Tag: social engineering

89 Attack Reports | 0 Vulnerabilities

Attack reports

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aimin…
social engineering
cryptocurrency
beavertail
frostyferret
2025-04-24
blocknovas
invisible ferret
anonymization networks
Published: April 24, 2025
Downloadable IOCs: 45

Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands

A scam campaign dubbed 'Power Parasites' is targeting individuals in Asian countries through deceptive websites, social media groups, and Telegram channels. The campaign exploits the names and branding of global energy companies and other major brands to conduct job and investment scams. Victims ar…
phishing
social engineering
telegram
social media
investment fraud
brand impersonation
2025-04-24
job scam
Published: April 24, 2025
Downloadable IOCs: 0

The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques su…
phishing
social engineering
malvertising
njrat
identity theft
government impersonation
qr code scams
2025-04-18
financial scams
fake subsidies
Published: April 18, 2025
Downloadable IOCs: 0

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…
phishing
social engineering
credential theft
information stealer
sectoprat
2025-04-15
pdf converter
arechclient2
Published: April 15, 2025
Downloadable IOCs: 0

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…
social engineering
north korea
python
infostealer
cryptocurrency
2025-04-14
rn stealer
rn loader
dpkr
slow pisces
yaml deserialization
Published: April 14, 2025
Downloadable IOCs: 41

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Bo…
xworm
phishing
social engineering
lumma stealer
asyncrat
danabot
venomrat
clickfix
netsupport rat
booking.com
2025-03-13
credential-stealing
2025-04-13
Published: April 13, 2025
Downloadable IOCs: 0

Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits

A stealthy malware campaign dubbed OBSCURE#BAT has been discovered, utilizing social engineering and deceptive file downloads to trick users into executing obfuscated code. The infection chain deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and …
social engineering
api hooking
quasarrat
r77 rootkit
2025-04-13
user-mode rootkit
Published: April 13, 2025
Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…
phishing
social engineering
malware distribution
credential theft
infostealers
email attachments
2025-04-10
downloaders
html scripts
document exploits
compressed files
Published: April 10, 2025
Downloadable IOCs: 0

Scattered Spider: Still Hunting for Victims in 2025

Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push research…
phishing
social engineering
hubspot
2025-04-09
domain impersonation
klaviyo
spectre rat
Published: April 9, 2025
Downloadable IOCs: 57

The Wagmi Manual: Copy, Paste, and Profit

The Wagmi traffer group, operating since early 2023, specializes in NFT scams and cryptocurrency theft. They utilize sophisticated social engineering tactics, fake web3-themed games, and impersonation of legitimate projects to lure victims. Their operations have allegedly earned over $2.4 million b…
social engineering
lummac2
rhadamanthys
hijackloader
cryptocurrency theft
2025-04-08
nft scams
Published: April 8, 2025
Downloadable IOCs: 96

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they a…
social engineering
powershell
javascript
google ads
gootloader
scheduled tasks
2025-04-03
email phishing
wordpress blogs
legal templates
Published: April 3, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…
phishing
social engineering
credential harvesting
business email compromise
qr code
2025-04-01
url redirection
human verification
quishing
Published: April 1, 2025
Downloadable IOCs: 57

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting user…
obfuscation
social engineering
powershell
qbot
banking trojan
evasion techniques
2025-04-01
clickfix captcha
php dropper
quakbot
Published: April 1, 2025
Downloadable IOCs: 0

Snow White — Beware the Bad Apple in the Torrent

A new malware campaign is targeting users attempting to download the Snow White movie through torrent sites. The attackers exploit a compromised blog to distribute a malicious torrent package disguised as a pirated version of the film. The package contains a fake codec installer that, when executed…
social engineering
tor network
dark web
2025-03-27
iocs
torrent
movie piracy
codec installer
CVE-2023-40680
malware dropper
Published: March 27, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats

Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learnin…
phishing
social engineering
ai
cybersecurity
machine learning
2025-03-21
real-time anti-phishing
employee awareness
Published: March 21, 2025
Downloadable IOCs: 11

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…
phishing
social engineering
powershell
asyncrat
clickfix
captcha
2025-03-21
command line
fake fixes
Published: March 21, 2025
Downloadable IOCs: 4

