SecuriTricks - phishing

UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel

An analysis of threat clusters, dubbed UNG0801 or Operation IconCat, targeting Israeli organizations. The actors use socially engineered phishing lures in Hebrew, exploiting antivirus icon spoofing from well-known vendors like SentinelOne and Check Point. Two distinct infection chains were identifi…

phishing

dropbox

Published: December 22, 2025

Downloadable IOCs: 7

Evasive SideWinder APT Campaign Detected

A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign use…

income tax department

mpgear.dll

mysetup.exe

url shorteners

Published: December 20, 2025

Downloadable IOCs: 5

Cloud Atlas activity in the first half of 2025: what changed

The Cloud Atlas APT group continues to target countries in Eastern Europe and Central Asia using phishing emails with malicious attachments exploiting CVE-2018-0802. The infection chain now includes several implants: VBShower, VBCloud, PowerShower, and CloudAtlas. New and updated components are des…

Published: December 20, 2025

Downloadable IOCs: 0

A Series of Unfortunate (RMM) Events

Series of Unfortunate Events Summary: This analysis examines the increasing trend of threat actors abusing Remote Monitoring and Management (RMM) tools in their attacks. The report highlights a specific pattern where attackers use PDQ or GoTo Resolve to deploy secondary RMM tools like ScreenConnect…

Published: December 19, 2025

Downloadable IOCs: 0

Access granted: phishing with device code authorization for account takeover

Multiple threat clusters, including state-aligned and financially-motivated actors, are utilizing phishing tools to trick users into granting access to Microsoft 365 accounts via OAuth device code authorization. This technique leads to account takeovers, data exfiltration, and further compromises. …

Published: December 18, 2025

Downloadable IOCs: 8

BlueDelta’s Persistent Campaign Against UKR.NET

Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web service…

phishing

ngrok

credential harvesting

Published: December 17, 2025

Downloadable IOCs: 23

Kimsuky Distributing Malicious Mobile App via QR Code

A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption functi…

Published: December 16, 2025

Downloadable IOCs: 12

Russian APT actor phishes the Baltics and the Balkans

A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The ph…

Published: December 16, 2025

Downloadable IOCs: 0

Technical Analysis of the BlackForce Phishing Kit

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, includi…

Published: December 12, 2025

Downloadable IOCs: 0

Operation MoneyMount, ISO Deploying Phantom Stealer

A Russian phishing campaign targeting finance and accounting sectors uses fake payment confirmation emails to deliver Phantom stealer malware. The attack chain involves a ZIP file containing an ISO, which when mounted reveals an executable that loads the stealer. The malware employs anti-analysis t…

Published: December 12, 2025

Downloadable IOCs: 4

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

An active phishing campaign has been identified targeting organizations using Microsoft 365 and Okta for single sign-on. The campaign employs modern techniques to bypass multi-factor authentication and hijack legitimate SSO flows. It uses lookalike domains to impersonate Okta authentication pages a…

phishing

credential theft

adversary-in-the-middle

Published: December 10, 2025

Downloadable IOCs: 1

UDPGangster Campaigns Target Multiple Countries

UDPGangster, a UDP-based backdoor associated with the MuddyWater threat group, has been observed targeting users in Turkey, Israel, and Azerbaijan. The malware is delivered through malicious Microsoft Word documents with embedded VBA macros, employing sophisticated anti-analysis techniques to evade…

Published: December 10, 2025

Downloadable IOCs: 15

Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

A malicious email campaign exploits workforce anxieties by disguising itself as internal HR announcements about layoffs. The emails contain a RAR archive with a double-extension executable masquerading as a PDF document. Upon execution, the file deploys Remcos RAT, a remote access tool, which estab…

Published: December 9, 2025

Downloadable IOCs: 3

CastleLoader Activity Clusters Target Multiple Industries

Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses …

Published: December 9, 2025

Downloadable IOCs: 87

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to rem…

Published: December 8, 2025

Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199

Downloadable IOCs: 60

DNS Uncovers Infrastructure Used in SSO Attacks

The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, …

Published: December 3, 2025

Downloadable IOCs: 15

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…

Published: December 3, 2025

Downloadable IOCs: 0

Salty2FA & Tycoon2FA: Hybrid Phishing Threat

A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between distinct phishing kits. Analysis reveals a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid shows signs of Salty2…

Published: December 2, 2025

Downloadable IOCs: 0

Over 2,000 Holiday-Themed Fake Stores Detected Exploiting Black Friday and Festive Sales

Two clusters of holiday-themed fake online stores have been identified ahead of Black Friday and other festive sales. The first cluster includes over 750 interconnected sites using uniform holiday banners and misleading trust indicators, many impersonating Amazon. The second cluster spans a .shop e…

holiday shopping fraud

black friday scams

e-commerce impersonation

Published: November 27, 2025

Downloadable IOCs: 71

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…

Published: November 27, 2025

Downloadable IOCs: 3

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves sub…

phishing

typosquatting

credential harvesting

remote access trojans

Published: November 27, 2025

Downloadable IOCs: 0

Care that you share

This newsletter emphasizes the importance of thoughtful information sharing, especially during busy holiday periods. It highlights the risks of unintentional data leaks and increased phishing attempts during peak shopping seasons. The author recounts a positive experience sharing knowledge with uni…

Published: November 26, 2025

Downloadable IOCs: 5

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…

Published: November 26, 2025

Downloadable IOCs: 38

Brazilian Campaign: Spreading the Malware via WhatsApp

A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source automation script and loading a banking trojan into memory. The attack begins with a phishing email containing a malicious VBS script that downloads and executes an MSI file and another VBS f…

Published: November 24, 2025

Downloadable IOCs: 4

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…

Published: November 24, 2025

Downloadable IOCs: 9

APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

An internal leak from APT35 (Charming Kitten) reveals a sophisticated, state-directed cyber-intelligence operation targeting diplomatic, government, and corporate networks in the Middle East and Asia. The documents expose a bureaucratic structure with defined workflows, performance metrics, and spe…

intelligence collection

Published: November 22, 2025

Downloadable IOCs: 1

APT24 Pivot to Multi-Vector Attacks

APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They comprom…

strategic web compromise

Published: November 20, 2025

Downloadable IOCs: 0

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL,…

third-party compromise

Published: November 18, 2025

Downloadable IOCs: 16

How AI Is Fueling a New Wave of Black Friday Scams

AI tools are enabling cybercriminals to create sophisticated Black Friday scams, including realistic phishing emails, cloned websites, and fake social media ads. Common tactics involve impersonating trusted brands like Amazon and Temu, offering unrealistic discounts on luxury goods, and exploiting …

Published: November 15, 2025

Downloadable IOCs: 15

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

A cryptostealer for macOS utilizes a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, uses screen sessions for background execution, and employs a LaunchAgent for persistence. It exfiltrates crypto wallet data, colle…

Published: November 14, 2025

Downloadable IOCs: 7

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organization…

Published: November 14, 2025

Downloadable IOCs: 16

Thousands of Fake Hotel Domains Used in Massive Phishing Campaign

A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use c…

Published: November 11, 2025

Downloadable IOCs: 4135

Booking.com Phishing Campaign Targeting Hotels and Customers

A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduc…

Published: November 7, 2025

Downloadable IOCs: 100

Cavalry Werewolf hacker group attacks Russian state institutions

A Russian government organization was targeted by the Cavalry Werewolf hacker group, aiming to collect confidential information and network data. The attack began with phishing emails containing malware disguised as documents. The group utilized various tools including backdoors, trojans, and modif…

backdoor.reverseshell.10

backdoor.tunnel.41

trojan.inject5.57968

bat.downloader.1138

trojan.siggen31.54011

backdoor.shellnet.1

trojan.filespynet.5

backdoor.reverseproxy.1

backdoor.rshell.169

backdoor.siggen2.5463

trojan.packed2.49862

Published: November 7, 2025

Downloadable IOCs: 27

Crossed wires: a case study of Iranian espionage and attribution

This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Managemen…

espionage

phishing

credential harvesting

iranian threat actor

2025-11-05

rmm tools

attribution challenges

isl online

minibike

overlapping ttps

policy experts targeting

minijunk

pdqconnect

Published: November 5, 2025

Downloadable IOCs: 55

Remote access, real cargo: cybercriminals targeting trucking and logistics

Cybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use their access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) …

remote monitoring tools

Published: November 3, 2025

Downloadable IOCs: 39

LATAM baited into the delivery of PureHVNC

Between August and October 2025, a phishing campaign targeted Colombian users with emails impersonating the Attorney General's office. The emails contained links to download a malicious file, initiating an infection chain using Hijackloader to deliver PureHVNC Remote Access Trojan (RAT). The campai…

Published: October 31, 2025

Downloadable IOCs: 30

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…

Published: October 29, 2025

Downloadable IOCs: 10

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages

An extensive smishing campaign attributed to the Smishing Triad is targeting global users with fraudulent toll violation and package misdelivery notices. The operation has expanded beyond the U.S., impersonating international services across critical sectors like banking, healthcare, and law enforc…

Published: October 24, 2025

Downloadable IOCs: 35

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

The Jingle Thief campaign, conducted by financially motivated threat actors from Morocco, targets global enterprises in retail and consumer services sectors to execute gift card fraud. Using phishing and smishing tactics, the attackers gain access to Microsoft 365 environments, exploiting cloud ser…

identity-based threats

cloud-based attacks

gift card fraud

Published: October 22, 2025

Downloadable IOCs: 0

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …

Published: October 10, 2025

Downloadable IOCs: 59

ClayRat: A New Android Spyware Targeting Russia

ClayRat is a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, it masquerades as popular apps to lure victims. The spyware can exfiltrate SMS messages, call logs, notifications, and device information, as well as t…

Published: October 10, 2025

Downloadable IOCs: 857

The Evolution of Qilin RaaS

Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of…

Published: October 8, 2025

Downloadable IOCs: 5

APT Meets GPT: Targeted Operations with Untamed LLMs

Over the course of three months, Volexity observed UTA0388 using various themes and fictional identities across dozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and send emails in a variety of different languages, including English, Chinese, Japa…

Published: October 8, 2025

Downloadable IOCs: 41

XWorm V6: Exploring Pivotal Plugins

Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which depl…

Published: October 6, 2025

Downloadable IOCs: 22

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…

Published: October 6, 2025

Downloadable IOCs: 23

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…

Published: October 6, 2025

Downloadable IOCs: 0

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…

apt

phishing

government

credential harvesting

south asia

military

2025-10-06

Published: October 6, 2025

Downloadable IOCs: 0

New spyware campaigns target privacy-conscious Android users in the UAE

Two Android spyware campaigns, ProSpy and ToSpy, have been discovered targeting users in the United Arab Emirates. These campaigns impersonate secure messaging apps like Signal and ToTok, distributing malware through deceptive websites and social engineering tactics. Once installed, the spyware exf…

Published: October 2, 2025

Downloadable IOCs: 30

Werewolf raids Russia's public sector with trusted relationship attacks

Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malwa…

Published: October 2, 2025

Downloadable IOCs: 0

Silent Smishing: The Hidden Abuse of Cellular Router APIs

This report analyzes a smishing campaign exploiting vulnerabilities in Milesight Industrial Cellular Routers to send malicious SMS messages. The attackers targeted primarily Belgian users by impersonating government services like CSAM and eBox. Over 18,000 vulnerable routers were identified globall…

Published: October 1, 2025

Linked vulnerabilities : CVE-2023-43261

Downloadable IOCs: 245

Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

An analysis of robots.txt files revealed over 60 cryptocurrency phishing pages impersonating hardware wallet brands Trezor and Ledger. The actor behind these pages attempted to block phishing reporting sites by including their endpoints in the robots.txt file, demonstrating a misunderstanding of it…

Published: September 30, 2025

Downloadable IOCs: 2

XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis

This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload. This payload is a .NET binary that reflectively loa…

reflective dll injection

2025-09-29

Published: September 29, 2025

Downloadable IOCs: 8

Threat Hunting on potential APT35 Servers

The article discusses the discovery of two servers sharing similarities with those reported by Check Point on APT35, an Iranian threat group. The servers are active and resolve multiple domains used for phishing purposes. The analysis focuses on the HTML page displayed on some domains, which contai…

phishing

typosquatting

threat hunting

infrastructure tracking

2025-09-27

iranian apt

video conferencing

Published: September 27, 2025

Downloadable IOCs: 0

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware …

Published: September 26, 2025

Downloadable IOCs: 0

IOCs for phishing campaign using BitM pages

This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific…

phishing

2025-09-26

browser-in-the-middle

bitm

Published: September 26, 2025

Downloadable IOCs: 208

GUNRA RANSOMWARE: What You Don't Know!

Gunra Ransomware is a double extortion group targeting global victims, excluding the US. They primarily attack Windows systems, recently expanding to Linux. The group uses phishing as their main vector and negotiates through a WhatsApp-themed chat panel. They can encrypt large files quickly using a…

Published: September 24, 2025

Downloadable IOCs: 0

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campa…

Published: September 19, 2025

Downloadable IOCs: 0

Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer

A new phishing campaign is targeting crypto industry developers and influencers with fake interview requests impersonating the popular Empire podcast. Attackers pose as hosts, luring victims to fraudulent websites mimicking platforms like Streamyard and Huddle. These sites prompt users to download …

Published: September 19, 2025

Downloadable IOCs: 7

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…

initial access broker

adaptixc2

2025-09-19

countloader

Published: September 19, 2025

Downloadable IOCs: 27

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…

credential harvesting

Published: September 18, 2025

Downloadable IOCs: 1

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…

Published: September 16, 2025

Downloadable IOCs: 17

A new RevengeHotels campaign targets Latin America

RevengeHotels, a threat group active since 2015, has launched a new campaign targeting the hospitality sector in Latin America. The group has evolved its tactics, now utilizing AI-generated code and the advanced VenomRAT malware. Their primary attack vector remains phishing emails with invoice them…

Published: September 16, 2025

Linked vulnerabilities : CVE-2017-0199

Downloadable IOCs: 0

August 2025 Trends Report on Phishing Emails

The analysis reveals that phishing was the predominant threat in email attachments during August 2025, accounting for 63% of cases. Threat actors employed HTML scripts to replicate legitimate login pages and promotional content, aiming to capture user credentials. The report highlights an increase …

Published: September 16, 2025

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 4

Digital Frontlines: India Under Multi-Nation Hacktivist Attack

In July-August 2025, India faced a surge of cross-border cyberattacks combining data breaches, DDoS, defacement, phishing, and malware. Pakistani, Bangladeshi, Russian, Indonesian, and likely Chinese actors targeted Indian judicial, defense, and transport systems. High-impact incidents included jud…

103.97.128.77#clientsetup.exe

fshost64.exe

svchost.exe

manc.exe

Published: September 15, 2025

Downloadable IOCs: 14

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It em…

Published: September 12, 2025

Downloadable IOCs: 14

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

In 2025, a significant surge in phishing attacks targeting major U.S. energy companies was observed. The campaign primarily focused on Chevron, ConocoPhillips, PBF Energy, and Phillips 66, utilizing sophisticated impersonation techniques. Attackers employed HTTrack-based cloning to replicate legiti…

phishing

rhadamanthys

credential harvesting

Published: September 12, 2025

Downloadable IOCs: 43

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …

Published: September 11, 2025

Downloadable IOCs: 2

Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

Axios user agent activity has surged by 241% from June to August 2025, outpacing other flagged user agents. Attacks combining Axios with Direct Send achieved a 70% success rate in recent campaigns, significantly higher than non-Axios campaigns. The combination exploits Direct Send's trusted nature …

Published: September 10, 2025

Downloadable IOCs: 14

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

A sophisticated phishing campaign targeting Japanese users employs MostereRAT, a Remote Access Trojan that utilizes advanced evasion techniques. The attack chain involves multiple stages, including an Easy Programming Language (EPL) payload, security tool disabling, and mTLS-secured C2 communicatio…

Published: September 9, 2025

Downloadable IOCs: 12

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

A data breach attributed to a North Korean-affiliated actor known as "Kim" has provided new insights into Kimsuky (APT43) tactics and infrastructure. The actor's operations focus on credential-based intrusions targeting South Korean and Taiwanese networks, utilizing Chinese-language tools and infra…

Published: September 8, 2025

Downloadable IOCs: 11

From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

An AWS access key compromise led to a sophisticated SES abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES san…

Published: September 4, 2025

Downloadable IOCs: 4

Tax refund scam targets Californians

The California Franchise Tax Board has issued a warning about a tax scam targeting taxpayers through text messages. The scam involves fraudulent links mimicking official FTB web pages to steal personal and banking information. The messages claim to be about approved tax refunds and request recipien…

Published: September 3, 2025

Downloadable IOCs: 11

Sindoor Dropper: New Phishing Campaign

A sophisticated phishing campaign targeting Indian organizations has been uncovered, utilizing spear-phishing techniques reminiscent of Operation Sindoor. The campaign employs a Linux-focused infection method using weaponized .desktop files, a tactic previously associated with APT36. When executed,…

Published: September 2, 2025

Downloadable IOCs: 14

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…

Published: September 1, 2025

Downloadable IOCs: 18

ZipLine Phishing Campaign Targets U.S. Manufacturing

A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legit…

Published: August 27, 2025

Downloadable IOCs: 32

UNC Cluster Targeting South Asian Countries

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login p…

Published: August 27, 2025

Downloadable IOCs: 0

Virtual Infrastructure Abuse leads to SaaS Hijacks

This analysis examines a series of coordinated SaaS account compromises across multiple customer environments, involving suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. The attackers leveraged virtual private ser…

Published: August 27, 2025

Downloadable IOCs: 0

The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN's Legacy to Target Indonesian Senior Citizens

A sophisticated mobile malware campaign is targeting Indonesian pensioners by impersonating TASPEN, the state pension fund. The attackers use a phishing website to distribute a malicious Android app that steals banking credentials, intercepts SMS messages for OTPs, and captures biometric data. The …

Published: August 27, 2025

Downloadable IOCs: 7

Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

In August 2025, significant cyber attacks emerged, including a 7-stage Tycoon2FA phishing campaign targeting government, military, and financial institutions across the US, UK, Canada, and Europe. The attack uses multiple verification steps to evade security systems. A new ClickFix campaign deliver…

Published: August 26, 2025

Downloadable IOCs: 27

Phishing Campaign Targeting Companies via UpCrypter

A sophisticated phishing campaign has been identified, utilizing carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages entice recipients to download JavaScript files that act as droppers for UpCrypter, a malware that ultimately deploys various remote ac…

Published: August 26, 2025

Downloadable IOCs: 29

Analyzing LAMEHUG

LAMEHUG, discovered on July 10, 2025, is the first known malware integrating large language model capabilities into its attack methodology. Attributed to APT28 (Fancy Bear) with moderate confidence, it targeted Ukrainian government officials through phishing emails containing malicious executables.…

ai-generated commands

Published: August 24, 2025

Downloadable IOCs: 0

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure

A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fa…

Published: August 22, 2025

Downloadable IOCs: 0

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …

atomic macos stealer (amos)

lampion

2025-08-21

windows run dialog

Published: August 21, 2025

Downloadable IOCs: 10

Cybercriminals Abuse AI Website Creation App For Phishing

Cybercriminals are exploiting an AI-powered website creation platform called Lovable to generate fraudulent websites for credential phishing and malware delivery. The threat actors create or clone sites impersonating well-known brands, use CAPTCHA for filtering, and post stolen credentials to Teleg…

ai-generated websites

lovable platform

Published: August 21, 2025

Downloadable IOCs: 0

Paper Werewolf targets Russia with WinRAR zero-day vulnerability

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor used phishing emails impersonating Russian organizations, delivering malware through archive files. The attacks targeted Russian entities, ut…

Published: August 20, 2025

Downloadable IOCs: 0

Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations

Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by routing malicious messages through trusted infrastructure. This technique requires no credentials, only knowledge of the target domain and valid recipient …

business email compromise

email security

2025-08-18

direct send

Published: August 18, 2025

Downloadable IOCs: 27

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

A new ransomware strain called 'Blue Locker' is targeting Pakistan's oil and gas sector, particularly affecting Pakistan Petroleum Limited. The National Cyber Emergency Response Team (NCERT) has issued warnings to 39 key ministries and institutions about this severe threat. The ransomware, which sh…

Published: August 15, 2025

Downloadable IOCs: 0

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…

Published: August 15, 2025

Downloadable IOCs: 0

CastleLoader Analysis

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and Au…

Published: August 13, 2025

Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …

Published: August 11, 2025

Downloadable IOCs: 0

Fake Tesla Websites Scams

A recent scam involves fake Tesla websites advertised through Google paid ads, targeting potential customers interested in preordering the Optimus robot. These fraudulent sites mimic Tesla's official website design and offer non-existent preorders for various Tesla products, including the Optimus r…

Published: August 10, 2025

Downloadable IOCs: 0

Phishing Attack: Deploying Malware on Indian Defense BOSS Linux

APT36, a Pakistan-based threat actor, has launched a sophisticated cyber-espionage campaign targeting the Indian defense sector. The group has adapted its tactics to focus on Linux-based environments, particularly BOSS Linux, used by Indian government agencies. The attack involves phishing emails w…

Published: August 8, 2025

Downloadable IOCs: 8

650 Attack Tools, One Coordinated Campaign

The GreedyBear attack group has launched a massive crypto theft operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Their tactics include Extension Hollowing to bypass marketplace security, distributing various malware families, …

Published: August 8, 2025

Downloadable IOCs: 111

GenAI Used to Impersonate Brazil's Government Websites

Threat actors are leveraging generative AI tools like DeepSite AI and BlackBox AI to create phishing templates that closely mimic official Brazilian government websites, such as the State Department of Traffic and Ministry of Education. These malicious replicas are boosted in search results using S…

phishing

seo poisoning

brazil

government impersonation

Published: August 8, 2025

Downloadable IOCs: 7

The Homograph Illusion: Not Everything Is As It Seems

Homograph attacks involve using non-Latin characters that visually resemble Latin characters to create words that appear legitimate but are actually different. This technique allows attackers to evade detection and analysis, crafting malicious emails that can lead to credential theft or malware inf…

character substitution

homograph attack

unicode

Published: August 8, 2025

Downloadable IOCs: 8

Unmasking the SVG Threat: How Hackers Use Vector Graphics for Phishing Attacks

Attackers are exploiting Scalable Vector Graphics (SVG) files to execute sophisticated phishing attacks. SVGs, typically used for scalable images, can contain embedded JavaScript that executes when opened in a browser. The attack chain involves sending SVG attachments via spear-phishing emails or c…

Published: August 7, 2025

Downloadable IOCs: 2

Odyssey Stealer Malware Attacks macOS Users

A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript…

Published: August 7, 2025

Downloadable IOCs: 3

Email-Delivered RMM: Abusing PDFs for Silent Initial Access

A targeted campaign has been observed since November 2024, primarily affecting organizations in France and Luxembourg. The attackers use socially engineered emails to deliver PDF documents containing embedded links to Remote Monitoring and Management (RMM) tool installers. This method bypasses many…

Published: August 7, 2025

Downloadable IOCs: 51

New Arsenal: LAMEHUG, the First AI-Powered Malware

APT28, a Russian threat group, has developed LAMEHUG, a Python-based malware that utilizes AI to generate and execute system commands. This malware, targeting Ukraine's security and defense sector, begins with a phishing email containing a malicious attachment. LAMEHUG employs the Qwen 2.5-Coder-32…

Published: August 7, 2025

Downloadable IOCs: 0

A Phishing Campaign Targeting Indian Government Entities

A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass mult…

credential-harvesting

2025-08-03

kavach

otp

Published: August 3, 2025

Downloadable IOCs: 2

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chai…

application impersonation

tycoon

Published: August 1, 2025

Downloadable IOCs: 0

Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor

APT36, a Pakistan-linked threat group, has expanded its operations to target Indian government and civilian infrastructure, including railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing techniques and novel payload strategies, using .desktop files dis…

government impersonation

Published: August 1, 2025

Downloadable IOCs: 36

RedHook: A New Android Banking Trojan Targeting Users In Vietnam

A sophisticated Android banking trojan named RedHook has been discovered targeting Vietnamese users through spoofed government and financial websites. The malware uses WebSocket to communicate with its command-and-control server and supports over 30 remote commands, enabling complete control over c…

Published: July 31, 2025

Downloadable IOCs: 13

Android Malware Posing As Indian Bank Apps

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It emplo…

Published: July 25, 2025

Downloadable IOCs: 2

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…

Published: July 25, 2025

Downloadable IOCs: 5

A Special Mission to Nowhere

A phishing campaign exploiting the aftermath of a military conflict between Israel and Iran has been identified. The scam, using a fake domain 'lineageembraer.online', offers evacuation flights from Tel Aviv to New York on an Embraer Lineage 1000E business jet. The website presents unrealistic pric…

Published: July 23, 2025

Downloadable IOCs: 1

DeedRAT Backdoor Enhanced with Advanced Capabilities

Chinese threat actors have launched a new phishing campaign using DeedRAT, a modular backdoor. The campaign exploits a DLL side-loading vulnerability in VIPRE Antivirus Premium's MambaSafeModeUI.exe. DeedRAT now includes a new NetAgent module, expanding its capabilities. The malware uses TCP for C2…

antivirus exploitation

deedrat

netagent

Published: July 21, 2025

Downloadable IOCs: 4

Android Cryptojacker Masquerades as Banking App to Mine Cryptocurrency on Locked Devices

A new Android malware campaign has been discovered, disguising itself as a banking app to covertly mine cryptocurrency on locked devices. The malware, distributed through a phishing website impersonating Axis Bank, downloads and executes a modified version of XMRig, a popular cryptocurrency mining …

Published: July 18, 2025

Downloadable IOCs: 1

Chinese Malware Delivery Domains: Part III

This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake applicat…

Published: July 18, 2025

Downloadable IOCs: 1159

Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting

Between March and June 2025, three Chinese state-sponsored threat actors conducted targeted phishing campaigns against the Taiwanese semiconductor industry. The campaigns targeted organizations involved in semiconductor manufacturing, design, testing, supply chain, and financial analysis. This acti…

Published: July 17, 2025

Downloadable IOCs: 54

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

A Malware-as-a-Service operation utilizing Amadey for payload delivery has been identified, with connections to a SmokeLoader phishing campaign targeting Ukrainian entities. The operation exploits fake GitHub accounts to host payloads and tools, bypassing web filtering. Emmenhtal, a multistage down…

Published: July 17, 2025

Downloadable IOCs: 4

SVG Smuggling - Image Embedded JavaScript Redirect Attacks

Threat actors are increasingly using Scalable Vector Graphics (SVG) files to deliver JavaScript-based redirect attacks. These SVGs contain embedded, obfuscated JavaScript that initiates browser redirects to attacker-controlled infrastructure. The campaign uses email spoofing and impersonation to de…

Published: July 17, 2025

Downloadable IOCs: 0

June 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats and security issues affecting financial companies in South Korea and globally. It examines malware and phishing cases targeting the financial sector, including the top 10 malware strains and leaked Korean account statistics on Telegram. The report de…

Published: July 16, 2025

Downloadable IOCs: 0

Rainbow Hyena strikes again: new backdoor and shift in tactics

A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email addresses to distribute malicious attachments, including polyglot files and LNK files mimicking legitimate documents. A new custom-built…

Published: July 15, 2025

Downloadable IOCs: 0

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that do…

Published: July 10, 2025

Downloadable IOCs: 21

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads

An unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infec…

persistence mechanisms

russian targets

vbs scripts

delphi executable

Published: July 9, 2025

Downloadable IOCs: 2

Batavia spyware steals data from Russian organizations

The Batavia spyware campaign, active since July 2024, targets Russian industrial enterprises through phishing emails containing malicious links disguised as contract documents. The infection process involves three stages: a VBS script downloader, the WebView.exe spyware, and the javav.exe module. T…

phishing

spyware

uac bypass

multi-stage infection

Published: July 7, 2025

Downloadable IOCs: 2

A message from the mechanical shark

Bruce, the mechanical shark from Jaws, reflects on his role in the iconic film 50 years later. He shares insights on the challenges faced during filming due to unpredictable ocean conditions, drawing parallels to cybersecurity. Bruce emphasizes the importance of overpreparing, maintaining perspecti…

Published: July 6, 2025

Downloadable IOCs: 7

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…

credential harvesting

remote access trojan

colombia

2025-07-02

Published: July 2, 2025

Downloadable IOCs: 8

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…

Published: June 30, 2025

Downloadable IOCs: 34

Getting a career in cybersecurity isn't easy, but this can help

The article provides insights into starting a career in cybersecurity, emphasizing that the path is not always straightforward. It highlights the importance of having a good attitude, being easy to work with, continuous learning, persistence, joining security communities, and making the most of cur…

Published: June 27, 2025

Downloadable IOCs: 5

Hacker Exploit Social Security Statement Theme to Target Over 2,000 Victims with Malware

A sophisticated phishing campaign has targeted over 2,000 individuals by exploiting the theme of official Social Security statements. Cybercriminals used a convincing phishing lure, mimicking legitimate communication from the Social Security Administration. The attack involved a URL directing victi…

Published: June 26, 2025

Downloadable IOCs: 2

Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware

APT36, a Pakistan-based cyber espionage group, is actively targeting Indian defense personnel through sophisticated phishing campaigns. The group disseminates emails with malicious PDF attachments resembling official government documents. When opened, these PDFs display a blurred background and a b…

Published: June 21, 2025

Downloadable IOCs: 0

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…

Published: June 20, 2025

Downloadable IOCs: 0

TxTag Takedown: Busting Phishing Email Schemes

A new phishing campaign has been observed leveraging a .gov domain to deceive employees into believing they owe unpaid tolls. The scheme uses urgency and fear tactics, threatening penalties or vehicle registration holds if the balance is not paid immediately. The attackers utilize the GovDelivery s…

Published: June 20, 2025

Downloadable IOCs: 1

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disgu…

Published: June 20, 2025

Downloadable IOCs: 5

DMV-Themed Phishing Campaign Targeting U.S. Citizens

A sophisticated phishing campaign impersonating U.S. state Departments of Motor Vehicles emerged in May 2025, using SMS phishing and deceptive websites to harvest personal and financial data. Victims received messages about unpaid toll violations, directing them to fake DMV sites requesting extensi…

infrastructure-analysis

Published: June 20, 2025

Downloadable IOCs: 6

Crypto Phishing Applications On The Play Store

An investigation uncovered more than 20 cryptocurrency phishing applications on the Google Play Store impersonating legitimate wallets like SushiSwap and PancakeSwap. These malicious apps employ phishing techniques to steal users' mnemonic phrases, allowing access to real wallets and theft of funds…

Published: June 20, 2025

Downloadable IOCs: 36

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…

Published: June 20, 2025

Downloadable IOCs: 11

Steam Phishing: Popular as Ever

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' c…

Published: June 20, 2025

Downloadable IOCs: 31

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The …

Published: June 20, 2025

Downloadable IOCs: 147

What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

A Russia state-sponsored cyber threat actor impersonated the U.S. Department of State to target prominent academics and critics of Russia. The attackers used extensive rapport building and tailored lures to convince targets to set up application specific passwords (ASPs). Once obtained, these ASPs …

Published: June 18, 2025

Downloadable IOCs: 2

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious acti…

Published: June 18, 2025

Downloadable IOCs: 3

AsyncRAT Campaign Continues to Evade Endpoint Detection

A wide-ranging phishing campaign has been identified that enables threat actors to bypass traditional security controls and delay detection. The campaign, tracked since 2024, has facilitated remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across numerous o…

Published: June 17, 2025

Downloadable IOCs: 0

From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Steale…

Published: June 13, 2025

Downloadable IOCs: 0

New BrowserVenom malware being distributed via fake DeepSeek phishing website

A new malicious campaign is distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The phishing site, promoted via Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy …

Published: June 11, 2025

Linked vulnerabilities : CVE-2024-3721

Downloadable IOCs: 7

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_e…

Published: June 11, 2025

Downloadable IOCs: 24

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto…

Published: June 9, 2025

Downloadable IOCs: 55

Threat Analysis: DCRat presence growing in Latin America

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's pre…

Published: June 6, 2025

Downloadable IOCs: 3

How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

A high-severity phishing campaign targeting old version Office Application users exploits CVE-2017-0199 vulnerability to deliver FormBook malware. The attack begins with an email containing a malicious Excel attachment. When opened, it triggers the vulnerability, downloading and executing a malicio…

Published: June 5, 2025

Linked vulnerabilities : CVE-2017-0199

Downloadable IOCs: 8

Operation Phantom Enigma

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser exten…

Published: June 5, 2025

Downloadable IOCs: 0

Be Careful With Fake Zoom Client Downloads

A deceptive email containing a fake Zoom meeting invitation has been identified. Clicking the 'join' button leads to a website prompting users to install a purported Zoom client update. The downloaded executable, 'Session.ClientSetup.exe', is actually malware that installs an MSI package. This pack…

Published: June 5, 2025

Downloadable IOCs: 2

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake …

Published: June 4, 2025

Downloadable IOCs: 2

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…

credential-harvesting

Published: June 4, 2025

Downloadable IOCs: 2

Illuminating Transparent Tribe

This analysis explores the infrastructure of APT36, also known as Transparent Tribe, using passive DNS and host response history. Starting with indicators from a CyberXTron report on a targeted phishing attack against Indian Government and Defense, the investigation expands through DNS history, IP …

infrastructure discovery

Published: June 3, 2025

Downloadable IOCs: 3

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…

Published: May 29, 2025

Downloadable IOCs: 35

Fake Bitdefender Site Spreads Trio of Malware Tools

A spoofed Bitdefender website is being used in a malicious campaign to distribute VenomRAT, StormKitty, and SilentTrinity malware. The fake site mimics Bitdefender's legitimate antivirus download page but redirects visitors to malicious files hosted on Bitbucket and Amazon S3. The malware package a…

Published: May 28, 2025

Downloadable IOCs: 0

Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations

Silent Werewolf has launched two new campaigns targeting Russian and Moldovan organizations, utilizing sophisticated loaders to deliver malicious payloads. The attacks employ phishing emails with ZIP attachments containing obfuscated C# loaders. These loaders use legitimate tools and code obfuscati…

Published: May 27, 2025

Downloadable IOCs: 28

Targets Tajikistan: New Macro Word Documents Phishing Tactics

From January to February 2025, a phishing campaign targeting Tajikistan was detected and attributed to TAG-110, a Russia-aligned threat actor. The campaign used Tajikistan government-themed documents as lures, shifting from previous tactics to macro-enabled Word template files for initial payload d…

Published: May 22, 2025

Downloadable IOCs: 6

How Adversary Telegram Bots Help to Reveal Threats: Case Study

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign,…

phishing

exfiltration

credential harvesting

Published: May 21, 2025

Downloadable IOCs: 16

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure share…

phishing

credential harvesting

Published: May 16, 2025

Downloadable IOCs: 77

Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

The Trustwave SpiderLabs Email Security team has identified a significant increase in SVG image-based attacks, where seemingly harmless graphics are used to conceal dangerous links. Cybercriminals are exploiting the ability of SVG files to embed JavaScript, which can execute automatically upon open…

Published: May 16, 2025

Downloadable IOCs: 4

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…

Published: May 16, 2025

Downloadable IOCs: 45

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…

Published: May 14, 2025

Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)

Downloadable IOCs: 4

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…

credential harvesting

Published: May 13, 2025

Downloadable IOCs: 11

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in …

Published: May 12, 2025

Downloadable IOCs: 0

Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge

In May 2025, Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. However, an investigation reveals most breaches were exaggerated or fake. Alleged data leaks contained primarily public information, website defacement…

Published: May 11, 2025

Downloadable IOCs: 0

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking se…

redirection techniques

search engine poisoning

wallet theft

Published: May 9, 2025

Downloadable IOCs: 71

Unmasking the FreeDrain Network

A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lur…

phishing

cryptocurrency

infrastructure analysis

Published: May 8, 2025

Downloadable IOCs: 0

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered …

Published: May 7, 2025

Downloadable IOCs: 0

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data…

Published: May 7, 2025

Downloadable IOCs: 3

CoGUI Phish Kit Targets Japan with Millions of Messages

A sophisticated phishing kit named CoGUI is targeting Japanese organizations with high-volume campaigns, primarily impersonating consumer and finance brands to steal credentials and payment data. The kit employs advanced evasion techniques like geofencing and fingerprinting to avoid detection. Sinc…

Published: May 6, 2025

Downloadable IOCs: 7

XLoader Info-stealer Distributed Using MS Equation Editor Vulnerability (CVE-2017-11882)

An analysis reveals the distribution of XLoader info-stealer through phishing emails exploiting the MS Equation Editor vulnerability (CVE-2017-11882). The attack begins with a DOCX file containing an RTF document that creates a VBE file in a temporary folder. This VBE file, built using HorusProtect…

Published: May 1, 2025

Downloadable IOCs: 0

Fake Social Security Statement emails trick users into installing remote tool

A phishing campaign is targeting users with fake emails purportedly from the US Social Security Administration. These emails aim to trick recipients into installing ScreenConnect, a legitimate remote access tool that can be misused by cybercriminals. The campaign, attributed to a group called Molat…

social security administration

Published: May 1, 2025

Downloadable IOCs: 0

Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government

A Pakistan-linked APT group, Transparent Tribe (APT36), is targeting Indian Government and Defense personnel using 'Pahalgam Terror Attack' themed documents. The campaign involves credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and In…

Published: April 30, 2025

Downloadable IOCs: 29

MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks

MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion t…

Published: April 29, 2025

Downloadable IOCs: 0

FormBook Malware Distributed via Horus Protector Using Word Docs

Forcepoint X-Labs researchers have identified a phishing campaign where attackers distribute the FormBook information-stealing malware using Horus Protector, a malware distribution service designed to evade detection. The campaign employs malicious Microsoft Word documents that exploit the CVE-2017…

Published: April 29, 2025

Downloadable IOCs: 101

Decoding Fake US ESTA Emails: Scam or Real Deal?

