Tag: spearphishing

22 Attack Reports | 0 Vulnerabilities

Attack reports

Reborn in Rust: MuddyWater Evolves Tooling with RustyWater Implant

MuddyWater APT group has launched a spearphishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign employs icon spoofing and malicious Word documents to deliver a Rust-based implant dubbed 'RustyWater'. This new too…
spearphishing
implant
rust
2026-01-08
archer rat
icon spoofing
rustywater
Published: January 8, 2026
Downloadable IOCs: 12

Snakes by the riverbank

ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a mor…
backdoor
spearphishing
iran
cyberespionage
custom malware
defense evasion
critical infrastructure
israel
2025-12-02
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
egypt
Published: December 2, 2025
Downloadable IOCs: 9

UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities

Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the ZDI-CAN-25373 Windows vulnerability to deliver PlugX malware through spearphishing emails with malicious LNK files. Th…
spearphishing
plugx
dll side-loading
canonstager
2025-10-31
diplomatic targeting
zdi-can-25373
Published: October 31, 2025
Downloadable IOCs: 26

Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …
spearphishing
android
powershell
ukraine
captcha
ngos
2025-10-22
coldriver
websocket rat
Published: October 22, 2025
Downloadable IOCs: 24

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …
spearphishing
android
powershell
ukraine
captcha
ngos
2025-10-22
coldriver
websocket rat
Published: October 22, 2025
Downloadable IOCs: 0

Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels

Throughout July and August 2025, TA415, a Chinese state-sponsored threat actor, conducted spearphishing campaigns targeting U.S. government, think tank, and academic organizations focused on U.S.-China relations. The group impersonated high-profile individuals and organizations to deliver an infect…
spearphishing
voldemort
lnk files
python loader
2025-09-17
economic espionage
u.s.-china relations
vs code remote tunnels
whirlcoil
github authentication
Published: September 17, 2025
Downloadable IOCs: 0

Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

A zero-day vulnerability in WinRAR, CVE-2025-8088, has been discovered being exploited in the wild by the Russia-aligned group RomCom. The vulnerability allows attackers to hide malicious files in archives, which are silently deployed when extracted. The exploit was used in spearphishing campaigns …
backdoor
exploit
spearphishing
vulnerability
zero-day
mythic
winrar
snipbot
rustyclaw
russia-aligned
2025-08-11
CVE-2025-8088
Published: August 11, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2025-8088
Downloadable IOCs: 9

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scal…
apt
spearphishing
powershell
cloudflare tunnels
2025-07-04
Published: July 4, 2025
Downloadable IOCs: 53

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…
phishing
spearphishing
infostealer
russia
malware-as-a-service
keylogger
maas
snake keylogger
credential stealer
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 34

Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure

A sophisticated spearphishing campaign targeting South Korea has been uncovered, utilizing GitHub as attack infrastructure. The threat actor, linked to the North Korean group Kimsuky, created multiple private repositories to store malware, decoy files, and exfiltrated victim data. The attack levera…
north korea
spearphishing
kimsuky
dropbox
south korea
xenorat
2025-06-26
Published: June 26, 2025
Downloadable IOCs: 16

Unmasking the Infrastructure of a Spear‑phishing Campaign

Censys researchers uncovered a spear‑phishing campaign where threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how attackers set up these public-accessible directories to store malicious scripts, the obfuscation t…
spearphishing
remcos
asyncrat
dcrat
2025-06-11
limerat
opendir
Published: June 11, 2025
Downloadable IOCs: 54

UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. T…
spearphishing
poland
credential theft
vulnerability exploitation
CVE-2024-42009
unc1151
CVE-2025-49113
2025-06-05
roundcube
Published: June 5, 2025
Linked vulnerabilities : CVE-2024-42009, CVE-2025-49113 (CVSS 9.9)
Downloadable IOCs: 3

Operation RoundPress targeting high-value webmail servers

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023…
espionage
spearphishing
russia
zero-day
credential theft
xss
data exfiltration
CVE-2024-27443
CVE-2024-11182
2025-05-15
2025-05-18
webmail
eastern europe
spypress.roundcube
spypress.mdaemon
CVE-2023-43770
spypress.zimbra
spypress.horde
Published: May 18, 2025
Linked vulnerabilities : CVE-2024-27443, CVE-2024-11182 (CVSS 6.1), CVE-2020-35730, CVE-2023-23397, CVE-2023-43770
Downloadable IOCs: 16

Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware

This analysis details a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) in March 2025. The attackers used a trojanized version of a legitimate Uyghur language text editor to deliver Windows-based malware for remote surveillance. While not technically advanced, the…
spearphishing
trojanized software
2025-04-28
gheyretdetector backdoor
remote surveillance
uyghureditpp trojan
digital transnational repression
uyghur
diaspora targeting
world uyghur congress
Published: April 28, 2025
Downloadable IOCs: 8

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

Operation AkaiRyū: Europe invited to Expo 2025 and ANEL backdoor revived

Chinese threat actor MirrorFace expanded its cyberespionage activities beyond Japan, targeting a Central European diplomatic institute in relation to Expo 2025. The group refreshed its tactics, introducing new tools like customized AsyncRAT and reviving the ANEL backdoor previously associated with …
spearphishing
asyncrat
apt10
anel
2025-03-18
windows sandbox
expo 2025
visual studio code
hiddenface
facexinjector
Published: March 18, 2025
Downloadable IOCs: 6

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…
north korea
spearphishing
infostealer
cryptocurrency
beavertail
invisibleferret
2025-02-21
job scams
freelancers
Published: February 21, 2025
Downloadable IOCs: 0

RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats

Between July 2023 and December 2024, the Chinese state-sponsored group RedDelta targeted Mongolia, Taiwan, and Southeast Asian countries with an adapted infection chain to distribute its customized PlugX backdoor. The group used themed lure documents and evolved its tactics, transitioning from Wind…
spearphishing
plugx
html
microsoft azure
2025-01-09
cloudflare cdn
shortcut (lnk) file
Published: January 9, 2025
Downloadable IOCs: 259

Leveraging Cloudflare Tunnels for GammaDrop Infrastructure

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…
apt
spearphishing
html smuggling
2024-12-05
gammadrop
obfuscation techniques
gammaload
cloudflare tunnels
russian state-sponsored
dns fast-fluxing
Published: December 5, 2024
Downloadable IOCs: 1

BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…
apt
spearphishing
html smuggling
2024-12-05
gammadrop
obfuscation techniques
gammaload
cloudflare tunnels
russian state-sponsored
dns fast-fluxing
Published: December 5, 2024
Downloadable IOCs: 0

HawkEye Malware: Technical Analysis

HawkEye, also known as PredatorPain, is a long-lived keylogger malware that has evolved to include stealer capabilities. Originating before 2010, it gained popularity in 2013 through spearphishing campaigns. The malware is typically delivered via phishing emails or compromised websites, and utilize…
spearphishing
stealer
exfiltration
persistence
injection
keylogger
2024-11-13
predatorpain
hawkeye
Published: November 13, 2024
Downloadable IOCs: 4

Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity

On July 24, 2024, CrowdStrike Intelligence identified an unattributed spearphishing attempt delivering an inauthentic installer impersonating CrowdStrike's Crash Reporter through a website targeting a German entity. The site utilized JavaScript obfuscation to deliver the malicious installer, which …
obfuscation
impersonation
spearphishing
installer
2024-07-31
Published: July 31, 2024
Downloadable IOCs: 5
Click here to see more Attack Reports