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …
phishing
social engineering
cryptocurrency
scams
e-commerce fraud
2025-03-14
charitable fraud
wallet draining
fake giveaways
ramadan
Published: March 14, 2025
Downloadable IOCs: 28

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticate…
phishing
social engineering
impersonation
cyber espionage
2025-03-12
fake job offers
recruitment scam
Published: March 12, 2025
Downloadable IOCs: 6

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…
phishing
social engineering
remote access trojan
2025-03-11
cryptocurrency scam
password theft
binance impersonation
connectwise rat
Published: March 11, 2025
Downloadable IOCs: 1

AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools.…
social engineering
lumma stealer
information theft
github
ai-generated content
2025-03-11
obfuscated scripts
smartloader
Published: March 11, 2025
Downloadable IOCs: 14

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …
rat
phishing
social engineering
rhadamanthys
cryptocurrency theft
amos
2025-03-06
job recruitment
atomic macos stealer (amos)
grasscall
Published: March 6, 2025
Downloadable IOCs: 14

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data …
backdoor
social engineering
typosquatting
powershell
stealer
dll sideloading
farfli
deepseek
2025-03-06
Published: March 6, 2025
Downloadable IOCs: 9

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campa…
obfuscation
social engineering
malvertising
powershell
clickfix
fake captcha
lummastealer
2025-03-04
emotet
info-stealer
binary padding
booking websites
indirect control flow
Published: March 4, 2025
Downloadable IOCs: 12

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Russian campaign targeting Romanian WhatsApp numbers

A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code,…
phishing
social engineering
whatsapp
russia
account takeover
2025-02-28
romania
Published: February 28, 2025
Downloadable IOCs: 0

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…
apt
phishing
social engineering
north korea
cryptocurrency
2025-02-26
bybit
Published: February 26, 2025
Downloadable IOCs: 0

Android trojan TgToxic updates its capabilities

TgToxic, an Android banking trojan, has undergone significant updates to enhance its capabilities and evade detection. Initially targeting Southeast Asia, the malware has expanded its reach to include European and Latin American banks. The latest version incorporates improved emulator detection tec…
social engineering
android
banking trojan
tgtoxic
2025-02-26
tiramisudropper
Published: February 26, 2025
Downloadable IOCs: 0

Phishing Campaigns Targeting Higher Education Institutions

Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Goog…
phishing
social engineering
universities
business email compromise
2025-02-24
google forms
higher education
payment redirection
Published: February 24, 2025
Downloadable IOCs: 4

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…
phishing
social engineering
credential theft
email spoofing
2025-02-18
payment fraud
fake login page
amazon prime
Published: February 18, 2025
Downloadable IOCs: 3

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…
phishing
social engineering
cryptocurrency
financial fraud
social media
e-commerce
brand impersonation
oauth
2025-02-15
valentine's day
Published: February 15, 2025
Downloadable IOCs: 0

Inside a Malware Campaign: A Nigerian Hacker's Perspective

This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hos…
phishing
social engineering
redline
redline stealer
chatgpt
2025-02-14
nigerian hacker
google dorking
gammadyne mailer
email harvesting
xlogger
Published: February 14, 2025
Downloadable IOCs: 2

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…
phishing
social engineering
russia
microsoft 365
spear-phishing
oauth
2025-02-14
device code authentication
Published: February 14, 2025
Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …
phishing
social engineering
lumma stealer
credential theft
vidar stealer
clickfix
captcha
deepseek
2025-02-11
Published: February 11, 2025
Downloadable IOCs: 7

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…
phishing
social engineering
credential theft
email spoofing
sharepoint
2025-02-06
power bi
microsoft impersonation
Published: February 6, 2025
Downloadable IOCs: 0

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments
Published: February 5, 2025
Downloadable IOCs: 0

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…
malware
phishing
social engineering
ransomware
spyware
domain spoofing
2025-02-03
cyber threat
trojans
declassified files
historical documents
jfk files
Published: February 3, 2025
Downloadable IOCs: 4

Two ransomware campaigns tracked using 'email bombing' and Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, targeting organizations using Microsoft Office 365. Both employ similar tactics: email bombing to create urgency, followed by social engineering via Microsoft Teams calls posing as tech support. The attackers use remote access to…
social engineering
ransomware
black basta
vishing
email bombing
2025-01-22
Published: January 22, 2025
Downloadable IOCs: 17

Threat Research Report: Malicious Domain Activity During the Los Angeles Wildfires