An increase in malicious emails impersonating US Customs and Border Protection has been observed, targeting individuals with fake Electronic System for Travel Authorization (ESTA) applications. These well-crafted emails exploit uncertainty around immigration services, urging recipients to submit ne…

us customs and border protection

Published: April 28, 2025

Downloadable IOCs: 0

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…

Published: April 28, 2025

Downloadable IOCs: 0

Emerging Phishing Techniques: New Threats and Attack Vectors

This analysis delves into four sophisticated phishing techniques observed in 2025. These include embedding Base64-encoded JavaScript in SVG files, hiding malicious URLs in PDF annotations, using OneDrive links to deliver dynamic phishing content, and nesting MHT files within OpenXML documents. Thes…

Published: April 28, 2025

Downloadable IOCs: 0

The Return of Pharmacy-Themed Spam

Pharmaceutical-themed spam campaigns continue to target individuals and organizations, particularly in the healthcare and pharmaceutical sectors. Recent observations reveal a bulk spam campaign using spoofed identities and compromised infrastructure to send deceptive emails. The attackers employ ta…

Published: April 26, 2025

Downloadable IOCs: 0

Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands

A scam campaign dubbed 'Power Parasites' is targeting individuals in Asian countries through deceptive websites, social media groups, and Telegram channels. The campaign exploits the names and branding of global energy companies and other major brands to conduct job and investment scams. Victims ar…

Published: April 24, 2025

Downloadable IOCs: 0

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…

Published: April 22, 2025

Downloadable IOCs: 0

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…

microsoft equation editor

Published: April 22, 2025

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 7

Detecting Multi-Stage Infection Chains Madness

This analysis examines a complex multi-stage attack exploiting a resilient network infrastructure known as 'Cloudflare tunnel infrastructure to deliver multiple RATs' since February 2024. The infection chain involves multiple steps, including phishing emails with malicious attachments, execution of…

cyber threat intelligence

detection rules

Published: April 22, 2025

Downloadable IOCs: 15

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…

Published: April 21, 2025

Downloadable IOCs: 6

It's 2025... so why are obviously malicious advertising URLs still going strong?

In 2025, a phishing email containing a malicious link redirected through Google Ads was received by the Internet Storm Center. The link led to a credential-stealing page hosted on a dynamic DNS service. Despite being clearly fraudulent and detected by VirusTotal, the ad redirect remained active for…

Published: April 21, 2025

Downloadable IOCs: 1

The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques su…

government impersonation

Published: April 18, 2025

Downloadable IOCs: 0

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…

Published: April 18, 2025

Downloadable IOCs: 48

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…

Published: April 15, 2025

Downloadable IOCs: 0

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…

Published: April 15, 2025

Downloadable IOCs: 0

Renewed APT29 Phishing Campaign Against European Diplomats

A sophisticated phishing campaign targeting European diplomatic entities has been uncovered, attributed to the Russia-linked threat group APT29. The attackers impersonate a major European foreign affairs ministry, sending fake invitations to wine tasting events. The campaign employs a new loader ca…

Published: April 15, 2025

Downloadable IOCs: 13

A Deep Dive into Strela Stealer and how it Targets European Countries

Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germa…

Published: April 13, 2025

Downloadable IOCs: 0

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Bo…

Published: April 13, 2025

Downloadable IOCs: 0

Amazon Gift Card Email Hooks Microsoft Credentials

The Cofense Phishing Defense Center (PDC) has identified a new credential phishing campaign that uses an Amazon e-gift card to harvest Microsoft login credentials from unsuspecting recipients in 2025.

Published: April 10, 2025

Downloadable IOCs: 2

Blind Eagle: ...And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single…

Published: April 10, 2025

Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…

Published: April 10, 2025

Downloadable IOCs: 0

Sapphire Werewolf refines Amethyst stealer to attack energy companies

The Sapphire Werewolf cluster has upgraded its toolkit with a new version of the Amethyst stealer, targeting energy companies through phishing emails. The enhanced malware features advanced checks for virtualized environments and uses Triple DES for string encryption. The attack involves distributi…

virtualization detection

Published: April 9, 2025

Downloadable IOCs: 0

Scattered Spider: Still Hunting for Victims in 2025

Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push research…

Published: April 9, 2025

Downloadable IOCs: 57

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…

Published: April 8, 2025

Downloadable IOCs: 28

March 2025 Security Issues in Korean & Global Financial Sector

This analysis covers cyber threats and security issues in the financial industry, focusing on South Korea and global incidents. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. The report delves into major financial threats on the…

Published: April 8, 2025

Downloadable IOCs: 2

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…

seed phrase poisoning

Published: April 7, 2025

Downloadable IOCs: 45

New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile

A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHAs and CloudFlare Turnstile to deliver LegionLoader malware, which then installs a malicious browser extension. The infection chain involves a drive-by download, execution of …

Published: April 5, 2025

Downloadable IOCs: 5

Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights

A new campaign utilizing the Brazilian stealer Grandoreiro has been detected targeting Spain and Latin American countries. The malware, active since 2017, aims to steal sensitive information, including banking credentials and personal data. It employs advanced evasion techniques such as string encr…

phishing

grandoreiro

2025-04-04

Published: April 4, 2025

Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…

Published: April 4, 2025

Downloadable IOCs: 0

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report t…

Published: April 4, 2025

Downloadable IOCs: 0

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…

Published: April 3, 2025

Downloadable IOCs: 6

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…

remote access trojans

Published: April 3, 2025

Downloadable IOCs: 0

Analysis of New Mobile Banking Malware

Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal …

Published: April 1, 2025

Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…

phishing

social engineering

credential harvesting

business email compromise

Published: April 1, 2025

Downloadable IOCs: 57

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…

Published: April 1, 2025

Downloadable IOCs: 0

Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants

Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters imperson…

russian volunteer corps

2025-04-01

hochuzhit

cia

intelligence gathering

legion liberty

Published: April 1, 2025

Downloadable IOCs: 0

The Shelby Strategy

The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and …

Published: April 1, 2025

Downloadable IOCs: 0

TsarBot Trojan Hits 750+ Banking & Crypto Apps!

A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Servi…

Published: April 1, 2025

Downloadable IOCs: 0

SVG Phishing Malware Being Distributed with Analysis Obstruction Feature

A sophisticated phishing malware using Scalable Vector Graphics (SVG) format has been identified. The malware embeds malicious scripts within SVG files, using Base64 encoding to bypass detection. It employs various techniques to obstruct analysis, including blocking automation tools, preventing spe…

microsoft impersonation

Published: April 1, 2025

Downloadable IOCs: 0

Remcos RAT Malware Disguised as Major Carrier's Waybill

A sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a config…

phishing

autoit

remcos rat

persistence techniques

shellcode injection

2025-04-01

javascript obfuscation

email attack

waybill disguise

Published: April 1, 2025

Downloadable IOCs: 0

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.

Published: March 31, 2025

Downloadable IOCs: 21

Pulling the Threads on the Phish of Troy Hunt

A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation…

phishing

threat intelligence

infrastructure discovery

Published: March 29, 2025

Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…

Published: March 28, 2025

Downloadable IOCs: 0

When Getting Phished Puts You in Mortal Danger

The article discusses a network of phishing domains targeting Russians searching for anti-Putin organizations. These domains mimic recruitment websites of Ukrainian paramilitary groups and intelligence agencies. The scam aims to collect personal information from potential recruits, likely for Russi…

search engine manipulation

2025-03-28

paramilitary

russian volunteer corps

freedom of russia legion

Published: March 28, 2025

Downloadable IOCs: 0

Operation ForumTroll exploits zero-days in Google Chrome

In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an …

trojan.win64.convagent.gen

sandbox escape

trojan.win64.agent

CVE-2025-2783

Published: March 25, 2025

Downloadable IOCs: 0

New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players

A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identi…

browser-in-the-browser

esports

Published: March 25, 2025

Downloadable IOCs: 8

Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats

Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learnin…

real-time anti-phishing

employee awareness

Published: March 21, 2025

Downloadable IOCs: 11

Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder

A sophisticated phishing campaign targeting Meta Business accounts has been uncovered by the Cofense Phishing Defense Center. The attack begins with a fake Instagram alert claiming the user's ads are suspended due to policy violations. Victims are directed to a fraudulent page mimicking Meta's busi…

phishing

credential theft

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…

Published: March 21, 2025

Downloadable IOCs: 4

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with mul…

Published: March 20, 2025

Downloadable IOCs: 0

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…

Published: March 17, 2025

Linked vulnerabilities : CVE-2017-0199

Downloadable IOCs: 13

VHDs Used to Distribute VenomRAT and Other Malware

A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs…

Published: March 14, 2025

Downloadable IOCs: 0

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …

Published: March 14, 2025

Downloadable IOCs: 28

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…

Published: March 12, 2025

Downloadable IOCs: 9

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticate…

Published: March 12, 2025

Downloadable IOCs: 6

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…

binance impersonation

connectwise rat

Published: March 11, 2025

Downloadable IOCs: 1

Blind Eagle: …And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT …

Published: March 10, 2025

Downloadable IOCs: 16

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …

atomic macos stealer (amos)

grasscall

Published: March 6, 2025

Downloadable IOCs: 14

The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT

Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.

Published: March 5, 2025

Downloadable IOCs: 41

Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems

This analysis explores the use of traffic distribution systems (TDS) by threat actors to redirect network traffic for illicit purposes like phishing and malvertising. TDS act as central hubs, obfuscating final destinations and hindering detection. The study found that malicious TDS exhibit distinct…

traffic distribution systems

Published: March 5, 2025

Downloadable IOCs: 0

Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan

An advanced malware framework known as Winos4.0 was used to target companies in Taiwan in January 2025.

