024-05-31
CVE-2023-38831
cookbox
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 8

'Reptile Recon': Discovering CryptoChameleon fast flux IOFAs. Hundreds of domains, IPs, and ASNs discovered

A report detailing the analysis of the CryptoChameleon phishing kit, which is used to harvest sensitive information from employees and customers across various platforms. Silent Push Threat Analysts conducted research that revealed a large number of fast flux Indicators of Future Attack (IOFAs) tar…
phishing
2024-05-30
cryptochameleon
phishing kit
Published: May 30, 2024
Downloadable IOCs: 30

Side Loading through IObit against Colombia

In May 2024, researchers detected a phishing campaign impersonating the Colombian Attorney General's Office, aiming to infect systems with AsyncRAT malware. The attack employs a ZIP file containing legitimate IObit antivirus software and malicious files, utilizing DLL side-loading for execution. Wh…
phishing
asyncrat
2024-05-29
dllsideloading
processhollowing
Published: May 29, 2024
Downloadable IOCs: 3

Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling

Netskope Threat Labs has been tracking an increase in phishing campaigns hosted on Cloudflare Workers. The campaigns use techniques like HTML smuggling and transparent phishing to evade detections. The phishing pages target Microsoft and Google credentials. Netskope recommends inspecting web traffi…
phishing
credential theft
2024-05-28
html smuggling
cloudflare workers
Published: May 28, 2024
Downloadable IOCs: 134

Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware

Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
phishing
powershell
cloud
2024-05-22
vbscript
cloud#reverser
Published: May 22, 2024
Downloadable IOCs: 16

D3F@ck Loader, the New MaaS Loader

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge…
loader
phishing
danabot
2024-05-21
google ads
smartscreen
c2 server
figure
inno setup
microsoft
unit
cyber
fileswindows nt
threat response
Published: May 21, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 3

Banking trojan unleashed: Observing emerging global campaigns

IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string…
phishing
trojan
2024-05-20
banking
malware-as-a-service
grandoreiro
Published: May 20, 2024
Downloadable IOCs: 18

From Document to Script: Insides of Campaign

This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
obfuscation
phishing
darkgate
campaign
cybercrime
malicious
payload
2024-05-17
autoit
java
Published: May 17, 2024
Downloadable IOCs: 11

Payload Trends in Malicious OneNote Samples

This analysis examines the types of malicious payloads that attackers embed within Microsoft OneNote files to deceive users into executing malicious code. By analyzing approximately 6,000 malicious OneNote samples, it reveals that attackers frequently employ images resembling buttons to lure victim…
malware
phishing
shellcode
2024-05-16
onenote
malicious
payload
Published: May 16, 2024
Downloadable IOCs: 550

SugarGh0st RAT Used to Target American Artificial Intelligence Experts

This intelligence report provides details about a SugarGh0st RAT campaign conducted by an unattributed threat actor, tracked as UNK_SweetSpecter, targeting organizations in the United States involved in artificial intelligence (AI) efforts across academia, private industry, and government. The camp…
rat
phishing
2024-05-16
2024-05-11
sugargh0st
ai
gh0strat
sugargh0st rat
Published: May 16, 2024
Downloadable IOCs: 9

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…
phishing
social engineering
impersonation
cryptocurrency
2024-05-08
scam
fraud
romance
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 3

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…
phishing
ransomware
exfiltration
encryption
2024-05-08
qakbot
qbot
CVE-2020-1472
quackbot
pinkslipbot
CVE-2024-1709
healthcare
CVE-2021-34527
CVE-2021-42278
CVE-2021-42287
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472
Downloadable IOCs: 174

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…
phishing
social engineering
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
telecom targeting
lookalike domains
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-22024
Downloadable IOCs: 118

APT28 campaign against Polish government institutions

The CERT Polska team is investigating a large-scale malware campaign carried out by the Russian intelligence group APT28, which has been targeting Polish government institutions in the past year and is believed to be linked to the GRU.
phishing
apt28
russia
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
government
microsoft edge
webhook
bat script
mocky
headlace
poland
campaign
Published: May 8, 2024
Downloadable IOCs: 74

Scaly Wolf’s new loader: the right tool for the wrong job

The report analyzes a recent campaign by the Scaly Wolf threat group targeting organizations in Russia and Belarus. The group employs phishing emails disguised as communications from government agencies, containing legitimate documents and password-protected archives with malicious executables. The…
phishing
infostealer
white snake
winapi
Published: May 2, 2024
Downloadable IOCs: 23

Nearly 20% of Docker Hub Repositories Spread Malware & Phishing Scams

This report details an investigation by JFrog Security researchers on a coordinated attack on Docker Hub, where millions of malicious repositories were planted to spread malware and phishing scams. It analyzes three major malware campaigns, dubbed 'Downloader', 'eBook Phishing', and 'Website SEO', …
phishing
campaigns
repositories
freehtmlvalidator.exe
docker hub
Published: May 1, 2024
Downloadable IOCs: 46

Linux Trojan - Xorddos with Filename eyshcjdmzg

This analysis examines a recurring Linux trojan called Xorddos, which is a distributed denial-of-service (DDoS) malware. It provides details on various file hashes associated with the malware, as well as indicators of compromise (IOCs) such as IP addresses, domains, and email addresses. The analysi…
linux
phishing
trojan
ddos
xorddos
eyshcjdmzg
Published: May 1, 2024
Downloadable IOCs: 11

FakeBat Malware Distributing via Fake Browser Updates

This report details a recent malware campaign leveraging fake browser update notifications to distribute the FakeBat loader. The campaign employs sophisticated social engineering techniques, with malicious JavaScript code injected into compromised websites to trigger deceptive update prompts. These…
phishing
social engineering
fakebat
browser exploits
malicious scripts
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports