SecuriTricks - social engineering

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…

phishing

social engineering

Published: December 3, 2025

Downloadable IOCs: 1

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, i…

Published: December 3, 2025

Downloadable IOCs: 25

Over 2,000 Holiday-Themed Fake Stores Detected Exploiting Black Friday and Festive Sales

Two clusters of holiday-themed fake online stores have been identified ahead of Black Friday and other festive sales. The first cluster includes over 750 interconnected sites using uniform holiday banners and misleading trust indicators, many impersonating Amazon. The second cluster spans a .shop e…

holiday shopping fraud

black friday scams

e-commerce impersonation

Published: November 27, 2025

Downloadable IOCs: 0

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

This analysis details a sophisticated DPRK-linked operation called Contagious Interview, which uses a fake job platform to target U.S. AI talent. The campaign mimics legitimate recruitment processes, offering job listings from well-known tech companies to lure victims. The platform, hosted at lenvn…

Published: November 26, 2025

Downloadable IOCs: 6

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…

Published: November 26, 2025

Downloadable IOCs: 50

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync…

calendar subscriptions

expired domains

Published: November 26, 2025

Linked vulnerabilities : CVE-2025-27915 (CVSS 5.4)

Downloadable IOCs: 22

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

The TamperedChef campaign is a global malvertising and SEO operation that distributes seemingly legitimate software with valid code signing to trick users into executing malicious installers. These fake applications mimic common software and establish persistence through scheduled tasks, delivering…

code-signing certificates

signed applications

Published: November 26, 2025

Downloadable IOCs: 0

GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

A sophisticated Android dropper impersonating the Google Play Store was discovered, distributing an app called 'GPT Trade'. This malicious application, disguised as an AI trading assistant, actually deploys two dangerous payloads: BTMob spyware and UASecurity Miner. The dropper creates directories,…

Published: November 19, 2025

Downloadable IOCs: 10

How AI Is Fueling a New Wave of Black Friday Scams

AI tools are enabling cybercriminals to create sophisticated Black Friday scams, including realistic phishing emails, cloned websites, and fake social media ads. Common tactics involve impersonating trusted brands like Amazon and Temu, offering unrealistic discounts on luxury goods, and exploiting …

Published: November 15, 2025

Downloadable IOCs: 15

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…

Published: November 14, 2025

Downloadable IOCs: 84

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organization…

Published: November 14, 2025

Downloadable IOCs: 16

State-Sponsored Remote Wipe Tactics Targeting Android Devices

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They co…

Published: November 10, 2025

Downloadable IOCs: 10

From primitive crypto theft to sophisticated AI-based deception

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group…

Published: November 9, 2025

Downloadable IOCs: 1

Watch out for SVG files booby-trapped with malware

A recent malware campaign in Latin America demonstrates cybercriminals' evolving tactics. The attacks use social engineering, sending emails that appear to be from trusted institutions with urgent warnings about legal issues. The campaign's goal is to install AsyncRAT, a remote access trojan that a…

ai-generated templates

judicial system impersonation

Published: November 9, 2025

Downloadable IOCs: 0

Gotta fly: Targeting the UAV sector

ESET researchers have uncovered a new instance of Operation DreamJob, a cyberespionage campaign attributed to the North Korea-aligned Lazarus group. The attackers targeted European companies in the defense industry, particularly those involved in unmanned aerial vehicle (UAV) technology. The campai…

Published: November 9, 2025

Downloadable IOCs: 0

Booking.com Phishing Campaign Targeting Hotels and Customers

A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduc…

Published: November 7, 2025

Downloadable IOCs: 100

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate pro…

Published: November 5, 2025

Downloadable IOCs: 0

Remote access, real cargo: cybercriminals targeting trucking and logistics

Cybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use their access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) …

remote monitoring tools

Published: November 3, 2025

Downloadable IOCs: 39

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

A group of financially motivated threat actors from Vietnam, tracked as UNC6229, is targeting individuals in the digital advertising and marketing sectors through fake job postings. They use social engineering tactics to deliver malware and phishing kits, aiming to compromise high-value corporate a…

social engineering

credential theft

remote access trojans

2025-10-23

fake job postings

digital advertising

Published: October 23, 2025

Downloadable IOCs: 0

SecuritySnack: 18+E-Crime

A financially motivated cybercrime operation has been identified, targeting users with over 80 spoofed domain names and lure websites. The campaign, which began in September 2024, focuses on government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. Th…

Published: October 6, 2025

Downloadable IOCs: 140

Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations

This analysis focuses on UNC6040, a financially motivated threat group specializing in voice phishing campaigns targeting Salesforce instances. The group employs social engineering tactics to trick employees into granting access or sharing credentials, facilitating large-scale data theft and extort…

social engineering

voice phishing

data exfiltration

multi-factor authentication

identity verification

data loader

connected apps

Published: October 1, 2025

Linked vulnerabilities : CVE-2025-53690

Downloadable IOCs: 2

Datzbro: RAT Hiding Behind Senior Travel Scams

A new Android Trojan named Datzbro has been discovered targeting seniors through fake Facebook groups promoting travel and social activities. The malware, which combines spyware and banking Trojan capabilities, is distributed via malicious APKs disguised as community apps. Datzbro features remote a…

Published: September 30, 2025

Downloadable IOCs: 0

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techni…

Published: September 25, 2025

Downloadable IOCs: 33

Updates Arsenal with BAITSWITCH and SIMPLEFIX

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware fa…

Published: September 24, 2025

Downloadable IOCs: 0

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…

Published: September 16, 2025

Downloadable IOCs: 17

Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion

Two cyber criminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 uses social engineering, particularly voice phishing, to gain access to Salesforce accounts. They trick employees into granting access or sharing credentials, then…

Published: September 15, 2025

Downloadable IOCs: 59

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables eas…

adversarial emulation

Published: September 10, 2025

Downloadable IOCs: 0

An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps

This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade d…

Published: September 4, 2025

Downloadable IOCs: 0

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverag…

infrastructure monitoring

contagiousdrop

Published: September 4, 2025

Downloadable IOCs: 0

Ethereum smart contracts used to push malicious code on npm

A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub reposi…

Published: September 4, 2025

Downloadable IOCs: 0

Three Lazarus RATs coming for your cheese

This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is …

Published: September 3, 2025

Downloadable IOCs: 0

Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundre…

Published: September 3, 2025

Downloadable IOCs: 19

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…

Published: September 1, 2025

Downloadable IOCs: 18

AI Waifu RAT: A Ring3 malware-like RAT based on LLM manipulation is circulating in the wild

A niche LLM role-playing community is being targeted by a sophisticated social engineering attack disguised as an AI character enhancement tool. The 'AI Waifu RAT' is a Remote Access Trojan marketed as a feature allowing AI characters to interact with users' computers. The RAT, distributed under th…

Published: September 1, 2025

Downloadable IOCs: 7

From a Fake AnyDesk Installer to MetaStealer

A recent attack mimicking ClickFix tactics used a fake AnyDesk installer to deploy MetaStealer. The infection chain involved a fake Cloudflare Turnstile lure, Windows search protocol, and an MSI package disguised as a PDF. Unlike traditional ClickFix attacks, this variant redirected users to Window…

windows file explorer

Published: August 30, 2025

Downloadable IOCs: 0

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-sta…

Published: August 26, 2025

Downloadable IOCs: 9

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …

atomic macos stealer (amos)

lampion

2025-08-21

windows run dialog

Published: August 21, 2025

Downloadable IOCs: 10

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…

Published: August 15, 2025

Downloadable IOCs: 24

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…

Published: August 15, 2025

Downloadable IOCs: 0

When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

EncryptHub, an emerging threat group, has launched a campaign combining social engineering with exploitation of CVE-2025-26633 to deliver malicious payloads. The attackers impersonate IT support staff, use remote desktop sessions, and execute PowerShell commands to deploy malware. The campaign abus…

Published: August 14, 2025

Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)

Downloadable IOCs: 16

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …

Published: August 11, 2025

Downloadable IOCs: 0

The Homograph Illusion: Not Everything Is As It Seems

Homograph attacks involve using non-Latin characters that visually resemble Latin characters to create words that appear legitimate but are actually different. This technique allows attackers to evade detection and analysis, crafting malicious emails that can lead to credential theft or malware inf…

character substitution

homograph attack

unicode

Published: August 8, 2025

Downloadable IOCs: 8

Email-Delivered RMM: Abusing PDFs for Silent Initial Access

A targeted campaign has been observed since November 2024, primarily affecting organizations in France and Luxembourg. The attackers use socially engineered emails to deliver PDF documents containing embedded links to Remote Monitoring and Management (RMM) tool installers. This method bypasses many…

Published: August 7, 2025

Downloadable IOCs: 51

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…

Published: July 25, 2025

Downloadable IOCs: 5

Illusory Wishes: China-nexus APT Targets the Tibetan Community

Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and Phant…

Published: July 23, 2025

Downloadable IOCs: 26

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They requ…

social engineering

supply chain

business email compromise

Published: July 23, 2025

Downloadable IOCs: 94

Back to Business: Lumma Stealer Returns with Stealthier Methods

Lumma Stealer, an information-stealing malware, has resurfaced shortly after its takedown in May 2025. The cybercriminals behind it are now employing more covert tactics and expanding their reach. The malware is being distributed through discreet channels and uses stealthier evasion techniques. Lum…

Published: July 23, 2025

Downloadable IOCs: 52

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…

Published: July 16, 2025

Downloadable IOCs: 1

UNG0002 (Unknown Group 0002): Espionage Campaigns Uncovered

UNG0002, an espionage-focused threat group, has been conducting campaigns across Asian jurisdictions including China, Hong Kong, and Pakistan. The group employs sophisticated multi-stage attacks using LNK files, VBScript, and custom RAT implants. Their operations span two major campaigns: Operation…

Published: July 16, 2025

Downloadable IOCs: 16

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…

Published: July 10, 2025

Downloadable IOCs: 65

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extensi…

Published: July 2, 2025

Downloadable IOCs: 40

Getting a career in cybersecurity isn't easy, but this can help

The article provides insights into starting a career in cybersecurity, emphasizing that the path is not always straightforward. It highlights the importance of having a good attitude, being easy to work with, continuous learning, persistence, joining security communities, and making the most of cur…

Published: June 27, 2025

Downloadable IOCs: 5

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…

Published: June 20, 2025

Downloadable IOCs: 0

TxTag Takedown: Busting Phishing Email Schemes

A new phishing campaign has been observed leveraging a .gov domain to deceive employees into believing they owe unpaid tolls. The scheme uses urgency and fear tactics, threatening penalties or vehicle registration holds if the balance is not paid immediately. The attackers utilize the GovDelivery s…

Published: June 20, 2025

Downloadable IOCs: 1

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disgu…

Published: June 20, 2025

Downloadable IOCs: 5

Steam Phishing: Popular as Ever

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' c…

Published: June 20, 2025

Downloadable IOCs: 31

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…

Published: June 19, 2025

Downloadable IOCs: 18

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious acti…

Published: June 18, 2025

Downloadable IOCs: 3

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

Cybercriminals are exploiting GitHub's reputation to distribute malware, particularly targeting gamers and children. They create repositories offering game hacks, cracked software, and crypto tools, which actually contain Lumma Stealer variants. The attack chain begins with users searching for thes…

Published: June 18, 2025

Downloadable IOCs: 4

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…

Published: June 18, 2025

Downloadable IOCs: 47

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_e…

Published: June 11, 2025

Downloadable IOCs: 24

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses c…

Published: June 5, 2025

Downloadable IOCs: 72

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake …

Published: June 4, 2025

Downloadable IOCs: 2

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

A sophisticated campaign using typo-squatted 'Spectrum' domains has been uncovered, spreading a new Atomic macOS Stealer (AMOS) variant. The attack, disguised as a CAPTCHA verification, employs dynamic payloads based on the victim's operating system. For macOS users, a malicious shell script steals…

multi-platform attack

macos stealer

Published: June 4, 2025

Downloadable IOCs: 4

Crocodilus Mobile Malware: Evolving Fast, Going Global

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce a…

Published: June 3, 2025

Downloadable IOCs: 4

Victims risk AsyncRAT infection after being redirected to fake Booking.com sites

Cybercriminals have launched a campaign redirecting users from gaming sites and social media to fake Booking.com websites. The scam uses fake CAPTCHA prompts to trick visitors into executing malicious commands on their devices. If successful, the attack downloads and installs AsyncRAT, a backdoor T…