During the 2025 Los Angeles wildfires, cybercriminals exploited the disaster through various phishing campaigns. Analysis of 119 domains registered between January 8-13, 2025, revealed themes targeting emergency assistance, legal services, and reconstruction efforts. GoDaddy was the most used regis…
phishing
social engineering
2025-01-17
natural disaster exploitation
los angeles wildfires
Published: January 17, 2025
Downloadable IOCs: 119

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

Recruitment Phishing Scam Imitates Hiring Process

A sophisticated phishing campaign has been discovered that exploits recruitment branding to deliver malware. The attack begins with a phishing email impersonating a recruitment process, directing victims to a malicious website. Users are prompted to download a fake application, which serves as a do…
phishing
social engineering
cryptominer
recruitment
2025-01-10
job seekers
Published: January 10, 2025
Downloadable IOCs: 5

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control …
backdoor
apt
social engineering
data theft
c2 communication
2025-01-02
ipmsg
dll64.dll
loader1.dll
att_loader_dll.dll
weaponized installer
Published: January 2, 2025
Downloadable IOCs: 3

Recent Cases of Watering Hole Attacks, Part 1

This analysis focuses on a watering hole attack targeting a Japanese university research laboratory website in 2023. The attack used social engineering to trick users into downloading and executing malware disguised as an Adobe Flash Player update. The malware, identified as a modified Cobalt Strik…
social engineering
cobalt strike
cobalt strike beacon
anti-analysis
cloudflare workers
watering hole
japan
2024-12-20
tips.exe
malware injection
system32.dll
flashupdateinstall.exe
university
Published: December 20, 2024
Linked vulnerabilities : CVE-2022-1388
Downloadable IOCs: 10

Your Data Is Under New Management: The Rise of LummaStealer

LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized busine…
phishing
social engineering
python
lummastealer
2024-12-18
malware-as-a-service (maas)
Published: December 18, 2024
Downloadable IOCs: 0

How Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels

Cybercriminals are targeting YouTube creators through sophisticated phishing campaigns that impersonate trusted brands offering collaboration deals. The malware is disguised as legitimate documents and delivered via password-protected files on platforms like OneDrive. Once downloaded, it steals sen…
phishing
social engineering
youtube
brand impersonation
2024-12-17
content creators
Published: December 17, 2024
Downloadable IOCs: 3

NodeLoader Exposed: The Node.js Malware Evading Detection

Zscaler ThreatLabz discovered a malware campaign using Node.js applications for Windows to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family employs Node.js compiled executables to deliver second-stage payloads like XMRig, Lumma, and Phemedrone Stealer…
social engineering
node.js
lumma stealer
evasion techniques
information stealers
2024-12-13
game streaming
cryptocurrency miners
nodeloader
Published: December 13, 2024
Downloadable IOCs: 0

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …
phishing
social engineering
credential theft
2024-12-11
account takeover
email security
Published: December 11, 2024
Downloadable IOCs: 4

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…
windows
macos
social-engineering
information theft
cross-platform
ai-generated content
web3
2024-12-07
meeten
electron application
crypto-stealer
realst
Published: December 7, 2024
Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…
xworm
phishing
social engineering
powershell
darkgate
lumma stealer
asyncrat
danabot
latrodectus
netsupport
cybersecurity
clickfix
threat actors
brute ratel c4
2024-11-18
malware delivery
lucky volunteer
recaptcha phish
threat landscape
Published: November 18, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network …
phishing
social engineering
identity theft
2024-11-07
Published: November 7, 2024
Downloadable IOCs: 239

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…
social engineering
cryptocurrency
data theft
beavertail
contagious interview
invisibleferret
2024-11-06
wagemole
sanctions evasion
remote work
job fraud
Published: November 6, 2024
Downloadable IOCs: 56

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

LastPass Warns of Hackers Misusing Reviews for Fake Support Numbers

LastPass has alerted users about a social engineering campaign targeting customers through fraudulent 5-star reviews on the Chrome Web Store. Hackers are posting fake reviews for the LastPass Chrome extension, promoting a bogus customer support phone number to steal user data. When users call this …
phishing
social engineering
2024-11-02
lastpass
password management
chrome web store
fake reviews
Published: November 2, 2024
Downloadable IOCs: 0