Published: March 5, 2025

Downloadable IOCs: 55

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…

Published: March 5, 2025

Downloadable IOCs: 7

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2

A threat group impersonating the Electronic Frontier Foundation (EFF) is targeting Albion Online players through phishing messages and decoy documents. The campaign uses malware such as Stealc stealer and Pyramid C2 to compromise player accounts. Analysis of an exposed directory revealed PowerShell…

Published: March 4, 2025

Downloadable IOCs: 0

Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials

A sophisticated JavaScript-based credential harvesting campaign has been discovered, utilizing fake voicemail notifications to capture Microsoft 365 credentials. The attackers employ HTML smuggling, obfuscation, and encryption techniques to evade detection. The phishing emails contain PDF attachmen…

phishing

credential harvesting

Published: March 4, 2025

Downloadable IOCs: 0

Havoc: SharePoint with Microsoft Graph API turns into FUD C2

A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc D…

Published: March 3, 2025

Downloadable IOCs: 5

Russian campaign targeting Romanian WhatsApp numbers

A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code,…

Published: February 28, 2025

Downloadable IOCs: 0

Your MFA Is No Match for Sneaky2FA

In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDriv…

Published: February 28, 2025

Downloadable IOCs: 15

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…

Published: February 26, 2025

Downloadable IOCs: 0

Chinese APT Target Royal Thai Police in Malware Campaign

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process…

Published: February 26, 2025

Downloadable IOCs: 0

Unmasking a Large-Scale Legacy Driver Exploitation Campaign

Check Point Research uncovered an extensive campaign exploiting a vulnerability in the legacy version 2.0.2 of the Truesight.sys driver, part of Adlice's RogueKiller Antirootkit suite. Attackers leveraged this vulnerability to deploy an EDR/AV killer module, effectively disabling security solutions…

Published: February 24, 2025

Downloadable IOCs: 951

Phishing Campaigns Targeting Higher Education Institutions

Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Goog…

phishing

social engineering

universities

business email compromise

Published: February 24, 2025

Downloadable IOCs: 4

The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand

The darcula-suite 3.0 represents a significant advancement in phishing capabilities, allowing criminals to easily create customized phishing campaigns targeting any brand. This new version, set to launch in February 2025, builds upon the previous darcula V2 platform, which has already impacted over…

Published: February 20, 2025

Downloadable IOCs: 0

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…

initial access brokers

jsoutprox

tradertraitor

golddigger

state-sponsored threats

Published: February 20, 2025

Downloadable IOCs: 0

Bloody Wolf evolution: new targets, new tools

Bloody Wolf, a notorious threat actor, has shifted its tactics by replacing malware with the legitimate remote administration tool NetSupport. The group has expanded its targets to include organizations in both Kazakhstan and Russia, compromising over 400 systems. Their attack method involves phish…

remote administration

jar files

Published: February 20, 2025

Downloadable IOCs: 0

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…

Published: February 18, 2025

Downloadable IOCs: 3

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…

Published: February 18, 2025

Downloadable IOCs: 5

Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure

An ongoing malware campaign is distributing Lumma Stealer, an information-stealing malware, through malicious LNK files disguised as PDF documents. The campaign exploits compromised educational institutions' infrastructure to host these files. When executed, the LNK files initiate a multi-stage inf…

multi-stage infection

2025-02-17

steam profiles

educational institutions

pdf-themed

Published: February 17, 2025

Downloadable IOCs: 24

FinStealer

A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion t…

trojan.rewardsteal/joxpk

CVE-2011-2688

Published: February 17, 2025

Linked vulnerabilities : CVE-2011-2688

Downloadable IOCs: 5

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…

Published: February 15, 2025

Downloadable IOCs: 0

Inside a Malware Campaign: A Nigerian Hacker's Perspective

This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hos…

Published: February 14, 2025

Downloadable IOCs: 2

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…

device code authentication

Published: February 14, 2025

Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …

Published: February 11, 2025

Downloadable IOCs: 7

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into expl…

Published: February 7, 2025

Downloadable IOCs: 27

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…

Published: February 6, 2025

Downloadable IOCs: 0

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…

microsoft impersonation

Published: February 6, 2025

Downloadable IOCs: 0

Phishing via 'com-' prefix domains

This analysis reveals a new phishing trend using domains with a "com-" prefix to mimic legitimate websites. The scam targets users of Florida's Sunpass toll system, exploiting the similarity between sunpass.com and fraudulent "com-" domains. A surge in "com-" prefix domain registrations has been ob…

phishing

2025-02-06

newly-registered-domains

Published: February 6, 2025

Downloadable IOCs: 9

Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach

A mobile malware campaign targeting Indian banks has been uncovered, comprising nearly 900 samples aimed at Android devices. The malware, distributed via WhatsApp as fake government or banking apps, steals sensitive financial and personal data, including Aadhar and PAN card details, credit card inf…

Published: February 5, 2025

Downloadable IOCs: 891

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…

browser-based attacks

troj/autoit-dhb

email attachments

Published: February 5, 2025

Downloadable IOCs: 0

Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques

ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection cha…

Published: February 5, 2025

Downloadable IOCs: 12

Blast from the Past

A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing …

Published: February 5, 2025

Downloadable IOCs: 1

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains…

Published: February 5, 2025

Downloadable IOCs: 9

NOVA: blast from the past

A large-scale campaign targeting Russian organizations across various industries has been uncovered. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed under the Malware-as-a-Service model, steals cr…

Published: February 4, 2025

Downloadable IOCs: 1

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…

Published: February 3, 2025

Downloadable IOCs: 4

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…

Published: February 1, 2025

Downloadable IOCs: 0

Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech

This article unveils the practice of 'infrastructure laundering' by cybercriminals, specifically focusing on the FUNNULL content delivery network. The investigation reveals that FUNNULL has been renting IP addresses from major cloud providers like Amazon Web Services and Microsoft Azure, using thes…

phishing

2025-01-31

infrastructure laundering

Published: January 31, 2025

Downloadable IOCs: 9

Coyote Banking Trojan: A Stealthy Attack via LNK Files

A sophisticated multi-stage attack utilizing LNK files to deliver the Coyote Banking Trojan has been identified, primarily targeting Brazilian financial applications. The malware employs PowerShell commands, shellcode injection, and registry manipulation to establish persistence and evade detection…

phishing

lnk files

2025-01-31

coyote banking trojan

Published: January 31, 2025

Downloadable IOCs: 0

Microsoft advertisers phished via malicious Google ads

Malicious actors are targeting Microsoft advertisers through fraudulent Google ads, aiming to steal login credentials for Microsoft's advertising platform. The campaign involves sophisticated techniques like cloaking, Cloudflare challenges, and redirection chains to evade detection. Phishing pages …

Published: January 31, 2025

Downloadable IOCs: 101

A closer look at the Tria stealer campaign

A malicious Android campaign named Tria Stealer has been targeting users in Malaysia and Brunei since mid-2024. The campaign uses wedding invitation lures to trick victims into installing a malicious app that collects SMS data, tracks call logs, and steals messages from apps like WhatsApp and email…

Published: January 30, 2025

Downloadable IOCs: 3

Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns

Threat actors are exploiting vulnerabilities in government websites, particularly .gov domains, to conduct phishing campaigns. The abuse primarily involves using open redirects to bypass secure email gateways and lead victims to credential phishing pages. A significant portion of these exploits may…

agent tesla keylogger

Published: January 29, 2025

Linked vulnerabilities : CVE-2024-25608

Downloadable IOCs: 4

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…

Published: January 29, 2025

Downloadable IOCs: 14

Phishing Campaign Baits Hook With Malicious Amazon PDFs

A new phishing tactic has emerged, using PDF documents to trick victims by announcing expired Amazon Prime memberships. The campaign targets users via email, containing PDF attachments that lead to fake Amazon pages requesting personal and credit card information. Researchers from Palo Alto Network…

phishing

credit card fraud

2025-01-29

Published: January 29, 2025

Downloadable IOCs: 4

New TorNet backdoor seen in widespread campaign

A financially motivated threat actor has been conducting a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The campaign uses phishing emails impersonating financial institutions and companies to deliver various payloads, including a new backdoor called TorNet. T…

Published: January 28, 2025

Downloadable IOCs: 0

Hidden in Plain Sight: PDF Mishing Attack

A sophisticated phishing campaign targeting mobile devices has been discovered, impersonating the United States Postal Service (USPS). The campaign uses a novel obfuscation technique in PDF files to hide malicious links, making detection difficult for many security solutions. The attack exploits us…

Published: January 27, 2025

Downloadable IOCs: 654

Targeted supply chain attack against Chrome browser extensions

In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API ke…

Published: January 22, 2025

Downloadable IOCs: 80

The ticket that doesn't exist: a new threat discovered - FakeTicketer

A new threat actor named FakeTicketer has been identified by F.A.C.C.T. Threat Intelligence, operating since June 2024 with a focus on espionage. The actor targets government officials and sports functionaries using malicious software disguised as tickets for Russian Premier League football matches…

Published: January 22, 2025

Downloadable IOCs: 0

One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks

The report discusses an automated approach using graph neural networks to proactively detect malicious infrastructure employed by threat actors in cyber attacks based on known indicators. It examines the relationships between different types of indicators, such as co-hosted domains, malware deliver…

graph neural networks

web skimming

infrastructure discovery

Published: January 21, 2025

Downloadable IOCs: 103

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Cybercriminals are targeting Google Ads advertisers through phishing campaigns, impersonating Google Ads via fraudulent ads. The scheme involves stealing advertiser accounts by redirecting victims to fake login pages, with the goal of reselling these accounts on blackhat forums. The operation uses …

Published: January 20, 2025

Downloadable IOCs: 29

Threat Research Report: Malicious Domain Activity During the Los Angeles Wildfires

During the 2025 Los Angeles wildfires, cybercriminals exploited the disaster through various phishing campaigns. Analysis of 119 domains registered between January 8-13, 2025, revealed themes targeting emergency assistance, legal services, and reconstruction efforts. GoDaddy was the most used regis…

phishing

social engineering

2025-01-17

natural disaster exploitation

los angeles wildfires

Published: January 17, 2025

Downloadable IOCs: 119

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authe…

Published: January 17, 2025

Downloadable IOCs: 26

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…

Published: January 13, 2025

Downloadable IOCs: 4

Increase in Distribution of AutoIt Compile Malware via Phishing Emails

The distribution of malware compiled with AutoIt has been rapidly increasing, surpassing .NET-type malware. AutoIt, a scripting language for Windows automation, is preferred due to its ease of compilation into EXE files and fewer dependencies. The trend began in August 2024, with AutoIt malware nea…

Published: January 10, 2025

Downloadable IOCs: 3

Recruitment Phishing Scam Imitates Hiring Process

A sophisticated phishing campaign has been discovered that exploits recruitment branding to deliver malware. The attack begins with a phishing email impersonating a recruitment process, directing victims to a malicious website. Users are prompted to download a fake application, which serves as a do…

Published: January 10, 2025

Downloadable IOCs: 5

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connecti…

Published: January 10, 2025

Downloadable IOCs: 66

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…

Published: January 9, 2025

Downloadable IOCs: 25

Formbook Phishing Campaign with old Payloads

A recent phishing campaign has been observed delivering Formbook stealers through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Mont…

Published: January 7, 2025

Downloadable IOCs: 1

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads…

Published: January 2, 2025

Downloadable IOCs: 5

Espionage cluster Paper Werewolf engages in destructive behavior

The Paper Werewolf cluster, also known as GOFFEE, has increased its activity, targeting Russian organizations in government, energy, finance, and media sectors. Their primary method involves phishing emails with malicious Microsoft Word attachments containing macros. The group has evolved from cybe…

Published: December 25, 2024

Downloadable IOCs: 0

A Look Back: The Evolution of Latin American eCrime Malware in 2024

Latin American cybercrime continues to evolve as adversaries refine their tactics and techniques. Key developments in 2024 include the adoption of Rust for improved evasion, consistent use of multi-stage infection chains and malspam campaigns, and evidence of collaboration among threat actors. Nota…

Published: December 18, 2024

Downloadable IOCs: 32

Your Data Is Under New Management: The Rise of LummaStealer

LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized busine…

malware-as-a-service (maas)

Published: December 18, 2024

Downloadable IOCs: 0

Effective Phishing Campaign Targeting European Companies and Institutions

A sophisticated phishing operation targeting European automotive, chemical, and industrial manufacturing companies has been uncovered. The campaign, which peaked in June 2024, used HubSpot Free Form Builder and Docusign-enabled PDFs to harvest account credentials and infiltrate Microsoft Azure clou…

phishing

persistence

credential harvesting

Published: December 18, 2024

Downloadable IOCs: 50

How Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels

Cybercriminals are targeting YouTube creators through sophisticated phishing campaigns that impersonate trusted brands offering collaboration deals. The malware is disguised as legitimate documents and delivered via password-protected files on platforms like OneDrive. Once downloaded, it steals sen…

Published: December 17, 2024

Downloadable IOCs: 3

New I2PRAT communicates via anonymous peer-to-peer network

A novel malware strain, I2PRAT, has been discovered utilizing the I2P network for command and control communication. The infection begins with a phishing email leading to a fake CAPTCHA page, which tricks users into executing a malicious PowerShell script. The malware employs UAC bypass, Microsoft …