Published: June 3, 2025

Downloadable IOCs: 14

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …

Published: May 22, 2025

Downloadable IOCs: 10

Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

The Trustwave SpiderLabs Email Security team has identified a significant increase in SVG image-based attacks, where seemingly harmless graphics are used to conceal dangerous links. Cybercriminals are exploiting the ability of SVG files to embed JavaScript, which can execute automatically upon open…

Published: May 16, 2025

Downloadable IOCs: 4

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in …

Published: May 12, 2025

Downloadable IOCs: 0

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data…

Published: May 7, 2025

Downloadable IOCs: 3

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted…

clipboard-based execution

Published: May 6, 2025

Downloadable IOCs: 7

Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

This report analyzes common techniques, tactics, and procedures (TTPs) used by several investment scam actors who lure victims with fake platforms, including crypto exchanges. Key TTPs include registering large numbers of domains algorithmically, embedding similar web forms to collect user data, hi…

registered domain generation algorithms

Published: May 6, 2025

Downloadable IOCs: 87

Lampion Is Back With ClickFix Lures

A highly focused malicious campaign targeting Portuguese organizations, particularly in government, finance, and transportation sectors, has been uncovered. The campaign is linked to Lampion malware, an infostealer focusing on banking information. The threat actors have incorporated ClickFix lures,…

Published: May 6, 2025

Downloadable IOCs: 10

Fake Social Security Statement emails trick users into installing remote tool

A phishing campaign is targeting users with fake emails purportedly from the US Social Security Administration. These emails aim to trick recipients into installing ScreenConnect, a legitimate remote access tool that can be misused by cybercriminals. The campaign, attributed to a group called Molat…

social security administration

Published: May 1, 2025

Downloadable IOCs: 0

Security Brief: French BEC Threat Actor Targets Property Payments

A new financially motivated business email compromise (BEC) threat actor, TA2900, has been identified targeting individuals in France and occasionally Canada. The actor sends French language emails using rental payment themes, claiming that rental installments have not been received and instructing…

Published: April 29, 2025

Downloadable IOCs: 3

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…

Published: April 28, 2025

Downloadable IOCs: 0

Smishing Attacks Rise: How to Spot and Stop SMS Phishing

SMS-based phishing attacks, known as smishing, are on the rise, targeting businesses with sophisticated social engineering tactics. These attacks often begin with urgent text messages containing disguised links, redirecting victims to fake login pages. Attackers exploit human emotions and create a …

social engineering

credential harvesting

smishing

2025-04-28

Published: April 28, 2025

Downloadable IOCs: 0

The Return of Pharmacy-Themed Spam

Pharmaceutical-themed spam campaigns continue to target individuals and organizations, particularly in the healthcare and pharmaceutical sectors. Recent observations reveal a bulk spam campaign using spoofed identities and compromised infrastructure to send deceptive emails. The attackers employ ta…

Published: April 26, 2025

Downloadable IOCs: 0

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aimin…

anonymization networks

Published: April 24, 2025

Downloadable IOCs: 45

Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands

A scam campaign dubbed 'Power Parasites' is targeting individuals in Asian countries through deceptive websites, social media groups, and Telegram channels. The campaign exploits the names and branding of global energy companies and other major brands to conduct job and investment scams. Victims ar…

Published: April 24, 2025

Downloadable IOCs: 0

The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques su…

government impersonation

Published: April 18, 2025

Downloadable IOCs: 0

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…

Published: April 15, 2025

Downloadable IOCs: 0

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…

Published: April 14, 2025

Downloadable IOCs: 41

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Bo…

Published: April 13, 2025

Downloadable IOCs: 0

Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits

A stealthy malware campaign dubbed OBSCURE#BAT has been discovered, utilizing social engineering and deceptive file downloads to trick users into executing obfuscated code. The infection chain deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and …