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

Rat King: How the Android Trojan CraxsRAT Steals User Data

CraxsRAT, an Android trojan, has been targeting Russian and Belarusian users since summer 2024. It masquerades as legitimate apps like government services, antivirus software, and telecom operators. The malware spreads through social engineering tactics, prompting users to download malicious APK fi…
espionage
social engineering
android
data theft
trojan
financial fraud
remote access
craxsrat
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…
phishing
social engineering
credential theft
microsoft
domain abuse
2024-10-30
atlassian
docusign
confluence
Published: October 30, 2024
Downloadable IOCs: 2

Malicious CAPTCHA delivers Lumma and Amadey Trojans

An adware campaign targets online users by presenting them with fake CAPTCHA or update prompts, tricking them into running malicious PowerShell commands that deploy credential-stealing malware like Lumma and Amadey. The attackers leverage ad networks to redirect victims to compromised sites hosting…
malvertising
adware
remcos
amadey
infostealers
social-engineering
lumma
captcha
2024-10-29
Published: October 29, 2024
Downloadable IOCs: 1

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

Tricks and Treats: New Pixel-Level Deception

GHOSTPULSE malware has evolved to embed malicious data within pixel structures of PNG files, replacing its previous IDAT chunk technique. Recent campaigns involve social engineering tactics, tricking victims with CAPTCHA validations that trigger malicious commands through keyboard shortcuts. The ma…
social engineering
lumma stealer
captcha
2024-10-18
ghostpulse
keyboard shortcuts
yara rules
configuration extractor
pixel-level deception
png files
crc32
gdi+
Published: October 18, 2024
Downloadable IOCs: 9

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…
phishing
social engineering
rhadamanthys
infostealer
cryptocurrency
stealc
clickfix
2024-10-18
web3
amos stealer
google meet
Published: October 18, 2024
Downloadable IOCs: 171

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
social engineering
powershell
windows
rhadamanthys
stealer
macos
infostealers
stealc
clickfix
2024-10-18
google meet
atomic
Published: October 18, 2024
Downloadable IOCs: 0

Threat actors use ChatGPT to write malware

OpenAI has disrupted over 20 malicious cyber operations abusing ChatGPT for various purposes, including malware development and spear-phishing attacks. The company confirmed cases involving Chinese and Iranian threat actors. SweetSpecter, a Chinese group, targeted OpenAI employees with phishing ema…
social engineering
sugargh0st rat
reconnaissance
chatgpt
spear-phishing
2024-10-14
threat actors
cyber operations
openai
Published: October 14, 2024
Downloadable IOCs: 1

DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware

DPRK-associated threat actors are targeting tech industry job seekers through fake recruitment campaigns, installing malware on their devices. The campaign, named CL-STA-240 Contagious Interview, uses social engineering to lure victims into online interviews where they are convinced to download mal…
social engineering
cryptocurrency theft
beavertail
2024-10-09
python backdoor
Published: October 9, 2024
Downloadable IOCs: 0

Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users

A large-scale fraud campaign involving fake trading apps targeting Apple iOS and Android users across multiple regions has been uncovered. The apps, developed using the UniApp framework, were distributed through official app stores and phishing sites. Unlike conventional mobile trojans, these apps …
ios
social engineering
android
cross-platform
2024-10-04
pig butchering
uniapp
fraudulent trading apps
unishadowtrade
goldpickaxe
Published: October 4, 2024
Downloadable IOCs: 9

Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

This intelligence report details a sophisticated malware campaign targeting multiple industries across various countries. The threat actor employs advanced tactics, techniques, and procedures (TTPs) to infiltrate networks, maintain persistence, and exfiltrate sensitive data. The malware used in thi…
social engineering
data exfiltration
advanced persistent threat
2024-10-03
custom malware
multi-industry targeting
persistence techniques
network infiltration
Published: October 3, 2024
Downloadable IOCs: 16

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…
phishing
social engineering
impersonation
iran
credential theft
2024-09-30
two-factor authentication
political campaigns
Published: September 30, 2024
Downloadable IOCs: 65

Wallet Scam: A Case Study in Crypto Drainer Tactics

A malicious app on Google Play, posing as WalletConnect, targeted mobile users to steal cryptocurrency. The app evaded detection for five months, achieving over 10,000 downloads. It used advanced social engineering and modern crypto drainer toolkit, stealing approximately $70,000 from victims. The …
social engineering
mobile malware
2024-09-27
crypto drainer
walletconnect
Published: September 27, 2024
Downloadable IOCs: 8

The Emerging Dynamics of Deepfake Scam Campaigns on the Web

Researchers have uncovered dozens of scam campaigns utilizing deepfake videos featuring public figures like CEOs, news anchors, and government officials. These campaigns target victims in multiple countries using various languages. The scams promote fake investment schemes and government giveaways.…
phishing
social engineering
impersonation
fraud
ai
scams
2024-08-29
genai
deepfakes
2024-09-02
investment fraud
infrastructure analysis
Published: September 2, 2024
Downloadable IOCs: 428

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …
phishing
social engineering
iran
credential theft
2024-08-26
election targeting
ycollection
lcollection
dwp
gcollection
Published: August 26, 2024
Downloadable IOCs: 38

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Proofpoint security researchers identified an Iranian threat group known as TA453 targeting a prominent religious figure through a sophisticated social engineering campaign. The threat actors impersonated a legitimate organization and invited the target to participate in a podcast interview. Upon e…
social engineering
iran
2024-08-20
anvilecho
blacksmith
Published: August 20, 2024
Downloadable IOCs: 10

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…
phishing
social engineering
anydesk
remote access
2024-08-09
uk banks
Published: August 9, 2024
Downloadable IOCs: 50

Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

The intelligence report discusses an ongoing malware campaign that targets software developers through social engineering tactics like fake job interviews. The threat actors behind this campaign have upgraded their tools, now supporting multiple operating systems (Windows, Linux, and macOS) and emp…
social engineering
dev#popper
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 14

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
phishing
social engineering
cryptocurrency
financial fraud
cybercrime
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 14

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)

Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…
social engineering
windows
zero-day
CVE-2023-36025
exploitation
CVE-2021-40444
CVE-2024-38112
2024-07-10
internet explorer
malicious files
Published: July 10, 2024
Linked vulnerabilities : CVE-2024-38112 (CVSS 7.5), CVE-2021-40444, CVE-2023-36025
Downloadable IOCs: 7

Exposing FakeBat loader: distribution methods and adversary infrastructure

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social …
loader
social engineering
malvertising
fakebat
2024-07-02
drive-by download
paykloader
eugenloader
eugenfest
payk_34
Published: July 2, 2024
Downloadable IOCs: 237

CapraTube Remix | Android Spyware Targeting Gamers, Weapons Enthusiasts

SentinelLabs has uncovered a new campaign of Android spyware apps associated with the suspected Pakistan state-aligned Transparent Tribe threat group. The malicious apps, disguised as video browsers, gaming sites, and TikTok content, target mobile gamers, weapons enthusiasts, and individuals intere…
social engineering
android
pakistan
spyware
2024-07-01
caprarat
Published: July 1, 2024
Downloadable IOCs: 6

Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework

Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
malware
backdoor
social-engineering
2024-06-19
winos
chinese
seo-poisoning
Published: June 19, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 46

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

Cybercriminals attack banking customers in EU with V3B phishing kit

An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
phishing
cybercrime
fraud
social-engineering
banking
2024-06-10
Published: June 10, 2024
Downloadable IOCs: 44

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
social engineering
powershell
seo poisoning
javascript
2024-05-24
gootloader
Published: May 24, 2024
Downloadable IOCs: 12

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…
malware
ransomware
qakbot
qbot
quackbot
pinkslipbot
2024-05-16
2024-05-11
black basta
remote-access
vishing
social-engineering
Published: May 16, 2024
Downloadable IOCs: 12

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…
phishing
social engineering
impersonation
cryptocurrency
2024-05-08
scam
fraud
romance
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 3

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…
phishing
social engineering
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
telecom targeting
lookalike domains
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-22024
Downloadable IOCs: 118

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
rat
social engineering
python
developers
python-based rat
dev#popper
Published: April 29, 2024
Downloadable IOCs: 7

FakeBat Malware Distributing via Fake Browser Updates

This report details a recent malware campaign leveraging fake browser update notifications to distribute the FakeBat loader. The campaign employs sophisticated social engineering techniques, with malicious JavaScript code injected into compromised websites to trigger deceptive update prompts. These…
phishing
social engineering
fakebat
browser exploits
malicious scripts
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports