Tag: social engineering

178 Attack Reports | 0 Vulnerabilities

Attack reports

Rogue ScreenConnect: Common Social Engineering Tactics Seen in 2025

In 2025, there was a significant increase in rogue ScreenConnect installations, part of a broader trend of threat actors abusing remote monitoring and management tools (RMMs). These tools were used to gain access, blend in, move laterally, and maintain persistence in target systems. Attackers emplo…
screenconnect
social engineering
remote access
rmm abuse
2025-12-31
lures
Published: December 31, 2025
Downloadable IOCs: 14

Webrat, disguised as exploits, is spreading via GitHub repositories

A new malware campaign targeting security professionals and students has been uncovered. The threat actor behind Webrat is now disguising the backdoor as exploits and proof-of-concept code for high-profile vulnerabilities, distributing it through GitHub repositories. The malware, which previously s…
malware
backdoor
exploit
vulnerability
trojan
information-stealing
social-engineering
cybersecurity
github
webrat
CVE-2025-59230
CVE-2025-59295
CVE-2025-10294
2025-12-23
Published: December 23, 2025
Linked vulnerabilities : CVE-2025-59230 (CVSS 7.8), CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), CVE-2025-11833 (CVSS 9.8), CVE-2025-11499 (CVSS 9.8), CVE-2025-12595 (CVSS 7.4), CVE-2025-12596 (CVSS 7.4), CVE-2025-55234, CVE-2025-54106, CVE-2025-54897
Downloadable IOCs: 5

A Series of Unfortunate (RMM) Events

Series of Unfortunate Events Summary: This analysis examines the increasing trend of threat actors abusing Remote Monitoring and Management (RMM) tools in their attacks. The report highlights a specific pattern where attackers use PDQ or GoTo Resolve to deploy secondary RMM tools like ScreenConnect…
screenconnect
phishing
social engineering
persistence
simplehelp
2025-12-19
goto resolve
multiple rmm tools
pdq
rmm abuse
Published: December 19, 2025
Downloadable IOCs: 0

A new campaign by the ForumTroll APT group

The ForumTroll APT group has launched a new targeted phishing campaign against Russian political scientists, exploiting plagiarism reports as bait. The attackers used sophisticated techniques, including a well-prepared domain and personalized emails, to deliver the Tuoni framework malware. This cam…
apt
social engineering
powershell
com hijacking
dante
russian targets
leetagent
tuoni
2025-12-17
plagiarism bait
targeted phishing
tuoni framework
Published: December 17, 2025
Downloadable IOCs: 1

RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft

A sophisticated mobile fraud operation has been uncovered, distributing a malicious 'RTO Challan / e-Challan' Android application via WhatsApp. The APK uses advanced obfuscation and hidden installation techniques to establish persistent control over victims' devices. It creates a custom VPN tunnel …
social engineering
android
whatsapp
financial fraud
apk
identity theft
otp interception
2025-12-12
e-challan
rto challan / e-challan
vpn abuse
Published: December 12, 2025
Downloadable IOCs: 2

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy A…
social engineering
stealer
persistence
macos
credential harvesting
chatgpt
amos
atomic macos stealer
seo manipulation
2025-12-10
ai-poisoning
grok
Published: December 10, 2025
Downloadable IOCs: 8

Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

A malicious email campaign exploits workforce anxieties by disguising itself as internal HR announcements about layoffs. The emails contain a RAR archive with a double-extension executable masquerading as a PDF document. Upon execution, the file deploys Remcos RAT, a remote access tool, which estab…
phishing
social engineering
remcos rat
remote access tool
2025-12-09
hr lure
layoff-themed
Published: December 9, 2025
Downloadable IOCs: 3

How Lazarus's IT Workers Scheme Was Caught Live on Camera

This report details an investigation into a North Korean infiltration operation by the Lazarus Group's Famous Chollima division. The operation aims to deploy remote IT workers in American financial and crypto/Web3 companies for corporate espionage and funding. Researchers posed as potential recruit…
social engineering
north korea
cryptocurrency
identity theft
2025-12-09
corporate espionage
it worker infiltration
sandbox analysis
Published: December 9, 2025
Downloadable IOCs: 12

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…
phishing
social engineering
infostealer
credential theft
reconnaissance
microsoft teams
2025-12-03
quick assist
Published: December 3, 2025
Downloadable IOCs: 0

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, i…
social engineering
data theft
valleyrat
dll side-loading
remote access trojan
job seekers
2025-12-03
foxit pdf reader
Published: December 3, 2025
Downloadable IOCs: 25

Over 2,000 Holiday-Themed Fake Stores Detected Exploiting Black Friday and Festive Sales

Two clusters of holiday-themed fake online stores have been identified ahead of Black Friday and other festive sales. The first cluster includes over 750 interconnected sites using uniform holiday banners and misleading trust indicators, many impersonating Amazon. The second cluster spans a .shop e…
phishing
social engineering
typosquatting
financial data theft
2025-11-27
fake online stores
holiday shopping fraud
black friday scams
e-commerce impersonation
Published: November 27, 2025
Downloadable IOCs: 71

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

This analysis details a sophisticated DPRK-linked operation called Contagious Interview, which uses a fake job platform to target U.S. AI talent. The campaign mimics legitimate recruitment processes, offering job listings from well-known tech companies to lure victims. The platform, hosted at lenvn…
social engineering
cryptocurrency
clickfix
contagious interview
malware delivery
clipboard hijacking
2025-11-26
ai talent
fake job platform
Published: November 26, 2025
Downloadable IOCs: 2

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…
phishing
social engineering
powershell
lumma stealer
netsupport rat
lnk files
russian targets
2025-11-26
infrastructure reuse
finger protocol
Published: November 26, 2025
Downloadable IOCs: 38

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync…
ios
social engineering
macos
cybersecurity
CVE-2025-27915
push notifications
2025-11-26
balada injector
calendar subscriptions
expired domains
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-27915 (CVSS 5.4)
Downloadable IOCs: 7

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

The TamperedChef campaign is a global malvertising and SEO operation that distributes seemingly legitimate software with valid code signing to trick users into executing malicious installers. These fake applications mimic common software and establish persistence through scheduled tasks, delivering…
social engineering
malvertising
persistence
javascript
remote access
scheduled tasks
seo
code-signing
javascript payload
2025-11-20
shell companies
2025-11-26
code-signing certificates
signed applications
Published: November 26, 2025
Downloadable IOCs: 132

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript fi…
social engineering
macos
credential theft
multi-stage attack
flexibleferret
2025-11-26
golang backdoor
fake job scams
Published: November 26, 2025
Downloadable IOCs: 21

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a stand…
social engineering
lummac2
rhadamanthys
infostealer
steganography
clickfix
multi-stage
2025-11-24
windows update
Published: November 24, 2025
Downloadable IOCs: 12

New Banking Trojan Identified, Distributed Through WhatsApp

A new banking Trojan dubbed Eternidade Stealer has been identified, distributed through WhatsApp hijacking and social engineering. The malware, written in Delphi, uses IMAP to retrieve C2 addresses dynamically. It's spread via a WhatsApp worm campaign using a Python script. The attack chain involve…
social engineering
whatsapp
credential theft
banking trojan
brazil
delphi
2025-11-20
eternidade stealer
imap
Published: November 20, 2025
Linked vulnerabilities : CVE-2025-59287 (CVSS 9.8)
Downloadable IOCs: 23

GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

A sophisticated Android dropper impersonating the Google Play Store was discovered, distributing an app called 'GPT Trade'. This malicious application, disguised as an AI trading assistant, actually deploys two dangerous payloads: BTMob spyware and UASecurity Miner. The dropper creates directories,…
social engineering
android
dropper
spyware
modular malware
btmob
2025-11-19
apk packer
uasecurity miner
fake app store
cryptocurrency miner
gpt trade
Published: November 19, 2025
Downloadable IOCs: 10

How AI Is Fueling a New Wave of Black Friday Scams

AI tools are enabling cybercriminals to create sophisticated Black Friday scams, including realistic phishing emails, cloned websites, and fake social media ads. Common tactics involve impersonating trusted brands like Amazon and Temu, offering unrealistic discounts on luxury goods, and exploiting …
phishing
social engineering
ai
cybersecurity
scams
e-commerce
black friday
2025-11-15
luxury goods
Published: November 15, 2025
Downloadable IOCs: 15

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…
rat
social engineering
north korea
infostealer
cryptocurrency
beavertail
web3
invisibleferret
ottercookie
trojanized code
2025-11-14
json storage
tsunami payload
Published: November 14, 2025
Downloadable IOCs: 84

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organization…
phishing
social engineering
cryptocurrency
scams
domain spoofing
2025-11-14
fake charities
hurricane
disaster relief
Published: November 14, 2025
Downloadable IOCs: 16

State-Sponsored Remote Wipe Tactics Targeting Android Devices

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They co…
apt
rat
social engineering
android
remcosrat
quasarrat
spear-phishing
2025-11-10
rftrat
find hub
remote wipe
lilithrat
kakaotalk
endrat
google account
Published: November 10, 2025
Downloadable IOCs: 10

From primitive crypto theft to sophisticated AI-based deception

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group…
malware
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
identity theft
invisibleferret
ottercookie
job scams
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea
2025-11-09
it worker fraud
ai-based deception
Published: November 9, 2025
Downloadable IOCs: 1

Watch out for SVG files booby-trapped with malware

A recent malware campaign in Latin America demonstrates cybercriminals' evolving tactics. The attacks use social engineering, sending emails that appear to be from trusted institutions with urgent warnings about legal issues. The campaign's goal is to install AsyncRAT, a remote access trojan that a…
social engineering
asyncrat
dll sideloading
latin america
svg
colombia
2025-11-09
ai-generated templates
judicial system impersonation
Published: November 9, 2025
Downloadable IOCs: 0

Gotta fly: Targeting the UAV sector

ESET researchers have uncovered a new instance of Operation DreamJob, a cyberespionage campaign attributed to the North Korea-aligned Lazarus group. The attackers targeted European companies in the defense industry, particularly those involved in unmanned aerial vehicle (UAV) technology. The campai…
social engineering
north korea
cyberespionage
defense industry
trojanized software
scoringmathtea
quanpinloader
operation dreamjob
2025-11-09
uav
binmergeloader
Published: November 9, 2025
Downloadable IOCs: 0

Booking.com Phishing Campaign Targeting Hotels and Customers

A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduc…
phishing
social engineering
cybercrime
clickfix
hospitality
booking.com
purerat
2025-11-07
Published: November 7, 2025
Downloadable IOCs: 100

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate pro…
social engineering
ransomware
encryption
conti
byovd
dragonforce
affiliate program
mamona
devman
2025-11-05
scattered spider
global
cartel
Published: November 5, 2025
Downloadable IOCs: 0

Remote access, real cargo: cybercriminals targeting trucking and logistics

Cybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use their access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) …
screenconnect
phishing
social engineering
supply chain
lumma stealer
cybercrime
danabot
netsupport
stealc
simplehelp
fleetdeck
n-able
pdq connect
logistics
2025-11-03
cargo theft
logmein resolve
trucking
remote monitoring tools
Published: November 3, 2025
Downloadable IOCs: 39

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

A group of financially motivated threat actors from Vietnam, tracked as UNC6229, is targeting individuals in the digital advertising and marketing sectors through fake job postings. They use social engineering tactics to deliver malware and phishing kits, aiming to compromise high-value corporate a…
social engineering
credential theft
remote access trojans
2025-10-23
fake job postings
digital advertising
Published: October 23, 2025
Downloadable IOCs: 0

SecuritySnack: 18+E-Crime

A financially motivated cybercrime operation has been identified, targeting users with over 80 spoofed domain names and lure websites. The campaign, which began in September 2024, focuses on government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. Th…
social engineering
credential theft
spoofed domains
android malware
trojans
lure websites
2025-10-06
windows malware
Published: October 6, 2025
Downloadable IOCs: 140

Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations

This analysis focuses on UNC6040, a financially motivated threat group specializing in voice phishing campaigns targeting Salesforce instances. The group employs social engineering tactics to trick employees into granting access or sharing credentials, facilitating large-scale data theft and extort…
social engineering
voice phishing
data exfiltration
multi-factor authentication
detection
salesforce
2025-10-01
access control
logging
identity verification
data loader
connected apps
Published: October 1, 2025
Linked vulnerabilities : CVE-2025-53690
Downloadable IOCs: 2