Published: April 13, 2025

Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…

Published: April 10, 2025

Downloadable IOCs: 0

Scattered Spider: Still Hunting for Victims in 2025

Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push research…

Published: April 9, 2025

Downloadable IOCs: 57

The Wagmi Manual: Copy, Paste, and Profit

The Wagmi traffer group, operating since early 2023, specializes in NFT scams and cryptocurrency theft. They utilize sophisticated social engineering tactics, fake web3-themed games, and impersonation of legitimate projects to lure victims. Their operations have allegedly earned over $2.4 million b…

Published: April 8, 2025

Downloadable IOCs: 96

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they a…

Published: April 3, 2025

Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…

remote access trojans

Published: April 3, 2025

Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…

phishing

social engineering

credential harvesting

business email compromise

Published: April 1, 2025

Downloadable IOCs: 57

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting user…

Published: April 1, 2025

Downloadable IOCs: 0

Snow White — Beware the Bad Apple in the Torrent

A new malware campaign is targeting users attempting to download the Snow White movie through torrent sites. The attackers exploit a compromised blog to distribute a malicious torrent package disguised as a pirated version of the film. The package contains a fake codec installer that, when executed…

Published: March 27, 2025

Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …

Published: March 25, 2025

Downloadable IOCs: 5

Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats

Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learnin…

real-time anti-phishing

employee awareness

Published: March 21, 2025

Downloadable IOCs: 11

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…

Published: March 21, 2025

Downloadable IOCs: 4

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …

Published: March 14, 2025

Downloadable IOCs: 28

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…

russian-speaking cybercriminals

Published: March 13, 2025

Downloadable IOCs: 0

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticate…

Published: March 12, 2025

Downloadable IOCs: 6

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…

binance impersonation

connectwise rat

Published: March 11, 2025

Downloadable IOCs: 1

AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools.…

Published: March 11, 2025

Downloadable IOCs: 14

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …

atomic macos stealer (amos)

grasscall

Published: March 6, 2025

Downloadable IOCs: 14

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data …

Published: March 6, 2025

Downloadable IOCs: 9

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campa…

indirect control flow

Published: March 4, 2025

Downloadable IOCs: 12

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…

onedrive exploitation

Published: March 3, 2025

Downloadable IOCs: 0

Russian campaign targeting Romanian WhatsApp numbers

A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code,…

Published: February 28, 2025

Downloadable IOCs: 0

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…

Published: February 26, 2025

Downloadable IOCs: 0

Android trojan TgToxic updates its capabilities

TgToxic, an Android banking trojan, has undergone significant updates to enhance its capabilities and evade detection. Initially targeting Southeast Asia, the malware has expanded its reach to include European and Latin American banks. The latest version incorporates improved emulator detection tec…

Published: February 26, 2025

Downloadable IOCs: 0

Phishing Campaigns Targeting Higher Education Institutions

Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Goog…

phishing

social engineering

universities

business email compromise

Published: February 24, 2025

Downloadable IOCs: 4

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…

Published: February 18, 2025

Downloadable IOCs: 3

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…

Published: February 15, 2025

Downloadable IOCs: 0

Inside a Malware Campaign: A Nigerian Hacker's Perspective

This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hos…

Published: February 14, 2025

Downloadable IOCs: 2

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…

device code authentication

Published: February 14, 2025

Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …

Published: February 11, 2025

Downloadable IOCs: 7

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…

microsoft impersonation

Published: February 6, 2025

Downloadable IOCs: 0

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…

browser-based attacks

troj/autoit-dhb

email attachments

Published: February 5, 2025

Downloadable IOCs: 0

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…

Published: February 3, 2025

Downloadable IOCs: 4

Two ransomware campaigns tracked using 'email bombing' and Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, targeting organizations using Microsoft Office 365. Both employ similar tactics: email bombing to create urgency, followed by social engineering via Microsoft Teams calls posing as tech support. The attackers use remote access to…

Published: January 22, 2025

Downloadable IOCs: 17

Threat Research Report: Malicious Domain Activity During the Los Angeles Wildfires

During the 2025 Los Angeles wildfires, cybercriminals exploited the disaster through various phishing campaigns. Analysis of 119 domains registered between January 8-13, 2025, revealed themes targeting emergency assistance, legal services, and reconstruction efforts. GoDaddy was the most used regis…

phishing

social engineering

2025-01-17

natural disaster exploitation

los angeles wildfires

Published: January 17, 2025

Downloadable IOCs: 119

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…

Published: January 17, 2025

Downloadable IOCs: 2

Recruitment Phishing Scam Imitates Hiring Process

A sophisticated phishing campaign has been discovered that exploits recruitment branding to deliver malware. The attack begins with a phishing email impersonating a recruitment process, directing victims to a malicious website. Users are prompted to download a fake application, which serves as a do…

Published: January 10, 2025

Downloadable IOCs: 5

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control …

Published: January 2, 2025

Downloadable IOCs: 3

Recent Cases of Watering Hole Attacks, Part 1

This analysis focuses on a watering hole attack targeting a Japanese university research laboratory website in 2023. The attack used social engineering to trick users into downloading and executing malware disguised as an Adobe Flash Player update. The malware, identified as a modified Cobalt Strik…

flashupdateinstall.exe

university

Published: December 20, 2024

Linked vulnerabilities : CVE-2022-1388

Downloadable IOCs: 10

Your Data Is Under New Management: The Rise of LummaStealer

LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized busine…

malware-as-a-service (maas)

Published: December 18, 2024

Downloadable IOCs: 0

How Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels

Cybercriminals are targeting YouTube creators through sophisticated phishing campaigns that impersonate trusted brands offering collaboration deals. The malware is disguised as legitimate documents and delivered via password-protected files on platforms like OneDrive. Once downloaded, it steals sen…

Published: December 17, 2024

Downloadable IOCs: 3

NodeLoader Exposed: The Node.js Malware Evading Detection

Zscaler ThreatLabz discovered a malware campaign using Node.js applications for Windows to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family employs Node.js compiled executables to deliver second-stage payloads like XMRig, Lumma, and Phemedrone Stealer…

cryptocurrency miners

nodeloader

Published: December 13, 2024

Downloadable IOCs: 0

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …

Published: December 11, 2024

Downloadable IOCs: 4

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…

Published: December 7, 2024

Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…

Published: November 18, 2024

Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…

Published: November 16, 2024

Downloadable IOCs: 0

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network …

Published: November 7, 2024

Downloadable IOCs: 239

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…

Published: November 6, 2024

Downloadable IOCs: 56

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…

Published: November 4, 2024

Downloadable IOCs: 2

LastPass Warns of Hackers Misusing Reviews for Fake Support Numbers

LastPass has alerted users about a social engineering campaign targeting customers through fraudulent 5-star reviews on the Chrome Web Store. Hackers are posting fake reviews for the LastPass Chrome extension, promoting a bogus customer support phone number to steal user data. When users call this …

Published: November 2, 2024

Downloadable IOCs: 0

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…

Published: October 31, 2024

Downloadable IOCs: 7

Rat King: How the Android Trojan CraxsRAT Steals User Data

CraxsRAT, an Android trojan, has been targeting Russian and Belarusian users since summer 2024. It masquerades as legitimate apps like government services, antivirus software, and telecom operators. The malware spreads through social engineering tactics, prompting users to download malicious APK fi…

Published: October 31, 2024

Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…

Published: October 30, 2024

Downloadable IOCs: 2

Malicious CAPTCHA delivers Lumma and Amadey Trojans

An adware campaign targets online users by presenting them with fake CAPTCHA or update prompts, tricking them into running malicious PowerShell commands that deploy credential-stealing malware like Lumma and Amadey. The attackers leverage ad networks to redirect victims to compromised sites hosting…

Published: October 29, 2024

Downloadable IOCs: 1

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…

Published: October 23, 2024

Linked vulnerabilities : CVE-2024-4947

Downloadable IOCs: 2

Tricks and Treats: New Pixel-Level Deception

GHOSTPULSE malware has evolved to embed malicious data within pixel structures of PNG files, replacing its previous IDAT chunk technique. Recent campaigns involve social engineering tactics, tricking victims with CAPTCHA validations that trigger malicious commands through keyboard shortcuts. The ma…

configuration extractor

pixel-level deception

png files

crc32

gdi+

Published: October 18, 2024

Downloadable IOCs: 9

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…

Published: October 18, 2024

Downloadable IOCs: 171

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…

Published: October 18, 2024

Downloadable IOCs: 0

Threat actors use ChatGPT to write malware

OpenAI has disrupted over 20 malicious cyber operations abusing ChatGPT for various purposes, including malware development and spear-phishing attacks. The company confirmed cases involving Chinese and Iranian threat actors. SweetSpecter, a Chinese group, targeted OpenAI employees with phishing ema…

Published: October 14, 2024

Downloadable IOCs: 1

DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware

DPRK-associated threat actors are targeting tech industry job seekers through fake recruitment campaigns, installing malware on their devices. The campaign, named CL-STA-240 Contagious Interview, uses social engineering to lure victims into online interviews where they are convinced to download mal…

Published: October 9, 2024

Downloadable IOCs: 0

Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users

A large-scale fraud campaign involving fake trading apps targeting Apple iOS and Android users across multiple regions has been uncovered. The apps, developed using the UniApp framework, were distributed through official app stores and phishing sites. Unlike conventional mobile trojans, these apps …

fraudulent trading apps

unishadowtrade

goldpickaxe

Published: October 4, 2024

Downloadable IOCs: 9

Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

This intelligence report details a sophisticated malware campaign targeting multiple industries across various countries. The threat actor employs advanced tactics, techniques, and procedures (TTPs) to infiltrate networks, maintain persistence, and exfiltrate sensitive data. The malware used in thi…

social engineering

data exfiltration

advanced persistent threat

2024-10-03

custom malware

multi-industry targeting

persistence techniques

network infiltration

Published: October 3, 2024

Downloadable IOCs: 16

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…

two-factor authentication

political campaigns

Published: September 30, 2024

Downloadable IOCs: 65

Wallet Scam: A Case Study in Crypto Drainer Tactics

A malicious app on Google Play, posing as WalletConnect, targeted mobile users to steal cryptocurrency. The app evaded detection for five months, achieving over 10,000 downloads. It used advanced social engineering and modern crypto drainer toolkit, stealing approximately $70,000 from victims. The …

Published: September 27, 2024

Downloadable IOCs: 8

The Emerging Dynamics of Deepfake Scam Campaigns on the Web

Researchers have uncovered dozens of scam campaigns utilizing deepfake videos featuring public figures like CEOs, news anchors, and government officials. These campaigns target victims in multiple countries using various languages. The scams promote fake investment schemes and government giveaways.…

infrastructure analysis

Published: September 2, 2024

Downloadable IOCs: 428

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …

Published: August 26, 2024

Downloadable IOCs: 38

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Proofpoint security researchers identified an Iranian threat group known as TA453 targeting a prominent religious figure through a sophisticated social engineering campaign. The threat actors impersonated a legitimate organization and invited the target to participate in a podcast interview. Upon e…

Published: August 20, 2024

Downloadable IOCs: 10

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…

Published: August 9, 2024

Downloadable IOCs: 50

Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

The intelligence report discusses an ongoing malware campaign that targets software developers through social engineering tactics like fake job interviews. The threat actors behind this campaign have upgraded their tools, now supporting multiple operating systems (Windows, Linux, and macOS) and emp…

social engineering

dev#popper

2024-08-01

Published: August 1, 2024

Downloadable IOCs: 14

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…

Published: July 30, 2024

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 74

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…

Published: July 10, 2024

Downloadable IOCs: 14

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)

Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…

Published: July 10, 2024

Linked vulnerabilities : CVE-2024-38112 (CVSS 7.5), CVE-2021-40444, CVE-2023-36025

Downloadable IOCs: 7

Exposing FakeBat loader: distribution methods and adversary infrastructure

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social …

Published: July 2, 2024

Downloadable IOCs: 237

CapraTube Remix | Android Spyware Targeting Gamers, Weapons Enthusiasts

SentinelLabs has uncovered a new campaign of Android spyware apps associated with the suspected Pakistan state-aligned Transparent Tribe threat group. The malicious apps, disguised as video browsers, gaming sites, and TikTok content, target mobile gamers, weapons enthusiasts, and individuals intere…

Published: July 1, 2024

Downloadable IOCs: 6

Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework

Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …

Published: June 19, 2024

Linked vulnerabilities : CVE-2024-21412

Downloadable IOCs: 46

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…

Published: June 17, 2024

Downloadable IOCs: 14

Cybercriminals attack banking customers in EU with V3B phishing kit

An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…

Published: June 10, 2024

Downloadable IOCs: 44

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…

Published: May 24, 2024

Downloadable IOCs: 12

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…

Published: May 16, 2024

Downloadable IOCs: 12

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…

Published: May 13, 2024

Downloadable IOCs: 3

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…

Published: May 10, 2024

Linked vulnerabilities : CVE-2024-22024

Downloadable IOCs: 118

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…

Published: April 29, 2024

Downloadable IOCs: 7

FakeBat Malware Distributing via Fake Browser Updates

This report details a recent malware campaign leveraging fake browser update notifications to distribute the FakeBat loader. The campaign employs sophisticated social engineering techniques, with malicious JavaScript code injected into compromised websites to trigger deceptive update prompts. These…

Published: April 29, 2024

Downloadable IOCs: 6

Tag: social engineering

Attack reports

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Over 2,000 Holiday-Themed Fake Stores Detected Exploiting Black Friday and Festive Sales

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

macOS Malware Deploys in Fake Job Scams

ClickFix Gets Creative: Malware Buried in Images

New Banking Trojan Identified, Distributed Through WhatsApp

GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

How AI Is Fueling a New Wave of Black Friday Scams

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

State-Sponsored Remote Wipe Tactics Targeting Android Devices

From primitive crypto theft to sophisticated AI-based deception

Watch out for SVG files booby-trapped with malware

Gotta fly: Targeting the UAV sector

Booking.com Phishing Campaign Targeting Hotels and Customers

The DragonForce Cartel: Scattered Spider at the gate

Remote access, real cargo: cybercriminals targeting trucking and logistics

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

SecuritySnack: 18+E-Crime

Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations

Datzbro: RAT Hiding Behind Senior Travel Scams

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

Updates Arsenal with BAITSWITCH and SIMPLEFIX

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Ethereum smart contracts used to push malicious code on npm

Three Lazarus RATs coming for your cheese

Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

AI Waifu RAT: A Ring3 malware-like RAT based on LLM manipulation is circulating in the wild

From a Fake AnyDesk Installer to MetaStealer

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

Threat Actor Profile: Interlock Ransomware

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

From ClickFix to Command: A Full PowerShell Attack Chain

The Homograph Illusion: Not Everything Is As It Seems

Email-Delivered RMM: Abusing PDFs for Silent Initial Access

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

Illusory Wishes: China-nexus APT Targets the Tibetan Community

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

Back to Business: Lumma Stealer Returns with Stealthier Methods

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

UNG0002 (Unknown Group 0002): Espionage Campaigns Uncovered

Fix the Click: Preventing the ClickFix Attack Vector

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

Getting a career in cybersecurity isn't easy, but this can help

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

TxTag Takedown: Busting Phishing Email Schemes

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

Steam Phishing: Popular as Ever

Inside the BlueNoroff Web3 macOS Intrusion Analysis

Warning Against Distribution of Malware Disguised as Research Papers

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

From ClickFix deception to information stealer deployment

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

Crocodilus Mobile Malware: Evolving Fast, Going Global

Victims risk AsyncRAT infection after being redirected to fake Booking.com sites

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

Lampion Is Back With ClickFix Lures

Fake Social Security Statement emails trick users into installing remote tool

Security Brief: French BEC Threat Actor Targets Property Payments