Published: December 16, 2024

Downloadable IOCs: 0

Unwrapping the AIZ—Aggressive Inventory Zombies—Retail & Crypto Phishing Network Campaign

A large-scale phishing campaign targeting retail brands and cryptocurrency users has been uncovered. The campaign, dubbed 'Aggressive Inventory Zombies' (AIZ), initially impersonated Etsy but expanded to target major retailers like Amazon, BestBuy, and eBay. The threat actor uses a popular website …

Published: December 13, 2024

Downloadable IOCs: 59

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …

Published: December 11, 2024

Downloadable IOCs: 4

Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams

Threat actors exploit high-profile events like global sporting championships to launch attacks through phishing and scams. The analysis focuses on trends in domain registrations, DNS traffic, URL traffic, active domains, verdict change requests, and domain textual patterns. Case studies include obs…

Published: December 7, 2024

Downloadable IOCs: 0

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…

phishing

autoit

credential harvesting

Published: December 6, 2024

Downloadable IOCs: 0

The adventures of an extroverted cyber nerd and the people who help to fight the good fight

The article describes the experiences of a Senior Security Strategist at Talos, highlighting the unique blend of technical expertise and communication skills required for the role. It emphasizes the importance of supporting NGOs in cybersecurity, detailing the author's involvement with the NGO-ISAC…

water systems vulnerabilities

Published: December 6, 2024

Downloadable IOCs: 0

Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)

This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, At…

phishing-as-a-service

Published: December 4, 2024

Downloadable IOCs: 51

Analyzing threat actor Kimsuky email phishing campaign

The report provides an in-depth analysis of the email phishing campaigns conducted by the Kimsuky threat actor group. It highlights their tactics of using diverse themes and subjects to pique the curiosity of recipients, targeting researchers and individuals related to North Korean affairs in an at…

Published: December 4, 2024

Downloadable IOCs: 24

Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam

A malicious threat actor group dubbed 'Payroll Pirates' is orchestrating an ongoing human resources payroll redirection phishing scam targeting numerous organizations' employees. The campaign primarily focuses on Workday users and high-profile companies. The actors employ search ads with brand keyw…

phishing

2024-12-04

hr scam

Published: December 4, 2024

Downloadable IOCs: 69

SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Threat actors are exploiting old Microsoft Office vulnerabilities using SmokeLoader, a modular malware loader, to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, utilizing CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malic…

Published: December 3, 2024

Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199

Downloadable IOCs: 28

Beware of phishing attacks by APT-C-01 (Poison Ivy)

APT-C-01, known as Poison Ivy, is a persistent threat group targeting defense, government, technology, and education sectors since 2007. They specialize in phishing attacks, including watering hole and spear-phishing, using personalized bait content. Recent observations show the group creating fake…

Published: December 3, 2024

Downloadable IOCs: 7

TaxOff: You've Got a Backdoor...

A sophisticated threat group named TaxOff has been discovered targeting Russian government agencies. The group uses phishing emails with legal and financial themes to deliver the Trinper backdoor, a multithreaded C++ malware with advanced features. Trinper employs STL containers, custom serializati…

Published: December 3, 2024

Downloadable IOCs: 11

NetSupport RAT and RMS in malicious emails

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitima…

Published: December 2, 2024

Downloadable IOCs: 35

Attacks by APT-C-60 Group Exploiting Legitimate Services

The APT-C-60 group targeted organizations in Japan and East Asia with a sophisticated attack campaign. The attack begins with a phishing email containing a Google Drive link to download a VHDX file. This file includes an LNK file that executes a downloader, which then retrieves a backdoor called Sp…

Published: November 27, 2024

Downloadable IOCs: 0

Financially Motivated Threat Actor Leveraged Google Docs and Weebly Services

A phishing campaign targeting telecommunications and financial sectors was identified in late October 2024. The attackers used Google Docs to deliver phishing links, redirecting victims to fake login pages hosted on Weebly. This method bypassed standard email filters and endpoint protections by lev…

Published: November 27, 2024

Downloadable IOCs: 35

RobotDropper Automates the Delivery of Multiple Infostealers

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through …

Published: November 26, 2024

Downloadable IOCs: 5

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…

Published: November 18, 2024

Downloadable IOCs: 0

Telekopye transitions to targeting tourists via hotel booking scam

ESET researchers have discovered that Telekopye, a Telegram-based toolkit used by cybercriminals to scam people on online marketplaces, has expanded its operations to target users of popular accommodation booking platforms like Booking.com and Airbnb. The scammers, referred to as Neanderthals, now …

Published: November 17, 2024

Downloadable IOCs: 0

Glove Stealer bypasses Chrome's App-Bound Encryption to steal cookies

Researchers have discovered a new .NET-based information stealer called Glove Stealer that targets browser extensions and local software to steal sensitive data like cookies, passwords, and cryptocurrency wallets. It uses a novel technique to bypass Chrome's App-Bound encryption by exploiting the I…

Published: November 16, 2024

Downloadable IOCs: 0

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Unit 42 researchers identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks using malware-infected video conference apps. The cluster likely operates from Laos and exploited a U.S.-based SMB IT services company to apply for other jobs, securing a position at …

Published: November 15, 2024

Downloadable IOCs: 6

Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

A Chinese financially motivated threat actor, dubbed SilkSpecter, has been uncovered targeting e-commerce shoppers in Europe and USA with a phishing campaign leveraging Black Friday discounts. The actor uses fake discounted products as lures to steal Cardholder Data, Sensitive Authentication Data, …

Published: November 14, 2024

Downloadable IOCs: 13

Malware Spotlight: A Deep-Dive Analysis of WezRat

Check Point Research provides a comprehensive analysis of WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware has been active for over a year, targeting organizations in multiple countries. WezRat's capabilities include executing commands, taking…

Published: November 14, 2024

Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…

Published: November 14, 2024

Downloadable IOCs: 24

How to Improve Cyber Threat Investigations with TI Lookup

This article discusses the use of Threat Intelligence (TI) Lookup, a centralized service for threat data exploration and analysis. It highlights key features such as fast search results, extensive search parameters, and access to a large database of malware and phishing samples. The article explain…

Published: November 13, 2024

Downloadable IOCs: 0

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its oper…

Published: November 12, 2024

Downloadable IOCs: 90

Scammers target UK senior citizens with Winter Fuel Payment texts

Opportunistic scammers are exploiting the UK's recent changes to the Winter Fuel Payments program by targeting senior British residents with fraudulent text messages. These messages claim to offer 'winter heating allowance' and 'cost of living support', directing recipients to deceptive websites th…

Published: November 9, 2024

Downloadable IOCs: 597

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…

Published: November 8, 2024

Downloadable IOCs: 2

CVE-2024-38213: From Crumbs to Full Compromise in a Stealthy Cyber Attack

A targeted email campaign exploiting CVE-2024-38213 has been uncovered, disguised as communication related to the Gas Infrastructure Europe Annual Conference in Munich. The attack bypasses standard security protocols to deploy LummaStealer malware, stealing sensitive data. The vulnerability, known …

Published: November 8, 2024

Downloadable IOCs: 0

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…

Published: November 8, 2024

Downloadable IOCs: 0

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network …

Published: November 7, 2024

Downloadable IOCs: 239

CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits

A large-scale phishing campaign deploying the latest version of Rhadamanthys stealer (0.7) has been discovered. The campaign, dubbed CopyRh(ight)adamantys, uses copyright infringement claims to target various regions globally. It impersonates numerous companies, mainly from Entertainment/Media and …

Published: November 6, 2024

Downloadable IOCs: 0

Attempts to disrupt Russian businesses with MetaStealer

A previously unknown threat actor, Venture Wolf, has been targeting Russian businesses since November 2023. The group uses multiple loaders to deliver MetaStealer, a malware that focuses on manufacturing, construction, IT, and telecommunications industries. The campaign involves disseminating archi…

Published: November 5, 2024

Downloadable IOCs: 20

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…

transaction hijacking

sms interception

g700 rat

Published: November 4, 2024

Downloadable IOCs: 3

Analyzing an Encrypted Phishing PDF

This analysis explores the challenges of decoding encrypted PDF documents, particularly in the context of phishing. It explains that while the structure of encrypted PDFs remains visible, strings and streams are encrypted. The article recommends using qpdf, an open-source tool, to decrypt PDFs for …

Published: November 4, 2024

Downloadable IOCs: 0

Booking.com Phishers May Leave You With Reservations

A recent spear-phishing campaign targeted a California hotel after its Booking.com credentials were stolen. The scam involved sending targeted messages within the Booking mobile app, claiming additional information was required for anti-fraud purposes. Booking.com confirmed a security incident affe…

Published: November 2, 2024

Downloadable IOCs: 0

LastPass Warns of Hackers Misusing Reviews for Fake Support Numbers

LastPass has alerted users about a social engineering campaign targeting customers through fraudulent 5-star reviews on the Chrome Web Store. Hackers are posting fake reviews for the LastPass Chrome extension, promoting a bogus customer support phone number to steal user data. When users call this …

Published: November 2, 2024

Downloadable IOCs: 0

Threat actors use copyright infringement phishing lure to deploy infostealers

An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot dom…

Published: October 31, 2024

Downloadable IOCs: 0

Threat Intelligence Alert: Phish 'n' Ships Fakes Online Shops to Steal Money and Credit Card Information

A sophisticated fraud scheme dubbed 'Phish 'n' Ships' has been uncovered, involving fake web shops that exploit digital payment providers to steal consumers' money and credit card information. The operation, traced back to 2019, has infected over 1,000 websites, created 121 fake web stores, and res…

phishing

seo poisoning

2024-10-31

chinese threat actors

credit card theft

fake web stores

payment processor abuse

search engine manipulation

e-commerce fraud

Published: October 31, 2024

Downloadable IOCs: 22

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Z…

Published: October 30, 2024

Downloadable IOCs: 281

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…

Published: October 30, 2024

Downloadable IOCs: 103

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domai…

infrastructure analysis

Published: October 30, 2024

Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…

Published: October 30, 2024

Downloadable IOCs: 2

Malicious RDP Files Identified in Latest Attack on Ukrainian Entities

CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign uses RDP configuration files to establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29…

Published: October 26, 2024

Downloadable IOCs: 0

Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers

A sophisticated scam targeting air travelers in Indian airports has been uncovered, involving a malicious Android app called 'Lounge Pass'. The app, distributed through fake domains, intercepts and forwards SMS messages from victims' devices to cybercriminals, resulting in significant financial los…

Published: October 25, 2024

Downloadable IOCs: 0

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It at…

chinese-speaking targets

Published: October 25, 2024

Downloadable IOCs: 3

Triad Nexus: FUNNULL CDN hosting DGA domains for suspect Chinese sites

Silent Push has uncovered a large-scale malicious infrastructure dubbed 'Triad Nexus' hosted on the FUNNULL content delivery network. The investigation revealed over 200,000 unique hostnames, with 95% created using Domain Generation Algorithms. FUNNULL is linked to hosting suspect gambling websites…

Published: October 23, 2024

Downloadable IOCs: 70

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT and a novel remote access trojan called PowerRAT. The attack utilizes modular infection chains, either through malicious Microsoft Word documents or HTML files with embedded…

Published: October 22, 2024

Downloadable IOCs: 2

New wave of Bumblebee malware attacks warned

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…

Published: October 22, 2024

Downloadable IOCs: 9

New Bumblebee Loader Infection Chain Signals Possible Resurgence

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…

Published: October 21, 2024

Downloadable IOCs: 11

Inside the Latrodectus Malware Campaign

The Latrodectus malware campaign employs a combination of traditional phishing techniques and innovative payload delivery methods to target financial, automotive, and healthcare sectors. The attack chain begins with compromised emails containing malicious PDF or HTML attachments, which redirect use…

Published: October 21, 2024

Downloadable IOCs: 20

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…

Published: October 18, 2024

Downloadable IOCs: 171

Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum

A cyber-enabled disinformation campaign called Operation MiddleFloor is targeting Moldova's government and education sectors ahead of crucial elections and an EU membership referendum. The campaign, attributed to a Russian-speaking group named Lying Pigeon, uses spoofed emails and documents to spre…

Published: October 10, 2024

Downloadable IOCs: 69

Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloade…

cybersecurity evasion

demon implant

post-exploitation

Published: October 8, 2024

Downloadable IOCs: 0

Mamba 2FA: A new contender in the AiTM phishing ecosystem

Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit being sold as phishing-as-a-service (PhaaS). It features capabilities similar to other popular AiTM phishing services, including handling two-step verifications for non-phishing-resistant MFA methods, supporting various aut…

multi-factor authentication

mamba 2fa

Published: October 7, 2024

Downloadable IOCs: 0

Analyzing the Awaken Likho APT group implant: new tools and techniques

A new campaign by the Awaken Likho APT group targeting Russian government agencies and industrial enterprises was discovered in June 2024. The group has significantly changed its attack methods, now preferring the MeshCentral platform agent instead of UltraVNC for remote access. The implant is deli…

Published: October 7, 2024

Downloadable IOCs: 0

Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…

Published: October 4, 2024

Downloadable IOCs: 15

Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware

A campaign impersonating Royal Mail was identified delivering Prince ransomware, an open-source variant available on GitHub. The low-volume attack targeted UK and US organizations in mid-September, often originating from contact forms on target websites. The ransomware lacks decryption mechanisms a…

Published: October 2, 2024

Downloadable IOCs: 3

Key Group uses leaked builders of ransomware and wipers

Key Group, also known as keygroup777, is a financially motivated ransomware group primarily targeting Russian users. The group has been active since 2022, using various leaked ransomware builders and wipers, including Xorist, Chaos, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/No…

Published: October 2, 2024

Downloadable IOCs: 24

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…

two-factor authentication

political campaigns

Published: September 30, 2024

Downloadable IOCs: 65

A Measure of Motive: How Attackers Weaponize Digital Analytics Tools

Threat actors are repurposing digital analytics and advertising tools to evade detection and enhance their malicious campaigns. The report explores how link shorteners, IP geolocation utilities, CAPTCHA systems, and advertising intelligence platforms are being weaponized. It provides insights into …

Published: September 30, 2024

Downloadable IOCs: 10

Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz

Unit42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host o…

Published: September 25, 2024

Downloadable IOCs: 7

Russia-linked crypto threat actor involved in political spoofing tracked

A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large clus…

Published: September 20, 2024

Downloadable IOCs: 6

SambaSpy – a new RAT targeting Italian users

A campaign exclusively targeting Italian users was detected in May 2024, delivering a new Remote Access Trojan (RAT) dubbed SambaSpy. The infection chain involves phishing emails impersonating a legitimate Italian real estate company, redirecting victims to a malicious website. The campaign employs…

Published: September 19, 2024

Downloadable IOCs: 24

An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader

UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…

Published: September 18, 2024

Downloadable IOCs: 14

Phishing Pages Delivered Through Refresh HTTP Response Header

Unit 42 researchers observed large-scale phishing campaigns in 2024 using a refresh entry in the HTTP response header. This technique, unlike traditional HTML-based phishing, occurs before HTML content processing and automatically refreshes webpages without user interaction. Attackers distribute ma…

business email compromise

Published: September 18, 2024

Downloadable IOCs: 7

A Network of Harm: Gigabud Threat and Its Associates

An investigation reveals a significant connection between Gigabud and Spynote malware families, targeting over 50 financial apps including banks and cryptocurrency platforms. The campaign utilizes sophisticated distribution methods, including 11 command and control servers and 79 phishing websites …

Published: September 17, 2024

Downloadable IOCs: 116

Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics

From February to July 2024, an analysis of over 500 popular domains revealed more than 10,000 malicious lookalike domains employing typosquatting and brand impersonation techniques. Google, Microsoft, and Amazon were the most targeted brands, accounting for nearly 75% of phishing domains. Almost ha…

Published: September 12, 2024

Downloadable IOCs: 10

Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries

The Scattered Spider cybercriminal group is targeting cloud infrastructures in the insurance and financial sectors using advanced techniques. They exploit leaked authentication tokens, conduct phishing and smishing campaigns, and leverage SIM swapping to bypass multi-factor authentication. The grou…

Published: September 11, 2024

Downloadable IOCs: 12

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google …

Published: September 5, 2024

Downloadable IOCs: 16

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…

Published: September 5, 2024

Downloadable IOCs: 4

Emansrepo Stealer: Multi-Vector Attack Chains

A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming…

Published: September 4, 2024

Downloadable IOCs: 42

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like …

Published: September 2, 2024

Linked vulnerabilities : CVE-2023-38831

Downloadable IOCs: 52

Stone Wolf employs Meduza Stealer to hack Russian companies

A malicious campaign by a group called Stone Wolf has been targeting Russian companies using phishing emails impersonating a legitimate industrial automation provider. The attackers aim to deliver Meduza Stealer, a commercial malware available on underground forums. The campaign involves sending an…

industrial automation

russian companies

Published: September 2, 2024

Downloadable IOCs: 41

The trojan horse that wanted to fly

Rocinante is a new strain of mobile malware originating from Brazil, capable of keylogging, stealing PII through phishing, and performing device takeover. It targets Brazilian banking institutions using a combination of Firebase messaging, HTTP traffic, WebSocket, and Telegram API for communication…

Published: September 2, 2024

Downloadable IOCs: 4

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…

cryptocurrency wallets

browser data theft

Published: September 2, 2024

Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986

Downloadable IOCs: 8

The Emerging Dynamics of Deepfake Scam Campaigns on the Web

Researchers have uncovered dozens of scam campaigns utilizing deepfake videos featuring public figures like CEOs, news anchors, and government officials. These campaigns target victims in multiple countries using various languages. The scams promote fake investment schemes and government giveaways.…

infrastructure analysis

Published: September 2, 2024

Downloadable IOCs: 428

Exploring Newly Released Top-Level Domains

An investigation into 19 new top-level domains (TLDs) released in the past year revealed various malicious activities, including phishing campaigns, distribution of potentially unwanted programs, torrenting websites, and pranking campaigns. The study found a correlation between the TLDs' general av…

graph-based detection

redirection campaigns

domain registration

torrenting

Published: September 2, 2024

Downloadable IOCs: 22

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legit…

Published: August 30, 2024

Linked vulnerabilities : CVE-2023-22527

Downloadable IOCs: 5

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…

Published: August 30, 2024

Linked vulnerabilities : CVE-2017-0199

Downloadable IOCs: 8

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …

Published: August 26, 2024

Downloadable IOCs: 38

NGate Android malware relays NFC traffic to steal cash

ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign…

Published: August 22, 2024

Downloadable IOCs: 12

GreenCharlie Infrastructure Linked to US Political Campaign Targeting

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…

Published: August 21, 2024

Downloadable IOCs: 111

Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persist…

Published: August 20, 2024

Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21412, CVE-2024-21893

Downloadable IOCs: 15

Ongoing Social Engineering Campaign Refreshes Payloads

Rapid7 observed a shift in tools utilized by threat actors in an ongoing social engineering campaign. The initial lure involves an email bombing followed by calls to users offering fake solutions. Once connected remotely, threat actors deploy payloads for credential harvesting, establishing command…

Published: August 20, 2024

Linked vulnerabilities : CVE-2022-26923

Downloadable IOCs: 43

2024 Paris Olympic Games Infrastructure Attack Report

This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…

Published: August 16, 2024

Downloadable IOCs: 148

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…

Published: August 16, 2024

Downloadable IOCs: 68

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …

Published: August 14, 2024

Downloadable IOCs: 5

Rivers of Phish: Sophisticated Phishing Targets Russia's Perceived Enemies Around the Globe

An extensive investigation uncovered an elaborate phishing campaign conducted by a Russia-based threat actor known as COLDRIVER, attributed to Russia's Federal Security Service. The campaign employed personalized social engineering tactics to target civil society groups, NGOs, journalists, and gove…

Published: August 14, 2024

Downloadable IOCs: 28

Ande Loader Leads to 0bj3ctivity Stealer Infection

In July 2024, eSentire's Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence, downloaded additional pa…

Published: August 12, 2024

Downloadable IOCs: 2

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…

Published: August 9, 2024

Downloadable IOCs: 50

APT Group Kimsuky Targets University Researchers

A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, an…

Published: August 9, 2024

Downloadable IOCs: 24

PureHVNC Deployed via Python Multi-stage Loader

FortiGuard Labs uncovered a sophisticated attack campaign utilizing multiple obfuscation and evasion techniques to distribute and execute various malware, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email containing a malicious attachment that initiates a …

Published: August 9, 2024

Downloadable IOCs: 18

Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…

Published: August 7, 2024

Downloadable IOCs: 8

RHADAMANTHYS: In-Depth Analysis of a Sophisticated Stealer Targeting Israeli Users

This comprehensive technical analysis delves into the intricate workings of an advanced and localized malware campaign employing the RHADAMANTHYS stealer. Dissecting the infection chain, anti-analysis techniques, data theft capabilities, and Command & Control infrastructure, this detailed report sh…

Published: August 5, 2024

Downloadable IOCs: 5

Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and...

eSentire's Threat Response Unit (TRU) uncovered a malware campaign affecting a government customer. The infection involved multiple threats - XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT - hosted on a TryCloudflare WebDAV server. The initial vector was a phishing email with a malicious ZIP file.…

Published: August 5, 2024

Downloadable IOCs: 7

Fighting Ursa Luring Targets With Car for Sale

This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…

Published: August 5, 2024

Linked vulnerabilities : CVE-2024-3400

Downloadable IOCs: 6

Brief Overview of the DeerStealer Distribution Campaign

A recent cybersecurity investigation uncovered a malware distribution campaign called DeerStealer. The malware was disseminated through counterfeit Google Authenticator websites, tricking visitors into downloading the malicious payload hosted on GitHub. Upon execution, the stealer collects system i…

Published: August 2, 2024

Downloadable IOCs: 28

Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft

An examination of how threat actors hijack social media pages, rename them to resemble legitimate AI photo editors, and post malicious links to fake websites promoted through paid ads. The links trick users into installing endpoint management software, allowing the execution of credential stealers …

Published: August 1, 2024

Downloadable IOCs: 73

Strikes with commercial malware against organizations in Kazakhstan

BI.ZONE experts have been monitoring the activities of a threat group called Bloody Wolf since late 2023. This group targets organizations in Kazakhstan using STRRAT, a commercial malware known as Strigoi Master. The attackers employ phishing emails posing as communications from government agencies…

Published: August 1, 2024

Downloadable IOCs: 10

Threat actor impersonates Google via fake ad for Authenticator

An unknown threat actor created a deceptive advertisement that appeared as if it was from a reputable company, enticing users to click on it and visit a malicious website. The site hosted a digitally signed malicious file disguised as a popular multi-factor authentication application. Upon executio…

Published: July 31, 2024

Downloadable IOCs: 5

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…

Published: July 30, 2024

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 74

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …

Published: July 30, 2024

Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199

Downloadable IOCs: 47

Likely eCrime Actor Capitalizing on Falcon Sensor Issues

A cybercrime group has leveraged a content update issue with the CrowdStrike Falcon sensor to distribute malicious files targeting Latin American customers. The campaign involves a ZIP archive named 'crowdstrike-hotfix.zip' containing a HijackLoader payload that loads RemCos malware, using Spanish …

Published: July 29, 2024

Downloadable IOCs: 14

GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware

Group-IB discovered a Spanish-speaking criminal group, GXC Team, offering a sophisticated AI-powered phishing-as-a-service platform targeting Spanish bank customers. The group specialized in developing phishing kits, Android malware, and AI-powered scam tools. Their malicious Android app, disguised…

Published: July 29, 2024

Downloadable IOCs: 161

Malware Distributed Using Falcon Sensor Update Phishing Lure

CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stea…

Published: July 29, 2024

Downloadable IOCs: 32

Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave

This analysis explores the evolution of network threats associated with generative AI (GenAI) terms, correlating with key milestones like ChatGPT's launch and integration into Bing. It examines suspicious domain registrations capitalizing on the GenAI trend, their textual patterns, and traffic volu…

phishing

2024-07-26

spoofed domains

Published: July 26, 2024

Downloadable IOCs: 31

Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412

Cyble analyzes an ongoing campaign exploiting a Microsoft SmartScreen vulnerability to deliver stealers through spam emails. The campaign employs lures related to healthcare, transportation, and tax notices to trick users into downloading malicious payloads. It utilizes techniques like DLL sideload…

Published: July 11, 2024

Downloadable IOCs: 12

FIN7: Silent Push unearths 4000+ phishing and shell domains

Silent Push threat analysts have uncovered an extensive series of campaigns linked to the FIN7 cybercrime group, including several hundred active phishing, spoofing, shell and malware delivery domains and IPs targeting various organizations. The campaigns utilize over 4000 domains and subdomains, w…

Published: July 11, 2024

Downloadable IOCs: 94

Analysis of Suspected APT Attack Activities by “Silver Fox”

This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…

Published: July 10, 2024

Downloadable IOCs: 7

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…

Published: July 10, 2024

Downloadable IOCs: 14

M365 adversary-in-the-middle campaign

Field Effect researchers uncovered a previously unreported campaign leveraging the Axios user agent string to facilitate business email compromise (BEC) attacks against Microsoft 365 (M365) accounts. The threat actor utilized malicious domains impersonating M365 login pages to harvest victims' cred…

adversary-in-the-middle

Published: July 8, 2024

Downloadable IOCs: 19

The Hidden Danger of PDF Files with Embedded QR Codes

The report describes how malware authors are abusing PDF files with embedded QR codes to deceive users into visiting malicious phishing URLs disguised as legitimate services. The QR codes redirect users to fake Microsoft login pages designed to harvest credentials and potentially gain unauthorized …

Published: July 5, 2024

Downloadable IOCs: 1

ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…

Published: July 2, 2024

Downloadable IOCs: 25

An Android RAT targets Telegram Users

This analysis discusses SpyMax, a Remote Access Trojan (RAT) that targets Android devices and specifically aims at obtaining data from Telegram users. It employs phishing techniques to trick victims into installing a malicious application disguised as the legitimate Telegram app. Once installed, Sp…

Published: June 28, 2024

Downloadable IOCs: 4

DBatLoader Distributed via CMD Files

A cybersecurity analysis has identified a malicious operation involving the distribution of a downloader, dubbed DBatLoader or ModiLoader, through CMD files disguised as innocuous files. The campaign leverages phishing emails containing compressed CMD files that, when executed on English-language W…

Published: June 27, 2024

Downloadable IOCs: 0

Phishing Incident Report: Facts and Timeline

On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out a phishing attack against the company's entire contact list. The initial compromise occurred on May 27 through an AiTM phishing campaign targeting the employee. Over the following weeks, the attacker maintained…

Published: June 25, 2024

Downloadable IOCs: 9

AdsExhaust, a Newly Discovered Adware MasqueradingOculus…

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.

Published: June 24, 2024

Downloadable IOCs: 17

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…

Published: June 24, 2024

Downloadable IOCs: 148

Unveiling SpiceRAT: Latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign. The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh…

Published: June 24, 2024

Downloadable IOCs: 6

SolarMarker Impersonates Job Employment Website

On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.

Published: June 18, 2024

Downloadable IOCs: 6

Dipping into Danger: The WARMCOOKIE backdoor

Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …

Published: June 12, 2024

Downloadable IOCs: 6

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has uncovered a sophisticated malicious campaign that exploits the Windows search functionality embedded in HTML code to deploy malware. The campaign initiates with a suspicious email containing an HTML attachment masquerading as a routine document like an invoice. Once opened,…

phishing

2024-06-11

search-ms

Published: June 11, 2024

Downloadable IOCs: 2

RAT Distributed as UUEncoding (UUE) File

This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…

Published: June 11, 2024

Downloadable IOCs: 3

New Agent Tesla Campaign Targeting Spanish-Speaking People

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…

Published: June 10, 2024

Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199

Downloadable IOCs: 6

Cybercriminals attack banking customers in EU with V3B phishing kit

An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…

Published: June 10, 2024

Downloadable IOCs: 44

Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a suspected geopolitical or hacktivist group. While their origin remains unclear, recent techniques suggest espionage and data exfiltration intent. Sticky Werewolf has targeted the aviation industry, employing ph…

Published: June 7, 2024

Downloadable IOCs: 14

DarkGate again but... Improved?

The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…

Published: June 6, 2024

Downloadable IOCs: 313

Warning Against Phishing Emails Prompting Execution of Commands via Paste

This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…

Published: June 6, 2024

Downloadable IOCs: 15

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud

An analysis by McAfee's Mobile Research Team uncovered an Android InfoStealer malware masquerading as a government service app in Bahrain. The malicious app, promoted through deceitful Facebook pages and SMS messages, tricks users into providing personal information like CPR numbers, phone numbers,…

Published: June 3, 2024

Downloadable IOCs: 14

Chat Messenger voting topics - a new way to steal accounts is gaining momentum

The Government Emergency Response Team of Ukraine CERT-UA informs about the increase in the number of cyberattacks aimed at gaining access to the accounts of popular messengers, including, using the techniques of bypassing two-factor authentication

phishing

credential harvesting

2024-05-31

Published: May 31, 2024

Downloadable IOCs: 230

Disrupting FlyingYeti's campaign targeting Ukraine

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…

Published: May 31, 2024

Linked vulnerabilities : CVE-2023-38831

Downloadable IOCs: 8

'Reptile Recon': Discovering CryptoChameleon fast flux IOFAs. Hundreds of domains, IPs, and ASNs discovered

A report detailing the analysis of the CryptoChameleon phishing kit, which is used to harvest sensitive information from employees and customers across various platforms. Silent Push Threat Analysts conducted research that revealed a large number of fast flux Indicators of Future Attack (IOFAs) tar…

Published: May 30, 2024

Downloadable IOCs: 30

Side Loading through IObit against Colombia

In May 2024, researchers detected a phishing campaign impersonating the Colombian Attorney General's Office, aiming to infect systems with AsyncRAT malware. The attack employs a ZIP file containing legitimate IObit antivirus software and malicious files, utilizing DLL side-loading for execution. Wh…

Published: May 29, 2024

Downloadable IOCs: 3

Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling

Netskope Threat Labs has been tracking an increase in phishing campaigns hosted on Cloudflare Workers. The campaigns use techniques like HTML smuggling and transparent phishing to evade detections. The phishing pages target Microsoft and Google credentials. Netskope recommends inspecting web traffi…

Published: May 28, 2024

Downloadable IOCs: 134

Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware

Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …

Published: May 22, 2024

Downloadable IOCs: 16

D3F@ck Loader, the New MaaS Loader

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge…

Published: May 21, 2024

Linked vulnerabilities : CVE-2024-3400

Downloadable IOCs: 3

Banking trojan unleashed: Observing emerging global campaigns

IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string…

Published: May 20, 2024

Downloadable IOCs: 18

From Document to Script: Insides of Campaign

This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …

Published: May 17, 2024

Downloadable IOCs: 11

Payload Trends in Malicious OneNote Samples

This analysis examines the types of malicious payloads that attackers embed within Microsoft OneNote files to deceive users into executing malicious code. By analyzing approximately 6,000 malicious OneNote samples, it reveals that attackers frequently employ images resembling buttons to lure victim…

Published: May 16, 2024

Downloadable IOCs: 550

SugarGh0st RAT Used to Target American Artificial Intelligence Experts

This intelligence report provides details about a SugarGh0st RAT campaign conducted by an unattributed threat actor, tracked as UNK_SweetSpecter, targeting organizations in the United States involved in artificial intelligence (AI) efforts across academia, private industry, and government. The camp…

Published: May 16, 2024

Downloadable IOCs: 9

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…

Published: May 13, 2024

Downloadable IOCs: 3

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…

Published: May 13, 2024

Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472

Downloadable IOCs: 174

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…

Published: May 10, 2024

Linked vulnerabilities : CVE-2024-22024

Downloadable IOCs: 118

APT28 campaign against Polish government institutions

The CERT Polska team is investigating a large-scale malware campaign carried out by the Russian intelligence group APT28, which has been targeting Polish government institutions in the past year and is believed to be linked to the GRU.

Published: May 8, 2024

Downloadable IOCs: 74

Scaly Wolf’s new loader: the right tool for the wrong job

The report analyzes a recent campaign by the Scaly Wolf threat group targeting organizations in Russia and Belarus. The group employs phishing emails disguised as communications from government agencies, containing legitimate documents and password-protected archives with malicious executables. The…

Published: May 2, 2024

Downloadable IOCs: 23

Nearly 20% of Docker Hub Repositories Spread Malware & Phishing Scams

This report details an investigation by JFrog Security researchers on a coordinated attack on Docker Hub, where millions of malicious repositories were planted to spread malware and phishing scams. It analyzes three major malware campaigns, dubbed 'Downloader', 'eBook Phishing', and 'Website SEO', …

phishing

campaigns

repositories

freehtmlvalidator.exe

docker hub

Published: May 1, 2024

Downloadable IOCs: 46

Linux Trojan - Xorddos with Filename eyshcjdmzg

This analysis examines a recurring Linux trojan called Xorddos, which is a distributed denial-of-service (DDoS) malware. It provides details on various file hashes associated with the malware, as well as indicators of compromise (IOCs) such as IP addresses, domains, and email addresses. The analysi…

Published: May 1, 2024

Downloadable IOCs: 11

FakeBat Malware Distributing via Fake Browser Updates

This report details a recent malware campaign leveraging fake browser update notifications to distribute the FakeBat loader. The campaign employs sophisticated social engineering techniques, with malicious JavaScript code injected into compromised websites to trigger deceptive update prompts. These…

Published: April 29, 2024

Downloadable IOCs: 6

Tag: phishing

Attack reports

DeedRAT: Unpacking a Modern Backdoor's Playbook

Silver Fox Targeting India Using Tax Themed Phishing Lures

2025 Holiday Scams: Docusign Phishing Meets Loan Spam

Indian Income Tax-Themed Phishing Campaign Targets Local Businesses

UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel

Evasive SideWinder APT Campaign Detected

Cloud Atlas activity in the first half of 2025: what changed

A Series of Unfortunate (RMM) Events

Access granted: phishing with device code authorization for account takeover

BlueDelta’s Persistent Campaign Against UKR.NET

Kimsuky Distributing Malicious Mobile App via QR Code

Russian APT actor phishes the Baltics and the Balkans

Technical Analysis of the BlackForce Phishing Kit

Operation MoneyMount, ISO Deploying Phantom Stealer

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

UDPGangster Campaigns Target Multiple Countries

Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

CastleLoader Activity Clusters Target Multiple Industries

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

DNS Uncovers Infrastructure Used in SSO Attacks

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

Salty2FA & Tycoon2FA: Hybrid Phishing Threat

Over 2,000 Holiday-Themed Fake Stores Detected Exploiting Black Friday and Festive Sales

Analysis of the Lumma infostealer

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

Care that you share

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

Brazilian Campaign: Spreading the Malware via WhatsApp

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

APT24 Pivot to Multi-Vector Attacks

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

How AI Is Fueling a New Wave of Black Friday Scams

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

Thousands of Fake Hotel Domains Used in Massive Phishing Campaign

Booking.com Phishing Campaign Targeting Hotels and Customers

Cavalry Werewolf hacker group attacks Russian state institutions

Crossed wires: a case study of Iranian espionage and attribution

Remote access, real cargo: cybercriminals targeting trucking and logistics

LATAM baited into the delivery of PureHVNC

Major October 2025 Cyber Attacks Your SOC Can't Ignore

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

ClayRat: A New Android Spyware Targeting Russia

The Evolution of Qilin RaaS

APT Meets GPT: Targeted Operations with Untamed LLMs

XWorm V6: Exploring Pivotal Plugins

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

New spyware campaigns target privacy-conscious Android users in the UAE

Werewolf raids Russia's public sector with trusted relationship attacks

Silent Smishing: The Hidden Abuse of Cellular Router APIs

Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis

Threat Hunting on potential APT35 Servers

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

IOCs for phishing campaign using BitM pages

GUNRA RANSOMWARE: What You Don't Know!

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer

CountLoader: New Malware Loader Being Served in 3 Different Versions

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A new RevengeHotels campaign targets Latin America

August 2025 Trends Report on Phishing Emails

Digital Frontlines: India Under Multi-Nation Hacktivist Attack

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

Tax refund scam targets Californians

Sindoor Dropper: New Phishing Campaign