Datzbro: RAT Hiding Behind Senior Travel Scams

A new Android Trojan named Datzbro has been discovered targeting seniors through fake Facebook groups promoting travel and social activities. The malware, which combines spyware and banking Trojan capabilities, is distributed via malicious APKs disguised as community apps. Datzbro features remote a…
social engineering
spyware
remote access
zombinder
banking malware
android trojan
2025-09-30
facebook groups
datzbro
senior scams
Published: September 30, 2025
Downloadable IOCs: 0

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techni…
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
invisibleferret
ottercookie
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea
Published: September 25, 2025
Downloadable IOCs: 33

Updates Arsenal with BAITSWITCH and SIMPLEFIX

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware fa…
backdoor
apt
social engineering
powershell
russia
clickfix
2025-09-24
baitswitch
simplefix
Published: September 24, 2025
Downloadable IOCs: 0

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…
obfuscation
phishing
social engineering
infostealer
steganography
stealc
filefix
2025-09-16
multistage payload
Published: September 16, 2025
Downloadable IOCs: 17

Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion

Two cyber criminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 uses social engineering, particularly voice phishing, to gain access to Salesforce accounts. They trick employees into granting access or sharing credentials, then…
social engineering
data theft
extortion
vishing
oauth
salesforce
2025-09-15
api exfiltration
shinyhunters
Published: September 15, 2025
Downloadable IOCs: 59

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables eas…
social engineering
foggyweb
data exfiltration
open-source
post-exploitation
c2 framework
tunneling
adaptixc2
2025-09-10
ai-generated scripts
adversarial emulation
Published: September 10, 2025
Downloadable IOCs: 0

An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps

This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade d…
social engineering
stealer
persistence
macos
data exfiltration
amos
atomic macos stealer
2025-09-04
cracked apps
gatekeeper bypass
Published: September 4, 2025
Downloadable IOCs: 0

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverag…
social engineering
north korea
cryptocurrency
cyber espionage
lazarus
clickfix
2025-09-04
job seeker targeting
infrastructure monitoring
contagiousdrop
Published: September 4, 2025
Downloadable IOCs: 0

Ethereum smart contracts used to push malicious code on npm

A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub reposi…
social engineering
cryptocurrency
npm
supply chain attack
ethereum
2025-09-04
smart contracts
colortoolsv2
mimelib2
Published: September 4, 2025
Downloadable IOCs: 0

Three Lazarus RATs coming for your cheese

This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is …
rat
social engineering
cryptocurrency
zero-day
poolrat
pondrat
financial
2025-09-02
remotepe
themeforestrat
2025-09-03
Published: September 3, 2025
Downloadable IOCs: 0

Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundre…
social engineering
vishing
cloud security
data exfiltration
tor
oauth
2025-09-03
salesforce
saas security
Published: September 3, 2025
Downloadable IOCs: 19

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…
phishing
social engineering
windows
macos
node.js
clickfix
beavertail
invisibleferret
2025-09-01
apt-q-1
Published: September 1, 2025
Downloadable IOCs: 18

AI Waifu RAT: A Ring3 malware-like RAT based on LLM manipulation is circulating in the wild

A niche LLM role-playing community is being targeted by a sophisticated social engineering attack disguised as an AI character enhancement tool. The 'AI Waifu RAT' is a Remote Access Trojan marketed as a feature allowing AI characters to interact with users' computers. The RAT, distributed under th…
backdoor
rat
social engineering
ai
llm
code execution
threat actor
ctf
2025-09-01
ai waifu rat
Published: September 1, 2025
Downloadable IOCs: 7

From a Fake AnyDesk Installer to MetaStealer

A recent attack mimicking ClickFix tactics used a fake AnyDesk installer to deploy MetaStealer. The infection chain involved a fake Cloudflare Turnstile lure, Windows search protocol, and an MSI package disguised as a PDF. Unlike traditional ClickFix attacks, this variant redirected users to Window…
social engineering
anydesk
metastealer
clickfix
cloudflare turnstile
filefix
2025-08-30
windows file explorer
Published: August 30, 2025
Downloadable IOCs: 0

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-sta…
espionage
social engineering
in-memory execution
2025-08-26
prc-nexus
canonstager
sogu.sec
digital signatures
staticplugin
captive portal
Published: August 26, 2025
Downloadable IOCs: 9

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…
social engineering
ransomware
powershell
cobalt strike
clickfix
systembc
double extortion
trycloudflare
remote access trojan
compromised websites
interlock rat
2025-08-15
nodesnake rat
Published: August 15, 2025
Downloadable IOCs: 24

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…
phishing
social engineering
ransomware
encryption
bitcoin
keylogger
data exfiltration
2025-08-15
sap ariba
leeme ransomware
Published: August 15, 2025
Downloadable IOCs: 0

When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

EncryptHub, an emerging threat group, has launched a campaign combining social engineering with exploitation of CVE-2025-26633 to deliver malicious payloads. The attackers impersonate IT support staff, use remote desktop sessions, and execute PowerShell commands to deploy malware. The campaign abus…
social engineering
powershell
golang
fickle stealer
CVE-2025-26633
socks5 proxy
2025-08-14
silentcrystal
rivatalk
brave support
Published: August 14, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 16

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …
obfuscation
rat
phishing
social engineering
powershell
lateral movement
c2 communication
2025-08-11
israeli targets
powershell rat
Published: August 11, 2025
Downloadable IOCs: 0

The Homograph Illusion: Not Everything Is As It Seems

Homograph attacks involve using non-Latin characters that visually resemble Latin characters to create words that appear legitimate but are actually different. This technique allows attackers to evade detection and analysis, crafting malicious emails that can lead to credential theft or malware inf…
phishing
social engineering
brand impersonation
email security
2025-08-08
character substitution
homograph attack
unicode
Published: August 8, 2025
Downloadable IOCs: 8

Email-Delivered RMM: Abusing PDFs for Silent Initial Access

A targeted campaign has been observed since November 2024, primarily affecting organizations in France and Luxembourg. The attackers use socially engineered emails to deliver PDF documents containing embedded links to Remote Monitoring and Management (RMM) tool installers. This method bypasses many…
phishing
social engineering
rmm
pdf
initial access
france
2025-08-07
luxembourg
Published: August 7, 2025
Downloadable IOCs: 51

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…
phishing
social engineering
impersonation
ransomware
quasar rat
drive-by download
clickfix
activex
2025-07-25
hta files
epsilon red
Published: July 25, 2025
Downloadable IOCs: 5

Illusory Wishes: China-nexus APT Targets the Tibetan Community

Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and Phant…
social engineering
dll sideloading
phantomnet
multi-stage attack
2025-07-23
ghost rat
web compromise
tibetan community
Published: July 23, 2025
Downloadable IOCs: 26

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They requ…
social engineering
supply chain
business email compromise
2025-07-23
rfq scam
electronics theft
net financing fraud
Published: July 23, 2025
Downloadable IOCs: 94

Back to Business: Lumma Stealer Returns with Stealthier Methods

Lumma Stealer, an information-stealing malware, has resurfaced shortly after its takedown in May 2025. The cybercriminals behind it are now employing more covert tactics and expanding their reach. The malware is being distributed through discreet channels and uses stealthier evasion techniques. Lum…
social engineering
lumma stealer
malware-as-a-service
infrastructure
information stealer
evasion tactics
cracked software
2025-07-23
github abuse
Published: July 23, 2025
Downloadable IOCs: 52

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…
malware
social engineering
impersonation
windows
cryptocurrency
macos
fake companies
atomic stealer
information stealer
realst
2025-07-16
Published: July 16, 2025
Downloadable IOCs: 1

UNG0002 (Unknown Group 0002): Espionage Campaigns Uncovered

UNG0002, an espionage-focused threat group, has been conducting campaigns across Asian jurisdictions including China, Hong Kong, and Pakistan. The group employs sophisticated multi-stage attacks using LNK files, VBScript, and custom RAT implants. Their operations span two major campaigns: Operation…
social engineering
dll sideloading
clickfix
custom malware
2025-07-16
rat implants
blister dll implant
inet rat
multi-stage attacks
shadow rat
Published: July 16, 2025
Downloadable IOCs: 16

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…
rat
social engineering
typosquatting
powershell
infostealer
lumma stealer
latrodectus
autoit
clickfix
netsupport rat
clipboard hijacking
2025-07-10
Published: July 10, 2025
Downloadable IOCs: 65

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extensi…
social engineering
powershell
clickfix
quasarrat
spear-phishing
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 40

Getting a career in cybersecurity isn't easy, but this can help

The article provides insights into starting a career in cybersecurity, emphasizing that the path is not always straightforward. It highlights the importance of having a good attitude, being easy to work with, continuous learning, persistence, joining security communities, and making the most of cur…
phishing
social engineering
2025-06-27
covenant
beardshell
mentorship
cybersecurity career
llm exploitation
ai jailbreaking
Published: June 27, 2025
Downloadable IOCs: 5

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…
phishing
social engineering
cryptocurrency
asyncrat
discord
multi-stage attack
wallet injection
chromekatz
skuld stealer
2025-06-20
invite hijacking
Published: June 20, 2025
Downloadable IOCs: 0

TxTag Takedown: Busting Phishing Email Schemes

A new phishing campaign has been observed leveraging a .gov domain to deceive employees into believing they owe unpaid tolls. The scheme uses urgency and fear tactics, threatening penalties or vehicle registration holds if the balance is not paid immediately. The attackers utilize the GovDelivery s…
phishing
social engineering
credit card fraud
email security
txtag
2025-06-20
toll scam
.gov domain
govdelivery
Published: June 20, 2025
Downloadable IOCs: 1

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disgu…
phishing
social engineering
remote access
2025-06-20
logmein
vercel
platform abuse
Published: June 20, 2025
Downloadable IOCs: 5

Steam Phishing: Popular as Ever

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' c…
phishing
social engineering
credential theft
fraud
cybersecurity
gaming
steam
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 31

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious acti…
apt
phishing
dropbox
anydesk
remote-access
social-engineering
ole
hwp
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 3

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

Cybercriminals are exploiting GitHub's reputation to distribute malware, particularly targeting gamers and children. They create repositories offering game hacks, cracked software, and crypto tools, which actually contain Lumma Stealer variants. The attack chain begins with users searching for thes…
social engineering
malware distribution
lumma stealer
cybersecurity
github
2025-06-18
cracked software
game hacks
crypto tools
Published: June 18, 2025
Downloadable IOCs: 4

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…
social engineering
infostealer
lumma
clickfix
multi-stage attack
remote access trojan
ghostpulse
arechclient2
eddiestealer
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 47

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_e…
backdoor
phishing
social engineering
aws
evasion techniques
more_eggs
2025-06-11
cloud infrastructure
resume lures
skeleton spider
Published: June 11, 2025
Downloadable IOCs: 24

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses c…
social engineering
netsupport rat
captcha
2025-06-05
clipboard poisoning
gitcodes
Published: June 5, 2025
Downloadable IOCs: 72

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake …
phishing
social engineering
credential theft
email spoofing
2025-06-04
google apps script
invoice scam
microsoft login
Published: June 4, 2025
Downloadable IOCs: 2

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

A sophisticated campaign using typo-squatted 'Spectrum' domains has been uncovered, spreading a new Atomic macOS Stealer (AMOS) variant. The attack, disguised as a CAPTCHA verification, employs dynamic payloads based on the victim's operating system. For macOS users, a malicious shell script steals…
social engineering
typosquatting
credential theft
clickfix
poseidon
amos
2025-06-04
dynamic payload
spectrum
multi-platform attack
macos stealer
Published: June 4, 2025
Downloadable IOCs: 4

Crocodilus Mobile Malware: Evolving Fast, Going Global

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce a…
social engineering
android
malvertising
cryptocurrency
banking trojan
2025-06-03
crocodilus
Published: June 3, 2025
Downloadable IOCs: 4

Victims risk AsyncRAT infection after being redirected to fake Booking.com sites

Cybercriminals have launched a campaign redirecting users from gaming sites and social media to fake Booking.com websites. The scam uses fake CAPTCHA prompts to trick visitors into executing malicious commands on their devices. If successful, the attack downloads and installs AsyncRAT, a backdoor T…
social engineering
asyncrat
clipboard hijacking
2025-06-03
travel booking
captcha scam
Published: June 3, 2025
Downloadable IOCs: 14

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …
rat
social engineering
powershell
infostealer
lumma
netsupport rat
sectoprat
captcha
clipboard injection
2025-05-22
Published: May 22, 2025
Downloadable IOCs: 10

Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

The Trustwave SpiderLabs Email Security team has identified a significant increase in SVG image-based attacks, where seemingly harmless graphics are used to conceal dangerous links. Cybercriminals are exploiting the ability of SVG files to embed JavaScript, which can execute automatically upon open…
obfuscation
phishing
social engineering
phaas
javascript
cybersecurity
email security
svg
2025-05-16
ursnif
tycoon2fa
Published: May 16, 2025
Downloadable IOCs: 4

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in …
phishing
social engineering
cryptocurrency
telegram
identity theft
job seekers
2025-05-12
recruitment scams
advance fee fraud
Published: May 12, 2025
Downloadable IOCs: 0

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data…
espionage
phishing
social engineering
javascript
2025-05-07
data collection
Published: May 7, 2025
Downloadable IOCs: 3

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted…
obfuscation
social engineering
cross-platform
spoofing
clickfix
mshta
2025-05-06
ministry of defence
clipboard-based execution
Published: May 6, 2025
Downloadable IOCs: 7

Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

This report analyzes common techniques, tactics, and procedures (TTPs) used by several investment scam actors who lure victims with fake platforms, including crypto exchanges. Key TTPs include registering large numbers of domains algorithmically, embedding similar web forms to collect user data, hi…
social engineering
cryptocurrency
facebook ads
cloaking
2025-04-29
rdga
dns abuse
web forms
tds
investment scams
2025-05-06
dns exploitation
registered domain generation algorithms
Published: May 6, 2025
Downloadable IOCs: 87

Lampion Is Back With ClickFix Lures

A highly focused malicious campaign targeting Portuguese organizations, particularly in government, finance, and transportation sectors, has been uncovered. The campaign is linked to Lampion malware, an infostealer focusing on banking information. The threat actors have incorporated ClickFix lures,…
obfuscation
social engineering
powershell
infostealer
vbscript
clickfix
2025-05-06
lampion
Published: May 6, 2025
Downloadable IOCs: 10

Fake Social Security Statement emails trick users into installing remote tool

A phishing campaign is targeting users with fake emails purportedly from the US Social Security Administration. These emails aim to trick recipients into installing ScreenConnect, a legitimate remote access tool that can be misused by cybercriminals. The campaign, attributed to a group called Molat…
screenconnect
phishing
social engineering
financial fraud
remote access tool
2025-05-01
social security administration
Published: May 1, 2025
Downloadable IOCs: 0

Security Brief: French BEC Threat Actor Targets Property Payments

A new financially motivated business email compromise (BEC) threat actor, TA2900, has been identified targeting individuals in France and occasionally Canada. The actor sends French language emails using rental payment themes, claiming that rental installments have not been received and instructing…
social engineering
financial fraud
email compromise
bec
2025-04-29
france
iban
rental payments
property management
Published: April 29, 2025
Downloadable IOCs: 3

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…
phishing
social engineering
credential theft
remote access
connectwise rat
2025-04-08
office365
file-sharing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

Smishing Attacks Rise: How to Spot and Stop SMS Phishing

SMS-based phishing attacks, known as smishing, are on the rise, targeting businesses with sophisticated social engineering tactics. These attacks often begin with urgent text messages containing disguised links, redirecting victims to fake login pages. Attackers exploit human emotions and create a …
social engineering
credential harvesting
smishing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

The Return of Pharmacy-Themed Spam

Pharmaceutical-themed spam campaigns continue to target individuals and organizations, particularly in the healthcare and pharmaceutical sectors. Recent observations reveal a bulk spam campaign using spoofed identities and compromised infrastructure to send deceptive emails. The attackers employ ta…
phishing
spam
social-engineering
domain-spoofing
2025-04-26
pharmacy
compromised-servers
email-security
fraudulent-websites
dkim
Published: April 26, 2025
Downloadable IOCs: 0

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aimin…
social engineering
cryptocurrency
beavertail
frostyferret
2025-04-24
blocknovas
invisible ferret
anonymization networks
Published: April 24, 2025
Downloadable IOCs: 45

Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands

A scam campaign dubbed 'Power Parasites' is targeting individuals in Asian countries through deceptive websites, social media groups, and Telegram channels. The campaign exploits the names and branding of global energy companies and other major brands to conduct job and investment scams. Victims ar…
phishing
social engineering
telegram
social media
investment fraud
brand impersonation
2025-04-24
job scam
Published: April 24, 2025
Downloadable IOCs: 0

The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques su…
phishing
social engineering
malvertising
njrat
identity theft
government impersonation
qr code scams
2025-04-18
financial scams
fake subsidies
Published: April 18, 2025
Downloadable IOCs: 0

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…
phishing
social engineering
credential theft
information stealer
sectoprat
2025-04-15
pdf converter
arechclient2
Published: April 15, 2025
Downloadable IOCs: 0

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…
social engineering
north korea
python
infostealer
cryptocurrency
2025-04-14
rn stealer
rn loader
dpkr
slow pisces
yaml deserialization
Published: April 14, 2025
Downloadable IOCs: 41

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Bo…
xworm
phishing
social engineering
lumma stealer
asyncrat
danabot
venomrat
clickfix
netsupport rat
booking.com
2025-03-13
credential-stealing
2025-04-13
Published: April 13, 2025
Downloadable IOCs: 0

Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits

A stealthy malware campaign dubbed OBSCURE#BAT has been discovered, utilizing social engineering and deceptive file downloads to trick users into executing obfuscated code. The infection chain deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and …
social engineering
api hooking
quasarrat
r77 rootkit
2025-04-13
user-mode rootkit
Published: April 13, 2025
Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…
phishing
social engineering
malware distribution
credential theft
infostealers
email attachments
2025-04-10
downloaders
html scripts
document exploits
compressed files
Published: April 10, 2025
Downloadable IOCs: 0

Scattered Spider: Still Hunting for Victims in 2025

Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push research…
phishing
social engineering
hubspot
2025-04-09
domain impersonation
klaviyo
spectre rat
Published: April 9, 2025
Downloadable IOCs: 57

The Wagmi Manual: Copy, Paste, and Profit

The Wagmi traffer group, operating since early 2023, specializes in NFT scams and cryptocurrency theft. They utilize sophisticated social engineering tactics, fake web3-themed games, and impersonation of legitimate projects to lure victims. Their operations have allegedly earned over $2.4 million b…
social engineering
lummac2
rhadamanthys
hijackloader
cryptocurrency theft
2025-04-08
nft scams
Published: April 8, 2025
Downloadable IOCs: 96

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they a…
social engineering
powershell
javascript
google ads
gootloader
scheduled tasks
2025-04-03
email phishing
wordpress blogs
legal templates
Published: April 3, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target cre…
phishing
social engineering
credential harvesting
business email compromise
qr code
2025-04-01
url redirection
human verification
quishing
Published: April 1, 2025
Downloadable IOCs: 57

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting user…
obfuscation
social engineering
powershell
qbot
banking trojan
evasion techniques
2025-04-01
clickfix captcha
php dropper
quakbot
Published: April 1, 2025
Downloadable IOCs: 0

Snow White — Beware the Bad Apple in the Torrent

A new malware campaign is targeting users attempting to download the Snow White movie through torrent sites. The attackers exploit a compromised blog to distribute a malicious torrent package disguised as a pirated version of the film. The package contains a fake codec installer that, when executed…
social engineering
tor network
dark web
2025-03-27
iocs
torrent
movie piracy
codec installer
CVE-2023-40680
malware dropper
Published: March 27, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats

Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learnin…
phishing
social engineering
ai
cybersecurity
machine learning
2025-03-21
real-time anti-phishing
employee awareness
Published: March 21, 2025
Downloadable IOCs: 11

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…
phishing
social engineering
powershell
asyncrat
clickfix
captcha
2025-03-21
command line
fake fixes
Published: March 21, 2025
Downloadable IOCs: 4

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …
phishing
social engineering
cryptocurrency
scams
e-commerce fraud
2025-03-14
charitable fraud
wallet draining
fake giveaways
ramadan
Published: March 14, 2025
Downloadable IOCs: 28

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticate…
phishing
social engineering
impersonation
cyber espionage
2025-03-12
fake job offers
recruitment scam
Published: March 12, 2025
Downloadable IOCs: 6

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…
phishing
social engineering
remote access trojan
2025-03-11
cryptocurrency scam
password theft
binance impersonation
connectwise rat
Published: March 11, 2025
Downloadable IOCs: 1

AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools.…
social engineering
lumma stealer
information theft
github
ai-generated content
2025-03-11
obfuscated scripts
smartloader
Published: March 11, 2025
Downloadable IOCs: 14

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …
rat
phishing
social engineering
rhadamanthys
cryptocurrency theft
amos
2025-03-06
job recruitment
atomic macos stealer (amos)
grasscall
Published: March 6, 2025
Downloadable IOCs: 14

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data …
backdoor
social engineering
typosquatting
powershell
stealer
dll sideloading
farfli
deepseek
2025-03-06
Published: March 6, 2025
Downloadable IOCs: 9

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campa…
obfuscation
social engineering
malvertising
powershell
clickfix
fake captcha
lummastealer
2025-03-04
emotet
info-stealer
binary padding
booking websites
indirect control flow
Published: March 4, 2025
Downloadable IOCs: 12

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Russian campaign targeting Romanian WhatsApp numbers

A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code,…
phishing
social engineering
whatsapp
russia
account takeover
2025-02-28
romania
Published: February 28, 2025
Downloadable IOCs: 0

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…
apt
phishing
social engineering
north korea
cryptocurrency
2025-02-26
bybit
Published: February 26, 2025
Downloadable IOCs: 0

Android trojan TgToxic updates its capabilities

TgToxic, an Android banking trojan, has undergone significant updates to enhance its capabilities and evade detection. Initially targeting Southeast Asia, the malware has expanded its reach to include European and Latin American banks. The latest version incorporates improved emulator detection tec…
social engineering
android
banking trojan
tgtoxic
2025-02-26
tiramisudropper
Published: February 26, 2025
Downloadable IOCs: 0

Phishing Campaigns Targeting Higher Education Institutions

Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Goog…
phishing
social engineering
universities
business email compromise
2025-02-24
google forms
higher education
payment redirection
Published: February 24, 2025
Downloadable IOCs: 4

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…
phishing
social engineering
credential theft
email spoofing
2025-02-18
payment fraud
fake login page
amazon prime
Published: February 18, 2025
Downloadable IOCs: 3

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…
phishing
social engineering
cryptocurrency
financial fraud
social media
e-commerce
brand impersonation
oauth
2025-02-15
valentine's day
Published: February 15, 2025
Downloadable IOCs: 0

Inside a Malware Campaign: A Nigerian Hacker's Perspective

This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hos…
phishing
social engineering
redline
redline stealer
chatgpt
2025-02-14
nigerian hacker
google dorking
gammadyne mailer
email harvesting
xlogger
Published: February 14, 2025
Downloadable IOCs: 2

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…
phishing
social engineering
russia
microsoft 365
spear-phishing
oauth
2025-02-14
device code authentication
Published: February 14, 2025
Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …
phishing
social engineering
lumma stealer
credential theft
vidar stealer
clickfix
captcha
deepseek
2025-02-11
Published: February 11, 2025
Downloadable IOCs: 7

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…
phishing
social engineering
credential theft
email spoofing
sharepoint
2025-02-06
power bi
microsoft impersonation
Published: February 6, 2025
Downloadable IOCs: 0

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments
Published: February 5, 2025
Downloadable IOCs: 0

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…
malware
phishing
social engineering
ransomware
spyware
domain spoofing
2025-02-03
cyber threat
trojans
declassified files
historical documents
jfk files
Published: February 3, 2025
Downloadable IOCs: 4

Two ransomware campaigns tracked using 'email bombing' and Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, targeting organizations using Microsoft Office 365. Both employ similar tactics: email bombing to create urgency, followed by social engineering via Microsoft Teams calls posing as tech support. The attackers use remote access to…
social engineering
ransomware
black basta
vishing
email bombing
2025-01-22
Published: January 22, 2025
Downloadable IOCs: 17

Threat Research Report: Malicious Domain Activity During the Los Angeles Wildfires

During the 2025 Los Angeles wildfires, cybercriminals exploited the disaster through various phishing campaigns. Analysis of 119 domains registered between January 8-13, 2025, revealed themes targeting emergency assistance, legal services, and reconstruction efforts. GoDaddy was the most used regis…
phishing
social engineering
2025-01-17
natural disaster exploitation
los angeles wildfires
Published: January 17, 2025
Downloadable IOCs: 119

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

Recruitment Phishing Scam Imitates Hiring Process

A sophisticated phishing campaign has been discovered that exploits recruitment branding to deliver malware. The attack begins with a phishing email impersonating a recruitment process, directing victims to a malicious website. Users are prompted to download a fake application, which serves as a do…
phishing
social engineering
cryptominer
recruitment
2025-01-10
job seekers
Published: January 10, 2025
Downloadable IOCs: 5

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control …
backdoor
apt
social engineering
data theft
c2 communication
2025-01-02
ipmsg
dll64.dll
loader1.dll
att_loader_dll.dll
weaponized installer
Published: January 2, 2025
Downloadable IOCs: 3

Recent Cases of Watering Hole Attacks, Part 1

This analysis focuses on a watering hole attack targeting a Japanese university research laboratory website in 2023. The attack used social engineering to trick users into downloading and executing malware disguised as an Adobe Flash Player update. The malware, identified as a modified Cobalt Strik…
social engineering
cobalt strike
cobalt strike beacon
anti-analysis
cloudflare workers
watering hole
japan
2024-12-20
tips.exe
malware injection
system32.dll
flashupdateinstall.exe
university
Published: December 20, 2024
Linked vulnerabilities : CVE-2022-1388
Downloadable IOCs: 10

Your Data Is Under New Management: The Rise of LummaStealer

LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized busine…
phishing
social engineering
python
lummastealer
2024-12-18
malware-as-a-service (maas)
Published: December 18, 2024
Downloadable IOCs: 0

How Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels

Cybercriminals are targeting YouTube creators through sophisticated phishing campaigns that impersonate trusted brands offering collaboration deals. The malware is disguised as legitimate documents and delivered via password-protected files on platforms like OneDrive. Once downloaded, it steals sen…
phishing
social engineering
youtube
brand impersonation
2024-12-17
content creators
Published: December 17, 2024
Downloadable IOCs: 3

NodeLoader Exposed: The Node.js Malware Evading Detection

Zscaler ThreatLabz discovered a malware campaign using Node.js applications for Windows to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family employs Node.js compiled executables to deliver second-stage payloads like XMRig, Lumma, and Phemedrone Stealer…
social engineering
node.js
lumma stealer
evasion techniques
information stealers
2024-12-13
game streaming
cryptocurrency miners
nodeloader
Published: December 13, 2024
Downloadable IOCs: 0

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …
phishing
social engineering
credential theft
2024-12-11
account takeover
email security
Published: December 11, 2024
Downloadable IOCs: 4

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…
windows
macos
social-engineering
information theft
cross-platform
ai-generated content
web3
2024-12-07
meeten
electron application
crypto-stealer
realst
Published: December 7, 2024
Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…
xworm
phishing
social engineering
powershell
darkgate
lumma stealer
asyncrat
danabot
latrodectus
netsupport
cybersecurity
clickfix
threat actors
brute ratel c4
2024-11-18
malware delivery
lucky volunteer
recaptcha phish
threat landscape
Published: November 18, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network …
phishing
social engineering
identity theft
2024-11-07
Published: November 7, 2024
Downloadable IOCs: 239

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…
social engineering
cryptocurrency
data theft
beavertail
contagious interview
invisibleferret
2024-11-06
wagemole
sanctions evasion
remote work
job fraud
Published: November 6, 2024
Downloadable IOCs: 56

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

LastPass Warns of Hackers Misusing Reviews for Fake Support Numbers

LastPass has alerted users about a social engineering campaign targeting customers through fraudulent 5-star reviews on the Chrome Web Store. Hackers are posting fake reviews for the LastPass Chrome extension, promoting a bogus customer support phone number to steal user data. When users call this …
phishing
social engineering
2024-11-02
lastpass
password management
chrome web store
fake reviews
Published: November 2, 2024
Downloadable IOCs: 0

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

Rat King: How the Android Trojan CraxsRAT Steals User Data

CraxsRAT, an Android trojan, has been targeting Russian and Belarusian users since summer 2024. It masquerades as legitimate apps like government services, antivirus software, and telecom operators. The malware spreads through social engineering tactics, prompting users to download malicious APK fi…
espionage
social engineering
android
data theft
trojan
financial fraud
remote access
craxsrat
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…
phishing
social engineering
credential theft
microsoft
domain abuse
2024-10-30
atlassian
docusign
confluence
Published: October 30, 2024
Downloadable IOCs: 2

Malicious CAPTCHA delivers Lumma and Amadey Trojans

An adware campaign targets online users by presenting them with fake CAPTCHA or update prompts, tricking them into running malicious PowerShell commands that deploy credential-stealing malware like Lumma and Amadey. The attackers leverage ad networks to redirect victims to compromised sites hosting…
malvertising
adware
remcos
amadey
infostealers
social-engineering
lumma
captcha
2024-10-29
Published: October 29, 2024
Downloadable IOCs: 1

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

Tricks and Treats: New Pixel-Level Deception

GHOSTPULSE malware has evolved to embed malicious data within pixel structures of PNG files, replacing its previous IDAT chunk technique. Recent campaigns involve social engineering tactics, tricking victims with CAPTCHA validations that trigger malicious commands through keyboard shortcuts. The ma…
social engineering
lumma stealer
captcha
2024-10-18
ghostpulse
keyboard shortcuts
yara rules
configuration extractor
pixel-level deception
png files
crc32
gdi+
Published: October 18, 2024
Downloadable IOCs: 9

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…
phishing
social engineering
rhadamanthys
infostealer
cryptocurrency
stealc
clickfix
2024-10-18
web3
amos stealer
google meet
Published: October 18, 2024
Downloadable IOCs: 171

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
social engineering
powershell
windows
rhadamanthys
stealer
macos
infostealers
stealc
clickfix
2024-10-18
google meet
atomic
Published: October 18, 2024
Downloadable IOCs: 0

Threat actors use ChatGPT to write malware

OpenAI has disrupted over 20 malicious cyber operations abusing ChatGPT for various purposes, including malware development and spear-phishing attacks. The company confirmed cases involving Chinese and Iranian threat actors. SweetSpecter, a Chinese group, targeted OpenAI employees with phishing ema…
social engineering
sugargh0st rat
reconnaissance
chatgpt
spear-phishing
2024-10-14
threat actors
cyber operations
openai
Published: October 14, 2024
Downloadable IOCs: 1

DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware

DPRK-associated threat actors are targeting tech industry job seekers through fake recruitment campaigns, installing malware on their devices. The campaign, named CL-STA-240 Contagious Interview, uses social engineering to lure victims into online interviews where they are convinced to download mal…
social engineering
cryptocurrency theft
beavertail
2024-10-09
python backdoor
Published: October 9, 2024
Downloadable IOCs: 0

Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users

A large-scale fraud campaign involving fake trading apps targeting Apple iOS and Android users across multiple regions has been uncovered. The apps, developed using the UniApp framework, were distributed through official app stores and phishing sites. Unlike conventional mobile trojans, these apps …
ios
social engineering
android
cross-platform
2024-10-04
pig butchering
uniapp
fraudulent trading apps
unishadowtrade
goldpickaxe
Published: October 4, 2024
Downloadable IOCs: 9

Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

This intelligence report details a sophisticated malware campaign targeting multiple industries across various countries. The threat actor employs advanced tactics, techniques, and procedures (TTPs) to infiltrate networks, maintain persistence, and exfiltrate sensitive data. The malware used in thi…
social engineering
data exfiltration
advanced persistent threat
2024-10-03
custom malware
multi-industry targeting
persistence techniques
network infiltration
Published: October 3, 2024
Downloadable IOCs: 16

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…
phishing
social engineering
impersonation
iran
credential theft
2024-09-30
two-factor authentication
political campaigns
Published: September 30, 2024
Downloadable IOCs: 65

Wallet Scam: A Case Study in Crypto Drainer Tactics

A malicious app on Google Play, posing as WalletConnect, targeted mobile users to steal cryptocurrency. The app evaded detection for five months, achieving over 10,000 downloads. It used advanced social engineering and modern crypto drainer toolkit, stealing approximately $70,000 from victims. The …
social engineering
mobile malware
2024-09-27
crypto drainer
walletconnect
Published: September 27, 2024
Downloadable IOCs: 8

The Emerging Dynamics of Deepfake Scam Campaigns on the Web

Researchers have uncovered dozens of scam campaigns utilizing deepfake videos featuring public figures like CEOs, news anchors, and government officials. These campaigns target victims in multiple countries using various languages. The scams promote fake investment schemes and government giveaways.…
phishing
social engineering
impersonation
fraud
ai
scams
2024-08-29
genai
deepfakes
2024-09-02
investment fraud
infrastructure analysis
Published: September 2, 2024
Downloadable IOCs: 428

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …
phishing
social engineering
iran
credential theft
2024-08-26
election targeting
ycollection
lcollection
dwp
gcollection
Published: August 26, 2024
Downloadable IOCs: 38

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Proofpoint security researchers identified an Iranian threat group known as TA453 targeting a prominent religious figure through a sophisticated social engineering campaign. The threat actors impersonated a legitimate organization and invited the target to participate in a podcast interview. Upon e…
social engineering
iran
2024-08-20
anvilecho
blacksmith
Published: August 20, 2024
Downloadable IOCs: 10

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…
phishing
social engineering
anydesk
remote access
2024-08-09
uk banks
Published: August 9, 2024
Downloadable IOCs: 50

Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

The intelligence report discusses an ongoing malware campaign that targets software developers through social engineering tactics like fake job interviews. The threat actors behind this campaign have upgraded their tools, now supporting multiple operating systems (Windows, Linux, and macOS) and emp…
social engineering
dev#popper
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 14

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
phishing
social engineering
cryptocurrency
financial fraud
cybercrime
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 14

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)

Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…
social engineering
windows
zero-day
CVE-2023-36025
exploitation
CVE-2021-40444
CVE-2024-38112
2024-07-10
internet explorer
malicious files
Published: July 10, 2024
Linked vulnerabilities : CVE-2024-38112 (CVSS 7.5), CVE-2021-40444, CVE-2023-36025
Downloadable IOCs: 7

Exposing FakeBat loader: distribution methods and adversary infrastructure

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social …
loader
social engineering
malvertising
fakebat
2024-07-02
drive-by download
paykloader
eugenloader
eugenfest
payk_34
Published: July 2, 2024
Downloadable IOCs: 237

CapraTube Remix | Android Spyware Targeting Gamers, Weapons Enthusiasts

SentinelLabs has uncovered a new campaign of Android spyware apps associated with the suspected Pakistan state-aligned Transparent Tribe threat group. The malicious apps, disguised as video browsers, gaming sites, and TikTok content, target mobile gamers, weapons enthusiasts, and individuals intere…
social engineering
android
pakistan
spyware
2024-07-01
caprarat
Published: July 1, 2024
Downloadable IOCs: 6

Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework

Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
malware
backdoor
social-engineering
2024-06-19
winos
chinese
seo-poisoning
Published: June 19, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 46

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

Cybercriminals attack banking customers in EU with V3B phishing kit

An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
phishing
cybercrime
fraud
social-engineering
banking
2024-06-10
Published: June 10, 2024
Downloadable IOCs: 44

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
social engineering
powershell
seo poisoning
javascript
2024-05-24
gootloader
Published: May 24, 2024
Downloadable IOCs: 12

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…
malware
ransomware
qakbot
qbot
quackbot
pinkslipbot
2024-05-16
2024-05-11
black basta
remote-access
vishing
social-engineering
Published: May 16, 2024
Downloadable IOCs: 12

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…
phishing
social engineering
impersonation
cryptocurrency
2024-05-08
scam
fraud
romance
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 3

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…
phishing
social engineering
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
telecom targeting
lookalike domains
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-22024
Downloadable IOCs: 118

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
rat
social engineering
python
developers
python-based rat
dev#popper
Published: April 29, 2024
Downloadable IOCs: 7

FakeBat Malware Distributing via Fake Browser Updates

This report details a recent malware campaign leveraging fake browser update notifications to distribute the FakeBat loader. The campaign employs sophisticated social engineering techniques, with malicious JavaScript code injected into compromised websites to trigger deceptive update prompts. These…
phishing
social engineering
fakebat
browser exploits
malicious scripts
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports